@spinajs/rbac-http 2.0.86 → 2.0.87

package/lib/cjs/2fa/SpeakEasy2FaToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SpeakEasy2FaToken.d.ts","sourceRoot":"","sources":["../../../src/2fa/SpeakEasy2FaToken.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAEzD,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAErC,OAAO,EAAE,GAAG,EAAU,MAAM,cAAc,CAAC;AAE3C,qBACa,iBAAkB,SAAQ,qBAAqB;IAE1D,SAAS,CAAC,MAAM,EAAE,GAAG,CAAC;IAGtB,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC;;IAMZ,OAAO,CAAC,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAMzB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC;IAmBxD,UAAU,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC;IAMpC,SAAS,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC;IAKvC,aAAa,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC;CAIzD"}

package/lib/cjs/2fa/SpeakEasy2FaToken.js

@@ -0,0 +1,91 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SpeakEasy2FaToken = void 0;
+const di_1 = require("@spinajs/di");
+const interfaces_js_1 = require("../interfaces.js");
+const speakeasy = __importStar(require("speakeasy"));
+const configuration_1 = require("@spinajs/configuration");
+const log_1 = require("@spinajs/log");
+let SpeakEasy2FaToken = class SpeakEasy2FaToken extends interfaces_js_1.TwoFactorAuthProvider {
+    constructor() {
+        super();
+    }
+    execute(_) {
+        // empty, speakasy works offline eg. google authenticator
+        // we dont send any email or sms
+        return Promise.resolve();
+    }
+    async verifyToken(token, user) {
+        const meta = user.Metadata.find((x) => x.Key === '2fa_speakeasy_token');
+        if (!meta || meta.Value === '') {
+            this.Log.trace(`Cannot verify 2fa token, no 2fa token for user ${user.Id}`);
+            return false;
+        }
+        const verified = speakeasy.totp.verify({
+            secret: meta.Value,
+            encoding: 'base32',
+            token,
+            window: 5,
+        });
+        return verified;
+    }
+    async initialize(user) {
+        const secret = speakeasy.generateSecret(this.Config);
+        await (user.Metadata['2fa_speakeasy_token'] = secret.base32);
+        return secret.base32;
+    }
+    async isEnabled(user) {
+        const val = await user.Metadata['2fa_enabled'];
+        return val;
+    }
+    async isInitialized(user) {
+        const val = await user.Metadata['2fa_speakeasy_token'];
+        return val !== '';
+    }
+};
+__decorate([
+    (0, configuration_1.Config)('rbac.speakeasy'),
+    __metadata("design:type", Object)
+], SpeakEasy2FaToken.prototype, "Config", void 0);
+__decorate([
+    (0, log_1.Logger)('SPEAKEASY_2FA_TOKEN'),
+    __metadata("design:type", log_1.Log)
+], SpeakEasy2FaToken.prototype, "Log", void 0);
+SpeakEasy2FaToken = __decorate([
+    (0, di_1.Injectable)(interfaces_js_1.TwoFactorAuthProvider),
+    __metadata("design:paramtypes", [])
+], SpeakEasy2FaToken);
+exports.SpeakEasy2FaToken = SpeakEasy2FaToken;
+//# sourceMappingURL=SpeakEasy2FaToken.js.map

package/lib/cjs/2fa/SpeakEasy2FaToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SpeakEasy2FaToken.js","sourceRoot":"","sources":["../../../src/2fa/SpeakEasy2FaToken.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oCAAyC;AACzC,oDAAyD;AACzD,qDAAuC;AAEvC,0DAAgD;AAChD,sCAA2C;AAGpC,IAAM,iBAAiB,GAAvB,MAAM,iBAAkB,SAAQ,qCAAqB;IAO1D;QACE,KAAK,EAAE,CAAC;IACV,CAAC;IAEM,OAAO,CAAC,CAAO;QACpB,yDAAyD;QACzD,gCAAgC;QAChC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAEM,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,IAAU;QAChD,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,qBAAqB,CAAC,CAAC;QAExE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,KAAK,EAAE,EAAE;YAC9B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,kDAAkD,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;YAE5E,OAAO,KAAK,CAAC;SACd;QAED,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;YACrC,MAAM,EAAE,IAAI,CAAC,KAAK;YAClB,QAAQ,EAAE,QAAQ;YAClB,KAAK;YACL,MAAM,EAAE,CAAC;SACV,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,IAAU;QAChC,MAAM,MAAM,GAAG,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7D,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IAEM,KAAK,CAAC,SAAS,CAAC,IAAU;QAC/B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC/C,OAAO,GAAc,CAAC;IACxB,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,IAAU;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;QACvD,OAAO,GAAG,KAAK,EAAE,CAAC;IACpB,CAAC;CACF,CAAA;AAlDC;IAAC,IAAA,sBAAM,EAAC,gBAAgB,CAAC;;iDACH;AAEtB;IAAC,IAAA,YAAM,EAAC,qBAAqB,CAAC;8BACf,SAAG;8CAAC;AALR,iBAAiB;IAD7B,IAAA,eAAU,EAAC,qCAAqB,CAAC;;GACrB,iBAAiB,CAmD7B;AAnDY,8CAAiB"}

package/lib/cjs/config/rbac-http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac-http.d.ts","sourceRoot":"","sources":["../../../src/config/rbac-http.ts"],"names":[],"mappings":"AAKA,QAAA,MAAM,QAAQ;;;;;;;;;;;;;;;;;;;;YAsBR;;eAEG;;;;;CASR,CAAC;AAEF,eAAe,QAAQ,CAAC"}

package/lib/cjs/config/rbac-http.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const path_1 = require("path");
+function dir(path) {
+    return (0, path_1.resolve)((0, path_1.normalize)((0, path_1.join)(process.cwd(), path)));
+}
+const rbacHttp = {
+    system: {
+        dirs: {
+            controllers: [dir('./../controllers')],
+            locales: [dir('./../locales')],
+            views: [dir('./../views')],
+        },
+    },
+    rbac: {
+        twoFactorAuth: {
+            enabled: true,
+            service: 'SpeakEasy2FaToken',
+        },
+        fingerprint: {
+            enabled: false,
+            maxDevices: 3,
+            service: 'FingerprintJs',
+        },
+        password: {
+            // password reset token ttl in minutes
+            tokenTTL: 60,
+            /**
+             * Block account after invalid login attempts
+             */
+            blockAfterAttempts: 3,
+        },
+    },
+    http: {
+    // middlewares: [
+    //   // add global user from session middleware
+    // ],
+    },
+};
+exports.default = rbacHttp;
+//# sourceMappingURL=rbac-http.js.map

package/lib/cjs/config/rbac-http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac-http.js","sourceRoot":"","sources":["../../../src/config/rbac-http.ts"],"names":[],"mappings":";;AAAA,+BAAgD;AAEhD,SAAS,GAAG,CAAC,IAAY;IACvB,OAAO,IAAA,cAAO,EAAC,IAAA,gBAAS,EAAC,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;AACvD,CAAC;AACD,MAAM,QAAQ,GAAG;IACf,MAAM,EAAE;QACN,IAAI,EAAE;YACJ,WAAW,EAAE,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACtC,OAAO,EAAE,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC9B,KAAK,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;SAC3B;KACF;IACD,IAAI,EAAE;QACJ,aAAa,EAAE;YACb,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,mBAAmB;SAC7B;QACD,WAAW,EAAE;YACX,OAAO,EAAE,KAAK;YACd,UAAU,EAAE,CAAC;YACb,OAAO,EAAE,eAAe;SACzB;QACD,QAAQ,EAAE;YACR,sCAAsC;YACtC,QAAQ,EAAE,EAAE;YAEZ;;eAEG;YACH,kBAAkB,EAAE,CAAC;SACtB;KACF;IACD,IAAI,EAAE;IACJ,iBAAiB;IACjB,+CAA+C;IAC/C,KAAK;KACN;CACF,CAAC;AAEF,kBAAe,QAAQ,CAAC"}

package/lib/cjs/controllers/LoginController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"LoginController.d.ts","sourceRoot":"","sources":["../../../src/controllers/LoginController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAwB,EAAE,EAAe,cAAc,EAAE,YAAY,EAAyB,UAAU,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACjK,OAAO,EAAE,YAAY,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,0BAA0B,EAAW,eAAe,EAAQ,IAAI,IAAI,SAAS,EAAqC,MAAM,eAAe,CAAC;AAExM,OAAO,EAA6B,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAElF,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAK7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AAOpE,qBACa,eAAgB,SAAQ,cAAc;IAEjD,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC;IAGvC,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC;IAGrC,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAK3C,SAAS,CAAC,qBAAqB,EAAE,MAAM,CAAC;IAGxC,SAAS,CAAC,qBAAqB,EAAE,MAAM,CAAC;IAGxC,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC;IAGvD,SAAS,CAAC,mBAAmB,EAAE,mBAAmB,CAAC;IAGnD,SAAS,CAAC,yBAAyB,EAAE,0BAA0B,CAAC;IAGhE,SAAS,CAAC,wBAAwB,EAAE,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;IAGjE,SAAS,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAG7C,SAAS,CAAC,KAAK,EAAE,WAAW,CAAC;IAIhB,cAAc,CAAS,WAAW,EAAE,OAAO,EAAkB,MAAM,EAAE,MAAM;IAexF;;;;;OAKG;IAGU,kBAAkB;IAMlB,KAAK,CAAS,WAAW,EAAE,YAAY;IAavC,cAAc,CAAU,KAAK,EAAE,MAAM,EAAU,GAAG,EAAE,kBAAkB;IA0EtE,cAAc,CAAS,KAAK,EAAE,YAAY;IAgC1C,MAAM,CAAW,IAAI,EAAE,MAAM;cAW1B,YAAY,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,CAAC,EAAE,OAAO;CAoFlE"}

package/lib/cjs/controllers/LoginController.js

@@ -0,0 +1,307 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LoginController = void 0;
+const exceptions_1 = require("@spinajs/exceptions");
+const userLogin_dto_js_1 = require("../dto/userLogin-dto.js");
+const http_1 = require("@spinajs/http");
+const rbac_1 = require("@spinajs/rbac");
+const di_1 = require("@spinajs/di");
+const configuration_1 = require("@spinajs/configuration");
+const interfaces_js_1 = require("../interfaces.js");
+const queue_1 = require("@spinajs/queue");
+const NotLoggedPolicy_js_1 = require("../policies/NotLoggedPolicy.js");
+const LoggedPolicy_js_1 = require("../policies/LoggedPolicy.js");
+const UserPassordRestore_js_1 = require("../events/UserPassordRestore.js");
+const restore_password_dto_js_1 = require("../dto/restore-password-dto.js");
+const uuid_1 = require("uuid");
+const luxon_1 = require("luxon");
+const rbac_2 = require("@spinajs/rbac");
+const UserLoginSuccess_js_1 = require("../events/UserLoginSuccess.js");
+let LoginController = class LoginController extends http_1.BaseController {
+    async loginFederated(credentials, caller) {
+        const strategy = this.FederatedLoginStrategies.find((x) => x.callerCheck(caller));
+        if (!strategy) {
+            throw new exceptions_1.InvalidOperation(`No auth stragegy registered for caller ${caller}`);
+        }
+        const result = await strategy.authenticate(credentials);
+        if (!result.Error) {
+            // proceed with standard authentication
+            return await this.authenticate(result.User);
+        }
+        return new http_1.Unauthorized(result.Error);
+    }
+    /**
+     *
+     * Api call for listing avaible federated login strategies
+     *
+     * @returns response with avaible login strategies
+     */
+    async federatedLoginList() {
+        return new http_1.Ok(this.FederatedLoginStrategies.map((x) => x.Name));
+    }
+    async login(credentials) {
+        const result = await this.AuthProvider.authenticate(credentials.Email, credentials.Password);
+        if (!result.Error) {
+            // proceed with standard authentication
+            return await this.authenticate(result.User);
+        }
+        return new http_1.Unauthorized(result.Error);
+    }
+    async setNewPassword(token, pwd) {
+        const user = await rbac_1.User.query()
+            .innerJoin(rbac_1.UserMetadata, function () {
+            this.where({
+                Key: 'password:reset:token',
+                Value: token,
+            });
+        })
+            .populate('Metadata')
+            .first();
+        if (!user) {
+            return new http_1.NotFound({
+                error: {
+                    code: 'ERR_USER_NOT_FOUND',
+                    message: 'No user found for this reset token',
+                },
+            });
+        }
+        const val = (await user.Metadata['password:reset:start']);
+        const now = luxon_1.DateTime.now().plus({ seconds: -this.PasswordResetTokenTTL });
+        if (val < now) {
+            return new http_1.BadRequest({
+                error: {
+                    code: 'ERR_RESET_TOKEN_EXPIRED',
+                    message: 'Password reset token expired',
+                },
+            });
+        }
+        if (!this.PasswordValidationService.check(pwd.Password)) {
+            return new http_1.BadRequest({
+                error: {
+                    code: 'ERR_PASSWORD_RULE',
+                    message: 'Invalid password, does not match password rules',
+                },
+            });
+        }
+        if (pwd.Password !== pwd.ConfirmPassword) {
+            return new http_1.BadRequest({
+                error: {
+                    code: 'ERR_PASSWORD_NOT_MATCH',
+                    message: 'Password and repeat password does not match',
+                },
+            });
+        }
+        const hashedPassword = await this.PasswordProvider.hash(pwd.Password);
+        user.Password = hashedPassword;
+        await user.update();
+        /**
+         * Delete all reset related meta for user
+         */
+        await user.Metadata.delete(/password:reset.*/);
+        // add to action list
+        await user.Actions.add(new rbac_2.UserAction({
+            Persistent: true,
+            Action: 'password:reset',
+        }));
+        // inform others
+        await this.Queue.emit(new rbac_1.UserPasswordChanged(user.Uuid));
+    }
+    async forgotPassword(login) {
+        const user = await this.AuthProvider.getByEmail(login.Email);
+        if (!user.IsActive || user.IsBanned || user.DeletedAt !== null) {
+            return new exceptions_1.InvalidOperation('User is inactive, banned or deleted. Contact system administrator');
+        }
+        const token = (0, uuid_1.v4)();
+        // assign meta to user
+        await (user.Metadata['password:reset'] = true);
+        await (user.Metadata['password:reset:token'] = token);
+        await (user.Metadata['password:reset:start'] = luxon_1.DateTime.now());
+        await user.Actions.add(new rbac_2.UserAction({
+            Action: 'user:password:reset',
+            Data: luxon_1.DateTime.now().toISO(),
+            Persistent: true,
+        }));
+        await this.Queue.emit(new UserPassordRestore_js_1.UserPasswordRestore(user.Uuid, token));
+        return new http_1.Ok({
+            reset_token: token,
+            ttl: this.PasswordResetTokenTTL,
+        });
+    }
+    async logout(ssid) {
+        if (!ssid) {
+            return new http_1.Ok();
+        }
+        await this.SessionProvider.delete(ssid);
+        // send empty cookie to confirm session deletion
+        return new http_1.CookieResponse('ssid', null, this.SessionExpirationTime);
+    }
+    async authenticate(user, federated) {
+        if (!user) {
+            return new http_1.Unauthorized({
+                error: {
+                    message: 'login or password incorrect',
+                },
+            });
+        }
+        await user.Metadata.populate();
+        const session = new rbac_1.Session();
+        const dUser = user.dehydrate();
+        session.Data.set('User', dUser);
+        // we found user but we still dont know if is authorized
+        // eg. 2fa auth is not performed
+        // create session, but user is not yet authorized
+        session.Data.set('Authorized', false);
+        // if its federated login, skip 2fa - assume
+        // external login service provided it
+        if (this.TwoFactorConfig.enabled || !federated) {
+            await this.SessionProvider.save(session);
+            const enabledForUser = await this.TwoFactorAuthProvider.isEnabled(user);
+            /**
+             * if 2fa is enabled for user, proceed
+             */
+            if (enabledForUser) {
+                /**
+                 * check if 2fa system is initialized for user eg. private key is generated.
+                 */
+                const isInitialized = await this.TwoFactorAuthProvider.isInitialized(user);
+                if (!isInitialized) {
+                    const twoFaResult = await this.TwoFactorAuthProvider.initialize(user);
+                    return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, {
+                        toFactorAuth: true,
+                        twoFactorAuthFirstTime: true,
+                        method: this.TwoFactorConfig.service,
+                        data: twoFaResult,
+                    }, { httpOnly: true });
+                }
+                // give chance to execute 2fa eg. send sms or email
+                await this.TwoFactorAuthProvider.execute(user);
+                // return session to identify user
+                // and only info that twoFactor auth is requested
+                return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, {
+                    toFactorAuth: true,
+                }, { httpOnly: true });
+            }
+        }
+        // 2fa is not enabled, so we found user, it means it is logged
+        session.Data.set('Authorized', true);
+        await this.SessionProvider.save(session);
+        await this.Queue.emit(new UserLoginSuccess_js_1.UserLoginSuccess(user.Uuid));
+        user.LastLoginAt = luxon_1.DateTime.now();
+        await user.update();
+        // BEWARE: httpOnly coockie, only accesible via http method in browser
+        // return coockie session id with additional user data
+        return new http_1.CookieResponse('ssid', session.SessionId, this.SessionExpirationTime, true, dUser, { httpOnly: true });
+    }
+};
+__decorate([
+    (0, di_1.Autoinject)(),
+    __metadata("design:type", configuration_1.Configuration)
+], LoginController.prototype, "Configuration", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.auth'),
+    __metadata("design:type", rbac_1.AuthProvider)
+], LoginController.prototype, "AuthProvider", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.session'),
+    __metadata("design:type", rbac_1.SessionProvider)
+], LoginController.prototype, "SessionProvider", void 0);
+__decorate([
+    (0, configuration_1.Config)('rbac.session.expiration', {
+        defaultValue: 120,
+    }),
+    __metadata("design:type", Number)
+], LoginController.prototype, "SessionExpirationTime", void 0);
+__decorate([
+    (0, configuration_1.Config)('rbac.password_reset.ttl'),
+    __metadata("design:type", Number)
+], LoginController.prototype, "PasswordResetTokenTTL", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.twoFactorAuth'),
+    __metadata("design:type", interfaces_js_1.TwoFactorAuthProvider)
+], LoginController.prototype, "TwoFactorAuthProvider", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.fingerprint.provider'),
+    __metadata("design:type", interfaces_js_1.FingerprintProvider)
+], LoginController.prototype, "FingerprintProvider", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.password.validation'),
+    __metadata("design:type", rbac_1.PasswordValidationProvider)
+], LoginController.prototype, "PasswordValidationService", void 0);
+__decorate([
+    (0, di_1.Autoinject)(rbac_1.FederatedAuthProvider),
+    __metadata("design:type", Array)
+], LoginController.prototype, "FederatedLoginStrategies", void 0);
+__decorate([
+    (0, di_1.Autoinject)(),
+    __metadata("design:type", rbac_1.PasswordProvider)
+], LoginController.prototype, "PasswordProvider", void 0);
+__decorate([
+    (0, di_1.Autoinject)(queue_1.QueueClient),
+    __metadata("design:type", queue_1.QueueClient)
+], LoginController.prototype, "Queue", void 0);
+__decorate([
+    (0, http_1.Post)('federated-login'),
+    (0, http_1.Policy)(NotLoggedPolicy_js_1.NotLoggedPolicy),
+    __param(0, (0, http_1.Body)()),
+    __param(1, (0, http_1.Header)('Host')),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, String]),
+    __metadata("design:returntype", Promise)
+], LoginController.prototype, "loginFederated", null);
+__decorate([
+    (0, http_1.Get)(),
+    (0, http_1.Policy)(NotLoggedPolicy_js_1.NotLoggedPolicy),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", Promise)
+], LoginController.prototype, "federatedLoginList", null);
+__decorate([
+    (0, http_1.Post)(),
+    (0, http_1.Policy)(NotLoggedPolicy_js_1.NotLoggedPolicy),
+    __param(0, (0, http_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [userLogin_dto_js_1.UserLoginDto]),
+    __metadata("design:returntype", Promise)
+], LoginController.prototype, "login", null);
+__decorate([
+    (0, http_1.Post)('new-password'),
+    (0, http_1.Policy)(NotLoggedPolicy_js_1.NotLoggedPolicy),
+    __param(0, (0, http_1.Query)()),
+    __param(1, (0, http_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, restore_password_dto_js_1.RestorePasswordDto]),
+    __metadata("design:returntype", Promise)
+], LoginController.prototype, "setNewPassword", null);
+__decorate([
+    (0, http_1.Post)('forgot-password'),
+    (0, http_1.Policy)(NotLoggedPolicy_js_1.NotLoggedPolicy),
+    __param(0, (0, http_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [userLogin_dto_js_1.UserLoginDto]),
+    __metadata("design:returntype", Promise)
+], LoginController.prototype, "forgotPassword", null);
+__decorate([
+    (0, http_1.Get)(),
+    (0, http_1.Policy)(LoggedPolicy_js_1.LoggedPolicy),
+    __param(0, (0, http_1.Cookie)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String]),
+    __metadata("design:returntype", Promise)
+], LoginController.prototype, "logout", null);
+LoginController = __decorate([
+    (0, http_1.BasePath)('user/auth')
+], LoginController);
+exports.LoginController = LoginController;
+//# sourceMappingURL=LoginController.js.map

package/lib/cjs/controllers/LoginController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"LoginController.js","sourceRoot":"","sources":["../../../src/controllers/LoginController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,oDAAuD;AACvD,8DAAuD;AACvD,wCAAiK;AACjK,wCAAwM;AACxM,oCAAyC;AACzC,0DAAkF;AAElF,oDAA8E;AAC9E,0CAA6C;AAE7C,uEAAiE;AACjE,iEAA2D;AAC3D,2EAAsE;AACtE,4EAAoE;AAEpE,+BAAoC;AACpC,iCAAiC;AACjC,wCAA2C;AAC3C,uEAAiE;AAG1D,IAAM,eAAe,GAArB,MAAM,eAAgB,SAAQ,qBAAc;IAsCpC,AAAN,KAAK,CAAC,cAAc,CAAS,WAAoB,EAAkB,MAAc;QACtF,MAAM,QAAQ,GAAG,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;QAClF,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,IAAI,6BAAgB,CAAC,0CAA0C,MAAM,EAAE,CAAC,CAAC;SAChF;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACjB,uCAAuC;YACvC,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;SAC7C;QAED,OAAO,IAAI,mBAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC;IAED;;;;;OAKG;IAGU,AAAN,KAAK,CAAC,kBAAkB;QAC7B,OAAO,IAAI,SAAE,CAAC,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAClE,CAAC;IAIY,AAAN,KAAK,CAAC,KAAK,CAAS,WAAyB;QAClD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;QAE7F,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACjB,uCAAuC;YACvC,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;SAC7C;QAED,OAAO,IAAI,mBAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC;IAIY,AAAN,KAAK,CAAC,cAAc,CAAU,KAAa,EAAU,GAAuB;QACjF,MAAM,IAAI,GAAG,MAAM,WAAI,CAAC,KAAK,EAAE;aAC5B,SAAS,CAAC,mBAAY,EAAE;YACvB,IAAI,CAAC,KAAK,CAAC;gBACT,GAAG,EAAE,sBAAsB;gBAC3B,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;QACL,CAAC,CAAC;aACD,QAAQ,CAAC,UAAU,CAAC;aACpB,KAAK,EAAE,CAAC;QAEX,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,eAAQ,CAAC;gBAClB,KAAK,EAAE;oBACL,IAAI,EAAE,oBAAoB;oBAC1B,OAAO,EAAE,oCAAoC;iBAC9C;aACF,CAAC,CAAC;SACJ;QAED,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAa,CAAC;QACtE,MAAM,GAAG,GAAG,gBAAQ,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,IAAI,CAAC,qBAAqB,EAAE,CAAC,CAAC;QAE1E,IAAI,GAAG,GAAG,GAAG,EAAE;YACb,OAAO,IAAI,iBAAU,CAAC;gBACpB,KAAK,EAAE;oBACL,IAAI,EAAE,yBAAyB;oBAC/B,OAAO,EAAE,8BAA8B;iBACxC;aACF,CAAC,CAAC;SACJ;QAED,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE;YACvD,OAAO,IAAI,iBAAU,CAAC;gBACpB,KAAK,EAAE;oBACL,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE,iDAAiD;iBAC3D;aACF,CAAC,CAAC;SACJ;QAED,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,eAAe,EAAE;YACxC,OAAO,IAAI,iBAAU,CAAC;gBACpB,KAAK,EAAE;oBACL,IAAI,EAAE,wBAAwB;oBAC9B,OAAO,EAAE,6CAA6C;iBACvD;aACF,CAAC,CAAC;SACJ;QAED,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtE,IAAI,CAAC,QAAQ,GAAG,cAAc,CAAC;QAE/B,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QAEpB;;WAEG;QACH,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAE/C,qBAAqB;QACrB,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CACpB,IAAI,iBAAU,CAAC;YACb,UAAU,EAAE,IAAI;YAChB,MAAM,EAAE,gBAAgB;SACzB,CAAC,CACH,CAAC;QAEF,gBAAgB;QAChB,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,0BAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC5D,CAAC;IAIY,AAAN,KAAK,CAAC,cAAc,CAAS,KAAmB;QACrD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAE7D,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI,EAAE;YAC9D,OAAO,IAAI,6BAAgB,CAAC,mEAAmE,CAAC,CAAC;SAClG;QAED,MAAM,KAAK,GAAG,IAAA,SAAM,GAAE,CAAC;QAEvB,sBAAsB;QACtB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC,CAAC;QAC/C,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,GAAG,KAAK,CAAC,CAAC;QACtD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,GAAG,gBAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;QAE/D,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CACpB,IAAI,iBAAU,CAAC;YACb,MAAM,EAAE,qBAAqB;YAC7B,IAAI,EAAE,gBAAQ,CAAC,GAAG,EAAE,CAAC,KAAK,EAAE;YAC5B,UAAU,EAAE,IAAI;SACjB,CAAC,CACH,CAAC;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,2CAAmB,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;QAEjE,OAAO,IAAI,SAAE,CAAC;YACZ,WAAW,EAAE,KAAK;YAClB,GAAG,EAAE,IAAI,CAAC,qBAAqB;SAChC,CAAC,CAAC;IACL,CAAC;IAIY,AAAN,KAAK,CAAC,MAAM,CAAW,IAAY;QACxC,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,SAAE,EAAE,CAAC;SACjB;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAExC,gDAAgD;QAChD,OAAO,IAAI,qBAAc,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACtE,CAAC;IAES,KAAK,CAAC,YAAY,CAAC,IAAe,EAAE,SAAmB;QAC/D,IAAI,CAAC,IAAI,EAAE;YACT,OAAO,IAAI,mBAAY,CAAC;gBACtB,KAAK,EAAE;oBACL,OAAO,EAAE,6BAA6B;iBACvC;aACF,CAAC,CAAC;SACJ;QAED,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAE/B,MAAM,OAAO,GAAG,IAAI,cAAO,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAC/B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAEhC,wDAAwD;QACxD,gCAAgC;QAChC,iDAAiD;QACjD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAEtC,4CAA4C;QAC5C,qCAAqC;QACrC,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,IAAI,CAAC,SAAS,EAAE;YAC9C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAExE;;eAEG;YACH,IAAI,cAAc,EAAE;gBAClB;;mBAEG;gBACH,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;gBAC3E,IAAI,CAAC,aAAa,EAAE;oBAClB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;oBAEtE,OAAO,IAAI,qBAAc,CACvB,MAAM,EACN,OAAO,CAAC,SAAS,EACjB,IAAI,CAAC,qBAAqB,EAC1B,IAAI,EACJ;wBACE,YAAY,EAAE,IAAI;wBAClB,sBAAsB,EAAE,IAAI;wBAC5B,MAAM,EAAE,IAAI,CAAC,eAAe,CAAC,OAAO;wBACpC,IAAI,EAAE,WAAW;qBAClB,EACD,EAAE,QAAQ,EAAE,IAAI,EAAE,CACnB,CAAC;iBACH;gBAED,mDAAmD;gBACnD,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAE/C,kCAAkC;gBAClC,iDAAiD;gBACjD,OAAO,IAAI,qBAAc,CACvB,MAAM,EACN,OAAO,CAAC,SAAS,EACjB,IAAI,CAAC,qBAAqB,EAC1B,IAAI,EACJ;oBACE,YAAY,EAAE,IAAI;iBACnB,EACD,EAAE,QAAQ,EAAE,IAAI,EAAE,CACnB,CAAC;aACH;SACF;QAED,8DAA8D;QAC9D,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QACrC,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,sCAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAEvD,IAAI,CAAC,WAAW,GAAG,gBAAQ,CAAC,GAAG,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QAEpB,sEAAsE;QACtE,sDAAsD;QACtD,OAAO,IAAI,qBAAc,CAAC,MAAM,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,qBAAqB,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACpH,CAAC;CACF,CAAA;AAxRC;IAAC,IAAA,eAAU,GAAE;8BACY,6BAAa;sDAAC;AAEvC;IAAC,IAAA,iCAAiB,EAAC,WAAW,CAAC;8BACP,mBAAY;qDAAC;AAErC;IAAC,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACP,sBAAe;wDAAC;AAE3C;IAAC,IAAA,sBAAM,EAAC,yBAAyB,EAAE;QACjC,YAAY,EAAE,GAAG;KAClB,CAAC;;8DACsC;AAExC;IAAC,IAAA,sBAAM,EAAC,yBAAyB,CAAC;;8DACM;AAExC;IAAC,IAAA,iCAAiB,EAAC,oBAAoB,CAAC;8BACP,qCAAqB;8DAAC;AAEvD;IAAC,IAAA,iCAAiB,EAAC,2BAA2B,CAAC;8BAChB,mCAAmB;4DAAC;AAEnD;IAAC,IAAA,iCAAiB,EAAC,0BAA0B,CAAC;8BACT,iCAA0B;kEAAC;AAEhE;IAAC,IAAA,eAAU,EAAC,4BAAqB,CAAC;;iEAC+B;AAEjE;IAAC,IAAA,eAAU,GAAE;8BACe,uBAAgB;yDAAC;AAE7C;IAAC,IAAA,eAAU,EAAC,mBAAW,CAAC;8BACP,mBAAW;8CAAC;AAIhB;IAFZ,IAAA,WAAI,EAAC,iBAAiB,CAAC;IACvB,IAAA,aAAM,EAAC,oCAAe,CAAC;IACK,WAAA,IAAA,WAAI,GAAE,CAAA;IAAwB,WAAA,IAAA,aAAM,EAAC,MAAM,CAAC,CAAA;;;;qDAaxE;AAUY;IAFZ,IAAA,UAAG,GAAE;IACL,IAAA,aAAM,EAAC,oCAAe,CAAC;;;;yDAGvB;AAIY;IAFZ,IAAA,WAAI,GAAE;IACN,IAAA,aAAM,EAAC,oCAAe,CAAC;IACJ,WAAA,IAAA,WAAI,GAAE,CAAA;;qCAAc,+BAAY;;4CASnD;AAIY;IAFZ,IAAA,WAAI,EAAC,cAAc,CAAC;IACpB,IAAA,aAAM,EAAC,oCAAe,CAAC;IACK,WAAA,IAAA,YAAK,GAAE,CAAA;IAAiB,WAAA,IAAA,WAAI,GAAE,CAAA;;6CAAM,4CAAkB;;qDAsElF;AAIY;IAFZ,IAAA,WAAI,EAAC,iBAAiB,CAAC;IACvB,IAAA,aAAM,EAAC,oCAAe,CAAC;IACK,WAAA,IAAA,WAAI,GAAE,CAAA;;qCAAQ,+BAAY;;qDA4BtD;AAIY;IAFZ,IAAA,UAAG,GAAE;IACL,IAAA,aAAM,EAAC,8BAAY,CAAC;IACA,WAAA,IAAA,aAAM,GAAE,CAAA;;;;6CAS5B;AAnMU,eAAe;IAD3B,IAAA,eAAQ,EAAC,WAAW,CAAC;GACT,eAAe,CAyR3B;AAzRY,0CAAe"}

package/lib/cjs/controllers/TwoFactorAuthController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TwoFactorAuthController.d.ts","sourceRoot":"","sources":["../../../src/controllers/TwoFactorAuthController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAoB,EAAE,EAAQ,YAAY,EAAE,MAAM,eAAe,CAAC;AACzF,OAAO,EAAE,eAAe,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,eAAe,CAAC;AAMnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAIzD,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,qBAEa,uBAAwB,SAAQ,cAAc;IAEzD,SAAS,CAAC,KAAK,EAAE,WAAW,CAAC;IAG7B,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAG3C,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC;IAG1C,WAAW,CAAS,MAAM,EAAE,SAAS,EAAU,KAAK,EAAE,QAAQ,EAAY,IAAI,EAAE,MAAM;CAoBpG"}

package/lib/cjs/controllers/TwoFactorAuthController.js

@@ -0,0 +1,71 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TwoFactorAuthController = void 0;
+const token_dto_js_1 = require("./../dto/token-dto.js");
+const http_1 = require("@spinajs/http");
+const rbac_1 = require("@spinajs/rbac");
+const http_2 = require("@spinajs/http");
+const decorators_js_1 = require("../decorators.js");
+const _2FaPolicy_js_1 = require("../policies/2FaPolicy.js");
+const configuration_1 = require("@spinajs/configuration");
+const interfaces_js_1 = require("../interfaces.js");
+const luxon_1 = require("luxon");
+const UserLoginSuccess_js_1 = require("../events/UserLoginSuccess.js");
+const di_1 = require("@spinajs/di");
+const queue_1 = require("@spinajs/queue");
+let TwoFactorAuthController = class TwoFactorAuthController extends http_1.BaseController {
+    async verifyToken(logged, token, ssid) {
+        const result = await this.TwoFactorAuthProvider.verifyToken(token.Token, logged);
+        if (result) {
+            return new http_1.Unauthorized(`invalid token`);
+        }
+        logged.LastLoginAt = luxon_1.DateTime.now();
+        await logged.update();
+        await this.Queue.emit(new UserLoginSuccess_js_1.UserLoginSuccess(logged.Uuid));
+        await this.SessionProvider.save(ssid, {
+            Authorized: true,
+            TwoFactorAuth_check: true,
+        });
+        // return user data
+        return new http_1.Ok(logged.dehydrate());
+    }
+};
+__decorate([
+    (0, di_1.Autoinject)(queue_1.QueueClient),
+    __metadata("design:type", queue_1.QueueClient)
+], TwoFactorAuthController.prototype, "Queue", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.session'),
+    __metadata("design:type", rbac_1.SessionProvider)
+], TwoFactorAuthController.prototype, "SessionProvider", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.twoFactorAuth'),
+    __metadata("design:type", interfaces_js_1.TwoFactorAuthProvider)
+], TwoFactorAuthController.prototype, "TwoFactorAuthProvider", void 0);
+__decorate([
+    (0, http_1.Post)('2fa/verify'),
+    __param(0, (0, decorators_js_1.User)()),
+    __param(1, (0, http_2.Body)()),
+    __param(2, (0, http_1.Cookie)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [rbac_1.User, token_dto_js_1.TokenDto, String]),
+    __metadata("design:returntype", Promise)
+], TwoFactorAuthController.prototype, "verifyToken", null);
+TwoFactorAuthController = __decorate([
+    (0, http_1.BasePath)('user/auth'),
+    (0, http_2.Policy)(_2FaPolicy_js_1.TwoFacRouteEnabled)
+], TwoFactorAuthController);
+exports.TwoFactorAuthController = TwoFactorAuthController;
+//# sourceMappingURL=TwoFactorAuthController.js.map

package/lib/cjs/controllers/TwoFactorAuthController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TwoFactorAuthController.js","sourceRoot":"","sources":["../../../src/controllers/TwoFactorAuthController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,wDAAiD;AACjD,wCAAyF;AACzF,wCAAmE;AACnE,wCAA6C;AAE7C,oDAAwC;AACxC,4DAA8D;AAC9D,0DAA2D;AAC3D,oDAAyD;AACzD,iCAAiC;AACjC,uEAAiE;AACjE,oCAAyC;AACzC,0CAA6C;AAItC,IAAM,uBAAuB,GAA7B,MAAM,uBAAwB,SAAQ,qBAAc;IAW5C,AAAN,KAAK,CAAC,WAAW,CAAS,MAAiB,EAAU,KAAe,EAAY,IAAY;QACjG,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAEjF,IAAI,MAAM,EAAE;YACV,OAAO,IAAI,mBAAY,CAAC,eAAe,CAAC,CAAC;SAC1C;QAED,MAAM,CAAC,WAAW,GAAG,gBAAQ,CAAC,GAAG,EAAE,CAAC;QACpC,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC;QAEtB,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,sCAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QAEzD,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE;YACpC,UAAU,EAAE,IAAI;YAChB,mBAAmB,EAAE,IAAI;SAC1B,CAAC,CAAC;QAEH,mBAAmB;QACnB,OAAO,IAAI,SAAE,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IACpC,CAAC;CACF,CAAA;AA9BC;IAAC,IAAA,eAAU,EAAC,mBAAW,CAAC;8BACP,mBAAW;sDAAC;AAE7B;IAAC,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACP,sBAAe;gEAAC;AAE3C;IAAC,IAAA,iCAAiB,EAAC,oBAAoB,CAAC;8BACP,qCAAqB;sEAAC;AAG1C;IADZ,IAAA,WAAI,EAAC,YAAY,CAAC;IACO,WAAA,IAAA,oBAAI,GAAE,CAAA;IAAqB,WAAA,IAAA,WAAI,GAAE,CAAA;IAAmB,WAAA,IAAA,aAAM,GAAE,CAAA;;qCAA7C,WAAS,EAAiB,uBAAQ;;0DAmB1E;AA9BU,uBAAuB;IAFnC,IAAA,eAAQ,EAAC,WAAW,CAAC;IACrB,IAAA,aAAM,EAAC,kCAAkB,CAAC;GACd,uBAAuB,CA+BnC;AA/BY,0DAAuB"}

package/lib/cjs/controllers/UserAdminController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"UserAdminController.d.ts","sourceRoot":"","sources":["../../../src/controllers/UserAdminController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAY,MAAM,eAAe,CAAC;AAGzD,qBAEa,eAAgB,SAAQ,cAAc;CAuElD"}

package/lib/cjs/controllers/UserAdminController.js

@@ -0,0 +1,19 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UsersController = void 0;
+const http_1 = require("@spinajs/http");
+const decorators_js_1 = require("./../decorators.js");
+let UsersController = class UsersController extends http_1.BaseController {
+};
+UsersController = __decorate([
+    (0, decorators_js_1.Resource)('user'),
+    (0, http_1.BasePath)('user')
+], UsersController);
+exports.UsersController = UsersController;
+//# sourceMappingURL=UserAdminController.js.map

package/lib/cjs/controllers/UserAdminController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"UserAdminController.js","sourceRoot":"","sources":["../../../src/controllers/UserAdminController.ts"],"names":[],"mappings":";;;;;;;;;AAAA,wCAAyD;AACzD,sDAA8C;AAIvC,IAAM,eAAe,GAArB,MAAM,eAAgB,SAAQ,qBAAc;CAuElD,CAAA;AAvEY,eAAe;IAF3B,IAAA,wBAAQ,EAAC,MAAM,CAAC;IAChB,IAAA,eAAQ,EAAC,MAAM,CAAC;GACJ,eAAe,CAuE3B;AAvEY,0CAAe"}

package/lib/cjs/controllers/UserController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"UserController.d.ts","sourceRoot":"","sources":["../../../src/controllers/UserController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACrF,OAAO,EAAE,cAAc,EAAiB,EAAE,EAAuB,MAAM,eAAe,CAAC;AAQvF,qBAEa,cAAe,SAAQ,cAAc;IAEhD,SAAS,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAG7C,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC;IAGhC,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAI9B,OAAO,CAAS,IAAI,EAAE,SAAS,EAAY,IAAI,EAAE,MAAM;IAkBvD,WAAW,CAAS,IAAI,EAAE,SAAS,EAAU,GAAG,EAAE,WAAW;CAgB3E"}