@restingowlorg/owlauth 1.0.1

package/dist/infra/databases/postgresql/helpers.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateSchema = validateSchema;
+exports.validateTable = validateTable;
+exports.validateColumns = validateColumns;
+exports.validateForeignKey = validateForeignKey;
+/**
+ * Validation Helpers for PostgreSQL
+ */
+async function validateSchema(pool, schema) {
+    const res = await pool.query(`SELECT schema_name FROM information_schema.schemata WHERE schema_name = $1`, [schema]);
+    if (!res.rowCount)
+        throw new Error(`[Auth:validateSchema] Schema '${schema}' does not exist`);
+}
+async function validateTable(pool, qualifiedTable) {
+    const res = await pool.query(`SELECT to_regclass($1) AS table_exists`, [qualifiedTable]);
+    if (!res.rows[0].table_exists)
+        throw new Error(`[Auth:validateTable] Table '${qualifiedTable}' does not exist`);
+}
+async function validateColumns(pool, schema, table, requiredColumns) {
+    const res = await pool.query(`
+      SELECT column_name
+      FROM information_schema.columns
+      WHERE table_name = $1 AND table_schema = $2
+    `, [table, schema]);
+    const existingColumns = res.rows.map((r) => r.column_name);
+    for (const col of requiredColumns) {
+        if (!existingColumns.includes(col)) {
+            throw new Error(`[Auth:validateColumns] Table '${schema}.${table}' missing required column '${col}'`);
+        }
+    }
+}
+async function validateForeignKey(pool, schema, table, refSchema, refTable, col, refCol) {
+    const res = await pool.query(`
+      SELECT
+        ccu.table_name AS referenced_table,
+        ccu.column_name AS referenced_column,
+        ccu.table_schema AS referenced_schema
+      FROM information_schema.table_constraints AS tc
+      JOIN information_schema.key_column_usage AS kcu
+        ON tc.constraint_name = kcu.constraint_name
+      JOIN information_schema.constraint_column_usage AS ccu
+        ON ccu.constraint_name = tc.constraint_name
+      WHERE tc.constraint_type = 'FOREIGN KEY'
+        AND tc.table_name = $1
+        AND tc.table_schema = $2
+        AND kcu.column_name = $3
+    `, [table, schema, col]);
+    const valid = res.rows.some((r) => r.referenced_table === refTable &&
+        r.referenced_schema === refSchema &&
+        r.referenced_column === refCol);
+    if (!valid) {
+        throw new Error(`[Auth:validateForeignKey] Table '${schema}.${table}' must have a foreign key '${col}' referencing '${refSchema}.${refTable}.${refCol}'`);
+    }
+}

package/dist/infra/databases/postgresql/postgres.d.ts

@@ -0,0 +1,5 @@
+export { PostgresAdapter } from "./adapter";
+export { initPostgres } from "./db";
+export { PostgresUserRepository } from "../../../repositories/postgresql/user.repo";
+export { PostgresMagicLinkRepository } from "../../../repositories/postgresql/magic.link.repo";
+export { MagicLinkRow, TableColumn, ColumnRow, FKRow, TableExistsRow, ColumnInfoRow, PrimaryKeyRow } from "../../../types/index";

package/dist/infra/databases/postgresql/postgres.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PostgresMagicLinkRepository = exports.PostgresUserRepository = exports.initPostgres = exports.PostgresAdapter = void 0;
+var adapter_1 = require("./adapter");
+Object.defineProperty(exports, "PostgresAdapter", { enumerable: true, get: function () { return adapter_1.PostgresAdapter; } });
+var db_1 = require("./db");
+Object.defineProperty(exports, "initPostgres", { enumerable: true, get: function () { return db_1.initPostgres; } });
+var user_repo_1 = require("../../../repositories/postgresql/user.repo");
+Object.defineProperty(exports, "PostgresUserRepository", { enumerable: true, get: function () { return user_repo_1.PostgresUserRepository; } });
+var magic_link_repo_1 = require("../../../repositories/postgresql/magic.link.repo");
+Object.defineProperty(exports, "PostgresMagicLinkRepository", { enumerable: true, get: function () { return magic_link_repo_1.PostgresMagicLinkRepository; } });

package/dist/infra/databases/postgresql/schema.d.ts

@@ -0,0 +1,6 @@
+export declare const PostgresUserSchema: {
+    requiredColumns: readonly ["id", "email", "username", "password"];
+};
+export declare const PostgresMagicLinkSchema: {
+    requiredColumns: readonly ["id", "user_id", "token", "expires_at", "used_at", "created_at"];
+};

package/dist/infra/databases/postgresql/schema.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PostgresMagicLinkSchema = exports.PostgresUserSchema = void 0;
+exports.PostgresUserSchema = {
+    requiredColumns: ["id", "email", "username", "password"]
+};
+exports.PostgresMagicLinkSchema = {
+    requiredColumns: ["id", "user_id", "token", "expires_at", "used_at", "created_at"]
+};

package/dist/infra/security/bcrypt.adapter.d.ts

@@ -0,0 +1,9 @@
+import { ICryptoAdapter } from "../../types";
+export declare class BcryptAdapter implements ICryptoAdapter {
+    private readonly SALT_ROUNDS;
+    hashPassword(password: string): Promise<string>;
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    generateToken(length?: number): string;
+    hashToken(token: string): Promise<string>;
+    verifyToken(token: string, hash: string): Promise<boolean>;
+}

package/dist/infra/security/bcrypt.adapter.js

@@ -0,0 +1,62 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BcryptAdapter = void 0;
+const bcrypt = __importStar(require("bcryptjs"));
+const crypto = __importStar(require("crypto"));
+const config_1 = require("../../config");
+class BcryptAdapter {
+    constructor() {
+        this.SALT_ROUNDS = config_1.SECURITY_CONFIG.SALT_ROUNDS;
+    }
+    // ---------------- Password Helpers ----------------
+    async hashPassword(password) {
+        return bcrypt.hash(password, this.SALT_ROUNDS);
+    }
+    async verifyPassword(password, hash) {
+        return bcrypt.compare(password, hash);
+    }
+    // ---------------- Magic Link Helpers ----------------
+    generateToken(length = 32) {
+        return crypto.randomBytes(length).toString("hex");
+    }
+    async hashToken(token) {
+        return bcrypt.hash(token, this.SALT_ROUNDS);
+    }
+    async verifyToken(token, hash) {
+        return bcrypt.compare(token, hash);
+    }
+}
+exports.BcryptAdapter = BcryptAdapter;

package/dist/infra/security/bcrypt.adapter.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/infra/security/bcrypt.adapter.test.js

@@ -0,0 +1,67 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const bcrypt_adapter_1 = require("./bcrypt.adapter");
+const bcrypt = __importStar(require("bcryptjs"));
+jest.mock("bcryptjs", () => ({
+    hash: jest.fn(),
+    compare: jest.fn()
+}));
+describe("BcryptAdapter", () => {
+    let adapter;
+    beforeEach(() => {
+        adapter = new bcrypt_adapter_1.BcryptAdapter();
+        jest.clearAllMocks();
+    });
+    it("should correctly hash a password", async () => {
+        bcrypt.hash.mockResolvedValue("hashed_pwd");
+        const result = await adapter.hashPassword("my_password");
+        expect(result).toBe("hashed_pwd");
+        // eslint-disable-next-line @typescript-eslint/unbound-method
+        expect(bcrypt.hash).toHaveBeenCalledWith("my_password", 10);
+    });
+    it("should correctly verify a password", async () => {
+        bcrypt.compare.mockResolvedValue(true);
+        const result = await adapter.verifyPassword("my_password", "hashed_pwd");
+        expect(result).toBe(true);
+        // eslint-disable-next-line @typescript-eslint/unbound-method
+        expect(bcrypt.compare).toHaveBeenCalledWith("my_password", "hashed_pwd");
+    });
+    it("should return false if verification fails", async () => {
+        bcrypt.compare.mockResolvedValue(false);
+        const result = await adapter.verifyPassword("wrong_password", "hashed_pwd");
+        expect(result).toBe(false);
+    });
+});

package/dist/infra/security/pwned-passwords.d.ts

@@ -0,0 +1,5 @@
+export type PwnedCheckResult = {
+    detected: boolean;
+    error?: Error;
+};
+export declare function isBreachedPassword(password: string): Promise<PwnedCheckResult>;

package/dist/infra/security/pwned-passwords.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isBreachedPassword = isBreachedPassword;
+const js_sha1_1 = require("js-sha1");
+const security_audit_logger_1 = require("./security-audit-logger");
+const config_1 = require("../../config");
+async function isBreachedPassword(password) {
+    const hash = (0, js_sha1_1.sha1)(password).toUpperCase();
+    const prefix = hash.slice(0, 5);
+    const suffix = hash.slice(5);
+    let timeout;
+    try {
+        // 3-second timeout fallback to prevent hanging requests
+        const controller = new AbortController();
+        timeout = setTimeout(() => controller.abort(), 3000);
+        timeout.unref(); // Allow process to exit even if timer is active
+        const response = await fetch(`${config_1.SECURITY_CONFIG.PWNED_API_URL}/${prefix}`, {
+            signal: controller.signal
+        });
+        if (!response.ok) {
+            const error = new Error(`PwnedPasswords API returned status ${response.status}`);
+            security_audit_logger_1.auditLogger.warn(`${error.message}. Fallback to caller handling.`);
+            return { detected: false, error };
+        }
+        const text = await response.text();
+        const lines = text.split("\n");
+        const detected = lines.some((line) => line.split(":")[0] === suffix);
+        return { detected };
+    }
+    catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        if (err.name === "AbortError") {
+            security_audit_logger_1.auditLogger.warn("PwnedPasswords check timed out. Fallback to caller handling.");
+        }
+        else {
+            security_audit_logger_1.auditLogger.warn(`Failed to check breached password. Error: ${err.message}`);
+        }
+        return { detected: false, error: err };
+    }
+    finally {
+        if (timeout) {
+            clearTimeout(timeout);
+        }
+    }
+}

package/dist/infra/security/pwned-passwords.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/infra/security/pwned-passwords.test.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const pwned_passwords_1 = require("./pwned-passwords");
+const security_audit_logger_1 = require("./security-audit-logger");
+const js_sha1_1 = require("js-sha1");
+// Mock dependencies
+jest.mock("./security-audit-logger", () => ({
+    auditLogger: {
+        warn: jest.fn()
+    }
+}));
+jest.mock("js-sha1", () => ({
+    sha1: jest.fn()
+}));
+describe("isBreachedPassword", () => {
+    beforeEach(() => {
+        jest.clearAllMocks();
+        global.fetch = jest.fn();
+        js_sha1_1.sha1.mockReturnValue("DEFAULT_HASH_FOR_TESTS");
+    });
+    it("should return detected true if password suffix is found in the API response", async () => {
+        const fakeHash = "0123456789ABCDEF0123456789ABCDEF01234567";
+        js_sha1_1.sha1.mockReturnValue(fakeHash);
+        const suffix = "56789ABCDEF0123456789ABCDEF01234567";
+        const mockResponse = `${suffix}:10\nOTHERHASH:5\n`;
+        global.fetch.mockResolvedValue({
+            ok: true,
+            text: () => Promise.resolve(mockResponse)
+        });
+        const result = await (0, pwned_passwords_1.isBreachedPassword)("any_password");
+        expect(result.detected).toBe(true);
+        expect(global.fetch).toHaveBeenCalledWith(expect.stringContaining("01234"), expect.any(Object));
+    });
+    it("should return detected false if password suffix is NOT found", async () => {
+        js_sha1_1.sha1.mockReturnValue("0123456789ABCDEF0123456789ABCDEF01234567");
+        global.fetch.mockResolvedValue({
+            ok: true,
+            text: () => Promise.resolve("OTHERHASH:10\n")
+        });
+        const result = await (0, pwned_passwords_1.isBreachedPassword)("secure_password");
+        expect(result.detected).toBe(false);
+    });
+    it("should handle API error and return error object", async () => {
+        global.fetch.mockResolvedValue({
+            ok: false,
+            status: 500
+        });
+        const result = await (0, pwned_passwords_1.isBreachedPassword)("test");
+        expect(result.detected).toBe(false);
+        expect(result.error).toBeDefined();
+        // eslint-disable-next-line @typescript-eslint/unbound-method
+        expect(security_audit_logger_1.auditLogger.warn).toHaveBeenCalled();
+    });
+    it("should handle fetch timeout/error", async () => {
+        global.fetch.mockRejectedValue(new Error("Network Error"));
+        const result = await (0, pwned_passwords_1.isBreachedPassword)("test");
+        expect(result.detected).toBe(false);
+        expect(result.error).toBeDefined();
+        // eslint-disable-next-line @typescript-eslint/unbound-method
+        expect(security_audit_logger_1.auditLogger.warn).toHaveBeenCalledWith(expect.stringContaining("Failed to check breached password"));
+    });
+});

package/dist/infra/security/security-audit-logger.d.ts

@@ -0,0 +1,11 @@
+import { IAuditLogger, SecurityEvent } from "../../types/index";
+export declare class SecurityAuditLogger implements IAuditLogger {
+    private readonly prefix;
+    private customMaskingKeys;
+    setCustomMaskingKeys(keys: string[]): void;
+    info(message: string, context?: unknown, correlationId?: string): void;
+    warn(message: string, context?: unknown, correlationId?: string): void;
+    error(message: string, error: unknown, context?: unknown, correlationId?: string): void;
+    audit(event: SecurityEvent): void;
+}
+export declare const auditLogger: SecurityAuditLogger;

package/dist/infra/security/security-audit-logger.js

@@ -0,0 +1,90 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.auditLogger = exports.SecurityAuditLogger = void 0;
+/* eslint-disable no-console */
+const config_1 = require("../../config");
+/**
+ * Robustly masks sensitive data in objects/arrays.
+ * Handles circular references and recursively masks nested objects.
+ */
+function maskSensitiveData(data, customKeys, seen = new WeakSet()) {
+    if (!data || typeof data !== "object")
+        return data;
+    const dataObj = data;
+    if (seen.has(dataObj))
+        return "[Circular]";
+    // Only add non-primitive objects to the seen set
+    seen.add(dataObj);
+    if (Array.isArray(data)) {
+        const masked = [...data];
+        for (let i = 0; i < masked.length; i++) {
+            masked[i] = maskSensitiveData(masked[i], customKeys, seen);
+        }
+        return masked;
+    }
+    const masked = data instanceof Error
+        ? {
+            name: data.name,
+            message: data.message,
+            stack: data.stack,
+            ...dataObj
+        }
+        : { ...dataObj };
+    const allSensitiveKeys = [
+        ...config_1.SECURITY_CONFIG.SENSITIVE_KEYS,
+        ...customKeys
+    ].map((k) => k.toLowerCase());
+    // Mask sensitive data
+    for (const key in masked) {
+        const value = masked[key];
+        if (allSensitiveKeys.includes(key.toLowerCase())) {
+            masked[key] = "********";
+        }
+        else if (value && typeof value === "object") {
+            masked[key] = maskSensitiveData(value, customKeys, seen);
+        }
+    }
+    // Restore Error object structure
+    if (data instanceof Error) {
+        const err = new Error(masked.message);
+        err.name = masked.name;
+        err.stack = masked.stack;
+        for (const key in masked) {
+            if (!["name", "message", "stack"].includes(key)) {
+                err[key] = masked[key];
+            }
+        }
+        return err;
+    }
+    return masked;
+}
+class SecurityAuditLogger {
+    constructor() {
+        this.prefix = config_1.SECURITY_CONFIG.LOGGER_PREFIX;
+        this.customMaskingKeys = [];
+    }
+    setCustomMaskingKeys(keys) {
+        this.customMaskingKeys = keys;
+    }
+    info(message, context, correlationId) {
+        console.info(`${this.prefix} [INFO]${correlationId ? ` [${correlationId}]` : ""} - ${message}`, context ? maskSensitiveData(context, this.customMaskingKeys) : "");
+    }
+    warn(message, context, correlationId) {
+        console.warn(`${this.prefix} [WARN]${correlationId ? ` [${correlationId}]` : ""} - ${message}`, context ? maskSensitiveData(context, this.customMaskingKeys) : "");
+    }
+    error(message, error, context, correlationId) {
+        console.error(`${this.prefix} [ERROR]${correlationId ? ` [${correlationId}]` : ""} - ${message}`, maskSensitiveData(error, this.customMaskingKeys), context ? maskSensitiveData(context, this.customMaskingKeys) : "");
+    }
+    audit(event) {
+        const { type, userId, email, correlationId, ...rest } = event;
+        console.log(`${this.prefix} [AUDIT]${correlationId ? ` [${correlationId}]` : ""} - ${type}`, maskSensitiveData({
+            userId,
+            email,
+            ...rest,
+            timestamp: new Date().toISOString()
+        }, this.customMaskingKeys));
+    }
+}
+exports.SecurityAuditLogger = SecurityAuditLogger;
+exports.auditLogger = new SecurityAuditLogger();
+/* eslint-enable no-console */

package/dist/repositories/contracts.d.ts

@@ -0,0 +1,21 @@
+import { User, MagicLinkRow, MagicLinkToken, CreateUserInput, SafeUser } from "../types";
+export interface UserRepository {
+    create(input: CreateUserInput): Promise<SafeUser>;
+    findByEmail(email: string): Promise<User | null>;
+    findById(id: string | number): Promise<User | null>;
+    findByUsername?(username: string): Promise<User | null>;
+    updatePassword(userId: string | number, passwordHash: string): Promise<boolean>;
+}
+export interface MagicLinkRepository {
+    create(data: {
+        userId: string | number;
+        tokenHash: string;
+        expiresAt: Date;
+    }): Promise<MagicLinkToken>;
+    findAll(): Promise<MagicLinkRow[]>;
+    findByTokenHash(tokenHash: string): Promise<MagicLinkToken | null>;
+    findById(id: string | number): Promise<MagicLinkToken | null>;
+    consume(id: string | number): Promise<boolean>;
+    invalidateByUserId(userId: string | number): Promise<boolean>;
+    deleteByUserId(userId: string | number): Promise<boolean>;
+}

package/dist/repositories/contracts.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/repositories/mongo/magicLink.repo.d.ts

@@ -0,0 +1,26 @@
+import { Collection } from "mongodb";
+import { MagicLinkToken, MagicLinkRow, IMongoMagicLinkDoc } from "../../types";
+import { MagicLinkRepository } from "../contracts";
+export declare class MongoMagicLinkRepo implements MagicLinkRepository {
+    private collection;
+    constructor(collection: Collection<IMongoMagicLinkDoc>);
+    /** Create a new magic link token */
+    create(token: {
+        userId: string | number;
+        tokenHash: string;
+        expiresAt: Date;
+        usedAt?: Date | null;
+    }): Promise<MagicLinkToken>;
+    /** Find token by its hash */
+    findByTokenHash(tokenHash: string): Promise<MagicLinkToken | null>;
+    /** Find token by its ID */
+    findById(id: string | number): Promise<MagicLinkToken | null>;
+    /** Mark a token as used */
+    consume(id: string | number): Promise<boolean>;
+    /** Delete existing tokens for a user */
+    deleteByUserId(userId: string | number): Promise<boolean>;
+    /** Invalidate existing tokens for a user */
+    invalidateByUserId(userId: string | number): Promise<boolean>;
+    /** Return all active tokens as MagicLinkRow (for contracts) */
+    findAll(): Promise<MagicLinkRow[]>;
+}

package/dist/repositories/mongo/magicLink.repo.js

@@ -0,0 +1,106 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MongoMagicLinkRepo = void 0;
+const mongodb_1 = require("mongodb");
+class MongoMagicLinkRepo {
+    constructor(collection) {
+        this.collection = collection;
+    }
+    /** Create a new magic link token */
+    async create(token) {
+        var _a, _b;
+        const now = new Date();
+        // Build the doc
+        const doc = {
+            user_id: new mongodb_1.ObjectId(token.userId.toString()),
+            token: token.tokenHash,
+            expires_at: token.expiresAt,
+            used_at: (_a = token.usedAt) !== null && _a !== void 0 ? _a : null,
+            created_at: now,
+            updated_at: now
+        };
+        const result = await this.collection.insertOne(doc);
+        return {
+            id: result.insertedId.toString(),
+            userId: token.userId,
+            tokenHash: token.tokenHash,
+            expiresAt: token.expiresAt,
+            usedAt: (_b = token.usedAt) !== null && _b !== void 0 ? _b : null,
+            createdAt: now
+        };
+    }
+    /** Find token by its hash */
+    async findByTokenHash(tokenHash) {
+        var _a;
+        const doc = await this.collection.findOne({ token: tokenHash });
+        if (!doc)
+            return null;
+        return {
+            id: doc._id.toString(),
+            userId: doc.user_id.toString(),
+            tokenHash: doc.token,
+            expiresAt: doc.expires_at,
+            usedAt: (_a = doc.used_at) !== null && _a !== void 0 ? _a : null,
+            createdAt: doc.created_at
+        };
+    }
+    /** Find token by its ID */
+    async findById(id) {
+        var _a;
+        let objectId;
+        try {
+            objectId = new mongodb_1.ObjectId(id.toString());
+        }
+        catch {
+            return null;
+        }
+        const doc = await this.collection.findOne({ _id: objectId });
+        if (!doc)
+            return null;
+        return {
+            id: doc._id.toString(),
+            userId: doc.user_id.toString(),
+            tokenHash: doc.token,
+            expiresAt: doc.expires_at,
+            usedAt: (_a = doc.used_at) !== null && _a !== void 0 ? _a : null,
+            createdAt: doc.created_at
+        };
+    }
+    /** Mark a token as used */
+    async consume(id) {
+        const result = await this.collection.updateOne({ _id: new mongodb_1.ObjectId(id.toString()), used_at: null }, { $set: { used_at: new Date(), updated_at: new Date() } });
+        return result.modifiedCount > 0;
+    }
+    /** Delete existing tokens for a user */
+    async deleteByUserId(userId) {
+        const result = await this.collection.deleteMany({ user_id: new mongodb_1.ObjectId(userId.toString()) });
+        return result.deletedCount > 0;
+    }
+    /** Invalidate existing tokens for a user */
+    async invalidateByUserId(userId) {
+        const filter = { user_id: new mongodb_1.ObjectId(userId.toString()), used_at: null };
+        await this.collection.updateMany(filter, {
+            $set: { used_at: new Date(), updated_at: new Date() }
+        });
+        // Confirm no active tokens remain
+        const remainingCount = await this.collection.countDocuments(filter);
+        return remainingCount === 0;
+    }
+    /** Return all active tokens as MagicLinkRow (for contracts) */
+    async findAll() {
+        const now = new Date();
+        const docs = await this.collection.find({ expires_at: { $gt: now }, used_at: null }).toArray();
+        return docs.map((doc) => {
+            var _a;
+            return ({
+                id: doc._id.toString(),
+                user_id: doc.user_id.toString(),
+                token: doc.token,
+                expires_at: doc.expires_at,
+                used_at: (_a = doc.used_at) !== null && _a !== void 0 ? _a : null,
+                created_at: doc.created_at
+            });
+        });
+    }
+}
+exports.MongoMagicLinkRepo = MongoMagicLinkRepo;

package/dist/repositories/mongo/user.repo.d.ts

@@ -0,0 +1,16 @@
+import { CreateUserInput, IMongoUserDoc } from "../../types";
+import { User } from "../../types/index";
+import { UserRepository } from "../contracts";
+import { Collection } from "mongodb";
+/**
+ * MongoDB implementation of UserRepository
+ */
+export declare class MongoUserRepo implements UserRepository {
+    private collection;
+    constructor(collection: Collection<IMongoUserDoc>);
+    create(input: CreateUserInput): Promise<User>;
+    findByEmail(email: string): Promise<User | null>;
+    findById(id: string): Promise<User | null>;
+    findByUsername(username: string): Promise<User | null>;
+    updatePassword(userId: string | number, passwordHash: string): Promise<boolean>;
+}