@solidstarters/solid-core 1.2.157 → 1.2.159

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solidstarters/solid-core",
-  "version": "1.2.157",
+  "version": "1.2.159",
   "description": "This module is a NestJS module containing all the required core providers required by a Solid application",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -38,6 +38,7 @@
     "@aws-sdk/s3-request-presigner": "^3.828.0",
     "@elasticemail/elasticemail-client": "^4.0.23",
     "@hapi/joi": "^17.1.1",
+    "@nest-lab/throttler-storage-redis": "^1.1.0",
     "@nestjs/schedule": "^6.0.0",
     "@nestjs/throttler": "^6.4.0",
     "amqplib": "^0.10.4",

package/src/config/cache.options.ts

@@ -1,7 +1,7 @@
 import { CacheModuleAsyncOptions } from '@nestjs/cache-manager';
 import { ConfigModule, ConfigService } from '@nestjs/config';
 import { redisStore } from 'cache-manager-redis-store';
-import { isNumber } from 'class-validator';
+import { isRedisConfigured } from 'src/helpers/environment.helper';
 
 export const RedisOptions: CacheModuleAsyncOptions = {
     isGlobal: true,
@@ -29,8 +29,3 @@ async function createRedisStore(configService: ConfigService<Record<string, unkn
     });
 }
 
-function isRedisConfigured(configService: ConfigService): boolean {
-    const host = configService.get<string>('REDIS_HOST');
-    const port = configService.get<string>('REDIS_PORT');
-    return host && port && isNumber(parseInt(port));
-}

package/src/constants/error-messages.ts

@@ -28,7 +28,7 @@ export const ERROR_MESSAGES = {
     GOOGLE_OAUTH_PROFILE_FETCH_FAILED: 'Failed to fetch user profile from Google OAuth service',
     LOGOUT_FAILED: 'Logout failed due to an unexpected error.',
 
-    INVALID_CREDENTIALS: 'Invalid username or password specified.',
+    INVALID_CREDENTIALS: 'Invalid credentials',
     LOGIN_FAILED: 'Login Failed',
     OLD_PASSWORD_INCORRECT: 'You have specified an incorrect old password.',
     INVALID_NEW_PASSWORD: 'Invalid new password.',

package/src/controllers/authentication.controller.ts

@@ -25,7 +25,7 @@ export class AuthenticationController {
     constructor(private readonly authService: AuthenticationService) { }
 
     @Public()
-    @SkipThrottle({ login: false }) //Enable the login throttle only 
+    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @Post('register')
     signUp(@Body() signUpDto: SignUpDto) {
         return this.authService.signUp(signUpDto);
@@ -39,7 +39,7 @@ export class AuthenticationController {
 
     @Public()
     // @UseGuards(LocalAuthGuard)
-    @SkipThrottle({ login: false }) //Enable the login throttle only
+    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @HttpCode(HttpStatus.OK) // by default @Post does 201, we wanted 200 - hence using @HttpCode(HttpStatus.OK)
     @Post('authenticate')
     async signIn(
@@ -62,7 +62,7 @@ export class AuthenticationController {
     }
 
     @Public()
-    @SkipThrottle({ login: false }) //Enable the login throttle only
+    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @HttpCode(HttpStatus.OK) // changed since the default is 201
     @Post('refresh-tokens')
     refreshTokens(@Body() refreshTokenDto: RefreshTokenDto) {
@@ -70,14 +70,14 @@ export class AuthenticationController {
     }
 
     @Public()
-    @SkipThrottle({ login: false }) //Enable the login throttle only
+    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @Post('initiate/forgot-password')
     initiateForgotPassword(@Body() initiateForgotPasswordDto: InitiateForgotPasswordDto) {
         return this.authService.initiateForgotPassword(initiateForgotPasswordDto);
     }
 
     @Public()
-    @SkipThrottle({ login: false }) //Enable the login throttle only
+    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @Post('confirm/forgot-password')
     confirmForgotPassword(@Body() confirmForgotPasswordDto: ConfirmForgotPasswordDto) {
         return this.authService.confirmForgotPassword(confirmForgotPasswordDto);

package/src/factories/whatsapp.factory.ts

@@ -22,11 +22,12 @@ export class WhatsAppFactory {
 
     getWhatsappService(name: string = null): IWhatsAppTransport {
         // This is the default provider
-        const whatsappServiceName = this.commonConfiguration.whatsappProvider || name;
+        const whatsappServiceName = name || this.commonConfiguration.whatsappProvider;
         if (!whatsappServiceName) {
             throw new Error("Unable to resolve whatsapp provider")
         }
         const whatsappProviders = this.solidRegistry.getWhatsappProviders();
+
         // Return the instance which matches the whatsappServiceName
         if (!whatsappProviders.length) {
             // throw new Error("No mail providers are registered.");

package/src/helpers/environment.helper.ts

@@ -1,7 +1,16 @@
+import { ConfigService } from "@nestjs/config";
+import { isNumber } from 'class-validator';
+
 export function parseBooleanEnv(key: string, defaultValue: boolean = false): boolean {
     const value = process.env[key];
     if (value === undefined) {
         return defaultValue;
     }
     return value.toLowerCase() === 'true';
+}
+
+export function isRedisConfigured(configService: ConfigService): boolean {
+    const host = configService.get<string>('REDIS_HOST');
+    const port = configService.get<string>('REDIS_PORT');
+    return host && port && isNumber(parseInt(port));
 }

package/src/helpers/index.ts

@@ -0,0 +1,9 @@
+export function deepFreeze<T>(obj: T): T {
+  Object.getOwnPropertyNames(obj).forEach(prop => {
+    const value = (obj as any)[prop];
+    if (value && typeof value === 'object') {
+      deepFreeze(value);
+    }
+  });
+  return Object.freeze(obj);
+}

package/src/helpers/model-metadata-helper.service.ts

@@ -2,13 +2,18 @@
 
 import { Injectable, Logger } from "@nestjs/common";
 import { SolidRegistry } from "./solid-registry";
-import { In } from "typeorm";
+import { In, Repository } from "typeorm";
+import { InjectRepository } from "@nestjs/typeorm";
+import { ModelMetadata } from "src/entities/model-metadata.entity";
 
 @Injectable()
 export class ModelMetadataHelperService {
     private readonly logger = new Logger(ModelMetadataHelperService.name);
 
-    constructor(private readonly registry: SolidRegistry) {
+    constructor(private readonly registry: SolidRegistry,
+        @InjectRepository(ModelMetadata)
+        private readonly modelMetadataRepo: Repository<ModelMetadata>,
+    ) {
     }
 
     getSystemFieldsMetadata(): any[] {
@@ -105,5 +110,28 @@ export class ModelMetadataHelperService {
         return systemFieldsMetadata;
     }
 
+    async loadFieldHierarchy(modelName: any) {
+        const model = await this.modelMetadataRepo.findOne({
+            where: {
+                singularName: modelName,
+            },
+            relations: {
+                fields: true,
+                parentModel: {
+                    fields: true,
+                }
+            }
+        });
+        const fields = [];
+        if (model) {
+            // Add the fields of the current model
+            fields.push(...model.fields);
 
+            // Add the fields of the parent model
+            if (model.parentModel) {
+                fields.push(...model.parentModel.fields);
+            }
+        }
+        return fields;
+    }
 }

package/src/helpers/string.helper.ts

@@ -0,0 +1,4 @@
+export const lowerFirst = (str: string): string => {
+    if (!str) return str;
+    return str.charAt(0).toLowerCase() + str.slice(1);
+}

package/src/index.ts

@@ -279,6 +279,7 @@ export * from './factories/mail.factory'
 export * from './repository/solid-base.repository'
 export * from './repository/security-rule.repository'
 export * from './repository/field.repository'
+export * from './repository/chatter-message.repository'
 
 
 //softDeleteAwareEventSubscriber.subscriber.ts

package/src/repository/security-rule.repository.ts

@@ -8,8 +8,8 @@ import { RoleMetadata } from 'src/entities/role-metadata.entity';
 import { SecurityRule } from 'src/entities/security-rule.entity';
 import { SolidRegistry } from 'src/helpers/solid-registry';
 import { ActiveUserData } from 'src/interfaces/active-user-data.interface';
-import { CrudHelperService } from 'src/services/crud-helper.service';
-import { DataSource, Repository, SelectQueryBuilder } from 'typeorm';
+import { CrudHelperService, FilterCombinator } from 'src/services/crud-helper.service';
+import { Brackets, DataSource, Repository, SelectQueryBuilder } from 'typeorm';
 
 @Injectable()
 export class SecurityRuleRepository extends Repository<SecurityRule> {
@@ -26,18 +26,31 @@ export class SecurityRuleRepository extends Repository<SecurityRule> {
         // Fetch the security rules for the model and roles
         const securityRules = this.solidRegistry.getSecurityRules(modelSingularName, activeUser.roles);
 
-        // Loop through the security rules and add only rules that are json parseable and have a rule
-        securityRules.forEach((rule: SecurityRule) => {
-            try {
-                // Parse the security rule and call the buildFilter method to build the query from the security rule
-                const parsedRule = JSON.parse(this.resolveSecurityRuleConfig(rule.securityRuleConfig, activeUser)) as SecurityRuleConfig;
+        // If no security rules, return the original query builder
+        if (!securityRules.length) {
+            return qb;
+        }
+
+        // Apply each security rule to the query builder. The rules are combined with OR logic at the top level.
+        qb.andWhere(new Brackets((outerQb) => {
+            for (const rule of securityRules) {
+                try {
+                    const parsedRule = JSON.parse(
+                        this.resolveSecurityRuleConfig(rule.securityRuleConfig, activeUser)
+                    ) as SecurityRuleConfig;
+
                 if (parsedRule && parsedRule.filters) {
-                    this.crudHelperService.buildFilterQuery(qb, parsedRule, securityRuleAlias);
+                        outerQb.orWhere( // combine each rule-group with OR at the outer level
+                            new Brackets((innerQb) => {
+                               this.crudHelperService.applyFilters(innerQb, parsedRule.filters, securityRuleAlias, qb); // AND within a rule
+                            })
+                        );
+                    }
+                } catch (error) {
+                    this.logger.warn(`Error parsing security rule: ${rule.securityRuleConfig}`, error);
                 }
-            } catch (error) {
-                this.logger.warn(`Error parsing security rule: ${rule.securityRuleConfig}`, error);
             }
-        });
+        }));
 
         return qb;
     }
@@ -85,7 +98,7 @@ export class SecurityRuleRepository extends Repository<SecurityRule> {
                 },
             });
             createDto['role'] = role;
-        } 
+        }
 
         if (createDto.roleUserKey) {
             const role = await roleRepository.findOne({

package/src/repository/user.repository.ts

@@ -0,0 +1,17 @@
+import { Injectable } from "@nestjs/common";
+import { User } from "src/entities/user.entity";
+import { RequestContextService } from "src/services/request-context.service";
+import { DataSource } from "typeorm";
+import { SecurityRuleRepository } from "./security-rule.repository";
+import { SolidBaseRepository } from "./solid-base.repository";
+
+@Injectable()
+export class UserRepository extends SolidBaseRepository<User> {
+    constructor(
+        readonly dataSource: DataSource,
+        readonly requestContextService: RequestContextService,
+        readonly securityRuleRepository: SecurityRuleRepository,
+    ) {
+        super(User, dataSource, requestContextService, securityRuleRepository);
+    }
+}

package/src/seeders/module-metadata-seeder.service.ts

@@ -41,7 +41,8 @@ import { CreateDashboardDto } from 'src/dtos/create-dashboard.dto';
 import { DashboardRepository } from 'src/repository/dashboard.repository';
 // import { CreateScheduledJobDto } from 'src/dtos/create-scheduled-job.dto';
 import { ScheduledJobRepository } from 'src/repository/scheduled-job.repository';
-import { CreateScheduledJobDto } from 'src/dtos/create-scheduled-job.dto';
+import { CreateScheduledJobDto } from 'src/dtos/create-scheduled-job.dto'
+import { deepFreeze } from 'src/helpers';
 
 @Injectable()
 export class ModuleMetadataSeederService {
@@ -128,7 +129,8 @@ export class ModuleMetadataSeederService {
         for (let i = 0; i < seedDataFiles.length; i++) {
 
             // Module, model & field handling.
-            const overallMetadata = seedDataFiles[i];
+            const overallMetadata = deepFreeze(seedDataFiles[i]);
+
             // const fullPath = path.join(process.cwd(), seedDataFile);
 
             // For each module metadata seed file provided, read contents, parse & convert to a variable. 
@@ -317,14 +319,20 @@ export class ModuleMetadataSeederService {
         }
     }
 
-    async seedMediaStorageProviders(mediaStorageProviders: any) {
+    async seedMediaStorageProviders(_mediaStorageProviders: any) {
+        const mediaStorageProviders = structuredClone(_mediaStorageProviders);
+        if (!mediaStorageProviders) {
+            return;
+        }
         for (let i = 0; i < mediaStorageProviders.length; i++) {
             const mediaStorageProivder = mediaStorageProviders[i];
             await this.mediaStorageProviderMetadataService.upsert(mediaStorageProivder);
         }
     }
 
-    async seedEmailTemplates(emailTemplates: CreateEmailTemplateDto[], moduleMetadata: CreateModuleMetadataDto) {
+    async seedEmailTemplates(_emailTemplates: CreateEmailTemplateDto[], _moduleMetadata: CreateModuleMetadataDto) {
+        const emailTemplates = structuredClone(_emailTemplates);
+        const moduleMetadata = structuredClone(_moduleMetadata);
         if (!emailTemplates) {
             return;
         }
@@ -360,7 +368,9 @@ export class ModuleMetadataSeederService {
 
     }
 
-    async seedSmsTemplates(smsTemplates: CreateSmsTemplateDto[], moduleMetadata: CreateModuleMetadataDto) {
+    async seedSmsTemplates(_smsTemplates: CreateSmsTemplateDto[], _moduleMetadata: CreateModuleMetadataDto) {
+        const smsTemplates = structuredClone(_smsTemplates);
+        const moduleMetadata = structuredClone(_moduleMetadata);
         if (!smsTemplates) {
             return;
         }
@@ -397,6 +407,7 @@ export class ModuleMetadataSeederService {
     }
 
     async seedMenus(menus: any) {
+        // const menus = structuredClone(_menus);
         if (!menus) {
             return;
         }
@@ -434,7 +445,8 @@ export class ModuleMetadataSeederService {
         }
     }
 
-    async seedActions(actions: any) {
+    async seedActions(_actions: any) {
+        const actions = structuredClone(_actions);
         if (!actions) {
             return;
         }
@@ -455,7 +467,8 @@ export class ModuleMetadataSeederService {
         }
     }
 
-    async seedViews(views: any) {
+    async seedViews(_views: any) {
+        const views = structuredClone(_views);
         if (!views) {
             return;
         }
@@ -478,7 +491,8 @@ export class ModuleMetadataSeederService {
         }
     }
 
-    async seedUsers(users) {
+    async seedUsers(_users) {
+        const users = structuredClone(_users);
         if (!users) {
             return;
         }
@@ -499,8 +513,8 @@ export class ModuleMetadataSeederService {
         }
     }
 
-    async seedModuleModelFields(moduleMetadata: CreateModuleMetadataDto) {
-
+    async seedModuleModelFields(_moduleMetadata: CreateModuleMetadataDto) {
+        const moduleMetadata = structuredClone(_moduleMetadata);
         // First we create the module. 
         // await this.moduleMetadataService.removeByName(moduleMetadata.name);
         // const module = await this.moduleMetadataService.create(moduleMetadata);
@@ -561,14 +575,16 @@ export class ModuleMetadataSeederService {
         }
     }
 
-    async seedSettings(createDto: CreateSettingDto) {
+    async seedSettings(_createDto: CreateSettingDto) {
+        const createDto = structuredClone(_createDto);
         const settingsArray: any[] = await this.settingsRepo.find();
         if (!settingsArray || settingsArray.length === 0) {
             this.seetingService.create(createDto);
         }
     }
 
-    async seedSecurityRules(rulesDto: CreateSecurityRuleDto[]) {
+    async seedSecurityRules(_rulesDto: CreateSecurityRuleDto[]) {
+        const rulesDto = structuredClone(_rulesDto);
         if (!rulesDto || rulesDto.length === 0) {
             this.logger.debug(`No security rules found to seed`);
             return;
@@ -578,17 +594,21 @@ export class ModuleMetadataSeederService {
         }
     }
 
-    async seedListOfValues(listOfValuesDto: CreateListOfValuesDto[]) {
+    async seedListOfValues(_listOfValuesDto: CreateListOfValuesDto[]) {
+        const listOfValuesDto = structuredClone(_listOfValuesDto);
         if (!listOfValuesDto || listOfValuesDto.length === 0) {
             this.logger.debug(`No List Of Values found to seed`);
             return;
         }
         for (let j = 0; j < listOfValuesDto.length; j++) {
+            const listOfValueDto = listOfValuesDto[j];
+            listOfValueDto['module'] = await this.moduleMetadataService.findOneByUserKey(listOfValueDto.moduleUserKey);
             await this.listOfValuesService.upsert(listOfValuesDto[j]);
         }
     }
 
-    async seedDashboards(dashboardDtos: CreateDashboardDto[]) {
+    async seedDashboards(_dashboardDtos: CreateDashboardDto[]) {
+        const dashboardDtos = structuredClone(_dashboardDtos);
         if (!dashboardDtos || dashboardDtos.length === 0) {
             this.logger.debug(`No dashboards found to seed`);
             return;
@@ -598,7 +618,8 @@ export class ModuleMetadataSeederService {
         }
     }
 
-    async seedScheduledJobs(createScheduledJobDto: CreateScheduledJobDto[]) {
+    async seedScheduledJobs(_createScheduledJobDto: CreateScheduledJobDto[]) {
+        const createScheduledJobDto = structuredClone(_createScheduledJobDto);
         if (!createScheduledJobDto || createScheduledJobDto.length === 0) {
             this.logger.debug(`No scheduled jobs found to seed`);
             return;

package/src/seeders/seed-data/solid-core-metadata.json

@@ -1697,6 +1697,7 @@
         "dataSourceType": "postgres",
         "userKeyFieldUserKey": "username",
         "isSystem": true,
+        "enableAuditTracking": true,
         "fields": [
           {
             "name": "fullName",
@@ -1709,7 +1710,8 @@
             "index": false,
             "private": false,
             "encrypt": false,
-            "isSystem": true
+            "isSystem": true,
+            "enableAuditTracking": true
           },
           {
             "name": "username",
@@ -1722,7 +1724,8 @@
             "index": true,
             "private": false,
             "encrypt": false,
-            "isSystem": true
+            "isSystem": true,
+            "enableAuditTracking": true
           },
           {
             "name": "email",
@@ -1735,7 +1738,8 @@
             "index": true,
             "private": false,
             "encrypt": false,
-            "isSystem": true
+            "isSystem": true,
+            "enableAuditTracking": true
           },
           {
             "name": "mobile",
@@ -1748,7 +1752,8 @@
             "index": true,
             "private": false,
             "encrypt": false,
-            "isSystem": true
+            "isSystem": true,
+            "enableAuditTracking": true
           },
           {
             "name": "password",
@@ -1884,7 +1889,8 @@
             "relationCascade": "cascade",
             "relationModelModuleName": "solid-core",
             "isSystem": true,
-            "isRelationManyToManyOwner": true
+            "isRelationManyToManyOwner": true,
+            "enableAuditTracking": true
           },
           {
             "name": "forgotPasswordConfirmedAt",
@@ -12256,5 +12262,33 @@
   ],
   "checksums": [],
   "listOfValues": [],
-  "scheduledJobs": []
+  "scheduledJobs": [],
+  "securityRules": [
+    {
+      "name": "model:User-role:Internal User",
+      "description": "Show User record for the current user only",
+      "roleUserKey": "Internal User",
+      "modelMetadataUserKey": "user",
+      "securityRuleConfig": {
+        "filters": {
+          "id": {
+            "$eq": "$activeUserId"
+          }
+        }
+      }
+    },
+    {
+      "name": "model:User-role:Admin",
+      "description": "Show All User records",
+      "roleUserKey": "Admin",
+      "modelMetadataUserKey": "user",
+      "securityRuleConfig": {
+        "filters": {
+          "id": {
+            "$ne": "0"
+          }
+        }
+      }
+    }
+  ]
 }

package/src/services/authentication.service.ts

@@ -126,7 +126,7 @@ export class AuthenticationService {
         const user = await this.resolveUser(signInDto.username, signInDto.email);
 
         if (!user) {
-            throw new UnauthorizedException(ERROR_MESSAGES.USER_NOT_FOUND);
+            throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
         if (!user.active) {
             throw new UnauthorizedException(ERROR_MESSAGES.USER_NOT_ACTIVE);
@@ -136,7 +136,7 @@ export class AuthenticationService {
             user.password,
         );
         if (!isEqual) {
-            throw new UnauthorizedException(ERROR_MESSAGES.PASSWORD_INCORRECT);
+            throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
 
         return user;
@@ -759,25 +759,31 @@ export class AuthenticationService {
         // });
         const user = await this.resolveUser(initiateForgotPasswordDto.username, initiateForgotPasswordDto.email);
 
+        let isValidUser = true // Instead of throwing exceptions we will simply return success message, this is to avoid user enumeration attacks.
         if (!user) {
-            throw new NotFoundException(ERROR_MESSAGES.INVALID_CREDENTIALS);
+            isValidUser = false            
+            // throw new NotFoundException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
         if (!user.active) {
-            throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
+            isValidUser = false
+            // throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
 
         // 2. Validate if user has used a provider which is "local", only then it makes sense for us to initiate the forgot password routine. 
         if (user.lastLoginProvider !== 'local') {
-            throw new BadRequestException(ERROR_MESSAGES.INVALID_CREDENTIALS);
+            isValidUser = false
+            // throw new BadRequestException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
 
         // 3. Generate a 6 digit validation token, we send this token to the user over their email & mobile number (controlled using configuration).
         // 4. Save this validation token in new fields on the user record. 
-        const { token, expiresAt } = this.generateForgotPasswordToken();
-        user.verificationTokenOnForgotPassword = token;
-        user.verificationTokenOnForgotPasswordExpiresAt = expiresAt;
-        await this.userRepository.save(user);
-        this.notifyUserOnForgotPassword(user);
+        if (isValidUser) {
+            const { token, expiresAt } = this.generateForgotPasswordToken();
+            user.verificationTokenOnForgotPassword = token;
+            user.verificationTokenOnForgotPasswordExpiresAt = expiresAt;
+            await this.userRepository.save(user);
+            this.notifyUserOnForgotPassword(user);
+        }
 
         // 5. Return. 
         return {
@@ -788,8 +794,8 @@ export class AuthenticationService {
             data: {
                 user: {
                     email: user.email,
-                    mobile: user.mobile,
-                    username: user.username,
+                    // mobile: user.mobile,
+                    // username: user.username,
                 },
             }
         }
@@ -841,8 +847,8 @@ export class AuthenticationService {
         return this.dataSource.transaction(async (m) => {
             // Resolve the user id first (by username/email), but DON'T check the token in JS.
             const user = await this.resolveUserByVerificationToken(confirmForgotPasswordDto.verificationToken);
-            if (!user) throw new NotFoundException(ERROR_MESSAGES.INVALID_CREDENTIALS);
-            if (user.lastLoginProvider !== 'local') throw new BadRequestException(ERROR_MESSAGES.INVALID_CREDENTIALS);
+            if (!user) throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
+            if (user.lastLoginProvider !== 'local') throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
             if (!user.active) throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
 
             // 1) Atomically consume the token (only one request can succeed)