@travetto/auth-model 2.0.0-alpha.3 → 3.0.0-rc.2

package/README.md

@@ -1,47 +1,49 @@
-<!-- This file was generated by the framweork and should not be modified directly -->
-<!-- Please modify https://github.com/travetto/travetto/tree/master/module/auth-model/doc.ts and execute "npm run docs" to rebuild -->
-# Model Auth Source
-## Model-based authentication and registration support for the travetto framework
+<!-- This file was generated by @travetto/doc and should not be modified directly -->
+<!-- Please modify https://github.com/travetto/travetto/tree/main/module/auth-model/doc.ts and execute "npx trv doc" to rebuild -->
+# Authentication Model
+## Authentication model support for the travetto framework
 
 **Install: @travetto/auth-model**
 ```bash
 npm install @travetto/auth-model
 ```
 
-This module provides the integration between the [Authentication](https://github.com/travetto/travetto/tree/master/module/auth#readme "Authentication scaffolding for the travetto framework") module and the [Data Modeling Support](https://github.com/travetto/travetto/tree/master/module/model#readme "Datastore abstraction for core operations."). 
+This module supports the integration between the [Authentication](https://github.com/travetto/travetto/tree/main/module/auth#readme "Authentication scaffolding for the travetto framework") module and the [Data Modeling Support](https://github.com/travetto/travetto/tree/main/module/model#readme "Datastore abstraction for core operations."). 
 
-The asset module requires an [CRUD](https://github.com/travetto/travetto/tree/master/module/model/src/service/crud.ts#L10) to provide functionality for reading and storing user information. You can use any existing providers to serve as your [CRUD](https://github.com/travetto/travetto/tree/master/module/model/src/service/crud.ts#L10), or you can roll your own.
+The asset module requires a [CRUD](https://github.com/travetto/travetto/tree/main/module/model/src/service/crud.ts#L11)-model to provide functionality for reading and storing user information. You can use any existing providers to serve as your [CRUD](https://github.com/travetto/travetto/tree/main/module/model/src/service/crud.ts#L11), or you can roll your own.
 
 **Install: provider**
 ```bash
 npm install @travetto/model-{provider}
 ```
 
-Currently, the following are packages that provide [CRUD](https://github.com/travetto/travetto/tree/master/module/model/src/service/crud.ts#L10):
+Currently, the following are packages that provide [CRUD](https://github.com/travetto/travetto/tree/main/module/model/src/service/crud.ts#L11):
    
-   *  [DynamoDB Model Support](https://github.com/travetto/travetto/tree/master/module/model-dynamodb#readme "DynamoDB backing for the travetto model module.") - @travetto/model-dynamodb
-   *  [Elasticsearch Model Source](https://github.com/travetto/travetto/tree/master/module/model-elasticsearch#readme "Elasticsearch backing for the travetto model module, with real-time modeling support for Elasticsearch mappings.") @travetto/model-elasticsearch
-   *  [Firestore Model Support](https://github.com/travetto/travetto/tree/master/module/model-firestore#readme "Firestore backing for the travetto model module.") @travetto/model-firestore
-   *  [MongoDB Model Support](https://github.com/travetto/travetto/tree/master/module/model-mongo#readme "Mongo backing for the travetto model module.") @travetto/model-mongo
-   *  [Redis Model Support](https://github.com/travetto/travetto/tree/master/module/model-redis#readme "Redis backing for the travetto model module.") @travetto/model-redis
-   *  [S3 Model Support](https://github.com/travetto/travetto/tree/master/module/model-s3#readme "S3 backing for the travetto model module.") @travetto/model-s3
-   *  [SQL Model Service](https://github.com/travetto/travetto/tree/master/module/model-sql#readme "SQL backing for the travetto model module, with real-time modeling support for SQL schemas.") @travetto/model-sql
+   *  [DynamoDB Model Support](https://github.com/travetto/travetto/tree/main/module/model-dynamodb#readme "DynamoDB backing for the travetto model module.") - @travetto/model-dynamodb
+   *  [Elasticsearch Model Source](https://github.com/travetto/travetto/tree/main/module/model-elasticsearch#readme "Elasticsearch backing for the travetto model module, with real-time modeling support for Elasticsearch mappings.") @travetto/model-elasticsearch
+   *  [Firestore Model Support](https://github.com/travetto/travetto/tree/main/module/model-firestore#readme "Firestore backing for the travetto model module.") @travetto/model-firestore
+   *  [MongoDB Model Support](https://github.com/travetto/travetto/tree/main/module/model-mongo#readme "Mongo backing for the travetto model module.") @travetto/model-mongo
+   *  [Redis Model Support](https://github.com/travetto/travetto/tree/main/module/model-redis#readme "Redis backing for the travetto model module.") @travetto/model-redis
+   *  [S3 Model Support](https://github.com/travetto/travetto/tree/main/module/model-s3#readme "S3 backing for the travetto model module.") @travetto/model-s3
+   *  [MySQL Model Service](https://github.com/travetto/travetto/tree/main/module/model-mysql#readme "MySQL backing for the travetto model module, with real-time modeling support for SQL schemas.") @travetto/model-mysql
+   *  [PostgreSQL Model Service](https://github.com/travetto/travetto/tree/main/module/model-postgres#readme "PostgreSQL backing for the travetto model module, with real-time modeling support for SQL schemas.") @travetto/model-postgres
+   *  [SQLite Model Service](https://github.com/travetto/travetto/tree/main/module/model-sqlite#readme "SQLite backing for the travetto model module, with real-time modeling support for SQL schemas.") @travetto/model-sqlite
 
-The module itself is fairly straightforward, and truly the only integration point for this module to work is defined at the model level.  The contract for authentication is established in code as providing translation to and from a [RegisteredIdentity](https://github.com/travetto/travetto/tree/master/module/auth-model/src/identity.ts#L6)
+The module itself is fairly straightforward, and truly the only integration point for this module to work is defined at the model level.  The contract for authentication is established in code as providing translation to and from a [Registered Principal](https://github.com/travetto/travetto/tree/main/module/auth-model/src/model.ts#L10)
 
-A registered identity extends the base concept of an identity, by adding in additional fields needed for local registration, specifically password management information.
+A registered principal extends the base concept of an principal, by adding in additional fields needed for local registration, specifically password management information.
 
-**Code: Registered Identity**
+**Code: Registered Principal**
 ```typescript
-export interface RegisteredIdentity extends Identity {
+export interface RegisteredPrincipal extends Principal {
   /**
    * Password hash
    */
-  hash: string;
+  hash?: string;
   /**
    * Password salt
    */
-  salt: string;
+  salt?: string;
   /**
    * Temporary Reset Token
    */
@@ -59,11 +61,11 @@ export interface RegisteredIdentity extends Identity {
 
 **Code: A valid user model**
 ```typescript
-import { Model, BaseModel } from '@travetto/model';
-import { RegisteredIdentity } from '@travetto/auth-model';
+import { Model } from '@travetto/model';
+import { RegisteredPrincipal } from '@travetto/auth-model';
 
 @Model()
-export class User extends BaseModel implements RegisteredIdentity {
+export class User implements RegisteredPrincipal {
   id: string;
   source: string;
   details: Record<string, unknown>;
@@ -78,21 +80,23 @@ export class User extends BaseModel implements RegisteredIdentity {
 
 ## Configuration
 
-Additionally, there exists a common practice of mapping various external security principals into a local contract. These external identities, as provided from countless authentication schemes, need to be homogeonized for use.  This has been handled in other frameworks by using external configuration, and creating a mapping between the two set of fields.  Within this module, the mappings are defined as functions in which you can translate to the model from an identity or to an identity from a model.
+Additionally, there exists a common practice of mapping various external security principals into a local contract. These external identities, as provided from countless authentication schemes, need to be homogenized for use.  This has been handled in other frameworks by using external configuration, and creating a mapping between the two set of fields.  Within this module, the mappings are defined as functions in which you can translate to the model from an identity or to an identity from a model.
 
 **Code: Principal Source configuration**
 ```typescript
 import { InjectableFactory } from '@travetto/di';
-import { ModelPrincipalSource, RegisteredIdentity } from '@travetto/auth-model';
+import { ModelAuthService, RegisteredPrincipal } from '@travetto/auth-model';
+import { ModelCrudSupport } from '@travetto/model';
 
 import { User } from './model';
 
 class AuthConfig {
   @InjectableFactory()
-  static getModelPrincipalSource() {
-    return new ModelPrincipalSource(
+  static getModelAuthService(svc: ModelCrudSupport) {
+    return new ModelAuthService(
+      svc,
       User,
-      (u: User) => ({    // This converts User to a RegisteredIdentity
+      (u: User) => ({    // This converts User to a RegisteredPrincipal
         source: 'model',
         provider: 'model',
         id: u.id,
@@ -104,7 +108,7 @@ class AuthConfig {
         password: u.password,
         details: u,
       }),
-      (u: Partial<RegisteredIdentity>) => User.from(({   // This converts a RegisteredIdentity to a User
+      (u: Partial<RegisteredPrincipal>) => User.from(({   // This converts a RegisteredPrincipal to a User
         id: u.id,
         permissions: [...(u.permissions || [])],
         hash: u.hash,
@@ -122,7 +126,7 @@ class AuthConfig {
 ```typescript
 import { AppError } from '@travetto/base';
 import { Injectable, Inject } from '@travetto/di';
-import { ModelPrincipalSource } from '@travetto/auth-model';
+import { ModelAuthService } from '@travetto/auth-model';
 
 import { User } from './model';
 
@@ -130,11 +134,11 @@ import { User } from './model';
 class UserService {
 
   @Inject()
-  private auth: ModelPrincipalSource<User>;
+  private auth: ModelAuthService<User>;
 
   async authenticate(identity: User) {
     try {
-      return await this.auth.authenticate(identity.id!, identity.password!);
+      return await this.auth.authenticate(identity);
     } catch (err) {
       if (err instanceof AppError && err.category === 'notfound') {
         return await this.auth.register(identity);
@@ -145,4 +149,3 @@ class UserService {
   }
 }
 ```
-

package/index.ts

@@ -1,4 +1 @@
-export * from './src/identity';
-export * from './src/principal';
-// Named export needed for proxying
-export { ModelIdentitySource } from './src/extension/auth-rest';
+export * from './src/model';

package/package.json

@@ -1,39 +1,36 @@
 {
-  "author": {
-    "email": "travetto.framework@gmail.com",
-    "name": "Travetto Framework"
-  },
-  "publishConfig": {
-    "access": "public"
-  },
-  "dependencies": {
-    "@travetto/auth": "^2.0.0-alpha.2",
-    "@travetto/model": "^2.0.0-alpha.3"
-  },
-  "title": "Model Auth Source",
-  "description": "Model-based authentication and registration support for the travetto framework",
-  "optionalPeerDependencies": {
-    "@travetto/auth-rest": "^2.0.0-alpha.0"
-  },
-  "homepage": "https://travetto.io",
+  "name": "@travetto/auth-model",
+  "displayName": "Authentication Model",
+  "version": "3.0.0-rc.2",
+  "description": "Authentication model support for the travetto framework",
   "keywords": [
     "authentication",
     "model",
     "travetto",
-    "registration"
+    "typescript"
   ],
+  "homepage": "https://travetto.io",
   "license": "MIT",
-  "main": "index.ts",
+  "author": {
+    "email": "travetto.framework@gmail.com",
+    "name": "Travetto Framework"
+  },
   "files": [
     "index.ts",
     "src",
     "test-support"
   ],
-  "name": "@travetto/auth-model",
+  "main": "index.ts",
   "repository": {
     "url": "https://github.com/travetto/travetto.git",
     "directory": "module/auth-model"
   },
-  "version": "2.0.0-alpha.3",
-  "gitHead": "2f2ca49b7cb4cb89ba7f565b8cf2bd5d63fb0696"
+  "dependencies": {
+    "@travetto/auth": "^3.0.0-rc.0",
+    "@travetto/model": "^3.0.0-rc.2"
+  },
+  "private": false,
+  "publishConfig": {
+    "access": "public"
+  }
 }

package/src/model.ts

@@ -0,0 +1,194 @@
+import { AppError, Util, Class } from '@travetto/base';
+import { ModelCrudSupport, ModelType, NotFoundError, OptionalId } from '@travetto/model';
+import { EnvUtil } from '@travetto/boot';
+import { AuthUtil, Principal, Authenticator, Authorizer } from '@travetto/auth';
+import { isStorageSupported } from '@travetto/model/src/internal/service/common';
+
+/**
+ * A set of registration data
+ */
+export interface RegisteredPrincipal extends Principal {
+  /**
+   * Password hash
+   */
+  hash?: string;
+  /**
+   * Password salt
+   */
+  salt?: string;
+  /**
+   * Temporary Reset Token
+   */
+  resetToken?: string;
+  /**
+   * End date for the reset token
+   */
+  resetExpires?: Date;
+  /**
+   * The actual password, only used on password set/update
+   */
+  password?: string;
+}
+
+/**
+ * A model-based auth service
+ */
+export class ModelAuthService<T extends ModelType> implements
+  Authenticator<T, RegisteredPrincipal>,
+  Authorizer<RegisteredPrincipal>
+{
+
+  #modelService: ModelCrudSupport;
+  #cls: Class<T>;
+
+  /**
+   * Build a Model Principal Source
+   *
+   * @param cls Model class for the principal
+   * @param toPrincipal Convert a model to an principal
+   * @param fromPrincipal Convert an identity to the model
+   */
+  constructor(
+    modelService: ModelCrudSupport,
+    cls: Class<T>,
+    public toPrincipal: (t: T) => RegisteredPrincipal,
+    public fromPrincipal: (t: Partial<RegisteredPrincipal>) => Partial<T>,
+  ) {
+    this.#modelService = modelService;
+    this.#cls = cls;
+  }
+
+  /**
+   * Retrieve user by id
+   * @param userId The user id to retrieve
+   */
+  async #retrieve(userId: string): Promise<T> {
+    return await this.#modelService.get<T>(this.#cls, userId);
+  }
+
+  /**
+   * Convert identity to a principal
+   * @param ident The registered identity to resolve
+   */
+  async #resolvePrincipal(ident: RegisteredPrincipal): Promise<RegisteredPrincipal> {
+    const user = await this.#retrieve(ident.id);
+    return this.toPrincipal(user);
+  }
+
+  /**
+   * Authenticate password for model id
+   * @param userId The user id to authenticate against
+   * @param password The password to authenticate against
+   */
+  async #authenticate(userId: string, password: string): Promise<RegisteredPrincipal> {
+    const ident = await this.#resolvePrincipal({ id: userId, details: {} });
+
+    const hash = await AuthUtil.generateHash(password, ident.salt!);
+    if (hash !== ident.hash) {
+      throw new AppError('Invalid password', 'authentication');
+    } else {
+      delete ident.password;
+      return ident;
+    }
+  }
+
+  async postConstruct(): Promise<void> {
+    if (isStorageSupported(this.#modelService) && EnvUtil.isDynamic()) {
+      await this.#modelService.createModel?.(this.#cls);
+    }
+  }
+
+  /**
+   * Register a user
+   * @param user The user to register
+   */
+  async register(user: OptionalId<T>): Promise<T> {
+    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+    const ident = this.toPrincipal(user as T);
+
+    try {
+      if (ident.id) {
+        await this.#retrieve(ident.id);
+        throw new AppError('That id is already taken.', 'data');
+      }
+    } catch (err) {
+      if (!(err instanceof NotFoundError)) {
+        throw err;
+      }
+    }
+
+    const fields = await AuthUtil.generatePassword(ident.password!);
+
+    ident.password = undefined; // Clear it out on set
+
+    Object.assign(user, this.fromPrincipal(fields));
+
+    const res: T = await this.#modelService.create(this.#cls, user);
+    return res;
+  }
+
+  /**
+   * Change a password
+   * @param userId The user id to affect
+   * @param password The new password
+   * @param oldPassword The old password
+   */
+  async changePassword(userId: string, password: string, oldPassword?: string): Promise<T> {
+    const user = await this.#retrieve(userId);
+    const ident = this.toPrincipal(user);
+
+    if (oldPassword === ident.resetToken) {
+      if (ident.resetExpires && ident.resetExpires.getTime() < Date.now()) {
+        throw new AppError('Reset token has expired', 'data');
+      }
+    } else if (oldPassword !== undefined) {
+      const pw = await AuthUtil.generateHash(oldPassword, ident.salt!);
+      if (pw !== ident.hash) {
+        throw new AppError('Old password is required to change', 'authentication');
+      }
+    }
+
+    const fields = await AuthUtil.generatePassword(password);
+    Object.assign(user, this.fromPrincipal(fields));
+
+    return await this.#modelService.update(this.#cls, user);
+  }
+
+  /**
+   * Generate a reset token
+   * @param userId The user to reset for
+   */
+  async generateResetToken(userId: string): Promise<RegisteredPrincipal> {
+    const user = await this.#retrieve(userId);
+    const ident = this.toPrincipal(user);
+    const salt = await Util.uuid();
+
+    ident.resetToken = await AuthUtil.generateHash(Util.uuid(), salt, 25000, 32);
+    ident.resetExpires = Util.timeFromNow('1h');
+
+    Object.assign(user, this.fromPrincipal(ident));
+
+    await this.#modelService.update(this.#cls, user);
+
+    return ident;
+  }
+
+  /**
+   * Authorize principal into known user
+   * @param principal
+   * @returns Authorized principal
+   */
+  authorize(principal: RegisteredPrincipal): Promise<RegisteredPrincipal> {
+    return this.#resolvePrincipal(principal);
+  }
+
+  /**
+   * Authenticate entity into a principal
+   * @param payload
+   * @returns Authenticated principal
+   */
+  authenticate(payload: T): Promise<RegisteredPrincipal> {
+    const { id, password } = this.toPrincipal(payload);
+    return this.#authenticate(id, password!);
+  }
+}

package/test-support/model.ts

@@ -0,0 +1,88 @@
+import * as assert from 'assert';
+
+import { AppError, Class } from '@travetto/base';
+import { Suite, Test } from '@travetto/test';
+import { Inject, InjectableFactory } from '@travetto/di';
+import { ModelCrudSupport, Model } from '@travetto/model';
+import { InjectableSuite } from '@travetto/di/test-support/suite';
+import { ModelSuite } from '@travetto/model/test-support/suite';
+
+import { ModelAuthService, RegisteredPrincipal } from '../src/model';
+
+export const TestModelSvcⲐ = Symbol.for('@trv:auth/test-model-svc');
+
+@Model({ autoCreate: false })
+class User implements RegisteredPrincipal {
+  id: string;
+  password?: string;
+  salt?: string;
+  hash?: string;
+  resetToken?: string;
+  resetExpires?: Date;
+  permissions?: string[];
+  details: Record<string, unknown>;
+}
+
+class TestConfig {
+  @InjectableFactory()
+  static getAuthService(@Inject(TestModelSvcⲐ) svc: ModelCrudSupport): ModelAuthService<User> {
+    const src = new ModelAuthService<User>(
+      svc,
+      User,
+      u => ({ ...u, details: u, source: 'model' }),
+      reg => User.from({ ...reg })
+    );
+    return src;
+  }
+}
+
+@Suite()
+@ModelSuite()
+@InjectableSuite()
+export abstract class AuthModelServiceSuite {
+
+  serviceClass: Class;
+  configClass: Class;
+
+  @Inject()
+  authService: ModelAuthService<User>;
+
+  @Inject(TestModelSvcⲐ)
+  svc: ModelCrudSupport;
+
+  @Test()
+  async register() {
+    const pre = User.from({
+      password: 'bob',
+      details: {}
+    });
+
+    const user = await this.authService.register(pre);
+    assert.ok(user.hash);
+    assert.ok(user.id);
+  }
+
+  @Test()
+  async authenticate() {
+    const pre = User.from({
+      id: this.svc.uuid(),
+      password: 'bob',
+      details: {}
+    });
+
+    try {
+      await this.authService.authenticate(pre);
+      assert.fail('Should not have gotten here');
+    } catch (err) {
+      if (err instanceof AppError && err.category === 'notfound') {
+        const user = await this.authService.register(pre);
+        assert.ok(user.hash);
+        assert.ok(user.id);
+      } else {
+        throw err;
+      }
+    }
+
+    await assert.doesNotReject(() => this.authService.authenticate(pre));
+  }
+}

package/src/extension/auth-rest.ts

@@ -1,21 +0,0 @@
-// @file-if @travetto/auth-rest
-import { Request, Response } from '@travetto/rest';
-import { ModelType } from '@travetto/model';
-import { IdentitySource } from '@travetto/auth-rest';
-import { Identity } from '@travetto/auth';
-
-import { ModelPrincipalSource } from '../principal';
-
-/**
- * Provides an identity verification source in conjunction with the
- * provided principal source.
- */
-export class ModelIdentitySource<U extends ModelType> implements IdentitySource {
-
-  constructor(private source: ModelPrincipalSource<U>) { }
-
-  async authenticate(req: Request, res: Response): Promise<Identity | undefined> {
-    const ident = this.source.toIdentity(req.body);
-    return this.source.authenticate(ident.id!, ident.password!);
-  }
-}

package/src/identity.ts

@@ -1,27 +0,0 @@
-import { Identity } from '@travetto/auth';
-
-/**
- * An identity that can be created/registered
- */
-export interface RegisteredIdentity extends Identity {
-  /**
-   * Password hash
-   */
-  hash: string;
-  /**
-   * Password salt
-   */
-  salt: string;
-  /**
-   * Temporary Reset Token
-   */
-  resetToken?: string;
-  /**
-   * End date for the reset token
-   */
-  resetExpires?: Date;
-  /**
-   * The actual password, only used on password set/update
-   */
-  password?: string;
-}

package/src/principal.ts

@@ -1,145 +0,0 @@
-import { AppError, Util, Class } from '@travetto/base';
-import { Inject } from '@travetto/di';
-import { ModelCrudSupport, ModelType, NotFoundError } from '@travetto/model';
-import { AuthContext, AuthUtil, Principal, PrincipalSource } from '@travetto/auth';
-
-import { RegisteredIdentity } from './identity';
-
-export const AuthModelSym = Symbol.for('@trv:auth-model/model');
-
-/**
- * A model-based principal source
- */
-export class ModelPrincipalSource<T extends ModelType> implements PrincipalSource {
-
-  @Inject(AuthModelSym)
-  private modelService: ModelCrudSupport;
-
-  /**
-   * Build a Model Principal Source
-   *
-   * @param cls Model class for the principal
-   * @param toIdentity Convert a model to an identity
-   * @param fromIdentity Convert an identity to the model
-   */
-  constructor(
-    private cls: Class<T>,
-    public toIdentity: (t: T) => RegisteredIdentity,
-    public fromIdentity: (t: Partial<RegisteredIdentity>) => Partial<T>,
-  ) { }
-
-  /**
-   * Retrieve user by id
-   * @param userId The user id to retrieve
-   */
-  async retrieve(userId: string) {
-    return await this.modelService.get<T>(this.cls, userId);
-  }
-
-  /**
-   * Convert identity to a principal
-   * @param ident The registered identity to resolve
-   */
-  async resolvePrincipal(ident: RegisteredIdentity): Promise<Principal> {
-    const user = await this.retrieve(ident.id);
-    return this.toIdentity(user);
-  }
-
-  /**
-   * Authenticate password for model id
-   * @param userId The user id to authenticate against
-   * @param password The password to authenticate against
-   */
-  async authenticate(userId: string, password: string) {
-    const user = await this.retrieve(userId);
-    const ident = await this.toIdentity(user);
-
-    const hash = await AuthUtil.generateHash(password, ident.salt);
-    if (hash !== ident.hash) {
-      throw new AppError('Invalid password', 'authentication');
-    } else {
-      delete ident.password;
-      return ident;
-    }
-  }
-
-  /**
-   * Register a user
-   * @param user The user to register
-   */
-  async register(user: T) {
-    const ident = this.toIdentity(user);
-
-    try {
-      if (ident.id) {
-        await this.retrieve(ident.id);
-        throw new AppError('That id is already taken.', 'data');
-      }
-    } catch (e) {
-      if (!(e instanceof NotFoundError)) {
-        throw e;
-      }
-    }
-
-    const fields = await AuthUtil.generatePassword(ident.password!);
-
-    ident.password = undefined; // Clear it out on set
-
-    Object.assign(user, this.fromIdentity(fields));
-
-    const res: T = await this.modelService.create(this.cls, user);
-    return res;
-  }
-
-  /**
-   * Change a password
-   * @param userId The user id to affet
-   * @param password The new password
-   * @param oldPassword The old password
-   */
-  async changePassword(userId: string, password: string, oldPassword?: string) {
-    const user = await this.retrieve(userId);
-    const ident = this.toIdentity(user);
-
-    if (oldPassword !== undefined) {
-      if (oldPassword === ident.resetToken) {
-        if (ident.resetExpires && ident.resetExpires.getTime() < Date.now()) {
-          throw new AppError('Reset token has expired', 'data');
-        }
-      } else {
-        const pw = await AuthUtil.generateHash(oldPassword, ident.salt);
-        if (pw !== ident.hash) {
-          throw new AppError('Old password is required to change', 'authentication');
-        }
-      }
-    }
-
-    const fields = await AuthUtil.generatePassword(password);
-    Object.assign(user, this.fromIdentity(fields));
-
-    return await this.modelService.update(this.cls, user);
-  }
-
-  /**
-   * Generate a reset token
-   * @param userId The user to reset for
-   */
-  async generateResetToken(userId: string): Promise<RegisteredIdentity> {
-    const user = await this.retrieve(userId);
-    const ident = this.toIdentity(user);
-    const salt = await Util.uuid();
-
-    ident.resetToken = await AuthUtil.generateHash(`${new Date().getTime()}`, salt, 25000, 32);
-    ident.resetExpires = new Date(Date.now() + (60 * 60 * 1000 /* 1 hour */));
-
-    Object.assign(user, this.fromIdentity(ident));
-
-    await this.modelService.update(this.cls, user);
-
-    return ident;
-  }
-
-  async authorize(ident: RegisteredIdentity) {
-    return new AuthContext(ident, await this.resolvePrincipal(ident));
-  }
-}

package/test-support/service.ts

@@ -1,85 +0,0 @@
-import * as assert from 'assert';
-
-import { AppError } from '@travetto/base';
-import { Suite, Test } from '@travetto/test';
-import { DependencyRegistry, InjectableFactory } from '@travetto/di';
-import { BaseModelSuite } from '@travetto/model/test-support/base';
-import { ModelCrudSupport, BaseModel, Model } from '@travetto/model';
-
-import { ModelPrincipalSource, RegisteredIdentity } from '..';
-import { AuthModelSym } from '../src/principal';
-
-@Model({
-  for: AuthModelSym
-})
-class User extends BaseModel {
-  password?: string;
-  salt?: string;
-  hash?: string;
-  resetToken?: string;
-  resetExpires?: Date;
-  permissions?: string[];
-}
-
-class TestConfig {
-  @InjectableFactory()
-  static getAuthService(): ModelPrincipalSource<User> {
-    return new ModelPrincipalSource<User>(
-      User,
-      (u) => ({
-        ...(u as unknown as RegisteredIdentity),
-        details: u,
-        permissions: u.permissions ?? [],
-        source: 'model'
-      }),
-      (registered) => User.from({
-        ...(registered as User)
-      })
-    );
-  }
-}
-
-@Suite()
-export abstract class AuthModelServiceSuite extends BaseModelSuite<ModelCrudSupport> {
-
-  get principalSource() {
-    return DependencyRegistry.getInstance<ModelPrincipalSource<User>>(ModelPrincipalSource);
-  }
-
-  @Test()
-  async register() {
-    const svc = await this.principalSource;
-
-    const pre = User.from({
-      password: 'bob'
-    });
-
-    const user = await svc.register(pre);
-    assert.ok(user.hash);
-    assert.ok(user.id);
-  }
-
-  @Test()
-  async authenticate() {
-    const svc = await this.principalSource;
-
-    const pre = User.from({
-      id: '5',
-      password: 'bob'
-    });
-
-    try {
-      await svc.authenticate(pre.id!, pre.password!);
-    } catch (err) {
-      if (err instanceof AppError && err.category === 'notfound') {
-        const user = await svc.register(pre);
-        assert.ok(user.hash);
-        assert.ok(user.id);
-      } else {
-        throw err;
-      }
-    }
-
-    await assert.doesNotReject(() => svc.authenticate(pre.id!, pre.password!));
-  }
-}