@spinajs/rbac-http 2.0.28 → 2.0.44

package/lib/2fa/SpeakEasy2FaToken.d.ts

@@ -0,0 +1,13 @@
+import { TwoFactorAuthProvider } from '../interfaces';
+import { User } from '@spinajs/rbac';
+import { Log } from '@spinajs/log';
+export declare class SpeakEasy2FaToken extends TwoFactorAuthProvider {
+    protected Config: any;
+    protected Log: Log;
+    constructor();
+    execute(_: User): Promise<void>;
+    verifyToken(token: string, user: User): Promise<boolean>;
+    initialize(user: User): Promise<any>;
+    isEnabled(user: User): Promise<boolean>;
+    isInitialized(user: User): Promise<boolean>;
+}

package/lib/2fa/SpeakEasy2FaToken.js

@@ -0,0 +1,91 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SpeakEasy2FaToken = void 0;
+const di_1 = require("@spinajs/di");
+const interfaces_1 = require("../interfaces");
+const speakeasy = __importStar(require("speakeasy"));
+const configuration_1 = require("@spinajs/configuration");
+const log_1 = require("@spinajs/log");
+let SpeakEasy2FaToken = class SpeakEasy2FaToken extends interfaces_1.TwoFactorAuthProvider {
+    constructor() {
+        super();
+    }
+    execute(_) {
+        // empty, speakasy works offline eg. google authenticator
+        // we dont send any email or sms
+        return Promise.resolve();
+    }
+    async verifyToken(token, user) {
+        const meta = user.Metadata.find((x) => x.Key === '2fa_speakeasy_token');
+        if (!meta || meta.Value === '') {
+            this.Log.trace(`Cannot verify 2fa token, no 2fa token for user ${user.Id}`);
+            return false;
+        }
+        const verified = speakeasy.totp.verify({
+            secret: meta.Value,
+            encoding: 'base32',
+            token,
+            window: 5,
+        });
+        return verified;
+    }
+    async initialize(user) {
+        const secret = speakeasy.generateSecret(this.Config);
+        await (user.Metadata['2fa_speakeasy_token'] = secret.base32);
+        return secret.base32;
+    }
+    async isEnabled(user) {
+        const val = await user.Metadata['2fa_enabled'];
+        return val;
+    }
+    async isInitialized(user) {
+        const val = await user.Metadata['2fa_speakeasy_token'];
+        return val !== '';
+    }
+};
+__decorate([
+    (0, configuration_1.Config)('rbac.speakeasy'),
+    __metadata("design:type", Object)
+], SpeakEasy2FaToken.prototype, "Config", void 0);
+__decorate([
+    (0, log_1.Logger)('SPEAKEASY_2FA_TOKEN'),
+    __metadata("design:type", log_1.Log)
+], SpeakEasy2FaToken.prototype, "Log", void 0);
+SpeakEasy2FaToken = __decorate([
+    (0, di_1.Injectable)(interfaces_1.TwoFactorAuthProvider),
+    __metadata("design:paramtypes", [])
+], SpeakEasy2FaToken);
+exports.SpeakEasy2FaToken = SpeakEasy2FaToken;
+//# sourceMappingURL=SpeakEasy2FaToken.js.map

package/lib/2fa/SpeakEasy2FaToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SpeakEasy2FaToken.js","sourceRoot":"","sources":["../../src/2fa/SpeakEasy2FaToken.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oCAAyC;AACzC,8CAAsD;AACtD,qDAAuC;AAEvC,0DAAgD;AAChD,sCAA2C;AAG3C,IAAa,iBAAiB,GAA9B,MAAa,iBAAkB,SAAQ,kCAAqB;IAO1D;QACE,KAAK,EAAE,CAAC;IACV,CAAC;IAEM,OAAO,CAAC,CAAO;QACpB,yDAAyD;QACzD,gCAAgC;QAChC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAEM,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,IAAU;QAChD,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,qBAAqB,CAAC,CAAC;QAExE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,KAAK,EAAE,EAAE;YAC9B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,kDAAkD,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;YAE5E,OAAO,KAAK,CAAC;SACd;QAED,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;YACrC,MAAM,EAAE,IAAI,CAAC,KAAK;YAClB,QAAQ,EAAE,QAAQ;YAClB,KAAK;YACL,MAAM,EAAE,CAAC;SACV,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,IAAU;QAChC,MAAM,MAAM,GAAG,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7D,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IAEM,KAAK,CAAC,SAAS,CAAC,IAAU;QAC/B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC/C,OAAO,GAAc,CAAC;IACxB,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,IAAU;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;QACvD,OAAO,GAAG,KAAK,EAAE,CAAC;IACpB,CAAC;CACF,CAAA;AAjDC;IADC,IAAA,sBAAM,EAAC,gBAAgB,CAAC;;iDACH;AAGtB;IADC,IAAA,YAAM,EAAC,qBAAqB,CAAC;8BACf,SAAG;8CAAC;AALR,iBAAiB;IAD7B,IAAA,eAAU,EAAC,kCAAqB,CAAC;;GACrB,iBAAiB,CAmD7B;AAnDY,8CAAiB"}

package/lib/config/rbac-http.js

@@ -12,6 +12,25 @@ module.exports = {
             views: [dir('./../views')],
         },
     },
+    rbac: {
+        twoFactorAuth: {
+            enabled: true,
+            service: 'SpeakEasy2FaToken',
+        },
+        fingerprint: {
+            enabled: false,
+            maxDevices: 3,
+            service: 'FingerprintJs',
+        },
+        password: {
+            // password reset token ttl in minutes
+            tokenTTL: 60,
+            /**
+             * Block account after invalid login attempts
+             */
+            blockAfterAttempts: 3,
+        },
+    },
     http: {
         middlewares: [
         // add global user from session middleware

package/lib/config/rbac-http.js.map

@@ -1 +1 @@
-{"version":3,"file":"rbac-http.js","sourceRoot":"","sources":["../../src/config/rbac-http.ts"],"names":[],"mappings":";;AAAA,+BAAgD;AAEhD,SAAS,GAAG,CAAC,IAAY;IACvB,OAAO,IAAA,cAAO,EAAC,IAAA,gBAAS,EAAC,IAAA,WAAI,EAAC,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;AACnD,CAAC;AACD,MAAM,CAAC,OAAO,GAAG;IACf,MAAM,EAAE;QACN,IAAI,EAAE;YACJ,WAAW,EAAE,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACtC,OAAO,EAAE,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC9B,KAAK,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;SAC3B;KACF;IACD,IAAI,EAAE;QACJ,WAAW,EAAE;QACX,0CAA0C;SAC3C;KACF;CACF,CAAC"}
+{"version":3,"file":"rbac-http.js","sourceRoot":"","sources":["../../src/config/rbac-http.ts"],"names":[],"mappings":";;AAAA,+BAAgD;AAEhD,SAAS,GAAG,CAAC,IAAY;IACvB,OAAO,IAAA,cAAO,EAAC,IAAA,gBAAS,EAAC,IAAA,WAAI,EAAC,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;AACnD,CAAC;AACD,MAAM,CAAC,OAAO,GAAG;IACf,MAAM,EAAE;QACN,IAAI,EAAE;YACJ,WAAW,EAAE,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACtC,OAAO,EAAE,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC9B,KAAK,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;SAC3B;KACF;IACD,IAAI,EAAE;QACJ,aAAa,EAAE;YACb,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,mBAAmB;SAC7B;QACD,WAAW,EAAE;YACX,OAAO,EAAE,KAAK;YACd,UAAU,EAAE,CAAC;YACb,OAAO,EAAE,eAAe;SACzB;QACD,QAAQ,EAAE;YACR,sCAAsC;YACtC,QAAQ,EAAE,EAAE;YAEZ;;eAEG;YACH,kBAAkB,EAAE,CAAC;SACtB;KACF;IACD,IAAI,EAAE;QACJ,WAAW,EAAE;QACX,0CAA0C;SAC3C;KACF;CACF,CAAC"}

package/lib/controllers/LoginController.d.ts

@@ -1,12 +1,34 @@
-import { LoginDto } from './../dto/login-dto';
-import { BaseController, Ok, CookieResponse, Unauthorized, NotAllowed } from '@spinajs/http';
-import { AuthProvider, SessionProvider, User as UserModel } from '@spinajs/rbac';
+import { InvalidOperation } from '@spinajs/exceptions';
+import { UserLoginDto } from '../dto/userLogin-dto';
+import { BaseController, Ok, CookieResponse, Unauthorized, BadRequest, NotFound } from '@spinajs/http';
+import { AuthProvider, FederatedAuthProvider, PasswordProvider, PasswordValidationProvider, SessionProvider, User as UserModel } from '@spinajs/rbac';
 import { Configuration } from '@spinajs/configuration';
+import { FingerprintProvider, TwoFactorAuthProvider } from '../interfaces';
+import { QueueClient } from '@spinajs/queue';
+import { RestorePasswordDto } from '../dto/restore-password-dto';
 export declare class LoginController extends BaseController {
     protected Configuration: Configuration;
     protected AuthProvider: AuthProvider;
     protected SessionProvider: SessionProvider;
     protected SessionExpirationTime: number;
-    login(credentials: LoginDto, logged: UserModel): Promise<Unauthorized | CookieResponse | NotAllowed>;
+    protected PasswordResetTokenTTL: number;
+    protected TwoFactorAuthProvider: TwoFactorAuthProvider;
+    protected FingerprintProvider: FingerprintProvider;
+    protected PasswordValidationService: PasswordValidationProvider;
+    protected FederatedLoginStrategies: FederatedAuthProvider<any>[];
+    protected PasswordProvider: PasswordProvider;
+    protected Queue: QueueClient;
+    loginFederated(credentials: unknown, caller: string): Promise<Unauthorized | CookieResponse>;
+    /**
+     *
+     * Api call for listing avaible federated login strategies
+     *
+     * @returns response with avaible login strategies
+     */
+    federatedLoginList(): Promise<Ok>;
+    login(credentials: UserLoginDto): Promise<Unauthorized | CookieResponse>;
+    setNewPassword(token: string, pwd: RestorePasswordDto): Promise<BadRequest | NotFound>;
+    forgotPassword(login: UserLoginDto): Promise<InvalidOperation | Ok>;
     logout(ssid: string): Promise<Ok | CookieResponse>;
+    protected authenticate(user: UserModel, federated?: boolean): Promise<Unauthorized | CookieResponse>;
 }

package/lib/controllers/LoginController.js

@@ -11,38 +11,133 @@ var __metadata = (this && this.__metadata) || function (k, v) {
 var __param = (this && this.__param) || function (paramIndex, decorator) {
     return function (target, key) { decorator(target, key, paramIndex); }
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.LoginController = void 0;
-const login_dto_1 = require("./../dto/login-dto");
+const exceptions_1 = require("@spinajs/exceptions");
+const userLogin_dto_1 = require("../dto/userLogin-dto");
 const http_1 = require("@spinajs/http");
 const rbac_1 = require("@spinajs/rbac");
 const di_1 = require("@spinajs/di");
 const configuration_1 = require("@spinajs/configuration");
-const decorators_1 = require("./../decorators");
-const lodash_1 = __importDefault(require("lodash"));
+const interfaces_1 = require("../interfaces");
+const queue_1 = require("@spinajs/queue");
+const NotLoggedPolicy_1 = require("../policies/NotLoggedPolicy");
+const LoggedPolicy_1 = require("../policies/LoggedPolicy");
+const UserPassordRestore_1 = require("../events/UserPassordRestore");
+const restore_password_dto_1 = require("../dto/restore-password-dto");
+const uuid_1 = require("uuid");
+const luxon_1 = require("luxon");
+const rbac_2 = require("@spinajs/rbac");
+const UserLoginSuccess_1 = require("../events/UserLoginSuccess");
 let LoginController = class LoginController extends http_1.BaseController {
-    async login(credentials, logged) {
-        if (logged) {
-            return new http_1.NotAllowed('User already logged in. Please logout before trying to authorize.');
+    async loginFederated(credentials, caller) {
+        const strategy = this.FederatedLoginStrategies.find((x) => x.callerCheck(caller));
+        if (!strategy) {
+            throw new exceptions_1.InvalidOperation(`No auth stragegy registered for caller ${caller}`);
+        }
+        const result = await strategy.authenticate(credentials);
+        if (!result.Error) {
+            // proceed with standard authentication
+            return await this.authenticate(result.User);
+        }
+        return new http_1.Unauthorized(result.Error);
+    }
+    /**
+     *
+     * Api call for listing avaible federated login strategies
+     *
+     * @returns response with avaible login strategies
+     */
+    async federatedLoginList() {
+        return new http_1.Ok(this.FederatedLoginStrategies.map((x) => x.Name));
+    }
+    async login(credentials) {
+        const result = await this.AuthProvider.authenticate(credentials.Email, credentials.Password);
+        if (!result.Error) {
+            // proceed with standard authentication
+            return await this.authenticate(result.User);
         }
-        const user = await this.AuthProvider.authenticate(credentials.Email, credentials.Password);
+        return new http_1.Unauthorized(result.Error);
+    }
+    async setNewPassword(token, pwd) {
+        const user = await rbac_1.User.query()
+            .innerJoin(rbac_1.UserMetadata, function () {
+            this.where({
+                Key: 'password:reset:token',
+                Value: token,
+            });
+        })
+            .populate('Metadata')
+            .first();
         if (!user) {
-            return new http_1.Unauthorized({
+            return new http_1.NotFound({
                 error: {
-                    message: 'login or password incorrect',
+                    code: 'ERR_USER_NOT_FOUND',
+                    message: 'No user found for this reset token',
                 },
             });
         }
-        await user.Metadata.populate();
-        const session = new rbac_1.Session();
-        const sData = user.dehydrate();
-        session.Data.set('User', sData);
-        await this.SessionProvider.save(session);
-        // BEWARE: httpOnly coockie, only accesible via http method in browser
-        return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, lodash_1.default.omit(sData, ['Id']), { httpOnly: true });
+        const val = (await user.Metadata['password:reset:start']);
+        const now = luxon_1.DateTime.now().plus({ seconds: -this.PasswordResetTokenTTL });
+        if (val < now) {
+            return new http_1.BadRequest({
+                error: {
+                    code: 'ERR_RESET_TOKEN_EXPIRED',
+                    message: 'Password reset token expired',
+                },
+            });
+        }
+        if (!this.PasswordValidationService.check(pwd.Password)) {
+            return new http_1.BadRequest({
+                error: {
+                    code: 'ERR_PASSWORD_RULE',
+                    message: 'Invalid password, does not match password rules',
+                },
+            });
+        }
+        if (pwd.Password !== pwd.ConfirmPassword) {
+            return new http_1.BadRequest({
+                error: {
+                    code: 'ERR_PASSWORD_NOT_MATCH',
+                    message: 'Password and repeat password does not match',
+                },
+            });
+        }
+        const hashedPassword = await this.PasswordProvider.hash(pwd.Password);
+        user.Password = hashedPassword;
+        await user.update();
+        /**
+         * Delete all reset related meta for user
+         */
+        await user.Metadata.delete(/password:reset.*/);
+        // add to action list
+        await user.Actions.add(new rbac_2.UserAction({
+            Persistent: true,
+            Action: 'password:reset',
+        }));
+        // inform others
+        await this.Queue.emit(new rbac_1.UserPasswordChanged(user.Uuid));
+    }
+    async forgotPassword(login) {
+        const user = await this.AuthProvider.getByEmail(login.Email);
+        if (!user.IsActive || user.IsBanned || user.DeletedAt !== null) {
+            return new exceptions_1.InvalidOperation('User is inactive, banned or deleted. Contact system administrator');
+        }
+        const token = (0, uuid_1.v4)();
+        // assign meta to user
+        await (user.Metadata['password:reset'] = true);
+        await (user.Metadata['password:reset:token'] = token);
+        await (user.Metadata['password:reset:start'] = luxon_1.DateTime.now());
+        await user.Actions.add(new rbac_2.UserAction({
+            Action: 'user:password:reset',
+            Data: luxon_1.DateTime.now().toISO(),
+            Persistent: true,
+        }));
+        await this.Queue.emit(new UserPassordRestore_1.UserPasswordRestore(user.Uuid, token));
+        return new http_1.Ok({
+            reset_token: token,
+            ttl: this.PasswordResetTokenTTL,
+        });
     }
     async logout(ssid) {
         if (!ssid) {
@@ -52,33 +147,154 @@ let LoginController = class LoginController extends http_1.BaseController {
         // send empty cookie to confirm session deletion
         return new http_1.CookieResponse('ssid', null, this.SessionExpirationTime);
     }
+    async authenticate(user, federated) {
+        if (!user) {
+            return new http_1.Unauthorized({
+                error: {
+                    message: 'login or password incorrect',
+                },
+            });
+        }
+        await user.Metadata.populate();
+        const session = new rbac_1.Session();
+        const dUser = user.dehydrate();
+        session.Data.set('User', dUser);
+        // we found user but we still dont know if is authorized
+        // eg. 2fa auth is not performed
+        // create session, but user is not yet authorized
+        session.Data.set('Authorized', false);
+        // if its federated login, skip 2fa - assume
+        // external login service provided it
+        if (this.TwoFactorConfig.enabled || !federated) {
+            await this.SessionProvider.save(session);
+            const enabledForUser = await this.TwoFactorAuthProvider.isEnabled(user);
+            /**
+             * if 2fa is enabled for user, proceed
+             */
+            if (enabledForUser) {
+                /**
+                 * check if 2fa system is initialized for user eg. private key is generated.
+                 */
+                const isInitialized = await this.TwoFactorAuthProvider.isInitialized(user);
+                if (!isInitialized) {
+                    const twoFaResult = await this.TwoFactorAuthProvider.initialize(user);
+                    return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, {
+                        toFactorAuth: true,
+                        twoFactorAuthFirstTime: true,
+                        method: this.TwoFactorConfig.service,
+                        data: twoFaResult,
+                    }, { httpOnly: true });
+                }
+                // give chance to execute 2fa eg. send sms or email
+                await this.TwoFactorAuthProvider.execute(user);
+                // return session to identify user
+                // and only info that twoFactor auth is requested
+                return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, {
+                    toFactorAuth: true,
+                }, { httpOnly: true });
+            }
+        }
+        // 2fa is not enabled, so we found user, it means it is logged
+        session.Data.set('Authorized', true);
+        await this.SessionProvider.save(session);
+        await this.Queue.emit(new UserLoginSuccess_1.UserLoginSuccess(user.Uuid));
+        user.LastLoginAt = luxon_1.DateTime.now();
+        await user.update();
+        // BEWARE: httpOnly coockie, only accesible via http method in browser
+        // return coockie session id with additional user data
+        return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, dUser, { httpOnly: true });
+    }
 };
 __decorate([
     (0, di_1.Autoinject)(),
     __metadata("design:type", configuration_1.Configuration)
 ], LoginController.prototype, "Configuration", void 0);
 __decorate([
-    (0, di_1.Autoinject)(),
+    (0, configuration_1.AutoinjectService)('rbac.auth'),
     __metadata("design:type", rbac_1.AuthProvider)
 ], LoginController.prototype, "AuthProvider", void 0);
 __decorate([
-    (0, di_1.Autoinject)(),
+    (0, configuration_1.AutoinjectService)('rbac.session'),
     __metadata("design:type", rbac_1.SessionProvider)
 ], LoginController.prototype, "SessionProvider", void 0);
 __decorate([
-    (0, configuration_1.Config)('rbac.session.expiration', 120),
+    (0, configuration_1.Config)('rbac.session.expiration', {
+        defaultValue: 120,
+    }),
     __metadata("design:type", Number)
 ], LoginController.prototype, "SessionExpirationTime", void 0);
+__decorate([
+    (0, configuration_1.Config)('rbac.password_reset.ttl'),
+    __metadata("design:type", Number)
+], LoginController.prototype, "PasswordResetTokenTTL", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.twoFactorAuth'),
+    __metadata("design:type", interfaces_1.TwoFactorAuthProvider)
+], LoginController.prototype, "TwoFactorAuthProvider", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.fingerprint.provider'),
+    __metadata("design:type", interfaces_1.FingerprintProvider)
+], LoginController.prototype, "FingerprintProvider", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.password.validation'),
+    __metadata("design:type", rbac_1.PasswordValidationProvider)
+], LoginController.prototype, "PasswordValidationService", void 0);
+__decorate([
+    (0, di_1.Autoinject)(rbac_1.FederatedAuthProvider),
+    __metadata("design:type", Array)
+], LoginController.prototype, "FederatedLoginStrategies", void 0);
+__decorate([
+    (0, di_1.Autoinject)(),
+    __metadata("design:type", rbac_1.PasswordProvider)
+], LoginController.prototype, "PasswordProvider", void 0);
+__decorate([
+    (0, di_1.Autoinject)(queue_1.QueueClient),
+    __metadata("design:type", queue_1.QueueClient)
+], LoginController.prototype, "Queue", void 0);
+__decorate([
+    (0, http_1.Post)('federated-login'),
+    (0, http_1.Policy)(NotLoggedPolicy_1.NotLoggedPolicy),
+    __param(0, (0, http_1.Body)()),
+    __param(1, (0, http_1.Header)('Host')),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, String]),
+    __metadata("design:returntype", Promise)
+], LoginController.prototype, "loginFederated", null);
+__decorate([
+    (0, http_1.Get)(),
+    (0, http_1.Policy)(NotLoggedPolicy_1.NotLoggedPolicy),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", Promise)
+], LoginController.prototype, "federatedLoginList", null);
 __decorate([
     (0, http_1.Post)(),
+    (0, http_1.Policy)(NotLoggedPolicy_1.NotLoggedPolicy),
     __param(0, (0, http_1.Body)()),
-    __param(1, (0, decorators_1.User)()),
     __metadata("design:type", Function),
-    __metadata("design:paramtypes", [login_dto_1.LoginDto, rbac_1.User]),
+    __metadata("design:paramtypes", [userLogin_dto_1.UserLoginDto]),
     __metadata("design:returntype", Promise)
 ], LoginController.prototype, "login", null);
+__decorate([
+    (0, http_1.Post)('new-password'),
+    (0, http_1.Policy)(NotLoggedPolicy_1.NotLoggedPolicy),
+    __param(0, (0, http_1.Query)()),
+    __param(1, (0, http_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, restore_password_dto_1.RestorePasswordDto]),
+    __metadata("design:returntype", Promise)
+], LoginController.prototype, "setNewPassword", null);
+__decorate([
+    (0, http_1.Post)('forgot-password'),
+    (0, http_1.Policy)(NotLoggedPolicy_1.NotLoggedPolicy),
+    __param(0, (0, http_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [userLogin_dto_1.UserLoginDto]),
+    __metadata("design:returntype", Promise)
+], LoginController.prototype, "forgotPassword", null);
 __decorate([
     (0, http_1.Get)(),
+    (0, http_1.Policy)(LoggedPolicy_1.LoggedPolicy),
     __param(0, (0, http_1.Cookie)()),
     __metadata("design:type", Function),
     __metadata("design:paramtypes", [String]),

package/lib/controllers/LoginController.js.map

@@ -1 +1 @@
-{"version":3,"file":"LoginController.js","sourceRoot":"","sources":["../../src/controllers/LoginController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AAAA,kDAA8C;AAC9C,wCAAgI;AAChI,wCAA0F;AAC1F,oCAAyC;AACzC,0DAA+D;AAC/D,gDAAuC;AACvC,oDAAuB;AAGvB,IAAa,eAAe,GAA5B,MAAa,eAAgB,SAAQ,qBAAc;IAc1C,KAAK,CAAC,KAAK,CAAS,WAAqB,EAAU,MAAiB;QACzE,IAAI,MAAM,EAAE;YACV,OAAO,IAAI,iBAAU,CAAC,mEAAmE,CAAC,CAAC;SAC5F;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;QAE3F,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,mBAAY,CAAC;gBACtB,KAAK,EAAE;oBACL,OAAO,EAAE,6BAA6B;iBACvC;aACF,CAAC,CAAC;SACJ;QAED,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAE/B,MAAM,OAAO,GAAG,IAAI,cAAO,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAE/B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAEhC,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,sEAAsE;QACtE,OAAO,IAAI,qBAAc,CAAC,MAAM,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,qBAAqB,EAAE,IAAI,EAAE,gBAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACpI,CAAC;IAGM,KAAK,CAAC,MAAM,CAAW,IAAY;QACxC,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,SAAE,EAAE,CAAC;SACjB;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAExC,gDAAgD;QAChD,OAAO,IAAI,qBAAc,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACtE,CAAC;CACF,CAAA;AAnDC;IADC,IAAA,eAAU,GAAE;8BACY,6BAAa;sDAAC;AAGvC;IADC,IAAA,eAAU,GAAE;8BACW,mBAAY;qDAAC;AAGrC;IADC,IAAA,eAAU,GAAE;8BACc,sBAAe;wDAAC;AAG3C;IADC,IAAA,sBAAM,EAAC,yBAAyB,EAAE,GAAG,CAAC;;8DACC;AAGxC;IADC,IAAA,WAAI,GAAE;IACa,WAAA,IAAA,WAAI,GAAE,CAAA;IAAyB,WAAA,IAAA,iBAAI,GAAE,CAAA;;qCAAjB,oBAAQ,EAAkB,WAAS;;4CA0B1E;AAGD;IADC,IAAA,UAAG,GAAE;IACe,WAAA,IAAA,aAAM,GAAE,CAAA;;;;6CAS5B;AApDU,eAAe;IAD3B,IAAA,eAAQ,EAAC,WAAW,CAAC;GACT,eAAe,CAqD3B;AArDY,0CAAe"}
+{"version":3,"file":"LoginController.js","sourceRoot":"","sources":["../../src/controllers/LoginController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,oDAAuD;AACvD,wDAAoD;AACpD,wCAAiK;AACjK,wCAAwM;AACxM,oCAAyC;AACzC,0DAAkF;AAElF,8CAA2E;AAC3E,0CAA6C;AAE7C,iEAA8D;AAC9D,2DAAwD;AACxD,qEAAmE;AACnE,sEAAiE;AAEjE,+BAAoC;AACpC,iCAAiC;AACjC,wCAA2C;AAC3C,iEAA8D;AAG9D,IAAa,eAAe,GAA5B,MAAa,eAAgB,SAAQ,qBAAc;IAsC1C,KAAK,CAAC,cAAc,CAAS,WAAoB,EAAkB,MAAc;QACtF,MAAM,QAAQ,GAAG,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;QAClF,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,IAAI,6BAAgB,CAAC,0CAA0C,MAAM,EAAE,CAAC,CAAC;SAChF;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACjB,uCAAuC;YACvC,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;SAC7C;QAED,OAAO,IAAI,mBAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC;IAED;;;;;OAKG;IAGI,KAAK,CAAC,kBAAkB;QAC7B,OAAO,IAAI,SAAE,CAAC,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAClE,CAAC;IAIM,KAAK,CAAC,KAAK,CAAS,WAAyB;QAClD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;QAE7F,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACjB,uCAAuC;YACvC,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;SAC7C;QAED,OAAO,IAAI,mBAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC;IAIM,KAAK,CAAC,cAAc,CAAU,KAAa,EAAU,GAAuB;QACjF,MAAM,IAAI,GAAG,MAAM,WAAI,CAAC,KAAK,EAAE;aAC5B,SAAS,CAAC,mBAAY,EAAE;YACvB,IAAI,CAAC,KAAK,CAAC;gBACT,GAAG,EAAE,sBAAsB;gBAC3B,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;QACL,CAAC,CAAC;aACD,QAAQ,CAAC,UAAU,CAAC;aACpB,KAAK,EAAE,CAAC;QAEX,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,eAAQ,CAAC;gBAClB,KAAK,EAAE;oBACL,IAAI,EAAE,oBAAoB;oBAC1B,OAAO,EAAE,oCAAoC;iBAC9C;aACF,CAAC,CAAC;SACJ;QAED,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAa,CAAC;QACtE,MAAM,GAAG,GAAG,gBAAQ,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,IAAI,CAAC,qBAAqB,EAAE,CAAC,CAAC;QAE1E,IAAI,GAAG,GAAG,GAAG,EAAE;YACb,OAAO,IAAI,iBAAU,CAAC;gBACpB,KAAK,EAAE;oBACL,IAAI,EAAE,yBAAyB;oBAC/B,OAAO,EAAE,8BAA8B;iBACxC;aACF,CAAC,CAAC;SACJ;QAED,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE;YACvD,OAAO,IAAI,iBAAU,CAAC;gBACpB,KAAK,EAAE;oBACL,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE,iDAAiD;iBAC3D;aACF,CAAC,CAAC;SACJ;QAED,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,eAAe,EAAE;YACxC,OAAO,IAAI,iBAAU,CAAC;gBACpB,KAAK,EAAE;oBACL,IAAI,EAAE,wBAAwB;oBAC9B,OAAO,EAAE,6CAA6C;iBACvD;aACF,CAAC,CAAC;SACJ;QAED,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtE,IAAI,CAAC,QAAQ,GAAG,cAAc,CAAC;QAE/B,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QAEpB;;WAEG;QACH,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAE/C,qBAAqB;QACrB,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CACpB,IAAI,iBAAU,CAAC;YACb,UAAU,EAAE,IAAI;YAChB,MAAM,EAAE,gBAAgB;SACzB,CAAC,CACH,CAAC;QAEF,gBAAgB;QAChB,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,0BAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC5D,CAAC;IAIM,KAAK,CAAC,cAAc,CAAS,KAAmB;QACrD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAE7D,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI,EAAE;YAC9D,OAAO,IAAI,6BAAgB,CAAC,mEAAmE,CAAC,CAAC;SAClG;QAED,MAAM,KAAK,GAAG,IAAA,SAAM,GAAE,CAAC;QAEvB,sBAAsB;QACtB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC,CAAC;QAC/C,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,GAAG,KAAK,CAAC,CAAC;QACtD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,GAAG,gBAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;QAE/D,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CACpB,IAAI,iBAAU,CAAC;YACb,MAAM,EAAE,qBAAqB;YAC7B,IAAI,EAAE,gBAAQ,CAAC,GAAG,EAAE,CAAC,KAAK,EAAE;YAC5B,UAAU,EAAE,IAAI;SACjB,CAAC,CACH,CAAC;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,wCAAmB,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;QAEjE,OAAO,IAAI,SAAE,CAAC;YACZ,WAAW,EAAE,KAAK;YAClB,GAAG,EAAE,IAAI,CAAC,qBAAqB;SAChC,CAAC,CAAC;IACL,CAAC;IAIM,KAAK,CAAC,MAAM,CAAW,IAAY;QACxC,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,SAAE,EAAE,CAAC;SACjB;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAExC,gDAAgD;QAChD,OAAO,IAAI,qBAAc,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACtE,CAAC;IAES,KAAK,CAAC,YAAY,CAAC,IAAe,EAAE,SAAmB;QAC/D,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,mBAAY,CAAC;gBACtB,KAAK,EAAE;oBACL,OAAO,EAAE,6BAA6B;iBACvC;aACF,CAAC,CAAC;SACJ;QAED,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAE/B,MAAM,OAAO,GAAG,IAAI,cAAO,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAC/B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAEhC,wDAAwD;QACxD,gCAAgC;QAChC,iDAAiD;QACjD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAEtC,4CAA4C;QAC5C,qCAAqC;QACrC,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,IAAI,CAAC,SAAS,EAAE;YAC9C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAExE;;eAEG;YACH,IAAI,cAAc,EAAE;gBAClB;;mBAEG;gBACH,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;gBAC3E,IAAI,CAAC,aAAa,EAAE;oBAClB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;oBAEtE,OAAO,IAAI,qBAAc,CACvB,MAAM,EACN,OAAO,CAAC,SAAS,EACjB,IAAI,CAAC,qBAAqB,EAC1B,IAAI,EACJ;wBACE,YAAY,EAAE,IAAI;wBAClB,sBAAsB,EAAE,IAAI;wBAC5B,MAAM,EAAE,IAAI,CAAC,eAAe,CAAC,OAAO;wBACpC,IAAI,EAAE,WAAW;qBAClB,EACD,EAAE,QAAQ,EAAE,IAAI,EAAE,CACnB,CAAC;iBACH;gBAED,mDAAmD;gBACnD,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAE/C,kCAAkC;gBAClC,iDAAiD;gBACjD,OAAO,IAAI,qBAAc,CACvB,MAAM,EACN,OAAO,CAAC,SAAS,EACjB,IAAI,CAAC,qBAAqB,EAC1B,IAAI,EACJ;oBACE,YAAY,EAAE,IAAI;iBACnB,EACD,EAAE,QAAQ,EAAE,IAAI,EAAE,CACnB,CAAC;aACH;SACF;QAED,8DAA8D;QAC9D,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QACrC,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,mCAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAEvD,IAAI,CAAC,WAAW,GAAG,gBAAQ,CAAC,GAAG,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QAEpB,sEAAsE;QACtE,sDAAsD;QACtD,OAAO,IAAI,qBAAc,CAAC,MAAM,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,qBAAqB,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACpH,CAAC;CACF,CAAA;AAvRC;IADC,IAAA,eAAU,GAAE;8BACY,6BAAa;sDAAC;AAGvC;IADC,IAAA,iCAAiB,EAAC,WAAW,CAAC;8BACP,mBAAY;qDAAC;AAGrC;IADC,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACP,sBAAe;wDAAC;AAK3C;IAHC,IAAA,sBAAM,EAAC,yBAAyB,EAAE;QACjC,YAAY,EAAE,GAAG;KAClB,CAAC;;8DACsC;AAGxC;IADC,IAAA,sBAAM,EAAC,yBAAyB,CAAC;;8DACM;AAGxC;IADC,IAAA,iCAAiB,EAAC,oBAAoB,CAAC;8BACP,kCAAqB;8DAAC;AAGvD;IADC,IAAA,iCAAiB,EAAC,2BAA2B,CAAC;8BAChB,gCAAmB;4DAAC;AAGnD;IADC,IAAA,iCAAiB,EAAC,0BAA0B,CAAC;8BACT,iCAA0B;kEAAC;AAGhE;IADC,IAAA,eAAU,EAAC,4BAAqB,CAAC;;iEAC+B;AAGjE;IADC,IAAA,eAAU,GAAE;8BACe,uBAAgB;yDAAC;AAG7C;IADC,IAAA,eAAU,EAAC,mBAAW,CAAC;8BACP,mBAAW;8CAAC;AAI7B;IAFC,IAAA,WAAI,EAAC,iBAAiB,CAAC;IACvB,IAAA,aAAM,EAAC,iCAAe,CAAC;IACK,WAAA,IAAA,WAAI,GAAE,CAAA;IAAwB,WAAA,IAAA,aAAM,EAAC,MAAM,CAAC,CAAA;;;;qDAaxE;AAUD;IAFC,IAAA,UAAG,GAAE;IACL,IAAA,aAAM,EAAC,iCAAe,CAAC;;;;yDAGvB;AAID;IAFC,IAAA,WAAI,GAAE;IACN,IAAA,aAAM,EAAC,iCAAe,CAAC;IACJ,WAAA,IAAA,WAAI,GAAE,CAAA;;qCAAc,4BAAY;;4CASnD;AAID;IAFC,IAAA,WAAI,EAAC,cAAc,CAAC;IACpB,IAAA,aAAM,EAAC,iCAAe,CAAC;IACK,WAAA,IAAA,YAAK,GAAE,CAAA;IAAiB,WAAA,IAAA,WAAI,GAAE,CAAA;;6CAAM,yCAAkB;;qDAsElF;AAID;IAFC,IAAA,WAAI,EAAC,iBAAiB,CAAC;IACvB,IAAA,aAAM,EAAC,iCAAe,CAAC;IACK,WAAA,IAAA,WAAI,GAAE,CAAA;;qCAAQ,4BAAY;;qDA4BtD;AAID;IAFC,IAAA,UAAG,GAAE;IACL,IAAA,aAAM,EAAC,2BAAY,CAAC;IACA,WAAA,IAAA,aAAM,GAAE,CAAA;;;;6CAS5B;AAnMU,eAAe;IAD3B,IAAA,eAAQ,EAAC,WAAW,CAAC;GACT,eAAe,CAyR3B;AAzRY,0CAAe"}

package/lib/controllers/TwoFactorAuthController.d.ts

@@ -0,0 +1,11 @@
+import { TokenDto } from './../dto/token-dto';
+import { BaseController, Ok, Unauthorized } from '@spinajs/http';
+import { SessionProvider, User as UserModel } from '@spinajs/rbac';
+import { TwoFactorAuthProvider } from '../interfaces';
+import { QueueClient } from '@spinajs/queue';
+export declare class TwoFactorAuthController extends BaseController {
+    protected Queue: QueueClient;
+    protected SessionProvider: SessionProvider;
+    protected TwoFactorAuthProvider: TwoFactorAuthProvider;
+    verifyToken(logged: UserModel, token: TokenDto, ssid: string): Promise<Ok | Unauthorized>;
+}

package/lib/controllers/TwoFactorAuthController.js

@@ -0,0 +1,71 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TwoFactorAuthController = void 0;
+const token_dto_1 = require("./../dto/token-dto");
+const http_1 = require("@spinajs/http");
+const rbac_1 = require("@spinajs/rbac");
+const http_2 = require("@spinajs/http");
+const decorators_1 = require("../decorators");
+const _2FaPolicy_1 = require("../policies/2FaPolicy");
+const configuration_1 = require("@spinajs/configuration");
+const interfaces_1 = require("../interfaces");
+const luxon_1 = require("luxon");
+const UserLoginSuccess_1 = require("../events/UserLoginSuccess");
+const di_1 = require("@spinajs/di");
+const queue_1 = require("@spinajs/queue");
+let TwoFactorAuthController = class TwoFactorAuthController extends http_1.BaseController {
+    async verifyToken(logged, token, ssid) {
+        const result = await this.TwoFactorAuthProvider.verifyToken(token.Token, logged);
+        if (result) {
+            return new http_1.Unauthorized(`invalid token`);
+        }
+        logged.LastLoginAt = luxon_1.DateTime.now();
+        await logged.update();
+        await this.Queue.emit(new UserLoginSuccess_1.UserLoginSuccess(logged.Uuid));
+        await this.SessionProvider.save(ssid, {
+            Authorized: true,
+            TwoFactorAuth_check: true,
+        });
+        // return user data
+        return new http_1.Ok(logged.dehydrate());
+    }
+};
+__decorate([
+    (0, di_1.Autoinject)(queue_1.QueueClient),
+    __metadata("design:type", queue_1.QueueClient)
+], TwoFactorAuthController.prototype, "Queue", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.session'),
+    __metadata("design:type", rbac_1.SessionProvider)
+], TwoFactorAuthController.prototype, "SessionProvider", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.twoFactorAuth'),
+    __metadata("design:type", interfaces_1.TwoFactorAuthProvider)
+], TwoFactorAuthController.prototype, "TwoFactorAuthProvider", void 0);
+__decorate([
+    (0, http_1.Post)('2fa/verify'),
+    __param(0, (0, decorators_1.User)()),
+    __param(1, (0, http_2.Body)()),
+    __param(2, (0, http_1.Cookie)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [rbac_1.User, token_dto_1.TokenDto, String]),
+    __metadata("design:returntype", Promise)
+], TwoFactorAuthController.prototype, "verifyToken", null);
+TwoFactorAuthController = __decorate([
+    (0, http_1.BasePath)('user/auth'),
+    (0, http_2.Policy)(_2FaPolicy_1.TwoFacRouteEnabled)
+], TwoFactorAuthController);
+exports.TwoFactorAuthController = TwoFactorAuthController;
+//# sourceMappingURL=TwoFactorAuthController.js.map

package/lib/controllers/TwoFactorAuthController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TwoFactorAuthController.js","sourceRoot":"","sources":["../../src/controllers/TwoFactorAuthController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,kDAA8C;AAC9C,wCAAyF;AACzF,wCAAmE;AACnE,wCAA6C;AAE7C,8CAAqC;AACrC,sDAA2D;AAC3D,0DAA2D;AAC3D,8CAAsD;AACtD,iCAAiC;AACjC,iEAA8D;AAC9D,oCAAyC;AACzC,0CAA6C;AAI7C,IAAa,uBAAuB,GAApC,MAAa,uBAAwB,SAAQ,qBAAc;IAWlD,KAAK,CAAC,WAAW,CAAS,MAAiB,EAAU,KAAe,EAAY,IAAY;QACjG,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAEjF,IAAI,MAAM,EAAE;YACV,OAAO,IAAI,mBAAY,CAAC,eAAe,CAAC,CAAC;SAC1C;QAED,MAAM,CAAC,WAAW,GAAG,gBAAQ,CAAC,GAAG,EAAE,CAAC;QACpC,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC;QAEtB,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,mCAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QAEzD,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE;YACpC,UAAU,EAAE,IAAI;YAChB,mBAAmB,EAAE,IAAI;SAC1B,CAAC,CAAC;QAEH,mBAAmB;QACnB,OAAO,IAAI,SAAE,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IACpC,CAAC;CACF,CAAA;AA7BC;IADC,IAAA,eAAU,EAAC,mBAAW,CAAC;8BACP,mBAAW;sDAAC;AAG7B;IADC,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACP,sBAAe;gEAAC;AAG3C;IADC,IAAA,iCAAiB,EAAC,oBAAoB,CAAC;8BACP,kCAAqB;sEAAC;AAGvD;IADC,IAAA,WAAI,EAAC,YAAY,CAAC;IACO,WAAA,IAAA,iBAAI,GAAE,CAAA;IAAqB,WAAA,IAAA,WAAI,GAAE,CAAA;IAAmB,WAAA,IAAA,aAAM,GAAE,CAAA;;qCAA7C,WAAS,EAAiB,oBAAQ;;0DAmB1E;AA9BU,uBAAuB;IAFnC,IAAA,eAAQ,EAAC,WAAW,CAAC;IACrB,IAAA,aAAM,EAAC,+BAAkB,CAAC;GACd,uBAAuB,CA+BnC;AA/BY,0DAAuB"}

package/lib/controllers/UserController.d.ts

@@ -6,5 +6,5 @@ export declare class UserController extends BaseController {
     protected CoockieSecret: string;
     protected SessionProvider: SessionProvider;
     refresh(user: UserModel, ssid: string): Promise<Ok>;
-    newPassword(login: string, pwd: PasswordDto): Promise<Ok>;
+    newPassword(user: UserModel, pwd: PasswordDto): Promise<Ok>;
 }