@solidstarters/solid-core 1.2.169 → 1.2.171

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solidstarters/solid-core",
-  "version": "1.2.169",
+  "version": "1.2.171",
   "description": "This module is a NestJS module containing all the required core providers required by a Solid application",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/config/iam.config.ts

@@ -22,7 +22,8 @@ export const iamConfig = registerAs('iam', () => {
             callbackURL: process.env.IAM_GOOGLE_OAUTH_CALLBACK_URL,
             redirectURL: process.env.IAM_GOOGLE_OAUTH_REDIRECT_URL,
         },
-        iamAutoGeneratedPassword:process.env.IAM_AUTOGENERATED_PASSWORD || true
+        iamAutoGeneratedPassword:process.env.IAM_AUTOGENERATED_PASSWORD || true,
+        passwordPepper: process.env.IAM_PASSWORD_PEPPER || '', // Adding a pepper to the password hashing process for extra security
     };
 })
 

package/src/controllers/authentication.controller.ts

@@ -1,6 +1,5 @@
-import { Body, Controller, Get, HttpCode, HttpStatus, Logger, Post, Res, UseGuards } from '@nestjs/common';
+import { Body, Controller, Get, HttpCode, HttpStatus, Logger, Post, Res } from '@nestjs/common';
 import { ApiBearerAuth, ApiTags } from '@nestjs/swagger';
-import { SkipThrottle, ThrottlerGuard } from '@nestjs/throttler';
 import { Response } from 'express';
 import { ActiveUser } from "../decorators/active-user.decorator";
 import { Public } from '../decorators/public.decorator';
@@ -17,15 +16,15 @@ import { AuthenticationService } from '../services/authentication.service';
 // @Auth(AuthType.None)
 @Controller('iam')
 @ApiTags("Iam")
-@UseGuards(ThrottlerGuard)
-@SkipThrottle({login: true, short: true, burst: true, sustained: true}) // disable all sets by default for this controller
+// @UseGuards(ThrottlerGuard)
+// @SkipThrottle({login: true, short: true, burst: true, sustained: true}) // disable all sets by default for this controller
 export class AuthenticationController {
     private readonly logger = new Logger(AuthenticationController.name);
 
     constructor(private readonly authService: AuthenticationService) { }
 
     @Public()
-    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
+    // @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @Post('register')
     signUp(@Body() signUpDto: SignUpDto) {
         return this.authService.signUp(signUpDto);
@@ -38,8 +37,7 @@ export class AuthenticationController {
     }
 
     @Public()
-    // @UseGuards(LocalAuthGuard)
-    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
+    // @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @HttpCode(HttpStatus.OK) // by default @Post does 201, we wanted 200 - hence using @HttpCode(HttpStatus.OK)
     @Post('authenticate')
     async signIn(
@@ -62,7 +60,7 @@ export class AuthenticationController {
     }
 
     @Public()
-    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
+    // @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @HttpCode(HttpStatus.OK) // changed since the default is 201
     @Post('refresh-tokens')
     refreshTokens(@Body() refreshTokenDto: RefreshTokenDto) {
@@ -70,14 +68,14 @@ export class AuthenticationController {
     }
 
     @Public()
-    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
+    // @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @Post('initiate/forgot-password')
     initiateForgotPassword(@Body() initiateForgotPasswordDto: InitiateForgotPasswordDto) {
         return this.authService.initiateForgotPassword(initiateForgotPasswordDto);
     }
 
     @Public()
-    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
+    // @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @Post('confirm/forgot-password')
     confirmForgotPassword(@Body() confirmForgotPasswordDto: ConfirmForgotPasswordDto) {
         return this.authService.confirmForgotPassword(confirmForgotPasswordDto);

package/src/controllers/email-template.controller.ts

@@ -1,25 +1,22 @@
-import { Body, Controller, Delete, Get, Header, Param, Patch, Post, Put, Query, UploadedFiles, UseGuards, UseInterceptors } from '@nestjs/common';
-import { ApiBearerAuth, ApiQuery, ApiTags } from '@nestjs/swagger';
-import { PaginationQueryDto } from 'src/dtos/pagination-query.dto';
-import { Roles } from 'src/decorators/roles.decorator';
-import { EmailTemplateService } from '../services/email-template.service';
+import { Body, Controller, Delete, Get, Header, Param, Post, Put, Query, UploadedFiles, UseInterceptors } from '@nestjs/common';
+import { AnyFilesInterceptor } from '@nestjs/platform-express';
+import { ApiQuery, ApiTags } from '@nestjs/swagger';
+import { Public } from 'src/decorators/public.decorator';
 import { CreateEmailTemplateDto } from '../dtos/create-email-template.dto';
 import { UpdateEmailTemplateDto } from '../dtos/update-email-template.dto';
-import { Public } from 'src/decorators/public.decorator';
+import { EmailTemplateService } from '../services/email-template.service';
 
 
 
 // TODO: esInterop not working somehow, defaulted to using the require syntax to import Mailgen. Figure a better way to do this. 
 // import { Mailgen } from 'mailgen';
 import Mailgen = require('mailgen');
-import { AnyFilesInterceptor } from '@nestjs/platform-express';
-import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
 
 
 @Controller('email-template')
 @ApiTags("Common")
-@UseGuards(ThrottlerGuard)
-@SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only 
+// @UseGuards(ThrottlerGuard)
+// @SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only 
 export class EmailTemplateController {
   constructor(private readonly service: EmailTemplateService) { }
 

package/src/controllers/google-authentication.controller.ts

@@ -1,24 +1,23 @@
 import { Controller, Get, Inject, InternalServerErrorException, Query, Req, Res, UseGuards } from '@nestjs/common';
-import { AuthenticationService } from '../services/authentication.service';
+import { ConfigType } from '@nestjs/config';
+import { ApiQuery, ApiTags } from '@nestjs/swagger';
+import { Request, Response } from 'express';
+import { isGoogleOAuthConfigured } from 'src/helpers/google-oauth.helper';
+import { iamConfig } from '../config/iam.config';
 import { Auth } from '../decorators/auth.decorator';
+import { Public } from '../decorators/public.decorator';
 import { AuthType } from '../enums/auth-type.enum';
-import { ApiQuery, ApiTags } from '@nestjs/swagger';
 import { GoogleOauthGuard } from '../passport-strategies/google-oauth.strategy';
-import { Request, Response } from 'express';
-import { ConfigType } from '@nestjs/config';
+import { AuthenticationService } from '../services/authentication.service';
 import { UserService } from '../services/user.service';
-import { Public } from '../decorators/public.decorator';
-import { iamConfig } from '../config/iam.config';
-import { isGoogleOAuthConfigured } from 'src/helpers/google-oauth.helper';
-import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
 
 
 
 @Auth(AuthType.None)
 @Controller('iam/google')
 @ApiTags("Iam")
-@UseGuards(ThrottlerGuard)
-@SkipThrottle({ login: false, short: false, burst: true, sustained: true }) //Enable the login throttle only 
+// @UseGuards(ThrottlerGuard)
+// @SkipThrottle({ login: false, short: false, burst: true, sustained: true }) //Enable the login throttle only 
 export class GoogleAuthenticationController {
     constructor(
         @Inject(iamConfig.KEY) private iamConfiguration: ConfigType<typeof iamConfig>,

package/src/controllers/media.controller.ts

@@ -1,11 +1,10 @@
-import { Controller, Post, Body, Param, UploadedFiles, UseInterceptors, Put, Get, Query, Delete, Patch, UseGuards } from '@nestjs/common';
+import { Body, Controller, Delete, Get, Param, Patch, Post, Put, Query, UploadedFiles, UseInterceptors } from '@nestjs/common';
 import { AnyFilesInterceptor } from "@nestjs/platform-express";
 import { ApiBearerAuth, ApiQuery, ApiTags } from '@nestjs/swagger';
 import { Public } from 'src/decorators/public.decorator';
-import { MediaService } from 'src/services/media.service';
 import { CreateMediaDto } from 'src/dtos/create-media.dto';
 import { UpdateMediaDto } from 'src/dtos/update-media.dto';
-import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
+import { MediaService } from 'src/services/media.service';
 
 enum ShowSoftDeleted {
   INCLUSIVE = "inclusive",
@@ -14,8 +13,8 @@ enum ShowSoftDeleted {
 
 @ApiTags('Solid Core')
 @Controller('media')
-@UseGuards(ThrottlerGuard)
-@SkipThrottle({ short: true, login: true, burst: true, sustained: true }) //Skip all
+// @UseGuards(ThrottlerGuard)
+// @SkipThrottle({ short: true, login: true, burst: true, sustained: true }) //Skip all
 export class MediaController {
   constructor(private readonly service: MediaService) {}
 
@@ -49,7 +48,7 @@ export class MediaController {
   }
 
   @Public()
-  @SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only
+  // @SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only
   @ApiBearerAuth("jwt")
   @Post('/upload')
   @UseInterceptors(AnyFilesInterceptor())

package/src/controllers/model-metadata.controller.ts

@@ -1,16 +1,15 @@
-import { Body, Controller, Delete, Get, Logger, Param, ParseIntPipe, Post, Put, Query, UseGuards } from '@nestjs/common';
+import { Body, Controller, Delete, Get, Logger, Param, ParseIntPipe, Post, Put, Query } from '@nestjs/common';
 import { ApiBearerAuth, ApiQuery, ApiTags } from '@nestjs/swagger';
 import { Public } from 'src/decorators/public.decorator';
 import { BasicFilterDto } from '../dtos/basic-filters.dto';
 import { CreateModelMetadataDto } from '../dtos/create-model-metadata.dto';
 import { UpdateModelMetaDataDto } from '../dtos/update-model-metadata.dto';
 import { ModelMetadataService } from '../services/model-metadata.service';
-import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
 
 @Controller('model-metadata')
 @ApiTags("App Builder")
-@UseGuards(ThrottlerGuard)
-@SkipThrottle({ short: true, login: true, burst: true, sustained: true }) //Skip all
+// @UseGuards(ThrottlerGuard)
+// @SkipThrottle({ short: true, login: true, burst: true, sustained: true }) //Skip all
 export class ModelMetadataController {
     private logger = new Logger('ModelMetadataController');
 
@@ -35,7 +34,7 @@ export class ModelMetadataController {
     }
 
     @Public()
-    @SkipThrottle({ burst: false, short: true, login: true, sustained: true }) //Enable burst only
+    // @SkipThrottle({ burst: false, short: true, login: true, sustained: true }) //Enable burst only
     @Get('public')
     async findManyPublic() {
         const basicFilterDto: BasicFilterDto = {
@@ -65,7 +64,7 @@ export class ModelMetadataController {
     }
 
     @Public()
-    @SkipThrottle({ short: false, burst: true, login: true, sustained: true }) //Enable short only
+    // @SkipThrottle({ short: false, burst: true, login: true, sustained: true }) //Enable short only
     @Post('/update-user-key')
     updateUserKey(@Body() data: any) {
         return this.modelMetadataService.updateUserKey(data);

package/src/controllers/otp-authentication.controller.ts

@@ -14,8 +14,8 @@ import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
 @Auth(AuthType.None)
 @Controller('iam/otp')
 @ApiTags("Iam")
-@UseGuards(ThrottlerGuard)
-@SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
+// @UseGuards(ThrottlerGuard)
+// @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
 export class OTPAuthenticationController {
     constructor(private readonly authService: AuthenticationService) { }
 

package/src/controllers/service.controller.ts

@@ -1,19 +1,18 @@
-import { Body, Controller, Get, Logger, Post, UseGuards } from '@nestjs/common';
-import { Public } from 'src/decorators/public.decorator';
-import { SolidRegistry } from '../helpers/solid-registry';
+import { Body, Controller, Get, Logger, Post } from '@nestjs/common';
 import { ApiBearerAuth, ApiTags } from '@nestjs/swagger';
-import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
-import { ActiveUserData } from 'src/interfaces/active-user-data.interface';
 import { ActiveUser } from 'src/decorators/active-user.decorator';
+import { Public } from 'src/decorators/public.decorator';
+import { ErrorMapperService } from 'src/helpers/error-mapper.service';
+import { ActiveUserData } from 'src/interfaces/active-user-data.interface';
 import { AiInteractionService } from 'src/services/ai-interaction.service';
 import { MqMessageService } from 'src/services/mq-message.service';
-import { ErrorMapperService } from 'src/helpers/error-mapper.service';
+import { SolidRegistry } from '../helpers/solid-registry';
 
 
 @Controller('')
 @ApiTags("Common")
-@UseGuards(ThrottlerGuard)
-@SkipThrottle({ short: true, login: true, burst: true, sustained: true }) // Skip all
+// @UseGuards(ThrottlerGuard)
+// @SkipThrottle({ short: true, login: true, burst: true, sustained: true }) // Skip all
 export class ServiceController {
     private readonly logger = new Logger(ServiceController.name);
 
@@ -87,7 +86,7 @@ export class ServiceController {
     }
 
     @Public()
-    @SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only
+    // @SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only
     @Post('seed')
     async seedData(@Body() seedData: any) {
         const seeder = this.solidRegistry

package/src/controllers/sms-template.controller.ts

@@ -1,7 +1,6 @@
-import { Body, Controller, Delete, Get, Param, Post, Put, Query, UploadedFiles, UseGuards, UseInterceptors } from '@nestjs/common';
+import { Body, Controller, Delete, Get, Param, Post, Put, Query, UploadedFiles, UseInterceptors } from '@nestjs/common';
 import { AnyFilesInterceptor } from '@nestjs/platform-express';
 import { ApiQuery, ApiTags } from '@nestjs/swagger';
-import { SkipThrottle, ThrottlerGuard } from '@nestjs/throttler';
 import { Public } from 'src/decorators/public.decorator';
 import { CreateSmsTemplateDto } from '../dtos/create-sms-template.dto';
 import { UpdateSmsTemplateDto } from '../dtos/update-sms-template.dto';
@@ -10,8 +9,8 @@ import { SmsTemplateService } from '../services/sms-template.service';
 
 @Controller('sms-template')
 @ApiTags("Common")
-@UseGuards(ThrottlerGuard)
-@SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only
+// @UseGuards(ThrottlerGuard)
+// @SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only
 export class SmsTemplateController {
   constructor(private readonly service: SmsTemplateService) { }
 

package/src/entities/user.entity.ts

@@ -102,4 +102,13 @@ export class User extends CommonEntity {
     @OneToMany(() => UserViewMetadata, userViewMetadata => userViewMetadata.user, { cascade: true })
     // don't send to client
     userViewMetadata: UserViewMetadata[];
+    // dont send to client
+    @Column({ type: "varchar", default: "bcrypt" })
+    passwordScheme: string;
+    // dont send to client
+    @Column({ type: "int", default: 1 })
+    passwordSchemeVersion: number;
+    // dont send to client
+    @Column({ type: "timestamp", nullable: true })
+    rehashedAt: Date;
 }

package/src/filters/http-exception.filter.ts

@@ -33,7 +33,7 @@ export class HttpExceptionFilter implements ExceptionFilter {
         // Canonical code + static message
         const code: ErrorCode = this.errorMapper.mapException(exception);
         const defaultStatus = this.errorMapper.getHttpStatus(code);
-        const message = code === 'unknown-error' ? `${exception?.message}` : this.errorMapper.getMessage(code);
+        const message = code === 'solidx-unknown-error' ? `${exception?.message}` : this.errorMapper.getMessage(code);
 
         const status = explicitStatus ?? defaultStatus ?? 500;
 

package/src/helpers/error-mapper.service.ts

@@ -1,40 +1,6 @@
 import { Injectable, Logger } from '@nestjs/common';
 import { SolidRegistry } from 'src/helpers/solid-registry';
 import { ErrorCode, ErrorMeta, ErrorRule, IErrorCodeProvider } from 'src/interfaces';
-
-// export const ERROR_CODES = [
-//     'db-duplicate-key',
-//     'db-foreign-key-error',
-//     'solidx-mcp-server-unavailable',
-//     'unknown-error',
-// ] as const;
-
-// export type ErrorCode = typeof ERROR_CODES[number];
-
-// type ErrorMeta = {
-//     message: string;
-//     httpStatus?: number;
-// };
-
-// const ERROR_MESSAGES: Record<ErrorCode, ErrorMeta> = {
-//     'db-duplicate-key': {
-//         message: 'Duplicate key violation. A record with these values already exists.',
-//         httpStatus: 409,
-//     },
-//     'db-foreign-key-error': {
-//         message: 'Foreign key constraint prevents this operation due to related records.',
-//         httpStatus: 409,
-//     },
-//     'solidx-mcp-server-unavailable': {
-//         message: 'SolidX MCP server is unreachable. Please verify the MCP endpoint.',
-//         httpStatus: 503,
-//     },
-//     'unknown-error': {
-//         message: 'An unexpected error occurred.',
-//         httpStatus: 500,
-//     },
-// };
-
 @Injectable()
 export class ErrorMapperService {
     private readonly logger = new Logger(ErrorMapperService.name);
@@ -76,7 +42,7 @@ export class ErrorMapperService {
                 this.logger.warn(`Error rule threw in match(): code=${rule.code} provider? — ${e}`);
             }
         }
-        return 'unknown-error';
+        return 'solidx-unknown-error';
     }
 
     private lookupMeta(code: ErrorCode): ErrorMeta | undefined {

package/src/helpers/field-crud-managers/PasswordFieldCrudManager.ts

@@ -10,11 +10,10 @@ export interface PasswordFieldOptions {
     regexPattern: string | undefined | null;
     fieldName: string | undefined | null;
     isUpdate: Boolean;
+    hashingService: HashingService | undefined | null;
 }
 
 export class PasswordFieldCrudManager implements FieldCrudManager {
-    private hashingService: HashingService = new BcryptService(); //FIXME: The bcrypt service injected here probably can be optimized to be a singleton
-
     constructor(private readonly options: PasswordFieldOptions) {
     }
 
@@ -47,7 +46,9 @@ export class PasswordFieldCrudManager implements FieldCrudManager {
 
     async transformForCreate(dto: any): Promise<any> {
         if(dto[this.options.fieldName]){
-            dto[this.options.fieldName] = await this.hashingService.hash(dto[this.options.fieldName]);
+            dto[this.options.fieldName] = await this.options.hashingService.hash(dto[this.options.fieldName]);
+            dto['passwordScheme'] = this.options.hashingService.name(); //Don't want to expose this in dto  // e.g., 'bcrypt'
+            dto['passwordHashVersion'] = this.options.hashingService.currentVersion(); //Don't want to expose this in dto // e.g., 1, 2, ...
         }
         return dto;
     }

package/src/helpers/model-metadata-helper.service.ts

@@ -122,7 +122,7 @@ export class ModelMetadataHelperService {
                 }
             }
         });
-        const fields = [];
+        const fields: any[] = [];
         if (model) {
             // Add the fields of the current model
             fields.push(...model.fields);

package/src/passport-strategies/local.strategy.ts

@@ -15,7 +15,7 @@ export class LocalStrategy extends PassportStrategy(Strategy) {
     }
 
     async validate(username: string, password: string): Promise<any> {
-        const user = await this.authService.validateUser({ username, password, email: null });
+        const user = await this.authService.validateUserAndRehashPasswordIfRequired({ username, password, email: null });
         if (!user) {
             throw new UnauthorizedException();
         }

package/src/seeders/seed-data/solid-core-metadata.json

@@ -2115,6 +2115,49 @@
             "relationCreateInverse": true,
             "relationModelModuleName": "solid-core",
             "isSystem": true
+          },
+          {
+            "name": "passwordScheme",
+            "displayName": "Password Scheme",
+            "type": "selectionStatic",
+            "ormType": "varchar",
+            "length": 256,
+            "required": true,
+            "index": false,
+            "isSystem": true,
+            "columnName": "password_scheme",
+            "defaultValue": "bcrypt",
+            "selectionValueType": "string",
+            "selectionStaticValues": [
+              "bcrypt:bcrypt"
+            ]
+          },
+          {
+            "name": "passwordSchemeVersion",
+            "displayName": "Password Scheme Version",
+            "type": "int",
+            "ormType": "integer",
+            "length": 512,
+            "required": true,
+            "defaultValue": 1,
+            "unique": false,
+            "index": false,
+            "private": false,
+            "encrypt": false,
+            "isSystem": true
+          },
+          {
+            "name": "rehashedAt",
+            "displayName": "Password Rehashed At",
+            "type": "datetime",
+            "ormType": "timestamp",
+            "length": 512,
+            "required": false,
+            "unique": false,
+            "index": false,
+            "private": false,
+            "encrypt": false,
+            "isSystem": true
           }
         ]
       },

package/src/services/authentication.service.ts

@@ -112,6 +112,20 @@ export class AuthenticationService {
         });
     }
 
+    async updatePasswordDetails(user: User, newPassword: string) {
+        user.password = await this.hashingService.hash(newPassword);
+        user.passwordScheme = this.hashingService.name();
+        user.passwordSchemeVersion = this.hashingService.currentVersion();
+        user.rehashedAt = new Date();
+        await this.userRepository.update(user.id, {
+            password: user.password,
+            passwordScheme: user.passwordScheme,
+            passwordSchemeVersion: user.passwordSchemeVersion,
+            rehashedAt: user.rehashedAt
+        });
+        return user;
+    }
+
     async resolveUserByVerificationToken(token: string) {
         return await this.userRepository.findOne({
             where: { verificationTokenOnForgotPassword: token },
@@ -119,7 +133,7 @@ export class AuthenticationService {
         });
     }
 
-    async validateUser(signInDto: SignInDto) {
+    async validateUserAndRehashPasswordIfRequired(signInDto: SignInDto) {
 
         const user = await this.resolveUser(signInDto.username, signInDto.email);
 
@@ -132,11 +146,19 @@ export class AuthenticationService {
         const isEqual = await this.hashingService.compare(
             signInDto.password,
             user.password,
+            user.passwordSchemeVersion
         );
         if (!isEqual) {
             throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
 
+        // If we reach here means that the user has been validated successfully.
+        // Now we check if the password needs to be rehashed based on the current hashing scheme and version.
+        if (this.hashingService.needsRehash(user.password, user.passwordSchemeVersion)) {
+            const rehashedUser = await this.updatePasswordDetails(user, signInDto.password);
+            return rehashedUser;
+        }
+
         return user;
     }
 
@@ -241,6 +263,8 @@ export class AuthenticationService {
         }
 
         user.password = pwd;
+        user.passwordScheme = this.hashingService.name(); // e.g. bcrypt
+        user.passwordSchemeVersion = this.hashingService.currentVersion(); // e.g. 1, 2, 3 ...
         user.active = isUserActive;
         return { user, pwd, autoGeneratedPwd };
     }
@@ -520,7 +544,7 @@ export class AuthenticationService {
     }
 
     async signIn(signInDto: SignInDto) {
-        const user = await this.validateUser(signInDto);
+        const user = await this.validateUserAndRehashPasswordIfRequired(signInDto);
 
         // TODO: Unset the password etc...
         const tokens = await this.generateTokens(user);
@@ -720,6 +744,7 @@ export class AuthenticationService {
         const isEqual = await this.hashingService.compare(
             changePasswordDto.currentPassword,
             user.password,
+            user.passwordSchemeVersion
         );
         if (!isEqual) {
             throw new UnauthorizedException(ERROR_MESSAGES.INCORRECT_CURRENT_PASSWORD);
@@ -728,6 +753,8 @@ export class AuthenticationService {
         // Update Password
         const newPwd = await this.hashingService.hash(changePasswordDto.newPassword);
         user.password = changePasswordDto.newPassword;
+        user.passwordScheme = this.hashingService.name(); // e.g. bcrypt
+        user.passwordSchemeVersion = this.hashingService.currentVersion(); // e.g. 1, 2, 3 ...
 
         // Everytime the user changes the password we reset the forcePasswordChange flag back to false. 
         user.forcePasswordChange = false;
@@ -872,9 +899,11 @@ export class AuthenticationService {
 
             // 2) Now update the password & history (still inside the same transaction)
             const pwdHash = await this.hashingService.hash(confirmForgotPasswordDto.password);
+            const pwdScheme = this.hashingService.name(); // e.g. bcrypt
+            const pwdSchemeVersion = this.hashingService.currentVersion(); // e.g. 1, 2, 3 ...
 
             // Check reuse with your existing method (ensure it looks at hashes).
-            await m.getRepository(User).update({ id: user.id }, { password: pwdHash });
+            await m.getRepository(User).update({ id: user.id }, { password: pwdHash, passwordScheme: pwdScheme, passwordSchemeVersion: pwdSchemeVersion});
             this.notifyUserOnPasswordChanged(user);
 
             return {

package/src/services/bcrypt.service.ts

@@ -1,15 +1,53 @@
-import { Injectable } from '@nestjs/common';
+import { Inject, Injectable } from '@nestjs/common';
+import { ConfigType } from '@nestjs/config';
+import { compare as bcryptCompare, genSalt, hash as bcryptHash } from 'bcrypt';
+import { iamConfig } from 'src/config/iam.config';
 import { HashingService } from './hashing.service';
-import { genSalt, hash, compare } from 'bcrypt';
 
 @Injectable()
 export class BcryptService implements HashingService {
+    constructor(
+        @Inject(iamConfig.KEY)
+        private readonly iamConfiguration: ConfigType<typeof iamConfig>,
+    ) { }
+
+    private readonly rounds = 12;
+    private readonly pepper = this.iamConfiguration.passwordPepper ?? '';
+
     async hash(data: string | Buffer): Promise<string> {
-        const salt = await genSalt();
-        return hash(data, salt);
+        const salt = await genSalt(this.rounds);
+        const normalized = this.normalize(data, this.currentVersion());
+        return bcryptHash(normalized, salt);
+    }
+
+    async compare(
+        data: string | Buffer,
+        hashed: string,
+        hashVersion: number = this.currentVersion()
+    ): Promise<boolean> {
+        const normalized = this.normalize(data, hashVersion);
+        return bcryptCompare(normalized, hashed);
+    }
+
+    needsRehash(_hashed: string, hashVersion: number = this.currentVersion()): boolean {
+        return hashVersion < this.currentVersion();
     }
 
-    compare(data: string | Buffer, encrypted: string): Promise<boolean> {
-        return compare(data, encrypted);
+    /** Current hashing policy version (bump when you change rounds/pepper rules) */
+    currentVersion(): number {
+        return 2;
     }
-}
+
+    /** Name of the hashing scheme */
+    name(): string {
+        return 'bcrypt';
+    }
+
+    /** Normalize input based on version & pepper policy */
+    private normalize(data: string | Buffer, version: number): string {
+        const plain = typeof data === 'string' ? data : data.toString('utf8');
+        const usePepper = version >= 2 && this.pepper.length > 0;
+        return usePepper ? plain + this.pepper : plain;
+    }
+
+}

package/src/services/crud.service.ts

@@ -38,6 +38,7 @@ import { isArray } from "class-validator";
 import { ERROR_MESSAGES } from "src/constants/error-messages";
 import { SUCCESS_MESSAGES } from "src/constants/success-messages";
 import { RequestContextService } from "./request-context.service";
+import { HashingService } from "./hashing.service";
 
 export class CRUDService<T> { // Add two generic value i.e Person,CreatePersonDto, so we get the proper types in our service
 
@@ -307,7 +308,7 @@ export class CRUDService<T> { // Add two generic value i.e Person,CreatePersonDt
                 return new DateFieldCrudManager(options);
             }
             case SolidFieldType.password: {
-                const options = { ...commonOptions, min: fieldMetadata.min, max: fieldMetadata.max, regexPattern: fieldMetadata.regexPattern };
+                const options = { ...commonOptions, min: fieldMetadata.min, max: fieldMetadata.max, regexPattern: fieldMetadata.regexPattern, hashingService: this.moduleRef.get(HashingService, { strict: false }) };
                 return new PasswordFieldCrudManager(options);
             }
             case SolidFieldType.mediaSingle: