@saulo.martins/backend-auth 1.0.2

package/dist/dto/change-password.dto.js

@@ -0,0 +1,38 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChangePasswordDto = void 0;
+const class_validator_1 = require("class-validator");
+class ChangePasswordDto {
+}
+exports.ChangePasswordDto = ChangePasswordDto;
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6),
+    __metadata("design:type", String)
+], ChangePasswordDto.prototype, "currentPassword", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], ChangePasswordDto.prototype, "currentClientHash", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6),
+    __metadata("design:type", String)
+], ChangePasswordDto.prototype, "newPassword", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], ChangePasswordDto.prototype, "newClientHash", void 0);

package/dist/dto/forgot-password.dto.d.ts

@@ -0,0 +1,3 @@
+export declare class ForgotPasswordDto {
+    email: string;
+}

package/dist/dto/forgot-password.dto.js

@@ -0,0 +1,20 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ForgotPasswordDto = void 0;
+const class_validator_1 = require("class-validator");
+class ForgotPasswordDto {
+}
+exports.ForgotPasswordDto = ForgotPasswordDto;
+__decorate([
+    (0, class_validator_1.IsEmail)(),
+    __metadata("design:type", String)
+], ForgotPasswordDto.prototype, "email", void 0);

package/dist/dto/login.dto.d.ts

@@ -0,0 +1,5 @@
+export declare class LoginDto {
+    email: string;
+    password?: string;
+    clientHash?: string;
+}

package/dist/dto/login.dto.js

@@ -0,0 +1,31 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LoginDto = void 0;
+const class_validator_1 = require("class-validator");
+class LoginDto {
+}
+exports.LoginDto = LoginDto;
+__decorate([
+    (0, class_validator_1.IsEmail)(),
+    __metadata("design:type", String)
+], LoginDto.prototype, "email", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6),
+    __metadata("design:type", String)
+], LoginDto.prototype, "password", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], LoginDto.prototype, "clientHash", void 0);

package/dist/dto/reset-password.dto.d.ts

@@ -0,0 +1,5 @@
+export declare class ResetPasswordDto {
+    token: string;
+    password?: string;
+    clientHash?: string;
+}

package/dist/dto/reset-password.dto.js

@@ -0,0 +1,31 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ResetPasswordDto = void 0;
+const class_validator_1 = require("class-validator");
+class ResetPasswordDto {
+}
+exports.ResetPasswordDto = ResetPasswordDto;
+__decorate([
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], ResetPasswordDto.prototype, "token", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6),
+    __metadata("design:type", String)
+], ResetPasswordDto.prototype, "password", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], ResetPasswordDto.prototype, "clientHash", void 0);

package/dist/dto/signup.dto.d.ts

@@ -0,0 +1,11 @@
+export declare class SignupDto {
+    email: string;
+    password?: string;
+    clientHash?: string;
+    firstName?: string;
+    lastName?: string;
+    phoneCountryCode?: string;
+    phoneNumber?: string;
+    /** When set, the host app should link customer/company profile rows via `AuthUsersServiceContract.onSignupComplete`. */
+    userType?: 'customer' | 'company';
+}

package/dist/dto/signup.dto.js

@@ -0,0 +1,56 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SignupDto = void 0;
+const class_validator_1 = require("class-validator");
+class SignupDto {
+}
+exports.SignupDto = SignupDto;
+__decorate([
+    (0, class_validator_1.IsEmail)(),
+    __metadata("design:type", String)
+], SignupDto.prototype, "email", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6),
+    __metadata("design:type", String)
+], SignupDto.prototype, "password", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], SignupDto.prototype, "clientHash", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], SignupDto.prototype, "firstName", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], SignupDto.prototype, "lastName", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], SignupDto.prototype, "phoneCountryCode", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], SignupDto.prototype, "phoneNumber", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsIn)(['customer', 'company']),
+    __metadata("design:type", String)
+], SignupDto.prototype, "userType", void 0);

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+export * from './auth.module';
+export * from './auth.service';
+export * from './auth.controller';
+export * from './jwt.strategy';
+export * from './jwt-optional.guard';
+export * from './contracts';
+export * from './tokens';
+export * from './dto/signup.dto';
+export * from './dto/login.dto';
+export * from './dto/forgot-password.dto';
+export * from './dto/reset-password.dto';
+export * from './dto/change-password.dto';

package/dist/index.js

@@ -0,0 +1,28 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./auth.module"), exports);
+__exportStar(require("./auth.service"), exports);
+__exportStar(require("./auth.controller"), exports);
+__exportStar(require("./jwt.strategy"), exports);
+__exportStar(require("./jwt-optional.guard"), exports);
+__exportStar(require("./contracts"), exports);
+__exportStar(require("./tokens"), exports);
+__exportStar(require("./dto/signup.dto"), exports);
+__exportStar(require("./dto/login.dto"), exports);
+__exportStar(require("./dto/forgot-password.dto"), exports);
+__exportStar(require("./dto/reset-password.dto"), exports);
+__exportStar(require("./dto/change-password.dto"), exports);

package/dist/jwt-optional.guard.d.ts

@@ -0,0 +1,7 @@
+import { ExecutionContext } from '@nestjs/common';
+declare const JwtOptionalGuard_base: import("@nestjs/passport").Type<import("@nestjs/passport").IAuthGuard>;
+export declare class JwtOptionalGuard extends JwtOptionalGuard_base {
+    handleRequest<TUser = unknown>(err: unknown, user: unknown, _info: unknown, _context: ExecutionContext, _status?: unknown): TUser;
+    canActivate(context: ExecutionContext): boolean | Promise<boolean> | import("rxjs").Observable<boolean>;
+}
+export {};

package/dist/jwt-optional.guard.js

@@ -0,0 +1,31 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtOptionalGuard = void 0;
+const common_1 = require("@nestjs/common");
+const passport_1 = require("@nestjs/passport");
+let JwtOptionalGuard = class JwtOptionalGuard extends (0, passport_1.AuthGuard)('jwt') {
+    handleRequest(err, user, _info, _context, _status) {
+        if (err) {
+            return null;
+        }
+        return (user ?? null);
+    }
+    canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const authHeader = request.headers['authorization'];
+        if (!authHeader) {
+            return true;
+        }
+        return super.canActivate(context);
+    }
+};
+exports.JwtOptionalGuard = JwtOptionalGuard;
+exports.JwtOptionalGuard = JwtOptionalGuard = __decorate([
+    (0, common_1.Injectable)()
+], JwtOptionalGuard);

package/dist/jwt.strategy.d.ts

@@ -0,0 +1,13 @@
+import { Strategy } from 'passport-jwt';
+declare const JwtStrategy_base: new (...args: any[]) => Strategy;
+export declare class JwtStrategy extends JwtStrategy_base {
+    constructor();
+    validate(payload: {
+        sub: string;
+        email: string;
+    }): Promise<{
+        userId: string;
+        email: string;
+    }>;
+}
+export {};

package/dist/jwt.strategy.js

@@ -0,0 +1,32 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtStrategy = void 0;
+const common_1 = require("@nestjs/common");
+const passport_1 = require("@nestjs/passport");
+const passport_jwt_1 = require("passport-jwt");
+let JwtStrategy = class JwtStrategy extends (0, passport_1.PassportStrategy)(passport_jwt_1.Strategy) {
+    constructor() {
+        super({
+            jwtFromRequest: passport_jwt_1.ExtractJwt.fromAuthHeaderAsBearerToken(),
+            ignoreExpiration: false,
+            secretOrKey: process.env.JWT_SECRET || 'dev-secret'
+        });
+    }
+    async validate(payload) {
+        return { userId: payload.sub, email: payload.email };
+    }
+};
+exports.JwtStrategy = JwtStrategy;
+exports.JwtStrategy = JwtStrategy = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [])
+], JwtStrategy);

package/dist/tokens.d.ts

@@ -0,0 +1,2 @@
+export declare const AUTH_USERS_SERVICE: unique symbol;
+export declare const AUTH_EMAIL_SERVICE: unique symbol;

package/dist/tokens.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AUTH_EMAIL_SERVICE = exports.AUTH_USERS_SERVICE = void 0;
+exports.AUTH_USERS_SERVICE = Symbol('AUTH_USERS_SERVICE');
+exports.AUTH_EMAIL_SERVICE = Symbol('AUTH_EMAIL_SERVICE');

package/jest.config.cjs

@@ -0,0 +1,10 @@
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  roots: ['<rootDir>/src'],
+  moduleFileExtensions: ['ts', 'js', 'json'],
+  transform: {
+    '^.+\\.ts$': 'ts-jest'
+  }
+};
+

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@saulo.martins/backend-auth",
+  "version": "1.0.2",
+  "private": false,
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "jest"
+  },
+  "dependencies": {
+    "@nestjs/common": "^10.4.15",
+    "@nestjs/jwt": "^10.2.0",
+    "@nestjs/passport": "^10.0.3",
+    "passport": "^0.7.0",
+    "passport-jwt": "^4.0.1",
+    "reflect-metadata": "^0.2.2",
+    "rxjs": "^7.8.1"
+  },
+  "devDependencies": {
+    "@nestjs/testing": "^10.4.15",
+    "@types/jest": "^29.5.14",
+    "@types/node": "^22.10.5",
+    "@types/passport-jwt": "^4.0.1",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.2.5",
+    "typescript": "^5.7.3"
+  },
+  "peerDependencies": {
+    "@nestjs/core": "^10.4.15"
+  }
+}
+

package/src/auth.controller.ts

@@ -0,0 +1,77 @@
+import { Body, Controller, Get, Patch, Post, Req, UseGuards } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { Request } from 'express';
+import { AuthService } from './auth.service';
+import { SignupDto } from './dto/signup.dto';
+import { LoginDto } from './dto/login.dto';
+import { ChangePasswordDto } from './dto/change-password.dto';
+import { ForgotPasswordDto } from './dto/forgot-password.dto';
+import { ResetPasswordDto } from './dto/reset-password.dto';
+
+interface JwtUser {
+  userId: string;
+  email: string;
+}
+
+@Controller('auth')
+export class AuthController {
+  constructor(private readonly authService: AuthService) {}
+
+  @Post('signup')
+  signup(@Body() dto: SignupDto) {
+    return this.authService.signup(dto);
+  }
+
+  @Post('login')
+  login(@Body() dto: LoginDto) {
+    return this.authService.login(dto);
+  }
+
+  @Get('me')
+  @UseGuards(AuthGuard('jwt'))
+  getMe(@Req() req: Request & { user: JwtUser }) {
+    return this.authService.getMe(req.user.userId);
+  }
+
+  @Patch('me')
+  @UseGuards(AuthGuard('jwt'))
+  async patchMe(
+    @Req() req: Request & { user: JwtUser },
+    @Body() body: { preferredLanguage?: string }
+  ) {
+    if (body.preferredLanguage != null) {
+      await this.authService.updatePreferredLanguage(
+        req.user.userId,
+        body.preferredLanguage
+      );
+      return { preferredLanguage: body.preferredLanguage };
+    }
+  }
+
+  @Patch('change-password')
+  @UseGuards(AuthGuard('jwt'))
+  changePassword(
+    @Req() req: Request & { user: JwtUser },
+    @Body() dto: ChangePasswordDto
+  ) {
+    return this.authService.changePassword(req.user.userId, dto);
+  }
+
+  @Post('forgot-password')
+  forgotPassword(
+    @Body() dto: ForgotPasswordDto,
+    @Req() req: Request
+  ) {
+    // The caller should set X-Frontend-Base-Url if necessary; otherwise this can be overridden at service level.
+    const headerBase =
+      (req.headers['x-frontend-base-url'] as string | undefined) ?? '';
+    const base = headerBase || '';
+    return this.authService.forgotPassword(dto.email, base);
+  }
+
+  @Post('reset-password')
+  resetPassword(@Body() dto: ResetPasswordDto) {
+    return this.authService.resetPassword(dto);
+  }
+}
+

package/src/auth.module.ts

@@ -0,0 +1,35 @@
+import { Module } from '@nestjs/common';
+import { JwtModule } from '@nestjs/jwt';
+import { PassportModule } from '@nestjs/passport';
+import { AuthService } from './auth.service';
+import { AuthController } from './auth.controller';
+import { JwtStrategy } from './jwt.strategy';
+import { AUTH_EMAIL_SERVICE, AUTH_USERS_SERVICE } from './tokens';
+import { AuthEmailServiceContract, AuthUsersServiceContract } from './contracts';
+
+@Module({
+  imports: [
+    PassportModule,
+    JwtModule.register({
+      global: true,
+      secret: process.env.JWT_SECRET || 'dev-secret',
+      signOptions: { expiresIn: '1h' }
+    })
+  ],
+  providers: [
+    AuthService,
+    JwtStrategy,
+    {
+      provide: AUTH_USERS_SERVICE,
+      useValue: null as unknown as AuthUsersServiceContract
+    },
+    {
+      provide: AUTH_EMAIL_SERVICE,
+      useValue: null as unknown as AuthEmailServiceContract
+    }
+  ],
+  controllers: [AuthController],
+  exports: [AuthService, AUTH_USERS_SERVICE, AUTH_EMAIL_SERVICE]
+})
+export class AuthModule {}
+

package/src/auth.service.spec.ts

@@ -0,0 +1,129 @@
+import { JwtService } from '@nestjs/jwt';
+import { AuthService, ApiError } from './auth.service';
+import { AUTH_EMAIL_SERVICE, AUTH_USERS_SERVICE } from './tokens';
+import { AuthEmailServiceContract, AuthUsersServiceContract } from './contracts';
+
+class FakeUsersService implements AuthUsersServiceContract {
+  private users = new Map<string, { id: string; email: string; passwordScheme: 'sha256' | 'plain'; password: string }>();
+
+  async findByEmail(email: string) {
+    for (const u of this.users.values()) {
+      if (u.email === email) {
+        return {
+          id: u.id,
+          email: u.email,
+          passwordScheme: u.passwordScheme
+        };
+      }
+    }
+    return null;
+  }
+
+  async findById(id: string) {
+    const u = this.users.get(id);
+    return u ? { id: u.id, email: u.email, passwordScheme: u.passwordScheme } : null;
+  }
+
+  async create(input: {
+    email: string;
+    password: string;
+    passwordScheme: 'sha256' | 'plain';
+  }) {
+    const id = (this.users.size + 1).toString();
+    this.users.set(id, { id, email: input.email, passwordScheme: input.passwordScheme, password: input.password });
+    return { id, email: input.email, passwordScheme: input.passwordScheme };
+  }
+
+  async verifyCredentials(email: string, rawPasswordOrHash: string): Promise<void> {
+    const user = await this.findByEmail(email);
+    if (!user) throw new Error('not found');
+    const stored = Array.from(this.users.values()).find((u) => u.id === user.id);
+    if (!stored || stored.password !== rawPasswordOrHash) {
+      throw new Error('invalid credentials');
+    }
+  }
+
+  async upgradeToClientHash(userId: string, clientHash: string): Promise<void> {
+    const u = this.users.get(userId);
+    if (u) {
+      u.password = clientHash;
+      u.passwordScheme = 'sha256';
+    }
+  }
+
+  async setPasswordPlain(userId: string, plainPassword: string): Promise<void> {
+    const u = this.users.get(userId);
+    if (u) {
+      u.password = plainPassword;
+      u.passwordScheme = 'plain';
+    }
+  }
+
+  async updatePreferredLanguage(): Promise<void> {
+    // no-op for tests
+  }
+
+  async createPasswordReset() {
+    return {
+      id: '1',
+      userId: '1',
+      token: 'token',
+      expiresAt: new Date(),
+      usedAt: null
+    };
+  }
+
+  async findValidPasswordReset() {
+    return null;
+  }
+
+  async markPasswordResetUsed(): Promise<void> {
+    // no-op
+  }
+}
+
+class FakeEmailService implements AuthEmailServiceContract {
+  public sent: { email: string; link: string }[] = [];
+  async sendPasswordResetEmail(email: string, resetLink: string): Promise<void> {
+    this.sent.push({ email, link: resetLink });
+  }
+}
+
+describe('AuthService', () => {
+  const users = new FakeUsersService();
+  const email = new FakeEmailService();
+  const jwt = new JwtService({ secret: 'test-secret' });
+  const service = new AuthService(
+    // Inject via tokens in real Nest app; here we pass directly
+    (users as unknown) as any,
+    (email as unknown) as any,
+    jwt
+  );
+
+  it('signs up new user with clientHash', async () => {
+    const token = await service.signup({
+      email: 'john@example.com',
+      clientHash: 'hash',
+      password: undefined
+    } as any);
+
+    expect(typeof token.accessToken).toBe('string');
+  });
+
+  it('prevents duplicate email signup', async () => {
+    await expect(
+      service.signup({
+        email: 'john@example.com',
+        clientHash: 'hash2',
+        password: undefined
+      } as any)
+    ).rejects.toBeInstanceOf(ApiError);
+  });
+
+  it('requires credentials on login', async () => {
+    await expect(
+      service.login({ email: 'unknown@example.com' } as any)
+    ).rejects.toBeInstanceOf(ApiError);
+  });
+});
+