@tstdl/base 0.92.141 → 0.92.143

package/ai/ai-file.service.js

@@ -62,7 +62,7 @@ let AiFileService = class AiFileService {
     }
     async getFiles(fileInputs) {
         const ids = createArray(fileInputs.length, () => crypto.randomUUID());
-        const files = await AsyncEnumerable.from(fileInputs).parallelMap(5, true, async (file, index) => this.uploadFile(file, ids[index])).toArray();
+        const files = await AsyncEnumerable.from(fileInputs).parallelMap(5, true, async (file, index) => await this.uploadFile(file, ids[index])).toArray();
         this.#logger.verbose(`Processing ${fileInputs.length} files...`);
         await this.waitForFilesActive(files);
         return files;

package/ai/ai.service.js

@@ -53,7 +53,7 @@ let AiService = AiService_1 = class AiService {
         apiKey: isUndefined(this.#options.vertex?.project) ? assertDefinedPass(this.#options.apiKey, 'Api key not defined') : undefined,
     });
     #maxOutputTokensCache = new Map();
-    defaultModel = this.#options.defaultModel ?? 'gemini-2.0-flash';
+    defaultModel = this.#options.defaultModel ?? 'gemini-2.5-flash-preview-05-20';
     createSession() {
         return new AiSession(this);
     }
@@ -157,8 +157,8 @@ let AiService = AiService_1 = class AiService {
                 catch (error) {
                     if ((i < 20) && isError(error) && (error.message.includes('429 Too Many Requests') || (error.message.includes('503 Service Unavailable')))) {
                         this.#logger.verbose('429 Too Many Requests - trying again in 15 seconds');
-                        const canceled = await cancelableTimeout(15 * millisecondsPerSecond, getShutdownSignal());
-                        if (!canceled) {
+                        const timeoutResult = await cancelableTimeout(15 * millisecondsPerSecond, getShutdownSignal());
+                        if (timeoutResult == 'timeout') {
                             continue;
                         }
                     }

package/ai/types.d.ts

@@ -53,7 +53,7 @@ export type Content = {
 };
 export type FunctionCallingMode = 'auto' | 'force' | 'none';
 export type FinishReason = 'stop' | 'maxTokens' | 'unknown';
-export type AiModel = LiteralUnion<'gemini-2.5-pro-exp-03-25' | 'gemini-2.5-flash-exp-04-17' | 'gemini-2.0-flash' | 'gemini-2.0-flash-lite', string>;
+export type AiModel = LiteralUnion<'gemini-2.5-pro-preview-05-06' | 'gemini-2.5-flash-preview-05-20', string>;
 export type GenerationOptions = {
     maxOutputTokens?: number;
     temperature?: number;

package/api/client/client.d.ts

@@ -2,7 +2,7 @@ import { HttpClient, type HttpClientOptions } from '../../http/client/index.js';
 import { type Resolvable } from '../../injector/interfaces.js';
 import type { Type } from '../../types.js';
 import { type ApiClientImplementation, type ApiDefinition, type ApiEndpointDefinition } from '../types.js';
-export type ApiClient<T extends ApiDefinition> = Type<ApiClientImplementation<T> & Resolvable<HttpClient | HttpClientOptions>, [httpClientOrOptions?: HttpClient | HttpClientOptions]>;
+export type ApiClient<T extends ApiDefinition> = Type<ApiClientImplementation<T> & Resolvable<HttpClient | HttpClientOptions>, [httpClientOrOptions?: HttpClient | HttpClientOptions]> & Pick<ApiClientImplementation<T>, 'getEndpointResource' | 'getEndpointUrl'>;
 export type ClientOptions = {
     /**
      * Url prefix

package/api/client/client.js

@@ -19,7 +19,6 @@ export const defaultOptions = {};
 export function setDefaultApiClientOptions(options) {
     copyObjectProperties(options, defaultOptions);
 }
-// eslint-disable-next-line max-lines-per-function
 export function compileClient(definition, options = defaultOptions) {
     const { resource: path, endpoints } = definition;
     const constructedApiName = toTitleCase(path[0] ?? '');
@@ -32,17 +31,24 @@ export function compileClient(definition, options = defaultOptions) {
                 this[httpClientSymbol] = (httpClientOrOptions instanceof HttpClient) ? httpClientOrOptions : inject(HttpClient, httpClientOrOptions);
                 this[apiDefinitionSymbol] = definition;
             }
-            getEndpointResource(endpoint, parameters) {
+            static getEndpointResource(endpoint, parameters) {
                 const resource = getFullApiEndpointResource({ api: definition, endpoint: resolveValueOrProvider(definition.endpoints[endpoint]), defaultPrefix: options.prefix });
                 if (isUndefined(parameters)) {
                     return resource;
                 }
                 return buildUrl(resource, parameters).parsedUrl;
             }
-            getEndpointUrl(endpoint, parameters) {
+            static getEndpointUrl(endpoint, parameters) {
                 const url = this.getEndpointResource(endpoint, parameters);
+                return new URL(url, 'http://baseurl/');
+            }
+            getEndpointUrl(endpoint, parameters) {
+                const url = api.getEndpointResource(endpoint, parameters);
                 return new URL(url, this[httpClientSymbol].options.baseUrl);
             }
+            getEndpointResource(endpoint, parameters) {
+                return api.getEndpointResource(endpoint, parameters);
+            }
         },
     }[apiName];
     Injector.registerSingleton(api, {
@@ -77,7 +83,7 @@ export function compileClient(definition, options = defaultOptions) {
                     context,
                 });
                 const response = await this[httpClientSymbol].rawRequest(request);
-                return getResponseBody(response, endpoint.result);
+                return await getResponseBody(response, endpoint.result);
             },
         }[name];
         Object.defineProperty(api.prototype, name, {

package/api/server/middlewares/content-type.middleware.js

@@ -1,3 +1,4 @@
+import { match, P } from 'ts-pattern';
 import { isDefined } from '../../../utils/type-guards.js';
 export async function contentTypeMiddleware(context, next) {
     await next();
@@ -5,11 +6,11 @@ export async function contentTypeMiddleware(context, next) {
     if (isDefined(response.headers.contentType)) {
         return;
     }
-    response.headers.contentType =
-        (isDefined(response.body?.json)) ? 'application/json; charset=utf-8'
-            : (isDefined(response.body?.text)) ? 'text/plain; charset=utf-8'
-                : (isDefined(response.body?.buffer)) ? 'application/octet-stream'
-                    : (isDefined(response.body?.stream)) ? 'application/octet-stream'
-                        : (isDefined(response.body?.events)) ? 'text/event-stream'
-                            : undefined;
+    response.headers.contentType = match(response.body)
+        .with({ json: P.select(P.nonNullable) }, () => 'application/json; charset=utf-8')
+        .with({ text: P.select(P.nonNullable) }, () => 'text/plain; charset=utf-8')
+        .with({ buffer: P.select(P.nonNullable) }, () => 'application/octet-stream')
+        .with({ stream: P.select(P.nonNullable) }, () => 'application/octet-stream')
+        .with({ events: P.select(P.nonNullable) }, () => 'text/event-stream')
+        .otherwise(() => undefined);
 }

package/api/types.js

@@ -6,7 +6,7 @@ export function defineApi(definition) {
 }
 export async function resolveApiEndpointDataProvider(request, context, provider) {
     if (isFunction(provider)) {
-        return provider(request, context);
+        return await provider(request, context);
     }
     return provider;
 }

package/authentication/client/authentication.service.js

@@ -134,7 +134,7 @@ let AuthenticationClientService = class AuthenticationClientService {
         try {
             await Promise.race([
                 this.client.endSession(),
-                timeout(150)
+                timeout(150),
             ]).catch((error) => this.logger.error(error));
         }
         finally {
@@ -197,7 +197,7 @@ let AuthenticationClientService = class AuthenticationClientService {
         await this.client.resetSecret({ token, newSecret });
     }
     async checkSecret(secret) {
-        return this.client.checkSecret({ secret });
+        return await this.client.checkSecret({ secret });
     }
     saveToken(token) {
         if (isNullOrUndefined(token)) {
@@ -223,7 +223,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     async refreshLoop() {
         while (this.disposeToken.isUnset) {
             try {
-                await this.lock.use(0, false, async () => this.refreshLoopIteration());
+                await this.lock.use(0, false, async () => await this.refreshLoopIteration());
                 await firstValueFrom(race([timer(2500), this.disposeToken, this.forceRefreshToken]));
             }
             catch {

package/authentication/server/authentication-ancillary.service.d.ts

@@ -10,12 +10,22 @@ export type GetTokenPayloadContextAction = EnumType<typeof GetTokenPayloadContex
 export type GetTokenPayloadContext = {
     action: GetTokenPayloadContextAction;
 };
+export type ResolveSubjectResult = {
+    success: true;
+    subject: string;
+} | {
+    success: false;
+    subject?: undefined;
+};
 export declare abstract class AuthenticationAncillaryService<AdditionalTokenPayload extends Record = Record<never>, AuthenticationData = void, AdditionalInitSecretResetData = void> {
     /**
      * Resolve a provided subject to the actual subject used for authentication.
      * Useful for example if you want to be able to login via mail but actual subject is the user id.
+     * @param providedSubject The subject provided by the user, e.g. an email address.
+     * @returns An object with success flag and the resolved subject if successful.
+     * If the subject cannot be resolved, return an object with success set to false.
      */
-    abstract resolveSubject(providedSubject: string): string | Promise<string>;
+    abstract resolveSubject(providedSubject: string): ResolveSubjectResult | Promise<ResolveSubjectResult>;
     abstract getTokenPayload(subject: string, authenticationData: AuthenticationData, context: GetTokenPayloadContext): AdditionalTokenPayload | Promise<AdditionalTokenPayload>;
     abstract handleInitSecretReset(data: InitSecretResetData & AdditionalInitSecretResetData): void | Promise<void>;
     /**

package/authentication/server/authentication-ancillary.service.js

@@ -1,7 +1,7 @@
 import { defineEnum } from '../../enumeration/enumeration.js';
 export const GetTokenPayloadContextAction = defineEnum('GetTokenPayloadContextAction', {
     GetToken: 'get-token',
-    Refresh: 'refresh'
+    Refresh: 'refresh',
 });
 export class AuthenticationAncillaryService {
 }

package/authentication/server/authentication-secret-requirements.validator.js

@@ -13,7 +13,7 @@ export class AuthenticationSecretRequirementsValidator {
 }
 let DefaultAuthenticationSecretRequirementsValidator = class DefaultAuthenticationSecretRequirementsValidator extends AuthenticationSecretRequirementsValidator {
     async checkSecretRequirements(secret) {
-        return checkPassword(secret, { checkForPwned: true });
+        return await checkPassword(secret, { checkForPwned: true });
     }
     async testSecretRequirements(secret) {
         const result = await this.checkSecretRequirements(secret);

package/authentication/server/authentication.api-controller.js

@@ -16,7 +16,7 @@ import { authenticationApiDefinition, getAuthenticationApiDefinition } from '../
 import { AuthenticationService } from './authentication.service.js';
 import { tryGetAuthorizationTokenStringFromRequest } from './helper.js';
 const cookieBaseOptions = { path: '/', httpOnly: true, secure: true, sameSite: 'strict' };
-const deleteCookie = { value: '', ...cookieBaseOptions, expires: -1 };
+const deleteCookie = { value: '', ...cookieBaseOptions, maxAge: -1 };
 let AuthenticationApiController = class AuthenticationApiController {
     authenticationService;
     constructor(authenticationService) {
@@ -69,11 +69,11 @@ let AuthenticationApiController = class AuthenticationApiController {
             cookies: {
                 authorization: deleteCookie,
                 refreshToken: deleteCookie,
-                impersonatorRefreshToken: deleteCookie
+                impersonatorRefreshToken: deleteCookie,
             },
             body: {
-                json: result
-            }
+                json: result,
+            },
         });
     }
     async initSecretReset({ parameters }) {
@@ -85,7 +85,7 @@ let AuthenticationApiController = class AuthenticationApiController {
         return 'ok';
     }
     async checkSecret({ parameters }) {
-        return this.authenticationService.checkSecret(parameters.secret);
+        return await this.authenticationService.checkSecret(parameters.secret);
     }
     timestamp() {
         return currentTimestamp();
@@ -94,15 +94,27 @@ let AuthenticationApiController = class AuthenticationApiController {
         const result = jsonToken.payload;
         const options = {
             cookies: {
-                authorization: { value: `Bearer ${token}`, ...cookieBaseOptions, expires: jsonToken.payload.exp * 1000 },
-                refreshToken: { value: `Bearer ${refreshToken}`, ...cookieBaseOptions, expires: jsonToken.payload.refreshTokenExp * 1000 }
+                authorization: {
+                    value: `Bearer ${token}`,
+                    ...cookieBaseOptions,
+                    expires: jsonToken.payload.exp * 1000,
+                },
+                refreshToken: {
+                    value: `Bearer ${refreshToken}`,
+                    ...cookieBaseOptions,
+                    expires: jsonToken.payload.refreshTokenExp * 1000,
+                },
             },
             body: {
-                json: result
-            }
+                json: result,
+            },
         };
         if (isDefined(impersonatorRefreshToken)) {
-            options.cookies['impersonatorRefreshToken'] = { value: `Bearer ${impersonatorRefreshToken}`, ...cookieBaseOptions, expires: assertDefinedPass(impersonatorRefreshTokenExpiration) * 1000 };
+            options.cookies['impersonatorRefreshToken'] = {
+                value: `Bearer ${impersonatorRefreshToken}`,
+                ...cookieBaseOptions,
+                expires: assertDefinedPass(impersonatorRefreshTokenExpiration) * 1000,
+            };
         }
         if (omitImpersonatorRefreshToken == true) {
             options.cookies['impersonatorRefreshToken'] = deleteCookie;

package/authentication/server/authentication.service.d.ts

@@ -51,6 +51,8 @@ export type TokenResult<AdditionalTokenPayload extends Record> = {
 export type SetCredentialsOptions = {
     /** skip validation for password strength */
     skipValidation?: boolean;
+    /** skip session invalidation */
+    skipSessionInvalidation?: boolean;
 };
 type CreateTokenResult<AdditionalTokenPayload extends Record> = {
     token: string;
@@ -63,11 +65,7 @@ type CreateRefreshTokenResult = {
     hash: Uint8Array;
 };
 export declare class AuthenticationService<AdditionalTokenPayload extends Record = Record<never>, AuthenticationData = void, AdditionalInitSecretResetData = void> implements AfterResolve {
-    private readonly credentialsRepository;
-    private readonly sessionRepository;
-    private readonly authenticationSecretRequirementsValidator;
-    private readonly authenticationAncillaryService;
-    private readonly options;
+    #private;
     private readonly tokenVersion;
     private readonly tokenTimeToLive;
     private readonly refreshTokenTimeToLive;
@@ -96,6 +94,14 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
     validateToken(token: string): Promise<Token<AdditionalTokenPayload>>;
     validateRefreshToken(token: string): Promise<RefreshToken>;
     validateSecretResetToken(token: string): Promise<SecretResetToken>;
+    tryResolveSubject(subject: string): Promise<string | undefined>;
+    /**
+     * Resolves the subject to the actual subject used for authentication.
+     * This should *not* be used for public facing APIs, as it throws an error if the subject is not found that leaks if the subjects exists or not.
+     * Instead use {@link tryResolveSubject} to check if the subject exists without leaking information.
+     * @param subject The subject to resolve.
+     * @returns The resolved subject or the original subject if not found.
+     */
     resolveSubject(subject: string): Promise<string>;
     /** Creates a token without session or refresh token and is not saved in database */
     createToken({ tokenVersion, jwtId, issuedAt, expiration, additionalTokenPayload, subject, sessionId, refreshTokenExpiration, impersonator: impersonatedBy, timestamp }: CreateTokenData<AdditionalTokenPayload>): Promise<CreateTokenResult<AdditionalTokenPayload>>;

package/authentication/server/authentication.service.js

@@ -6,14 +6,18 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 };
 import { ForbiddenError } from '../../errors/forbidden.error.js';
 import { InvalidTokenError } from '../../errors/invalid-token.error.js';
+import { NotFoundError } from '../../errors/not-found.error.js';
 import { NotImplementedError } from '../../errors/not-implemented.error.js';
 import { Singleton, afterResolve, inject, provide } from '../../injector/index.js';
+import { KeyValueStore } from '../../key-value-store/key-value.store.js';
+import { Logger } from '../../logger/logger.js';
 import { DatabaseConfig } from '../../orm/server/index.js';
 import { EntityRepositoryConfig, injectRepository } from '../../orm/server/repository.js';
 import { Alphabet } from '../../utils/alphabet.js';
+import { decodeBase64, encodeBase64 } from '../../utils/base64.js';
 import { deriveBytesMultiple, importPbkdf2Key } from '../../utils/cryptography.js';
 import { currentTimestamp, timestampToTimestampSeconds } from '../../utils/date-time.js';
-import { binaryEquals } from '../../utils/equals.js';
+import { timingSafeBinaryEquals } from '../../utils/equals.js';
 import { createJwtTokenString } from '../../utils/jwt.js';
 import { getRandomBytes, getRandomString } from '../../utils/random.js';
 import { isBinaryData, isString, isUndefined } from '../../utils/type-guards.js';
@@ -40,15 +44,17 @@ export class AuthenticationServiceOptions {
 }
 const SIGNING_SECRETS_LENGTH = 64;
 let AuthenticationService = class AuthenticationService {
-    credentialsRepository = injectRepository(AuthenticationCredentials);
-    sessionRepository = injectRepository(AuthenticationSession);
-    authenticationSecretRequirementsValidator = inject(AuthenticationSecretRequirementsValidator);
-    authenticationAncillaryService = inject(AuthenticationAncillaryService, undefined, { optional: true });
-    options = inject(AuthenticationServiceOptions);
-    tokenVersion = this.options.version ?? 1;
-    tokenTimeToLive = this.options.tokenTimeToLive ?? (5 * millisecondsPerMinute);
-    refreshTokenTimeToLive = this.options.refreshTokenTimeToLive ?? (5 * millisecondsPerDay);
-    secretResetTokenTimeToLive = this.options.secretResetTokenTimeToLive ?? (10 * millisecondsPerMinute);
+    #credentialsRepository = injectRepository(AuthenticationCredentials);
+    #sessionRepository = injectRepository(AuthenticationSession);
+    #authenticationSecretRequirementsValidator = inject(AuthenticationSecretRequirementsValidator);
+    #authenticationAncillaryService = inject(AuthenticationAncillaryService, undefined, { optional: true });
+    #keyValueStore = inject((KeyValueStore), 'authentication');
+    #options = inject(AuthenticationServiceOptions);
+    #logger = inject(Logger, 'authentication');
+    tokenVersion = this.#options.version ?? 1;
+    tokenTimeToLive = this.#options.tokenTimeToLive ?? (5 * millisecondsPerMinute);
+    refreshTokenTimeToLive = this.#options.refreshTokenTimeToLive ?? (5 * millisecondsPerDay);
+    secretResetTokenTimeToLive = this.#options.secretResetTokenTimeToLive ?? (10 * millisecondsPerMinute);
     derivedTokenSigningSecret;
     derivedRefreshTokenSigningSecret;
     derivedSecretResetTokenSigningSecret;
@@ -56,37 +62,44 @@ let AuthenticationService = class AuthenticationService {
         await this.initialize();
     }
     async initialize() {
-        if (isString(this.options.secret) || isBinaryData(this.options.secret)) {
-            await this.deriveSigningSecrets(this.options.secret);
+        if (isString(this.#options.secret) || isBinaryData(this.#options.secret)) {
+            await this.deriveSigningSecrets(this.#options.secret);
         }
         else {
-            this.derivedTokenSigningSecret = this.options.secret.tokenSigningSecret;
-            this.derivedRefreshTokenSigningSecret = this.options.secret.refreshTokenSigningSecret;
-            this.derivedSecretResetTokenSigningSecret = this.options.secret.secretResetTokenSigningSecret;
+            this.derivedTokenSigningSecret = this.#options.secret.tokenSigningSecret;
+            this.derivedRefreshTokenSigningSecret = this.#options.secret.refreshTokenSigningSecret;
+            this.derivedSecretResetTokenSigningSecret = this.#options.secret.secretResetTokenSigningSecret;
         }
     }
     async setCredentials(subject, secret, options) {
+        // We do not need to avoid information leakage here, as this is a non-public method that is only called by a public api if the secret reset token is valid.
         const actualSubject = await this.resolveSubject(subject);
         if (options?.skipValidation != true) {
-            await this.authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
+            await this.#authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
         }
         const salt = getRandomBytes(32);
         const hash = await this.getHash(secret, salt);
-        await this.credentialsRepository.upsert('subject', {
-            subject: actualSubject,
-            hashVersion: 1,
-            salt,
-            hash,
+        await this.#credentialsRepository.transaction(async (tx) => {
+            await this.#credentialsRepository.withTransaction(tx).upsert('subject', {
+                subject: actualSubject,
+                hashVersion: 1,
+                salt,
+                hash,
+            });
+            if (options?.skipSessionInvalidation != true) {
+                await this.#sessionRepository.withTransaction(tx).updateManyByQuery({ subject: actualSubject }, { end: currentTimestamp() });
+            }
         });
     }
     async authenticate(subject, secret) {
-        const actualSubject = await this.resolveSubject(subject);
-        const credentials = await this.credentialsRepository.tryLoadByQuery({ subject: actualSubject });
-        if (isUndefined(credentials)) {
-            return { success: false };
-        }
+        const actualSubject = await this.tryResolveSubject(subject) ?? subject;
+        // Always try to load credentials, even if the subject is not resolved, to avoid information leakage.
+        // If the subject is not resolved, we will create a new credentials entry with an empty salt and hash.
+        // This way, we do not leak if the subject exists or not via timing attacks.
+        const credentials = await this.#credentialsRepository.tryLoadByQuery({ subject: actualSubject })
+            ?? { subject: actualSubject, salt: new Uint8Array(), hash: new Uint8Array() };
         const hash = await this.getHash(secret, credentials.salt);
-        const valid = binaryEquals(hash, credentials.hash);
+        const valid = timingSafeBinaryEquals(hash, credentials.hash);
         if (valid) {
             return { success: true, subject: credentials.subject };
         }
@@ -96,8 +109,8 @@ let AuthenticationService = class AuthenticationService {
         const actualSubject = await this.resolveSubject(subject);
         const now = currentTimestamp();
         const end = now + this.refreshTokenTimeToLive;
-        return this.sessionRepository.transaction(async (tx) => {
-            const session = await this.sessionRepository.withTransaction(tx).insert({
+        return await this.#sessionRepository.transaction(async (tx) => {
+            const session = await this.#sessionRepository.withTransaction(tx).insert({
                 subject: actualSubject,
                 begin: now,
                 end,
@@ -105,10 +118,10 @@ let AuthenticationService = class AuthenticationService {
                 refreshTokenSalt: new Uint8Array(),
                 refreshTokenHash: new Uint8Array(),
             });
-            const tokenPayload = await this.authenticationAncillaryService?.getTokenPayload(actualSubject, authenticationData, { action: GetTokenPayloadContextAction.GetToken });
+            const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(actualSubject, authenticationData, { action: GetTokenPayloadContextAction.GetToken });
             const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: actualSubject, impersonator, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
             const refreshToken = await this.createRefreshToken(actualSubject, session.id, end, { impersonator });
-            await this.sessionRepository.withTransaction(tx).update(session.id, {
+            await this.#sessionRepository.withTransaction(tx).update(session.id, {
                 end,
                 refreshTokenHashVersion: 1,
                 refreshTokenSalt: refreshToken.salt,
@@ -119,26 +132,26 @@ let AuthenticationService = class AuthenticationService {
     }
     async endSession(sessionId) {
         const now = currentTimestamp();
-        await this.sessionRepository.update(sessionId, { end: now });
+        await this.#sessionRepository.update(sessionId, { end: now });
     }
     async refresh(refreshToken, authenticationData, { omitImpersonator = false } = {}) {
         const validatedRefreshToken = await this.validateRefreshToken(refreshToken);
         const sessionId = validatedRefreshToken.payload.sessionId;
-        const session = await this.sessionRepository.load(sessionId);
+        const session = await this.#sessionRepository.load(sessionId);
         const hash = await this.getHash(validatedRefreshToken.payload.secret, session.refreshTokenSalt);
         if (session.end <= currentTimestamp()) {
             throw new InvalidTokenError('Session is expired.');
         }
-        if (!binaryEquals(hash, session.refreshTokenHash)) {
+        if (!timingSafeBinaryEquals(hash, session.refreshTokenHash)) {
             throw new InvalidTokenError('Invalid refresh token.');
         }
         const now = currentTimestamp();
         const impersonator = omitImpersonator ? undefined : validatedRefreshToken.payload.impersonator;
         const newEnd = now + this.refreshTokenTimeToLive;
-        const tokenPayload = await this.authenticationAncillaryService?.getTokenPayload(session.subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
+        const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(session.subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
         const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: session.subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
         const newRefreshToken = await this.createRefreshToken(validatedRefreshToken.payload.subject, sessionId, newEnd, { impersonator });
-        await this.sessionRepository.update(sessionId, {
+        await this.#sessionRepository.update(sessionId, {
             end: newEnd,
             refreshTokenHashVersion: 1,
             refreshTokenSalt: newRefreshToken.salt,
@@ -149,7 +162,7 @@ let AuthenticationService = class AuthenticationService {
     async impersonate(impersonatorRoken, impersonatorRefreshToken, subject, authenticationData) {
         const validatedImpersonatorRoken = await this.validateToken(impersonatorRoken);
         const validatedImpersonatorRefreshToken = await this.validateRefreshToken(impersonatorRefreshToken);
-        const allowed = await this.authenticationAncillaryService?.canImpersonate(validatedImpersonatorRoken.payload, subject, authenticationData) ?? false;
+        const allowed = await this.#authenticationAncillaryService?.canImpersonate(validatedImpersonatorRoken.payload, subject, authenticationData) ?? false;
         if (!allowed) {
             throw new ForbiddenError('Impersonation forbidden.');
         }
@@ -161,45 +174,78 @@ let AuthenticationService = class AuthenticationService {
         };
     }
     async unimpersonate(impersonatorRefreshToken, authenticationData) {
-        return this.refresh(impersonatorRefreshToken, authenticationData, { omitImpersonator: true });
+        return await this.refresh(impersonatorRefreshToken, authenticationData, { omitImpersonator: true });
     }
     async initSecretReset(subject, data) {
-        if (isUndefined(this.authenticationAncillaryService)) {
+        if (isUndefined(this.#authenticationAncillaryService)) {
             throw new NotImplementedError();
         }
-        const actualSubject = await this.resolveSubject(subject);
+        const actualSubject = await this.tryResolveSubject(subject);
+        if (isUndefined(actualSubject)) {
+            this.#logger.warn(`Subject "${subject}" not found for secret reset.`);
+            /**
+             * If the subject cannot be resolved, we do not throw an error here to avoid information leakage.
+             * This is to prevent attackers from discovering valid subjects by trying to reset secrets.
+             * Instead, we simply log the attempt and return without performing any action.
+             */
+            return;
+        }
         const secretResetToken = await this.createSecretResetToken(actualSubject, currentTimestamp() + this.secretResetTokenTimeToLive);
         const initSecretResetData = {
             subject: actualSubject,
             token: secretResetToken.token,
             ...data,
         };
-        await this.authenticationAncillaryService.handleInitSecretReset(initSecretResetData);
+        await this.#authenticationAncillaryService.handleInitSecretReset(initSecretResetData);
     }
     async resetSecret(tokenString, newSecret) {
         const token = await this.validateSecretResetToken(tokenString);
         await this.setCredentials(token.payload.subject, newSecret);
     }
     async checkSecret(secret) {
-        return this.authenticationSecretRequirementsValidator.checkSecretRequirements(secret);
+        return await this.#authenticationSecretRequirementsValidator.checkSecretRequirements(secret);
     }
     async testSecret(secret) {
-        return this.authenticationSecretRequirementsValidator.testSecretRequirements(secret);
+        return await this.#authenticationSecretRequirementsValidator.testSecretRequirements(secret);
     }
     async validateSecret(secret) {
-        return this.authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
+        await this.#authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
     }
     async validateToken(token) {
-        return getTokenFromString(token, this.tokenVersion, this.derivedTokenSigningSecret);
+        return await getTokenFromString(token, this.tokenVersion, this.derivedTokenSigningSecret);
     }
     async validateRefreshToken(token) {
-        return getRefreshTokenFromString(token, this.derivedRefreshTokenSigningSecret);
+        return await getRefreshTokenFromString(token, this.derivedRefreshTokenSigningSecret);
     }
     async validateSecretResetToken(token) {
-        return getSecretResetTokenFromString(token, this.derivedSecretResetTokenSigningSecret);
+        return await getSecretResetTokenFromString(token, this.derivedSecretResetTokenSigningSecret);
     }
+    async tryResolveSubject(subject) {
+        if (isUndefined(this.#authenticationAncillaryService)) {
+            return subject;
+        }
+        const result = await this.#authenticationAncillaryService.resolveSubject(subject);
+        if (result.success) {
+            return result.subject;
+        }
+        return undefined;
+    }
+    /**
+     * Resolves the subject to the actual subject used for authentication.
+     * This should *not* be used for public facing APIs, as it throws an error if the subject is not found that leaks if the subjects exists or not.
+     * Instead use {@link tryResolveSubject} to check if the subject exists without leaking information.
+     * @param subject The subject to resolve.
+     * @returns The resolved subject or the original subject if not found.
+     */
     async resolveSubject(subject) {
-        return this.authenticationAncillaryService?.resolveSubject(subject) ?? subject;
+        if (isUndefined(this.#authenticationAncillaryService)) {
+            return subject;
+        }
+        const result = await this.#authenticationAncillaryService.resolveSubject(subject);
+        if (result.success) {
+            return result.subject;
+        }
+        throw new NotFoundError(`Subject not found.`);
     }
     /** Creates a token without session or refresh token and is not saved in database */
     async createToken({ tokenVersion, jwtId, issuedAt, expiration, additionalTokenPayload, subject, sessionId, refreshTokenExpiration, impersonator: impersonatedBy, timestamp = currentTimestamp() }) {
@@ -262,7 +308,9 @@ let AuthenticationService = class AuthenticationService {
     }
     async deriveSigningSecrets(secret) {
         const key = await importPbkdf2Key(secret);
-        const algorithm = { name: 'PBKDF2', hash: 'SHA-512', iterations: 500000, salt: new Uint8Array() };
+        const saltBase64 = await this.#keyValueStore.getOrSet('derivationSalt', encodeBase64(getRandomBytes(32)));
+        const salt = decodeBase64(saltBase64);
+        const algorithm = { name: 'PBKDF2', hash: 'SHA-512', iterations: 500000, salt };
         const [derivedTokenSigningSecret, derivedRefreshTokenSigningSecret, derivedSecretResetTokenSigningSecret] = await deriveBytesMultiple(algorithm, key, 3, SIGNING_SECRETS_LENGTH);
         this.derivedTokenSigningSecret = derivedTokenSigningSecret;
         this.derivedRefreshTokenSigningSecret = derivedRefreshTokenSigningSecret;

package/authentication/server/drizzle.config.js

@@ -6,6 +6,6 @@ export default defineConfig({
     schema: resolve(__dirname, '../models/schemas.js'),
     migrations: {
         schema: 'authentication',
-        table: '_migrations'
-    }
+        table: '_migrations',
+    },
 });

package/authentication/server/module.js

@@ -33,6 +33,6 @@ export async function migrateAuthenticationSchema() {
     await migrate(database, {
         migrationsSchema: 'authentication',
         migrationsTable: '_migrations',
-        migrationsFolder: import.meta.resolve('./drizzle').replace('file://', '')
+        migrationsFolder: import.meta.resolve('./drizzle').replace('file://', ''),
     });
 }

package/cancellation/token.d.ts

@@ -40,11 +40,11 @@ export declare class CancellationSignal implements PromiseLike<void>, Subscribab
     /**
      * Observable which emits when this token is set.
      */
-    readonly set$: Observable<undefined>;
+    readonly set$: Observable<void>;
     /**
      * Observable which emits when this token is unset.
      */
-    readonly unset$: Observable<undefined>;
+    readonly unset$: Observable<void>;
     /**
      * Returns a promise which is resolved when this token changes its state.
      */