@rineex/auth-core 0.1.0 → 0.1.1

package/eslint.config.mjs

@@ -1,59 +0,0 @@
-import config from '@rineex/eslint-config/base';
-import db from '@rineex/eslint-config/db';
-
-export default [
-  ...config,
-  ...db,
-
-  {
-    rules: {
-      '@typescript-eslint/class-literal-property-style': ['off'],
-      '@typescript-eslint/consistent-type-definitions': ['off'],
-      '@typescript-eslint/consistent-type-imports': 'off',
-      '@typescript-eslint/no-extraneous-class': 'off',
-      'max-params': ['error', 5],
-    },
-  },
-  {
-    rules: {
-      'perfectionist/sort-imports': [
-        'error',
-        {
-          groups: [
-            'builtin', // Node.js built-in modules (e.g., 'fs', 'path')
-            'external', // External dependencies (e.g., 'react', 'lodash')
-            'nestjs',
-            'common', // Your custom group for '@/common/*'
-            'internal', // Other internal imports (e.g., '~/components/Button')
-            'parent', // Parent directory imports (e.g., '../utils')
-            'sibling', // Same directory imports (e.g., './config')
-            'index', // Index file imports (e.g., './')
-          ],
-          customGroups: {
-            value: {
-              nestjs: '@nestjs/*',
-              common: '@/*', // Matches imports like '@/common/utils', '@/common/helpers', etc.
-            },
-          },
-
-          newlinesBetween: 'always',
-          type: 'line-length',
-
-          order: 'desc',
-        },
-      ],
-      'perfectionist/sort-objects': [
-        'error',
-        {
-          type: 'line-length',
-          order: 'desc',
-        },
-      ],
-
-      'perfectionist/sort-decorators': [
-        'error',
-        { type: 'line-length', order: 'desc' },
-      ],
-    },
-  },
-];

package/src/application/mfa/events/challenge-issue-observability.event.ts

@@ -1,18 +0,0 @@
-import { ObservabilityEvent } from '@/types/observability-event';
-
-export class ChallengeIssueObservabilityEvent extends ObservabilityEvent {
-  constructor(params: {
-    sessionId: string;
-    challengeType: string;
-    success?: boolean;
-  }) {
-    super({
-      payload: {
-        challengeType: params.challengeType,
-        sessionId: params.sessionId,
-        success: params.success,
-      },
-      name: 'authentication.mfa.challenge.issued',
-    });
-  }
-}

package/src/application/mfa/events/session-started-observability.event.ts

@@ -1,18 +0,0 @@
-import { ObservabilityEvent } from '@/types/observability-event';
-
-export class SessionStartedObservabilityEvent extends ObservabilityEvent {
-  constructor(params: {
-    sessionId: string;
-    identityId: string;
-    reused?: boolean;
-  }) {
-    super({
-      payload: {
-        reused: params.reused ?? false,
-        identityId: params.identityId,
-        sessionId: params.sessionId,
-      },
-      name: 'authentication.mfa.session.started',
-    });
-  }
-}

package/src/application/mfa/events/verification-failed-observability.event.ts

@@ -1,14 +0,0 @@
-import { ObservabilityEvent } from '@/types/observability-event';
-
-export class VerificationFailedObservabilityEvent extends ObservabilityEvent {
-  constructor(sessionId: string, reasonCode: string) {
-    super({
-      payload: {
-        reasonCode,
-        sessionId,
-      },
-      name: 'authentication.mfa.verification_failed',
-      occurredAt: new Date(),
-    });
-  }
-}

package/src/application/mfa/events/verification-succeeded-observibility.event.ts

@@ -1,12 +0,0 @@
-import { ObservabilityEvent } from '@/types/observability-event';
-
-export class VerificationSucceededObservabilityEvent extends ObservabilityEvent {
-  constructor(params: { sessionId: string }) {
-    super({
-      payload: {
-        sessionId: params.sessionId,
-      },
-      name: 'authentication.mfa.verification.succeeded',
-    });
-  }
-}

package/src/application/mfa/issue-mfa-challenge.application-service.ts

@@ -1,75 +0,0 @@
-import { ObservabilityEventPort } from '@/ports/observability/observability-event.port';
-import { MfaSessionRepository } from '@/ports/mfa/mfa-session-repository.port';
-import { MfaSessionId } from '@/domain/mfa/value-objects/mfa-session-id.vo';
-import { MFAChallenge } from '@/domain/mfa/entities/mfa-challenge.entity';
-import { ApplicationServicePort, Result } from '@rineex/ddd';
-import { MfaClock } from '@/ports/mfa/mfa-clock.port';
-import { LoggerPort } from '@/ports/log/log.port';
-
-import { ChallengeIssueObservabilityEvent } from './events/challenge-issue-observability.event';
-
-type IssueMfaChallengeInput = {
-  sessionId: MfaSessionId;
-  challenge: MFAChallenge;
-};
-
-type IssueMfaChallengeOutput = Result<void, never>;
-
-export class IssueMfaChallengeApplicationService implements ApplicationServicePort<
-  IssueMfaChallengeInput,
-  IssueMfaChallengeOutput
-> {
-  constructor(
-    private readonly repository: MfaSessionRepository,
-    private readonly clock: MfaClock,
-    private readonly logger: LoggerPort,
-    private readonly events: ObservabilityEventPort,
-  ) {}
-
-  async execute({
-    challenge,
-    sessionId,
-  }: IssueMfaChallengeInput): Promise<IssueMfaChallengeOutput> {
-    try {
-      const session = await this.repository.findById(sessionId);
-
-      if (!session) {
-        this.logger.warn('MFA session not found', { sessionId });
-        throw new Error('MFA session not found'); // app-layer error
-      }
-
-      session.issueChallenge(challenge, this.clock.now());
-
-      await this.repository.save(session);
-
-      this.logger.info('MFA challenge issued', {
-        sessionId: sessionId.toString(),
-        challengeType: challenge,
-      });
-
-      this.events.emit(
-        new ChallengeIssueObservabilityEvent({
-          challengeType: challenge.props.challengeType,
-          sessionId: sessionId.toString(),
-          success: true,
-        }),
-      );
-
-      return Result.ok(undefined);
-    } catch (error) {
-      this.events.emit(
-        new ChallengeIssueObservabilityEvent({
-          challengeType: challenge.props.challengeType,
-          sessionId: sessionId.toString(),
-          success: false,
-        }),
-      );
-
-      this.logger.error('Error issuing MFA challenge', {
-        sessionId: sessionId.toString(),
-        error,
-      });
-      return Result.fail(error as never);
-    }
-  }
-}

package/src/application/mfa/start-mfa-session.application-service.ts

@@ -1,90 +0,0 @@
-import { ObservabilityEventPort } from '@/ports/observability/observability-event.port';
-import { MfaSessionIdGenerator } from '@/ports/mfa/mfa-session-id-generator.port';
-import { MfaSessionRepository } from '@/ports/mfa/mfa-session-repository.port';
-import { MFASession } from '@/domain/mfa/aggregates/mfa-session.aggregate';
-import { ApplicationServicePort, Result } from '@rineex/ddd';
-import { LoggerPort } from '@/ports/log/log.port';
-import { IdentityId } from '@/index';
-
-import { VerificationFailedObservabilityEvent } from './events/verification-failed-observability.event';
-import { SessionStartedObservabilityEvent } from './events/session-started-observability.event';
-
-type StartMFASessionInput = {
-  identityId: IdentityId;
-  maxAttempts: number;
-};
-
-type StartMFASessionOutput = Result<MFASession, never>;
-
-export class StartMfaSessionApplicationService implements ApplicationServicePort<
-  StartMFASessionInput,
-  StartMFASessionOutput
-> {
-  constructor(
-    private readonly repository: MfaSessionRepository,
-    private readonly idGenerator: MfaSessionIdGenerator,
-    private readonly logger: LoggerPort,
-    private readonly events: ObservabilityEventPort,
-  ) {}
-
-  async execute(args: StartMFASessionInput): Promise<StartMFASessionOutput> {
-    try {
-      const existing = await this.repository.findActiveByIdentity(
-        args.identityId,
-      );
-
-      if (existing) {
-        this.logger.info('MFA session reused', {
-          identityId: args.identityId.toString(),
-        });
-
-        this.events.emit(
-          new SessionStartedObservabilityEvent({
-            identityId: args.identityId.toString(),
-            sessionId: existing.id.toString(),
-            reused: true,
-          }),
-        );
-
-        return Result.ok(existing);
-      }
-
-      const session = new MFASession({
-        id: this.idGenerator.generate(),
-        maxAttempts: args.maxAttempts,
-        identityId: args.identityId,
-        attemptsUsed: 0,
-        challenges: [],
-      });
-
-      await this.repository.save(session);
-
-      this.logger.info('MFA session started', {
-        identityId: args.identityId.toString(),
-        sessionId: session.id.toString(),
-      });
-
-      this.events.emit(
-        new SessionStartedObservabilityEvent({
-          identityId: args.identityId.toString(),
-          sessionId: session.id.toString(),
-          reused: false,
-        }),
-      );
-
-      return Result.ok(session);
-    } catch (violation) {
-      this.events.emit(
-        new VerificationFailedObservabilityEvent(
-          args.identityId.toString(),
-          violation instanceof Error
-            ? violation.message
-            : 'START_MFA_SESSION_ERROR',
-        ),
-      );
-
-      this.logger.error('Error starting MFA session', { violation, ...args });
-      return Result.fail(violation as never);
-    }
-  }
-}

package/src/application/mfa/verify-mfa.application-service.ts

@@ -1,61 +0,0 @@
-import { ObservabilityEventPort } from '@/ports/observability/observability-event.port';
-import { MfaSessionRepository } from '@/ports/mfa/mfa-session-repository.port';
-import { MfaSessionId } from '@/domain/mfa/value-objects/mfa-session-id.vo';
-import { ApplicationServicePort, Result } from '@rineex/ddd';
-import { MfaClock } from '@/ports/mfa/mfa-clock.port';
-import { LoggerPort } from '@/ports/log/log.port';
-
-import { VerificationSucceededObservabilityEvent } from './events/verification-succeeded-observibility.event';
-import { VerificationFailedObservabilityEvent } from './events/verification-failed-observability.event';
-
-type VerifyMFAInput = {
-  sessionId: MfaSessionId;
-};
-
-type VerifyMFAOutput = Result<void, never>;
-
-export class VerifyMfaApplicationService implements ApplicationServicePort<
-  VerifyMFAInput,
-  VerifyMFAOutput
-> {
-  constructor(
-    private readonly repository: MfaSessionRepository,
-    private readonly clock: MfaClock,
-    private readonly events: ObservabilityEventPort,
-
-    private readonly logger: LoggerPort,
-  ) {}
-
-  async execute({ sessionId }: VerifyMFAInput): Promise<VerifyMFAOutput> {
-    try {
-      const session = await this.repository.findById(sessionId);
-
-      if (!session) {
-        throw new Error('MFA session not found');
-      }
-
-      session.markAttempt();
-      session.verify(this.clock.now());
-
-      await this.repository.save(session);
-
-      this.events.emit(
-        new VerificationSucceededObservabilityEvent({
-          sessionId: session.id.toString(),
-        }),
-      );
-
-      return Result.ok(undefined);
-    } catch (error) {
-      this.events.emit(
-        new VerificationFailedObservabilityEvent(
-          sessionId.toString(),
-          // eslint-disable-next-line @typescript-eslint/no-unsafe-argument, @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-member-access
-          (error as any).code ?? 'UNKNOWN',
-        ),
-      );
-      this.logger?.error('Error verifying MFA session', { sessionId, error });
-      return Result.fail(error as never);
-    }
-  }
-}

package/src/application/services/auth-orchestrator.service.ts

@@ -1,77 +0,0 @@
-import { AuthenticationAttemptRepositoryPort } from '@/ports/outbound/authentication-attempt.repository.port';
-import { DomainEventPublisherPort } from '@/ports/outbound/domain-event-publisher.port';
-import { StartAuthenticationCommand } from '@/ports/inbound/start-auth.command';
-import { AuthAttemptId, AuthenticationAttempt, AuthMethod } from '@/domain';
-import { AuthMethodPort } from '@/ports/inbound/auth-method.port';
-import { AuthMethodName } from '@/types/auth-method.type';
-import { ApplicationServicePort } from '@rineex/ddd';
-
-/**
- * Application service responsible for orchestrating authentication flows.
- *
- * This service:
- * - Coordinates domain objects
- * - Delegates authentication to method modules
- * - Remains stateless and deterministic
- *
- * It is safe to use in:
- * - HTTP servers
- * - Workers
- * - Serverless
- * - CLI tools
- */
-export class AuthOrchestratorService implements ApplicationServicePort<
-  StartAuthenticationCommand,
-  AuthAttemptId
-> {
-  constructor(
-    private readonly authMethods: readonly AuthMethodPort[],
-    private readonly attemptRepository: AuthenticationAttemptRepositoryPort,
-    private readonly eventPublisher: DomainEventPublisherPort,
-    private readonly idGenerator: () => AuthAttemptId,
-  ) {}
-
-  /**
-   * Starts a new authentication flow.
-   *
-   * @throws Error if method is not registered
-   */
-  async execute({
-    identityId,
-    context,
-    method,
-  }: StartAuthenticationCommand): Promise<AuthAttemptId> {
-    const authMethod = this.resolveAuthMethod(method);
-
-    const attemptId = this.idGenerator();
-
-    const attempt = AuthenticationAttempt.start(
-      attemptId,
-      AuthMethod.create(method),
-      identityId,
-    );
-
-    await this.attemptRepository.save(attempt);
-
-    await this.eventPublisher.publish(attempt.pullDomainEvents());
-
-    await authMethod.authenticate(context);
-
-    return attemptId;
-  }
-
-  /**
-   * Resolves an authentication method implementation.
-   *
-   * Fail-fast behavior is intentional for security reasons.
-   */
-  private resolveAuthMethod(method: AuthMethodName): AuthMethodPort {
-    const resolved = this.authMethods.find(m => m.method.is(method));
-
-    if (!resolved) {
-      throw new Error(`Authentication method not registered: ${method}`);
-    }
-
-    return resolved;
-  }
-}

package/src/application/services/oauth-authorize.service.ts

@@ -1,12 +0,0 @@
-import { ApplicationServicePort } from '@rineex/ddd';
-
-export class OAuthAuthorizeService implements ApplicationServicePort<any, any> {
-  constructor(
-    private readonly authorizationRepository: AuthorizationRepository,
-    private readonly clientRepository: ClientRepository,
-  ) {}
-
-  async execute(command: any): Promise<any> {
-    // Implementation goes here
-  }
-}

package/src/domain/identity/aggregates/authentication-attempt.aggregate.ts

@@ -1,136 +0,0 @@
-import { AggregateRoot, CreateEntityProps } from '@rineex/ddd';
-
-import { AuthenticationSucceededEvent } from '../events/authentication-succeeded.event';
-import { AuthenticationStartedEvent } from '../events/authentication-started.event';
-import { AuthenticationFailedEvent } from '../events/authentication-failed.event';
-import { AuthAttemptId } from '../value-objects/auth-attempt-id.vo';
-import { AuthStatus } from '../value-objects/auth-status.vo';
-import { AuthMethod } from '../value-objects/auth-method.vo';
-import { IdentityId } from '../value-objects/identity-id.vo';
-
-interface AuthenticationAttemptProps extends CreateEntityProps<AuthAttemptId> {
-  status: AuthStatus;
-  method: AuthMethod;
-  identityId?: IdentityId;
-}
-
-/**
- * Aggregate Root representing a single authentication attempt.
- *
- * Responsibilities:
- * - Enforce authentication lifecycle invariants
- * - Emit auditable domain events
- * - Prevent invalid state transitions
- *
- * This aggregate DOES NOT:
- * - Perform authentication
- * - Talk to infrastructure
- * - Know about HTTP or sessions
- */
-export class AuthenticationAttempt extends AggregateRoot<AuthAttemptId> {
-  /**
-   * Current status of the authentication attempt.
-   */
-  private _status: AuthStatus;
-  /**
-   * Method used for authentication.
-   */
-  private _method: AuthMethod;
-  /**
-   * Optional identity being authenticated.
-   */
-  private _identityId?: IdentityId;
-
-  private constructor({ createdAt, id, ...props }: AuthenticationAttemptProps) {
-    super({
-      createdAt,
-      id,
-    });
-    this._status = props.status;
-    this._method = props.method;
-    this._identityId = props.identityId;
-  }
-
-  toObject(): Record<string, unknown> {
-    return {
-      identityId: this._identityId.getValue(),
-      createdAt: this.createdAt,
-      id: this.id.getValue(),
-      status: this._status,
-      method: this._method,
-    };
-  }
-
-  /**
-   * Factory method to start a new authentication attempt.
-   */
-  static start(
-    id: AuthAttemptId,
-    method: AuthMethod,
-    identityId?: IdentityId,
-  ): AuthenticationAttempt {
-    const attempt = new AuthenticationAttempt({
-      status: AuthStatus.create('PENDING'),
-      identityId,
-      method,
-      id,
-    });
-
-    attempt.addEvent(new AuthenticationStartedEvent(id, method));
-
-    return attempt;
-  }
-
-  /**
-   * Marks the authentication attempt as successful.
-   *
-   * @throws Error if already completed
-   */
-  succeed(): void {
-    if (this._status.isNot('PENDING')) {
-      throw new Error('Authentication attempt already completed');
-    }
-
-    this.mutate(draft => {
-      draft._status = AuthStatus.create('SUCCEEDED');
-    });
-
-    this.addEvent(new AuthenticationSucceededEvent(this.id));
-  }
-
-  /**
-   * Marks the authentication attempt as failed.
-   *
-   * @throws Error if already completed
-   */
-  fail(reason: string): void {
-    if (this._status.isNot('PENDING')) {
-      throw new Error('Authentication attempt already completed');
-    }
-
-    if (!reason || reason.length < 3) {
-      throw new Error('Failure reason must be provided');
-    }
-
-    this.mutate(draft => {
-      draft._status = AuthStatus.create('FAILED');
-    });
-
-    this.addEvent(new AuthenticationFailedEvent(this.id));
-  }
-
-  /**
-   * Aggregate invariant validation.
-   *
-   * Called automatically before domain events are added.
-   */
-  validate(): void {
-    if (!this._method) {
-      throw new Error('AuthenticationAttempt must have a method');
-    }
-
-    if (!this._status) {
-      throw new Error('AuthenticationAttempt must have a status');
-    }
-  }
-}

package/src/domain/identity/aggregates/index.ts

@@ -1 +0,0 @@
-export * from './authentication-attempt.aggregate';