@plyaz/auth 1.0.0

package/src/server/services/brute-force.service.ts

@@ -0,0 +1,98 @@
+// src/security/rate-limiting/auth/brute-force.service.ts
+import { Injectable, BadRequestException } from "@nestjs/common";
+import { NUMERIX } from "@plyaz/config";
+import type { Redis } from "ioredis";
+
+const thirty  = 30;
+@Injectable()
+export class BruteForceService {
+  private static readonly USER_HARD_LIMIT = 6;
+
+  private static readonly USER_HARD_BLOCK_MS = thirty * NUMERIX.SIXTY * NUMERIX.THOUSAND; // 30 min
+  private static readonly USER_PROGRESSIVE_DELAYS: Record<number, number> = { 4: 5000, 5: 5000 };
+
+  private static readonly IP_HARD_LIMIT = 10;
+  private static readonly IP_HARD_BLOCK_MS = NUMERIX.SIXTY * NUMERIX.SIXTY * NUMERIX.THOUSAND; // 1 hour
+
+  private static readonly PROVIDER_HARD_LIMIT = 5;
+  private static readonly PROVIDER_HARD_BLOCK_MS = thirty * NUMERIX.SIXTY * NUMERIX.THOUSAND; // 30 min
+
+  constructor(private readonly redis: Redis) {}
+
+  async trackFailedLogin(
+    userId: string,
+    ip: string,
+    providerId?: string
+  ): Promise<void> {
+    // User-level progressive delay + hard block
+    await this.trackEntity(
+      `bf:user:${userId}`,
+      `bf:user:block:${userId}`,
+      BruteForceService.USER_HARD_LIMIT,
+      BruteForceService.USER_HARD_BLOCK_MS,
+      BruteForceService.USER_PROGRESSIVE_DELAYS
+    );
+
+    // IP-level block
+    await this.trackEntity(
+      `bf:ip:${ip}`,
+      `bf:ip:block:${ip}`,
+      BruteForceService.IP_HARD_LIMIT,
+      BruteForceService.IP_HARD_BLOCK_MS
+    );
+
+    // Provider-level block (optional)
+    if (providerId) {
+      await this.trackEntity(
+        `bf:provider:${providerId}`,
+        `bf:provider:block:${providerId}`,
+        BruteForceService.PROVIDER_HARD_LIMIT,
+        BruteForceService.PROVIDER_HARD_BLOCK_MS
+      );
+    }
+  }
+
+  // eslint-disable-next-line max-params
+  private async trackEntity(
+    entityKey: string,
+    blockKey: string,
+    limit: number,
+    blockMs: number,
+    progressiveDelays?: Record<number, number>
+  ): Promise<void> {
+    const blockedUntil = await this.redis.get(blockKey);
+    if (blockedUntil && Date.now() < Number(blockedUntil)) {
+      throw new BadRequestException(
+        "Account temporarily blocked due to repeated failed attempts."
+      );
+    }
+
+    const failures = await this.redis.incr(entityKey);
+    if (failures === 1) await this.redis.pexpire(entityKey, blockMs);
+
+   if (progressiveDelays?.[failures]) {
+  await new Promise<void>((resolve) => {
+  globalThis.setTimeout(resolve, progressiveDelays[failures]);
+  });
+}
+
+
+    if (failures >= limit) {
+      await this.redis.set(blockKey, Date.now() + blockMs, "PX", blockMs);
+      await this.redis.del(entityKey); // reset failures
+      throw new BadRequestException(
+        "Account locked due to too many failed login attempts."
+      );
+    }
+  }
+
+  async reset(userId: string, ip: string, providerId?: string): Promise<void> {
+    await this.redis.del(`bf:user:${userId}`, `bf:user:block:${userId}`);
+    await this.redis.del(`bf:ip:${ip}`, `bf:ip:block:${ip}`);
+    if (providerId)
+      await this.redis.del(
+        `bf:provider:${providerId}`,
+        `bf:provider:block:${providerId}`
+      );
+  }
+}

package/src/server/services/index.ts

@@ -0,0 +1,15 @@
+/**
+ * @fileoverview Server services barrel export for @plyaz/auth
+ * @module @plyaz/auth/server/services
+ *
+ * @description
+ * Centralized export of all NestJS services for authentication and authorization.
+ * Provides a single import point for all service functionality.
+ */
+
+export * from "./auth.service";
+export * from "./session.service";
+export * from "./token.service";
+export * from "./account.service";
+export * from "./brute-force.service";
+export * from "./rate-limiter.service"

package/src/server/services/rate-limiter.service.ts

@@ -0,0 +1,60 @@
+import { Injectable } from "@nestjs/common";
+import type { Redis } from "ioredis";
+
+export interface RateLimiterOptions {
+  windowMs: number; // time window in milliseconds
+  limit: number;    // max requests allowed in the window
+  blockMs?: number; // optional block duration in milliseconds
+}
+
+@Injectable()
+export class RateLimiterService {
+  constructor(private readonly redis: Redis) {}
+
+  getOption(routeKey: string): RateLimiterOptions {
+    globalThis.console.log(routeKey)
+    // Example placeholder, replace with your actual logic
+    throw new Error("Method not implemented.");
+  }
+
+  async isRateLimited(
+    identifier: string,
+    options: RateLimiterOptions
+  ): Promise<boolean> {
+    const rateKey = `rate:${identifier}`;
+    const blockKey = `block:${identifier}`;
+
+    // Check if user is already blocked
+    const blockedUntil = await this.redis.get(blockKey);
+    if (blockedUntil && Date.now() < Number(blockedUntil)) {
+      return true;
+    }
+
+    // Increase request count
+    const requests = await this.redis.incr(rateKey);
+
+    // Set window expiry on first request
+    if (requests === 1) {
+      await this.redis.pexpire(rateKey, options.windowMs);
+    }
+
+    // Block user if limit exceeded
+    if (requests > options.limit && options.blockMs) {
+      const blockUntil = Date.now() + options.blockMs;
+
+      await this.redis.set(blockKey, blockUntil.toString(), "PX", options.blockMs);
+      await this.redis.del(rateKey); // reset counter
+
+      return true;
+    }
+
+    return false;
+  }
+
+  async reset(identifier: string): Promise<void> {
+    const rateKey = `rate:${identifier}`;
+    const blockKey = `block:${identifier}`;
+
+    await this.redis.del(rateKey, blockKey);
+  }
+}

package/src/server/services/session.service.ts

@@ -0,0 +1,287 @@
+/**
+ * @fileoverview Session service for @plyaz/auth
+ * @module @plyaz/auth/server/services/session-service
+ * 
+ * @description
+ * NestJS service for session management operations. Provides high-level
+ * session operations for controllers and other services. Wraps the
+ * EnhancedSessionManager with NestJS dependency injection and logging.
+ * 
+ * @example
+ * ```typescript
+ * import { SessionService } from '@plyaz/auth';
+ * 
+ * @Controller('auth')
+ * export class AuthController {
+ *   constructor(private sessionService: SessionService) {}
+ * 
+ *   @Post('logout-all')
+ *   async logoutAll(@CurrentUser() user) {
+ *     await this.sessionService.invalidateAllUserSessions(user.id);
+ *   }
+ * }
+ * ```
+ */
+
+import { Injectable, Logger } from '@nestjs/common';
+import type { EnhancedSessionManager, UserContext, SessionCreationData } from '../../session/enhanced-session-manager';
+
+import type { Session, SessionData } from '@plyaz/types';
+import { AUTH_EVENTS } from '@plyaz/types';
+
+/**
+ * Session service implementation
+ * Provides session management operations for NestJS applications
+ */
+@Injectable()
+export class SessionService {
+  private readonly logger = new Logger(SessionService.name);
+
+  constructor(private sessionManager: EnhancedSessionManager) {}
+
+  /**
+   * Create a new session
+   * @param userContext - User context information
+   * @param sessionData - Session creation data
+   * @returns Created session
+   */
+  async createSession(userContext: UserContext, sessionData: SessionCreationData = {}): Promise<Session> {
+    this.logger.debug(`Creating session for user: ${userContext.userId}`);
+    
+    try {
+      const session = await this.sessionManager.createSession(userContext, sessionData);
+      
+      this.logger.log(`Session created: ${session.id} for user: ${userContext.userId}`);
+      this.emitEvent(AUTH_EVENTS.SESSION_CREATED, {
+        userId: userContext.userId,
+        sessionId: session.id,
+        timestamp: new Date()
+      });
+      
+      return session;
+    } catch (error) {
+      this.logger.error(`Failed to create session for user: ${userContext.userId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Get session by ID
+   * @param sessionId - Session identifier
+   * @returns Session or null if not found
+   */
+  async getSession(sessionId: string): Promise<Session | null> {
+    this.logger.debug(`Getting session: ${sessionId}`);
+    
+    try {
+      return await this.sessionManager.getSession(sessionId);
+    } catch (error) {
+      this.logger.error(`Failed to get session: ${sessionId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Validate session
+   * @param sessionId - Session identifier
+   * @returns True if session is valid
+   */
+  async validateSession(sessionId: string): Promise<boolean> {
+    this.logger.debug(`Validating session: ${sessionId}`);
+    
+    try {
+      const isValid = await this.sessionManager.validateSession(sessionId);
+      
+      if (!isValid) {
+        this.logger.warn(`Invalid session: ${sessionId}`);
+      }
+      
+      return isValid;
+    } catch (error) {
+      this.logger.error(`Failed to validate session: ${sessionId}`, error);
+      return false;
+    }
+  }
+
+  /**
+   * Refresh session
+   * @param sessionId - Session identifier
+   * @returns Refreshed session
+   */
+  async refreshSession(sessionId: string): Promise<Session> {
+    this.logger.debug(`Refreshing session: ${sessionId}`);
+    
+    try {
+      const session = await this.sessionManager.refreshSession(sessionId);
+      
+      this.logger.log(`Session refreshed: ${sessionId}`);
+      this.emitEvent(AUTH_EVENTS.SESSION_REFRESHED, {
+        userId: session.userId,
+        sessionId: session.id,
+        timestamp: new Date()
+      });
+      
+      return session;
+    } catch (error) {
+      this.logger.error(`Failed to refresh session: ${sessionId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Update session data
+   * @param sessionId - Session identifier
+   * @param updates - Partial session updates
+   * @returns Updated session
+   */
+  async updateSession(sessionId: string, updates:Partial<SessionData>): Promise<Session> {
+    this.logger.debug(`Updating session: ${sessionId}`);
+    
+    try {
+      return await this.sessionManager.updateSession(sessionId, updates);
+    } catch (error) {
+      this.logger.error(`Failed to update session: ${sessionId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Delete session
+   * @param sessionId - Session identifier
+   */
+  async deleteSession(sessionId: string): Promise<void> {
+    this.logger.debug(`Deleting session: ${sessionId}`);
+    
+    try {
+      await this.sessionManager.deleteSession(sessionId);
+      
+      this.logger.log(`Session deleted: ${sessionId}`);
+      this.emitEvent(AUTH_EVENTS.SESSION_INVALIDATED, {
+        sessionId,
+        timestamp: new Date()
+      });
+    } catch (error) {
+      this.logger.error(`Failed to delete session: ${sessionId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Invalidate all sessions for a user
+   * @param userId - User identifier
+   */
+  async invalidateAllUserSessions(userId: string): Promise<void> {
+    this.logger.debug(`Invalidating all sessions for user: ${userId}`);
+    
+    try {
+      await this.sessionManager.invalidateAllUserSessions(userId);
+      
+      this.logger.log(`All sessions invalidated for user: ${userId}`);
+      this.emitEvent(AUTH_EVENTS.SESSION_INVALIDATED, {
+        userId,
+        timestamp: new Date()
+      });
+    } catch (error) {
+      this.logger.error(`Failed to invalidate all sessions for user: ${userId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Detect concurrent sessions for a user
+   * @param userId - User identifier
+   * @returns Array of active sessions
+   */
+  async detectConcurrentSessions(userId: string): Promise<Session[]> {
+    this.logger.debug(`Detecting concurrent sessions for user: ${userId}`);
+    
+    try {
+      return await this.sessionManager.detectConcurrentSessions(userId);
+    } catch (error) {
+      this.logger.error(`Failed to detect concurrent sessions for user: ${userId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Generate CSRF token for session
+   * @param sessionId - Session identifier
+   * @returns CSRF token
+   */
+  async generateCsrfToken(sessionId: string): Promise<string> {
+    this.logger.debug(`Generating CSRF token for session: ${sessionId}`);
+    
+    try {
+      return await this.sessionManager.generateCsrfToken(sessionId);
+    } catch (error) {
+      this.logger.error(`Failed to generate CSRF token for session: ${sessionId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Validate CSRF token for session
+   * @param sessionId - Session identifier
+   * @param token - CSRF token to validate
+   * @returns True if token is valid
+   */
+  async validateCsrfToken(sessionId: string, token: string): Promise<boolean> {
+    this.logger.debug(`Validating CSRF token for session: ${sessionId}`);
+    
+    try {
+      const isValid = await this.sessionManager.validateCsrfToken(sessionId, token);
+      
+      if (!isValid) {
+        this.logger.warn(`Invalid CSRF token for session: ${sessionId}`);
+      }
+      
+      return isValid;
+    } catch (error) {
+      this.logger.error(`Failed to validate CSRF token for session: ${sessionId}`, error);
+      return false;
+    }
+  }
+
+  /**
+   * Check if session needs refresh
+   * @param sessionId - Session identifier
+   * @returns True if session should be refreshed
+   */
+  async shouldRefreshSession(sessionId: string): Promise<boolean> {
+    try {
+      return await this.sessionManager.shouldRefreshSession(sessionId);
+    } catch (error) {
+      this.logger.error(`Failed to check if session needs refresh: ${sessionId}`, error);
+      return false;
+    }
+  }
+
+  /**
+   * Get session statistics
+   * @returns Session statistics
+   */
+  async getSessionStats(): Promise<{
+    totalSessions: number;
+    activeUsers: number;
+  }> {
+    this.logger.debug('Getting session statistics');
+    
+    try {
+      return await this.sessionManager.getSessionStats();
+    } catch (error) {
+      this.logger.error('Failed to get session statistics', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Emit event (mock implementation)
+   * @param eventType - Event type
+   * @param payload - Event payload
+   * @private
+   */
+  private emitEvent(eventType: string, payload:unknown): void {
+    // Mock event emission - in real implementation would use event system
+    this.logger.debug(`Event: ${eventType}`, payload);
+  }
+}