npm - @scryan7371/sdr-security - Versions diffs - 0.1.2 → 0.1.4 - Mend

@scryan7371/sdr-security 0.1.2 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/dist/nest/security-auth.service.js CHANGED Viewed

@@ -17,6 +17,7 @@ const common_1 = require("@nestjs/common");
 const crypto_1 = require("crypto");
 const bcryptjs_1 = require("bcryptjs");
 const jsonwebtoken_1 = require("jsonwebtoken");
+const uuid_1 = require("uuid");
 const typeorm_1 = require("@nestjs/typeorm");
 const typeorm_2 = require("typeorm");
 const roles_1 = require("../api/roles");
@@ -26,21 +27,24 @@ const app_user_entity_1 = require("./entities/app-user.entity");
 const password_reset_token_entity_1 = require("./entities/password-reset-token.entity");
 const refresh_token_entity_1 = require("./entities/refresh-token.entity");
 const security_role_entity_1 = require("./entities/security-role.entity");
+const security_user_entity_1 = require("./entities/security-user.entity");
 const security_user_role_entity_1 = require("./entities/security-user-role.entity");
 const tokens_1 = require("./tokens");
 const EMAIL_TOKEN_BYTES = 24;
 const REFRESH_TOKEN_BYTES = 32;
 const PASSWORD_ROUNDS = 12;
 let SecurityAuthService = class SecurityAuthService {
-    usersRepo;
+    appUsersRepo;
+    securityUsersRepo;
     refreshTokenRepo;
     passwordResetRepo;
     rolesRepo;
     userRolesRepo;
     options;
     notifier;
-    constructor(usersRepo, refreshTokenRepo, passwordResetRepo, rolesRepo, userRolesRepo, options, notifier) {
-        this.usersRepo = usersRepo;
+    constructor(appUsersRepo, securityUsersRepo, refreshTokenRepo, passwordResetRepo, rolesRepo, userRolesRepo, options, notifier) {
+        this.appUsersRepo = appUsersRepo;
+        this.securityUsersRepo = securityUsersRepo;
         this.refreshTokenRepo = refreshTokenRepo;
         this.passwordResetRepo = passwordResetRepo;
         this.rolesRepo = rolesRepo;
@@ -50,45 +54,53 @@ let SecurityAuthService = class SecurityAuthService {
     }
     async register(params) {
         const email = (0, validation_1.sanitizeEmail)(params.email);
-        const existing = await this.usersRepo.findOne({ where: { email } });
+        const existing = await this.appUsersRepo.findOne({ where: { email } });
         if (existing) {
             throw new common_1.BadRequestException("Email already in use");
         }
-        const user = await this.usersRepo.save(this.usersRepo.create({
+        const appUser = await this.appUsersRepo.save(this.appUsersRepo.create({
+            id: (0, uuid_1.v7)(),
             email,
+        }));
+        const securityUser = await this.securityUsersRepo.save(this.securityUsersRepo.create({
+            userId: appUser.id,
             passwordHash: await (0, bcryptjs_1.hash)(params.password, PASSWORD_ROUNDS),
-            firstName: params.firstName ?? null,
-            lastName: params.lastName ?? null,
             emailVerifiedAt: null,
             emailVerificationToken: null,
             adminApprovedAt: null,
             isActive: true,
         }));
-        const verificationToken = await this.createEmailVerificationToken(user.id);
+        const verificationToken = await this.createEmailVerificationToken(appUser.id);
         if (this.notifier.sendEmailVerification) {
             await this.notifier.sendEmailVerification({
-                email: user.email,
+                email: appUser.email,
                 token: verificationToken,
             });
         }
         return {
             success: true,
-            user: await this.toSafeUser(user),
+            user: await this.toSafeUser(appUser, securityUser),
             debugToken: verificationToken,
         };
     }
     async login(params) {
         const email = (0, validation_1.sanitizeEmail)(params.email);
-        const user = await this.usersRepo.findOne({ where: { email } });
-        if (!user) {
+        const appUser = await this.appUsersRepo.findOne({ where: { email } });
+        if (!appUser) {
+            throw new common_1.UnauthorizedException("Invalid credentials");
+        }
+        const securityUser = await this.securityUsersRepo.findOne({
+            where: { userId: appUser.id },
+        });
+        if (!securityUser) {
             throw new common_1.UnauthorizedException("Invalid credentials");
         }
-        const ok = await (0, bcryptjs_1.compare)(params.password, user.passwordHash);
+        const ok = await (0, bcryptjs_1.compare)(params.password, securityUser.passwordHash);
         if (!ok) {
             throw new common_1.UnauthorizedException("Invalid credentials");
         }
-        this.assertCanAuthenticate(user);
-        return this.issueTokens(user);
+        this.assertCanAuthenticate(securityUser);
+        return this.issueTokens(appUser, securityUser);
     }
     async refresh(refreshToken) {
         const record = await this.findValidRefreshToken(refreshToken);
@@ -96,14 +108,20 @@ let SecurityAuthService = class SecurityAuthService {
             throw new common_1.UnauthorizedException("Invalid refresh token");
         }
         await this.refreshTokenRepo.update({ id: record.id }, { revokedAt: new Date() });
-        const user = await this.usersRepo.findOne({
+        const appUser = await this.appUsersRepo.findOne({
             where: { id: record.userId ?? "" },
         });
-        if (!user) {
+        if (!appUser) {
             throw new common_1.UnauthorizedException("User not found");
         }
-        this.assertCanAuthenticate(user);
-        return this.issueTokens(user);
+        const securityUser = await this.securityUsersRepo.findOne({
+            where: { userId: appUser.id },
+        });
+        if (!securityUser) {
+            throw new common_1.UnauthorizedException("User not found");
+        }
+        this.assertCanAuthenticate(securityUser);
+        return this.issueTokens(appUser, securityUser);
     }
     async logout(refreshToken) {
         if (!refreshToken) {
@@ -116,34 +134,43 @@ let SecurityAuthService = class SecurityAuthService {
         return { success: true };
     }
     async changePassword(params) {
-        const user = await this.usersRepo.findOne({ where: { id: params.userId } });
-        if (!user) {
+        const securityUser = await this.securityUsersRepo.findOne({
+            where: { userId: params.userId },
+        });
+        if (!securityUser) {
             throw new common_1.BadRequestException("User not found");
         }
-        const ok = await (0, bcryptjs_1.compare)(params.currentPassword, user.passwordHash);
+        const ok = await (0, bcryptjs_1.compare)(params.currentPassword, securityUser.passwordHash);
         if (!ok) {
             throw new common_1.UnauthorizedException("Current password is incorrect");
         }
-        await this.usersRepo.update({ id: user.id }, { passwordHash: await (0, bcryptjs_1.hash)(params.newPassword, PASSWORD_ROUNDS) });
+        await this.securityUsersRepo.update({ userId: securityUser.userId }, { passwordHash: await (0, bcryptjs_1.hash)(params.newPassword, PASSWORD_ROUNDS) });
         return { success: true };
     }
     async requestForgotPassword(emailInput) {
         const email = (0, validation_1.sanitizeEmail)(emailInput);
-        const user = await this.usersRepo.findOne({ where: { email } });
-        if (!user) {
+        const appUser = await this.appUsersRepo.findOne({ where: { email } });
+        if (!appUser) {
+            return { success: true };
+        }
+        const securityUser = await this.securityUsersRepo.findOne({
+            where: { userId: appUser.id },
+        });
+        if (!securityUser) {
             return { success: true };
         }
         const token = (0, crypto_1.randomBytes)(EMAIL_TOKEN_BYTES).toString("hex");
         const expiresAt = new Date(Date.now() +
             (this.options.passwordResetTokenExpiresInMinutes ?? 30) * 60_000);
         await this.passwordResetRepo.save(this.passwordResetRepo.create({
-            userId: user.id,
+            id: (0, uuid_1.v7)(),
+            userId: appUser.id,
             token,
             expiresAt,
             usedAt: null,
         }));
         if (this.notifier.sendPasswordReset) {
-            await this.notifier.sendPasswordReset({ email: user.email, token });
+            await this.notifier.sendPasswordReset({ email: appUser.email, token });
         }
         return { success: true };
     }
@@ -152,23 +179,29 @@ let SecurityAuthService = class SecurityAuthService {
         if (!reset || reset.usedAt || reset.expiresAt.getTime() <= Date.now()) {
             throw new common_1.BadRequestException("Invalid password reset token");
         }
-        await this.usersRepo.update({ id: reset.userId }, { passwordHash: await (0, bcryptjs_1.hash)(newPassword, PASSWORD_ROUNDS) });
+        await this.securityUsersRepo.update({ userId: reset.userId }, { passwordHash: await (0, bcryptjs_1.hash)(newPassword, PASSWORD_ROUNDS) });
         await this.passwordResetRepo.update({ id: reset.id }, { usedAt: new Date() });
         return { success: true };
     }
     async verifyEmailByToken(token) {
-        const user = await this.usersRepo.findOne({
+        const user = await this.securityUsersRepo.findOne({
             where: { emailVerificationToken: token },
         });
         if (!user) {
             throw new common_1.BadRequestException("Invalid verification token");
         }
-        await this.usersRepo.update({ id: user.id }, { emailVerifiedAt: new Date(), emailVerificationToken: null });
+        await this.securityUsersRepo.update({ userId: user.userId }, { emailVerifiedAt: new Date(), emailVerificationToken: null });
         return { success: true };
     }
     async getMyRoles(userId) {
         return { userId, roles: await this.getUserRoleKeys(userId) };
     }
+    async getUserIdByVerificationToken(token) {
+        const user = await this.securityUsersRepo.findOne({
+            where: { emailVerificationToken: token },
+        });
+        return user?.userId ?? null;
+    }
     assertCanAuthenticate(user) {
         if (!user.isActive) {
             throw new common_1.UnauthorizedException("Account is inactive");
@@ -181,17 +214,17 @@ let SecurityAuthService = class SecurityAuthService {
             throw new common_1.UnauthorizedException("Admin approval required");
         }
     }
-    async issueTokens(user) {
-        const roles = await this.getUserRoleKeys(user.id);
+    async issueTokens(appUser, securityUser) {
+        const roles = await this.getUserRoleKeys(appUser.id);
         const accessTokenExpiresIn = this.options.accessTokenExpiresIn ?? "15m";
-        const accessToken = (0, jsonwebtoken_1.sign)({ sub: user.id, email: user.email, roles }, this.options.jwtSecret, { expiresIn: accessTokenExpiresIn });
+        const accessToken = (0, jsonwebtoken_1.sign)({ sub: appUser.id, email: appUser.email, roles }, this.options.jwtSecret, { expiresIn: accessTokenExpiresIn });
         const refreshToken = (0, crypto_1.randomBytes)(REFRESH_TOKEN_BYTES).toString("hex");
         const refreshTokenHash = await (0, bcryptjs_1.hash)(refreshToken, PASSWORD_ROUNDS);
         const refreshTokenExpiresAt = new Date(Date.now() +
             (this.options.refreshTokenExpiresInDays ?? 30) * 24 * 60 * 60 * 1000);
         await this.refreshTokenRepo.save(this.refreshTokenRepo.create({
-            id: (0, crypto_1.randomUUID)(),
-            userId: user.id,
+            id: (0, uuid_1.v7)(),
+            userId: appUser.id,
             tokenHash: refreshTokenHash,
             expiresAt: refreshTokenExpiresAt,
             revokedAt: null,
@@ -201,12 +234,12 @@ let SecurityAuthService = class SecurityAuthService {
             accessTokenExpiresIn,
             refreshToken,
             refreshTokenExpiresAt,
-            user: await this.toSafeUser(user),
+            user: await this.toSafeUser(appUser, securityUser),
         };
     }
     async createEmailVerificationToken(userId) {
         const token = (0, crypto_1.randomBytes)(EMAIL_TOKEN_BYTES).toString("hex");
-        await this.usersRepo.update({ id: userId }, { emailVerificationToken: token });
+        await this.securityUsersRepo.update({ userId }, { emailVerificationToken: token });
         return token;
     }
     async findValidRefreshToken(token, onlyUnexpired = true) {
@@ -236,18 +269,16 @@ let SecurityAuthService = class SecurityAuthService {
         const roles = await this.rolesRepo.find({ where: { id: (0, typeorm_2.In)(roleIds) } });
         return roles.map((role) => (0, roles_1.normalizeRoleName)(role.roleKey)).sort();
     }
-    async toSafeUser(user) {
+    async toSafeUser(appUser, securityUser) {
         return {
-            id: user.id,
-            email: user.email,
-            firstName: user.firstName,
-            lastName: user.lastName,
+            id: appUser.id,
+            email: appUser.email,
             phone: null,
-            roles: await this.getUserRoleKeys(user.id),
-            emailVerifiedAt: user.emailVerifiedAt,
+            roles: await this.getUserRoleKeys(appUser.id),
+            emailVerifiedAt: securityUser.emailVerifiedAt,
             phoneVerifiedAt: null,
-            adminApprovedAt: user.adminApprovedAt,
-            isActive: user.isActive,
+            adminApprovedAt: securityUser.adminApprovedAt,
+            isActive: securityUser.isActive,
         };
     }
 };
@@ -255,15 +286,17 @@ exports.SecurityAuthService = SecurityAuthService;
 exports.SecurityAuthService = SecurityAuthService = __decorate([
     (0, common_1.Injectable)(),
     __param(0, (0, typeorm_1.InjectRepository)(app_user_entity_1.AppUserEntity)),
-    __param(1, (0, typeorm_1.InjectRepository)(refresh_token_entity_1.RefreshTokenEntity)),
-    __param(2, (0, typeorm_1.InjectRepository)(password_reset_token_entity_1.PasswordResetTokenEntity)),
-    __param(3, (0, typeorm_1.InjectRepository)(security_role_entity_1.SecurityRoleEntity)),
-    __param(4, (0, typeorm_1.InjectRepository)(security_user_role_entity_1.SecurityUserRoleEntity)),
-    __param(5, (0, common_1.Inject)(security_auth_constants_1.SECURITY_AUTH_OPTIONS)),
-    __param(6, (0, common_1.Inject)(tokens_1.SECURITY_WORKFLOW_NOTIFIER)),
+    __param(1, (0, typeorm_1.InjectRepository)(security_user_entity_1.SecurityUserEntity)),
+    __param(2, (0, typeorm_1.InjectRepository)(refresh_token_entity_1.RefreshTokenEntity)),
+    __param(3, (0, typeorm_1.InjectRepository)(password_reset_token_entity_1.PasswordResetTokenEntity)),
+    __param(4, (0, typeorm_1.InjectRepository)(security_role_entity_1.SecurityRoleEntity)),
+    __param(5, (0, typeorm_1.InjectRepository)(security_user_role_entity_1.SecurityUserRoleEntity)),
+    __param(6, (0, common_1.Inject)(security_auth_constants_1.SECURITY_AUTH_OPTIONS)),
+    __param(7, (0, common_1.Inject)(tokens_1.SECURITY_WORKFLOW_NOTIFIER)),
     __metadata("design:paramtypes", [typeorm_2.Repository,
         typeorm_2.Repository,
         typeorm_2.Repository,
         typeorm_2.Repository,
+        typeorm_2.Repository,
         typeorm_2.Repository, Object, Object])
 ], SecurityAuthService);

package/dist/nest/security-auth.service.test.js CHANGED Viewed

@@ -8,11 +8,13 @@ vitest_1.vi.mock("bcryptjs", () => ({
 }));
 vitest_1.vi.mock("crypto", () => ({
     randomBytes: vitest_1.vi.fn(() => ({ toString: () => "token-bytes" })),
-    randomUUID: vitest_1.vi.fn(() => "uuid-1"),
 }));
 vitest_1.vi.mock("jsonwebtoken", () => ({
     sign: vitest_1.vi.fn(() => "signed-access-token"),
 }));
+vitest_1.vi.mock("uuid", () => ({
+    v7: vitest_1.vi.fn(() => "uuid-1"),
+}));
 const bcryptjs_1 = require("bcryptjs");
 const jsonwebtoken_1 = require("jsonwebtoken");
 const security_auth_service_1 = require("./security-auth.service");
@@ -32,22 +34,24 @@ const makeNotifier = () => ({
 const makeUser = () => ({
     id: "user-1",
     email: "user@example.com",
+});
+const makeSecurityUser = () => ({
+    userId: "user-1",
     passwordHash: "hashed:Secret123",
-    firstName: "A",
-    lastName: "B",
     emailVerifiedAt: new Date("2026-01-01T00:00:00.000Z"),
     emailVerificationToken: null,
     adminApprovedAt: new Date("2026-01-01T00:00:00.000Z"),
     isActive: true,
 });
 const setup = () => {
-    const usersRepo = makeRepo();
+    const appUsersRepo = makeRepo();
+    const securityUsersRepo = makeRepo();
     const refreshTokenRepo = makeRepo();
     const passwordResetRepo = makeRepo();
     const rolesRepo = makeRepo();
     const userRolesRepo = makeRepo();
     const notifier = makeNotifier();
-    const service = new security_auth_service_1.SecurityAuthService(usersRepo, refreshTokenRepo, passwordResetRepo, rolesRepo, userRolesRepo, {
+    const service = new security_auth_service_1.SecurityAuthService(appUsersRepo, securityUsersRepo, refreshTokenRepo, passwordResetRepo, rolesRepo, userRolesRepo, {
         jwtSecret: "secret",
         accessTokenExpiresIn: "15m",
         refreshTokenExpiresInDays: 30,
@@ -57,7 +61,8 @@ const setup = () => {
     }, notifier);
     return {
         service,
-        usersRepo,
+        appUsersRepo,
+        securityUsersRepo,
         refreshTokenRepo,
         passwordResetRepo,
         rolesRepo,
@@ -70,30 +75,30 @@ const setup = () => {
         vitest_1.vi.clearAllMocks();
     });
     (0, vitest_1.it)("registers user and sends verification", async () => {
-        const { service, usersRepo, userRolesRepo, rolesRepo, notifier } = setup();
-        usersRepo.findOne.mockResolvedValue(null);
-        usersRepo.save.mockResolvedValue(makeUser());
+        const { service, appUsersRepo, securityUsersRepo, userRolesRepo, rolesRepo, notifier, } = setup();
+        appUsersRepo.findOne.mockResolvedValue(null);
+        appUsersRepo.save.mockResolvedValue(makeUser());
+        securityUsersRepo.save.mockResolvedValue(makeSecurityUser());
         userRolesRepo.find.mockResolvedValue([]);
         rolesRepo.find.mockResolvedValue([]);
         const result = await service.register({
             email: "USER@example.com",
             password: "Secret123",
-            firstName: "A",
-            lastName: "B",
         });
         (0, vitest_1.expect)(result.success).toBe(true);
-        (0, vitest_1.expect)(usersRepo.create).toHaveBeenCalledWith(vitest_1.expect.objectContaining({ email: "user@example.com" }));
+        (0, vitest_1.expect)(appUsersRepo.create).toHaveBeenCalledWith(vitest_1.expect.objectContaining({ email: "user@example.com" }));
         (0, vitest_1.expect)(notifier.sendEmailVerification).toHaveBeenCalled();
     });
     (0, vitest_1.it)("rejects duplicate email on register", async () => {
-        const { service, usersRepo } = setup();
-        usersRepo.findOne.mockResolvedValue(makeUser());
+        const { service, appUsersRepo } = setup();
+        appUsersRepo.findOne.mockResolvedValue(makeUser());
         await (0, vitest_1.expect)(service.register({ email: "user@example.com", password: "Secret123" })).rejects.toBeInstanceOf(common_1.BadRequestException);
     });
     (0, vitest_1.it)("handles login success and auth failures", async () => {
-        const { service, usersRepo, userRolesRepo, rolesRepo, refreshTokenRepo } = setup();
+        const { service, appUsersRepo, securityUsersRepo, userRolesRepo, rolesRepo, refreshTokenRepo, } = setup();
         const user = makeUser();
-        usersRepo.findOne.mockResolvedValue(user);
+        appUsersRepo.findOne.mockResolvedValue(user);
+        securityUsersRepo.findOne.mockResolvedValue(makeSecurityUser());
         userRolesRepo.find.mockResolvedValue([{ roleId: "r1" }]);
         rolesRepo.find.mockResolvedValue([{ id: "r1", roleKey: "admin" }]);
         const auth = await service.login({
@@ -103,27 +108,28 @@ const setup = () => {
         (0, vitest_1.expect)(auth.accessToken).toBe("signed-access-token");
         (0, vitest_1.expect)(jsonwebtoken_1.sign).toHaveBeenCalled();
         (0, vitest_1.expect)(refreshTokenRepo.save).toHaveBeenCalled();
-        usersRepo.findOne.mockResolvedValue(null);
+        appUsersRepo.findOne.mockResolvedValue(null);
         await (0, vitest_1.expect)(service.login({ email: "none@example.com", password: "Secret123" })).rejects.toBeInstanceOf(common_1.UnauthorizedException);
     });
     (0, vitest_1.it)("blocks login when account is inactive or missing approvals", async () => {
-        const { service, usersRepo } = setup();
-        const inactive = { ...makeUser(), isActive: false };
-        usersRepo.findOne.mockResolvedValue(inactive);
-        await (0, vitest_1.expect)(service.login({ email: inactive.email, password: "Secret123" })).rejects.toThrow("Account is inactive");
-        usersRepo.findOne.mockResolvedValue({
-            ...makeUser(),
+        const { service, appUsersRepo, securityUsersRepo } = setup();
+        const inactive = { ...makeSecurityUser(), isActive: false };
+        appUsersRepo.findOne.mockResolvedValue(makeUser());
+        securityUsersRepo.findOne.mockResolvedValue(inactive);
+        await (0, vitest_1.expect)(service.login({ email: "x@example.com", password: "Secret123" })).rejects.toThrow("Account is inactive");
+        securityUsersRepo.findOne.mockResolvedValue({
+            ...makeSecurityUser(),
             emailVerifiedAt: null,
         });
         await (0, vitest_1.expect)(service.login({ email: "x@example.com", password: "Secret123" })).rejects.toThrow("Email verification required");
-        usersRepo.findOne.mockResolvedValue({
-            ...makeUser(),
+        securityUsersRepo.findOne.mockResolvedValue({
+            ...makeSecurityUser(),
             adminApprovedAt: null,
         });
         await (0, vitest_1.expect)(service.login({ email: "x@example.com", password: "Secret123" })).rejects.toThrow("Admin approval required");
     });
     (0, vitest_1.it)("refreshes and revokes tokens", async () => {
-        const { service, usersRepo, refreshTokenRepo, userRolesRepo, rolesRepo } = setup();
+        const { service, appUsersRepo, securityUsersRepo, refreshTokenRepo, userRolesRepo, rolesRepo, } = setup();
         refreshTokenRepo.find.mockResolvedValue([
             {
                 id: "rt1",
@@ -132,7 +138,8 @@ const setup = () => {
                 expiresAt: new Date(Date.now() + 60_000),
             },
         ]);
-        usersRepo.findOne.mockResolvedValue(makeUser());
+        appUsersRepo.findOne.mockResolvedValue(makeUser());
+        securityUsersRepo.findOne.mockResolvedValue(makeSecurityUser());
         userRolesRepo.find.mockResolvedValue([]);
         rolesRepo.find.mockResolvedValue([]);
         const result = await service.refresh("token-bytes");
@@ -144,7 +151,7 @@ const setup = () => {
         });
     });
     (0, vitest_1.it)("rejects invalid refresh token and missing refresh user", async () => {
-        const { service, refreshTokenRepo, usersRepo } = setup();
+        const { service, refreshTokenRepo, appUsersRepo } = setup();
         refreshTokenRepo.find.mockResolvedValue([]);
         await (0, vitest_1.expect)(service.refresh("bad-token")).rejects.toThrow("Invalid refresh token");
         refreshTokenRepo.find.mockResolvedValue([
@@ -155,18 +162,18 @@ const setup = () => {
                 expiresAt: new Date(Date.now() + 60_000),
             },
         ]);
-        usersRepo.findOne.mockResolvedValue(null);
+        appUsersRepo.findOne.mockResolvedValue(null);
         await (0, vitest_1.expect)(service.refresh("token-bytes")).rejects.toThrow("User not found");
     });
     (0, vitest_1.it)("changes password", async () => {
-        const { service, usersRepo } = setup();
-        usersRepo.findOne.mockResolvedValue(makeUser());
+        const { service, securityUsersRepo } = setup();
+        securityUsersRepo.findOne.mockResolvedValue(makeSecurityUser());
         await (0, vitest_1.expect)(service.changePassword({
             userId: "user-1",
             currentPassword: "Secret123",
             newPassword: "NewPass1",
         })).resolves.toEqual({ success: true });
-        usersRepo.findOne.mockResolvedValue(null);
+        securityUsersRepo.findOne.mockResolvedValue(null);
         await (0, vitest_1.expect)(service.changePassword({
             userId: "missing",
             currentPassword: "Secret123",
@@ -174,8 +181,9 @@ const setup = () => {
         })).rejects.toThrow("User not found");
     });
     (0, vitest_1.it)("handles forgot/reset password flow", async () => {
-        const { service, usersRepo, passwordResetRepo, notifier } = setup();
-        usersRepo.findOne.mockResolvedValue(makeUser());
+        const { service, appUsersRepo, securityUsersRepo, passwordResetRepo, notifier, } = setup();
+        appUsersRepo.findOne.mockResolvedValue(makeUser());
+        securityUsersRepo.findOne.mockResolvedValue(makeSecurityUser());
         passwordResetRepo.findOne.mockResolvedValue({
             id: "pr1",
             userId: "user-1",
@@ -193,8 +201,8 @@ const setup = () => {
         });
     });
     (0, vitest_1.it)("returns success for unknown forgot email and rejects bad reset token", async () => {
-        const { service, usersRepo, passwordResetRepo } = setup();
-        usersRepo.findOne.mockResolvedValue(null);
+        const { service, appUsersRepo, passwordResetRepo } = setup();
+        appUsersRepo.findOne.mockResolvedValue(null);
         await (0, vitest_1.expect)(service.requestForgotPassword("none@example.com")).resolves.toEqual({
             success: true,
         });
@@ -210,10 +218,8 @@ const setup = () => {
         await (0, vitest_1.expect)(service.resetPassword("bad", "x")).rejects.toThrow("Invalid password reset token");
     });
     (0, vitest_1.it)("verifies email token and reads user roles", async () => {
-        const { service, usersRepo, userRolesRepo, rolesRepo } = setup();
-        usersRepo.findOne
-            .mockResolvedValueOnce(makeUser())
-            .mockResolvedValueOnce(makeUser());
+        const { service, securityUsersRepo, userRolesRepo, rolesRepo } = setup();
+        securityUsersRepo.findOne.mockResolvedValue(makeSecurityUser());
         userRolesRepo.find.mockResolvedValue([{ roleId: "r1" }]);
         rolesRepo.find.mockResolvedValue([{ id: "r1", roleKey: "coach" }]);
         await (0, vitest_1.expect)(service.verifyEmailByToken("token-bytes")).resolves.toEqual({
@@ -225,8 +231,8 @@ const setup = () => {
         });
     });
     (0, vitest_1.it)("rejects invalid email verification token", async () => {
-        const { service, usersRepo } = setup();
-        usersRepo.findOne.mockResolvedValue(null);
+        const { service, securityUsersRepo } = setup();
+        securityUsersRepo.findOne.mockResolvedValue(null);
         await (0, vitest_1.expect)(service.verifyEmailByToken("missing")).rejects.toThrow("Invalid verification token");
     });
     (0, vitest_1.it)("handles refresh with expired matching token", async () => {

package/dist/nest/security-workflows.module.js CHANGED Viewed

@@ -15,6 +15,7 @@ const security_admin_guard_1 = require("./security-admin.guard");
 const security_jwt_guard_1 = require("./security-jwt.guard");
 const app_user_entity_1 = require("./entities/app-user.entity");
 const security_role_entity_1 = require("./entities/security-role.entity");
+const security_user_entity_1 = require("./entities/security-user.entity");
 const security_user_role_entity_1 = require("./entities/security-user-role.entity");
 const security_workflows_controller_1 = require("./security-workflows.controller");
 const security_workflows_service_1 = require("./security-workflows.service");
@@ -34,6 +35,7 @@ let SecurityWorkflowsModule = SecurityWorkflowsModule_1 = class SecurityWorkflow
             imports: [
                 typeorm_1.TypeOrmModule.forFeature([
                     app_user_entity_1.AppUserEntity,
+                    security_user_entity_1.SecurityUserEntity,
                     security_role_entity_1.SecurityRoleEntity,
                     security_user_role_entity_1.SecurityUserRoleEntity,
                 ]),

package/dist/nest/security-workflows.service.d.ts CHANGED Viewed

@@ -1,14 +1,16 @@
 import { Repository } from "typeorm";
 import { AppUserEntity } from "./entities/app-user.entity";
 import { SecurityRoleEntity } from "./entities/security-role.entity";
+import { SecurityUserEntity } from "./entities/security-user.entity";
 import { SecurityUserRoleEntity } from "./entities/security-user-role.entity";
 import { SecurityWorkflowNotifier } from "./contracts";
 export declare class SecurityWorkflowsService {
-    private readonly usersRepo;
+    private readonly appUsersRepo;
+    private readonly securityUsersRepo;
     private readonly rolesRepo;
     private readonly userRolesRepo;
     private readonly notifier;
-    constructor(usersRepo: Repository<AppUserEntity>, rolesRepo: Repository<SecurityRoleEntity>, userRolesRepo: Repository<SecurityUserRoleEntity>, notifier: SecurityWorkflowNotifier);
+    constructor(appUsersRepo: Repository<AppUserEntity>, securityUsersRepo: Repository<SecurityUserEntity>, rolesRepo: Repository<SecurityRoleEntity>, userRolesRepo: Repository<SecurityUserRoleEntity>, notifier: SecurityWorkflowNotifier);
     markEmailVerifiedAndNotifyAdmins(userId: string): Promise<{
         success: true;
         notified: false;