@saulo.martins/backend-auth 1.0.2

package/dist/auth.controller.d.ts

@@ -0,0 +1,43 @@
+import { Request } from 'express';
+import { AuthService } from './auth.service';
+import { SignupDto } from './dto/signup.dto';
+import { LoginDto } from './dto/login.dto';
+import { ChangePasswordDto } from './dto/change-password.dto';
+import { ForgotPasswordDto } from './dto/forgot-password.dto';
+import { ResetPasswordDto } from './dto/reset-password.dto';
+interface JwtUser {
+    userId: string;
+    email: string;
+}
+export declare class AuthController {
+    private readonly authService;
+    constructor(authService: AuthService);
+    signup(dto: SignupDto): Promise<{
+        accessToken: string;
+    }>;
+    login(dto: LoginDto): Promise<{
+        accessToken: string;
+    }>;
+    getMe(req: Request & {
+        user: JwtUser;
+    }): Promise<import("./auth.service").ProfileResponse>;
+    patchMe(req: Request & {
+        user: JwtUser;
+    }, body: {
+        preferredLanguage?: string;
+    }): Promise<{
+        preferredLanguage: string;
+    } | undefined>;
+    changePassword(req: Request & {
+        user: JwtUser;
+    }, dto: ChangePasswordDto): Promise<{
+        accessToken: string;
+    }>;
+    forgotPassword(dto: ForgotPasswordDto, req: Request): Promise<{
+        message: string;
+    }>;
+    resetPassword(dto: ResetPasswordDto): Promise<{
+        accessToken: string;
+    }>;
+}
+export {};

package/dist/auth.controller.js

@@ -0,0 +1,115 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthController = void 0;
+const common_1 = require("@nestjs/common");
+const passport_1 = require("@nestjs/passport");
+const auth_service_1 = require("./auth.service");
+const signup_dto_1 = require("./dto/signup.dto");
+const login_dto_1 = require("./dto/login.dto");
+const change_password_dto_1 = require("./dto/change-password.dto");
+const forgot_password_dto_1 = require("./dto/forgot-password.dto");
+const reset_password_dto_1 = require("./dto/reset-password.dto");
+let AuthController = class AuthController {
+    constructor(authService) {
+        this.authService = authService;
+    }
+    signup(dto) {
+        return this.authService.signup(dto);
+    }
+    login(dto) {
+        return this.authService.login(dto);
+    }
+    getMe(req) {
+        return this.authService.getMe(req.user.userId);
+    }
+    async patchMe(req, body) {
+        if (body.preferredLanguage != null) {
+            await this.authService.updatePreferredLanguage(req.user.userId, body.preferredLanguage);
+            return { preferredLanguage: body.preferredLanguage };
+        }
+    }
+    changePassword(req, dto) {
+        return this.authService.changePassword(req.user.userId, dto);
+    }
+    forgotPassword(dto, req) {
+        // The caller should set X-Frontend-Base-Url if necessary; otherwise this can be overridden at service level.
+        const headerBase = req.headers['x-frontend-base-url'] ?? '';
+        const base = headerBase || '';
+        return this.authService.forgotPassword(dto.email, base);
+    }
+    resetPassword(dto) {
+        return this.authService.resetPassword(dto);
+    }
+};
+exports.AuthController = AuthController;
+__decorate([
+    (0, common_1.Post)('signup'),
+    __param(0, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [signup_dto_1.SignupDto]),
+    __metadata("design:returntype", void 0)
+], AuthController.prototype, "signup", null);
+__decorate([
+    (0, common_1.Post)('login'),
+    __param(0, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [login_dto_1.LoginDto]),
+    __metadata("design:returntype", void 0)
+], AuthController.prototype, "login", null);
+__decorate([
+    (0, common_1.Get)('me'),
+    (0, common_1.UseGuards)((0, passport_1.AuthGuard)('jwt')),
+    __param(0, (0, common_1.Req)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", void 0)
+], AuthController.prototype, "getMe", null);
+__decorate([
+    (0, common_1.Patch)('me'),
+    (0, common_1.UseGuards)((0, passport_1.AuthGuard)('jwt')),
+    __param(0, (0, common_1.Req)()),
+    __param(1, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:returntype", Promise)
+], AuthController.prototype, "patchMe", null);
+__decorate([
+    (0, common_1.Patch)('change-password'),
+    (0, common_1.UseGuards)((0, passport_1.AuthGuard)('jwt')),
+    __param(0, (0, common_1.Req)()),
+    __param(1, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, change_password_dto_1.ChangePasswordDto]),
+    __metadata("design:returntype", void 0)
+], AuthController.prototype, "changePassword", null);
+__decorate([
+    (0, common_1.Post)('forgot-password'),
+    __param(0, (0, common_1.Body)()),
+    __param(1, (0, common_1.Req)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [forgot_password_dto_1.ForgotPasswordDto, Object]),
+    __metadata("design:returntype", void 0)
+], AuthController.prototype, "forgotPassword", null);
+__decorate([
+    (0, common_1.Post)('reset-password'),
+    __param(0, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [reset_password_dto_1.ResetPasswordDto]),
+    __metadata("design:returntype", void 0)
+], AuthController.prototype, "resetPassword", null);
+exports.AuthController = AuthController = __decorate([
+    (0, common_1.Controller)('auth'),
+    __metadata("design:paramtypes", [auth_service_1.AuthService])
+], AuthController);

package/dist/auth.module.d.ts

@@ -0,0 +1,2 @@
+export declare class AuthModule {
+}

package/dist/auth.module.js

@@ -0,0 +1,45 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthModule = void 0;
+const common_1 = require("@nestjs/common");
+const jwt_1 = require("@nestjs/jwt");
+const passport_1 = require("@nestjs/passport");
+const auth_service_1 = require("./auth.service");
+const auth_controller_1 = require("./auth.controller");
+const jwt_strategy_1 = require("./jwt.strategy");
+const tokens_1 = require("./tokens");
+let AuthModule = class AuthModule {
+};
+exports.AuthModule = AuthModule;
+exports.AuthModule = AuthModule = __decorate([
+    (0, common_1.Module)({
+        imports: [
+            passport_1.PassportModule,
+            jwt_1.JwtModule.register({
+                global: true,
+                secret: process.env.JWT_SECRET || 'dev-secret',
+                signOptions: { expiresIn: '1h' }
+            })
+        ],
+        providers: [
+            auth_service_1.AuthService,
+            jwt_strategy_1.JwtStrategy,
+            {
+                provide: tokens_1.AUTH_USERS_SERVICE,
+                useValue: null
+            },
+            {
+                provide: tokens_1.AUTH_EMAIL_SERVICE,
+                useValue: null
+            }
+        ],
+        controllers: [auth_controller_1.AuthController],
+        exports: [auth_service_1.AuthService, tokens_1.AUTH_USERS_SERVICE, tokens_1.AUTH_EMAIL_SERVICE]
+    })
+], AuthModule);

package/dist/auth.service.d.ts

@@ -0,0 +1,51 @@
+import { JwtService } from '@nestjs/jwt';
+import { AuthEmailServiceContract, AuthUsersServiceContract } from './contracts';
+import { SignupDto } from './dto/signup.dto';
+import { LoginDto } from './dto/login.dto';
+import { ChangePasswordDto } from './dto/change-password.dto';
+import { ResetPasswordDto } from './dto/reset-password.dto';
+export type ProfileResponse = {
+    id: string;
+    email: string;
+    firstName: string | null;
+    lastName: string | null;
+    phoneCountryCode: string | null;
+    phoneNumber: string | null;
+    preferredLanguage: string | null;
+    isAdmin: boolean;
+    isCustomer: boolean;
+    isCompany: boolean;
+};
+export declare class ApiError extends Error {
+    readonly status: number;
+    readonly code?: string | undefined;
+    constructor(status: number, message: string, code?: string | undefined);
+}
+export declare class AuthService {
+    private readonly usersService;
+    private readonly emailService;
+    private readonly jwtService;
+    constructor(usersService: AuthUsersServiceContract, emailService: AuthEmailServiceContract, jwtService: JwtService);
+    signup(dto: SignupDto): Promise<{
+        accessToken: string;
+    }>;
+    login(dto: LoginDto): Promise<{
+        accessToken: string;
+    }>;
+    tokenForUser(userId: string, email: string): Promise<{
+        accessToken: string;
+    }>;
+    getMe(userId: string): Promise<ProfileResponse>;
+    private profileWithRoles;
+    updatePreferredLanguage(userId: string, preferredLanguage: string): Promise<void>;
+    changePassword(userId: string, dto: ChangePasswordDto): Promise<{
+        accessToken: string;
+    }>;
+    forgotPassword(email: string, frontendBaseUrl: string): Promise<{
+        message: string;
+    }>;
+    resetPassword(dto: ResetPasswordDto): Promise<{
+        accessToken: string;
+    }>;
+    private buildToken;
+}

package/dist/auth.service.js

@@ -0,0 +1,243 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthService = exports.ApiError = void 0;
+const common_1 = require("@nestjs/common");
+const jwt_1 = require("@nestjs/jwt");
+const crypto = __importStar(require("crypto"));
+const tokens_1 = require("./tokens");
+class ApiError extends Error {
+    constructor(status, message, code) {
+        super(message);
+        this.status = status;
+        this.code = code;
+    }
+}
+exports.ApiError = ApiError;
+function badRequest(message, code) {
+    return new ApiError(400, message, code);
+}
+function unauthorized(message, code) {
+    return new ApiError(401, message, code);
+}
+function toBaseProfile(user) {
+    return {
+        id: user.id,
+        email: user.email,
+        firstName: user.firstName ?? null,
+        lastName: user.lastName ?? null,
+        phoneCountryCode: user.phoneCountryCode ?? null,
+        phoneNumber: user.phoneNumber ?? null,
+        preferredLanguage: user.preferredLanguage ?? null
+    };
+}
+function isAdminFromEnv(email) {
+    const adminEmails = (process.env.ADMIN_EMAILS ?? '')
+        .split(',')
+        .map((e) => e.trim().toLowerCase())
+        .filter(Boolean);
+    return adminEmails.length > 0 && adminEmails.includes(email.toLowerCase());
+}
+let AuthService = class AuthService {
+    constructor(usersService, emailService, jwtService) {
+        this.usersService = usersService;
+        this.emailService = emailService;
+        this.jwtService = jwtService;
+    }
+    async signup(dto) {
+        const raw = dto.clientHash ?? dto.password;
+        if (!raw) {
+            throw badRequest('Send clientHash (SHA-256 of password) or password', 'SEND_CLIENT_HASH_OR_PASSWORD');
+        }
+        const existing = await this.usersService.findByEmail(dto.email);
+        if (existing) {
+            throw unauthorized('Email is already in use', 'EMAIL_ALREADY_IN_USE');
+        }
+        const passwordScheme = dto.clientHash ? 'sha256' : 'plain';
+        const user = await this.usersService.create({
+            email: dto.email,
+            password: raw,
+            passwordScheme,
+            firstName: dto.firstName,
+            lastName: dto.lastName,
+            phoneCountryCode: dto.phoneCountryCode,
+            phoneNumber: dto.phoneNumber
+        });
+        if (this.usersService.onSignupComplete) {
+            await this.usersService.onSignupComplete(user.id, {
+                userType: dto.userType,
+                firstName: dto.firstName,
+                lastName: dto.lastName
+            });
+        }
+        return this.buildToken(user.id, user.email);
+    }
+    async login(dto) {
+        if (!dto.clientHash && !dto.password) {
+            throw badRequest('Send clientHash or password', 'SEND_CLIENT_HASH_OR_PASSWORD');
+        }
+        const user = await this.usersService.findByEmail(dto.email);
+        if (!user) {
+            throw unauthorized('Invalid email or password', 'INVALID_EMAIL_OR_PASSWORD');
+        }
+        const scheme = user.passwordScheme ?? 'plain';
+        const valueToCompare = scheme === 'sha256' ? dto.clientHash : dto.password;
+        if (!valueToCompare) {
+            throw unauthorized(scheme === 'sha256'
+                ? 'Login requires clientHash (password hashed on client).'
+                : 'Resend your password for this device.', 'LOGIN_REQUIRES_CLIENT_HASH_OR_PASSWORD');
+        }
+        await this.usersService.verifyCredentials(dto.email, valueToCompare);
+        if (scheme === 'plain' && dto.clientHash && dto.password) {
+            await this.usersService.upgradeToClientHash(user.id, dto.clientHash);
+        }
+        return this.buildToken(user.id, user.email);
+    }
+    async tokenForUser(userId, email) {
+        return this.buildToken(userId, email);
+    }
+    async getMe(userId) {
+        const user = await this.usersService.findById(userId);
+        if (!user) {
+            throw unauthorized('User not found', 'USER_NOT_FOUND');
+        }
+        return this.profileWithRoles(user);
+    }
+    async profileWithRoles(user) {
+        const base = toBaseProfile(user);
+        let isCustomer = false;
+        let isCompany = false;
+        if (this.usersService.getProfileRoles) {
+            const roles = await this.usersService.getProfileRoles(user.id);
+            isCustomer = roles.isCustomer;
+            isCompany = roles.isCompany;
+        }
+        return {
+            ...base,
+            isAdmin: isAdminFromEnv(user.email),
+            isCustomer,
+            isCompany
+        };
+    }
+    async updatePreferredLanguage(userId, preferredLanguage) {
+        await this.usersService.updatePreferredLanguage(userId, preferredLanguage);
+    }
+    async changePassword(userId, dto) {
+        const user = await this.usersService.findById(userId);
+        if (!user) {
+            throw unauthorized('User not found', 'USER_NOT_FOUND');
+        }
+        const scheme = user.passwordScheme ?? 'plain';
+        const currentRaw = scheme === 'sha256' ? dto.currentClientHash : dto.currentPassword;
+        const newRaw = dto.newClientHash ?? dto.newPassword;
+        if (!currentRaw || !newRaw) {
+            throw badRequest(scheme === 'sha256'
+                ? 'Send currentClientHash and newClientHash'
+                : 'Send currentPassword and newPassword (or use clientHash)', 'SEND_CURRENT_AND_NEW_PASSWORD');
+        }
+        await this.usersService.verifyCredentials(user.email, currentRaw);
+        if (scheme === 'sha256') {
+            await this.usersService.upgradeToClientHash(userId, newRaw);
+        }
+        else {
+            await this.usersService.setPasswordPlain(userId, newRaw);
+        }
+        return this.buildToken(userId, user.email);
+    }
+    async forgotPassword(email, frontendBaseUrl) {
+        const user = await this.usersService.findByEmail(email);
+        if (!user) {
+            return {
+                message: 'If this email exists in our system, you will receive instructions to reset your password.'
+            };
+        }
+        const token = crypto.randomBytes(32).toString('hex');
+        const expiresAt = new Date(Date.now() + 60 * 60 * 1000);
+        await this.usersService.createPasswordReset(user.id, token, expiresAt);
+        const baseUrl = frontendBaseUrl.replace(/\/+$/, '');
+        const resetLink = `${baseUrl}/reset-password?token=${encodeURIComponent(token)}`;
+        await this.emailService.sendPasswordResetEmail(user.email, resetLink);
+        return {
+            message: 'If this email exists in our system, you will receive instructions to reset your password.'
+        };
+    }
+    async resetPassword(dto) {
+        const record = await this.usersService.findValidPasswordReset(dto.token);
+        if (!record) {
+            throw badRequest('Invalid or expired reset token.', 'INVALID_OR_EXPIRED_RESET_TOKEN');
+        }
+        const user = await this.usersService.findById(record.userId);
+        if (!user) {
+            throw badRequest('User not found for this token.', 'USER_NOT_FOUND_FOR_TOKEN');
+        }
+        const raw = dto.clientHash ?? dto.password;
+        if (!raw) {
+            throw badRequest('Send clientHash (SHA-256 of password) or password.', 'SEND_CLIENT_HASH_OR_PASSWORD');
+        }
+        const passwordScheme = dto.clientHash ? 'sha256' : 'plain';
+        if (passwordScheme === 'sha256') {
+            await this.usersService.upgradeToClientHash(user.id, raw);
+        }
+        else {
+            await this.usersService.setPasswordPlain(user.id, raw);
+        }
+        await this.usersService.markPasswordResetUsed(record.id);
+        return this.buildToken(user.id, user.email);
+    }
+    async buildToken(userId, email) {
+        const payload = { sub: userId, email };
+        const accessToken = await this.jwtService.signAsync(payload);
+        return { accessToken };
+    }
+};
+exports.AuthService = AuthService;
+exports.AuthService = AuthService = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Inject)(tokens_1.AUTH_USERS_SERVICE)),
+    __param(1, (0, common_1.Inject)(tokens_1.AUTH_EMAIL_SERVICE)),
+    __metadata("design:paramtypes", [Object, Object, jwt_1.JwtService])
+], AuthService);

package/dist/auth.service.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/auth.service.spec.js

@@ -0,0 +1,105 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const jwt_1 = require("@nestjs/jwt");
+const auth_service_1 = require("./auth.service");
+class FakeUsersService {
+    constructor() {
+        this.users = new Map();
+    }
+    async findByEmail(email) {
+        for (const u of this.users.values()) {
+            if (u.email === email) {
+                return {
+                    id: u.id,
+                    email: u.email,
+                    passwordScheme: u.passwordScheme
+                };
+            }
+        }
+        return null;
+    }
+    async findById(id) {
+        const u = this.users.get(id);
+        return u ? { id: u.id, email: u.email, passwordScheme: u.passwordScheme } : null;
+    }
+    async create(input) {
+        const id = (this.users.size + 1).toString();
+        this.users.set(id, { id, email: input.email, passwordScheme: input.passwordScheme, password: input.password });
+        return { id, email: input.email, passwordScheme: input.passwordScheme };
+    }
+    async verifyCredentials(email, rawPasswordOrHash) {
+        const user = await this.findByEmail(email);
+        if (!user)
+            throw new Error('not found');
+        const stored = Array.from(this.users.values()).find((u) => u.id === user.id);
+        if (!stored || stored.password !== rawPasswordOrHash) {
+            throw new Error('invalid credentials');
+        }
+    }
+    async upgradeToClientHash(userId, clientHash) {
+        const u = this.users.get(userId);
+        if (u) {
+            u.password = clientHash;
+            u.passwordScheme = 'sha256';
+        }
+    }
+    async setPasswordPlain(userId, plainPassword) {
+        const u = this.users.get(userId);
+        if (u) {
+            u.password = plainPassword;
+            u.passwordScheme = 'plain';
+        }
+    }
+    async updatePreferredLanguage() {
+        // no-op for tests
+    }
+    async createPasswordReset() {
+        return {
+            id: '1',
+            userId: '1',
+            token: 'token',
+            expiresAt: new Date(),
+            usedAt: null
+        };
+    }
+    async findValidPasswordReset() {
+        return null;
+    }
+    async markPasswordResetUsed() {
+        // no-op
+    }
+}
+class FakeEmailService {
+    constructor() {
+        this.sent = [];
+    }
+    async sendPasswordResetEmail(email, resetLink) {
+        this.sent.push({ email, link: resetLink });
+    }
+}
+describe('AuthService', () => {
+    const users = new FakeUsersService();
+    const email = new FakeEmailService();
+    const jwt = new jwt_1.JwtService({ secret: 'test-secret' });
+    const service = new auth_service_1.AuthService(
+    // Inject via tokens in real Nest app; here we pass directly
+    users, email, jwt);
+    it('signs up new user with clientHash', async () => {
+        const token = await service.signup({
+            email: 'john@example.com',
+            clientHash: 'hash',
+            password: undefined
+        });
+        expect(typeof token.accessToken).toBe('string');
+    });
+    it('prevents duplicate email signup', async () => {
+        await expect(service.signup({
+            email: 'john@example.com',
+            clientHash: 'hash2',
+            password: undefined
+        })).rejects.toBeInstanceOf(auth_service_1.ApiError);
+    });
+    it('requires credentials on login', async () => {
+        await expect(service.login({ email: 'unknown@example.com' })).rejects.toBeInstanceOf(auth_service_1.ApiError);
+    });
+});

package/dist/contracts.d.ts

@@ -0,0 +1,59 @@
+export type AuthUserProfile = {
+    id: string;
+    email: string;
+    firstName?: string | null;
+    lastName?: string | null;
+    phoneCountryCode?: string | null;
+    phoneNumber?: string | null;
+    preferredLanguage?: string | null;
+    passwordScheme?: 'sha256' | 'plain' | null;
+};
+export type PasswordResetRecord = {
+    id: string;
+    userId: string;
+    token: string;
+    expiresAt: Date;
+    usedAt: Date | null;
+};
+/** Payload passed to {@link AuthUsersServiceContract.onSignupComplete} after the user row exists. */
+export type SignupFollowUpPayload = {
+    userType?: 'customer' | 'company';
+    firstName?: string;
+    lastName?: string;
+};
+export interface AuthUsersServiceContract {
+    findByEmail(email: string): Promise<AuthUserProfile | null>;
+    findById(id: string): Promise<AuthUserProfile | null>;
+    create(input: {
+        email: string;
+        password: string;
+        passwordScheme: 'sha256' | 'plain';
+        firstName?: string | null;
+        lastName?: string | null;
+        phoneCountryCode?: string | null;
+        phoneNumber?: string | null;
+    }): Promise<AuthUserProfile>;
+    verifyCredentials(email: string, rawPasswordOrHash: string): Promise<void>;
+    upgradeToClientHash(userId: string, clientHash: string): Promise<void>;
+    setPasswordPlain(userId: string, plainPassword: string): Promise<void>;
+    updatePreferredLanguage(userId: string, preferredLanguage: string): Promise<void>;
+    createPasswordReset(userId: string, token: string, expiresAt: Date): Promise<PasswordResetRecord>;
+    findValidPasswordReset(token: string): Promise<PasswordResetRecord | null>;
+    markPasswordResetUsed(resetId: string): Promise<void>;
+    /**
+     * Optional: create domain rows after signup (e.g. CustomerUser / CompanyUser).
+     * Implement in the host app when using `userType` on signup.
+     */
+    onSignupComplete?(userId: string, payload: SignupFollowUpPayload): Promise<void>;
+    /**
+     * Optional: resolve customer vs company flags for `/auth/me`.
+     * If omitted, both default to `false` (admin still uses `ADMIN_EMAILS`).
+     */
+    getProfileRoles?(userId: string): Promise<{
+        isCustomer: boolean;
+        isCompany: boolean;
+    }>;
+}
+export interface AuthEmailServiceContract {
+    sendPasswordResetEmail(email: string, resetLink: string): Promise<void>;
+}

package/dist/contracts.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/dto/change-password.dto.d.ts

@@ -0,0 +1,6 @@
+export declare class ChangePasswordDto {
+    currentPassword?: string;
+    currentClientHash?: string;
+    newPassword?: string;
+    newClientHash?: string;
+}