@spinajs/rbac-http 2.0.26 → 2.0.38

package/lib/2fa/SpeakEasy2FaToken.d.ts

@@ -0,0 +1,13 @@
+import { TwoFactorAuthProvider } from '../interfaces';
+import { User } from '@spinajs/rbac';
+import { Log } from '@spinajs/log';
+export declare class SpeakEasy2FaToken extends TwoFactorAuthProvider {
+    protected Config: any;
+    protected Log: Log;
+    constructor();
+    execute(_: User): Promise<void>;
+    verifyToken(token: string, user: User): Promise<boolean>;
+    initialize(user: User): Promise<any>;
+    isEnabled(user: User): Promise<boolean>;
+    isInitialized(user: User): Promise<boolean>;
+}

package/lib/2fa/SpeakEasy2FaToken.js

@@ -0,0 +1,92 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SpeakEasy2FaToken = void 0;
+const di_1 = require("@spinajs/di");
+const interfaces_1 = require("../interfaces");
+const speakeasy = __importStar(require("speakeasy"));
+const rbac_1 = require("@spinajs/rbac");
+const configuration_1 = require("@spinajs/configuration");
+const log_1 = require("@spinajs/log");
+let SpeakEasy2FaToken = class SpeakEasy2FaToken extends interfaces_1.TwoFactorAuthProvider {
+    constructor() {
+        super();
+    }
+    execute(_) {
+        // empty, speakasy works offline eg. google authenticator
+        // we dont send any email or sms
+        return Promise.resolve();
+    }
+    async verifyToken(token, user) {
+        const meta = user.Metadata.find((x) => x.Key === '2fa_speakeasy_token');
+        if (!meta || meta.Value === '') {
+            this.Log.trace(`Cannot verify 2fa token, no 2fa token for user ${user.Id}`);
+            return false;
+        }
+        const verified = speakeasy.totp.verify({
+            secret: meta.Value,
+            encoding: 'base32',
+            token,
+            window: 5,
+        });
+        return verified;
+    }
+    async initialize(user) {
+        const secret = speakeasy.generateSecret(this.Config);
+        await user.Metadata.add(new rbac_1.UserMetadata({ Value: secret.base32, Key: '2fa_speakeasy_token' }));
+        return secret.base32;
+    }
+    async isEnabled(user) {
+        const meta = user.Metadata.find((x) => x.Key === '2fa_enabled');
+        return meta ? meta.asBoolean() : false;
+    }
+    async isInitialized(user) {
+        const meta = user.Metadata.find((x) => x.Key === '2fa_speakeasy_token');
+        return meta ? meta.Value !== '' : false;
+    }
+};
+__decorate([
+    (0, configuration_1.Config)('rbac.speakeasy'),
+    __metadata("design:type", Object)
+], SpeakEasy2FaToken.prototype, "Config", void 0);
+__decorate([
+    (0, log_1.Logger)('SPEAKEASY_2FA_TOKEN'),
+    __metadata("design:type", log_1.Log)
+], SpeakEasy2FaToken.prototype, "Log", void 0);
+SpeakEasy2FaToken = __decorate([
+    (0, di_1.Injectable)(interfaces_1.TwoFactorAuthProvider),
+    __metadata("design:paramtypes", [])
+], SpeakEasy2FaToken);
+exports.SpeakEasy2FaToken = SpeakEasy2FaToken;
+//# sourceMappingURL=SpeakEasy2FaToken.js.map

package/lib/2fa/SpeakEasy2FaToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SpeakEasy2FaToken.js","sourceRoot":"","sources":["../../src/2fa/SpeakEasy2FaToken.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oCAAyC;AACzC,8CAAsD;AACtD,qDAAuC;AACvC,wCAAmD;AACnD,0DAAgD;AAChD,sCAA2C;AAG3C,IAAa,iBAAiB,GAA9B,MAAa,iBAAkB,SAAQ,kCAAqB;IAO1D;QACE,KAAK,EAAE,CAAC;IACV,CAAC;IAEM,OAAO,CAAC,CAAO;QACpB,yDAAyD;QACzD,gCAAgC;QAChC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IACM,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,IAAU;QAChD,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,qBAAqB,CAAC,CAAC;QAExE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,KAAK,EAAE,EAAE;YAC9B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,kDAAkD,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;YAE5E,OAAO,KAAK,CAAC;SACd;QAED,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;YACrC,MAAM,EAAE,IAAI,CAAC,KAAK;YAClB,QAAQ,EAAE,QAAQ;YAClB,KAAK;YACL,MAAM,EAAE,CAAC;SACV,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IACM,KAAK,CAAC,UAAU,CAAC,IAAU;QAChC,MAAM,MAAM,GAAG,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrD,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,mBAAY,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC,CAAC;QAChG,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IACM,KAAK,CAAC,SAAS,CAAC,IAAU;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,aAAa,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;IACzC,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,IAAU;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,qBAAqB,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;IAC1C,CAAC;CACF,CAAA;AA9CC;IADC,IAAA,sBAAM,EAAC,gBAAgB,CAAC;;iDACH;AAGtB;IADC,IAAA,YAAM,EAAC,qBAAqB,CAAC;8BACf,SAAG;8CAAC;AALR,iBAAiB;IAD7B,IAAA,eAAU,EAAC,kCAAqB,CAAC;;GACrB,iBAAiB,CAgD7B;AAhDY,8CAAiB"}

package/lib/config/rbac-http.js

@@ -12,6 +12,17 @@ module.exports = {
             views: [dir('./../views')],
         },
     },
+    rbac: {
+        twoFactorAuth: {
+            enabled: true,
+            service: 'google-auth-2fa',
+        },
+        fingerprint: {
+            enabled: true,
+            maxDevices: 3,
+            service: 'fingerprintjs',
+        },
+    },
     http: {
         middlewares: [
         // add global user from session middleware

package/lib/config/rbac-http.js.map

@@ -1 +1 @@
-{"version":3,"file":"rbac-http.js","sourceRoot":"","sources":["../../src/config/rbac-http.ts"],"names":[],"mappings":";;AAAA,+BAAgD;AAEhD,SAAS,GAAG,CAAC,IAAY;IACvB,OAAO,IAAA,cAAO,EAAC,IAAA,gBAAS,EAAC,IAAA,WAAI,EAAC,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;AACnD,CAAC;AACD,MAAM,CAAC,OAAO,GAAG;IACf,MAAM,EAAE;QACN,IAAI,EAAE;YACJ,WAAW,EAAE,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACtC,OAAO,EAAE,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC9B,KAAK,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;SAC3B;KACF;IACD,IAAI,EAAE;QACJ,WAAW,EAAE;QACX,0CAA0C;SAC3C;KACF;CACF,CAAC"}
+{"version":3,"file":"rbac-http.js","sourceRoot":"","sources":["../../src/config/rbac-http.ts"],"names":[],"mappings":";;AAAA,+BAAgD;AAEhD,SAAS,GAAG,CAAC,IAAY;IACvB,OAAO,IAAA,cAAO,EAAC,IAAA,gBAAS,EAAC,IAAA,WAAI,EAAC,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;AACnD,CAAC;AACD,MAAM,CAAC,OAAO,GAAG;IACf,MAAM,EAAE;QACN,IAAI,EAAE;YACJ,WAAW,EAAE,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACtC,OAAO,EAAE,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC9B,KAAK,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;SAC3B;KACF;IACD,IAAI,EAAE;QACJ,aAAa,EAAE;YACb,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,iBAAiB;SAC3B;QACD,WAAW,EAAE;YACX,OAAO,EAAE,IAAI;YACb,UAAU,EAAE,CAAC;YACb,OAAO,EAAE,eAAe;SACzB;KACF;IACD,IAAI,EAAE;QACJ,WAAW,EAAE;QACX,0CAA0C;SAC3C;KACF;CACF,CAAC"}

package/lib/controllers/LoginController.d.ts

@@ -1,12 +1,18 @@
-import { LoginDto } from './../dto/login-dto';
+import { UserLoginDto } from '../dto/userLogin-dto';
 import { BaseController, Ok, CookieResponse, Unauthorized, NotAllowed } from '@spinajs/http';
 import { AuthProvider, SessionProvider, User as UserModel } from '@spinajs/rbac';
 import { Configuration } from '@spinajs/configuration';
+import { FingerpringConfig, FingerprintProvider, TwoFactorAuthConfig, TwoFactorAuthProvider } from '../interfaces';
 export declare class LoginController extends BaseController {
     protected Configuration: Configuration;
     protected AuthProvider: AuthProvider;
     protected SessionProvider: SessionProvider;
     protected SessionExpirationTime: number;
-    login(credentials: LoginDto, logged: UserModel): Promise<Unauthorized | CookieResponse | NotAllowed>;
+    protected TwoFactorConfig: TwoFactorAuthConfig;
+    protected FingerPrintConfig: FingerpringConfig;
+    protected TwoFactorAuthProvider: TwoFactorAuthProvider;
+    protected FingerprintPrivider: FingerprintProvider;
+    resolveAsync(): Promise<void>;
+    login(credentials: UserLoginDto, logged: UserModel): Promise<Unauthorized | CookieResponse | NotAllowed>;
     logout(ssid: string): Promise<Ok | CookieResponse>;
 }

package/lib/controllers/LoginController.js

@@ -16,7 +16,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.LoginController = void 0;
-const login_dto_1 = require("./../dto/login-dto");
+const userLogin_dto_1 = require("../dto/userLogin-dto");
 const http_1 = require("@spinajs/http");
 const rbac_1 = require("@spinajs/rbac");
 const di_1 = require("@spinajs/di");
@@ -24,6 +24,20 @@ const configuration_1 = require("@spinajs/configuration");
 const decorators_1 = require("./../decorators");
 const lodash_1 = __importDefault(require("lodash"));
 let LoginController = class LoginController extends http_1.BaseController {
+    async resolveAsync() {
+        if (this.TwoFactorConfig.enabled) {
+            if (!di_1.DI.check(this.TwoFactorConfig.service)) {
+                throw new di_1.ServiceNotFound(`2FA provider ${this.TwoFactorConfig.service} not registered in DI container`);
+            }
+            this.TwoFactorAuthProvider = di_1.DI.resolve(this.TwoFactorConfig.service);
+        }
+        if (this.FingerPrintConfig.enabled) {
+            if (!di_1.DI.check(this.FingerPrintConfig.service)) {
+                throw new di_1.ServiceNotFound(`Fingerprint provider ${this.FingerPrintConfig.service} not registered in DI container`);
+            }
+            this.FingerprintPrivider = di_1.DI.resolve(this.FingerPrintConfig.service);
+        }
+    }
     async login(credentials, logged) {
         if (logged) {
             return new http_1.NotAllowed('User already logged in. Please logout before trying to authorize.');
@@ -38,11 +52,47 @@ let LoginController = class LoginController extends http_1.BaseController {
         }
         await user.Metadata.populate();
         const session = new rbac_1.Session();
-        const sData = user.dehydrate();
-        session.Data.set('User', sData);
+        const dUser = user.dehydrate();
+        session.Data.set('User', dUser);
+        // we found user but we still dont know if is authorized
+        // eg. 2fa auth is not performed
+        // create session, but user is not yet authorized
+        session.Data.set('Authorized', false);
+        await this.SessionProvider.save(session);
+        if (this.TwoFactorConfig.enabled) {
+            const enabledForUser = await this.TwoFactorAuthProvider.isEnabled(user);
+            /**
+             * if 2fa is enabled for user, proceed
+             */
+            if (enabledForUser) {
+                /**
+                 * check if 2fa system is initialized for user eg. private key is generated.
+                 */
+                const isInitialized = await this.TwoFactorAuthProvider.isInitialized(user);
+                if (!isInitialized) {
+                    const twoFaResult = await this.TwoFactorAuthProvider.initialize(user);
+                    return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, {
+                        toFactorAuth: true,
+                        initialize: true,
+                        method: this.TwoFactorConfig.service,
+                        data: twoFaResult,
+                    }, { httpOnly: true });
+                }
+                // give chance to execute 2fa eg. send sms or email
+                await this.TwoFactorAuthProvider.execute(user);
+                // return session to identify user
+                // and only info that twoFactor auth is requested
+                return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, {
+                    toFactorAuth: true,
+                }, { httpOnly: true });
+            }
+        }
+        // 2fa is not enabled, so we found user, it means it is logged
+        session.Data.set('Authorized', true);
         await this.SessionProvider.save(session);
         // BEWARE: httpOnly coockie, only accesible via http method in browser
-        return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, lodash_1.default.omit(sData, ['Id']), { httpOnly: true });
+        // return coockie session id with additional user data
+        return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, lodash_1.default.omit(dUser, ['Id']), { httpOnly: true });
     }
     async logout(ssid) {
         if (!ssid) {
@@ -69,12 +119,20 @@ __decorate([
     (0, configuration_1.Config)('rbac.session.expiration', 120),
     __metadata("design:type", Number)
 ], LoginController.prototype, "SessionExpirationTime", void 0);
+__decorate([
+    (0, configuration_1.Config)('rbac.twoFactorAuth'),
+    __metadata("design:type", Object)
+], LoginController.prototype, "TwoFactorConfig", void 0);
+__decorate([
+    (0, configuration_1.Config)('rbac.fingerprint'),
+    __metadata("design:type", Object)
+], LoginController.prototype, "FingerPrintConfig", void 0);
 __decorate([
     (0, http_1.Post)(),
     __param(0, (0, http_1.Body)()),
     __param(1, (0, decorators_1.User)()),
     __metadata("design:type", Function),
-    __metadata("design:paramtypes", [login_dto_1.LoginDto, rbac_1.User]),
+    __metadata("design:paramtypes", [userLogin_dto_1.UserLoginDto, rbac_1.User]),
     __metadata("design:returntype", Promise)
 ], LoginController.prototype, "login", null);
 __decorate([

package/lib/controllers/LoginController.js.map

@@ -1 +1 @@
-{"version":3,"file":"LoginController.js","sourceRoot":"","sources":["../../src/controllers/LoginController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AAAA,kDAA8C;AAC9C,wCAAgI;AAChI,wCAA0F;AAC1F,oCAAyC;AACzC,0DAA+D;AAC/D,gDAAuC;AACvC,oDAAuB;AAGvB,IAAa,eAAe,GAA5B,MAAa,eAAgB,SAAQ,qBAAc;IAc1C,KAAK,CAAC,KAAK,CAAS,WAAqB,EAAU,MAAiB;QACzE,IAAI,MAAM,EAAE;YACV,OAAO,IAAI,iBAAU,CAAC,mEAAmE,CAAC,CAAC;SAC5F;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;QAE3F,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,mBAAY,CAAC;gBACtB,KAAK,EAAE;oBACL,OAAO,EAAE,6BAA6B;iBACvC;aACF,CAAC,CAAC;SACJ;QAED,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAE/B,MAAM,OAAO,GAAG,IAAI,cAAO,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAE/B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAEhC,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,sEAAsE;QACtE,OAAO,IAAI,qBAAc,CAAC,MAAM,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,qBAAqB,EAAE,IAAI,EAAE,gBAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACpI,CAAC;IAGM,KAAK,CAAC,MAAM,CAAW,IAAY;QACxC,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,SAAE,EAAE,CAAC;SACjB;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAExC,gDAAgD;QAChD,OAAO,IAAI,qBAAc,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACtE,CAAC;CACF,CAAA;AAnDC;IADC,IAAA,eAAU,GAAE;8BACY,6BAAa;sDAAC;AAGvC;IADC,IAAA,eAAU,GAAE;8BACW,mBAAY;qDAAC;AAGrC;IADC,IAAA,eAAU,GAAE;8BACc,sBAAe;wDAAC;AAG3C;IADC,IAAA,sBAAM,EAAC,yBAAyB,EAAE,GAAG,CAAC;;8DACC;AAGxC;IADC,IAAA,WAAI,GAAE;IACa,WAAA,IAAA,WAAI,GAAE,CAAA;IAAyB,WAAA,IAAA,iBAAI,GAAE,CAAA;;qCAAjB,oBAAQ,EAAkB,WAAS;;4CA0B1E;AAGD;IADC,IAAA,UAAG,GAAE;IACe,WAAA,IAAA,aAAM,GAAE,CAAA;;;;6CAS5B;AApDU,eAAe;IAD3B,IAAA,eAAQ,EAAC,WAAW,CAAC;GACT,eAAe,CAqD3B;AArDY,0CAAe"}
+{"version":3,"file":"LoginController.js","sourceRoot":"","sources":["../../src/controllers/LoginController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AAAA,wDAAoD;AACpD,wCAAgI;AAChI,wCAA0F;AAC1F,oCAA8D;AAC9D,0DAA+D;AAC/D,gDAAuC;AACvC,oDAAuB;AAIvB,IAAa,eAAe,GAA5B,MAAa,eAAgB,SAAQ,qBAAc;IAuB1C,KAAK,CAAC,YAAY;QACvB,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE;YAChC,IAAI,CAAC,OAAE,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE;gBAC3C,MAAM,IAAI,oBAAe,CAAC,gBAAgB,IAAI,CAAC,eAAe,CAAC,OAAO,iCAAiC,CAAC,CAAC;aAC1G;YACD,IAAI,CAAC,qBAAqB,GAAG,OAAE,CAAC,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;SACvE;QAED,IAAI,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE;YAClC,IAAI,CAAC,OAAE,CAAC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,EAAE;gBAC7C,MAAM,IAAI,oBAAe,CAAC,wBAAwB,IAAI,CAAC,iBAAiB,CAAC,OAAO,iCAAiC,CAAC,CAAC;aACpH;YACD,IAAI,CAAC,mBAAmB,GAAG,OAAE,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;SACvE;IACH,CAAC;IAGM,KAAK,CAAC,KAAK,CAAS,WAAyB,EAAU,MAAiB;QAC7E,IAAI,MAAM,EAAE;YACV,OAAO,IAAI,iBAAU,CAAC,mEAAmE,CAAC,CAAC;SAC5F;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;QAE3F,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,mBAAY,CAAC;gBACtB,KAAK,EAAE;oBACL,OAAO,EAAE,6BAA6B;iBACvC;aACF,CAAC,CAAC;SACJ;QAED,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAE/B,MAAM,OAAO,GAAG,IAAI,cAAO,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAC/B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAEhC,wDAAwD;QACxD,gCAAgC;QAChC,iDAAiD;QACjD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAEtC,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE;YAChC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAExE;;eAEG;YACH,IAAI,cAAc,EAAE;gBAClB;;mBAEG;gBACH,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;gBAC3E,IAAI,CAAC,aAAa,EAAE;oBAClB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;oBAEtE,OAAO,IAAI,qBAAc,CACvB,MAAM,EACN,OAAO,CAAC,SAAS,EACjB,IAAI,CAAC,qBAAqB,EAC1B,IAAI,EACJ;wBACE,YAAY,EAAE,IAAI;wBAClB,UAAU,EAAE,IAAI;wBAChB,MAAM,EAAE,IAAI,CAAC,eAAe,CAAC,OAAO;wBACpC,IAAI,EAAE,WAAW;qBAClB,EACD,EAAE,QAAQ,EAAE,IAAI,EAAE,CACnB,CAAC;iBACH;gBAED,mDAAmD;gBACnD,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAE/C,kCAAkC;gBAClC,iDAAiD;gBACjD,OAAO,IAAI,qBAAc,CACvB,MAAM,EACN,OAAO,CAAC,SAAS,EACjB,IAAI,CAAC,qBAAqB,EAC1B,IAAI,EACJ;oBACE,YAAY,EAAE,IAAI;iBACnB,EACD,EAAE,QAAQ,EAAE,IAAI,EAAE,CACnB,CAAC;aACH;SACF;QAED,8DAA8D;QAC9D,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QACrC,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,sEAAsE;QACtE,sDAAsD;QACtD,OAAO,IAAI,qBAAc,CAAC,MAAM,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,qBAAqB,EAAE,IAAI,EAAE,gBAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACpI,CAAC;IAGM,KAAK,CAAC,MAAM,CAAW,IAAY;QACxC,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,SAAE,EAAE,CAAC;SACjB;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAExC,gDAAgD;QAChD,OAAO,IAAI,qBAAc,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACtE,CAAC;CACF,CAAA;AArIC;IADC,IAAA,eAAU,GAAE;8BACY,6BAAa;sDAAC;AAGvC;IADC,IAAA,eAAU,GAAE;8BACW,mBAAY;qDAAC;AAGrC;IADC,IAAA,eAAU,GAAE;8BACc,sBAAe;wDAAC;AAG3C;IADC,IAAA,sBAAM,EAAC,yBAAyB,EAAE,GAAG,CAAC;;8DACC;AAGxC;IADC,IAAA,sBAAM,EAAC,oBAAoB,CAAC;;wDACkB;AAG/C;IADC,IAAA,sBAAM,EAAC,kBAAkB,CAAC;;0DACoB;AAuB/C;IADC,IAAA,WAAI,GAAE;IACa,WAAA,IAAA,WAAI,GAAE,CAAA;IAA6B,WAAA,IAAA,iBAAI,GAAE,CAAA;;qCAArB,4BAAY,EAAkB,WAAS;;4CAkF9E;AAGD;IADC,IAAA,UAAG,GAAE;IACe,WAAA,IAAA,aAAM,GAAE,CAAA;;;;6CAS5B;AAtIU,eAAe;IAD3B,IAAA,eAAQ,EAAC,WAAW,CAAC;GACT,eAAe,CAuI3B;AAvIY,0CAAe"}

package/lib/controllers/TwoFactorAuthController.d.ts

@@ -0,0 +1,11 @@
+import { TokenDto } from './../dto/token-dto';
+import { BaseController, Ok, Unauthorized } from '@spinajs/http';
+import { SessionProvider, User as UserModel } from '@spinajs/rbac';
+import { TwoFactorAuthConfig, TwoFactorAuthProvider } from '../interfaces';
+export declare class TwoFactorAuthController extends BaseController {
+    protected TwoFactorConfig: TwoFactorAuthConfig;
+    protected SessionProvider: SessionProvider;
+    protected TwoFactorAuthProvider: TwoFactorAuthProvider;
+    resolveAsync(): Promise<void>;
+    verifyToken(logged: UserModel, token: TokenDto, ssid: string): Promise<Ok | Unauthorized>;
+}

package/lib/controllers/TwoFactorAuthController.js

@@ -0,0 +1,72 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TwoFactorAuthController = void 0;
+const token_dto_1 = require("./../dto/token-dto");
+const http_1 = require("@spinajs/http");
+const rbac_1 = require("@spinajs/rbac");
+const http_2 = require("@spinajs/http");
+const lodash_1 = __importDefault(require("lodash"));
+const decorators_1 = require("../decorators");
+const _2FaPolicy_1 = require("../policies/2FaPolicy");
+const configuration_1 = require("@spinajs/configuration");
+const di_1 = require("@spinajs/di");
+let TwoFactorAuthController = class TwoFactorAuthController extends http_1.BaseController {
+    async resolveAsync() {
+        if (this.TwoFactorConfig.enabled) {
+            if (!di_1.DI.check(this.TwoFactorConfig.service)) {
+                throw new di_1.ServiceNotFound(`2FA provider ${this.TwoFactorConfig.service} not registered in DI container`);
+            }
+            this.TwoFactorAuthProvider = di_1.DI.resolve(this.TwoFactorConfig.service);
+        }
+    }
+    async verifyToken(logged, token, ssid) {
+        const result = await this.TwoFactorAuthProvider.verifyToken(token.Token, logged);
+        if (result) {
+            return new http_1.Unauthorized(`invalid token`);
+        }
+        const session = await this.SessionProvider.restore(ssid);
+        session.Data.set('Authorized', true);
+        session.Data.set('2fa_check', true);
+        await this.SessionProvider.save(session);
+        // return user data
+        return new http_1.Ok(lodash_1.default.omit(logged.dehydrate(), ['Id']));
+    }
+};
+__decorate([
+    (0, configuration_1.Config)('rbac.twoFactorAuth'),
+    __metadata("design:type", Object)
+], TwoFactorAuthController.prototype, "TwoFactorConfig", void 0);
+__decorate([
+    (0, di_1.Autoinject)(),
+    __metadata("design:type", rbac_1.SessionProvider)
+], TwoFactorAuthController.prototype, "SessionProvider", void 0);
+__decorate([
+    (0, http_1.Post)('2fa/verify'),
+    __param(0, (0, decorators_1.User)()),
+    __param(1, (0, http_2.Body)()),
+    __param(2, (0, http_1.Cookie)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [rbac_1.User, token_dto_1.TokenDto, String]),
+    __metadata("design:returntype", Promise)
+], TwoFactorAuthController.prototype, "verifyToken", null);
+TwoFactorAuthController = __decorate([
+    (0, http_1.BasePath)('user/auth'),
+    (0, http_2.Policy)(_2FaPolicy_1.TwoFacRouteEnabled)
+], TwoFactorAuthController);
+exports.TwoFactorAuthController = TwoFactorAuthController;
+//# sourceMappingURL=TwoFactorAuthController.js.map

package/lib/controllers/TwoFactorAuthController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TwoFactorAuthController.js","sourceRoot":"","sources":["../../src/controllers/TwoFactorAuthController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AAAA,kDAA8C;AAC9C,wCAAyF;AACzF,wCAAmE;AACnE,wCAA6C;AAC7C,oDAAuB;AACvB,8CAAqC;AACrC,sDAA2D;AAC3D,0DAAgD;AAEhD,oCAA8D;AAI9D,IAAa,uBAAuB,GAApC,MAAa,uBAAwB,SAAQ,qBAAc;IASlD,KAAK,CAAC,YAAY;QACvB,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE;YAChC,IAAI,CAAC,OAAE,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE;gBAC3C,MAAM,IAAI,oBAAe,CAAC,gBAAgB,IAAI,CAAC,eAAe,CAAC,OAAO,iCAAiC,CAAC,CAAC;aAC1G;YACD,IAAI,CAAC,qBAAqB,GAAG,OAAE,CAAC,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;SACvE;IACH,CAAC;IAGM,KAAK,CAAC,WAAW,CAAS,MAAiB,EAAU,KAAe,EAAY,IAAY;QACjG,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAEjF,IAAI,MAAM,EAAE;YACV,OAAO,IAAI,mBAAY,CAAC,eAAe,CAAC,CAAC;SAC1C;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAEpC,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,mBAAmB;QACnB,OAAO,IAAI,SAAE,CAAC,gBAAC,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpD,CAAC;CACF,CAAA;AAjCC;IADC,IAAA,sBAAM,EAAC,oBAAoB,CAAC;;gEACkB;AAG/C;IADC,IAAA,eAAU,GAAE;8BACc,sBAAe;gEAAC;AAc3C;IADC,IAAA,WAAI,EAAC,YAAY,CAAC;IACO,WAAA,IAAA,iBAAI,GAAE,CAAA;IAAqB,WAAA,IAAA,WAAI,GAAE,CAAA;IAAmB,WAAA,IAAA,aAAM,GAAE,CAAA;;qCAA7C,WAAS,EAAiB,oBAAQ;;0DAe1E;AAlCU,uBAAuB;IAFnC,IAAA,eAAQ,EAAC,WAAW,CAAC;IACrB,IAAA,aAAM,EAAC,+BAAkB,CAAC;GACd,uBAAuB,CAmCnC;AAnCY,0DAAuB"}

package/lib/controllers/UserController.d.ts

@@ -1,4 +1,5 @@
 import { PasswordDto } from '../dto/password-dto';
+import { UserLoginDto } from '../dto/login-dto';
 import { User as UserModel, PasswordProvider, SessionProvider } from '@spinajs/rbac';
 import { BaseController, Ok } from '@spinajs/http';
 export declare class UserController extends BaseController {
@@ -6,5 +7,6 @@ export declare class UserController extends BaseController {
     protected CoockieSecret: string;
     protected SessionProvider: SessionProvider;
     refresh(user: UserModel, ssid: string): Promise<Ok>;
+    restorePassword(_login: UserLoginDto): Promise<void>;
     newPassword(login: string, pwd: PasswordDto): Promise<Ok>;
 }

package/lib/controllers/UserController.js

@@ -40,6 +40,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.UserController = void 0;
 const password_dto_1 = require("../dto/password-dto");
+const login_dto_1 = require("../dto/login-dto");
 const rbac_1 = require("@spinajs/rbac");
 const http_1 = require("@spinajs/http");
 const exceptions_1 = require("@spinajs/exceptions");
@@ -48,10 +49,12 @@ const decorators_1 = require("../decorators");
 const configuration_1 = require("@spinajs/configuration");
 const cs = __importStar(require("cookie-signature"));
 const lodash_1 = __importDefault(require("lodash"));
+const http_2 = require("@spinajs/http");
 let UserController = class UserController extends http_1.BaseController {
     async refresh(user, ssid) {
         // get user data from db
         await user.refresh();
+        await user.Metadata.populate();
         // refresh session data from DB
         const sId = cs.unsign(ssid, this.CoockieSecret);
         if (sId) {
@@ -62,6 +65,7 @@ let UserController = class UserController extends http_1.BaseController {
         }
         return new http_1.Ok(lodash_1.default.omit(user.dehydrate(), ['Id']));
     }
+    async restorePassword(_login) { }
     async newPassword(login, pwd) {
         if (pwd.Password !== pwd.ConfirmPassword) {
             throw new exceptions_1.InvalidArgument('password does not match');
@@ -69,7 +73,7 @@ let UserController = class UserController extends http_1.BaseController {
         const user = await rbac_1.User.where({ Login: login }).firstOrFail();
         const isValid = await this.PasswordProvider.verify(user.Password, pwd.OldPassword);
         if (!isValid) {
-            throw new exceptions_1.Forbidden('Invalid login or password');
+            throw new exceptions_1.Forbidden('old password do not match');
         }
         const hashedPassword = await this.PasswordProvider.hash(pwd.Password);
         user.Password = hashedPassword;
@@ -98,6 +102,13 @@ __decorate([
     __metadata("design:paramtypes", [rbac_1.User, String]),
     __metadata("design:returntype", Promise)
 ], UserController.prototype, "refresh", null);
+__decorate([
+    (0, http_2.Post)('password/restore'),
+    __param(0, (0, http_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [login_dto_1.UserLoginDto]),
+    __metadata("design:returntype", Promise)
+], UserController.prototype, "restorePassword", null);
 __decorate([
     (0, http_1.Patch)('/password/:login'),
     __param(0, (0, http_1.Param)()),

package/lib/controllers/UserController.js.map

@@ -1 +1 @@
-{"version":3,"file":"UserController.js","sourceRoot":"","sources":["../../src/controllers/UserController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,sDAAkD;AAClD,wCAAqF;AACrF,wCAA8F;AAC9F,oDAAiE;AACjE,oCAAyC;AACzC,8CAA2D;AAC3D,0DAAgD;AAChD,qDAAuC;AACvC,oDAAuB;AAIvB,IAAa,cAAc,GAA3B,MAAa,cAAe,SAAQ,qBAAc;IAYzC,KAAK,CAAC,OAAO,CAAS,IAAe,EAAY,IAAY;QAClE,wBAAwB;QACxB,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAErB,+BAA+B;QAC/B,MAAM,GAAG,GAAmB,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QAChE,IAAI,GAAG,EAAE;YACP,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACxD,IAAI,OAAO,EAAE;gBACX,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;aAC5C;SACF;QAED,OAAO,IAAI,SAAE,CAAC,gBAAC,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClD,CAAC;IAGM,KAAK,CAAC,WAAW,CAAU,KAAa,EAAU,GAAgB;QACvE,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,eAAe,EAAE;YACxC,MAAM,IAAI,4BAAe,CAAC,yBAAyB,CAAC,CAAC;SACtD;QAED,MAAM,IAAI,GAAG,MAAM,WAAS,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACnE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;QAEnF,IAAI,CAAC,OAAO,EAAE;YACZ,MAAM,IAAI,sBAAS,CAAC,2BAA2B,CAAC,CAAC;SAClD;QAED,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtE,IAAI,CAAC,QAAQ,GAAG,cAAc,CAAC;QAC/B,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACpB,OAAO,IAAI,SAAE,EAAE,CAAC;IAClB,CAAC;CACF,CAAA;AA5CC;IADC,IAAA,eAAU,GAAE;8BACe,uBAAgB;wDAAC;AAG7C;IADC,IAAA,sBAAM,EAAC,oBAAoB,CAAC;;qDACG;AAGhC;IADC,IAAA,eAAU,GAAE;8BACc,sBAAe;uDAAC;AAI3C;IAFC,IAAA,UAAG,GAAE;IACL,IAAA,uBAAU,EAAC,SAAS,CAAC;IACA,WAAA,IAAA,iBAAI,GAAE,CAAA;IAAmB,WAAA,IAAA,aAAM,GAAE,CAAA;;qCAApB,WAAS;;6CAc3C;AAGD;IADC,IAAA,YAAK,EAAC,kBAAkB,CAAC;IACA,WAAA,IAAA,YAAK,GAAE,CAAA;IAAiB,WAAA,IAAA,WAAI,GAAE,CAAA;;6CAAM,0BAAW;;iDAgBxE;AA7CU,cAAc;IAF1B,IAAA,eAAQ,EAAC,MAAM,CAAC;IAChB,IAAA,qBAAQ,EAAC,MAAM,CAAC;GACJ,cAAc,CA8C1B;AA9CY,wCAAc"}
+{"version":3,"file":"UserController.js","sourceRoot":"","sources":["../../src/controllers/UserController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,sDAAkD;AAClD,gDAAgD;AAChD,wCAAqF;AACrF,wCAA8F;AAC9F,oDAAiE;AACjE,oCAAyC;AACzC,8CAA2D;AAC3D,0DAAgD;AAChD,qDAAuC;AACvC,oDAAuB;AACvB,wCAAqC;AAIrC,IAAa,cAAc,GAA3B,MAAa,cAAe,SAAQ,qBAAc;IAYzC,KAAK,CAAC,OAAO,CAAS,IAAe,EAAY,IAAY;QAClE,wBAAwB;QACxB,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAE/B,+BAA+B;QAC/B,MAAM,GAAG,GAAmB,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QAChE,IAAI,GAAG,EAAE;YACP,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACxD,IAAI,OAAO,EAAE;gBACX,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;aAC5C;SACF;QAED,OAAO,IAAI,SAAE,CAAC,gBAAC,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClD,CAAC;IAGM,KAAK,CAAC,eAAe,CAAS,MAAoB,IAAG,CAAC;IAGtD,KAAK,CAAC,WAAW,CAAU,KAAa,EAAU,GAAgB;QACvE,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,eAAe,EAAE;YACxC,MAAM,IAAI,4BAAe,CAAC,yBAAyB,CAAC,CAAC;SACtD;QAED,MAAM,IAAI,GAAG,MAAM,WAAS,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACnE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;QAEnF,IAAI,CAAC,OAAO,EAAE;YACZ,MAAM,IAAI,sBAAS,CAAC,2BAA2B,CAAC,CAAC;SAClD;QAED,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtE,IAAI,CAAC,QAAQ,GAAG,cAAc,CAAC;QAC/B,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACpB,OAAO,IAAI,SAAE,EAAE,CAAC;IAClB,CAAC;CACF,CAAA;AAhDC;IADC,IAAA,eAAU,GAAE;8BACe,uBAAgB;wDAAC;AAG7C;IADC,IAAA,sBAAM,EAAC,oBAAoB,CAAC;;qDACG;AAGhC;IADC,IAAA,eAAU,GAAE;8BACc,sBAAe;uDAAC;AAI3C;IAFC,IAAA,UAAG,GAAE;IACL,IAAA,uBAAU,EAAC,SAAS,CAAC;IACA,WAAA,IAAA,iBAAI,GAAE,CAAA;IAAmB,WAAA,IAAA,aAAM,GAAE,CAAA;;qCAApB,WAAS;;6CAe3C;AAGD;IADC,IAAA,WAAI,EAAC,kBAAkB,CAAC;IACK,WAAA,IAAA,WAAI,GAAE,CAAA;;qCAAS,wBAAY;;qDAAI;AAG7D;IADC,IAAA,YAAK,EAAC,kBAAkB,CAAC;IACA,WAAA,IAAA,YAAK,GAAE,CAAA;IAAiB,WAAA,IAAA,WAAI,GAAE,CAAA;;6CAAM,0BAAW;;iDAgBxE;AAjDU,cAAc;IAF1B,IAAA,eAAQ,EAAC,MAAM,CAAC;IAChB,IAAA,qBAAQ,EAAC,MAAM,CAAC;GACJ,cAAc,CAkD1B;AAlDY,wCAAc"}

package/lib/decorators.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Session = exports.User = exports.Permission = exports.Resource = exports.setRbacMetadata = exports.ACL_CONTROLLER_DESCRIPTOR = void 0;
 const http_1 = require("@spinajs/http");
-const policies_1 = require("./policies");
+const RbacPolicy_1 = require("./policies/RbacPolicy");
 exports.ACL_CONTROLLER_DESCRIPTOR = Symbol('ACL_CONTROLLER_DESCRIPTOR_SYMBOL');
 function setRbacMetadata(target, callback) {
     let metadata = Reflect.getMetadata(exports.ACL_CONTROLLER_DESCRIPTOR, target.prototype || target);
@@ -43,7 +43,7 @@ function descriptor(callback) {
  */
 function Resource(resource, permission = 'readOwn') {
     return descriptor((metadata, target) => {
-        (0, http_1.Policy)(policies_1.RbacPolicy)(target, null, null);
+        (0, http_1.Policy)(RbacPolicy_1.RbacPolicy)(target, null, null);
         metadata.Resource = resource;
         metadata.Permission = permission;
     });
@@ -69,7 +69,7 @@ function Permission(permission = 'readOwn') {
             }
             metadata.Routes.set(propertyKey, route);
         }
-        (0, http_1.Policy)(policies_1.RbacPolicy)(target, propertyKey, null);
+        (0, http_1.Policy)(RbacPolicy_1.RbacPolicy)(target, propertyKey, null);
     });
 }
 exports.Permission = Permission;

package/lib/decorators.js.map

@@ -1 +1 @@
-{"version":3,"file":"decorators.js","sourceRoot":"","sources":["../src/decorators.ts"],"names":[],"mappings":";;;AACA,wCAAyD;AACzD,yCAAwC;AAE3B,QAAA,yBAAyB,GAAG,MAAM,CAAC,kCAAkC,CAAC,CAAC;AAEpF,SAAgB,eAAe,CAAC,MAAW,EAAE,QAAyC;IACpF,IAAI,QAAQ,GAAoB,OAAO,CAAC,WAAW,CAAC,iCAAyB,EAAE,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;IAC3G,IAAI,CAAC,QAAQ,EAAE;QACb,QAAQ,GAAG;YACT,QAAQ,EAAE,EAAE;YACZ,MAAM,EAAE,IAAI,GAAG,EAA0C;YACzD,UAAU,EAAE,SAAS;SACtB,CAAC;QAEF,OAAO,CAAC,cAAc,CAAC,iCAAyB,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;KACzF;IAED,IAAI,QAAQ,EAAE;QACZ,QAAQ,CAAC,QAAQ,CAAC,CAAC;KACpB;AACH,CAAC;AAfD,0CAeC;AAED,SAAS,UAAU,CAAC,QAA0I;IAC5J,OAAO,CAAC,MAAW,EAAE,WAA4B,EAAE,iBAA8C,EAAE,EAAE;QACnG,IAAI,QAAQ,GAAoB,OAAO,CAAC,WAAW,CAAC,iCAAyB,EAAE,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;QAC3G,IAAI,CAAC,QAAQ,EAAE;YACb,QAAQ,GAAG;gBACT,QAAQ,EAAE,EAAE;gBACZ,MAAM,EAAE,IAAI,GAAG,EAA0C;gBACzD,UAAU,EAAE,SAAS;aACtB,CAAC;YAEF,OAAO,CAAC,cAAc,CAAC,iCAAyB,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;SACzF;QAED,IAAI,QAAQ,EAAE;YACZ,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,iBAAiB,CAAC,CAAC;SAC5D;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,QAAQ,CAAC,QAAgB,EAAE,aAA6B,SAAS;IAC/E,OAAO,UAAU,CAAC,CAAC,QAAyB,EAAE,MAAW,EAAE,EAAE;QAC3D,IAAA,aAAM,EAAC,qBAAU,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAEvC,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAC7B,QAAQ,CAAC,UAAU,GAAG,UAAU,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC;AAPD,4BAOC;AAED;;;;;GAKG;AACH,SAAgB,UAAU,CAAC,aAA6B,SAAS;IAC/D,OAAO,UAAU,CAAC,CAAC,QAAyB,EAAE,MAAW,EAAE,WAAmB,EAAE,EAAE;QAChF,IAAI,KAAK,GAAmC,IAAI,CAAC;QAEjD,IAAI,WAAW,EAAE;YACf,IAAI,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE;gBACpC,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;aAC1C;iBAAM;gBACL,KAAK,GAAG;oBACN,UAAU,EAAE,UAAU;iBACvB,CAAC;aACH;YAED,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;SACzC;QAED,IAAA,aAAM,EAAC,qBAAU,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC;AAlBD,gCAkBC;AAED;;GAEG;AACH,SAAgB,IAAI;IAClB,OAAO,IAAA,YAAK,EAAC,IAAA,gBAAS,EAAC,SAAS,CAAC,CAAC,CAAC;AACrC,CAAC;AAFD,oBAEC;AAED;;GAEG;AACH,SAAgB,OAAO;IACrB,OAAO,IAAA,YAAK,EAAC,IAAA,gBAAS,EAAC,YAAY,CAAC,CAAC,CAAC;AACxC,CAAC;AAFD,0BAEC"}
+{"version":3,"file":"decorators.js","sourceRoot":"","sources":["../src/decorators.ts"],"names":[],"mappings":";;;AACA,wCAAyD;AACzD,sDAAmD;AAEtC,QAAA,yBAAyB,GAAG,MAAM,CAAC,kCAAkC,CAAC,CAAC;AAEpF,SAAgB,eAAe,CAAC,MAAW,EAAE,QAAyC;IACpF,IAAI,QAAQ,GAAoB,OAAO,CAAC,WAAW,CAAC,iCAAyB,EAAE,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;IAC3G,IAAI,CAAC,QAAQ,EAAE;QACb,QAAQ,GAAG;YACT,QAAQ,EAAE,EAAE;YACZ,MAAM,EAAE,IAAI,GAAG,EAA0C;YACzD,UAAU,EAAE,SAAS;SACtB,CAAC;QAEF,OAAO,CAAC,cAAc,CAAC,iCAAyB,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;KACzF;IAED,IAAI,QAAQ,EAAE;QACZ,QAAQ,CAAC,QAAQ,CAAC,CAAC;KACpB;AACH,CAAC;AAfD,0CAeC;AAED,SAAS,UAAU,CAAC,QAA0I;IAC5J,OAAO,CAAC,MAAW,EAAE,WAA4B,EAAE,iBAA8C,EAAE,EAAE;QACnG,IAAI,QAAQ,GAAoB,OAAO,CAAC,WAAW,CAAC,iCAAyB,EAAE,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;QAC3G,IAAI,CAAC,QAAQ,EAAE;YACb,QAAQ,GAAG;gBACT,QAAQ,EAAE,EAAE;gBACZ,MAAM,EAAE,IAAI,GAAG,EAA0C;gBACzD,UAAU,EAAE,SAAS;aACtB,CAAC;YAEF,OAAO,CAAC,cAAc,CAAC,iCAAyB,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;SACzF;QAED,IAAI,QAAQ,EAAE;YACZ,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,iBAAiB,CAAC,CAAC;SAC5D;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,QAAQ,CAAC,QAAgB,EAAE,aAA6B,SAAS;IAC/E,OAAO,UAAU,CAAC,CAAC,QAAyB,EAAE,MAAW,EAAE,EAAE;QAC3D,IAAA,aAAM,EAAC,uBAAU,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAEvC,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAC7B,QAAQ,CAAC,UAAU,GAAG,UAAU,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC;AAPD,4BAOC;AAED;;;;;GAKG;AACH,SAAgB,UAAU,CAAC,aAA6B,SAAS;IAC/D,OAAO,UAAU,CAAC,CAAC,QAAyB,EAAE,MAAW,EAAE,WAAmB,EAAE,EAAE;QAChF,IAAI,KAAK,GAAmC,IAAI,CAAC;QAEjD,IAAI,WAAW,EAAE;YACf,IAAI,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE;gBACpC,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;aAC1C;iBAAM;gBACL,KAAK,GAAG;oBACN,UAAU,EAAE,UAAU;iBACvB,CAAC;aACH;YAED,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;SACzC;QAED,IAAA,aAAM,EAAC,uBAAU,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC;AAlBD,gCAkBC;AAED;;GAEG;AACH,SAAgB,IAAI;IAClB,OAAO,IAAA,YAAK,EAAC,IAAA,gBAAS,EAAC,SAAS,CAAC,CAAC,CAAC;AACrC,CAAC;AAFD,oBAEC;AAED;;GAEG;AACH,SAAgB,OAAO;IACrB,OAAO,IAAA,YAAK,EAAC,IAAA,gBAAS,EAAC,YAAY,CAAC,CAAC,CAAC;AACxC,CAAC;AAFD,0BAEC"}

package/lib/dto/login-dto.d.ts

@@ -7,15 +7,10 @@ export declare const LoginDtoSchema: {
             type: string;
             format: string;
         };
-        Password: {
-            type: string;
-            maxLength: number;
-        };
     };
     required: string[];
 };
-export declare class LoginDto {
+export declare class UserLoginDto {
     Email: string;
-    Password: string;
     constructor(data: any);
 }

package/lib/dto/login-dto.js

@@ -9,26 +9,25 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.LoginDto = exports.LoginDtoSchema = void 0;
+exports.UserLoginDto = exports.LoginDtoSchema = void 0;
 const validation_1 = require("@spinajs/validation");
 exports.LoginDtoSchema = {
     $schema: 'http://json-schema.org/draft-07/schema#',
-    title: 'User login DTO',
+    title: 'login DTO',
     type: 'object',
     properties: {
         Login: { type: 'string', format: 'email' },
-        Password: { type: 'string', maxLength: 32 },
     },
-    required: ['Email', 'Password'],
+    required: ['Email'],
 };
-let LoginDto = class LoginDto {
+let UserLoginDto = class UserLoginDto {
     constructor(data) {
         Object.assign(this, data);
     }
 };
-LoginDto = __decorate([
+UserLoginDto = __decorate([
     (0, validation_1.Schema)(exports.LoginDtoSchema),
     __metadata("design:paramtypes", [Object])
-], LoginDto);
-exports.LoginDto = LoginDto;
+], UserLoginDto);
+exports.UserLoginDto = UserLoginDto;
 //# sourceMappingURL=login-dto.js.map

package/lib/dto/login-dto.js.map

@@ -1 +1 @@
-{"version":3,"file":"login-dto.js","sourceRoot":"","sources":["../../src/dto/login-dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAA6C;AAEhC,QAAA,cAAc,GAAG;IAC5B,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,gBAAgB;IACvB,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE;QAC1C,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE;KAC5C;IACD,QAAQ,EAAE,CAAC,OAAO,EAAE,UAAU,CAAC;CAChC,CAAC;AAGF,IAAa,QAAQ,GAArB,MAAa,QAAQ;IAKnB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AARY,QAAQ;IADpB,IAAA,mBAAM,EAAC,sBAAc,CAAC;;GACV,QAAQ,CAQpB;AARY,4BAAQ"}
+{"version":3,"file":"login-dto.js","sourceRoot":"","sources":["../../src/dto/login-dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAA6C;AAEhC,QAAA,cAAc,GAAG;IAC5B,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,WAAW;IAClB,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE;KAC3C;IACD,QAAQ,EAAE,CAAC,OAAO,CAAC;CACpB,CAAC;AAGF,IAAa,YAAY,GAAzB,MAAa,YAAY;IAGvB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AANY,YAAY;IADxB,IAAA,mBAAM,EAAC,sBAAc,CAAC;;GACV,YAAY,CAMxB;AANY,oCAAY"}

package/lib/dto/token-dto.d.ts

@@ -0,0 +1,15 @@
+export declare const TokenDtoSchema: {
+    $schema: string;
+    title: string;
+    type: string;
+    properties: {
+        Token: {
+            type: string;
+            maxLength: number;
+        };
+    };
+};
+export declare class TokenDto {
+    Token: string;
+    constructor(data: any);
+}

package/lib/dto/token-dto.js

@@ -0,0 +1,32 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenDto = exports.TokenDtoSchema = void 0;
+const validation_1 = require("@spinajs/validation");
+exports.TokenDtoSchema = {
+    $schema: 'http://json-schema.org/draft-07/schema#',
+    title: 'Token DTO',
+    type: 'object',
+    properties: {
+        Token: { type: 'string', maxLength: 64 },
+    },
+};
+let TokenDto = class TokenDto {
+    constructor(data) {
+        Object.assign(this, data);
+    }
+};
+TokenDto = __decorate([
+    (0, validation_1.Schema)(exports.TokenDtoSchema),
+    __metadata("design:paramtypes", [Object])
+], TokenDto);
+exports.TokenDto = TokenDto;
+//# sourceMappingURL=token-dto.js.map

package/lib/dto/token-dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-dto.js","sourceRoot":"","sources":["../../src/dto/token-dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAA6C;AAChC,QAAA,cAAc,GAAG;IAC5B,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,WAAW;IAClB,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE;KACzC;CACF,CAAC;AAGF,IAAa,QAAQ,GAArB,MAAa,QAAQ;IAGnB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AANY,QAAQ;IADpB,IAAA,mBAAM,EAAC,sBAAc,CAAC;;GACV,QAAQ,CAMpB;AANY,4BAAQ"}

package/lib/dto/userLogin-dto.d.ts

@@ -0,0 +1,21 @@
+export declare const UserLoginDtoSchema: {
+    $schema: string;
+    title: string;
+    type: string;
+    properties: {
+        Login: {
+            type: string;
+            format: string;
+        };
+        Password: {
+            type: string;
+            maxLength: number;
+        };
+    };
+    required: string[];
+};
+export declare class UserLoginDto {
+    Email: string;
+    Password: string;
+    constructor(data: any);
+}

package/lib/dto/userLogin-dto.js

@@ -0,0 +1,34 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserLoginDto = exports.UserLoginDtoSchema = void 0;
+const validation_1 = require("@spinajs/validation");
+exports.UserLoginDtoSchema = {
+    $schema: 'http://json-schema.org/draft-07/schema#',
+    title: 'User login DTO',
+    type: 'object',
+    properties: {
+        Login: { type: 'string', format: 'email' },
+        Password: { type: 'string', maxLength: 32 },
+    },
+    required: ['Email', 'Password'],
+};
+let UserLoginDto = class UserLoginDto {
+    constructor(data) {
+        Object.assign(this, data);
+    }
+};
+UserLoginDto = __decorate([
+    (0, validation_1.Schema)(exports.UserLoginDtoSchema),
+    __metadata("design:paramtypes", [Object])
+], UserLoginDto);
+exports.UserLoginDto = UserLoginDto;
+//# sourceMappingURL=userLogin-dto.js.map

package/lib/dto/userLogin-dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"userLogin-dto.js","sourceRoot":"","sources":["../../src/dto/userLogin-dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAA6C;AAEhC,QAAA,kBAAkB,GAAG;IAChC,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,gBAAgB;IACvB,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE;QAC1C,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE;KAC5C;IACD,QAAQ,EAAE,CAAC,OAAO,EAAE,UAAU,CAAC;CAChC,CAAC;AAGF,IAAa,YAAY,GAAzB,MAAa,YAAY;IAKvB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AARY,YAAY;IADxB,IAAA,mBAAM,EAAC,0BAAkB,CAAC;;GACd,YAAY,CAQxB;AARY,oCAAY"}

package/lib/index.d.ts

@@ -1,7 +1,7 @@
 export * from './decorators';
 export * from './interfaces';
 export * from './middlewares';
-export * from './policies';
+export * from './policies/RbacPolicy';
 export * from './controllers/LoginController';
 export * from './controllers/UserController';
 export * from './transformers';

package/lib/index.js

@@ -17,7 +17,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./decorators"), exports);
 __exportStar(require("./interfaces"), exports);
 __exportStar(require("./middlewares"), exports);
-__exportStar(require("./policies"), exports);
+__exportStar(require("./policies/RbacPolicy"), exports);
 __exportStar(require("./controllers/LoginController"), exports);
 __exportStar(require("./controllers/UserController"), exports);
 __exportStar(require("./transformers"), exports);

package/lib/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,+CAA6B;AAC7B,+CAA6B;AAC7B,gDAA8B;AAC9B,6CAA2B;AAC3B,gEAA8C;AAC9C,+DAA6C;AAC7C,iDAA+B;AAC/B,+CAA6B"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,+CAA6B;AAC7B,+CAA6B;AAC7B,gDAA8B;AAC9B,wDAAsC;AACtC,gEAA8C;AAC9C,+DAA6C;AAC7C,iDAA+B;AAC/B,+CAA6B"}

package/lib/interfaces.d.ts

@@ -28,3 +28,40 @@ export interface IRbacRoutePermissionDescriptor {
      */
     Permission: PermissionType;
 }
+export declare abstract class TwoFactorAuthProvider {
+    /**
+     * generate secret key if this provider use is needs it or null
+     */
+    abstract initialize(user: User): Promise<any | null>;
+    /**
+     * Perform action eg. send sms or email. Some 2fac implementations do nothing eg. google auth or hardware keys
+     */
+    abstract execute(user: User): Promise<void>;
+    /**
+     * verifies token send by user
+     */
+    abstract verifyToken(token: string, user: User): Promise<boolean>;
+    /**
+     * Checks if 2fa is enabled for given user
+     */
+    abstract isEnabled(user: User): Promise<boolean>;
+    /**
+     * Checks if 2fa is initialized eg. some
+     * 2fa systems requires to generate private software key and pass it
+     * to user ( like google authenticator)
+     */
+    abstract isInitialized(user: User): Promise<boolean>;
+}
+export declare abstract class FingerprintProvider {
+}
+export interface AuthProvider {
+}
+export interface TwoFactorAuthConfig {
+    enabled: boolean;
+    service: string;
+}
+export interface FingerpringConfig {
+    enabled: boolean;
+    maxDevices: number;
+    service: string;
+}

package/lib/interfaces.js

@@ -1,3 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.FingerprintProvider = exports.TwoFactorAuthProvider = void 0;
+class TwoFactorAuthProvider {
+}
+exports.TwoFactorAuthProvider = TwoFactorAuthProvider;
+class FingerprintProvider {
+}
+exports.FingerprintProvider = FingerprintProvider;
 //# sourceMappingURL=interfaces.js.map

package/lib/interfaces.js.map

@@ -1 +1 @@
-{"version":3,"file":"interfaces.js","sourceRoot":"","sources":["../src/interfaces.ts"],"names":[],"mappings":""}
+{"version":3,"file":"interfaces.js","sourceRoot":"","sources":["../src/interfaces.ts"],"names":[],"mappings":";;;AAqCA,MAAsB,qBAAqB;CA2B1C;AA3BD,sDA2BC;AAED,MAAsB,mBAAmB;CAAG;AAA5C,kDAA4C"}

package/lib/policies/2FaPolicy.d.ts

@@ -0,0 +1,7 @@
+import { BasePolicy } from '@spinajs/http';
+import { TwoFactorAuthConfig } from '../interfaces';
+export declare class TwoFacRouteEnabled extends BasePolicy {
+    protected TwoFactorConfig: TwoFactorAuthConfig;
+    isEnabled(): boolean;
+    execute(): Promise<void>;
+}

package/lib/policies/2FaPolicy.js

@@ -0,0 +1,32 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TwoFacRouteEnabled = void 0;
+const exceptions_1 = require("@spinajs/exceptions");
+const configuration_1 = require("@spinajs/configuration");
+const http_1 = require("@spinajs/http");
+class TwoFacRouteEnabled extends http_1.BasePolicy {
+    isEnabled() {
+        return true;
+    }
+    execute() {
+        if (this.TwoFactorConfig.enabled === false) {
+            throw new exceptions_1.InvalidOperation('2 factor auth is not enabled');
+        }
+        return Promise.resolve();
+    }
+}
+__decorate([
+    (0, configuration_1.Config)('rbac.twoFactorAuth'),
+    __metadata("design:type", Object)
+], TwoFacRouteEnabled.prototype, "TwoFactorConfig", void 0);
+exports.TwoFacRouteEnabled = TwoFacRouteEnabled;
+//# sourceMappingURL=2FaPolicy.js.map

package/lib/policies/2FaPolicy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"2FaPolicy.js","sourceRoot":"","sources":["../../src/policies/2FaPolicy.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAAuD;AACvD,0DAAgD;AAChD,wCAA2C;AAG3C,MAAa,kBAAmB,SAAQ,iBAAU;IAIzC,SAAS;QACd,OAAO,IAAI,CAAC;IACd,CAAC;IACM,OAAO;QACZ,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,KAAK,KAAK,EAAE;YAC1C,MAAM,IAAI,6BAAgB,CAAC,8BAA8B,CAAC,CAAC;SAC5D;QAED,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;CACF;AAZC;IADC,IAAA,sBAAM,EAAC,oBAAoB,CAAC;;2DACkB;AAFjD,gDAcC"}

package/lib/policies/AuthPolicy.d.ts

@@ -0,0 +1,9 @@
+import { BasePolicy, IController, IRoute, Request as sRequest } from '@spinajs/http';
+/**
+ * Simple policy to only check if user is authorized ( do not check permissions for routes)
+ * Usefull if we want to give acces for all logged users
+ */
+export declare class AuthPolicy extends BasePolicy {
+    isEnabled(_action: IRoute, _instance: IController): boolean;
+    execute(req: sRequest): Promise<void>;
+}

package/lib/policies/AuthPolicy.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthPolicy = void 0;
+const http_1 = require("@spinajs/http");
+const exceptions_1 = require("@spinajs/exceptions");
+/**
+ * Simple policy to only check if user is authorized ( do not check permissions for routes)
+ * Usefull if we want to give acces for all logged users
+ */
+class AuthPolicy extends http_1.BasePolicy {
+    isEnabled(_action, _instance) {
+        // acl is always on if set
+        return true;
+    }
+    async execute(req) {
+        if (!req.storage || !req.storage.user || !req.storage.session.Data.get('Authorized')) {
+            throw new exceptions_1.Forbidden('user not logged or session expired');
+        }
+        return Promise.resolve();
+    }
+}
+exports.AuthPolicy = AuthPolicy;
+//# sourceMappingURL=AuthPolicy.js.map

package/lib/policies/AuthPolicy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthPolicy.js","sourceRoot":"","sources":["../../src/policies/AuthPolicy.ts"],"names":[],"mappings":";;;AAAA,wCAAqF;AACrF,oDAAgD;AAEhD;;;GAGG;AACH,MAAa,UAAW,SAAQ,iBAAU;IACjC,SAAS,CAAC,OAAe,EAAE,SAAsB;QACtD,0BAA0B;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAEM,KAAK,CAAC,OAAO,CAAC,GAAa;QAChC,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE;YACpF,MAAM,IAAI,sBAAS,CAAC,oCAAoC,CAAC,CAAC;SAC3D;QAED,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;CACF;AAbD,gCAaC"}

package/lib/policies/RbacPolicy.d.ts

@@ -0,0 +1,15 @@
+import { AccessControl, Permission } from 'accesscontrol';
+import { BasePolicy, IController, IRoute, Request as sRequest } from '@spinajs/http';
+import { User } from '@spinajs/rbac';
+/**
+ * Checks if user is logged, authorized & have proper permissions
+ */
+export declare class RbacPolicy extends BasePolicy {
+    protected Ac: AccessControl;
+    constructor();
+    isEnabled(_action: IRoute, _instance: IController): boolean;
+    execute(req: sRequest, action: IRoute, instance: IController): Promise<void>;
+}
+export declare function checkRbacPermission(role: string | string[], resource: string, permission: string): Permission;
+export declare function checkUserPermission(user: User, resource: string, permission: string): Permission;
+export declare function checkRoutePermission(req: sRequest, resource: string, permission: string): Permission;

package/lib/policies/RbacPolicy.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkRoutePermission = exports.checkUserPermission = exports.checkRbacPermission = exports.RbacPolicy = void 0;
+const http_1 = require("@spinajs/http");
+const exceptions_1 = require("@spinajs/exceptions");
+const decorators_1 = require("../decorators");
+const di_1 = require("@spinajs/di");
+/**
+ * Checks if user is logged, authorized & have proper permissions
+ */
+class RbacPolicy extends http_1.BasePolicy {
+    constructor() {
+        super();
+        this.Ac = di_1.DI.get('AccessControl');
+    }
+    isEnabled(_action, _instance) {
+        // acl is always on if set
+        return true;
+    }
+    async execute(req, action, instance) {
+        var _a, _b;
+        const descriptor = Reflect.getMetadata(decorators_1.ACL_CONTROLLER_DESCRIPTOR, instance);
+        let permission = (_a = descriptor.Permission) !== null && _a !== void 0 ? _a : '';
+        // check if route has its own permission
+        if (descriptor.Routes.has(action.Method)) {
+            permission = (_b = descriptor.Routes.get(action.Method).Permission) !== null && _b !== void 0 ? _b : '';
+        }
+        if (!descriptor || !descriptor.Permission) {
+            throw new exceptions_1.Forbidden(`no route permission or resources assigned`);
+        }
+        if (!req.storage || !req.storage.user || !req.storage.session.Data.get('Authorized')) {
+            throw new exceptions_1.Forbidden('user not logged or session expired');
+        }
+        if (!checkRoutePermission(req, descriptor.Resource, permission).granted) {
+            throw new exceptions_1.Forbidden(`role(s) ${req.storage.user.Role} does not have permission ${permission} for resource ${descriptor.Resource}`);
+        }
+    }
+}
+exports.RbacPolicy = RbacPolicy;
+function checkRbacPermission(role, resource, permission) {
+    const ac = di_1.DI.get('AccessControl');
+    return ac.can(role)[permission](resource);
+}
+exports.checkRbacPermission = checkRbacPermission;
+function checkUserPermission(user, resource, permission) {
+    const ac = di_1.DI.get('AccessControl');
+    if (!user) {
+        return null;
+    }
+    return ac.can(user.Role)[permission](resource);
+}
+exports.checkUserPermission = checkUserPermission;
+function checkRoutePermission(req, resource, permission) {
+    if (!req.storage || !req.storage.user) {
+        return null;
+    }
+    return checkUserPermission(req.storage.user, resource, permission);
+}
+exports.checkRoutePermission = checkRoutePermission;
+//# sourceMappingURL=RbacPolicy.js.map

package/lib/policies/RbacPolicy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RbacPolicy.js","sourceRoot":"","sources":["../../src/policies/RbacPolicy.ts"],"names":[],"mappings":";;;AACA,wCAAqF;AACrF,oDAAgD;AAChD,8CAA0D;AAE1D,oCAAiC;AAGjC;;GAEG;AACH,MAAa,UAAW,SAAQ,iBAAU;IAGxC;QACE,KAAK,EAAE,CAAC;QAER,IAAI,CAAC,EAAE,GAAG,OAAE,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACpC,CAAC;IAEM,SAAS,CAAC,OAAe,EAAE,SAAsB;QACtD,0BAA0B;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAEM,KAAK,CAAC,OAAO,CAAC,GAAa,EAAE,MAAc,EAAE,QAAqB;;QACvE,MAAM,UAAU,GAAoB,OAAO,CAAC,WAAW,CAAC,sCAAyB,EAAE,QAAQ,CAAC,CAAC;QAC7F,IAAI,UAAU,GAAG,MAAA,UAAU,CAAC,UAAU,mCAAI,EAAE,CAAC;QAE7C,wCAAwC;QACxC,IAAI,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE;YACxC,UAAU,GAAG,MAAA,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,mCAAI,EAAE,CAAC;SACpE;QAED,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE;YACzC,MAAM,IAAI,sBAAS,CAAC,2CAA2C,CAAC,CAAC;SAClE;QAED,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE;YACpF,MAAM,IAAI,sBAAS,CAAC,oCAAoC,CAAC,CAAC;SAC3D;QAED,IAAI,CAAC,oBAAoB,CAAC,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,OAAO,EAAE;YACvE,MAAM,IAAI,sBAAS,CAAC,WAAW,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,6BAA6B,UAAU,iBAAiB,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC;SACpI;IACH,CAAC;CACF;AAnCD,gCAmCC;AAED,SAAgB,mBAAmB,CAAC,IAAuB,EAAE,QAAgB,EAAE,UAAkB;IAC/F,MAAM,EAAE,GAAG,OAAE,CAAC,GAAG,CAAgB,eAAe,CAAC,CAAC;IAClD,OAAQ,EAAE,CAAC,GAAG,CAAC,IAAI,CAAS,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,CAAC;AACrD,CAAC;AAHD,kDAGC;AAED,SAAgB,mBAAmB,CAAC,IAAU,EAAE,QAAgB,EAAE,UAAkB;IAClF,MAAM,EAAE,GAAG,OAAE,CAAC,GAAG,CAAgB,eAAe,CAAC,CAAC;IAElD,IAAI,CAAC,IAAI,EAAE;QACT,OAAO,IAAI,CAAC;KACb;IAED,OAAQ,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAS,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,CAAC;AAC1D,CAAC;AARD,kDAQC;AAED,SAAgB,oBAAoB,CAAC,GAAa,EAAE,QAAgB,EAAE,UAAkB;IACtF,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE;QACrC,OAAO,IAAI,CAAC;KACb;IAED,OAAO,mBAAmB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;AACrE,CAAC;AAND,oDAMC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@spinajs/rbac-http",
-  "version": "2.0.26",
+  "version": "2.0.38",
   "description": "HTTP API for user session & permissions",
   "main": "lib/index.js",
   "private": false,
@@ -38,20 +38,24 @@
   },
   "homepage": "https://github.com/spinajs/main#readme",
   "dependencies": {
-    "@spinajs/configuration": "^2.0.19",
-    "@spinajs/di": "^2.0.19",
+    "@spinajs/configuration": "^2.0.38",
+    "@spinajs/di": "^2.0.38",
     "@spinajs/exceptions": "^2.0.12",
-    "@spinajs/http": "^2.0.25",
-    "@spinajs/log": "^2.0.19",
-    "@spinajs/orm": "^2.0.19",
-    "@spinajs/orm-http": "^2.0.26",
-    "@spinajs/rbac": "^2.0.26",
-    "@spinajs/reflection": "^2.0.19",
+    "@spinajs/http": "^2.0.38",
+    "@spinajs/log": "^2.0.38",
+    "@spinajs/orm": "^2.0.38",
+    "@spinajs/orm-http": "^2.0.38",
+    "@spinajs/rbac": "^2.0.38",
+    "@spinajs/reflection": "^2.0.38",
     "accesscontrol": "^2.2.1",
-    "luxon": "^2.4.0"
+    "luxon": "^2.4.0",
+    "qrcode": "^1.5.1",
+    "speakeasy": "^2.0.0"
   },
   "devDependencies": {
-    "@spinajs/orm-sqlite": "^2.0.26"
+    "@spinajs/orm-sqlite": "^2.0.38",
+    "@types/qrcode": "^1.4.2",
+    "@types/speakeasy": "^2.0.7"
   },
-  "gitHead": "6cc486b8c6d95f3632767f2796496f9807487508"
+  "gitHead": "5ea5440ee9db49595f531592ebdbc6d69f457082"
 }