@skyapp-labs/blueprint-backend-core 1.0.9

package/dist/modules/sessions/entities/refresh-token.entity.js

@@ -0,0 +1,77 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RefreshToken = exports.RevokeReason = void 0;
+const typeorm_1 = require("typeorm");
+const base_entity_1 = require("../../../common/base/base.entity");
+const user_entity_1 = require("../../users/entities/user.entity");
+var RevokeReason;
+(function (RevokeReason) {
+    RevokeReason["ROTATED"] = "rotated";
+    RevokeReason["LOGOUT"] = "logout";
+    RevokeReason["REUSE_DETECTED"] = "reuse_detected";
+    RevokeReason["ADMIN"] = "admin";
+})(RevokeReason || (exports.RevokeReason = RevokeReason = {}));
+let RefreshToken = class RefreshToken extends base_entity_1.BaseEntity {
+};
+exports.RefreshToken = RefreshToken;
+__decorate([
+    (0, typeorm_1.Index)(),
+    (0, typeorm_1.Column)({ name: 'user_id' }),
+    __metadata("design:type", String)
+], RefreshToken.prototype, "userId", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'token_hash' }),
+    __metadata("design:type", String)
+], RefreshToken.prototype, "tokenHash", void 0);
+__decorate([
+    (0, typeorm_1.Index)(),
+    (0, typeorm_1.Column)({ name: 'family_id' }),
+    __metadata("design:type", String)
+], RefreshToken.prototype, "familyId", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'provider_refresh_token', nullable: true }),
+    __metadata("design:type", String)
+], RefreshToken.prototype, "providerRefreshToken", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'device_info', nullable: true }),
+    __metadata("design:type", String)
+], RefreshToken.prototype, "deviceInfo", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'ip_address', nullable: true }),
+    __metadata("design:type", String)
+], RefreshToken.prototype, "ipAddress", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'expires_at', type: 'timestamptz' }),
+    __metadata("design:type", Date)
+], RefreshToken.prototype, "expiresAt", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'is_revoked', default: false }),
+    __metadata("design:type", Boolean)
+], RefreshToken.prototype, "isRevoked", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'revoke_reason',
+        type: 'enum',
+        enum: RevokeReason,
+        nullable: true,
+    }),
+    __metadata("design:type", String)
+], RefreshToken.prototype, "revokeReason", void 0);
+__decorate([
+    (0, typeorm_1.ManyToOne)(() => user_entity_1.User, { onDelete: 'CASCADE' }),
+    (0, typeorm_1.JoinColumn)({ name: 'user_id' }),
+    __metadata("design:type", user_entity_1.User)
+], RefreshToken.prototype, "user", void 0);
+exports.RefreshToken = RefreshToken = __decorate([
+    (0, typeorm_1.Entity)('refresh_tokens')
+], RefreshToken);
+//# sourceMappingURL=refresh-token.entity.js.map

package/dist/modules/sessions/entities/refresh-token.entity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token.entity.js","sourceRoot":"","sources":["../../../../modules/sessions/entities/refresh-token.entity.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qCAAuE;AACvE,kEAA8D;AAC9D,kEAAwD;AAExD,IAAY,YAKX;AALD,WAAY,YAAY;IACvB,mCAAmB,CAAA;IACnB,iCAAiB,CAAA;IACjB,iDAAiC,CAAA;IACjC,+BAAe,CAAA;AAChB,CAAC,EALW,YAAY,4BAAZ,YAAY,QAKvB;AAGM,IAAM,YAAY,GAAlB,MAAM,YAAa,SAAQ,wBAAU;CA2C3C,CAAA;AA3CY,oCAAY;AAGxB;IAFC,IAAA,eAAK,GAAE;IACP,IAAA,gBAAM,EAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;;4CACZ;AAGhB;IADC,IAAA,gBAAM,EAAC,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;;+CACZ;AASnB;IAFC,IAAA,eAAK,GAAE;IACP,IAAA,gBAAM,EAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;;8CACZ;AAGlB;IADC,IAAA,gBAAM,EAAC,EAAE,IAAI,EAAE,wBAAwB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;0DAC7B;AAG9B;IADC,IAAA,gBAAM,EAAC,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;gDAC5B;AAGpB;IADC,IAAA,gBAAM,EAAC,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;+CAC5B;AAGnB;IADC,IAAA,gBAAM,EAAC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;8BACxC,IAAI;+CAAC;AAGjB;IADC,IAAA,gBAAM,EAAC,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;;+CAC3B;AAQpB;IANC,IAAA,gBAAM,EAAC;QACP,IAAI,EAAE,eAAe;QACrB,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,IAAI;KACd,CAAC;;kDAC0B;AAI5B;IAFC,IAAA,mBAAS,EAAC,GAAG,EAAE,CAAC,kBAAI,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IAC9C,IAAA,oBAAU,EAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;8BACzB,kBAAI;0CAAC;uBA1CA,YAAY;IADxB,IAAA,gBAAM,EAAC,gBAAgB,CAAC;GACZ,YAAY,CA2CxB"}

package/dist/modules/sessions/index.d.ts

@@ -0,0 +1,4 @@
+export * from './entities/refresh-token.entity';
+export * from './services/token.service';
+export * from './sessions.module';
+//# sourceMappingURL=index.d.ts.map

package/dist/modules/sessions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../modules/sessions/index.ts"],"names":[],"mappings":"AAAA,cAAc,iCAAiC,CAAC;AAChD,cAAc,0BAA0B,CAAC;AACzC,cAAc,mBAAmB,CAAC"}

package/dist/modules/sessions/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./entities/refresh-token.entity"), exports);
+__exportStar(require("./services/token.service"), exports);
+__exportStar(require("./sessions.module"), exports);
+//# sourceMappingURL=index.js.map

package/dist/modules/sessions/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../modules/sessions/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,kEAAgD;AAChD,2DAAyC;AACzC,oDAAkC"}

package/dist/modules/sessions/services/token.service.d.ts

@@ -0,0 +1,42 @@
+import { JwtService } from '@nestjs/jwt';
+import { Repository } from 'typeorm';
+import IORedis from 'ioredis';
+import { RefreshToken, RevokeReason } from '../entities/refresh-token.entity';
+import { TokenResponse } from '../../auth/dto/token.dto';
+import { UserRolesService } from '../../roles/services/user-roles.service';
+import { User } from '../../users/entities/user.entity';
+import { SettingsService } from '../../settings/services/settings.service';
+export declare class TokenService {
+    private readonly jwtService;
+    private readonly userRolesService;
+    private readonly refreshTokenRepository;
+    private readonly redis;
+    private readonly settingsService;
+    private readonly logger;
+    constructor(jwtService: JwtService, userRolesService: UserRolesService, refreshTokenRepository: Repository<RefreshToken>, redis: IORedis | null, settingsService: SettingsService);
+    createTemporaryToken(userId: string): Promise<string>;
+    verifyTemporaryToken(token: string): Promise<string>;
+    createPhoneVerifiedToken(phoneNumber: string): Promise<string>;
+    verifyPhoneVerifiedToken(token: string): Promise<string>;
+    createEmailVerifiedToken(email: string): Promise<string>;
+    verifyEmailVerifiedToken(token: string): Promise<string>;
+    generateTokens({ user, familyId, deviceInfo, ipAddress, providerRefreshToken, }: {
+        user: User;
+        familyId?: string;
+        deviceInfo?: string;
+        ipAddress?: string;
+        providerRefreshToken?: string;
+    }): Promise<TokenResponse>;
+    rotateRefreshToken(rawRefreshToken: string, deviceInfo?: string, ipAddress?: string): Promise<TokenResponse>;
+    generateTokensForUserId(userId: string, familyId: string, providerRefreshToken?: string, deviceInfo?: string, ipAddress?: string): Promise<TokenResponse>;
+    private get accessTokenExpiresInMs();
+    revokeRefreshToken(tokenId: string, reason?: RevokeReason): Promise<void>;
+    revokeAllUserTokens(userId: string, reason?: RevokeReason): Promise<void>;
+    getUserActiveSessions(userId: string): Promise<RefreshToken[]>;
+    getRefreshTokenById(tokenId: string): Promise<RefreshToken | null>;
+    private saveRefreshToken;
+    private markRevoked;
+    private revokeFamilyTokens;
+    private assertRedis;
+}
+//# sourceMappingURL=token.service.d.ts.map

package/dist/modules/sessions/services/token.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.service.d.ts","sourceRoot":"","sources":["../../../../modules/sessions/services/token.service.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAIrC,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAC9E,OAAO,EAAc,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yCAAyC,CAAC;AAC3E,OAAO,EAAE,IAAI,EAAE,MAAM,kCAAkC,CAAC;AAExD,OAAO,EAAE,eAAe,EAAE,MAAM,0CAA0C,CAAC;AAkB3E,qBACa,YAAY;IAIvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,gBAAgB;IAEjC,OAAO,CAAC,QAAQ,CAAC,sBAAsB;IAGvC,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,eAAe;IAVjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiC;gBAGtC,UAAU,EAAE,UAAU,EACtB,gBAAgB,EAAE,gBAAgB,EAElC,sBAAsB,EAAE,UAAU,CAAC,YAAY,CAAC,EAGhD,KAAK,EAAE,OAAO,GAAG,IAAI,EACrB,eAAe,EAAE,eAAe;IAU5C,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqBrD,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAcpD,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqB9D,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAcxD,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAexD,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAWxD,cAAc,CAAC,EACpB,IAAI,EACJ,QAAQ,EACR,UAAU,EACV,SAAS,EACT,oBAAoB,GACpB,EAAE;QACF,IAAI,EAAE,IAAI,CAAC;QACX,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,oBAAoB,CAAC,EAAE,MAAM,CAAC;KAC9B,GAAG,OAAO,CAAC,aAAa,CAAC;IAmCpB,kBAAkB,CACvB,eAAe,EAAE,MAAM,EACvB,UAAU,CAAC,EAAE,MAAM,EACnB,SAAS,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,aAAa,CAAC;IA+CnB,uBAAuB,CAC5B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,oBAAoB,CAAC,EAAE,MAAM,EAC7B,UAAU,CAAC,EAAE,MAAM,EACnB,SAAS,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,aAAa,CAAC;IAkCzB,OAAO,KAAK,sBAAsB,GAMjC;IAEK,kBAAkB,CACvB,OAAO,EAAE,MAAM,EACf,MAAM,GAAE,YAAkC,GACxC,OAAO,CAAC,IAAI,CAAC;IAOV,mBAAmB,CACxB,MAAM,EAAE,MAAM,EACd,MAAM,GAAE,YAAkC,GACxC,OAAO,CAAC,IAAI,CAAC;IASV,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAO9D,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;YAM1D,gBAAgB;YAyBhB,WAAW;YAIX,kBAAkB;IAOhC,OAAO,CAAC,WAAW;CAOnB"}

package/dist/modules/sessions/services/token.service.js

@@ -0,0 +1,253 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+var TokenService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenService = void 0;
+const common_1 = require("@nestjs/common");
+const jwt_1 = require("@nestjs/jwt");
+const typeorm_1 = require("@nestjs/typeorm");
+const typeorm_2 = require("typeorm");
+const crypto_1 = require("crypto");
+const argon2 = __importStar(require("argon2"));
+const ms_1 = __importDefault(require("ms"));
+const refresh_token_entity_1 = require("../entities/refresh-token.entity");
+const user_roles_service_1 = require("../../roles/services/user-roles.service");
+const redis_module_1 = require("../../../config/redis.module");
+const settings_service_1 = require("../../settings/services/settings.service");
+const settings_keys_1 = require("../../settings/constants/settings.keys");
+const KEY_TMP_LOGIN = 'tmp:login:';
+const KEY_TMP_PHONE = 'tmp:phone_verified:';
+const KEY_TMP_EMAIL = 'tmp:email_verified:';
+let TokenService = TokenService_1 = class TokenService {
+    constructor(jwtService, userRolesService, refreshTokenRepository, redis, settingsService) {
+        this.jwtService = jwtService;
+        this.userRolesService = userRolesService;
+        this.refreshTokenRepository = refreshTokenRepository;
+        this.redis = redis;
+        this.settingsService = settingsService;
+        this.logger = new common_1.Logger(TokenService_1.name);
+    }
+    async createTemporaryToken(userId) {
+        this.assertRedis('createTemporaryToken');
+        const ttl = this.settingsService.get(settings_keys_1.SETTING_KEYS.TOKENS_TEMPORARY_TTL_SECONDS);
+        const token = (0, crypto_1.randomUUID)();
+        const result = await this.redis.set(`${KEY_TMP_LOGIN}${token}`, userId, 'EX', ttl, 'NX');
+        if (result !== 'OK') {
+            throw new common_1.ServiceUnavailableException('Failed to store temporary token in Redis');
+        }
+        return token;
+    }
+    async verifyTemporaryToken(token) {
+        this.assertRedis('verifyTemporaryToken');
+        const userId = await this.redis.getdel(`${KEY_TMP_LOGIN}${token}`);
+        if (!userId) {
+            throw new common_1.UnauthorizedException('Invalid or expired temporary token');
+        }
+        return userId;
+    }
+    async createPhoneVerifiedToken(phoneNumber) {
+        this.assertRedis('createPhoneVerifiedToken');
+        const ttl = this.settingsService.get(settings_keys_1.SETTING_KEYS.TOKENS_TEMPORARY_TTL_SECONDS);
+        const token = (0, crypto_1.randomUUID)();
+        const result = await this.redis.set(`${KEY_TMP_PHONE}${token}`, phoneNumber, 'EX', ttl, 'NX');
+        if (result !== 'OK') {
+            throw new common_1.ServiceUnavailableException('Failed to store phone-verified token in Redis');
+        }
+        return token;
+    }
+    async verifyPhoneVerifiedToken(token) {
+        this.assertRedis('verifyPhoneVerifiedToken');
+        const phoneNumber = await this.redis.getdel(`${KEY_TMP_PHONE}${token}`);
+        if (!phoneNumber) {
+            throw new common_1.UnauthorizedException('Invalid or expired phone-verified token');
+        }
+        return phoneNumber;
+    }
+    async createEmailVerifiedToken(email) {
+        this.assertRedis('createEmailVerifiedToken');
+        const ttl = this.settingsService.get(settings_keys_1.SETTING_KEYS.TOKENS_TEMPORARY_TTL_SECONDS);
+        const token = (0, crypto_1.randomUUID)();
+        const result = await this.redis.set(`${KEY_TMP_EMAIL}${token}`, email, 'EX', ttl, 'NX');
+        if (result !== 'OK') {
+            throw new common_1.ServiceUnavailableException('Failed to store email-verified token in Redis');
+        }
+        return token;
+    }
+    async verifyEmailVerifiedToken(token) {
+        this.assertRedis('verifyEmailVerifiedToken');
+        const email = await this.redis.getdel(`${KEY_TMP_EMAIL}${token}`);
+        if (!email) {
+            throw new common_1.UnauthorizedException('Invalid or expired email-verified token');
+        }
+        return email;
+    }
+    async generateTokens({ user, familyId, deviceInfo, ipAddress, providerRefreshToken, }) {
+        const permissions = await this.userRolesService.getUserPermissionSlugs(user.id);
+        const payload = {
+            sub: user.id,
+            permissions,
+        };
+        const accessToken = await this.jwtService.signAsync(payload, {
+            expiresIn: this.settingsService.get(settings_keys_1.SETTING_KEYS.TOKENS_ACCESS_EXPIRES_IN),
+        });
+        const resolvedFamilyId = familyId ?? (0, crypto_1.randomUUID)();
+        const secret = (0, crypto_1.randomUUID)();
+        const tokenHash = await argon2.hash(secret);
+        const savedToken = await this.saveRefreshToken(user.id, tokenHash, resolvedFamilyId, providerRefreshToken, deviceInfo, ipAddress);
+        return {
+            accessToken,
+            refreshToken: `${savedToken.id}.${secret}`,
+            expiresIn: this.accessTokenExpiresInMs,
+        };
+    }
+    async rotateRefreshToken(rawRefreshToken, deviceInfo, ipAddress) {
+        const parts = rawRefreshToken.split('.');
+        if (parts.length !== 2) {
+            throw new common_1.UnauthorizedException('Invalid refresh token format');
+        }
+        const [tokenId, secret] = parts;
+        const record = await this.refreshTokenRepository.findOne({ where: { id: tokenId } });
+        if (!record) {
+            throw new common_1.UnauthorizedException('Invalid refresh token');
+        }
+        const isValid = await argon2.verify(record.tokenHash, secret);
+        if (!isValid) {
+            throw new common_1.UnauthorizedException('Invalid refresh token');
+        }
+        if (record.isRevoked) {
+            this.logger.warn(`Refresh token reuse detected for user ${record.userId}, family ${record.familyId}. Revoking all family tokens.`);
+            await this.revokeFamilyTokens(record.familyId, refresh_token_entity_1.RevokeReason.REUSE_DETECTED);
+            throw new common_1.UnauthorizedException('Session invalidated due to suspicious activity. Please log in again.');
+        }
+        if (new Date() > record.expiresAt) {
+            await this.markRevoked(record.id, refresh_token_entity_1.RevokeReason.ROTATED);
+            throw new common_1.UnauthorizedException('Refresh token expired');
+        }
+        await this.markRevoked(record.id, refresh_token_entity_1.RevokeReason.ROTATED);
+        return this.generateTokensForUserId(record.userId, record.familyId, deviceInfo, ipAddress);
+    }
+    async generateTokensForUserId(userId, familyId, providerRefreshToken, deviceInfo, ipAddress) {
+        const permissions = await this.userRolesService.getUserPermissionSlugs(userId);
+        const payload = {
+            sub: userId,
+            permissions,
+        };
+        const accessToken = await this.jwtService.signAsync(payload, {
+            expiresIn: this.settingsService.get(settings_keys_1.SETTING_KEYS.TOKENS_ACCESS_EXPIRES_IN),
+        });
+        const secret = (0, crypto_1.randomUUID)();
+        const tokenHash = await argon2.hash(secret);
+        const savedToken = await this.saveRefreshToken(userId, tokenHash, familyId, providerRefreshToken, deviceInfo, ipAddress);
+        return {
+            accessToken,
+            refreshToken: `${savedToken.id}.${secret}`,
+            expiresIn: this.accessTokenExpiresInMs,
+        };
+    }
+    get accessTokenExpiresInMs() {
+        return (0, ms_1.default)(this.settingsService.get(settings_keys_1.SETTING_KEYS.TOKENS_ACCESS_EXPIRES_IN));
+    }
+    async revokeRefreshToken(tokenId, reason = refresh_token_entity_1.RevokeReason.LOGOUT) {
+        const token = await this.refreshTokenRepository.findOne({ where: { id: tokenId } });
+        if (!token)
+            throw new common_1.NotFoundException('Token not found');
+        if (token.isRevoked)
+            throw new common_1.ForbiddenException('Token already revoked');
+        await this.markRevoked(token.id, reason);
+    }
+    async revokeAllUserTokens(userId, reason = refresh_token_entity_1.RevokeReason.LOGOUT) {
+        await this.refreshTokenRepository.update({ userId, isRevoked: false }, { isRevoked: true, revokeReason: reason });
+    }
+    async getUserActiveSessions(userId) {
+        return this.refreshTokenRepository.find({
+            where: { userId, isRevoked: false },
+            order: { createdAt: 'DESC' },
+        });
+    }
+    async getRefreshTokenById(tokenId) {
+        return this.refreshTokenRepository.findOne({ where: { id: tokenId } });
+    }
+    async saveRefreshToken(userId, tokenHash, familyId, providerRefreshToken, deviceInfo, ipAddress) {
+        const ttlDays = this.settingsService.get(settings_keys_1.SETTING_KEYS.TOKENS_REFRESH_TTL_DAYS);
+        const expiresAt = new Date();
+        expiresAt.setDate(expiresAt.getDate() + ttlDays);
+        return this.refreshTokenRepository.save(this.refreshTokenRepository.create({
+            userId,
+            tokenHash,
+            familyId,
+            providerRefreshToken,
+            deviceInfo,
+            ipAddress,
+            expiresAt,
+        }));
+    }
+    async markRevoked(id, reason) {
+        await this.refreshTokenRepository.update(id, { isRevoked: true, revokeReason: reason });
+    }
+    async revokeFamilyTokens(familyId, reason) {
+        await this.refreshTokenRepository.update({ familyId, isRevoked: false }, { isRevoked: true, revokeReason: reason });
+    }
+    assertRedis(method) {
+        if (!this.redis) {
+            throw new common_1.ServiceUnavailableException(`TokenService.${method} requires Redis. Set REDIS_ENABLED=true in your environment.`);
+        }
+    }
+};
+exports.TokenService = TokenService;
+exports.TokenService = TokenService = TokenService_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(2, (0, typeorm_1.InjectRepository)(refresh_token_entity_1.RefreshToken)),
+    __param(3, (0, common_1.Optional)()),
+    __param(3, (0, common_1.Inject)(redis_module_1.REDIS_CLIENT)),
+    __metadata("design:paramtypes", [jwt_1.JwtService,
+        user_roles_service_1.UserRolesService,
+        typeorm_2.Repository, Object, settings_service_1.SettingsService])
+], TokenService);
+//# sourceMappingURL=token.service.js.map

package/dist/modules/sessions/services/token.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.service.js","sourceRoot":"","sources":["../../../../modules/sessions/services/token.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CASwB;AACxB,qCAAyC;AACzC,6CAAmD;AACnD,qCAAqC;AACrC,mCAAoC;AACpC,+CAAiC;AACjC,4CAAoB;AAEpB,2EAA8E;AAE9E,gFAA2E;AAE3E,+DAA4D;AAC5D,+EAA2E;AAC3E,0EAAsE;AAatE,MAAM,aAAa,GAAG,YAAY,CAAC;AACnC,MAAM,aAAa,GAAG,qBAAqB,CAAC;AAC5C,MAAM,aAAa,GAAG,qBAAqB,CAAC;AAGrC,IAAM,YAAY,oBAAlB,MAAM,YAAY;IAGxB,YACkB,UAAsB,EACtB,gBAAkC,EAEnD,sBAAiE,EAGjE,KAAsC,EACrB,eAAgC;QAPhC,eAAU,GAAV,UAAU,CAAY;QACtB,qBAAgB,GAAhB,gBAAgB,CAAkB;QAElC,2BAAsB,GAAtB,sBAAsB,CAA0B;QAGhD,UAAK,GAAL,KAAK,CAAgB;QACrB,oBAAe,GAAf,eAAe,CAAiB;QAVjC,WAAM,GAAG,IAAI,eAAM,CAAC,cAAY,CAAC,IAAI,CAAC,CAAC;IAWrD,CAAC;IASJ,KAAK,CAAC,oBAAoB,CAAC,MAAc;QACxC,IAAI,CAAC,WAAW,CAAC,sBAAsB,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAS,4BAAY,CAAC,4BAA4B,CAAC,CAAC;QACxF,MAAM,KAAK,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAM,CAAC,GAAG,CACnC,GAAG,aAAa,GAAG,KAAK,EAAE,EAC1B,MAAM,EACN,IAAI,EACJ,GAAG,EACH,IAAI,CACJ,CAAC;QACF,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACrB,MAAM,IAAI,oCAA2B,CAAC,0CAA0C,CAAC,CAAC;QACnF,CAAC;QACD,OAAO,KAAK,CAAC;IACd,CAAC;IAMD,KAAK,CAAC,oBAAoB,CAAC,KAAa;QACvC,IAAI,CAAC,WAAW,CAAC,sBAAsB,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAM,CAAC,MAAM,CAAC,GAAG,aAAa,GAAG,KAAK,EAAE,CAAC,CAAC;QACpE,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,MAAM,IAAI,8BAAqB,CAAC,oCAAoC,CAAC,CAAC;QACvE,CAAC;QACD,OAAO,MAAM,CAAC;IACf,CAAC;IAOD,KAAK,CAAC,wBAAwB,CAAC,WAAmB;QACjD,IAAI,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAS,4BAAY,CAAC,4BAA4B,CAAC,CAAC;QACxF,MAAM,KAAK,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAM,CAAC,GAAG,CACnC,GAAG,aAAa,GAAG,KAAK,EAAE,EAC1B,WAAW,EACX,IAAI,EACJ,GAAG,EACH,IAAI,CACJ,CAAC;QACF,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACrB,MAAM,IAAI,oCAA2B,CAAC,+CAA+C,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,KAAK,CAAC;IACd,CAAC;IAMD,KAAK,CAAC,wBAAwB,CAAC,KAAa;QAC3C,IAAI,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,KAAM,CAAC,MAAM,CAAC,GAAG,aAAa,GAAG,KAAK,EAAE,CAAC,CAAC;QACzE,IAAI,CAAC,WAAW,EAAE,CAAC;YAClB,MAAM,IAAI,8BAAqB,CAAC,yCAAyC,CAAC,CAAC;QAC5E,CAAC;QACD,OAAO,WAAW,CAAC;IACpB,CAAC;IAOD,KAAK,CAAC,wBAAwB,CAAC,KAAa;QAC3C,IAAI,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAS,4BAAY,CAAC,4BAA4B,CAAC,CAAC;QACxF,MAAM,KAAK,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAM,CAAC,GAAG,CAAC,GAAG,aAAa,GAAG,KAAK,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACzF,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACrB,MAAM,IAAI,oCAA2B,CAAC,+CAA+C,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,KAAK,CAAC;IACd,CAAC;IAMD,KAAK,CAAC,wBAAwB,CAAC,KAAa;QAC3C,IAAI,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAM,CAAC,MAAM,CAAC,GAAG,aAAa,GAAG,KAAK,EAAE,CAAC,CAAC;QACnE,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,IAAI,8BAAqB,CAAC,yCAAyC,CAAC,CAAC;QAC5E,CAAC;QACD,OAAO,KAAK,CAAC;IACd,CAAC;IAID,KAAK,CAAC,cAAc,CAAC,EACpB,IAAI,EACJ,QAAQ,EACR,UAAU,EACV,SAAS,EACT,oBAAoB,GAOpB;QACA,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,sBAAsB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEhF,MAAM,OAAO,GAAe;YAC3B,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,WAAW;SACX,CAAC;QAEF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,OAAO,EAAE;YAC5D,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,GAAG,CAClC,4BAAY,CAAC,wBAAwB,CACxB;SACd,CAAC,CAAC;QAEH,MAAM,gBAAgB,GAAG,QAAQ,IAAI,IAAA,mBAAU,GAAE,CAAC;QAClD,MAAM,MAAM,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC5B,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAC7C,IAAI,CAAC,EAAE,EACP,SAAS,EACT,gBAAgB,EAChB,oBAAoB,EACpB,UAAU,EACV,SAAS,CACT,CAAC;QAEF,OAAO;YACN,WAAW;YACX,YAAY,EAAE,GAAG,UAAU,CAAC,EAAE,IAAI,MAAM,EAAE;YAC1C,SAAS,EAAE,IAAI,CAAC,sBAAsB;SACtC,CAAC;IACH,CAAC;IAID,KAAK,CAAC,kBAAkB,CACvB,eAAuB,EACvB,UAAmB,EACnB,SAAkB;QAIlB,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,8BAAqB,CAAC,8BAA8B,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC;QAEhC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAErF,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,MAAM,IAAI,8BAAqB,CAAC,uBAAuB,CAAC,CAAC;QAC1D,CAAC;QAGD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,IAAI,8BAAqB,CAAC,uBAAuB,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YAEtB,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,yCAAyC,MAAM,CAAC,MAAM,YAAY,MAAM,CAAC,QAAQ,+BAA+B,CAChH,CAAC;YACF,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,QAAQ,EAAE,mCAAY,CAAC,cAAc,CAAC,CAAC;YAC5E,MAAM,IAAI,8BAAqB,CAC9B,sEAAsE,CACtE,CAAC;QACH,CAAC;QAED,IAAI,IAAI,IAAI,EAAE,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,EAAE,mCAAY,CAAC,OAAO,CAAC,CAAC;YACxD,MAAM,IAAI,8BAAqB,CAAC,uBAAuB,CAAC,CAAC;QAC1D,CAAC;QAGD,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,EAAE,mCAAY,CAAC,OAAO,CAAC,CAAC;QAExD,OAAO,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IAC5F,CAAC;IAMD,KAAK,CAAC,uBAAuB,CAC5B,MAAc,EACd,QAAgB,EAChB,oBAA6B,EAC7B,UAAmB,EACnB,SAAkB;QAElB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC;QAE/E,MAAM,OAAO,GAAe;YAC3B,GAAG,EAAE,MAAM;YACX,WAAW;SACX,CAAC;QAEF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,OAAO,EAAE;YAC5D,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,GAAG,CAClC,4BAAY,CAAC,wBAAwB,CACxB;SACd,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC5B,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAC7C,MAAM,EACN,SAAS,EACT,QAAQ,EACR,oBAAoB,EACpB,UAAU,EACV,SAAS,CACT,CAAC;QAEF,OAAO;YACN,WAAW;YACX,YAAY,EAAE,GAAG,UAAU,CAAC,EAAE,IAAI,MAAM,EAAE;YAC1C,SAAS,EAAE,IAAI,CAAC,sBAAsB;SACtC,CAAC;IACH,CAAC;IAID,IAAY,sBAAsB;QACjC,OAAO,IAAA,YAAE,EACR,IAAI,CAAC,eAAe,CAAC,GAAG,CACvB,4BAAY,CAAC,wBAAwB,CACnB,CACnB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,kBAAkB,CACvB,OAAe,EACf,SAAuB,mCAAY,CAAC,MAAM;QAE1C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QACpF,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,0BAAiB,CAAC,iBAAiB,CAAC,CAAC;QAC3D,IAAI,KAAK,CAAC,SAAS;YAAE,MAAM,IAAI,2BAAkB,CAAC,uBAAuB,CAAC,CAAC;QAC3E,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,mBAAmB,CACxB,MAAc,EACd,SAAuB,mCAAY,CAAC,MAAM;QAE1C,MAAM,IAAI,CAAC,sBAAsB,CAAC,MAAM,CACvC,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,EAC5B,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,CACzC,CAAC;IACH,CAAC;IAID,KAAK,CAAC,qBAAqB,CAAC,MAAc;QACzC,OAAO,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC;YACvC,KAAK,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE;YACnC,KAAK,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;SAC5B,CAAC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAe;QACxC,OAAO,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;IACxE,CAAC;IAIO,KAAK,CAAC,gBAAgB,CAC7B,MAAc,EACd,SAAiB,EACjB,QAAgB,EAChB,oBAA6B,EAC7B,UAAmB,EACnB,SAAkB;QAElB,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAS,4BAAY,CAAC,uBAAuB,CAAC,CAAC;QACvF,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;QAC7B,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,OAAO,CAAC,CAAC;QAEjD,OAAO,IAAI,CAAC,sBAAsB,CAAC,IAAI,CACtC,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC;YAClC,MAAM;YACN,SAAS;YACT,QAAQ;YACR,oBAAoB;YACpB,UAAU;YACV,SAAS;YACT,SAAS;SACT,CAAC,CACF,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,EAAU,EAAE,MAAoB;QACzD,MAAM,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC,CAAC;IACzF,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAAC,QAAgB,EAAE,MAAoB;QACtE,MAAM,IAAI,CAAC,sBAAsB,CAAC,MAAM,CACvC,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,EAC9B,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,CACzC,CAAC;IACH,CAAC;IAEO,WAAW,CAAC,MAAc;QACjC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,IAAI,oCAA2B,CACpC,gBAAgB,MAAM,8DAA8D,CACpF,CAAC;QACH,CAAC;IACF,CAAC;CACD,CAAA;AArVY,oCAAY;uBAAZ,YAAY;IADxB,IAAA,mBAAU,GAAE;IAOV,WAAA,IAAA,0BAAgB,EAAC,mCAAY,CAAC,CAAA;IAE9B,WAAA,IAAA,iBAAQ,GAAE,CAAA;IACV,WAAA,IAAA,eAAM,EAAC,2BAAY,CAAC,CAAA;qCALQ,gBAAU;QACJ,qCAAgB;QAEV,oBAAU,UAIjB,kCAAe;GAXtC,YAAY,CAqVxB"}

package/dist/modules/sessions/sessions.module.d.ts

@@ -0,0 +1,3 @@
+export declare class SessionsModule {
+}
+//# sourceMappingURL=sessions.module.d.ts.map

package/dist/modules/sessions/sessions.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.module.d.ts","sourceRoot":"","sources":["../../../modules/sessions/sessions.module.ts"],"names":[],"mappings":"AAQA,qBAMa,cAAc;CAAG"}

package/dist/modules/sessions/sessions.module.js

@@ -0,0 +1,28 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionsModule = void 0;
+const common_1 = require("@nestjs/common");
+const typeorm_1 = require("@nestjs/typeorm");
+const token_service_1 = require("./services/token.service");
+const session_controller_1 = require("./controllers/session.controller");
+const refresh_token_entity_1 = require("./entities/refresh-token.entity");
+const roles_module_1 = require("../roles/roles.module");
+const auth_core_module_1 = require("../auth/auth-core/auth-core.module");
+let SessionsModule = class SessionsModule {
+};
+exports.SessionsModule = SessionsModule;
+exports.SessionsModule = SessionsModule = __decorate([
+    (0, common_1.Module)({
+        imports: [typeorm_1.TypeOrmModule.forFeature([refresh_token_entity_1.RefreshToken]), roles_module_1.RolesModule, auth_core_module_1.AuthCoreModule],
+        controllers: [session_controller_1.SessionController],
+        providers: [token_service_1.TokenService],
+        exports: [token_service_1.TokenService],
+    })
+], SessionsModule);
+//# sourceMappingURL=sessions.module.js.map

package/dist/modules/sessions/sessions.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.module.js","sourceRoot":"","sources":["../../../modules/sessions/sessions.module.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAAwC;AACxC,6CAAgD;AAChD,4DAAwD;AACxD,yEAAqE;AACrE,0EAA+D;AAC/D,wDAAoD;AACpD,yEAAoE;AAQ7D,IAAM,cAAc,GAApB,MAAM,cAAc;CAAG,CAAA;AAAjB,wCAAc;yBAAd,cAAc;IAN1B,IAAA,eAAM,EAAC;QACP,OAAO,EAAE,CAAC,uBAAa,CAAC,UAAU,CAAC,CAAC,mCAAY,CAAC,CAAC,EAAE,0BAAW,EAAE,iCAAc,CAAC;QAChF,WAAW,EAAE,CAAC,sCAAiB,CAAC;QAChC,SAAS,EAAE,CAAC,4BAAY,CAAC;QACzB,OAAO,EAAE,CAAC,4BAAY,CAAC;KACvB,CAAC;GACW,cAAc,CAAG"}

package/dist/modules/settings/constants/settings.defaults.d.ts

@@ -0,0 +1,60 @@
+export interface TestOtpIdentifier {
+    identifier: string;
+    channel: 'sms' | 'email';
+    code: string;
+}
+export declare const SETTING_DEFAULTS: {
+    readonly 'otp.ttl_seconds': 300;
+    readonly 'otp.max_attempts': 5;
+    readonly 'otp.resend_cooldown_seconds': 60;
+    readonly 'otp.rate_limit_max': 3;
+    readonly 'otp.rate_limit_window_seconds': 600;
+    readonly 'otp.ip_rate_limit_max': 20;
+    readonly 'otp.ip_rate_limit_window_seconds': 600;
+    readonly 'otp.sms_template': "Your verification code is: {code}. Do not share this code with anyone.";
+    readonly 'otp.email_subject': "Your verification code";
+    readonly 'otp.email_html_template': "<!DOCTYPE html>\n<html lang=\"en\">\n<head><meta charset=\"UTF-8\"><meta name=\"viewport\" content=\"width=device-width,initial-scale=1\"></head>\n<body style=\"margin:0;padding:0;background:#f4f4f5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif\">\n  <table width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" style=\"padding:40px 0\">\n    <tr><td align=\"center\">\n      <table width=\"480\" cellpadding=\"0\" cellspacing=\"0\" style=\"background:#ffffff;border-radius:8px;padding:40px;box-shadow:0 1px 3px rgba(0,0,0,0.1)\">\n        <tr><td>\n          <h2 style=\"margin:0 0 8px;font-size:20px;color:#111827\">Verification code</h2>\n          <p style=\"margin:0 0 24px;font-size:14px;color:#6b7280\">Use the code below to verify your identity. It expires in <strong>5 minutes</strong>.</p>\n          <div style=\"background:#f9fafb;border:1px solid #e5e7eb;border-radius:6px;padding:20px;text-align:center;letter-spacing:8px;font-size:32px;font-weight:700;color:#111827;font-family:monospace\">\n            {code}\n          </div>\n          <p style=\"margin:24px 0 0;font-size:12px;color:#9ca3af\">If you did not request this code, you can safely ignore this email.</p>\n        </td></tr>\n      </table>\n    </td></tr>\n  </table>\n</body>\n</html>";
+    readonly 'otp.email_text_template': "Your verification code is: {code}\n\nThis code expires in 5 minutes. Do not share it with anyone.";
+    readonly 'tokens.refresh_ttl_days': 7;
+    readonly 'tokens.temporary_ttl_seconds': 300;
+    readonly 'tokens.access_expires_in': "15m";
+    readonly 'tokens.invite_ttl_days': 7;
+    readonly 'tokens.password_reset_ttl_seconds': 1800;
+    readonly 'test.otp_identifiers': TestOtpIdentifier[];
+    readonly 'auth.provider': "native";
+    readonly 'auth.method': "email";
+    readonly 'auth.default_role_slug': "user";
+    readonly 'login.ip_rate_limit_max': 10;
+    readonly 'login.ip_rate_limit_window_seconds': 900;
+    readonly 'login.lockout_max_attempts': 10;
+    readonly 'login.lockout_duration_seconds': 900;
+    readonly 'health.max_heap_mb': 300;
+    readonly 'health.max_rss_mb': 500;
+    readonly 'health.queue_depth_threshold': 500;
+    readonly 'sms.active_provider': "twilio";
+    readonly 'sms.twilio_from_number': "";
+    readonly 'sms.twilio_account_sid': "";
+    readonly 'sms.twilio_auth_token': "";
+    readonly 'sms.termii_api_key': "";
+    readonly 'sms.termii_sender_id': "";
+    readonly 'sms.infobip_api_key': "";
+    readonly 'sms.infobip_sender_id': "";
+    readonly 'sms.infobip_base_url': "";
+    readonly 'sms.smartsms_token': "";
+    readonly 'sms.smartsms_sender_id': "";
+    readonly 'email.active_provider': "resend";
+    readonly 'email.from_address': "";
+    readonly 'email.resend_api_key': "";
+    readonly 'email.sendgrid_api_key': "";
+    readonly 'email.mailgun_api_key': "";
+    readonly 'email.mailgun_domain': "";
+    readonly 'email.smtp_host': "";
+    readonly 'email.smtp_port': 587;
+    readonly 'email.smtp_user': "";
+    readonly 'email.smtp_pass': "";
+    readonly 'firebase.project_id': "";
+    readonly 'firebase.client_email': "";
+    readonly 'firebase.private_key': "";
+    readonly 'firebase.api_key': "";
+};
+//# sourceMappingURL=settings.defaults.d.ts.map

package/dist/modules/settings/constants/settings.defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.defaults.d.ts","sourceRoot":"","sources":["../../../../modules/settings/constants/settings.defaults.ts"],"names":[],"mappings":"AAeA,MAAM,WAAW,iBAAiB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,KAAK,GAAG,OAAO,CAAC;IACzB,IAAI,EAAE,MAAM,CAAC;CACb;AA8BD,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;qCAyBE,iBAAiB,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiDN,CAAC"}

package/dist/modules/settings/constants/settings.defaults.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SETTING_DEFAULTS = void 0;
+const OTP_EMAIL_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"></head>
+<body style="margin:0;padding:0;background:#f4f4f5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif">
+  <table width="100%" cellpadding="0" cellspacing="0" style="padding:40px 0">
+    <tr><td align="center">
+      <table width="480" cellpadding="0" cellspacing="0" style="background:#ffffff;border-radius:8px;padding:40px;box-shadow:0 1px 3px rgba(0,0,0,0.1)">
+        <tr><td>
+          <h2 style="margin:0 0 8px;font-size:20px;color:#111827">Verification code</h2>
+          <p style="margin:0 0 24px;font-size:14px;color:#6b7280">Use the code below to verify your identity. It expires in <strong>5 minutes</strong>.</p>
+          <div style="background:#f9fafb;border:1px solid #e5e7eb;border-radius:6px;padding:20px;text-align:center;letter-spacing:8px;font-size:32px;font-weight:700;color:#111827;font-family:monospace">
+            {code}
+          </div>
+          <p style="margin:24px 0 0;font-size:12px;color:#9ca3af">If you did not request this code, you can safely ignore this email.</p>
+        </td></tr>
+      </table>
+    </td></tr>
+  </table>
+</body>
+</html>`;
+exports.SETTING_DEFAULTS = {
+    'otp.ttl_seconds': 300,
+    'otp.max_attempts': 5,
+    'otp.resend_cooldown_seconds': 60,
+    'otp.rate_limit_max': 3,
+    'otp.rate_limit_window_seconds': 600,
+    'otp.ip_rate_limit_max': 20,
+    'otp.ip_rate_limit_window_seconds': 600,
+    'otp.sms_template': 'Your verification code is: {code}. Do not share this code with anyone.',
+    'otp.email_subject': 'Your verification code',
+    'otp.email_html_template': OTP_EMAIL_HTML,
+    'otp.email_text_template': 'Your verification code is: {code}\n\nThis code expires in 5 minutes. Do not share it with anyone.',
+    'tokens.refresh_ttl_days': 7,
+    'tokens.temporary_ttl_seconds': 300,
+    'tokens.access_expires_in': '15m',
+    'tokens.invite_ttl_days': 7,
+    'tokens.password_reset_ttl_seconds': 1800,
+    'test.otp_identifiers': [],
+    'auth.provider': 'native',
+    'auth.method': 'email',
+    'auth.default_role_slug': 'user',
+    'login.ip_rate_limit_max': 10,
+    'login.ip_rate_limit_window_seconds': 900,
+    'login.lockout_max_attempts': 10,
+    'login.lockout_duration_seconds': 900,
+    'health.max_heap_mb': 300,
+    'health.max_rss_mb': 500,
+    'health.queue_depth_threshold': 500,
+    'sms.active_provider': 'twilio',
+    'sms.twilio_from_number': '',
+    'sms.twilio_account_sid': '',
+    'sms.twilio_auth_token': '',
+    'sms.termii_api_key': '',
+    'sms.termii_sender_id': '',
+    'sms.infobip_api_key': '',
+    'sms.infobip_sender_id': '',
+    'sms.infobip_base_url': '',
+    'sms.smartsms_token': '',
+    'sms.smartsms_sender_id': '',
+    'email.active_provider': 'resend',
+    'email.from_address': '',
+    'email.resend_api_key': '',
+    'email.sendgrid_api_key': '',
+    'email.mailgun_api_key': '',
+    'email.mailgun_domain': '',
+    'email.smtp_host': '',
+    'email.smtp_port': 587,
+    'email.smtp_user': '',
+    'email.smtp_pass': '',
+    'firebase.project_id': '',
+    'firebase.client_email': '',
+    'firebase.private_key': '',
+    'firebase.api_key': '',
+};
+//# sourceMappingURL=settings.defaults.js.map

package/dist/modules/settings/constants/settings.defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.defaults.js","sourceRoot":"","sources":["../../../../modules/settings/constants/settings.defaults.ts"],"names":[],"mappings":";;;AA0BA,MAAM,cAAc,GAAG;;;;;;;;;;;;;;;;;;;QAmBf,CAAC;AAII,QAAA,gBAAgB,GAAG;IAE/B,iBAAiB,EAAE,GAAG;IACtB,kBAAkB,EAAE,CAAC;IACrB,6BAA6B,EAAE,EAAE;IACjC,oBAAoB,EAAE,CAAC;IACvB,+BAA+B,EAAE,GAAG;IACpC,uBAAuB,EAAE,EAAE;IAC3B,kCAAkC,EAAE,GAAG;IACvC,kBAAkB,EAAE,wEAAwE;IAC5F,mBAAmB,EAAE,wBAAwB;IAC7C,yBAAyB,EAAE,cAAc;IACzC,yBAAyB,EACxB,mGAAmG;IAGpG,yBAAyB,EAAE,CAAC;IAC5B,8BAA8B,EAAE,GAAG;IACnC,0BAA0B,EAAE,KAAK;IACjC,wBAAwB,EAAE,CAAC;IAC3B,mCAAmC,EAAE,IAAI;IAKzC,sBAAsB,EAAE,EAAyB;IAGjD,eAAe,EAAE,QAAQ;IACzB,aAAa,EAAE,OAAO;IACtB,wBAAwB,EAAE,MAAM;IAGhC,yBAAyB,EAAE,EAAE;IAC7B,oCAAoC,EAAE,GAAG;IACzC,4BAA4B,EAAE,EAAE;IAChC,gCAAgC,EAAE,GAAG;IAGrC,oBAAoB,EAAE,GAAG;IACzB,mBAAmB,EAAE,GAAG;IACxB,8BAA8B,EAAE,GAAG;IAGnC,qBAAqB,EAAE,QAAQ;IAC/B,wBAAwB,EAAE,EAAE;IAC5B,wBAAwB,EAAE,EAAE;IAC5B,uBAAuB,EAAE,EAAE;IAC3B,oBAAoB,EAAE,EAAE;IACxB,sBAAsB,EAAE,EAAE;IAC1B,qBAAqB,EAAE,EAAE;IACzB,uBAAuB,EAAE,EAAE;IAC3B,sBAAsB,EAAE,EAAE;IAC1B,oBAAoB,EAAE,EAAE;IACxB,wBAAwB,EAAE,EAAE;IAG5B,uBAAuB,EAAE,QAAQ;IACjC,oBAAoB,EAAE,EAAE;IACxB,sBAAsB,EAAE,EAAE;IAC1B,wBAAwB,EAAE,EAAE;IAC5B,uBAAuB,EAAE,EAAE;IAC3B,sBAAsB,EAAE,EAAE;IAC1B,iBAAiB,EAAE,EAAE;IACrB,iBAAiB,EAAE,GAAG;IACtB,iBAAiB,EAAE,EAAE;IACrB,iBAAiB,EAAE,EAAE;IAIrB,qBAAqB,EAAE,EAAE;IACzB,uBAAuB,EAAE,EAAE;IAC3B,sBAAsB,EAAE,EAAE;IAC1B,kBAAkB,EAAE,EAAE;CACqB,CAAC"}