@tinyrack/tinyauth-server 0.0.7

package/dist/services/passkey.service.js

@@ -0,0 +1,199 @@
+import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse, } from '@simplewebauthn/server';
+import { isoBase64URL } from '@simplewebauthn/server/helpers';
+import { UserPasskeyEntitySchema, } from "../entities/user-passkey.entity.js";
+import { e } from "../schemas/error.js";
+export class PasskeyService {
+    rpName = 'TinyRack Auth';
+    mikro;
+    config;
+    constructor(mikro, config) {
+        this.mikro = mikro;
+        this.config = config;
+    }
+    /**
+     * Get rpId from config or extract from server.public_origin hostname
+     */
+    getRpId() {
+        const passkeyConfig = this.config.auth.passkey;
+        if (passkeyConfig.rp_id) {
+            return passkeyConfig.rp_id;
+        }
+        const hostUrl = new URL(this.config.server.public_origin);
+        return hostUrl.hostname;
+    }
+    /**
+     * Get allowed origins from config or use server.public_origin
+     */
+    getOrigins() {
+        const passkeyConfig = this.config.auth.passkey;
+        if (passkeyConfig.origins && passkeyConfig.origins.length > 0) {
+            return passkeyConfig.origins;
+        }
+        return [this.config.server.public_origin];
+    }
+    /**
+     * Generate registration options for a user
+     */
+    async generateRegistrationOptions(user) {
+        // Get existing passkeys to exclude
+        const existingPasskeys = await this.mikro.userPasskey.findByUserSub(user.sub);
+        const options = await generateRegistrationOptions({
+            rpName: this.rpName,
+            rpID: this.getRpId(),
+            userName: user.email,
+            userDisplayName: user.email,
+            // Don't prompt for additional authenticator info
+            attestationType: 'none',
+            // Prevent re-registering existing credentials
+            excludeCredentials: existingPasskeys.map((passkey) => ({
+                id: passkey.credential_id,
+                ...(passkey.transports ? { transports: passkey.transports } : {}),
+            })),
+            authenticatorSelection: {
+                // Prefer resident keys for passwordless authentication
+                residentKey: 'preferred',
+                userVerification: 'preferred',
+            },
+        });
+        return options;
+    }
+    /**
+     * Verify registration response and save passkey
+     */
+    async verifyRegistration(user, response, expectedChallenge, passkeyName) {
+        const verification = await verifyRegistrationResponse({
+            response,
+            expectedChallenge,
+            expectedOrigin: this.getOrigins(),
+            expectedRPID: this.getRpId(),
+        });
+        if (!verification.verified || !verification.registrationInfo) {
+            throw new e.PasskeyVerificationFailed.Error();
+        }
+        const { credential, credentialDeviceType, credentialBackedUp } = verification.registrationInfo;
+        // Check if credential already exists
+        const exists = await this.mikro.userPasskey.existsByCredentialId(credential.id);
+        if (exists) {
+            throw new e.PasskeyAlreadyExists.Error();
+        }
+        // Create and save passkey
+        const passkey = this.mikro.em.create(UserPasskeyEntitySchema, {
+            user: user.sub,
+            credential_id: credential.id,
+            public_key: isoBase64URL.fromBuffer(credential.publicKey),
+            counter: Number(credential.counter),
+            device_type: credentialDeviceType,
+            backed_up: credentialBackedUp,
+            transports: response.response.transports ?? null,
+            name: passkeyName ?? null,
+            aaguid: verification.registrationInfo.aaguid ?? null,
+        });
+        this.mikro.em.persist(passkey);
+        await this.mikro.em.flush();
+        return passkey;
+    }
+    /**
+     * Generate authentication options
+     * If userSub is provided, allow only that user's passkeys
+     * If not provided, allow discoverable credentials (usernameless)
+     */
+    async generateAuthenticationOptions(userSub) {
+        let allowCredentials;
+        if (userSub) {
+            const userPasskeys = await this.mikro.userPasskey.findByUserSub(userSub);
+            allowCredentials = userPasskeys.map((passkey) => ({
+                id: passkey.credential_id,
+                ...(passkey.transports && {
+                    transports: passkey.transports,
+                }),
+            }));
+        }
+        const options = await generateAuthenticationOptions({
+            rpID: this.getRpId(),
+            userVerification: 'preferred',
+            // Empty array allows discoverable credentials
+            allowCredentials: allowCredentials || [],
+        });
+        return options;
+    }
+    /**
+     * Verify authentication response
+     * Returns the user if verification succeeds
+     */
+    async verifyAuthentication(response, expectedChallenge) {
+        // Find the passkey by credential ID
+        const passkey = await this.mikro.userPasskey.findByCredentialId(response.id);
+        if (!passkey) {
+            throw new e.PasskeyNotFound.Error();
+        }
+        const verification = await verifyAuthenticationResponse({
+            response,
+            expectedChallenge,
+            expectedOrigin: this.getOrigins(),
+            expectedRPID: this.getRpId(),
+            credential: {
+                id: passkey.credential_id,
+                publicKey: isoBase64URL.toBuffer(passkey.public_key),
+                counter: passkey.counter,
+                ...(passkey.transports && {
+                    transports: passkey.transports,
+                }),
+            },
+        });
+        if (!verification.verified) {
+            throw new e.PasskeyVerificationFailed.Error();
+        }
+        // Update counter for replay attack prevention
+        passkey.counter = verification.authenticationInfo.newCounter;
+        await this.mikro.em.flush();
+        return passkey.user.getEntity();
+    }
+    /**
+     * Get all passkeys for a user
+     */
+    async getUserPasskeys(userSub) {
+        const passkeys = await this.mikro.userPasskey.findByUserSub(userSub);
+        return passkeys.map((p) => ({
+            id: p.id,
+            credential_id: p.credential_id,
+            name: p.name ?? null,
+            device_type: p.device_type,
+            backed_up: p.backed_up,
+            created_at: p.created_at,
+        }));
+    }
+    /**
+     * Delete a passkey
+     */
+    async deletePasskey(userSub, passkeyId, options) {
+        const passkey = await this.mikro.userPasskey.findByUserSubAndId(userSub, passkeyId);
+        if (!passkey) {
+            throw new e.PasskeyNotFound.Error();
+        }
+        const passkeyCount = await this.mikro.userPasskey.countByUserSub(userSub);
+        // Check if this is the last auth method
+        if (passkeyCount === 1 && !options.hasOtherAuthMethods) {
+            throw new e.CannotRemoveLastPasskey.Error();
+        }
+        // Prevent deleting last passkey when 2FA is required and no TOTP exists
+        if (options.secondFactorRequired) {
+            const willHaveNoPasskeys = passkeyCount === 1;
+            if (willHaveNoPasskeys && !options.hasOtherSecondFactor) {
+                throw new e.CannotRemoveLastSecondFactor.Error();
+            }
+        }
+        await this.mikro.userPasskey.deleteByUserSubAndId(userSub, passkeyId);
+    }
+    /**
+     * Rename a passkey
+     */
+    async renamePasskey(userSub, passkeyId, name) {
+        const passkey = await this.mikro.userPasskey.findByUserSubAndId(userSub, passkeyId);
+        if (!passkey) {
+            throw new e.PasskeyNotFound.Error();
+        }
+        passkey.name = name;
+        await this.mikro.em.flush();
+    }
+}
+//# sourceMappingURL=passkey.service.js.map

package/dist/services/passkey.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"passkey.service.js","sourceRoot":"","sources":["../../src/services/passkey.service.ts"],"names":[],"mappings":"AAOA,OAAO,EACL,6BAA6B,EAC7B,2BAA2B,EAC3B,4BAA4B,EAC5B,0BAA0B,GAC3B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAE9D,OAAO,EAEL,uBAAuB,GACxB,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAsBxC,MAAM,OAAO,cAAc;IACR,MAAM,GAAW,eAAe,CAAC;IAEjC,KAAK,CAAe;IACpB,MAAM,CAAwB;IAC/C,YAAmB,KAAmB,EAAE,MAA6B;QACnE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACK,OAAO;QACb,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;QAC/C,IAAI,aAAa,CAAC,KAAK,EAAE,CAAC;YACxB,OAAO,aAAa,CAAC,KAAK,CAAC;QAC7B,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1D,OAAO,OAAO,CAAC,QAAQ,CAAC;IAC1B,CAAC;IAED;;OAEG;IACK,UAAU;QAChB,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;QAC/C,IAAI,aAAa,CAAC,OAAO,IAAI,aAAa,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,OAAO,aAAa,CAAC,OAAO,CAAC;QAC/B,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,2BAA2B,CACtC,IAAgB;QAEhB,mCAAmC;QACnC,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,aAAa,CACjE,IAAI,CAAC,GAAG,CACT,CAAC;QAEF,MAAM,OAAO,GAAG,MAAM,2BAA2B,CAAC;YAChD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE;YACpB,QAAQ,EAAE,IAAI,CAAC,KAAK;YACpB,eAAe,EAAE,IAAI,CAAC,KAAK;YAC3B,iDAAiD;YACjD,eAAe,EAAE,MAAM;YACvB,8CAA8C;YAC9C,kBAAkB,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBACrD,EAAE,EAAE,OAAO,CAAC,aAAa;gBACzB,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAClE,CAAC,CAAC;YACH,sBAAsB,EAAE;gBACtB,uDAAuD;gBACvD,WAAW,EAAE,WAAW;gBACxB,gBAAgB,EAAE,WAAW;aAC9B;SACF,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,kBAAkB,CAC7B,IAAgB,EAChB,QAAkC,EAClC,iBAAyB,EACzB,WAAoB;QAEpB,MAAM,YAAY,GAAG,MAAM,0BAA0B,CAAC;YACpD,QAAQ;YACR,iBAAiB;YACjB,cAAc,EAAE,IAAI,CAAC,UAAU,EAAE;YACjC,YAAY,EAAE,IAAI,CAAC,OAAO,EAAE;SAC7B,CAAC,CAAC;QAEH,IAAI,CAAC,YAAY,CAAC,QAAQ,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;YAC7D,MAAM,IAAI,CAAC,CAAC,yBAAyB,CAAC,KAAK,EAAE,CAAC;QAChD,CAAC;QAED,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,GAC5D,YAAY,CAAC,gBAAgB,CAAC;QAEhC,qCAAqC;QACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,oBAAoB,CAC9D,UAAU,CAAC,EAAE,CACd,CAAC;QACF,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,IAAI,CAAC,CAAC,oBAAoB,CAAC,KAAK,EAAE,CAAC;QAC3C,CAAC;QAED,0BAA0B;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,uBAAuB,EAAE;YAC5D,IAAI,EAAE,IAAI,CAAC,GAAG;YACd,aAAa,EAAE,UAAU,CAAC,EAAE;YAC5B,UAAU,EAAE,YAAY,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;YACzD,OAAO,EAAE,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC;YACnC,WAAW,EAAE,oBAAoB;YACjC,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,UAAU,IAAI,IAAI;YAChD,IAAI,EAAE,WAAW,IAAI,IAAI;YACzB,MAAM,EAAE,YAAY,CAAC,gBAAgB,CAAC,MAAM,IAAI,IAAI;SACrD,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/B,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAE5B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,6BAA6B,CACxC,OAAgB;QAEhB,IAAI,gBAES,CAAC;QAEd,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;YACzE,gBAAgB,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBAChD,EAAE,EAAE,OAAO,CAAC,aAAa;gBACzB,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI;oBACxB,UAAU,EAAE,OAAO,CAAC,UAAU;iBAC/B,CAAC;aACH,CAAC,CAAC,CAAC;QACN,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,6BAA6B,CAAC;YAClD,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE;YACpB,gBAAgB,EAAE,WAAW;YAC7B,8CAA8C;YAC9C,gBAAgB,EAAE,gBAAgB,IAAI,EAAE;SACzC,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,oBAAoB,CAC/B,QAAoC,EACpC,iBAAyB;QAEzB,oCAAoC;QACpC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,kBAAkB,CAC7D,QAAQ,CAAC,EAAE,CACZ,CAAC;QAEF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,4BAA4B,CAAC;YACtD,QAAQ;YACR,iBAAiB;YACjB,cAAc,EAAE,IAAI,CAAC,UAAU,EAAE;YACjC,YAAY,EAAE,IAAI,CAAC,OAAO,EAAE;YAC5B,UAAU,EAAE;gBACV,EAAE,EAAE,OAAO,CAAC,aAAa;gBACzB,SAAS,EAAE,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC;gBACpD,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI;oBACxB,UAAU,EAAE,OAAO,CAAC,UAAU;iBAC/B,CAAC;aACH;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC3B,MAAM,IAAI,CAAC,CAAC,yBAAyB,CAAC,KAAK,EAAE,CAAC;QAChD,CAAC;QAED,8CAA8C;QAC9C,OAAO,CAAC,OAAO,GAAG,YAAY,CAAC,kBAAkB,CAAC,UAAU,CAAC;QAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAE5B,OAAO,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;IAClC,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,eAAe,CAAC,OAAe;QAC1C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QACrE,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1B,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,aAAa,EAAE,CAAC,CAAC,aAAa;YAC9B,IAAI,EAAE,CAAC,CAAC,IAAI,IAAI,IAAI;YACpB,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,UAAU,EAAE,CAAC,CAAC,UAAU;SACzB,CAAC,CAAC,CAAC;IACN,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,aAAa,CACxB,OAAe,EACf,SAAiB,EACjB,OAIC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,kBAAkB,CAC7D,OAAO,EACP,SAAS,CACV,CAAC;QAEF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QAE1E,wCAAwC;QACxC,IAAI,YAAY,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC;YACvD,MAAM,IAAI,CAAC,CAAC,uBAAuB,CAAC,KAAK,EAAE,CAAC;QAC9C,CAAC;QAED,wEAAwE;QACxE,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;YACjC,MAAM,kBAAkB,GAAG,YAAY,KAAK,CAAC,CAAC;YAC9C,IAAI,kBAAkB,IAAI,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC;gBACxD,MAAM,IAAI,CAAC,CAAC,4BAA4B,CAAC,KAAK,EAAE,CAAC;YACnD,CAAC;QACH,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,oBAAoB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACxE,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,aAAa,CACxB,OAAe,EACf,SAAiB,EACjB,IAAY;QAEZ,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,kBAAkB,CAC7D,OAAO,EACP,SAAS,CACV,CAAC;QAEF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;QACpB,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;CACF"}

package/dist/services/password-auth.service.d.ts

@@ -0,0 +1,24 @@
+import type { Loaded } from '@mikro-orm/core';
+import type { UserEntity } from '../entities/user.entity.ts';
+import { type PasswordPolicy } from '../lib/password-policy.ts';
+import type { MikroService } from './mikro.service.ts';
+import type { SecurityService } from './security.service.ts';
+export declare class PasswordAuthService {
+    private readonly mikro;
+    private readonly securityService;
+    private readonly passwordPolicy;
+    constructor(mikro: MikroService, securityService: SecurityService, passwordPolicy: PasswordPolicy);
+    authenticateByEmailAndPassword(params: {
+        email: string;
+        password: string;
+    }): Promise<Loaded<UserEntity, 'password_hash' | 'passkeys' | 'totps', '*', never>>;
+    createDatabaseUser(params: {
+        email: string;
+        password: string;
+    }): Promise<UserEntity>;
+    setPasswordForUser(user: UserEntity, password: string): Promise<void>;
+    changePassword(user: UserEntity, currentPassword: string, newPassword: string): Promise<void>;
+    removePassword(user: UserEntity, currentPassword: string): Promise<void>;
+    replacePassword(user: UserEntity, newPassword: string): Promise<void>;
+}
+//# sourceMappingURL=password-auth.service.d.ts.map

package/dist/services/password-auth.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-auth.service.d.ts","sourceRoot":"","sources":["../../src/services/password-auth.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAEL,KAAK,cAAc,EACpB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAE7D,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;IAClD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAiB;gBAG9C,KAAK,EAAE,YAAY,EACnB,eAAe,EAAE,eAAe,EAChC,cAAc,EAAE,cAAc;IAOnB,8BAA8B,CAAC,MAAM,EAAE;QAClD,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CACT,MAAM,CAAC,UAAU,EAAE,eAAe,GAAG,UAAU,GAAG,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CACvE;IAsBY,kBAAkB,CAAC,MAAM,EAAE;QACtC,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC,UAAU,CAAC;IAaV,kBAAkB,CAC7B,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IAcH,cAAc,CACzB,IAAI,EAAE,UAAU,EAChB,eAAe,EAAE,MAAM,EACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAsBH,cAAc,CACzB,IAAI,EAAE,UAAU,EAChB,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,IAAI,CAAC;IAmCH,eAAe,CAC1B,IAAI,EAAE,UAAU,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;CAMjB"}

package/dist/services/password-auth.service.js

@@ -0,0 +1,87 @@
+import { assertPasswordPolicy, } from "../lib/password-policy.js";
+import { e } from "../schemas/error.js";
+export class PasswordAuthService {
+    mikro;
+    securityService;
+    passwordPolicy;
+    constructor(mikro, securityService, passwordPolicy) {
+        this.mikro = mikro;
+        this.securityService = securityService;
+        this.passwordPolicy = passwordPolicy;
+    }
+    async authenticateByEmailAndPassword(params) {
+        const err = new e.InvalidEmailOrPassword.Error();
+        const user = await this.mikro.user.findActiveByEmailForPasswordAuth(params.email);
+        if (!user.password_hash) {
+            throw err;
+        }
+        const isValid = await this.securityService.verifyPassword(user.password_hash, params.password);
+        if (!isValid) {
+            throw err;
+        }
+        return user;
+    }
+    async createDatabaseUser(params) {
+        assertPasswordPolicy(params.password, this.passwordPolicy);
+        const passwordHash = await this.securityService.hashPassword(params.password);
+        return this.mikro.user.register({
+            email: params.email,
+            passwordHash,
+        });
+    }
+    async setPasswordForUser(user, password) {
+        if (user.managed_by === 'config') {
+            throw new e.UserNotEditable.Error();
+        }
+        await this.mikro.em.populate(user, ['password_hash']);
+        if (user.hasPassword()) {
+            throw new e.PasswordAlreadySet.Error();
+        }
+        await this.replacePassword(user, password);
+    }
+    async changePassword(user, currentPassword, newPassword) {
+        if (user.managed_by === 'config') {
+            throw new e.UserNotEditable.Error();
+        }
+        await this.mikro.em.populate(user, ['password_hash']);
+        if (!user.password_hash) {
+            throw new e.PasswordNotSet.Error();
+        }
+        const isValid = await this.securityService.verifyPassword(user.password_hash, currentPassword);
+        if (!isValid) {
+            throw new e.InvalidCurrentPassword.Error();
+        }
+        await this.replacePassword(user, newPassword);
+    }
+    async removePassword(user, currentPassword) {
+        if (user.managed_by === 'config') {
+            throw new e.UserNotEditable.Error();
+        }
+        await this.mikro.em.populate(user, ['password_hash']);
+        if (!user.password_hash) {
+            throw new e.PasswordNotSet.Error();
+        }
+        const isValid = await this.securityService.verifyPassword(user.password_hash, currentPassword);
+        if (!isValid) {
+            throw new e.InvalidCurrentPassword.Error();
+        }
+        const oauthCount = await this.mikro.userOAuth.countByUser(user.sub);
+        const hasTotp = await this.mikro.userTotp.isRegistered(user.sub);
+        const passkeyCount = await this.mikro.userPasskey.countByUserSub(user.sub);
+        const hasSecondFactor = hasTotp || passkeyCount > 0;
+        if (oauthCount === 0) {
+            if (hasSecondFactor) {
+                throw new e.CannotRemovePasswordWithSecondFactorOnly.Error();
+            }
+            throw new e.CannotRemoveLastAuthMethod.Error();
+        }
+        user.password_hash = null;
+        await this.mikro.em.flush();
+    }
+    async replacePassword(user, newPassword) {
+        assertPasswordPolicy(newPassword, this.passwordPolicy);
+        user.password_hash = await this.securityService.hashPassword(newPassword);
+        await this.mikro.em.flush();
+    }
+}
+//# sourceMappingURL=password-auth.service.js.map

package/dist/services/password-auth.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-auth.service.js","sourceRoot":"","sources":["../../src/services/password-auth.service.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,oBAAoB,GAErB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAIxC,MAAM,OAAO,mBAAmB;IACb,KAAK,CAAe;IACpB,eAAe,CAAkB;IACjC,cAAc,CAAiB;IAEhD,YACE,KAAmB,EACnB,eAAgC,EAChC,cAA8B;QAE9B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QACvC,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;IACvC,CAAC;IAEM,KAAK,CAAC,8BAA8B,CAAC,MAG3C;QAGC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,sBAAsB,CAAC,KAAK,EAAE,CAAC;QACjD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,gCAAgC,CACjE,MAAM,CAAC,KAAK,CACb,CAAC;QAEF,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CACvD,IAAI,CAAC,aAAa,EAClB,MAAM,CAAC,QAAQ,CAChB,CAAC;QAEF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAAC,MAG/B;QACC,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;QAE3D,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,YAAY,CAC1D,MAAM,CAAC,QAAQ,CAChB,CAAC;QAEF,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;YAC9B,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,YAAY;SACb,CAAC,CAAC;IACL,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,IAAgB,EAChB,QAAgB;QAEhB,IAAI,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC;QAEtD,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAEM,KAAK,CAAC,cAAc,CACzB,IAAgB,EAChB,eAAuB,EACvB,WAAmB;QAEnB,IAAI,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC;QAEtD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CACvD,IAAI,CAAC,aAAa,EAClB,eAAe,CAChB,CAAC;QACF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,CAAC,sBAAsB,CAAC,KAAK,EAAE,CAAC;QAC7C,CAAC;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IAChD,CAAC;IAEM,KAAK,CAAC,cAAc,CACzB,IAAgB,EAChB,eAAuB;QAEvB,IAAI,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC;QAEtD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CACvD,IAAI,CAAC,aAAa,EAClB,eAAe,CAChB,CAAC;QACF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,CAAC,sBAAsB,CAAC,KAAK,EAAE,CAAC;QAC7C,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3E,MAAM,eAAe,GAAG,OAAO,IAAI,YAAY,GAAG,CAAC,CAAC;QAEpD,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;YACrB,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,IAAI,CAAC,CAAC,wCAAwC,CAAC,KAAK,EAAE,CAAC;YAC/D,CAAC;YACD,MAAM,IAAI,CAAC,CAAC,0BAA0B,CAAC,KAAK,EAAE,CAAC;QACjD,CAAC;QAED,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAC1B,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;IAEM,KAAK,CAAC,eAAe,CAC1B,IAAgB,EAChB,WAAmB;QAEnB,oBAAoB,CAAC,WAAW,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;QAEvD,IAAI,CAAC,aAAa,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAC1E,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;CACF"}

package/dist/services/password-reset.service.d.ts

@@ -0,0 +1,31 @@
+import type { IPasswordResetEntity } from '../entities/password-reset.entity.ts';
+import type { UserEntity } from '../entities/user.entity.ts';
+import type { MikroService } from './mikro.service.ts';
+import type { PasswordAuthService } from './password-auth.service.ts';
+export declare class PasswordResetService {
+    private readonly mikro;
+    private readonly passwordAuthService;
+    constructor(mikro: MikroService, passwordAuthService: PasswordAuthService);
+    /**
+     * Generate password reset token for a user
+     * Invalidates all previous unused tokens
+     */
+    generateToken(params: {
+        userSub: string;
+        expiresInHours?: number;
+    }): Promise<IPasswordResetEntity>;
+    /**
+     * Request password reset for an email
+     * Returns token entity if user exists and is database-managed
+     */
+    requestPasswordReset(email: string): Promise<IPasswordResetEntity | null>;
+    /**
+     * Reset password with token
+     * Verifies token and updates user password
+     */
+    resetPassword(params: {
+        token: string;
+        password: string;
+    }): Promise<UserEntity>;
+}
+//# sourceMappingURL=password-reset.service.d.ts.map

package/dist/services/password-reset.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset.service.d.ts","sourceRoot":"","sources":["../../src/services/password-reset.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AACjF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAE7D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAEtE,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAsB;gBAExD,KAAK,EAAE,YAAY,EACnB,mBAAmB,EAAE,mBAAmB;IAM1C;;;OAGG;IACG,aAAa,CAAC,MAAM,EAAE;QAC1B,OAAO,EAAE,MAAM,CAAC;QAChB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IASjC;;;OAGG;IACG,oBAAoB,CACxB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAkBvC;;;OAGG;IACG,aAAa,CAAC,MAAM,EAAE;QAC1B,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC,UAAU,CAAC;CAqBxB"}

package/dist/services/password-reset.service.js

@@ -0,0 +1,54 @@
+import { e } from "../schemas/error.js";
+export class PasswordResetService {
+    mikro;
+    passwordAuthService;
+    constructor(mikro, passwordAuthService) {
+        this.mikro = mikro;
+        this.passwordAuthService = passwordAuthService;
+    }
+    /**
+     * Generate password reset token for a user
+     * Invalidates all previous unused tokens
+     */
+    async generateToken(params) {
+        const token = await this.mikro.passwordReset.generateToken({
+            userSub: params.userSub,
+            expiresInHours: params.expiresInHours || 1,
+        });
+        return token;
+    }
+    /**
+     * Request password reset for an email
+     * Returns token entity if user exists and is database-managed
+     */
+    async requestPasswordReset(email) {
+        const user = await this.mikro.user.findOneOrFail({ email }, {
+            failHandler: () => new e.UserNotFound.Error(),
+        });
+        if (user.managed_by !== 'database') {
+            throw new e.UserNotEditable.Error();
+        }
+        const token = await this.generateToken({ userSub: user.sub });
+        await this.mikro.em.flush();
+        return token;
+    }
+    /**
+     * Reset password with token
+     * Verifies token and updates user password
+     */
+    async resetPassword(params) {
+        const resetEntity = await this.mikro.passwordReset.verifyToken(params.token);
+        if (!resetEntity) {
+            throw new e.InvalidPasswordResetToken.Error();
+        }
+        const user = await resetEntity.user.loadOrFail({
+            failHandler: () => new e.UserNotFound.Error(),
+        });
+        if (user.managed_by === 'config') {
+            throw new e.UserNotEditable.Error();
+        }
+        await this.passwordAuthService.replacePassword(user, params.password);
+        return user;
+    }
+}
+//# sourceMappingURL=password-reset.service.js.map

package/dist/services/password-reset.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset.service.js","sourceRoot":"","sources":["../../src/services/password-reset.service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAIxC,MAAM,OAAO,oBAAoB;IACd,KAAK,CAAe;IACpB,mBAAmB,CAAsB;IAC1D,YACE,KAAmB,EACnB,mBAAwC;QAExC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,mBAAmB,GAAG,mBAAmB,CAAC;IACjD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,MAGnB;QACC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,aAAa,CAAC;YACzD,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,CAAC;SAC3C,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,oBAAoB,CACxB,KAAa;QAEb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAC9C,EAAE,KAAK,EAAE,EACT;YACE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE;SAC9C,CACF,CAAC;QAEF,IAAI,IAAI,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC9D,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAE5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,MAGnB;QACC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,WAAW,CAC5D,MAAM,CAAC,KAAK,CACb,CAAC;QAEF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,CAAC,yBAAyB,CAAC,KAAK,EAAE,CAAC;QAChD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC;YAC7C,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE;SAC9C,CAAC,CAAC;QAEH,IAAI,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,IAAI,CAAC,mBAAmB,CAAC,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEtE,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/dist/services/scheduler.service.d.ts

@@ -0,0 +1,15 @@
+import type { SchedulerConfig } from '../lib/config/index.ts';
+import type { Logger } from '../lib/logger.ts';
+import type { CleanupService } from './cleanup.service.ts';
+export declare class SchedulerService {
+    private readonly cleanupService;
+    private readonly logger;
+    private readonly schedulerConfig;
+    private handle;
+    constructor(schedulerConfig: SchedulerConfig | undefined, cleanupService: CleanupService, logger: Logger);
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    isRunning(): boolean;
+    getNextRunAt(): Date | null;
+}
+//# sourceMappingURL=scheduler.service.d.ts.map

package/dist/services/scheduler.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scheduler.service.d.ts","sourceRoot":"","sources":["../../src/services/scheduler.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAmB,MAAM,wBAAwB,CAAC;AAC/E,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAiB;IAChD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAA8B;IAE9D,OAAO,CAAC,MAAM,CAAgC;gBAG5C,eAAe,EAAE,eAAe,GAAG,SAAS,EAC5C,cAAc,EAAE,cAAc,EAC9B,MAAM,EAAE,MAAM;IAaH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IA2BtB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAW3B,SAAS,IAAI,OAAO;IAIpB,YAAY,IAAI,IAAI,GAAG,IAAI;CAGnC"}

package/dist/services/scheduler.service.js

@@ -0,0 +1,52 @@
+export class SchedulerService {
+    cleanupService;
+    logger;
+    schedulerConfig;
+    handle = null;
+    constructor(schedulerConfig, cleanupService, logger) {
+        this.schedulerConfig = schedulerConfig;
+        this.cleanupService = cleanupService;
+        this.logger = logger;
+        this.logger.info({
+            enabled: this.schedulerConfig !== undefined,
+        }, 'Scheduler initialized');
+    }
+    async start() {
+        if (!this.schedulerConfig || this.handle) {
+            return;
+        }
+        const handle = await this.schedulerConfig.start({
+            runCleanup: async () => {
+                try {
+                    await this.cleanupService.runAll({
+                        dryRun: false,
+                        verbose: false,
+                    });
+                }
+                catch (err) {
+                    this.logger.error({ err }, 'Scheduled cleanup failed');
+                }
+            },
+        });
+        this.handle = handle;
+        this.logger.info({
+            nextRunAt: this.getNextRunAt(),
+        }, 'Scheduler started');
+    }
+    async stop() {
+        if (!this.handle) {
+            return;
+        }
+        const handle = this.handle;
+        this.handle = null;
+        await handle.stop();
+        this.logger.info('Scheduler stopped');
+    }
+    isRunning() {
+        return this.handle !== null;
+    }
+    getNextRunAt() {
+        return this.handle?.getNextRunAt?.() ?? null;
+    }
+}
+//# sourceMappingURL=scheduler.service.js.map

package/dist/services/scheduler.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scheduler.service.js","sourceRoot":"","sources":["../../src/services/scheduler.service.ts"],"names":[],"mappings":"AAIA,MAAM,OAAO,gBAAgB;IACV,cAAc,CAAiB;IAC/B,MAAM,CAAS;IACf,eAAe,CAA8B;IAEtD,MAAM,GAA2B,IAAI,CAAC;IAE9C,YACE,eAA4C,EAC5C,cAA8B,EAC9B,MAAc;QAEd,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QACvC,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;YACE,OAAO,EAAE,IAAI,CAAC,eAAe,KAAK,SAAS;SAC5C,EACD,uBAAuB,CACxB,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,KAAK;QAChB,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACzC,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC;YAC9C,UAAU,EAAE,KAAK,IAAI,EAAE;gBACrB,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC;wBAC/B,MAAM,EAAE,KAAK;wBACb,OAAO,EAAE,KAAK;qBACf,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,0BAA0B,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;YACE,SAAS,EAAE,IAAI,CAAC,YAAY,EAAE;SAC/B,EACD,mBAAmB,CACpB,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,IAAI;QACf,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACxC,CAAC;IAEM,SAAS;QACd,OAAO,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC;IAC9B,CAAC;IAEM,YAAY;QACjB,OAAO,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE,EAAE,IAAI,IAAI,CAAC;IAC/C,CAAC;CACF"}

package/dist/services/security.service.d.ts

@@ -0,0 +1,17 @@
+import type { TinyAuthRuntimeConfig } from '../lib/config/index.ts';
+export type OpaquePurpose = 'oauth-code' | 'totp-recovery';
+export declare class SecurityService {
+    private readonly hashMasterSecret;
+    private readonly pbkdf2Iterations;
+    private readonly purposeKeyCache;
+    constructor(config: TinyAuthRuntimeConfig);
+    private resolvePurposeKey;
+    private hashPbkdf2Secret;
+    private verifyPbkdf2Secret;
+    hashPassword(password: string): Promise<string>;
+    verifyPassword(hash: string, password: string): Promise<boolean>;
+    hashClientSecret(clientSecret: string): Promise<string>;
+    verifyClientSecret(hash: string, clientSecret: string): Promise<boolean>;
+    hashOpaqueToken(purpose: OpaquePurpose, value: string): Promise<string>;
+}
+//# sourceMappingURL=security.service.d.ts.map

package/dist/services/security.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.service.d.ts","sourceRoot":"","sources":["../../src/services/security.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAoBpE,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,eAAe,CAAC;AAU3D,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAa;IAC9C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAA2C;gBAExD,MAAM,EAAE,qBAAqB;YAUlC,iBAAiB;YAiBjB,gBAAgB;YAyBhB,kBAAkB;IAyBnB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAI/C,cAAc,CACzB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC;IAIN,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAIvD,kBAAkB,CAC7B,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC;IAIN,eAAe,CAC1B,OAAO,EAAE,aAAa,EACtB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC;CAUnB"}

package/dist/services/security.service.js

@@ -0,0 +1,82 @@
+import { fromBase64Url } from "../lib/base64url.js";
+import { derivePbkdf2Bytes, derivePurposeKeyBytes, formatOpaqueHash, formatPbkdf2Hash, getRandomBytes, parsePbkdf2Hash, signOpaqueValue, timingSafeEqualBytes, } from "../lib/crypto.js";
+const PBKDF2_ALGORITHM = 'pbkdf2-sha256';
+const HMAC_ALGORITHM = 'hmac-sha256';
+const HASH_FORMAT_VERSION = 1;
+const HKDF_CONTEXT = 'tinyauth-hash-master-v1';
+const PBKDF2_SALT_BYTES = 16;
+const PBKDF2_DERIVED_KEY_BYTES = 32;
+const PURPOSE_LABELS = {
+    password: 'password-v1',
+    'client-secret': 'client-secret-v1',
+    'oauth-code': 'oauth-code-v1',
+    'totp-recovery': 'totp-recovery-v1',
+};
+export class SecurityService {
+    hashMasterSecret;
+    pbkdf2Iterations;
+    purposeKeyCache = new Map();
+    constructor(config) {
+        const decodedSecret = fromBase64Url(config.security.hash_secret);
+        if (decodedSecret.length !== 32) {
+            throw new Error('security.hash_secret must decode to 32 bytes.');
+        }
+        this.hashMasterSecret = decodedSecret;
+        this.pbkdf2Iterations = config.security.pbkdf2_iterations;
+    }
+    async resolvePurposeKey(purpose) {
+        const cached = this.purposeKeyCache.get(purpose);
+        if (cached) {
+            return cached;
+        }
+        const derivation = derivePurposeKeyBytes(globalThis.crypto, this.hashMasterSecret, HKDF_CONTEXT, PURPOSE_LABELS[purpose], PBKDF2_DERIVED_KEY_BYTES);
+        this.purposeKeyCache.set(purpose, derivation);
+        return derivation;
+    }
+    async hashPbkdf2Secret(purpose, secret) {
+        const crypto = globalThis.crypto;
+        const purposeKey = await this.resolvePurposeKey(purpose);
+        const salt = getRandomBytes(PBKDF2_SALT_BYTES);
+        const digest = await derivePbkdf2Bytes(crypto, purposeKey, secret, salt, this.pbkdf2Iterations, PBKDF2_DERIVED_KEY_BYTES);
+        return formatPbkdf2Hash({
+            algorithm: PBKDF2_ALGORITHM,
+            version: HASH_FORMAT_VERSION,
+            iterations: this.pbkdf2Iterations,
+            salt,
+            digest,
+        });
+    }
+    async verifyPbkdf2Secret(purpose, hash, secret) {
+        const parsed = parsePbkdf2Hash(hash, PBKDF2_ALGORITHM);
+        if (!parsed || parsed.version !== HASH_FORMAT_VERSION) {
+            return false;
+        }
+        const crypto = globalThis.crypto;
+        const purposeKey = await this.resolvePurposeKey(purpose);
+        const derived = await derivePbkdf2Bytes(crypto, purposeKey, secret, parsed.salt, parsed.iterations, PBKDF2_DERIVED_KEY_BYTES);
+        return timingSafeEqualBytes(derived, parsed.digest);
+    }
+    async hashPassword(password) {
+        return this.hashPbkdf2Secret('password', password);
+    }
+    async verifyPassword(hash, password) {
+        return this.verifyPbkdf2Secret('password', hash, password);
+    }
+    async hashClientSecret(clientSecret) {
+        return this.hashPbkdf2Secret('client-secret', clientSecret);
+    }
+    async verifyClientSecret(hash, clientSecret) {
+        return this.verifyPbkdf2Secret('client-secret', hash, clientSecret);
+    }
+    async hashOpaqueToken(purpose, value) {
+        const crypto = globalThis.crypto;
+        const purposeKey = await this.resolvePurposeKey(purpose);
+        const digest = await signOpaqueValue(crypto, purposeKey, value);
+        return formatOpaqueHash({
+            algorithm: HMAC_ALGORITHM,
+            version: HASH_FORMAT_VERSION,
+            digest,
+        });
+    }
+}
+//# sourceMappingURL=security.service.js.map

package/dist/services/security.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.service.js","sourceRoot":"","sources":["../../src/services/security.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,OAAO,EACL,iBAAiB,EACjB,qBAAqB,EACrB,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,eAAe,EACf,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAE1B,MAAM,gBAAgB,GAAG,eAAe,CAAC;AACzC,MAAM,cAAc,GAAG,aAAa,CAAC;AACrC,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,YAAY,GAAG,yBAAyB,CAAC;AAC/C,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAMpC,MAAM,cAAc,GAA4B;IAC9C,QAAQ,EAAE,aAAa;IACvB,eAAe,EAAE,kBAAkB;IACnC,YAAY,EAAE,eAAe;IAC7B,eAAe,EAAE,kBAAkB;CACpC,CAAC;AAEF,MAAM,OAAO,eAAe;IACT,gBAAgB,CAAa;IAC7B,gBAAgB,CAAS;IACzB,eAAe,GAAG,IAAI,GAAG,EAAgC,CAAC;IAE3E,YAAmB,MAA6B;QAC9C,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACjE,IAAI,aAAa,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QAED,IAAI,CAAC,gBAAgB,GAAG,aAAa,CAAC;QACtC,IAAI,CAAC,gBAAgB,GAAG,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAC;IAC5D,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,OAAgB;QAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,UAAU,GAAG,qBAAqB,CACtC,UAAU,CAAC,MAAM,EACjB,IAAI,CAAC,gBAAgB,EACrB,YAAY,EACZ,cAAc,CAAC,OAAO,CAAC,EACvB,wBAAwB,CACzB,CAAC;QACF,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAC9C,OAAO,UAAU,CAAC;IACpB,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,OAAsB,EACtB,MAAc;QAEd,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;QACjC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QACzD,MAAM,IAAI,GAAG,cAAc,CAAC,iBAAiB,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CACpC,MAAM,EACN,UAAU,EACV,MAAM,EACN,IAAI,EACJ,IAAI,CAAC,gBAAgB,EACrB,wBAAwB,CACzB,CAAC;QAEF,OAAO,gBAAgB,CAAC;YACtB,SAAS,EAAE,gBAAgB;YAC3B,OAAO,EAAE,mBAAmB;YAC5B,UAAU,EAAE,IAAI,CAAC,gBAAgB;YACjC,IAAI;YACJ,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAC9B,OAAsB,EACtB,IAAY,EACZ,MAAc;QAEd,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;QAEvD,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,KAAK,mBAAmB,EAAE,CAAC;YACtD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;QACjC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,MAAM,iBAAiB,CACrC,MAAM,EACN,UAAU,EACV,MAAM,EACN,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,UAAU,EACjB,wBAAwB,CACzB,CAAC;QAEF,OAAO,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACtD,CAAC;IAEM,KAAK,CAAC,YAAY,CAAC,QAAgB;QACxC,OAAO,IAAI,CAAC,gBAAgB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IACrD,CAAC;IAEM,KAAK,CAAC,cAAc,CACzB,IAAY,EACZ,QAAgB;QAEhB,OAAO,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC7D,CAAC;IAEM,KAAK,CAAC,gBAAgB,CAAC,YAAoB;QAChD,OAAO,IAAI,CAAC,gBAAgB,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,IAAY,EACZ,YAAoB;QAEpB,OAAO,IAAI,CAAC,kBAAkB,CAAC,eAAe,EAAE,IAAI,EAAE,YAAY,CAAC,CAAC;IACtE,CAAC;IAEM,KAAK,CAAC,eAAe,CAC1B,OAAsB,EACtB,KAAa;QAEb,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;QACjC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QACzD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;QAChE,OAAO,gBAAgB,CAAC;YACtB,SAAS,EAAE,cAAc;YACzB,OAAO,EAAE,mBAAmB;YAC5B,MAAM;SACP,CAAC,CAAC;IACL,CAAC;CACF"}