@tstdl/base 0.90.36 → 0.90.38

package/authentication/authentication.api.d.ts

@@ -12,7 +12,7 @@ export type AuthenticationApiDefinition<AdditionalTokenPayload extends Record =
 export declare const authenticationApiDefinition: {
     resource: string;
     endpoints: {
-        token: {
+        getToken: {
             resource: string;
             method: "POST";
             parameters: ObjectSchema<{
@@ -38,6 +38,31 @@ export declare const authenticationApiDefinition: {
                 [dontWaitForValidToken]: boolean;
             };
         };
+        impersonate: {
+            resource: string;
+            method: "POST";
+            parameters: ObjectSchema<{
+                subject: string;
+                data: unknown;
+            }>;
+            result: ObjectSchema<TokenPayloadBase>;
+            credentials: true;
+            data: {
+                [dontWaitForValidToken]: boolean;
+            };
+        };
+        unimpersonate: {
+            resource: string;
+            method: "POST";
+            parameters: ObjectSchema<{
+                data: unknown;
+            }>;
+            result: ObjectSchema<TokenPayloadBase>;
+            credentials: true;
+            data: {
+                [dontWaitForValidToken]: boolean;
+            };
+        };
         endSession: {
             resource: string;
             method: "POST";
@@ -82,7 +107,7 @@ export declare const authenticationApiDefinition: {
 export declare function getAuthenticationApiDefinition<AdditionalTokenPayload extends Record, AuthenticationData, AdditionalInitSecretResetData, AdditionalEndpoints>(additionalTokenPayloadSchema: ObjectSchemaOrType<AdditionalTokenPayload>, authenticationDataSchema: SchemaTestable<AuthenticationData>, initSecretResetDataSchema: ObjectSchemaOrType<AdditionalInitSecretResetData>, resource?: string, additionalEndpoints?: AdditionalEndpoints): {
     resource: string;
     endpoints: {
-        token: {
+        getToken: {
             resource: string;
             method: "POST";
             parameters: ObjectSchema<{
@@ -108,6 +133,31 @@ export declare function getAuthenticationApiDefinition<AdditionalTokenPayload ex
                 [dontWaitForValidToken]: boolean;
             };
         };
+        impersonate: {
+            resource: string;
+            method: "POST";
+            parameters: ObjectSchema<{
+                subject: string;
+                data: AuthenticationData;
+            }>;
+            result: ObjectSchema<TokenPayload<AdditionalTokenPayload>>;
+            credentials: true;
+            data: {
+                [dontWaitForValidToken]: boolean;
+            };
+        };
+        unimpersonate: {
+            resource: string;
+            method: "POST";
+            parameters: ObjectSchema<{
+                data: AuthenticationData;
+            }>;
+            result: ObjectSchema<TokenPayload<AdditionalTokenPayload>>;
+            credentials: true;
+            data: {
+                [dontWaitForValidToken]: boolean;
+            };
+        };
         endSession: {
             resource: string;
             method: "POST";
@@ -150,7 +200,7 @@ export declare function getAuthenticationApiDefinition<AdditionalTokenPayload ex
     };
 };
 export declare function getAuthenticationApiEndpointsDefinition<AdditionalTokenPayload extends Record, AuthenticationData, AdditionalInitSecretResetData>(additionalTokenPayloadSchema: ObjectSchemaOrType<AdditionalTokenPayload>, authenticationDataSchema: SchemaTestable<AuthenticationData>, additionalInitSecretResetDataSchema: ObjectSchemaOrType<AdditionalInitSecretResetData>): {
-    token: {
+    getToken: {
         resource: string;
         method: "POST";
         parameters: ObjectSchema<{
@@ -176,6 +226,31 @@ export declare function getAuthenticationApiEndpointsDefinition<AdditionalTokenP
             [dontWaitForValidToken]: boolean;
         };
     };
+    impersonate: {
+        resource: string;
+        method: "POST";
+        parameters: ObjectSchema<{
+            subject: string;
+            data: AuthenticationData;
+        }>;
+        result: ObjectSchema<TokenPayload<AdditionalTokenPayload>>;
+        credentials: true;
+        data: {
+            [dontWaitForValidToken]: boolean;
+        };
+    };
+    unimpersonate: {
+        resource: string;
+        method: "POST";
+        parameters: ObjectSchema<{
+            data: AuthenticationData;
+        }>;
+        result: ObjectSchema<TokenPayload<AdditionalTokenPayload>>;
+        credentials: true;
+        data: {
+            [dontWaitForValidToken]: boolean;
+        };
+    };
     endSession: {
         resource: string;
         method: "POST";

package/authentication/authentication.api.js

@@ -23,7 +23,7 @@ export function getAuthenticationApiDefinition(additionalTokenPayloadSchema, aut
 export function getAuthenticationApiEndpointsDefinition(additionalTokenPayloadSchema, authenticationDataSchema, additionalInitSecretResetDataSchema) {
     const tokenResultSchema = assign(TokenPayloadBase, additionalTokenPayloadSchema);
     return {
-        token: {
+        getToken: {
             resource: 'token',
             method: 'POST',
             parameters: explicitObject({
@@ -49,6 +49,31 @@ export function getAuthenticationApiEndpointsDefinition(additionalTokenPayloadSc
                 [dontWaitForValidToken]: true
             }
         },
+        impersonate: {
+            resource: 'impersonate',
+            method: 'POST',
+            parameters: explicitObject({
+                subject: string(),
+                data: authenticationDataSchema
+            }),
+            result: tokenResultSchema,
+            credentials: true,
+            data: {
+                [dontWaitForValidToken]: true
+            }
+        },
+        unimpersonate: {
+            resource: 'unimpersonate',
+            method: 'POST',
+            parameters: explicitObject({
+                data: authenticationDataSchema
+            }),
+            result: tokenResultSchema,
+            credentials: true,
+            data: {
+                [dontWaitForValidToken]: true
+            }
+        },
         endSession: {
             resource: 'end-session',
             method: 'POST',

package/authentication/client/authentication.service.d.ts

@@ -10,7 +10,7 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     private readonly tokenUpdateBus;
     private readonly loggedOutBus;
     private readonly forceRefreshToken;
-    private readonly refreshLock;
+    private readonly lock;
     private readonly logger;
     private readonly disposeToken;
     readonly error$: import("rxjs").Observable<Error>;
@@ -29,6 +29,8 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     readonly loggedOut$: import("rxjs").Observable<void>;
     private get authenticationData();
     private set authenticationData(value);
+    private get impersonatorAuthenticationData();
+    private set impersonatorAuthenticationData(value);
     get definedToken(): TokenPayload<AdditionalTokenPayload>;
     get definedSubject(): string;
     get definedSessionId(): string;
@@ -43,6 +45,8 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     logout(): Promise<void>;
     requestRefresh(data?: AuthenticationData): void;
     refresh(data?: AuthenticationData): Promise<void>;
+    impersonate(subject: string, data?: AuthenticationData): Promise<void>;
+    unimpersonate(data?: AuthenticationData): Promise<void>;
     initResetSecret(subject: string, data: AdditionalInitSecretResetData): Promise<void>;
     resetSecret(token: string, newSecret: string): Promise<void>;
     checkSecret(secret: string): Promise<SecretCheckResult>;

package/authentication/client/authentication.service.js

@@ -30,6 +30,7 @@ import { assertDefinedPass, isDefined, isNullOrUndefined, isString, isUndefined
 import { AUTHENTICATION_API_CLIENT, INITIAL_AUTHENTICATION_DATA } from './tokens.js';
 const tokenStorageKey = 'AuthenticationService:token';
 const authenticationDataStorageKey = 'AuthenticationService:authentication-data';
+const impersonatorAuthenticationDataStorageKey = 'AuthenticationService:impersonator-authentication-data';
 const tokenUpdateBusName = 'AuthenticationService:tokenUpdate';
 const loggedOutBusName = 'AuthenticationService:loggedOut';
 const refreshLockResource = 'AuthenticationService:refresh';
@@ -39,7 +40,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     tokenUpdateBus = inject((MessageBus), tokenUpdateBusName);
     loggedOutBus = inject((MessageBus), loggedOutBusName);
     forceRefreshToken = new CancellationToken();
-    refreshLock = inject(Lock, refreshLockResource, { optional: true });
+    lock = inject(Lock, refreshLockResource);
     logger = inject(Logger, 'AuthenticationService');
     disposeToken = new CancellationToken();
     error$ = this.errorSubject.asObservable();
@@ -69,6 +70,19 @@ let AuthenticationClientService = class AuthenticationClientService {
             localStorage.setItem(authenticationDataStorageKey, json);
         }
     }
+    get impersonatorAuthenticationData() {
+        const data = localStorage.getItem(impersonatorAuthenticationDataStorageKey);
+        return isNullOrUndefined(data) ? undefined : JSON.parse(data);
+    }
+    set impersonatorAuthenticationData(data) {
+        if (isUndefined(data)) {
+            localStorage.removeItem(impersonatorAuthenticationDataStorageKey);
+        }
+        else {
+            const json = JSON.stringify(data);
+            localStorage.setItem(impersonatorAuthenticationDataStorageKey, json);
+        }
+    }
     get definedToken() {
         return assertDefinedPass(this.token(), 'No token available.');
     }
@@ -110,7 +124,7 @@ let AuthenticationClientService = class AuthenticationClientService {
         if (isDefined(data)) {
             this.setAdditionalData(data);
         }
-        const token = await this.client.token({ subject, secret, data: this.authenticationData });
+        const token = await this.client.getToken({ subject, secret, data: this.authenticationData });
         this.setNewToken(token);
     }
     async logout() {
@@ -144,6 +158,35 @@ let AuthenticationClientService = class AuthenticationClientService {
             throw error;
         }
     }
+    async impersonate(subject, data) {
+        await this.lock.use(10000, true, async () => {
+            this.impersonatorAuthenticationData = this.authenticationData;
+            this.authenticationData = data;
+            try {
+                const token = await this.client.impersonate({ subject, data: data });
+                this.setNewToken(token);
+            }
+            catch (error) {
+                await this.handleRefreshError(error);
+                throw error;
+            }
+        });
+    }
+    async unimpersonate(data) {
+        await this.lock.use(10000, true, async () => {
+            const newData = data ?? this.impersonatorAuthenticationData;
+            try {
+                const token = await this.client.unimpersonate({ data: newData });
+                this.authenticationData = newData;
+                this.impersonatorAuthenticationData = undefined;
+                this.setNewToken(token);
+            }
+            catch (error) {
+                await this.handleRefreshError(error);
+                throw error;
+            }
+        });
+    }
     async initResetSecret(subject, data) {
         await this.client.initSecretReset({ subject, data });
     }
@@ -180,12 +223,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     async refreshLoop() {
         while (this.disposeToken.isUnset) {
             try {
-                if (isDefined(this.refreshLock)) {
-                    await this.refreshLock.use(0, false, async () => this.refreshLoopIteration());
-                }
-                else {
-                    await this.refreshLoopIteration();
-                }
+                await this.lock.use(0, false, async () => this.refreshLoopIteration());
                 await firstValueFrom(race([timer(2500), this.disposeToken, this.forceRefreshToken]));
             }
             catch {

package/authentication/models/token-payload-base.model.d.ts

@@ -9,4 +9,5 @@ export declare class TokenPayloadBase {
     refreshTokenExp: number;
     sessionId: string;
     subject: string;
+    impersonator?: string;
 }

package/authentication/models/token-payload-base.model.js

@@ -19,6 +19,7 @@ export class TokenPayloadBase {
     refreshTokenExp;
     sessionId;
     subject;
+    impersonator;
 }
 __decorate([
     Property(),
@@ -44,3 +45,7 @@ __decorate([
     Property(),
     __metadata("design:type", String)
 ], TokenPayloadBase.prototype, "subject", void 0);
+__decorate([
+    Property({ optional: true }),
+    __metadata("design:type", String)
+], TokenPayloadBase.prototype, "impersonator", void 0);

package/authentication/models/token.model.d.ts

@@ -10,6 +10,7 @@ export type RefreshToken = JwtToken<{
     /** expiration timestamp in seconds */
     exp: number;
     subject: string;
+    impersonator?: string;
     sessionId: string;
     secret: string;
 }>;

package/authentication/server/authentication-ancillary.service.d.ts

@@ -0,0 +1,25 @@
+import type { Record } from '../../types.js';
+import type { TokenPayload } from '../index.js';
+import type { InitSecretResetData } from '../models/init-secret-reset-data.model.js';
+export declare enum GetTokenPayloadContextAction {
+    GetToken = 0,
+    Refresh = 1
+}
+export type GetTokenPayloadContext = {
+    action: GetTokenPayloadContextAction;
+};
+export declare abstract class AuthenticationAncillaryService<AdditionalTokenPayload extends Record = Record<never>, AuthenticationData = void, AdditionalInitSecretResetData extends Record = Record<never>> {
+    /**
+     * Resolve a provided subject to the actual subject used for authentication.
+     * Useful for example if you want to be able to login via mail but actual subject is the user id.
+     */
+    abstract resolveSubject(providedSubject: string): string | Promise<string>;
+    abstract getTokenPayload(subject: string, authenticationData: AuthenticationData, context: GetTokenPayloadContext): AdditionalTokenPayload | Promise<AdditionalTokenPayload>;
+    abstract handleInitSecretReset(data: InitSecretResetData & AdditionalInitSecretResetData): void | Promise<void>;
+    /**
+     * Check if token is allowed to impersonate subject
+     * @param token Token which tries to impersonate
+     * @param subject Subject to impersonate
+     */
+    abstract canImpersonate(token: TokenPayload<AdditionalTokenPayload>, subject: string, authenticationData: AuthenticationData): boolean | Promise<boolean>;
+}

package/authentication/server/{authentication-token-payload.provider.js → authentication-ancillary.service.js}

@@ -3,5 +3,5 @@ export var GetTokenPayloadContextAction;
     GetTokenPayloadContextAction[GetTokenPayloadContextAction["GetToken"] = 0] = "GetToken";
     GetTokenPayloadContextAction[GetTokenPayloadContextAction["Refresh"] = 1] = "Refresh";
 })(GetTokenPayloadContextAction || (GetTokenPayloadContextAction = {}));
-export class AuthenticationTokenPayloadProvider {
+export class AuthenticationAncillaryService {
 }

package/authentication/server/authentication.api-controller.d.ts

@@ -8,14 +8,16 @@ import { AuthenticationService } from './authentication.service.js';
 export declare class AuthenticationApiController<AdditionalTokenPayload extends Record, AuthenticationData, AdditionalInitSecretResetData extends Record> implements ApiController<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>> {
     readonly authenticationService: AuthenticationService<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>;
     constructor(authenticationService: AuthenticationService<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>);
-    token({ parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'token'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'token'>>;
+    getToken({ parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'getToken'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'getToken'>>;
     refresh({ request, parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'refresh'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'refresh'>>;
+    impersonate({ request, parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'impersonate'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'impersonate'>>;
+    unimpersonate({ request, parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'unimpersonate'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'unimpersonate'>>;
     endSession({ request }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'endSession'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'endSession'>>;
     initSecretReset({ parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'initSecretReset'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'initSecretReset'>>;
     resetSecret({ parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'resetSecret'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'resetSecret'>>;
     checkSecret({ parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'checkSecret'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'checkSecret'>>;
     timestamp(): ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'timestamp'>;
-    protected getTokenResponse({ token, jsonToken, refreshToken }: TokenResult<AdditionalTokenPayload>): HttpServerResponse;
+    protected getTokenResponse({ token, jsonToken, refreshToken, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }: TokenResult<AdditionalTokenPayload>): HttpServerResponse;
 }
 export declare function getAuthenticationApiController<AdditionalTokenPayload extends Record, AuthenticationData, AdditionalInitSecretResetData extends Record>(// eslint-disable-line @typescript-eslint/explicit-function-return-type
 additionalTokenPayloadSchema: ObjectSchemaOrType<AdditionalTokenPayload>, authenticationDataSchema: SchemaTestable<AuthenticationData>, additionalInitSecretResetData: ObjectSchemaOrType<AdditionalInitSecretResetData>): Type<AuthenticationApiController<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>>;

package/authentication/server/authentication.api-controller.js

@@ -11,16 +11,18 @@ import { apiController } from '../../api/server/index.js';
 import { InvalidCredentialsError } from '../../errors/invalid-credentials.error.js';
 import { HttpServerResponse } from '../../http/server/index.js';
 import { currentTimestamp } from '../../utils/date-time.js';
+import { assertDefinedPass, isDefined } from '../../utils/type-guards.js';
 import { authenticationApiDefinition, getAuthenticationApiDefinition } from '../authentication.api.js';
 import { AuthenticationService } from './authentication.service.js';
 import { tryGetAuthorizationTokenStringFromRequest } from './helper.js';
 const cookieBaseOptions = { path: '/', httpOnly: true, secure: true, sameSite: 'strict' };
+const deleteCookie = { value: '', ...cookieBaseOptions, expires: -1 };
 let AuthenticationApiController = class AuthenticationApiController {
     authenticationService;
     constructor(authenticationService) {
         this.authenticationService = authenticationService;
     }
-    async token({ parameters }) {
+    async getToken({ parameters }) {
         const authenticationResult = await this.authenticationService.authenticate(parameters.subject, parameters.secret);
         if (!authenticationResult.success) {
             throw new InvalidCredentialsError();
@@ -29,8 +31,19 @@ let AuthenticationApiController = class AuthenticationApiController {
         return this.getTokenResponse(result);
     }
     async refresh({ request, parameters }) {
-        const tokenString = tryGetAuthorizationTokenStringFromRequest(request, 'refreshToken') ?? '';
-        const result = await this.authenticationService.refresh(tokenString, parameters.data);
+        const refreshTokenString = tryGetAuthorizationTokenStringFromRequest(request, 'refreshToken') ?? '';
+        const result = await this.authenticationService.refresh(refreshTokenString, parameters.data);
+        return this.getTokenResponse(result);
+    }
+    async impersonate({ request, parameters }) {
+        const tokenString = tryGetAuthorizationTokenStringFromRequest(request) ?? '';
+        const refreshTokenString = tryGetAuthorizationTokenStringFromRequest(request, 'refreshToken') ?? '';
+        const impersonatorResult = await this.authenticationService.impersonate(tokenString, refreshTokenString, parameters.subject, parameters.data);
+        return this.getTokenResponse(impersonatorResult);
+    }
+    async unimpersonate({ request, parameters }) {
+        const impersonatorRefreshTokenString = tryGetAuthorizationTokenStringFromRequest(request, 'impersonatorRefreshToken') ?? '';
+        const result = await this.authenticationService.refresh(impersonatorRefreshTokenString, parameters.data, { omitImpersonator: true });
         return this.getTokenResponse(result);
     }
     async endSession({ request }) {
@@ -54,8 +67,9 @@ let AuthenticationApiController = class AuthenticationApiController {
         const result = 'ok';
         return new HttpServerResponse({
             cookies: {
-                authorization: { value: '', ...cookieBaseOptions, expires: -1 },
-                refreshToken: { value: '', ...cookieBaseOptions, expires: -1 }
+                authorization: deleteCookie,
+                refreshToken: deleteCookie,
+                impersonatorRefreshToken: deleteCookie
             },
             body: {
                 json: result
@@ -76,9 +90,9 @@ let AuthenticationApiController = class AuthenticationApiController {
     timestamp() {
         return currentTimestamp();
     }
-    getTokenResponse({ token, jsonToken, refreshToken }) {
+    getTokenResponse({ token, jsonToken, refreshToken, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }) {
         const result = jsonToken.payload;
-        return new HttpServerResponse({
+        const options = {
             cookies: {
                 authorization: { value: `Bearer ${token}`, ...cookieBaseOptions, expires: jsonToken.payload.exp * 1000 },
                 refreshToken: { value: `Bearer ${refreshToken}`, ...cookieBaseOptions, expires: jsonToken.payload.refreshTokenExp * 1000 }
@@ -86,7 +100,14 @@ let AuthenticationApiController = class AuthenticationApiController {
             body: {
                 json: result
             }
-        });
+        };
+        if (isDefined(impersonatorRefreshToken)) {
+            options.cookies['impersonatorRefreshToken'] = { value: `Bearer ${refreshToken}`, ...cookieBaseOptions, expires: assertDefinedPass(impersonatorRefreshTokenExpiration) * 1000 };
+        }
+        if (omitImpersonatorRefreshToken == true) {
+            options.cookies['impersonatorRefreshToken'] = deleteCookie;
+        }
+        return new HttpServerResponse(options);
     }
 };
 AuthenticationApiController = __decorate([

package/authentication/server/authentication.service.d.ts

@@ -2,13 +2,7 @@ import type { AfterResolve } from '../../injector/index.js';
 import { afterResolve } from '../../injector/index.js';
 import type { Record } from '../../types.js';
 import type { RefreshToken, SecretCheckResult, SecretResetToken, Token } from '../models/index.js';
-import { AuthenticationCredentialsRepository } from './authentication-credentials.repository.js';
 import type { SecretTestResult } from './authentication-secret-requirements.validator.js';
-import { AuthenticationSecretRequirementsValidator } from './authentication-secret-requirements.validator.js';
-import { AuthenticationSecretResetHandler } from './authentication-secret-reset.handler.js';
-import { AuthenticationSessionRepository } from './authentication-session.repository.js';
-import { AuthenticationSubjectResolver } from './authentication-subject.resolver.js';
-import { AuthenticationTokenPayloadProvider } from './authentication-token-payload.provider.js';
 export type CreateTokenData<AdditionalTokenPayload extends Record> = {
     tokenVersion?: number;
     jwtId?: string;
@@ -17,6 +11,7 @@ export type CreateTokenData<AdditionalTokenPayload extends Record> = {
     additionalTokenPayload: AdditionalTokenPayload;
     subject: string;
     sessionId: string;
+    impersonator: string | undefined;
     refreshTokenExpiration: number;
     timestamp?: number;
 };
@@ -50,6 +45,9 @@ export type TokenResult<AdditionalTokenPayload extends Record> = {
     token: string;
     jsonToken: Token<AdditionalTokenPayload>;
     refreshToken: string;
+    omitImpersonatorRefreshToken?: boolean;
+    impersonatorRefreshToken?: string;
+    impersonatorRefreshTokenExpiration?: number;
 };
 export type SetCredentialsOptions = {
     /** skip validation for password strength */
@@ -69,11 +67,8 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
     private readonly credentialsRepository;
     private readonly sessionRepository;
     private readonly authenticationSecretRequirementsValidator;
-    private readonly tokenPayloadProvider;
-    private readonly subjectResolver;
-    private readonly authenticationResetSecretHandler;
+    private readonly authenticationAncillaryService;
     private readonly options;
-    private readonly secret;
     private readonly tokenVersion;
     private readonly tokenTimeToLive;
     private readonly refreshTokenTimeToLive;
@@ -81,14 +76,19 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
     private derivedTokenSigningSecret;
     private derivedRefreshTokenSigningSecret;
     private derivedSecretResetTokenSigningSecret;
-    constructor(credentialsRepository: AuthenticationCredentialsRepository, sessionRepository: AuthenticationSessionRepository, authenticationSecretRequirementsValidator: AuthenticationSecretRequirementsValidator, subjectResolver: AuthenticationSubjectResolver | undefined, tokenPayloadProvider: AuthenticationTokenPayloadProvider<AdditionalTokenPayload, AuthenticationData> | undefined, authenticationResetSecretHandler: AuthenticationSecretResetHandler<AdditionalInitSecretResetData> | undefined, options: AuthenticationServiceOptions);
     [afterResolve](): Promise<void>;
     initialize(): Promise<void>;
     setCredentials(subject: string, secret: string, options?: SetCredentialsOptions): Promise<void>;
     authenticate(subject: string, secret: string): Promise<AuthenticationResult>;
-    getToken(subject: string, authenticationData: AuthenticationData): Promise<TokenResult<AdditionalTokenPayload>>;
+    getToken(subject: string, authenticationData: AuthenticationData, { impersonator }?: {
+        impersonator?: string;
+    }): Promise<TokenResult<AdditionalTokenPayload>>;
     endSession(sessionId: string): Promise<void>;
-    refresh(refreshToken: string, authenticationData: AuthenticationData): Promise<TokenResult<AdditionalTokenPayload>>;
+    refresh(refreshToken: string, authenticationData: AuthenticationData, { omitImpersonator }?: {
+        omitImpersonator?: boolean;
+    }): Promise<TokenResult<AdditionalTokenPayload>>;
+    impersonate(impersonatorRoken: string, impersonatorRefreshToken: string, subject: string, authenticationData: AuthenticationData): Promise<TokenResult<AdditionalTokenPayload>>;
+    unimpersonate(impersonatorRefreshToken: string, authenticationData: AuthenticationData): Promise<TokenResult<AdditionalTokenPayload>>;
     initSecretReset(subject: string, data: AdditionalInitSecretResetData): Promise<void>;
     resetSecret(tokenString: string, newSecret: string): Promise<void>;
     checkSecret(secret: string): Promise<SecretCheckResult>;
@@ -99,9 +99,11 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
     validateSecretResetToken(token: string): Promise<SecretResetToken>;
     resolveSubject(subject: string): Promise<string>;
     /** Creates a token without session or refresh token and is not saved in database */
-    createToken({ tokenVersion, jwtId, issuedAt, expiration, additionalTokenPayload, subject, sessionId, refreshTokenExpiration, timestamp }: CreateTokenData<AdditionalTokenPayload>): Promise<CreateTokenResult<AdditionalTokenPayload>>;
+    createToken({ tokenVersion, jwtId, issuedAt, expiration, additionalTokenPayload, subject, sessionId, refreshTokenExpiration, impersonator: impersonatedBy, timestamp }: CreateTokenData<AdditionalTokenPayload>): Promise<CreateTokenResult<AdditionalTokenPayload>>;
     /** Creates a refresh token without session or something else. */
-    createRefreshToken(subject: string, sessionId: string, expirationTimestamp: number): Promise<CreateRefreshTokenResult>;
+    createRefreshToken(subject: string, sessionId: string, expirationTimestamp: number, options?: {
+        impersonator?: string;
+    }): Promise<CreateRefreshTokenResult>;
     private createSecretResetToken;
     private deriveSigningSecrets;
     private getHash;

package/authentication/server/authentication.service.js

@@ -4,15 +4,10 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata = (this && this.__metadata) || function (k, v) {
-    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-};
-var __param = (this && this.__param) || function (paramIndex, decorator) {
-    return function (target, key) { decorator(target, key, paramIndex); }
-};
+import { ForbiddenError } from '../../errors/forbidden.error.js';
 import { InvalidTokenError } from '../../errors/invalid-token.error.js';
 import { NotImplementedError } from '../../errors/not-implemented.error.js';
-import { Inject, Optional, Singleton, afterResolve } from '../../injector/index.js';
+import { Singleton, afterResolve, inject } from '../../injector/index.js';
 import { Alphabet } from '../../utils/alphabet.js';
 import { deriveBytesMultiple, importPbkdf2Key } from '../../utils/cryptography.js';
 import { currentTimestamp, timestampToTimestampSeconds } from '../../utils/date-time.js';
@@ -21,12 +16,10 @@ import { createJwtTokenString } from '../../utils/jwt.js';
 import { getRandomBytes, getRandomString } from '../../utils/random.js';
 import { isBinaryData, isString, isUndefined } from '../../utils/type-guards.js';
 import { millisecondsPerDay, millisecondsPerMinute } from '../../utils/units.js';
+import { AuthenticationAncillaryService, GetTokenPayloadContextAction } from './authentication-ancillary.service.js';
 import { AuthenticationCredentialsRepository } from './authentication-credentials.repository.js';
 import { AuthenticationSecretRequirementsValidator } from './authentication-secret-requirements.validator.js';
-import { AuthenticationSecretResetHandler } from './authentication-secret-reset.handler.js';
 import { AuthenticationSessionRepository } from './authentication-session.repository.js';
-import { AuthenticationSubjectResolver } from './authentication-subject.resolver.js';
-import { AuthenticationTokenPayloadProvider, GetTokenPayloadContextAction } from './authentication-token-payload.provider.js';
 import { getRefreshTokenFromString, getSecretResetTokenFromString, getTokenFromString } from './helper.js';
 export class AuthenticationServiceOptions {
     /**
@@ -45,34 +38,18 @@ export class AuthenticationServiceOptions {
 }
 const SIGNING_SECRETS_LENGTH = 64;
 let AuthenticationService = class AuthenticationService {
-    credentialsRepository;
-    sessionRepository;
-    authenticationSecretRequirementsValidator;
-    tokenPayloadProvider;
-    subjectResolver;
-    authenticationResetSecretHandler;
-    options;
-    secret;
-    tokenVersion;
-    tokenTimeToLive;
-    refreshTokenTimeToLive;
-    secretResetTokenTimeToLive;
+    credentialsRepository = inject(AuthenticationCredentialsRepository);
+    sessionRepository = inject(AuthenticationSessionRepository);
+    authenticationSecretRequirementsValidator = inject(AuthenticationSecretRequirementsValidator);
+    authenticationAncillaryService = inject(AuthenticationAncillaryService, undefined, { optional: true });
+    options = inject(AuthenticationServiceOptions);
+    tokenVersion = this.options.version ?? 1;
+    tokenTimeToLive = this.options.tokenTimeToLive ?? (5 * millisecondsPerMinute);
+    refreshTokenTimeToLive = this.options.refreshTokenTimeToLive ?? (5 * millisecondsPerDay);
+    secretResetTokenTimeToLive = this.options.secretResetTokenTimeToLive ?? (10 * millisecondsPerMinute);
     derivedTokenSigningSecret;
     derivedRefreshTokenSigningSecret;
     derivedSecretResetTokenSigningSecret;
-    constructor(credentialsRepository, sessionRepository, authenticationSecretRequirementsValidator, subjectResolver, tokenPayloadProvider, authenticationResetSecretHandler, options) {
-        this.credentialsRepository = credentialsRepository;
-        this.sessionRepository = sessionRepository;
-        this.authenticationSecretRequirementsValidator = authenticationSecretRequirementsValidator;
-        this.subjectResolver = subjectResolver;
-        this.tokenPayloadProvider = tokenPayloadProvider;
-        this.authenticationResetSecretHandler = authenticationResetSecretHandler;
-        this.options = options;
-        this.tokenVersion = options.version ?? 1;
-        this.tokenTimeToLive = options.tokenTimeToLive ?? (5 * millisecondsPerMinute);
-        this.refreshTokenTimeToLive = options.refreshTokenTimeToLive ?? (5 * millisecondsPerDay);
-        this.secretResetTokenTimeToLive = options.secretResetTokenTimeToLive ?? (10 * millisecondsPerMinute);
-    }
     async [afterResolve]() {
         await this.initialize();
     }
@@ -114,7 +91,7 @@ let AuthenticationService = class AuthenticationService {
         }
         return { success: false };
     }
-    async getToken(subject, authenticationData) {
+    async getToken(subject, authenticationData, { impersonator } = {}) {
         const actualSubject = await this.resolveSubject(subject);
         const now = currentTimestamp();
         const end = now + this.refreshTokenTimeToLive;
@@ -126,9 +103,9 @@ let AuthenticationService = class AuthenticationService {
             refreshTokenSalt: new Uint8Array(),
             refreshTokenHash: new Uint8Array()
         });
-        const tokenPayload = await this.tokenPayloadProvider?.getTokenPayload(actualSubject, authenticationData, { action: GetTokenPayloadContextAction.GetToken });
-        const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: actualSubject, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
-        const refreshToken = await this.createRefreshToken(actualSubject, session.id, end);
+        const tokenPayload = await this.authenticationAncillaryService?.getTokenPayload(actualSubject, authenticationData, { action: GetTokenPayloadContextAction.GetToken });
+        const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: actualSubject, impersonator, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
+        const refreshToken = await this.createRefreshToken(actualSubject, session.id, end, { impersonator });
         await this.sessionRepository.extend(session.id, {
             end,
             refreshTokenHashVersion: 1,
@@ -141,11 +118,11 @@ let AuthenticationService = class AuthenticationService {
         const now = currentTimestamp();
         await this.sessionRepository.end(sessionId, now);
     }
-    async refresh(refreshToken, authenticationData) {
-        const validatedToken = await this.validateRefreshToken(refreshToken);
-        const sessionId = validatedToken.payload.sessionId;
+    async refresh(refreshToken, authenticationData, { omitImpersonator = false } = {}) {
+        const validatedRefreshToken = await this.validateRefreshToken(refreshToken);
+        const sessionId = validatedRefreshToken.payload.sessionId;
         const session = await this.sessionRepository.load(sessionId);
-        const hash = await this.getHash(validatedToken.payload.secret, session.refreshTokenSalt);
+        const hash = await this.getHash(validatedRefreshToken.payload.secret, session.refreshTokenSalt);
         if (session.end <= currentTimestamp()) {
             throw new InvalidTokenError('Session is expired.');
         }
@@ -153,20 +130,38 @@ let AuthenticationService = class AuthenticationService {
             throw new InvalidTokenError('Invalid refresh token.');
         }
         const now = currentTimestamp();
+        const impersonator = omitImpersonator ? undefined : validatedRefreshToken.payload.impersonator;
         const newEnd = now + this.refreshTokenTimeToLive;
-        const tokenPayload = await this.tokenPayloadProvider?.getTokenPayload(session.subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
-        const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: session.subject, sessionId, refreshTokenExpiration: newEnd, timestamp: now });
-        const newRefreshToken = await this.createRefreshToken(validatedToken.payload.subject, sessionId, newEnd);
+        const tokenPayload = await this.authenticationAncillaryService?.getTokenPayload(session.subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
+        const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: session.subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
+        const newRefreshToken = await this.createRefreshToken(validatedRefreshToken.payload.subject, sessionId, newEnd, { impersonator });
         await this.sessionRepository.extend(sessionId, {
             end: newEnd,
             refreshTokenHashVersion: 1,
             refreshTokenSalt: newRefreshToken.salt,
             refreshTokenHash: newRefreshToken.hash
         });
-        return { token, jsonToken, refreshToken: newRefreshToken.token };
+        return { token, jsonToken, refreshToken: newRefreshToken.token, omitImpersonatorRefreshToken: omitImpersonator };
+    }
+    async impersonate(impersonatorRoken, impersonatorRefreshToken, subject, authenticationData) {
+        const validatedImpersonatorRoken = await this.validateToken(impersonatorRoken);
+        const validatedImpersonatorRefreshToken = await this.validateRefreshToken(impersonatorRefreshToken);
+        const allowed = await this.authenticationAncillaryService?.canImpersonate(validatedImpersonatorRoken.payload, subject, authenticationData) ?? false;
+        if (!allowed) {
+            throw new ForbiddenError('Impersonation forbidden.');
+        }
+        const tokenResult = await this.getToken(subject, authenticationData, { impersonator: validatedImpersonatorRoken.payload.subject });
+        return {
+            ...tokenResult,
+            impersonatorRefreshToken,
+            impersonatorRefreshTokenExpiration: validatedImpersonatorRefreshToken.payload.exp
+        };
+    }
+    async unimpersonate(impersonatorRefreshToken, authenticationData) {
+        return this.refresh(impersonatorRefreshToken, authenticationData, { omitImpersonator: true });
     }
     async initSecretReset(subject, data) {
-        if (isUndefined(this.authenticationResetSecretHandler)) {
+        if (isUndefined(this.authenticationAncillaryService)) {
             throw new NotImplementedError();
         }
         const actualSubject = await this.resolveSubject(subject);
@@ -176,7 +171,7 @@ let AuthenticationService = class AuthenticationService {
             token: secretResetToken.token,
             ...data
         };
-        await this.authenticationResetSecretHandler.handleInitSecretReset(initSecretResetData);
+        await this.authenticationAncillaryService.handleInitSecretReset(initSecretResetData);
     }
     async resetSecret(tokenString, newSecret) {
         const token = await this.validateSecretResetToken(tokenString);
@@ -201,10 +196,10 @@ let AuthenticationService = class AuthenticationService {
         return getSecretResetTokenFromString(token, this.derivedSecretResetTokenSigningSecret);
     }
     async resolveSubject(subject) {
-        return this.subjectResolver?.resolveSubject(subject) ?? subject;
+        return this.authenticationAncillaryService?.resolveSubject(subject) ?? subject;
     }
     /** Creates a token without session or refresh token and is not saved in database */
-    async createToken({ tokenVersion, jwtId, issuedAt, expiration, additionalTokenPayload, subject, sessionId, refreshTokenExpiration, timestamp = currentTimestamp() }) {
+    async createToken({ tokenVersion, jwtId, issuedAt, expiration, additionalTokenPayload, subject, sessionId, refreshTokenExpiration, impersonator: impersonatedBy, timestamp = currentTimestamp() }) {
         const header = {
             v: tokenVersion ?? this.tokenVersion,
             alg: 'HS256',
@@ -217,6 +212,7 @@ let AuthenticationService = class AuthenticationService {
             refreshTokenExp: timestampToTimestampSeconds(refreshTokenExpiration),
             sessionId,
             subject,
+            impersonator: impersonatedBy,
             ...additionalTokenPayload
         };
         const jsonToken = {
@@ -227,7 +223,7 @@ let AuthenticationService = class AuthenticationService {
         return { token, jsonToken };
     }
     /** Creates a refresh token without session or something else. */
-    async createRefreshToken(subject, sessionId, expirationTimestamp) {
+    async createRefreshToken(subject, sessionId, expirationTimestamp, options) {
         const secret = getRandomString(64, Alphabet.LowerUpperCaseNumbers);
         const salt = getRandomBytes(32);
         const hash = await this.getHash(secret, salt);
@@ -239,6 +235,7 @@ let AuthenticationService = class AuthenticationService {
             payload: {
                 exp: timestampToTimestampSeconds(expirationTimestamp),
                 subject,
+                impersonator: options?.impersonator,
                 sessionId,
                 secret
             }
@@ -275,15 +272,6 @@ let AuthenticationService = class AuthenticationService {
     }
 };
 AuthenticationService = __decorate([
-    Singleton(),
-    __param(3, Inject(AuthenticationSubjectResolver)),
-    __param(3, Optional()),
-    __param(4, Inject(AuthenticationTokenPayloadProvider)),
-    __param(4, Optional()),
-    __param(5, Inject(AuthenticationSecretResetHandler)),
-    __param(5, Optional()),
-    __metadata("design:paramtypes", [AuthenticationCredentialsRepository,
-        AuthenticationSessionRepository,
-        AuthenticationSecretRequirementsValidator, Object, Object, Object, AuthenticationServiceOptions])
+    Singleton()
 ], AuthenticationService);
 export { AuthenticationService };

package/authentication/server/helper.js

@@ -46,7 +46,7 @@ export async function getTokenFromString(tokenString, tokenVersion, secret) {
     if (validatedToken.header.v != tokenVersion) {
         throw new InvalidTokenError('Invalid token version');
     }
-    if ((validatedToken.payload.exp + 2500) <= currentTimestampSeconds()) {
+    if (validatedToken.payload.exp <= currentTimestampSeconds()) {
         throw new InvalidTokenError('Token expired');
     }
     return validatedToken;

package/authentication/server/index.d.ts

@@ -1,10 +1,8 @@
+export * from './authentication-ancillary.service.js';
 export * from './authentication-api-request-token.provider.js';
 export * from './authentication-credentials.repository.js';
 export * from './authentication-secret-requirements.validator.js';
-export * from './authentication-secret-reset.handler.js';
 export * from './authentication-session.repository.js';
-export * from './authentication-subject.resolver.js';
-export * from './authentication-token-payload.provider.js';
 export * from './authentication.api-controller.js';
 export * from './authentication.service.js';
 export * from './helper.js';

package/authentication/server/index.js

@@ -1,10 +1,8 @@
+export * from './authentication-ancillary.service.js';
 export * from './authentication-api-request-token.provider.js';
 export * from './authentication-credentials.repository.js';
 export * from './authentication-secret-requirements.validator.js';
-export * from './authentication-secret-reset.handler.js';
 export * from './authentication-session.repository.js';
-export * from './authentication-subject.resolver.js';
-export * from './authentication-token-payload.provider.js';
 export * from './authentication.api-controller.js';
 export * from './authentication.service.js';
 export * from './helper.js';

package/authentication/server/module.d.ts

@@ -1,9 +1,8 @@
 import type { Provider } from '../../injector/provider.js';
 import type { InjectionToken } from '../../injector/token.js';
+import { AuthenticationAncillaryService } from './authentication-ancillary.service.js';
 import { AuthenticationCredentialsRepository } from './authentication-credentials.repository.js';
 import { AuthenticationSessionRepository } from './authentication-session.repository.js';
-import { AuthenticationSubjectResolver } from './authentication-subject.resolver.js';
-import { AuthenticationTokenPayloadProvider } from './authentication-token-payload.provider.js';
 import { AuthenticationService, AuthenticationServiceOptions } from './authentication.service.js';
 export type AuthenticationModuleConfig = {
     serviceOptions?: AuthenticationServiceOptions | Provider<AuthenticationServiceOptions>;
@@ -11,7 +10,6 @@ export type AuthenticationModuleConfig = {
     sessionRepository: InjectionToken<AuthenticationSessionRepository>;
     /** override default AuthenticationService */
     authenticationService?: InjectionToken<AuthenticationService<any, any, any>>;
-    tokenPayloadProvider?: InjectionToken<AuthenticationTokenPayloadProvider<any, any>>;
-    subjectResolver?: InjectionToken<AuthenticationSubjectResolver>;
+    authenticationAncillaryService?: InjectionToken<AuthenticationAncillaryService<any, any, any>>;
 };
 export declare function configureAuthenticationServer(config: AuthenticationModuleConfig): void;

package/authentication/server/module.js

@@ -1,10 +1,9 @@
 import { Injector } from '../../injector/injector.js';
 import { isProvider } from '../../injector/provider.js';
 import { isDefined } from '../../utils/type-guards.js';
+import { AuthenticationAncillaryService } from './authentication-ancillary.service.js';
 import { AuthenticationCredentialsRepository } from './authentication-credentials.repository.js';
 import { AuthenticationSessionRepository } from './authentication-session.repository.js';
-import { AuthenticationSubjectResolver } from './authentication-subject.resolver.js';
-import { AuthenticationTokenPayloadProvider } from './authentication-token-payload.provider.js';
 import { AuthenticationService, AuthenticationServiceOptions } from './authentication.service.js';
 export function configureAuthenticationServer(config) {
     if (isDefined(config.serviceOptions)) {
@@ -18,10 +17,7 @@ export function configureAuthenticationServer(config) {
     if (isDefined(config.authenticationService)) {
         Injector.registerSingleton(AuthenticationService, { useToken: config.authenticationService });
     }
-    if (isDefined(config.tokenPayloadProvider)) {
-        Injector.registerSingleton(AuthenticationTokenPayloadProvider, { useToken: config.tokenPayloadProvider });
-    }
-    if (isDefined(config.subjectResolver)) {
-        Injector.registerSingleton(AuthenticationSubjectResolver, { useToken: config.subjectResolver });
+    if (isDefined(config.authenticationAncillaryService)) {
+        Injector.registerSingleton(AuthenticationAncillaryService, { useToken: config.authenticationAncillaryService });
     }
 }

package/examples/api/custom-authentication.js

@@ -13,7 +13,7 @@ import { Agent } from 'undici';
 import { configureApiServer } from '../../api/server/index.js';
 import { Application } from '../../application/application.js';
 import { AuthenticationClientService, configureAuthenticationClient, getAuthenticationApiClient } from '../../authentication/client/index.js';
-import { AuthenticationTokenPayloadProvider } from '../../authentication/server/authentication-token-payload.provider.js';
+import { AuthenticationAncillaryService } from '../../authentication/index.js';
 import { AuthenticationApiController } from '../../authentication/server/authentication.api-controller.js';
 import { AuthenticationService as AuthenticationServerService } from '../../authentication/server/authentication.service.js';
 import { configureAuthenticationServer } from '../../authentication/server/module.js';
@@ -68,14 +68,23 @@ __decorate([
     __metadata("design:type", String)
 ], AuthenticationData.prototype, "deviceId", void 0);
 const CustomAuthenticationApiClient = getAuthenticationApiClient(CustomTokenPaylod, AuthenticationData, emptyObjectSchema);
-let CustomTokenPayloadProvider = class CustomTokenPayloadProvider extends AuthenticationTokenPayloadProvider {
+let CustomAuthenticationAncillaryService = class CustomAuthenticationAncillaryService extends AuthenticationAncillaryService {
     getTokenPayload(_subject, authenticationData) {
         return { deviceRegistrationId: `registration:${authenticationData.deviceId}` };
     }
+    resolveSubject() {
+        throw new Error('Method not implemented.');
+    }
+    handleInitSecretReset() {
+        throw new Error('Method not implemented.');
+    }
+    canImpersonate() {
+        throw new Error('Method not implemented.');
+    }
 };
-CustomTokenPayloadProvider = __decorate([
+CustomAuthenticationAncillaryService = __decorate([
     Singleton()
-], CustomTokenPayloadProvider);
+], CustomAuthenticationAncillaryService);
 async function serverTest() {
     const authenticationService = await injectAsync(AuthenticationServerService);
     await authenticationService.setCredentials('foobar', 'supersecret-dupidupudoo9275');
@@ -101,7 +110,7 @@ function bootstrap() {
         serviceOptions: { secret: 'djp0fq23576aq' },
         credentialsRepository: MongoAuthenticationCredentialsRepository,
         sessionRepository: MongoAuthenticationSessionRepository,
-        tokenPayloadProvider: CustomTokenPayloadProvider
+        authenticationAncillaryService: CustomAuthenticationAncillaryService
     });
     configureMongoAuthenticationCredentialsRepository({ collection: 'credentials' });
     configureMongoAuthenticationSessionRepository({ collection: 'sessions' });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tstdl/base",
-  "version": "0.90.36",
+  "version": "0.90.38",
   "author": "Patrick Hein",
   "publishConfig": {
     "access": "public"

package/authentication/server/authentication-secret-reset.handler.d.ts

@@ -1,4 +0,0 @@
-import type { InitSecretResetData } from '../models/init-secret-reset-data.model.js';
-export declare abstract class AuthenticationSecretResetHandler<AdditionalInitSecretResetData> {
-    abstract handleInitSecretReset(data: InitSecretResetData & AdditionalInitSecretResetData): void | Promise<void>;
-}

package/authentication/server/authentication-secret-reset.handler.js

@@ -1,2 +0,0 @@
-export class AuthenticationSecretResetHandler {
-}

package/authentication/server/authentication-subject.resolver.d.ts

@@ -1,7 +0,0 @@
-/**
- * Resolve a provided subject to the actual subject used for authentication.
- * Useful for example if you want to be able to login via mail but actual subject is the user id.
- */
-export declare abstract class AuthenticationSubjectResolver {
-    abstract resolveSubject(providedSubject: string): string | Promise<string>;
-}

package/authentication/server/authentication-subject.resolver.js

@@ -1,6 +0,0 @@
-/**
- * Resolve a provided subject to the actual subject used for authentication.
- * Useful for example if you want to be able to login via mail but actual subject is the user id.
- */
-export class AuthenticationSubjectResolver {
-}

package/authentication/server/authentication-token-payload.provider.d.ts

@@ -1,11 +0,0 @@
-import type { Record } from '../../types.js';
-export declare enum GetTokenPayloadContextAction {
-    GetToken = 0,
-    Refresh = 1
-}
-export type GetTokenPayloadContext = {
-    action: GetTokenPayloadContextAction;
-};
-export declare abstract class AuthenticationTokenPayloadProvider<AdditionalTokenPayload = Record<never>, AuthenticationData = void> {
-    abstract getTokenPayload(subject: string, authenticationData: AuthenticationData, context: GetTokenPayloadContext): AdditionalTokenPayload | Promise<AdditionalTokenPayload>;
-}