@plyaz/auth 1.0.0 → 1.0.2

package/src/server/guards/roles.guard.ts

@@ -1,31 +1,33 @@
-import type { CanActivate, ExecutionContext } from '@nestjs/common';
-import { Injectable } from '@nestjs/common';
-import type { Reflector } from '@nestjs/core';
-import type { RoleManager } from '../../rbac/role.manager';
-import { AuthenticationError } from '@plyaz/errors';
-
+import type { CanActivate, ExecutionContext } from "@nestjs/common";
+import { Injectable } from "@nestjs/common";
+import type { Reflector } from "@nestjs/core";
+import type { RoleManager } from "../../rbac/role.manager";
+import { AuthenticationError } from "@plyaz/errors";
 
 @Injectable()
 export class RolesGuard implements CanActivate {
   constructor(
     private roleManager: RoleManager,
-    private reflector: Reflector
+    private reflector: Reflector,
   ) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
-    const requiredRoles = this.reflector.get<string[]>('roles', context.getHandler());
+    const requiredRoles = this.reflector.get<string[]>(
+      "roles",
+      context.getHandler(),
+    );
     if (!requiredRoles) return true;
 
     const request = context.switchToHttp().getRequest();
     const user = request.user;
-    
-    if (!user) throw new AuthenticationError('AUTH_INVALID_CREDENTIALS');
+
+    if (!user) throw new AuthenticationError("AUTH_INVALID_CREDENTIALS");
 
     const hasRole = await this.roleManager.hasAnyRole(user.sub, requiredRoles);
     if (!hasRole) {
-      throw new AuthenticationError('AUTH_ROLE_REQUIRED');
+      throw new AuthenticationError("AUTH_ROLE_REQUIRED");
     }
 
     return true;
   }
-}
+}

package/src/server/middleware/auth.middleware.ts

@@ -13,10 +13,10 @@ export interface AuthRequest extends Request {
 /**
  * Middleware to extract the session ID from incoming requests.
  *
- * This middleware does **not validate** the session.  
+ * This middleware does **not validate** the session.
  * It only reads the session ID from:
- *  - Cookies (`session_id`)  
- *  - Headers (`x-session-id`)  
+ *  - Cookies (`session_id`)
+ *  - Headers (`x-session-id`)
  * and attaches it to `req.sessionId` for use in guards or controllers.
  *
  * @example
@@ -32,7 +32,7 @@ export class AuthMiddleware implements NestMiddleware {
    * @param res - Express response object
    * @param next - Function to pass control to the next middleware
    */
-  use(req: AuthRequest, res: Response, next: NextFunction):void {
+  use(req: AuthRequest, res: Response, next: NextFunction): void {
     // Read session cookie (or header)
     const sessionId = req.cookies?.session_id ?? req.headers["x-session-id"];
 

package/src/server/middleware/session.middleware.ts

@@ -55,7 +55,7 @@ export class SessionMiddleware implements NestMiddleware {
 
   constructor(
     private tokenService: TokenService,
-    private sessionService: SessionService
+    private sessionService: SessionService,
   ) {
     this.config = {
       refreshThreshold: 300, // 5 minutes
@@ -132,7 +132,7 @@ export class SessionMiddleware implements NestMiddleware {
   private async refreshTokens(
     req: Request,
     res: Response,
-    refreshToken: string
+    refreshToken: string,
   ): Promise<void> {
     try {
       this.logger.debug("Refreshing tokens");
@@ -156,7 +156,7 @@ export class SessionMiddleware implements NestMiddleware {
       const tokenPair = await this.tokenService.refreshTokenPair(
         refreshToken,
         userRoles,
-        userPermissions
+        userPermissions,
       );
 
       // Set new tokens in cookies
@@ -211,7 +211,7 @@ export class SessionMiddleware implements NestMiddleware {
   private setTokenCookies(
     res: Response,
     accessToken: string,
-    refreshToken: string
+    refreshToken: string,
   ): void {
     const fifteen = 15;
     // Set access token cookie (shorter expiry)

package/src/server/services/account.service.ts

@@ -1,20 +1,20 @@
 /**
  * @fileoverview Account service for @plyaz/auth
  * @module @plyaz/auth/server/services/account-service
- * 
+ *
  * @description
  * NestJS service for connected account management operations.
  * Provides high-level operations for linking/unlinking provider accounts,
  * managing primary accounts, and handling account-related business logic.
- * 
+ *
  * @example
  * ```typescript
  * import { AccountService } from '@plyaz/auth';
- * 
+ *
  * @Controller('accounts')
  * export class AccountsController {
  *   constructor(private accountService: AccountService) {}
- * 
+ *
  *   @Post('link')
  *   async linkAccount(@Body() data, @CurrentUser() user) {
  *     return await this.accountService.link(user.id, data.provider, data);
@@ -23,11 +23,11 @@
  * ```
  */
 
-import { Injectable, Logger } from '@nestjs/common';
-import type { ConnectedAccountRepository } from '../../db/repositories/connected-account.repository';
+import { Injectable, Logger } from "@nestjs/common";
+import type { ConnectedAccountRepository } from "../../db/repositories/connected-account.repository";
 
-import type { ConnectedAccount } from '@plyaz/types';
-import { AUTH_EVENTS } from '@plyaz/types';
+import type { ConnectedAccount } from "@plyaz/types";
+import { AUTH_EVENTS } from "@plyaz/types";
 
 /**
  * Account service implementation
@@ -48,30 +48,35 @@ export class AccountService {
    * @returns Created connected account
    */
 
-  async link(userId: string, provider: string, providerData: ConnectedAccount): Promise<ConnectedAccount> {
+  async link(
+    userId: string,
+    provider: string,
+    providerData: ConnectedAccount,
+  ): Promise<ConnectedAccount> {
     this.logger.debug(`Linking ${provider} account for user: ${userId}`);
-    
-    try {
-     
 
+    try {
       // Link the account
       const connectedAccount = await this.accountRepository.linkAccount(
         userId,
         provider,
-        providerData
+        providerData,
       );
-      
+
       this.logger.log(`${provider} account linked for user: ${userId}`);
       this.emitEvent(AUTH_EVENTS.ACCOUNT_LINKED, {
         userId,
         provider,
         accountId: connectedAccount.id,
-        timestamp: new Date()
+        timestamp: new Date(),
       });
-      
+
       return connectedAccount;
     } catch (error) {
-      this.logger.error(`Failed to link ${provider} account for user: ${userId}`, error);
+      this.logger.error(
+        `Failed to link ${provider} account for user: ${userId}`,
+        error,
+      );
       throw error;
     }
   }
@@ -84,7 +89,7 @@ export class AccountService {
    */
   async unlink(userId: string, accountId: string): Promise<void> {
     this.logger.debug(`Unlinking account ${accountId} for user: ${userId}`);
-    
+
     try {
       // Get account details
       const account = await this.accountRepository.findById(accountId);
@@ -94,21 +99,24 @@ export class AccountService {
 
       // Verify account belongs to user
       if (account?.userId !== userId) {
-        throw new Error('Account does not belong to user');
+        throw new Error("Account does not belong to user");
       }
 
       // Unlink the account (includes validation for last auth method)
       await this.accountRepository.unlinkAccount(accountId);
-      
+
       this.logger.log(`Account ${accountId} unlinked for user: ${userId}`);
       this.emitEvent(AUTH_EVENTS.ACCOUNT_UNLINKED, {
         userId,
         provider: account?.provider,
         accountId,
-        timestamp: new Date()
+        timestamp: new Date(),
       });
     } catch (error) {
-      this.logger.error(`Failed to unlink account ${accountId} for user: ${userId}`, error);
+      this.logger.error(
+        `Failed to unlink account ${accountId} for user: ${userId}`,
+        error,
+      );
       throw error;
     }
   }
@@ -120,7 +128,7 @@ export class AccountService {
    */
   async getAll(userId: string): Promise<ConnectedAccount[]> {
     this.logger.debug(`Getting all accounts for user: ${userId}`);
-    
+
     try {
       return await this.accountRepository.findByUserId(userId);
     } catch (error) {
@@ -135,21 +143,28 @@ export class AccountService {
    * @param accountId - Account identifier to set as primary
    */
   async setPrimary(userId: string, accountId: string): Promise<void> {
-    this.logger.debug(`Setting primary account ${accountId} for user: ${userId}`);
-    
+    this.logger.debug(
+      `Setting primary account ${accountId} for user: ${userId}`,
+    );
+
     try {
       // Verify account belongs to user
       const account = await this.accountRepository.findById(accountId);
       if (account?.userId !== userId) {
-        throw new Error('Account not found or does not belong to user');
+        throw new Error("Account not found or does not belong to user");
       }
 
       // Set as primary
       await this.accountRepository.setPrimary(userId, accountId);
-      
-      this.logger.log(`Primary account set to ${accountId} for user: ${userId}`);
+
+      this.logger.log(
+        `Primary account set to ${accountId} for user: ${userId}`,
+      );
     } catch (error) {
-      this.logger.error(`Failed to set primary account ${accountId} for user: ${userId}`, error);
+      this.logger.error(
+        `Failed to set primary account ${accountId} for user: ${userId}`,
+        error,
+      );
       throw error;
     }
   }
@@ -161,11 +176,14 @@ export class AccountService {
    */
   async getPrimary(userId: string): Promise<ConnectedAccount | null> {
     this.logger.debug(`Getting primary account for user: ${userId}`);
-    
+
     try {
       return await this.accountRepository.findPrimary(userId);
     } catch (error) {
-      this.logger.error(`Failed to get primary account for user: ${userId}`, error);
+      this.logger.error(
+        `Failed to get primary account for user: ${userId}`,
+        error,
+      );
       throw error;
     }
   }
@@ -176,13 +194,24 @@ export class AccountService {
    * @param providerAccountId - Provider account ID
    * @returns Connected account or null
    */
-  async findByProvider(provider: string, providerAccountId: string): Promise<ConnectedAccount | null> {
-    this.logger.debug(`Finding account by provider: ${provider}, ID: ${providerAccountId}`);
-    
+  async findByProvider(
+    provider: string,
+    providerAccountId: string,
+  ): Promise<ConnectedAccount | null> {
+    this.logger.debug(
+      `Finding account by provider: ${provider}, ID: ${providerAccountId}`,
+    );
+
     try {
-      return await this.accountRepository.findByProvider(provider, providerAccountId);
+      return await this.accountRepository.findByProvider(
+        provider,
+        providerAccountId,
+      );
     } catch (error) {
-      this.logger.error(`Failed to find account by provider: ${provider}`, error);
+      this.logger.error(
+        `Failed to find account by provider: ${provider}`,
+        error,
+      );
       throw error;
     }
   }
@@ -193,14 +222,25 @@ export class AccountService {
    * @param accessToken - New access token
    * @param refreshToken - New refresh token (optional)
    */
-  async updateTokens(accountId: string, accessToken: string, refreshToken?: string): Promise<void> {
+  async updateTokens(
+    accountId: string,
+    accessToken: string,
+    refreshToken?: string,
+  ): Promise<void> {
     this.logger.debug(`Updating tokens for account: ${accountId}`);
-    
+
     try {
-      await this.accountRepository.updateTokens(accountId, accessToken, refreshToken);
+      await this.accountRepository.updateTokens(
+        accountId,
+        accessToken,
+        refreshToken,
+      );
       this.logger.log(`Tokens updated for account: ${accountId}`);
     } catch (error) {
-      this.logger.error(`Failed to update tokens for account: ${accountId}`, error);
+      this.logger.error(
+        `Failed to update tokens for account: ${accountId}`,
+        error,
+      );
       throw error;
     }
   }
@@ -212,7 +252,7 @@ export class AccountService {
    */
   async getById(accountId: string): Promise<ConnectedAccount | null> {
     this.logger.debug(`Getting account by ID: ${accountId}`);
-    
+
     try {
       return await this.accountRepository.findById(accountId);
     } catch (error) {
@@ -229,12 +269,17 @@ export class AccountService {
    */
   async hasProviderAccount(userId: string, provider: string): Promise<boolean> {
     this.logger.debug(`Checking if user ${userId} has ${provider} account`);
-    
+
     try {
       const accounts = await this.accountRepository.findByUserId(userId);
-      return accounts.some(account => account.provider === provider && account.isActive);
+      return accounts.some(
+        (account) => account.provider === provider && account.isActive,
+      );
     } catch (error) {
-      this.logger.error(`Failed to check provider account for user: ${userId}`, error);
+      this.logger.error(
+        `Failed to check provider account for user: ${userId}`,
+        error,
+      );
       return false;
     }
   }
@@ -246,12 +291,15 @@ export class AccountService {
    */
   async getAccountCount(userId: string): Promise<number> {
     this.logger.debug(`Getting account count for user: ${userId}`);
-    
+
     try {
       const accounts = await this.accountRepository.findByUserId(userId);
-      return accounts.filter(account => account.isActive).length;
+      return accounts.filter((account) => account.isActive).length;
     } catch (error) {
-      this.logger.error(`Failed to get account count for user: ${userId}`, error);
+      this.logger.error(
+        `Failed to get account count for user: ${userId}`,
+        error,
+      );
       return 0;
     }
   }
@@ -266,4 +314,4 @@ export class AccountService {
     // Mock event emission - in real implementation would use event system
     this.logger.debug(`Event: ${eventType}`, payload);
   }
-}
+}

package/src/server/services/auth.service.ts

@@ -1,43 +1,56 @@
-import { Injectable } from '@nestjs/common';
-
-import type { SessionManager } from '../../core/session/session.manager';
-import type { TraditionalAuthStrategy } from '../../strategies/traditional-auth.strategy';
-import type { OAuthStrategy, OAuthProfile } from '../../strategies/oauth.strategy';
-import type { UserRepository } from '../../db/repositories/user.repository';
-import type { User, AuthTokens } from '../../common/types/auth.types';
-import type { Session } from '@plyaz/types';
-import type { JwtManager } from '@/core/jwt/jwt.manager';
+import { Injectable } from "@nestjs/common";
 
+import type { SessionManager } from "../../core/session/session.manager";
+import type { TraditionalAuthStrategy } from "../../strategies/traditional-auth.strategy";
+import type {
+  OAuthStrategy,
+  OAuthProfile,
+} from "../../strategies/oauth.strategy";
+import type { UserRepository } from "../../db/repositories/user.repository";
+import type { User, AuthTokens } from "../../common/types/auth.types";
+import type { Session } from "@plyaz/types";
+import type { JwtManager } from "@/core/jwt/jwt.manager";
 
 @Injectable()
 export class AuthService {
   // eslint-disable-next-line max-params
   constructor(
-    private jwtManager:JwtManager,
+    private jwtManager: JwtManager,
     private sessionManager: SessionManager,
     private traditionalAuth: TraditionalAuthStrategy,
     private oauthAuth: OAuthStrategy,
-    private userRepo: UserRepository
+    private userRepo: UserRepository,
   ) {}
 
-  async signIn(email: string, password: string, deviceInfo: Record<string,unknown>): Promise<{ user: User; tokens: AuthTokens; session: Session }> {
+  async signIn(
+    email: string,
+    password: string,
+    deviceInfo: Record<string, unknown>,
+  ): Promise<{ user: User; tokens: AuthTokens; session: Session }> {
     const user = await this.traditionalAuth.authenticate(email, password);
-    const session = await this.sessionManager.createSession(user.id, deviceInfo);
+    const session = await this.sessionManager.createSession(
+      user.id,
+      deviceInfo,
+    );
     const tokens = this.jwtManager.generateTokens(user);
-    
+
     await this.userRepo.updateLastLogin(user.id);
-    
-    return { user, tokens: { ...tokens, refreshToken: tokens.refreshToken ?? '' }, session };
+
+    return {
+      user,
+      tokens: { ...tokens, refreshToken: tokens.refreshToken ?? "" },
+      session,
+    };
   }
 
   async signUp(userData: Partial<User>, password: string): Promise<User> {
     const passwordHash = await this.traditionalAuth.hashPassword(password);
-    
+
     return this.userRepo.create({
       email: userData.email!,
       displayName: userData.displayName!,
       passwordHash,
-      authProvider: 'email',
+      authProvider: "email",
       isActive: true,
       ...userData,
     });
@@ -54,26 +67,42 @@ export class AuthService {
   async refreshToken(refreshToken: string): Promise<AuthTokens> {
     const payload = this.jwtManager.verifyRefreshToken(refreshToken);
     const user = await this.userRepo.findById(payload.sub);
-    
+
     if (!user?.isActive) {
-      throw new Error('Invalid refresh token');
+      throw new Error("Invalid refresh token");
     }
 
     const tokens = this.jwtManager.generateTokens(user);
-    return { ...tokens, refreshToken: tokens.refreshToken ?? '' };
+    return { ...tokens, refreshToken: tokens.refreshToken ?? "" };
   }
 
   async validateUser(userId: string): Promise<User | null> {
     return this.userRepo.findById(userId);
   }
 
-  async oauthSignIn(profile: OAuthProfile, accessToken: string, refreshToken?: string, deviceInfo?: Record<string,unknown>): Promise<{ user: User; tokens: AuthTokens; session: Session }> {
-    const user = await this.oauthAuth.authenticate(profile, accessToken, refreshToken);
-    const session = await this.sessionManager.createSession(user.id, deviceInfo ?? {});
+  async oauthSignIn(
+    profile: OAuthProfile,
+    accessToken: string,
+    refreshToken?: string,
+    deviceInfo?: Record<string, unknown>,
+  ): Promise<{ user: User; tokens: AuthTokens; session: Session }> {
+    const user = await this.oauthAuth.authenticate(
+      profile,
+      accessToken,
+      refreshToken,
+    );
+    const session = await this.sessionManager.createSession(
+      user.id,
+      deviceInfo ?? {},
+    );
     const tokens = this.jwtManager.generateTokens(user);
-    
+
     await this.userRepo.updateLastLogin(user.id);
-    
-    return { user, tokens: { ...tokens, refreshToken: tokens.refreshToken ?? '' }, session };
+
+    return {
+      user,
+      tokens: { ...tokens, refreshToken: tokens.refreshToken ?? "" },
+      session,
+    };
   }
-}
+}

package/src/server/services/brute-force.service.ts

@@ -3,26 +3,32 @@ import { Injectable, BadRequestException } from "@nestjs/common";
 import { NUMERIX } from "@plyaz/config";
 import type { Redis } from "ioredis";
 
-const thirty  = 30;
+const thirty = 30;
 @Injectable()
 export class BruteForceService {
   private static readonly USER_HARD_LIMIT = 6;
 
-  private static readonly USER_HARD_BLOCK_MS = thirty * NUMERIX.SIXTY * NUMERIX.THOUSAND; // 30 min
-  private static readonly USER_PROGRESSIVE_DELAYS: Record<number, number> = { 4: 5000, 5: 5000 };
+  private static readonly USER_HARD_BLOCK_MS =
+    thirty * NUMERIX.SIXTY * NUMERIX.THOUSAND; // 30 min
+  private static readonly USER_PROGRESSIVE_DELAYS: Record<number, number> = {
+    4: 5000,
+    5: 5000,
+  };
 
   private static readonly IP_HARD_LIMIT = 10;
-  private static readonly IP_HARD_BLOCK_MS = NUMERIX.SIXTY * NUMERIX.SIXTY * NUMERIX.THOUSAND; // 1 hour
+  private static readonly IP_HARD_BLOCK_MS =
+    NUMERIX.SIXTY * NUMERIX.SIXTY * NUMERIX.THOUSAND; // 1 hour
 
   private static readonly PROVIDER_HARD_LIMIT = 5;
-  private static readonly PROVIDER_HARD_BLOCK_MS = thirty * NUMERIX.SIXTY * NUMERIX.THOUSAND; // 30 min
+  private static readonly PROVIDER_HARD_BLOCK_MS =
+    thirty * NUMERIX.SIXTY * NUMERIX.THOUSAND; // 30 min
 
   constructor(private readonly redis: Redis) {}
 
   async trackFailedLogin(
     userId: string,
     ip: string,
-    providerId?: string
+    providerId?: string,
   ): Promise<void> {
     // User-level progressive delay + hard block
     await this.trackEntity(
@@ -30,7 +36,7 @@ export class BruteForceService {
       `bf:user:block:${userId}`,
       BruteForceService.USER_HARD_LIMIT,
       BruteForceService.USER_HARD_BLOCK_MS,
-      BruteForceService.USER_PROGRESSIVE_DELAYS
+      BruteForceService.USER_PROGRESSIVE_DELAYS,
     );
 
     // IP-level block
@@ -38,7 +44,7 @@ export class BruteForceService {
       `bf:ip:${ip}`,
       `bf:ip:block:${ip}`,
       BruteForceService.IP_HARD_LIMIT,
-      BruteForceService.IP_HARD_BLOCK_MS
+      BruteForceService.IP_HARD_BLOCK_MS,
     );
 
     // Provider-level block (optional)
@@ -47,7 +53,7 @@ export class BruteForceService {
         `bf:provider:${providerId}`,
         `bf:provider:block:${providerId}`,
         BruteForceService.PROVIDER_HARD_LIMIT,
-        BruteForceService.PROVIDER_HARD_BLOCK_MS
+        BruteForceService.PROVIDER_HARD_BLOCK_MS,
       );
     }
   }
@@ -58,30 +64,29 @@ export class BruteForceService {
     blockKey: string,
     limit: number,
     blockMs: number,
-    progressiveDelays?: Record<number, number>
+    progressiveDelays?: Record<number, number>,
   ): Promise<void> {
     const blockedUntil = await this.redis.get(blockKey);
     if (blockedUntil && Date.now() < Number(blockedUntil)) {
       throw new BadRequestException(
-        "Account temporarily blocked due to repeated failed attempts."
+        "Account temporarily blocked due to repeated failed attempts.",
       );
     }
 
     const failures = await this.redis.incr(entityKey);
     if (failures === 1) await this.redis.pexpire(entityKey, blockMs);
 
-   if (progressiveDelays?.[failures]) {
-  await new Promise<void>((resolve) => {
-  globalThis.setTimeout(resolve, progressiveDelays[failures]);
-  });
-}
-
+    if (progressiveDelays?.[failures]) {
+      await new Promise<void>((resolve) => {
+        globalThis.setTimeout(resolve, progressiveDelays[failures]);
+      });
+    }
 
     if (failures >= limit) {
       await this.redis.set(blockKey, Date.now() + blockMs, "PX", blockMs);
       await this.redis.del(entityKey); // reset failures
       throw new BadRequestException(
-        "Account locked due to too many failed login attempts."
+        "Account locked due to too many failed login attempts.",
       );
     }
   }
@@ -92,7 +97,7 @@ export class BruteForceService {
     if (providerId)
       await this.redis.del(
         `bf:provider:${providerId}`,
-        `bf:provider:block:${providerId}`
+        `bf:provider:block:${providerId}`,
       );
   }
 }

package/src/server/services/index.ts

@@ -12,4 +12,4 @@ export * from "./session.service";
 export * from "./token.service";
 export * from "./account.service";
 export * from "./brute-force.service";
-export * from "./rate-limiter.service"
+export * from "./rate-limiter.service";