@tstdl/base 0.85.13 → 0.86.0-beta1

package/authentication/server/authentication.service.js

@@ -1,315 +1,279 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var authentication_service_exports = {};
-__export(authentication_service_exports, {
-  AuthenticationService: () => AuthenticationService,
-  AuthenticationServiceOptions: () => AuthenticationServiceOptions
-});
-module.exports = __toCommonJS(authentication_service_exports);
-var import_container = require("../../container/index.js");
-var import_invalid_token_error = require("../../error/invalid-token.error.js");
-var import_not_implemented_error = require("../../error/not-implemented.error.js");
-var import_alphabet = require("../../utils/alphabet.js");
-var import_cryptography = require("../../utils/cryptography.js");
-var import_date_time = require("../../utils/date-time.js");
-var import_equals = require("../../utils/equals.js");
-var import_jwt = require("../../utils/jwt.js");
-var import_random = require("../../utils/random.js");
-var import_type_guards = require("../../utils/type-guards.js");
-var import_units = require("../../utils/units.js");
-var import_authentication_credentials_repository = require("./authentication-credentials.repository.js");
-var import_authentication_secret_requirements_validator = require("./authentication-secret-requirements.validator.js");
-var import_authentication_secret_reset_handler = require("./authentication-secret-reset.handler.js");
-var import_authentication_session_repository = require("./authentication-session.repository.js");
-var import_authentication_subject_resolver = require("./authentication-subject.resolver.js");
-var import_authentication_token_payload_provider = require("./authentication-token-payload.provider.js");
-var import_helper = require("./helper.js");
-var __decorate = function(decorators, target, key, desc) {
-  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-  if (typeof Reflect === "object" && typeof Reflect.decorate === "function")
-    r = Reflect.decorate(decorators, target, key, desc);
-  else
-    for (var i = decorators.length - 1; i >= 0; i--)
-      if (d = decorators[i])
-        r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-  return c > 3 && r && Object.defineProperty(target, key, r), r;
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
 };
-var __metadata = function(k, v) {
-  if (typeof Reflect === "object" && typeof Reflect.metadata === "function")
-    return Reflect.metadata(k, v);
-};
-var __param = function(paramIndex, decorator) {
-  return function(target, key) {
-    decorator(target, key, paramIndex);
-  };
-};
-class AuthenticationServiceOptions {
-  /**
-   * Secrets used for signing tokens and refreshTokens
-   * If single secret is provided, multiple secrets are derived internally
-   */
-  secret;
-  /** Token version, forces refresh on mismatch (useful if payload changes) */
-  version;
-  /** How long a token is valid */
-  tokenTimeToLive;
-  /** How long a refresh token is valid. Implies session time to live. */
-  refreshTokenTimeToLive;
-  /** How long a secret reset token is valid. */
-  secretResetTokenTimeToLive;
+import { afterResolve, inject, optional, singleton } from '../../container/index.js';
+import { InvalidTokenError } from '../../error/invalid-token.error.js';
+import { NotImplementedError } from '../../error/not-implemented.error.js';
+import { Alphabet } from '../../utils/alphabet.js';
+import { deriveBytesMultiple, importPbkdf2Key } from '../../utils/cryptography.js';
+import { currentTimestamp, timestampToTimestampSeconds } from '../../utils/date-time.js';
+import { binaryEquals } from '../../utils/equals.js';
+import { createJwtTokenString } from '../../utils/jwt.js';
+import { getRandomBytes, getRandomString } from '../../utils/random.js';
+import { isBinaryData, isString, isUndefined } from '../../utils/type-guards.js';
+import { millisecondsPerDay, millisecondsPerMinute } from '../../utils/units.js';
+import { AuthenticationCredentialsRepository } from './authentication-credentials.repository.js';
+import { AuthenticationSecretRequirementsValidator } from './authentication-secret-requirements.validator.js';
+import { AuthenticationSecretResetHandler } from './authentication-secret-reset.handler.js';
+import { AuthenticationSessionRepository } from './authentication-session.repository.js';
+import { AuthenticationSubjectResolver } from './authentication-subject.resolver.js';
+import { AuthenticationTokenPayloadProvider, GetTokenPayloadContextAction } from './authentication-token-payload.provider.js';
+import { getRefreshTokenFromString, getSecretResetTokenFromString, getTokenFromString } from './helper.js';
+export class AuthenticationServiceOptions {
+    /**
+     * Secrets used for signing tokens and refreshTokens
+     * If single secret is provided, multiple secrets are derived internally
+     */
+    secret;
+    /** Token version, forces refresh on mismatch (useful if payload changes) */
+    version;
+    /** How long a token is valid */
+    tokenTimeToLive;
+    /** How long a refresh token is valid. Implies session time to live. */
+    refreshTokenTimeToLive;
+    /** How long a secret reset token is valid. */
+    secretResetTokenTimeToLive;
 }
 const SIGNING_SECRETS_LENGTH = 64;
-let AuthenticationService = class AuthenticationService2 {
-  credentialsRepository;
-  sessionRepository;
-  authenticationSecretRequirementsValidator;
-  tokenPayloadProvider;
-  subjectResolver;
-  authenticationResetSecretHandler;
-  options;
-  secret;
-  tokenVersion;
-  tokenTimeToLive;
-  refreshTokenTimeToLive;
-  secretResetTokenTimeToLive;
-  derivedTokenSigningSecret;
-  derivedRefreshTokenSigningSecret;
-  derivedSecretResetTokenSigningSecret;
-  constructor(credentialsRepository, sessionRepository, authenticationSecretRequirementsValidator, subjectResolver, tokenPayloadProvider, authenticationResetSecretHandler, options) {
-    this.credentialsRepository = credentialsRepository;
-    this.sessionRepository = sessionRepository;
-    this.authenticationSecretRequirementsValidator = authenticationSecretRequirementsValidator;
-    this.subjectResolver = subjectResolver;
-    this.tokenPayloadProvider = tokenPayloadProvider;
-    this.authenticationResetSecretHandler = authenticationResetSecretHandler;
-    this.options = options;
-    this.tokenVersion = options.version ?? 1;
-    this.tokenTimeToLive = options.tokenTimeToLive ?? 5 * import_units.millisecondsPerMinute;
-    this.refreshTokenTimeToLive = options.refreshTokenTimeToLive ?? 5 * import_units.millisecondsPerDay;
-    this.secretResetTokenTimeToLive = options.secretResetTokenTimeToLive ?? 10 * import_units.millisecondsPerMinute;
-  }
-  async [import_container.afterResolve]() {
-    await this.initialize();
-  }
-  async initialize() {
-    if ((0, import_type_guards.isString)(this.options.secret) || (0, import_type_guards.isBinaryData)(this.options.secret)) {
-      await this.deriveSigningSecrets(this.options.secret);
-    } else {
-      this.derivedTokenSigningSecret = this.options.secret.tokenSigningSecret;
-      this.derivedRefreshTokenSigningSecret = this.options.secret.refreshTokenSigningSecret;
-      this.derivedSecretResetTokenSigningSecret = this.options.secret.secretResetTokenSigningSecret;
+export let AuthenticationService = class AuthenticationService {
+    credentialsRepository;
+    sessionRepository;
+    authenticationSecretRequirementsValidator;
+    tokenPayloadProvider;
+    subjectResolver;
+    authenticationResetSecretHandler;
+    options;
+    secret;
+    tokenVersion;
+    tokenTimeToLive;
+    refreshTokenTimeToLive;
+    secretResetTokenTimeToLive;
+    derivedTokenSigningSecret;
+    derivedRefreshTokenSigningSecret;
+    derivedSecretResetTokenSigningSecret;
+    constructor(credentialsRepository, sessionRepository, authenticationSecretRequirementsValidator, subjectResolver, tokenPayloadProvider, authenticationResetSecretHandler, options) {
+        this.credentialsRepository = credentialsRepository;
+        this.sessionRepository = sessionRepository;
+        this.authenticationSecretRequirementsValidator = authenticationSecretRequirementsValidator;
+        this.subjectResolver = subjectResolver;
+        this.tokenPayloadProvider = tokenPayloadProvider;
+        this.authenticationResetSecretHandler = authenticationResetSecretHandler;
+        this.options = options;
+        this.tokenVersion = options.version ?? 1;
+        this.tokenTimeToLive = options.tokenTimeToLive ?? (5 * millisecondsPerMinute);
+        this.refreshTokenTimeToLive = options.refreshTokenTimeToLive ?? (5 * millisecondsPerDay);
+        this.secretResetTokenTimeToLive = options.secretResetTokenTimeToLive ?? (10 * millisecondsPerMinute);
+    }
+    async [afterResolve]() {
+        await this.initialize();
+    }
+    async initialize() {
+        if (isString(this.options.secret) || isBinaryData(this.options.secret)) {
+            await this.deriveSigningSecrets(this.options.secret);
+        }
+        else {
+            this.derivedTokenSigningSecret = this.options.secret.tokenSigningSecret;
+            this.derivedRefreshTokenSigningSecret = this.options.secret.refreshTokenSigningSecret;
+            this.derivedSecretResetTokenSigningSecret = this.options.secret.secretResetTokenSigningSecret;
+        }
+    }
+    async setCredentials(subject, secret) {
+        const actualSubject = await this.resolveSubject(subject);
+        await this.authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
+        const salt = getRandomBytes(32);
+        const hash = await this.getHash(secret, salt);
+        const credentials = {
+            subject: actualSubject,
+            hashVersion: 1,
+            salt,
+            hash
+        };
+        await this.credentialsRepository.save(credentials);
+    }
+    async authenticate(subject, secret) {
+        const actualSubject = await this.resolveSubject(subject);
+        const credentials = await this.credentialsRepository.tryLoadBySubject(actualSubject);
+        if (isUndefined(credentials)) {
+            return { success: false };
+        }
+        const hash = await this.getHash(secret, credentials.salt);
+        const valid = binaryEquals(hash, credentials.hash);
+        if (valid) {
+            return { success: true, subject: credentials.subject };
+        }
+        return { success: false };
+    }
+    async getToken(subject, authenticationData) {
+        const actualSubject = await this.resolveSubject(subject);
+        const now = currentTimestamp();
+        const end = now + this.refreshTokenTimeToLive;
+        const session = await this.sessionRepository.insert({
+            subject: actualSubject,
+            begin: now,
+            end,
+            refreshTokenHashVersion: 0,
+            refreshTokenSalt: new Uint8Array(),
+            refreshTokenHash: new Uint8Array()
+        });
+        const tokenPayload = await this.tokenPayloadProvider?.getTokenPayload(actualSubject, authenticationData, { action: GetTokenPayloadContextAction.GetToken });
+        const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: actualSubject, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
+        const refreshToken = await this.createRefreshToken(actualSubject, session.id, end);
+        await this.sessionRepository.extend(session.id, {
+            end,
+            refreshTokenHashVersion: 1,
+            refreshTokenSalt: refreshToken.salt,
+            refreshTokenHash: refreshToken.hash
+        });
+        return { token, jsonToken, refreshToken: refreshToken.token };
+    }
+    async endSession(sessionId) {
+        const now = currentTimestamp();
+        await this.sessionRepository.end(sessionId, now);
+    }
+    async refresh(refreshToken, authenticationData) {
+        const validatedToken = await this.validateRefreshToken(refreshToken);
+        const sessionId = validatedToken.payload.sessionId;
+        const session = await this.sessionRepository.load(sessionId);
+        const hash = await this.getHash(validatedToken.payload.secret, session.refreshTokenSalt);
+        if (session.end <= currentTimestamp()) {
+            throw new InvalidTokenError('Session is expired.');
+        }
+        if (!binaryEquals(hash, session.refreshTokenHash)) {
+            throw new InvalidTokenError('Invalid refresh token.');
+        }
+        const now = currentTimestamp();
+        const newEnd = now + this.refreshTokenTimeToLive;
+        const tokenPayload = await this.tokenPayloadProvider?.getTokenPayload(session.subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
+        const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: session.subject, sessionId, refreshTokenExpiration: newEnd, timestamp: now });
+        const newRefreshToken = await this.createRefreshToken(validatedToken.payload.subject, sessionId, newEnd);
+        await this.sessionRepository.extend(sessionId, {
+            end: newEnd,
+            refreshTokenHashVersion: 1,
+            refreshTokenSalt: newRefreshToken.salt,
+            refreshTokenHash: newRefreshToken.hash
+        });
+        return { token, jsonToken, refreshToken: newRefreshToken.token };
+    }
+    async initResetSecret(subject) {
+        if (isUndefined(this.authenticationResetSecretHandler)) {
+            throw new NotImplementedError();
+        }
+        const actualSubject = await this.resolveSubject(subject);
+        const secretResetToken = await this.createSecretResetToken(actualSubject, currentTimestamp() + this.secretResetTokenTimeToLive);
+        const initSecretResetData = {
+            subject: actualSubject,
+            token: secretResetToken.token
+        };
+        await this.authenticationResetSecretHandler.handleInitSecretReset(initSecretResetData);
+    }
+    async resetSecret(tokenString, newSecret) {
+        const token = await this.validateSecretResetToken(tokenString);
+        await this.setCredentials(token.payload.subject, newSecret);
+    }
+    async checkSecret(secret) {
+        return this.authenticationSecretRequirementsValidator.checkSecretRequirements(secret);
+    }
+    async validateToken(token) {
+        return getTokenFromString(token, this.tokenVersion, this.derivedTokenSigningSecret);
+    }
+    async validateRefreshToken(token) {
+        return getRefreshTokenFromString(token, this.derivedRefreshTokenSigningSecret);
+    }
+    async validateSecretResetToken(token) {
+        return getSecretResetTokenFromString(token, this.derivedSecretResetTokenSigningSecret);
+    }
+    async resolveSubject(subject) {
+        return this.subjectResolver?.resolveSubject(subject) ?? subject;
     }
-  }
-  async setCredentials(subject, secret) {
-    const actualSubject = await this.resolveSubject(subject);
-    await this.authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
-    const salt = (0, import_random.getRandomBytes)(32);
-    const hash = await this.getHash(secret, salt);
-    const credentials = {
-      subject: actualSubject,
-      hashVersion: 1,
-      salt,
-      hash
-    };
-    await this.credentialsRepository.save(credentials);
-  }
-  async authenticate(subject, secret) {
-    const actualSubject = await this.resolveSubject(subject);
-    const credentials = await this.credentialsRepository.tryLoadBySubject(actualSubject);
-    if ((0, import_type_guards.isUndefined)(credentials)) {
-      return { success: false };
+    /** Creates a token without session or refresh token and is not saved in database */
+    async createToken({ tokenVersion, jwtId, issuedAt, expiration, additionalTokenPayload, subject, sessionId, refreshTokenExpiration, timestamp = currentTimestamp() }) {
+        const header = {
+            v: tokenVersion ?? this.tokenVersion,
+            alg: 'HS256',
+            typ: 'JWT'
+        };
+        const payload = {
+            jti: jwtId ?? getRandomString(24, Alphabet.LowerUpperCaseNumbers),
+            iat: issuedAt ?? timestampToTimestampSeconds(timestamp),
+            exp: expiration ?? timestampToTimestampSeconds(timestamp + this.tokenTimeToLive),
+            refreshTokenExp: timestampToTimestampSeconds(refreshTokenExpiration),
+            sessionId,
+            subject,
+            ...additionalTokenPayload
+        };
+        const jsonToken = {
+            header,
+            payload
+        };
+        const token = await createJwtTokenString(jsonToken, this.derivedTokenSigningSecret);
+        return { token, jsonToken };
     }
-    const hash = await this.getHash(secret, credentials.salt);
-    const valid = (0, import_equals.binaryEquals)(hash, credentials.hash);
-    if (valid) {
-      return { success: true, subject: credentials.subject };
+    /** Creates a refresh token without session or something else. */
+    async createRefreshToken(subject, sessionId, expirationTimestamp) {
+        const secret = getRandomString(64, Alphabet.LowerUpperCaseNumbers);
+        const salt = getRandomBytes(32);
+        const hash = await this.getHash(secret, salt);
+        const jsonToken = {
+            header: {
+                alg: 'HS256',
+                typ: 'JWT'
+            },
+            payload: {
+                exp: timestampToTimestampSeconds(expirationTimestamp),
+                subject,
+                sessionId,
+                secret
+            }
+        };
+        const token = await createJwtTokenString(jsonToken, this.derivedRefreshTokenSigningSecret);
+        return { token, jsonToken, salt, hash: new Uint8Array(hash) };
     }
-    return { success: false };
-  }
-  async getToken(subject, authenticationData) {
-    const actualSubject = await this.resolveSubject(subject);
-    const now = (0, import_date_time.currentTimestamp)();
-    const end = now + this.refreshTokenTimeToLive;
-    const session = await this.sessionRepository.insert({
-      subject: actualSubject,
-      begin: now,
-      end,
-      refreshTokenHashVersion: 0,
-      refreshTokenSalt: new Uint8Array(),
-      refreshTokenHash: new Uint8Array()
-    });
-    const tokenPayload = await this.tokenPayloadProvider?.getTokenPayload(actualSubject, authenticationData, { action: import_authentication_token_payload_provider.GetTokenPayloadContextAction.GetToken });
-    const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: actualSubject, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
-    const refreshToken = await this.createRefreshToken(actualSubject, session.id, end);
-    await this.sessionRepository.extend(session.id, {
-      end,
-      refreshTokenHashVersion: 1,
-      refreshTokenSalt: refreshToken.salt,
-      refreshTokenHash: refreshToken.hash
-    });
-    return { token, jsonToken, refreshToken: refreshToken.token };
-  }
-  async endSession(sessionId) {
-    const now = (0, import_date_time.currentTimestamp)();
-    await this.sessionRepository.end(sessionId, now);
-  }
-  async refresh(refreshToken, authenticationData) {
-    const validatedToken = await this.validateRefreshToken(refreshToken);
-    const sessionId = validatedToken.payload.sessionId;
-    const session = await this.sessionRepository.load(sessionId);
-    const hash = await this.getHash(validatedToken.payload.secret, session.refreshTokenSalt);
-    if (session.end <= (0, import_date_time.currentTimestamp)()) {
-      throw new import_invalid_token_error.InvalidTokenError("Session is expired.");
+    async createSecretResetToken(subject, expirationTimestamp) {
+        const jsonToken = {
+            header: {
+                alg: 'HS256',
+                typ: 'JWT'
+            },
+            payload: {
+                exp: timestampToTimestampSeconds(expirationTimestamp),
+                subject
+            }
+        };
+        const token = await createJwtTokenString(jsonToken, this.derivedSecretResetTokenSigningSecret);
+        return { token, jsonToken };
     }
-    if (!(0, import_equals.binaryEquals)(hash, session.refreshTokenHash)) {
-      throw new import_invalid_token_error.InvalidTokenError("Invalid refresh token.");
+    async deriveSigningSecrets(secret) {
+        const key = await importPbkdf2Key(secret);
+        const algorithm = { name: 'PBKDF2', hash: 'SHA-512', iterations: 500000, salt: new Uint8Array() };
+        const [derivedTokenSigningSecret, derivedRefreshTokenSigningSecret, derivedSecretResetTokenSigningSecret] = await deriveBytesMultiple(algorithm, key, 3, SIGNING_SECRETS_LENGTH);
+        this.derivedTokenSigningSecret = derivedTokenSigningSecret;
+        this.derivedRefreshTokenSigningSecret = derivedRefreshTokenSigningSecret;
+        this.derivedSecretResetTokenSigningSecret = derivedSecretResetTokenSigningSecret;
     }
-    const now = (0, import_date_time.currentTimestamp)();
-    const newEnd = now + this.refreshTokenTimeToLive;
-    const tokenPayload = await this.tokenPayloadProvider?.getTokenPayload(session.subject, authenticationData, { action: import_authentication_token_payload_provider.GetTokenPayloadContextAction.Refresh });
-    const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: session.subject, sessionId, refreshTokenExpiration: newEnd, timestamp: now });
-    const newRefreshToken = await this.createRefreshToken(validatedToken.payload.subject, sessionId, newEnd);
-    await this.sessionRepository.extend(sessionId, {
-      end: newEnd,
-      refreshTokenHashVersion: 1,
-      refreshTokenSalt: newRefreshToken.salt,
-      refreshTokenHash: newRefreshToken.hash
-    });
-    return { token, jsonToken, refreshToken: newRefreshToken.token };
-  }
-  async initResetSecret(subject) {
-    if ((0, import_type_guards.isUndefined)(this.authenticationResetSecretHandler)) {
-      throw new import_not_implemented_error.NotImplementedError();
+    async getHash(secret, salt) {
+        const key = await importPbkdf2Key(secret);
+        const hash = await globalThis.crypto.subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-512', iterations: 250000, salt }, key, 512);
+        return new Uint8Array(hash);
     }
-    const actualSubject = await this.resolveSubject(subject);
-    const secretResetToken = await this.createSecretResetToken(actualSubject, (0, import_date_time.currentTimestamp)() + this.secretResetTokenTimeToLive);
-    const initSecretResetData = {
-      subject: actualSubject,
-      token: secretResetToken.token
-    };
-    await this.authenticationResetSecretHandler.handleInitSecretReset(initSecretResetData);
-  }
-  async resetSecret(tokenString, newSecret) {
-    const token = await this.validateSecretResetToken(tokenString);
-    await this.setCredentials(token.payload.subject, newSecret);
-  }
-  async checkSecret(secret) {
-    return this.authenticationSecretRequirementsValidator.checkSecretRequirements(secret);
-  }
-  async validateToken(token) {
-    return (0, import_helper.getTokenFromString)(token, this.tokenVersion, this.derivedTokenSigningSecret);
-  }
-  async validateRefreshToken(token) {
-    return (0, import_helper.getRefreshTokenFromString)(token, this.derivedRefreshTokenSigningSecret);
-  }
-  async validateSecretResetToken(token) {
-    return (0, import_helper.getSecretResetTokenFromString)(token, this.derivedSecretResetTokenSigningSecret);
-  }
-  async resolveSubject(subject) {
-    return this.subjectResolver?.resolveSubject(subject) ?? subject;
-  }
-  /** Creates a token without session or refresh token and is not saved in database */
-  async createToken({ tokenVersion, jwtId, issuedAt, expiration, additionalTokenPayload, subject, sessionId, refreshTokenExpiration, timestamp = (0, import_date_time.currentTimestamp)() }) {
-    const header = {
-      v: tokenVersion ?? this.tokenVersion,
-      alg: "HS256",
-      typ: "JWT"
-    };
-    const payload = {
-      jti: jwtId ?? (0, import_random.getRandomString)(24, import_alphabet.Alphabet.LowerUpperCaseNumbers),
-      iat: issuedAt ?? (0, import_date_time.timestampToTimestampSeconds)(timestamp),
-      exp: expiration ?? (0, import_date_time.timestampToTimestampSeconds)(timestamp + this.tokenTimeToLive),
-      refreshTokenExp: (0, import_date_time.timestampToTimestampSeconds)(refreshTokenExpiration),
-      sessionId,
-      subject,
-      ...additionalTokenPayload
-    };
-    const jsonToken = {
-      header,
-      payload
-    };
-    const token = await (0, import_jwt.createJwtTokenString)(jsonToken, this.derivedTokenSigningSecret);
-    return { token, jsonToken };
-  }
-  /** Creates a refresh token without session or something else. */
-  async createRefreshToken(subject, sessionId, expirationTimestamp) {
-    const secret = (0, import_random.getRandomString)(64, import_alphabet.Alphabet.LowerUpperCaseNumbers);
-    const salt = (0, import_random.getRandomBytes)(32);
-    const hash = await this.getHash(secret, salt);
-    const jsonToken = {
-      header: {
-        alg: "HS256",
-        typ: "JWT"
-      },
-      payload: {
-        exp: (0, import_date_time.timestampToTimestampSeconds)(expirationTimestamp),
-        subject,
-        sessionId,
-        secret
-      }
-    };
-    const token = await (0, import_jwt.createJwtTokenString)(jsonToken, this.derivedRefreshTokenSigningSecret);
-    return { token, jsonToken, salt, hash: new Uint8Array(hash) };
-  }
-  async createSecretResetToken(subject, expirationTimestamp) {
-    const jsonToken = {
-      header: {
-        alg: "HS256",
-        typ: "JWT"
-      },
-      payload: {
-        exp: (0, import_date_time.timestampToTimestampSeconds)(expirationTimestamp),
-        subject
-      }
-    };
-    const token = await (0, import_jwt.createJwtTokenString)(jsonToken, this.derivedSecretResetTokenSigningSecret);
-    return { token, jsonToken };
-  }
-  async deriveSigningSecrets(secret) {
-    const key = await (0, import_cryptography.importPbkdf2Key)(secret);
-    const algorithm = { name: "PBKDF2", hash: "SHA-512", iterations: 5e5, salt: new Uint8Array() };
-    const [derivedTokenSigningSecret, derivedRefreshTokenSigningSecret, derivedSecretResetTokenSigningSecret] = await (0, import_cryptography.deriveBytesMultiple)(algorithm, key, 3, SIGNING_SECRETS_LENGTH);
-    this.derivedTokenSigningSecret = derivedTokenSigningSecret;
-    this.derivedRefreshTokenSigningSecret = derivedRefreshTokenSigningSecret;
-    this.derivedSecretResetTokenSigningSecret = derivedSecretResetTokenSigningSecret;
-  }
-  async getHash(secret, salt) {
-    const key = await (0, import_cryptography.importPbkdf2Key)(secret);
-    const hash = await globalThis.crypto.subtle.deriveBits({ name: "PBKDF2", hash: "SHA-512", iterations: 25e4, salt }, key, 512);
-    return new Uint8Array(hash);
-  }
 };
 AuthenticationService = __decorate([
-  (0, import_container.singleton)(),
-  __param(3, (0, import_container.inject)(import_authentication_subject_resolver.AuthenticationSubjectResolver)),
-  __param(3, (0, import_container.optional)()),
-  __param(4, (0, import_container.inject)(import_authentication_token_payload_provider.AuthenticationTokenPayloadProvider)),
-  __param(4, (0, import_container.optional)()),
-  __param(5, (0, import_container.inject)(import_authentication_secret_reset_handler.AuthenticationSecretResetHandler)),
-  __param(5, (0, import_container.optional)()),
-  __metadata("design:paramtypes", [
-    import_authentication_credentials_repository.AuthenticationCredentialsRepository,
-    import_authentication_session_repository.AuthenticationSessionRepository,
-    import_authentication_secret_requirements_validator.AuthenticationSecretRequirementsValidator,
-    Object,
-    Object,
-    Object,
-    AuthenticationServiceOptions
-  ])
+    singleton(),
+    __param(3, inject(AuthenticationSubjectResolver)),
+    __param(3, optional()),
+    __param(4, inject(AuthenticationTokenPayloadProvider)),
+    __param(4, optional()),
+    __param(5, inject(AuthenticationSecretResetHandler)),
+    __param(5, optional()),
+    __metadata("design:paramtypes", [AuthenticationCredentialsRepository,
+        AuthenticationSessionRepository,
+        AuthenticationSecretRequirementsValidator, Object, Object, Object, AuthenticationServiceOptions])
 ], AuthenticationService);