@soapjs/soap-auth 0.3.2 → 0.4.0

package/.claude/settings.local.json

@@ -0,0 +1,20 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm run *)",
+      "Bash(npx tsc *)",
+      "Bash(npm audit *)",
+      "Bash(npm uninstall *)",
+      "Bash(npm install *)",
+      "Bash(echo \"=== SOAP-EXPRESS src ===\" && find /Users/rad/git/soapjs/soap-express/src -type f -name \"*.ts\" | grep -v __tests__ | grep -v \".test.\" | sort && echo \"\" && echo \"=== SOAP-EXPRESS package.json ===\" && cat /Users/rad/git/soapjs/soap-express/package.json)",
+      "Bash(echo \"=== SOAP src \\(http + common\\) ===\" && find /Users/rad/git/soapjs/soap/src -type f -name \"*.ts\" | grep -v __tests__ | grep -v \".test.\" | grep -E \"\\(http|common|config\\)\" | sort)",
+      "Bash(cat /Users/rad/git/soapjs/soap/package.json | grep '\"version\"' | head -1)",
+      "Bash(grep -rln \"AuthStrategy\\\\|\\\\.configure\\(\\\\|\\\\.middleware\\(\\\\|serializeUser\\\\|AuthConfig\\\\b\" src --include=\"*.test.ts\")",
+      "Bash(grep -rln \"AuthStrategy\\\\|AuthConfig\" src/**/__tests__)",
+      "Bash(npm pack *)",
+      "Read(//Users/rad/git/soapjs/**)",
+      "Bash(npm view *)",
+      "Bash(grep -v \"^$\")"
+    ]
+  }
+}

package/build/__tests__/soap-auth.test.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const globals_1 = require("@jest/globals");
 const soap_auth_1 = require("../soap-auth");
+const memory_session_store_1 = require("../session/memory.session-store");
 describe("SoapAuth", () => {
     let soapAuth;
     const mockLogger = { error: globals_1.jest.fn(), info: globals_1.jest.fn() };
@@ -40,3 +41,96 @@ describe("SoapAuth", () => {
         expect(soapAuth.listStrategies("http")).toEqual(["jwt", "oauth"]);
     });
 });
+describe("SoapAuth.create()", () => {
+    const mockLogger = { error: globals_1.jest.fn(), info: globals_1.jest.fn(), warn: globals_1.jest.fn() };
+    const apiKeyConfig = {
+        keyType: "session",
+        extractApiKey: (ctx) => ctx?.headers?.["x-api-key"],
+        retrieveUserByApiKey: async (_key) => ({ id: "1", email: "test@test.com" }),
+    };
+    const jwtConfig = {
+        accessToken: {
+            issuer: {
+                secretKey: "test-secret-key-for-tests",
+                options: { expiresIn: "1h" },
+            },
+            verifier: { options: {} },
+        },
+        routes: {
+            login: { path: "/auth/jwt/login", method: "POST" },
+            logout: { path: "/auth/jwt/logout", method: "POST" },
+        },
+    };
+    const localConfig = {
+        credentials: {
+            extractCredentials: (ctx) => ({
+                identifier: ctx?.body?.username,
+                password: ctx?.body?.password,
+            }),
+            verifyCredentials: async (_id, _pwd) => true,
+        },
+        user: { fetchUser: async (_id) => ({ id: "1", email: "u@test.com" }) },
+        routes: {
+            login: { path: "/auth/login", method: "POST" },
+            logout: { path: "/auth/logout", method: "POST" },
+        },
+    };
+    test("registers api-key strategy from config", async () => {
+        const auth = await soap_auth_1.SoapAuth.create({
+            http: { apiKey: apiKeyConfig },
+            logger: mockLogger,
+        });
+        expect(auth.hasStrategy("api-key", "http")).toBe(true);
+    });
+    test("registers jwt as standalone HTTP strategy from http.jwt", async () => {
+        const auth = await soap_auth_1.SoapAuth.create({
+            http: { jwt: jwtConfig },
+            logger: mockLogger,
+        });
+        expect(auth.hasStrategy("jwt", "http")).toBe(true);
+    });
+    test("registers local strategy from config", async () => {
+        const auth = await soap_auth_1.SoapAuth.create({
+            http: { local: localConfig },
+            logger: mockLogger,
+        });
+        expect(auth.hasStrategy("local", "http")).toBe(true);
+    });
+    test("registers multiple HTTP strategies simultaneously", async () => {
+        const auth = await soap_auth_1.SoapAuth.create({
+            http: { apiKey: apiKeyConfig, jwt: jwtConfig, local: localConfig },
+            logger: mockLogger,
+        });
+        expect(auth.hasStrategy("api-key", "http")).toBe(true);
+        expect(auth.hasStrategy("jwt", "http")).toBe(true);
+        expect(auth.hasStrategy("local", "http")).toBe(true);
+    });
+    test("registers custom strategies from config", async () => {
+        const customStrategy = { name: "custom", authenticate: globals_1.jest.fn() };
+        const auth = await soap_auth_1.SoapAuth.create({
+            http: { custom: { myStrategy: customStrategy } },
+            logger: mockLogger,
+        });
+        expect(auth.hasStrategy("myStrategy", "http")).toBe(true);
+    });
+    test("registers socket JWT strategy from config", async () => {
+        const auth = await soap_auth_1.SoapAuth.create({
+            socket: { jwt: jwtConfig },
+            logger: mockLogger,
+        });
+        expect(auth.hasStrategy("jwt", "socket")).toBe(true);
+    });
+    test("returns empty SoapAuth when no strategy configs provided", async () => {
+        const auth = await soap_auth_1.SoapAuth.create({ logger: mockLogger });
+        expect(auth.listStrategies("http")).toEqual([]);
+    });
+    test("uses session handler when session config provided", async () => {
+        const store = new memory_session_store_1.MemorySessionStore();
+        const auth = await soap_auth_1.SoapAuth.create({
+            session: { secret: "test-secret", store, getSessionId: () => "sid" },
+            http: { local: localConfig },
+            logger: mockLogger,
+        });
+        expect(auth.hasStrategy("local", "http")).toBe(true);
+    });
+});

package/build/errors.d.ts

@@ -20,7 +20,7 @@ export declare class UserNotFoundError extends Error {
     constructor();
 }
 export declare class InvalidCredentialsError extends Error {
-    constructor();
+    constructor(message?: string);
 }
 export declare class MissingTokenError extends Error {
     readonly tokenType: "Access" | "Refresh";

package/build/errors.js

@@ -50,8 +50,8 @@ class UserNotFoundError extends Error {
 }
 exports.UserNotFoundError = UserNotFoundError;
 class InvalidCredentialsError extends Error {
-    constructor() {
-        super("Invalid credentials: Authentication failed.");
+    constructor(message) {
+        super(`Invalid credentials: ${message || 'Authentication failed.'}`);
         this.name = "InvalidCredentialsError";
     }
 }

package/build/index.d.ts

@@ -5,3 +5,4 @@ export * from "./tools";
 export * from "./errors";
 export * from "./types";
 export * from "./soap-auth";
+export * from "./utils/validation";

package/build/index.js

@@ -21,3 +21,4 @@ __exportStar(require("./tools"), exports);
 __exportStar(require("./errors"), exports);
 __exportStar(require("./types"), exports);
 __exportStar(require("./soap-auth"), exports);
+__exportStar(require("./utils/validation"), exports);

package/build/services/__tests__/password.service.test.js

@@ -1,7 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const password_service_1 = require("../password.service");
-const soap_1 = require("@soapjs/soap");
 const globals_1 = require("@jest/globals");
 describe("PasswordService", () => {
     let service;
@@ -13,10 +12,10 @@ describe("PasswordService", () => {
         globals_1.jest.clearAllMocks();
         mockConfig = {
             validatePassword: globals_1.jest.fn(),
-            getLastPasswordChange: globals_1.jest.fn(),
+            getPasswordPasswordInfo: globals_1.jest.fn(),
             generateResetToken: globals_1.jest.fn(),
-            sendResetEmail: globals_1.jest.fn(),
-            validateResetToken: globals_1.jest.fn(),
+            sendPasswordResetEmail: globals_1.jest.fn(),
+            validatePasswordResetToken: globals_1.jest.fn(),
             updatePassword: globals_1.jest.fn(),
             passwordExpirationDays: 30,
         };
@@ -25,13 +24,13 @@ describe("PasswordService", () => {
     it("validatePassword calls config method", async () => {
         mockConfig.validatePassword.mockReturnValue(true);
         await expect(service.validatePassword(mockPassword)).resolves.toBe(true);
-        expect(mockConfig.validatePassword).toHaveBeenCalledWith(mockPassword);
+        expect(mockConfig.validatePassword).toHaveBeenCalledWith(mockPassword, undefined);
     });
-    it("getLastPasswordChange calls config method", async () => {
-        const mockDate = new Date();
-        mockConfig.getLastPasswordChange.mockReturnValue(mockDate);
-        await expect(service.getLastPasswordChange(mockIdentifier)).resolves.toBe(mockDate);
-        expect(mockConfig.getLastPasswordChange).toHaveBeenCalledWith(mockIdentifier);
+    it("getPasswordPasswordInfo calls config method", async () => {
+        const mockPasswordInfo = { type: "default" };
+        mockConfig.getPasswordPasswordInfo.mockReturnValue(mockPasswordInfo);
+        await expect(service.getPasswordPasswordInfo(mockIdentifier)).resolves.toBe(mockPasswordInfo);
+        expect(mockConfig.getPasswordPasswordInfo).toHaveBeenCalledWith(mockIdentifier);
     });
     it("generateResetToken calls config method", async () => {
         mockConfig.generateResetToken.mockResolvedValue("mock-token");
@@ -39,28 +38,36 @@ describe("PasswordService", () => {
     });
     it("sendResetEmail calls config method", async () => {
         await expect(service.sendResetEmail(mockIdentifier, "mock-token")).resolves.not.toThrow();
-        expect(mockConfig.sendResetEmail).toHaveBeenCalledWith(mockIdentifier, "mock-token");
+        expect(mockConfig.sendPasswordResetEmail).toHaveBeenCalledWith(mockIdentifier, "mock-token");
     });
     it("validateResetToken calls config method", async () => {
-        mockConfig.validateResetToken.mockResolvedValue(true);
-        await expect(service.validateResetToken("mock-token")).resolves.toBe(true);
+        mockConfig.validatePasswordResetToken.mockResolvedValue(true);
+        await expect(service.validateResetToken("mock-token")).resolves.toBeUndefined();
     });
     it("updatePassword calls config method", async () => {
         await expect(service.updatePassword(mockIdentifier, mockPassword)).resolves.not.toThrow();
-        expect(mockConfig.updatePassword).toHaveBeenCalledWith(mockIdentifier, mockPassword);
+        expect(mockConfig.updatePassword).toHaveBeenCalledWith(mockIdentifier, mockPassword, undefined);
     });
     it("isPasswordChangeRequired returns true if password is expired", async () => {
         const pastDate = new Date(Date.now() - 31 * 86400000);
-        mockConfig.getLastPasswordChange.mockResolvedValue(pastDate);
+        mockConfig.getPasswordPasswordInfo.mockResolvedValue({
+            type: "temporary",
+            lastChangeDate: pastDate,
+            expiresIn: 30 * 86400000
+        });
         await expect(service.isPasswordChangeRequired(mockIdentifier)).resolves.toBe(true);
     });
     it("isPasswordChangeRequired returns false if password is within expiration period", async () => {
         const recentDate = new Date(Date.now() - 15 * 86400000);
-        mockConfig.getLastPasswordChange.mockResolvedValue(recentDate);
+        mockConfig.getPasswordPasswordInfo.mockResolvedValue({
+            type: "temporary",
+            lastChangeDate: recentDate,
+            expiresIn: 30 * 86400000
+        });
         await expect(service.isPasswordChangeRequired(mockIdentifier)).resolves.toBe(false);
     });
-    it("isPasswordChangeRequired throws NotImplementedError if getLastPasswordChange is not defined", async () => {
+    it("isPasswordChangeRequired returns false if getPasswordPasswordInfo is not defined", async () => {
         service = new password_service_1.PasswordService({ passwordExpirationDays: 30 }, mockLogger);
-        await expect(service.isPasswordChangeRequired(mockIdentifier)).rejects.toThrow(soap_1.NotImplementedError);
+        await expect(service.isPasswordChangeRequired(mockIdentifier)).resolves.toBe(false);
     });
 });

package/build/services/__tests__/totp.service.test.d.ts

@@ -0,0 +1 @@
+export {};

package/build/services/__tests__/totp.service.test.js

@@ -0,0 +1,120 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const totp_service_1 = require("../totp.service");
+describe("TotpService", () => {
+    const totp = new totp_service_1.TotpService();
+    describe("generateSecret", () => {
+        it("returns a non-empty base32 string", () => {
+            const secret = totp.generateSecret();
+            expect(secret).toMatch(/^[A-Z2-7]+$/);
+            expect(secret.length).toBeGreaterThan(0);
+        });
+        it("returns unique secrets", () => {
+            const a = totp.generateSecret();
+            const b = totp.generateSecret();
+            expect(a).not.toBe(b);
+        });
+    });
+    describe("generateOTP", () => {
+        it("returns a 6-digit string for a fixed timestamp", () => {
+            const secret = totp.generateSecret();
+            const code = totp.generateOTP(secret, 1000000000000);
+            expect(code).toMatch(/^\d{6}$/);
+        });
+        it("returns the same code within the same time step", () => {
+            const secret = totp.generateSecret();
+            const ts = 1000000000000;
+            expect(totp.generateOTP(secret, ts)).toBe(totp.generateOTP(secret, ts + 5000));
+        });
+        it("returns a different code in a different time step", () => {
+            const secret = totp.generateSecret();
+            const ts = 1000000000000;
+            const code1 = totp.generateOTP(secret, ts);
+            const code2 = totp.generateOTP(secret, ts + 30_000);
+            expect(code1).not.toBe(code2);
+        });
+    });
+    describe("verifyOTP", () => {
+        it("accepts a valid code at the current timestamp", () => {
+            const secret = totp.generateSecret();
+            const ts = Date.now();
+            const code = totp.generateOTP(secret, ts);
+            expect(totp.verifyOTP(secret, code, ts)).toBe(true);
+        });
+        it("accepts a code one step in the past (window = 1)", () => {
+            const secret = totp.generateSecret();
+            const ts = 1000000000000;
+            const pastCode = totp.generateOTP(secret, ts - 30_000);
+            expect(totp.verifyOTP(secret, pastCode, ts)).toBe(true);
+        });
+        it("accepts a code one step in the future (window = 1)", () => {
+            const secret = totp.generateSecret();
+            const ts = 1000000000000;
+            const futureCode = totp.generateOTP(secret, ts + 30_000);
+            expect(totp.verifyOTP(secret, futureCode, ts)).toBe(true);
+        });
+        it("rejects a code two steps old when window = 1", () => {
+            const secret = totp.generateSecret();
+            const ts = 1000000000000;
+            const oldCode = totp.generateOTP(secret, ts - 60_000);
+            expect(totp.verifyOTP(secret, oldCode, ts)).toBe(false);
+        });
+        it("rejects an invalid code", () => {
+            const secret = totp.generateSecret();
+            expect(totp.verifyOTP(secret, "000000", Date.now())).toBe(false);
+        });
+        it("rejects non-numeric input", () => {
+            const secret = totp.generateSecret();
+            expect(totp.verifyOTP(secret, "abcdef")).toBe(false);
+        });
+        it("rejects wrong-length input", () => {
+            const secret = totp.generateSecret();
+            expect(totp.verifyOTP(secret, "12345")).toBe(false);
+        });
+    });
+    describe("custom options", () => {
+        it("generates 8-digit codes when configured", () => {
+            const t8 = new totp_service_1.TotpService({ digits: 8 });
+            const secret = t8.generateSecret();
+            const code = t8.generateOTP(secret);
+            expect(code).toMatch(/^\d{8}$/);
+        });
+        it("accepts window = 0 — only the current step", () => {
+            const t0 = new totp_service_1.TotpService({ window: 0 });
+            const secret = t0.generateSecret();
+            const ts = 1000000000000;
+            const pastCode = t0.generateOTP(secret, ts - 30_000);
+            expect(t0.verifyOTP(secret, pastCode, ts)).toBe(false);
+            const current = t0.generateOTP(secret, ts);
+            expect(t0.verifyOTP(secret, current, ts)).toBe(true);
+        });
+    });
+    describe("generateQRUri", () => {
+        it("returns a valid otpauth URI", () => {
+            const secret = totp.generateSecret();
+            const uri = totp.generateQRUri(secret, "MyApp", "user@example.com");
+            expect(uri).toMatch(/^otpauth:\/\/totp\//);
+            expect(uri).toContain(secret);
+            expect(uri).toContain("issuer=MyApp");
+        });
+    });
+    describe("generateBackupCodes", () => {
+        it("returns 8 codes by default", () => {
+            const codes = totp.generateBackupCodes();
+            expect(codes).toHaveLength(8);
+        });
+        it("returns the requested count", () => {
+            const codes = totp.generateBackupCodes(10);
+            expect(codes).toHaveLength(10);
+        });
+        it("returns uppercase hex strings of 12 chars", () => {
+            const codes = totp.generateBackupCodes();
+            codes.forEach((c) => expect(c).toMatch(/^[0-9A-F]{12}$/));
+        });
+        it("returns unique codes", () => {
+            const codes = totp.generateBackupCodes(20);
+            const unique = new Set(codes);
+            expect(unique.size).toBe(20);
+        });
+    });
+});

package/build/services/auth-throttle.service.d.ts

@@ -2,8 +2,8 @@ import * as Soap from "@soapjs/soap";
 import { AuthThrottleConfig } from "../types";
 export declare class AuthThrottleService {
     private config;
-    private logger;
-    constructor(config: AuthThrottleConfig, logger: Soap.Logger);
+    private logger?;
+    constructor(config: AuthThrottleConfig, logger?: Soap.Logger);
     checkFailedAttempts(identifier: string): Promise<void>;
     incrementFailedAttempts(account: any): Promise<void>;
     resetFailedAttempts(account: any): Promise<void>;

package/build/services/auth-throttle.service.js

@@ -17,11 +17,11 @@ class AuthThrottleService {
                     (await this.config.getFailedAttempts?.(identifier)) || 0;
             }
             catch (e) {
-                this.logger.error("Check failed attempts:", e);
+                this.logger?.error("Check failed attempts:", e);
             }
             if (Number.isInteger(failedAttempts) &&
                 failedAttempts >= this.config.maxFailedAttempts) {
-                this.logger.warn(`User ${identifier} is temporarily locked out.`);
+                this.logger?.warn(`User ${identifier} is temporarily locked out.`);
                 throw new errors_1.AccountLockedError();
             }
         }

package/build/services/index.d.ts

@@ -6,3 +6,4 @@ export * from "./password.service";
 export * from "./pkce.service";
 export * from "./rate-limit.service";
 export * from "./role.service";
+export * from "./totp.service";

package/build/services/index.js

@@ -22,3 +22,4 @@ __exportStar(require("./password.service"), exports);
 __exportStar(require("./pkce.service"), exports);
 __exportStar(require("./rate-limit.service"), exports);
 __exportStar(require("./role.service"), exports);
+__exportStar(require("./totp.service"), exports);

package/build/services/password.service.d.ts

@@ -1,14 +1,16 @@
 import * as Soap from "@soapjs/soap";
-import { PasswordPolicyConfig } from "../types";
+import { NewPasswordOptions, PasswordInfo, PasswordPolicyConfig } from "../types";
 export declare class PasswordService {
     private config;
     private logger;
     constructor(config: PasswordPolicyConfig, logger: Soap.Logger);
-    validatePassword(password: string): Promise<boolean>;
-    getLastPasswordChange(identifier: string): Promise<Date>;
+    private validateConfig;
+    validatePassword(password: string, previousPassword?: string): Promise<void>;
+    getPasswordPasswordInfo(identifier: string): Promise<PasswordInfo>;
     generateResetToken(identifier: string): Promise<string>;
     sendResetEmail(identifier: string, token: string): Promise<void>;
-    validateResetToken(token: string): Promise<boolean>;
-    updatePassword(identifier: string, newPassword: string): Promise<void>;
+    validateResetToken(token: string): Promise<void>;
+    updatePassword(identifier: string, newPassword: string, passwordOptions?: NewPasswordOptions): Promise<void>;
     isPasswordChangeRequired(identifier: string): Promise<boolean>;
+    generatePassword(identifier: string, options: NewPasswordOptions): Promise<string>;
 }

package/build/services/password.service.js

@@ -22,57 +22,115 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PasswordService = void 0;
 const Soap = __importStar(require("@soapjs/soap"));
+const bcrypt_1 = __importDefault(require("bcrypt"));
+const crypto_1 = __importDefault(require("crypto"));
+const validation_1 = require("../utils/validation");
+const errors_1 = require("../errors");
 class PasswordService {
     config;
     logger;
     constructor(config, logger) {
         this.config = config;
         this.logger = logger;
+        this.validateConfig(config);
     }
-    async validatePassword(password) {
-        return this.config.validatePassword?.(password);
+    validateConfig(config) {
+        try {
+            validation_1.ValidationUtils.required(config, "config");
+            validation_1.ValidationUtils.object(config, "config");
+        }
+        catch (error) {
+            if (error instanceof validation_1.ValidationError) {
+                throw error;
+            }
+            throw new validation_1.ValidationError(`Invalid PasswordService configuration: ${error.message}`);
+        }
     }
-    async getLastPasswordChange(identifier) {
-        return this.config.getLastPasswordChange?.(identifier);
+    async validatePassword(password, previousPassword) {
+        validation_1.ValidationUtils.nonEmptyString(password, "password");
+        if (previousPassword !== undefined) {
+            validation_1.ValidationUtils.nonEmptyString(previousPassword, "previousPassword");
+        }
+        return this.config.validatePassword?.(password, previousPassword);
+    }
+    async getPasswordPasswordInfo(identifier) {
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
+        return this.config.getPasswordPasswordInfo?.(identifier);
     }
     async generateResetToken(identifier) {
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
         if (!this.config?.generateResetToken) {
             throw new Soap.NotImplementedError("generateResetToken");
         }
         return this.config.generateResetToken?.(identifier);
     }
     async sendResetEmail(identifier, token) {
-        if (!this.config?.sendResetEmail) {
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
+        validation_1.ValidationUtils.nonEmptyString(token, "token");
+        if (!this.config?.sendPasswordResetEmail) {
             throw new Soap.NotImplementedError("sendResetEmail");
         }
-        return this.config.sendResetEmail?.(identifier, token);
+        return this.config.sendPasswordResetEmail?.(identifier, token);
     }
     async validateResetToken(token) {
-        if (!this.config?.validateResetToken) {
+        validation_1.ValidationUtils.nonEmptyString(token, "token");
+        if (!this.config?.validatePasswordResetToken) {
             throw new Soap.NotImplementedError("validateResetToken");
         }
-        return this.config.validateResetToken?.(token);
+        const isValid = await this.config.validatePasswordResetToken(token);
+        if (isValid === false) {
+            throw new errors_1.ExpiredResetTokenError();
+        }
     }
-    async updatePassword(identifier, newPassword) {
+    async updatePassword(identifier, newPassword, passwordOptions) {
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
+        validation_1.ValidationUtils.nonEmptyString(newPassword, "newPassword");
+        if (passwordOptions) {
+            validation_1.ValidationUtils.object(passwordOptions, "passwordOptions");
+            if (passwordOptions.type) {
+                validation_1.ValidationUtils.oneOf(passwordOptions.type, "passwordOptions.type", ["default", "one-time", "temporary"]);
+            }
+        }
         if (!this.config?.updatePassword) {
             throw new Soap.NotImplementedError("updatePassword");
         }
-        return this.config.updatePassword?.(identifier, newPassword);
+        return this.config.updatePassword?.(identifier, newPassword, passwordOptions);
     }
     async isPasswordChangeRequired(identifier) {
-        if (this.config.passwordExpirationDays) {
-            if (!this.config.getLastPasswordChange) {
-                throw new Soap.NotImplementedError("getLastPasswordChange");
-            }
-            const lastChanged = await this.config.getLastPasswordChange(identifier);
-            return (lastChanged &&
-                Date.now() - Number(lastChanged) >
-                    this.config.passwordExpirationDays * 86400000);
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
+        const passwordInfo = await this.config.getPasswordPasswordInfo?.(identifier);
+        if (passwordInfo &&
+            (passwordInfo.type === "one-time" ||
+                (passwordInfo.type === "temporary" &&
+                    Number.isInteger(passwordInfo.expiresIn) &&
+                    Date.now() - passwordInfo.lastChangeDate.getTime() >
+                        passwordInfo.expiresIn))) {
+            return true;
         }
         return false;
     }
+    async generatePassword(identifier, options) {
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
+        validation_1.ValidationUtils.required(options, "options");
+        validation_1.ValidationUtils.object(options, "options");
+        validation_1.ValidationUtils.oneOf(options.type, "options.type", ["default", "one-time", "temporary"]);
+        let plaintext;
+        if (this.config.generatePassword) {
+            plaintext = await this.config.generatePassword(identifier, options);
+        }
+        else {
+            plaintext = crypto_1.default.randomBytes(12).toString("base64url");
+        }
+        const salt = await bcrypt_1.default.genSalt(10);
+        const hashedPassword = await bcrypt_1.default.hash(plaintext, salt);
+        await this.updatePassword(identifier, hashedPassword, options);
+        return plaintext;
+    }
 }
 exports.PasswordService = PasswordService;

package/build/services/totp.service.d.ts

@@ -0,0 +1,16 @@
+export interface TotpOptions {
+    step?: number;
+    digits?: number;
+    window?: number;
+}
+export declare class TotpService {
+    private readonly step;
+    private readonly digits;
+    private readonly window;
+    constructor(options?: TotpOptions);
+    generateSecret(byteLength?: number): string;
+    generateOTP(secret: string, timestamp?: number): string;
+    verifyOTP(secret: string, code: string, timestamp?: number): boolean;
+    generateQRUri(secret: string, issuer: string, account: string): string;
+    generateBackupCodes(count?: number): string[];
+}