@tstdl/base 0.86.0-beta2 → 0.86.0-beta3

package/authentication/server/authentication.service.js

@@ -1,279 +1,323 @@
-var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
-    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-    return c > 3 && r && Object.defineProperty(target, key, r), r;
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
 };
-var __metadata = (this && this.__metadata) || function (k, v) {
-    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
 };
-var __param = (this && this.__param) || function (paramIndex, decorator) {
-    return function (target, key) { decorator(target, key, paramIndex); }
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var authentication_service_exports = {};
+__export(authentication_service_exports, {
+  AuthenticationService: () => AuthenticationService,
+  AuthenticationServiceOptions: () => AuthenticationServiceOptions
+});
+module.exports = __toCommonJS(authentication_service_exports);
+var import_invalid_token_error = require("../../error/invalid-token.error.js");
+var import_not_implemented_error = require("../../error/not-implemented.error.js");
+var import_injector = require("../../injector/index.js");
+var import_alphabet = require("../../utils/alphabet.js");
+var import_cryptography = require("../../utils/cryptography.js");
+var import_date_time = require("../../utils/date-time.js");
+var import_equals = require("../../utils/equals.js");
+var import_jwt = require("../../utils/jwt.js");
+var import_random = require("../../utils/random.js");
+var import_type_guards = require("../../utils/type-guards.js");
+var import_units = require("../../utils/units.js");
+var import_authentication_credentials_repository = require("./authentication-credentials.repository.js");
+var import_authentication_secret_requirements_validator = require("./authentication-secret-requirements.validator.js");
+var import_authentication_secret_reset_handler = require("./authentication-secret-reset.handler.js");
+var import_authentication_session_repository = require("./authentication-session.repository.js");
+var import_authentication_subject_resolver = require("./authentication-subject.resolver.js");
+var import_authentication_token_payload_provider = require("./authentication-token-payload.provider.js");
+var import_helper = require("./helper.js");
+var __decorate = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function")
+    r = Reflect.decorate(decorators, target, key, desc);
+  else
+    for (var i = decorators.length - 1; i >= 0; i--)
+      if (d = decorators[i])
+        r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-import { afterResolve, inject, optional, singleton } from '../../container/index.js';
-import { InvalidTokenError } from '../../error/invalid-token.error.js';
-import { NotImplementedError } from '../../error/not-implemented.error.js';
-import { Alphabet } from '../../utils/alphabet.js';
-import { deriveBytesMultiple, importPbkdf2Key } from '../../utils/cryptography.js';
-import { currentTimestamp, timestampToTimestampSeconds } from '../../utils/date-time.js';
-import { binaryEquals } from '../../utils/equals.js';
-import { createJwtTokenString } from '../../utils/jwt.js';
-import { getRandomBytes, getRandomString } from '../../utils/random.js';
-import { isBinaryData, isString, isUndefined } from '../../utils/type-guards.js';
-import { millisecondsPerDay, millisecondsPerMinute } from '../../utils/units.js';
-import { AuthenticationCredentialsRepository } from './authentication-credentials.repository.js';
-import { AuthenticationSecretRequirementsValidator } from './authentication-secret-requirements.validator.js';
-import { AuthenticationSecretResetHandler } from './authentication-secret-reset.handler.js';
-import { AuthenticationSessionRepository } from './authentication-session.repository.js';
-import { AuthenticationSubjectResolver } from './authentication-subject.resolver.js';
-import { AuthenticationTokenPayloadProvider, GetTokenPayloadContextAction } from './authentication-token-payload.provider.js';
-import { getRefreshTokenFromString, getSecretResetTokenFromString, getTokenFromString } from './helper.js';
-export class AuthenticationServiceOptions {
-    /**
-     * Secrets used for signing tokens and refreshTokens
-     * If single secret is provided, multiple secrets are derived internally
-     */
-    secret;
-    /** Token version, forces refresh on mismatch (useful if payload changes) */
-    version;
-    /** How long a token is valid */
-    tokenTimeToLive;
-    /** How long a refresh token is valid. Implies session time to live. */
-    refreshTokenTimeToLive;
-    /** How long a secret reset token is valid. */
-    secretResetTokenTimeToLive;
+var __metadata = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function")
+    return Reflect.metadata(k, v);
+};
+var __param = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+class AuthenticationServiceOptions {
+  /**
+   * Secrets used for signing tokens and refreshTokens
+   * If single secret is provided, multiple secrets are derived internally
+   */
+  secret;
+  /** Token version, forces refresh on mismatch (useful if payload changes) */
+  version;
+  /** How long a token is valid */
+  tokenTimeToLive;
+  /** How long a refresh token is valid. Implies session time to live. */
+  refreshTokenTimeToLive;
+  /** How long a secret reset token is valid. */
+  secretResetTokenTimeToLive;
 }
 const SIGNING_SECRETS_LENGTH = 64;
-export let AuthenticationService = class AuthenticationService {
-    credentialsRepository;
-    sessionRepository;
-    authenticationSecretRequirementsValidator;
-    tokenPayloadProvider;
-    subjectResolver;
-    authenticationResetSecretHandler;
-    options;
-    secret;
-    tokenVersion;
-    tokenTimeToLive;
-    refreshTokenTimeToLive;
-    secretResetTokenTimeToLive;
-    derivedTokenSigningSecret;
-    derivedRefreshTokenSigningSecret;
-    derivedSecretResetTokenSigningSecret;
-    constructor(credentialsRepository, sessionRepository, authenticationSecretRequirementsValidator, subjectResolver, tokenPayloadProvider, authenticationResetSecretHandler, options) {
-        this.credentialsRepository = credentialsRepository;
-        this.sessionRepository = sessionRepository;
-        this.authenticationSecretRequirementsValidator = authenticationSecretRequirementsValidator;
-        this.subjectResolver = subjectResolver;
-        this.tokenPayloadProvider = tokenPayloadProvider;
-        this.authenticationResetSecretHandler = authenticationResetSecretHandler;
-        this.options = options;
-        this.tokenVersion = options.version ?? 1;
-        this.tokenTimeToLive = options.tokenTimeToLive ?? (5 * millisecondsPerMinute);
-        this.refreshTokenTimeToLive = options.refreshTokenTimeToLive ?? (5 * millisecondsPerDay);
-        this.secretResetTokenTimeToLive = options.secretResetTokenTimeToLive ?? (10 * millisecondsPerMinute);
-    }
-    async [afterResolve]() {
-        await this.initialize();
-    }
-    async initialize() {
-        if (isString(this.options.secret) || isBinaryData(this.options.secret)) {
-            await this.deriveSigningSecrets(this.options.secret);
-        }
-        else {
-            this.derivedTokenSigningSecret = this.options.secret.tokenSigningSecret;
-            this.derivedRefreshTokenSigningSecret = this.options.secret.refreshTokenSigningSecret;
-            this.derivedSecretResetTokenSigningSecret = this.options.secret.secretResetTokenSigningSecret;
-        }
-    }
-    async setCredentials(subject, secret) {
-        const actualSubject = await this.resolveSubject(subject);
-        await this.authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
-        const salt = getRandomBytes(32);
-        const hash = await this.getHash(secret, salt);
-        const credentials = {
-            subject: actualSubject,
-            hashVersion: 1,
-            salt,
-            hash
-        };
-        await this.credentialsRepository.save(credentials);
-    }
-    async authenticate(subject, secret) {
-        const actualSubject = await this.resolveSubject(subject);
-        const credentials = await this.credentialsRepository.tryLoadBySubject(actualSubject);
-        if (isUndefined(credentials)) {
-            return { success: false };
-        }
-        const hash = await this.getHash(secret, credentials.salt);
-        const valid = binaryEquals(hash, credentials.hash);
-        if (valid) {
-            return { success: true, subject: credentials.subject };
-        }
-        return { success: false };
-    }
-    async getToken(subject, authenticationData) {
-        const actualSubject = await this.resolveSubject(subject);
-        const now = currentTimestamp();
-        const end = now + this.refreshTokenTimeToLive;
-        const session = await this.sessionRepository.insert({
-            subject: actualSubject,
-            begin: now,
-            end,
-            refreshTokenHashVersion: 0,
-            refreshTokenSalt: new Uint8Array(),
-            refreshTokenHash: new Uint8Array()
-        });
-        const tokenPayload = await this.tokenPayloadProvider?.getTokenPayload(actualSubject, authenticationData, { action: GetTokenPayloadContextAction.GetToken });
-        const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: actualSubject, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
-        const refreshToken = await this.createRefreshToken(actualSubject, session.id, end);
-        await this.sessionRepository.extend(session.id, {
-            end,
-            refreshTokenHashVersion: 1,
-            refreshTokenSalt: refreshToken.salt,
-            refreshTokenHash: refreshToken.hash
-        });
-        return { token, jsonToken, refreshToken: refreshToken.token };
-    }
-    async endSession(sessionId) {
-        const now = currentTimestamp();
-        await this.sessionRepository.end(sessionId, now);
-    }
-    async refresh(refreshToken, authenticationData) {
-        const validatedToken = await this.validateRefreshToken(refreshToken);
-        const sessionId = validatedToken.payload.sessionId;
-        const session = await this.sessionRepository.load(sessionId);
-        const hash = await this.getHash(validatedToken.payload.secret, session.refreshTokenSalt);
-        if (session.end <= currentTimestamp()) {
-            throw new InvalidTokenError('Session is expired.');
-        }
-        if (!binaryEquals(hash, session.refreshTokenHash)) {
-            throw new InvalidTokenError('Invalid refresh token.');
-        }
-        const now = currentTimestamp();
-        const newEnd = now + this.refreshTokenTimeToLive;
-        const tokenPayload = await this.tokenPayloadProvider?.getTokenPayload(session.subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
-        const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: session.subject, sessionId, refreshTokenExpiration: newEnd, timestamp: now });
-        const newRefreshToken = await this.createRefreshToken(validatedToken.payload.subject, sessionId, newEnd);
-        await this.sessionRepository.extend(sessionId, {
-            end: newEnd,
-            refreshTokenHashVersion: 1,
-            refreshTokenSalt: newRefreshToken.salt,
-            refreshTokenHash: newRefreshToken.hash
-        });
-        return { token, jsonToken, refreshToken: newRefreshToken.token };
-    }
-    async initResetSecret(subject) {
-        if (isUndefined(this.authenticationResetSecretHandler)) {
-            throw new NotImplementedError();
-        }
-        const actualSubject = await this.resolveSubject(subject);
-        const secretResetToken = await this.createSecretResetToken(actualSubject, currentTimestamp() + this.secretResetTokenTimeToLive);
-        const initSecretResetData = {
-            subject: actualSubject,
-            token: secretResetToken.token
-        };
-        await this.authenticationResetSecretHandler.handleInitSecretReset(initSecretResetData);
-    }
-    async resetSecret(tokenString, newSecret) {
-        const token = await this.validateSecretResetToken(tokenString);
-        await this.setCredentials(token.payload.subject, newSecret);
-    }
-    async checkSecret(secret) {
-        return this.authenticationSecretRequirementsValidator.checkSecretRequirements(secret);
-    }
-    async validateToken(token) {
-        return getTokenFromString(token, this.tokenVersion, this.derivedTokenSigningSecret);
-    }
-    async validateRefreshToken(token) {
-        return getRefreshTokenFromString(token, this.derivedRefreshTokenSigningSecret);
-    }
-    async validateSecretResetToken(token) {
-        return getSecretResetTokenFromString(token, this.derivedSecretResetTokenSigningSecret);
+let AuthenticationService = class AuthenticationService2 {
+  credentialsRepository;
+  sessionRepository;
+  authenticationSecretRequirementsValidator;
+  tokenPayloadProvider;
+  subjectResolver;
+  authenticationResetSecretHandler;
+  options;
+  secret;
+  tokenVersion;
+  tokenTimeToLive;
+  refreshTokenTimeToLive;
+  secretResetTokenTimeToLive;
+  derivedTokenSigningSecret;
+  derivedRefreshTokenSigningSecret;
+  derivedSecretResetTokenSigningSecret;
+  constructor(credentialsRepository, sessionRepository, authenticationSecretRequirementsValidator, subjectResolver, tokenPayloadProvider, authenticationResetSecretHandler, options) {
+    this.credentialsRepository = credentialsRepository;
+    this.sessionRepository = sessionRepository;
+    this.authenticationSecretRequirementsValidator = authenticationSecretRequirementsValidator;
+    this.subjectResolver = subjectResolver;
+    this.tokenPayloadProvider = tokenPayloadProvider;
+    this.authenticationResetSecretHandler = authenticationResetSecretHandler;
+    this.options = options;
+    this.tokenVersion = options.version ?? 1;
+    this.tokenTimeToLive = options.tokenTimeToLive ?? 5 * import_units.millisecondsPerMinute;
+    this.refreshTokenTimeToLive = options.refreshTokenTimeToLive ?? 5 * import_units.millisecondsPerDay;
+    this.secretResetTokenTimeToLive = options.secretResetTokenTimeToLive ?? 10 * import_units.millisecondsPerMinute;
+  }
+  async [import_injector.afterResolve]() {
+    await this.initialize();
+  }
+  async initialize() {
+    if ((0, import_type_guards.isString)(this.options.secret) || (0, import_type_guards.isBinaryData)(this.options.secret)) {
+      await this.deriveSigningSecrets(this.options.secret);
+    } else {
+      this.derivedTokenSigningSecret = this.options.secret.tokenSigningSecret;
+      this.derivedRefreshTokenSigningSecret = this.options.secret.refreshTokenSigningSecret;
+      this.derivedSecretResetTokenSigningSecret = this.options.secret.secretResetTokenSigningSecret;
     }
-    async resolveSubject(subject) {
-        return this.subjectResolver?.resolveSubject(subject) ?? subject;
+  }
+  async setCredentials(subject, secret, options) {
+    const actualSubject = await this.resolveSubject(subject);
+    if (options?.skipValidation != true) {
+      await this.authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
     }
-    /** Creates a token without session or refresh token and is not saved in database */
-    async createToken({ tokenVersion, jwtId, issuedAt, expiration, additionalTokenPayload, subject, sessionId, refreshTokenExpiration, timestamp = currentTimestamp() }) {
-        const header = {
-            v: tokenVersion ?? this.tokenVersion,
-            alg: 'HS256',
-            typ: 'JWT'
-        };
-        const payload = {
-            jti: jwtId ?? getRandomString(24, Alphabet.LowerUpperCaseNumbers),
-            iat: issuedAt ?? timestampToTimestampSeconds(timestamp),
-            exp: expiration ?? timestampToTimestampSeconds(timestamp + this.tokenTimeToLive),
-            refreshTokenExp: timestampToTimestampSeconds(refreshTokenExpiration),
-            sessionId,
-            subject,
-            ...additionalTokenPayload
-        };
-        const jsonToken = {
-            header,
-            payload
-        };
-        const token = await createJwtTokenString(jsonToken, this.derivedTokenSigningSecret);
-        return { token, jsonToken };
+    const salt = (0, import_random.getRandomBytes)(32);
+    const hash = await this.getHash(secret, salt);
+    const credentials = {
+      subject: actualSubject,
+      hashVersion: 1,
+      salt,
+      hash
+    };
+    await this.credentialsRepository.save(credentials);
+  }
+  async authenticate(subject, secret) {
+    const actualSubject = await this.resolveSubject(subject);
+    const credentials = await this.credentialsRepository.tryLoadBySubject(actualSubject);
+    if ((0, import_type_guards.isUndefined)(credentials)) {
+      return { success: false };
     }
-    /** Creates a refresh token without session or something else. */
-    async createRefreshToken(subject, sessionId, expirationTimestamp) {
-        const secret = getRandomString(64, Alphabet.LowerUpperCaseNumbers);
-        const salt = getRandomBytes(32);
-        const hash = await this.getHash(secret, salt);
-        const jsonToken = {
-            header: {
-                alg: 'HS256',
-                typ: 'JWT'
-            },
-            payload: {
-                exp: timestampToTimestampSeconds(expirationTimestamp),
-                subject,
-                sessionId,
-                secret
-            }
-        };
-        const token = await createJwtTokenString(jsonToken, this.derivedRefreshTokenSigningSecret);
-        return { token, jsonToken, salt, hash: new Uint8Array(hash) };
+    const hash = await this.getHash(secret, credentials.salt);
+    const valid = (0, import_equals.binaryEquals)(hash, credentials.hash);
+    if (valid) {
+      return { success: true, subject: credentials.subject };
     }
-    async createSecretResetToken(subject, expirationTimestamp) {
-        const jsonToken = {
-            header: {
-                alg: 'HS256',
-                typ: 'JWT'
-            },
-            payload: {
-                exp: timestampToTimestampSeconds(expirationTimestamp),
-                subject
-            }
-        };
-        const token = await createJwtTokenString(jsonToken, this.derivedSecretResetTokenSigningSecret);
-        return { token, jsonToken };
+    return { success: false };
+  }
+  async getToken(subject, authenticationData) {
+    const actualSubject = await this.resolveSubject(subject);
+    const now = (0, import_date_time.currentTimestamp)();
+    const end = now + this.refreshTokenTimeToLive;
+    const session = await this.sessionRepository.insert({
+      subject: actualSubject,
+      begin: now,
+      end,
+      refreshTokenHashVersion: 0,
+      refreshTokenSalt: new Uint8Array(),
+      refreshTokenHash: new Uint8Array()
+    });
+    const tokenPayload = await this.tokenPayloadProvider?.getTokenPayload(actualSubject, authenticationData, { action: import_authentication_token_payload_provider.GetTokenPayloadContextAction.GetToken });
+    const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: actualSubject, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
+    const refreshToken = await this.createRefreshToken(actualSubject, session.id, end);
+    await this.sessionRepository.extend(session.id, {
+      end,
+      refreshTokenHashVersion: 1,
+      refreshTokenSalt: refreshToken.salt,
+      refreshTokenHash: refreshToken.hash
+    });
+    return { token, jsonToken, refreshToken: refreshToken.token };
+  }
+  async endSession(sessionId) {
+    const now = (0, import_date_time.currentTimestamp)();
+    await this.sessionRepository.end(sessionId, now);
+  }
+  async refresh(refreshToken, authenticationData) {
+    const validatedToken = await this.validateRefreshToken(refreshToken);
+    const sessionId = validatedToken.payload.sessionId;
+    const session = await this.sessionRepository.load(sessionId);
+    const hash = await this.getHash(validatedToken.payload.secret, session.refreshTokenSalt);
+    if (session.end <= (0, import_date_time.currentTimestamp)()) {
+      throw new import_invalid_token_error.InvalidTokenError("Session is expired.");
     }
-    async deriveSigningSecrets(secret) {
-        const key = await importPbkdf2Key(secret);
-        const algorithm = { name: 'PBKDF2', hash: 'SHA-512', iterations: 500000, salt: new Uint8Array() };
-        const [derivedTokenSigningSecret, derivedRefreshTokenSigningSecret, derivedSecretResetTokenSigningSecret] = await deriveBytesMultiple(algorithm, key, 3, SIGNING_SECRETS_LENGTH);
-        this.derivedTokenSigningSecret = derivedTokenSigningSecret;
-        this.derivedRefreshTokenSigningSecret = derivedRefreshTokenSigningSecret;
-        this.derivedSecretResetTokenSigningSecret = derivedSecretResetTokenSigningSecret;
+    if (!(0, import_equals.binaryEquals)(hash, session.refreshTokenHash)) {
+      throw new import_invalid_token_error.InvalidTokenError("Invalid refresh token.");
     }
-    async getHash(secret, salt) {
-        const key = await importPbkdf2Key(secret);
-        const hash = await globalThis.crypto.subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-512', iterations: 250000, salt }, key, 512);
-        return new Uint8Array(hash);
+    const now = (0, import_date_time.currentTimestamp)();
+    const newEnd = now + this.refreshTokenTimeToLive;
+    const tokenPayload = await this.tokenPayloadProvider?.getTokenPayload(session.subject, authenticationData, { action: import_authentication_token_payload_provider.GetTokenPayloadContextAction.Refresh });
+    const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: session.subject, sessionId, refreshTokenExpiration: newEnd, timestamp: now });
+    const newRefreshToken = await this.createRefreshToken(validatedToken.payload.subject, sessionId, newEnd);
+    await this.sessionRepository.extend(sessionId, {
+      end: newEnd,
+      refreshTokenHashVersion: 1,
+      refreshTokenSalt: newRefreshToken.salt,
+      refreshTokenHash: newRefreshToken.hash
+    });
+    return { token, jsonToken, refreshToken: newRefreshToken.token };
+  }
+  async initResetSecret(subject) {
+    if ((0, import_type_guards.isUndefined)(this.authenticationResetSecretHandler)) {
+      throw new import_not_implemented_error.NotImplementedError();
     }
+    const actualSubject = await this.resolveSubject(subject);
+    const secretResetToken = await this.createSecretResetToken(actualSubject, (0, import_date_time.currentTimestamp)() + this.secretResetTokenTimeToLive);
+    const initSecretResetData = {
+      subject: actualSubject,
+      token: secretResetToken.token
+    };
+    await this.authenticationResetSecretHandler.handleInitSecretReset(initSecretResetData);
+  }
+  async resetSecret(tokenString, newSecret) {
+    const token = await this.validateSecretResetToken(tokenString);
+    await this.setCredentials(token.payload.subject, newSecret);
+  }
+  async checkSecret(secret) {
+    return this.authenticationSecretRequirementsValidator.checkSecretRequirements(secret);
+  }
+  async testSecret(secret) {
+    return this.authenticationSecretRequirementsValidator.testSecretRequirements(secret);
+  }
+  async validateSecret(secret) {
+    return this.authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
+  }
+  async validateToken(token) {
+    return (0, import_helper.getTokenFromString)(token, this.tokenVersion, this.derivedTokenSigningSecret);
+  }
+  async validateRefreshToken(token) {
+    return (0, import_helper.getRefreshTokenFromString)(token, this.derivedRefreshTokenSigningSecret);
+  }
+  async validateSecretResetToken(token) {
+    return (0, import_helper.getSecretResetTokenFromString)(token, this.derivedSecretResetTokenSigningSecret);
+  }
+  async resolveSubject(subject) {
+    return this.subjectResolver?.resolveSubject(subject) ?? subject;
+  }
+  /** Creates a token without session or refresh token and is not saved in database */
+  async createToken({ tokenVersion, jwtId, issuedAt, expiration, additionalTokenPayload, subject, sessionId, refreshTokenExpiration, timestamp = (0, import_date_time.currentTimestamp)() }) {
+    const header = {
+      v: tokenVersion ?? this.tokenVersion,
+      alg: "HS256",
+      typ: "JWT"
+    };
+    const payload = {
+      jti: jwtId ?? (0, import_random.getRandomString)(24, import_alphabet.Alphabet.LowerUpperCaseNumbers),
+      iat: issuedAt ?? (0, import_date_time.timestampToTimestampSeconds)(timestamp),
+      exp: expiration ?? (0, import_date_time.timestampToTimestampSeconds)(timestamp + this.tokenTimeToLive),
+      refreshTokenExp: (0, import_date_time.timestampToTimestampSeconds)(refreshTokenExpiration),
+      sessionId,
+      subject,
+      ...additionalTokenPayload
+    };
+    const jsonToken = {
+      header,
+      payload
+    };
+    const token = await (0, import_jwt.createJwtTokenString)(jsonToken, this.derivedTokenSigningSecret);
+    return { token, jsonToken };
+  }
+  /** Creates a refresh token without session or something else. */
+  async createRefreshToken(subject, sessionId, expirationTimestamp) {
+    const secret = (0, import_random.getRandomString)(64, import_alphabet.Alphabet.LowerUpperCaseNumbers);
+    const salt = (0, import_random.getRandomBytes)(32);
+    const hash = await this.getHash(secret, salt);
+    const jsonToken = {
+      header: {
+        alg: "HS256",
+        typ: "JWT"
+      },
+      payload: {
+        exp: (0, import_date_time.timestampToTimestampSeconds)(expirationTimestamp),
+        subject,
+        sessionId,
+        secret
+      }
+    };
+    const token = await (0, import_jwt.createJwtTokenString)(jsonToken, this.derivedRefreshTokenSigningSecret);
+    return { token, jsonToken, salt, hash: new Uint8Array(hash) };
+  }
+  async createSecretResetToken(subject, expirationTimestamp) {
+    const jsonToken = {
+      header: {
+        alg: "HS256",
+        typ: "JWT"
+      },
+      payload: {
+        exp: (0, import_date_time.timestampToTimestampSeconds)(expirationTimestamp),
+        subject
+      }
+    };
+    const token = await (0, import_jwt.createJwtTokenString)(jsonToken, this.derivedSecretResetTokenSigningSecret);
+    return { token, jsonToken };
+  }
+  async deriveSigningSecrets(secret) {
+    const key = await (0, import_cryptography.importPbkdf2Key)(secret);
+    const algorithm = { name: "PBKDF2", hash: "SHA-512", iterations: 5e5, salt: new Uint8Array() };
+    const [derivedTokenSigningSecret, derivedRefreshTokenSigningSecret, derivedSecretResetTokenSigningSecret] = await (0, import_cryptography.deriveBytesMultiple)(algorithm, key, 3, SIGNING_SECRETS_LENGTH);
+    this.derivedTokenSigningSecret = derivedTokenSigningSecret;
+    this.derivedRefreshTokenSigningSecret = derivedRefreshTokenSigningSecret;
+    this.derivedSecretResetTokenSigningSecret = derivedSecretResetTokenSigningSecret;
+  }
+  async getHash(secret, salt) {
+    const key = await (0, import_cryptography.importPbkdf2Key)(secret);
+    const hash = await globalThis.crypto.subtle.deriveBits({ name: "PBKDF2", hash: "SHA-512", iterations: 25e4, salt }, key, 512);
+    return new Uint8Array(hash);
+  }
 };
 AuthenticationService = __decorate([
-    singleton(),
-    __param(3, inject(AuthenticationSubjectResolver)),
-    __param(3, optional()),
-    __param(4, inject(AuthenticationTokenPayloadProvider)),
-    __param(4, optional()),
-    __param(5, inject(AuthenticationSecretResetHandler)),
-    __param(5, optional()),
-    __metadata("design:paramtypes", [AuthenticationCredentialsRepository,
-        AuthenticationSessionRepository,
-        AuthenticationSecretRequirementsValidator, Object, Object, Object, AuthenticationServiceOptions])
+  (0, import_injector.Singleton)(),
+  __param(3, (0, import_injector.Inject)(import_authentication_subject_resolver.AuthenticationSubjectResolver)),
+  __param(3, (0, import_injector.Optional)()),
+  __param(4, (0, import_injector.Inject)(import_authentication_token_payload_provider.AuthenticationTokenPayloadProvider)),
+  __param(4, (0, import_injector.Optional)()),
+  __param(5, (0, import_injector.Inject)(import_authentication_secret_reset_handler.AuthenticationSecretResetHandler)),
+  __param(5, (0, import_injector.Optional)()),
+  __metadata("design:paramtypes", [
+    import_authentication_credentials_repository.AuthenticationCredentialsRepository,
+    import_authentication_session_repository.AuthenticationSessionRepository,
+    import_authentication_secret_requirements_validator.AuthenticationSecretRequirementsValidator,
+    Object,
+    Object,
+    Object,
+    AuthenticationServiceOptions
+  ])
 ], AuthenticationService);