@tstdl/base 0.93.178 → 0.93.180

package/authentication/server/{authentication-secret-requirements.validator.js → authentication-password-requirements.validator.js}

@@ -8,32 +8,32 @@ import { Singleton } from '../../injector/index.js';
 import { PasswordStrength } from '../../password/password-check-result.model.js';
 import { checkPassword } from '../../password/password-check.js';
 import { isNumber } from '../../utils/type-guards.js';
-import { SecretRequirementsError } from '../errors/secret-requirements.error.js';
-export class AuthenticationSecretRequirementsValidator {
+import { PasswordRequirementsError } from '../errors/password-requirements.error.js';
+export class AuthenticationPasswordRequirementsValidator {
 }
 /**
- * Default validator for secret requirements.
+ * Default validator for password requirements.
  *
  * Checks for pwned passwords and password strength.
  * - Pwned passwords are not allowed.
  * - Password strength must be at least 'medium'.
  */
-let DefaultAuthenticationSecretRequirementsValidator = class DefaultAuthenticationSecretRequirementsValidator extends AuthenticationSecretRequirementsValidator {
+let DefaultAuthenticationPasswordRequirementsValidator = class DefaultAuthenticationPasswordRequirementsValidator extends AuthenticationPasswordRequirementsValidator {
     /**
-     * Checks the secret against the requirements.
-     * @param secret The secret to check.
+     * Checks the password against the requirements.
+     * @param password The password to check.
      * @returns The result of the check.
      */
-    async checkSecretRequirements(secret) {
-        return await checkPassword(secret, { checkForPwned: true });
+    async checkPasswordRequirements(password) {
+        return await checkPassword(password, { checkForPwned: true });
     }
     /**
-     * Tests the secret against the requirements.
-     * @param secret The secret to test.
+     * Tests the password against the requirements.
+     * @param password The password to test.
      * @returns The result of the test.
      */
-    async testSecretRequirements(secret) {
-        const result = await this.checkSecretRequirements(secret);
+    async testPasswordRequirements(password) {
+        const result = await this.checkPasswordRequirements(password);
         if (isNumber(result.pwned) && (result.pwned > 0)) {
             return { success: false, reason: 'Password is exposed in data breach (https://haveibeenpwned.com/passwords).' };
         }
@@ -43,18 +43,18 @@ let DefaultAuthenticationSecretRequirementsValidator = class DefaultAuthenticati
         return { success: true };
     }
     /**
-     * Validates the secret against the requirements. Throws an error if the requirements are not met.
-     * @param secret The secret to validate.
-     * @throws {SecretRequirementsError} If the secret does not meet the requirements.
+     * Validates the password against the requirements. Throws an error if the requirements are not met.
+     * @param password The password to validate.
+     * @throws {PasswordRequirementsError} If the password does not meet the requirements.
      */
-    async validateSecretRequirements(secret) {
-        const result = await this.testSecretRequirements(secret);
+    async validatePasswordRequirements(password) {
+        const result = await this.testPasswordRequirements(password);
         if (!result.success) {
-            throw new SecretRequirementsError(result.reason);
+            throw new PasswordRequirementsError(result.reason);
         }
     }
 };
-DefaultAuthenticationSecretRequirementsValidator = __decorate([
-    Singleton({ alias: AuthenticationSecretRequirementsValidator })
-], DefaultAuthenticationSecretRequirementsValidator);
-export { DefaultAuthenticationSecretRequirementsValidator };
+DefaultAuthenticationPasswordRequirementsValidator = __decorate([
+    Singleton({ alias: AuthenticationPasswordRequirementsValidator })
+], DefaultAuthenticationPasswordRequirementsValidator);
+export { DefaultAuthenticationPasswordRequirementsValidator };

package/authentication/server/authentication.api-controller.d.ts

@@ -1,88 +1,116 @@
 /** biome-ignore-all lint/nursery/noExcessiveClassesPerFile: <explanation> */
 import type { ApiController, ApiRequestContext, ApiServerResult } from '../../api/types.js';
+import { type Auditor } from '../../audit/index.js';
 import { HttpServerResponse } from '../../http/server/index.js';
+import { RateLimiter } from '../../rate-limit/index.js';
 import type { ObjectSchemaOrType, SchemaTestable } from '../../schema/index.js';
 import type { Record, Type } from '../../types/index.js';
 import type { AuthenticationApiDefinition } from '../authentication.api.js';
-import type { TokenResult } from './authentication.service.js';
-import { AuthenticationService } from './authentication.service.js';
+import type { LoginResult, TokenResult } from './authentication.service.js';
+import { AuthenticationService, AuthenticationServiceOptions } from './authentication.service.js';
 /**
  * API controller for authentication.
  *
  * @template AdditionalTokenPayload Type of additional token payload
  * @template AuthenticationData Type of additional authentication data
- * @template AdditionalInitSecretResetData Type of additional secret reset data
+ * @template AdditionalInitPasswordResetData Type of additional password reset data
  */
-export declare class AuthenticationApiController<AdditionalTokenPayload extends Record, AuthenticationData, AdditionalInitSecretResetData = void> implements ApiController<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>> {
-    protected readonly authenticationService: AuthenticationService<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>;
+export declare class AuthenticationApiController<AdditionalTokenPayload extends Record, AuthenticationData, AdditionalInitPasswordResetData = void> implements ApiController<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>> {
+    #private;
+    protected readonly authenticationService: AuthenticationService<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>;
+    protected readonly options: AuthenticationServiceOptions;
+    protected readonly subjectRateLimiter: RateLimiter;
+    protected readonly ipRateLimiter: RateLimiter;
     /**
-     * Get a token for a subject and secret.
+     * Get a token for a subject and password.
      * @param parameters The parameters for the request.
      * @returns The token result.
      */
-    login({ parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'login'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'login'>>;
+    login({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'login'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'login'>>;
+    loginVerifyTotp({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'loginVerifyTotp'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'loginVerifyTotp'>>;
+    loginRecovery({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'loginRecovery'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'loginRecovery'>>;
+    initEnrollTotp({ getToken, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'initEnrollTotp'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'initEnrollTotp'>>;
+    completeEnrollTotp({ request, getToken, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'completeEnrollTotp'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'completeEnrollTotp'>>;
+    disableTotp({ request, getToken, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'disableTotp'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'disableTotp'>>;
+    disableTotpWithRecoveryCode({ request, getToken, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'disableTotpWithRecoveryCode'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'disableTotpWithRecoveryCode'>>;
+    regenerateRecoveryCodes({ request, getToken, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'regenerateRecoveryCodes'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'regenerateRecoveryCodes'>>;
+    getTotpStatus({ getToken }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'getTotpStatus'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'getTotpStatus'>>;
     /**
      * Refresh a token.
      * @param request The request context.
      * @param parameters The parameters for the request.
      * @returns The token result.
      */
-    refresh({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'refresh'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'refresh'>>;
+    refresh({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'refresh'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'refresh'>>;
     /**
      * Impersonate a subject.
      * @param request The request context.
      * @param parameters The parameters for the request.
      * @returns The token result.
      */
-    impersonate({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'impersonate'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'impersonate'>>;
+    impersonate({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'impersonate'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'impersonate'>>;
     /**
      * Unimpersonate a subject.
      * @param request The request context.
      * @param parameters The parameters for the request.
      * @returns The token result.
      */
-    unimpersonate({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'unimpersonate'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'unimpersonate'>>;
+    unimpersonate({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'unimpersonate'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'unimpersonate'>>;
     /**
      * End a session.
      * @param request The request context.
      * @returns 'ok'
      */
-    endSession({ request, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'endSession'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'endSession'>>;
-    changeSecret({ parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'changeSecret'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'changeSecret'>>;
+    endSession({ request, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'endSession'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'endSession'>>;
+    changePassword({ request, parameters, getToken, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'changePassword'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'changePassword'>>;
     /**
-     * Initialize a secret reset.
+     * Initialize a password reset.
      * @param parameters The parameters for the request.
-     * @returns 'ok' if the secret reset was initialized.
+     * @returns 'ok' if the password reset was initialized.
      */
-    initSecretReset({ parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'initSecretReset'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'initSecretReset'>>;
+    initPasswordReset({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'initPasswordReset'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'initPasswordReset'>>;
     /**
-     * Reset a secret.
+     * Reset a password.
      * @param parameters The parameters for the request.
-     * @returns 'ok' if the secret was reset.
+     * @returns 'ok' if the password was reset.
      */
-    resetSecret({ parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'resetSecret'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'resetSecret'>>;
+    resetPassword({ request, parameters, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'resetPassword'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'resetPassword'>>;
     /**
-     * Check a secret.
+     * Check a password.
      * @param parameters The parameters for the request.
-     * @returns The result of the secret check.
+     * @returns The result of the password check.
      */
-    checkSecret({ parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'checkSecret'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'checkSecret'>>;
+    checkPassword({ parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'checkPassword'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'checkPassword'>>;
     /**
      * Get the current server timestamp.
      * @returns The current server timestamp in seconds.
      */
-    timestamp(): ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'timestamp'>;
-    protected getTokenResponse({ token, jsonToken, refreshToken, remember, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }: TokenResult<AdditionalTokenPayload>): HttpServerResponse;
+    timestamp(): ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'timestamp'>;
+    /**
+     * List all active sessions for the current user.
+     * @param context The request context.
+     * @returns List of sessions.
+     */
+    listSessions({ getToken }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'listSessions'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'listSessions'>>;
+    /**
+     * Invalidate all active sessions for the current user except the current one.
+     * @param context The request context.
+     * @returns 'ok' if all other sessions were invalidated.
+     */
+    invalidateAllOtherSessions({ getToken, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'invalidateAllOtherSessions'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'invalidateAllOtherSessions'>>;
+    protected enforceRateLimit(ip: string, subjectResource: string, auditor: Auditor, targetId: string, action: string): Promise<void>;
+    protected getTokenResponse<T>(result: TokenResult<AdditionalTokenPayload>, body: NoInfer<T>): HttpServerResponse;
+    protected getLoginResponse(result: LoginResult<AdditionalTokenPayload>): ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'login'>;
 }
 /**
  * Get an authentication API controller.
  * @param additionalTokenPayloadSchema Schema for additional token payload.
  * @param authenticationDataSchema Schema for additional authentication data.
- * @param additionalInitSecretResetData Schema for additional secret reset data.
+ * @param additionalInitPasswordResetData Schema for additional password reset data.
  * @returns An authentication API controller.
  * @template AdditionalTokenPayload Type of additional token payload.
  * @template AuthenticationData Type of additional authentication data.
- * @template AdditionalInitSecretResetData Type of additional secret reset data.
+ * @template AdditionalInitPasswordResetData Type of additional password reset data.
  */
-export declare function getAuthenticationApiController<AdditionalTokenPayload extends Record, AuthenticationData, AdditionalInitSecretResetData = void>(// eslint-disable-line @typescript-eslint/explicit-function-return-type
-additionalTokenPayloadSchema: ObjectSchemaOrType<AdditionalTokenPayload>, authenticationDataSchema: SchemaTestable<AuthenticationData>, additionalInitSecretResetData: SchemaTestable<AdditionalInitSecretResetData>): Type<AuthenticationApiController<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>>;
+export declare function getAuthenticationApiController<AdditionalTokenPayload extends Record, AuthenticationData, AdditionalInitPasswordResetData = void>(// eslint-disable-line @typescript-eslint/explicit-function-return-type
+additionalTokenPayloadSchema: ObjectSchemaOrType<AdditionalTokenPayload>, authenticationDataSchema: SchemaTestable<AuthenticationData>, additionalInitPasswordResetData: SchemaTestable<AdditionalInitPasswordResetData>): Type<AuthenticationApiController<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>>;

package/authentication/server/authentication.api-controller.js

@@ -5,13 +5,21 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
+var _a;
+var AuthenticationApiController_1;
 import { apiController } from '../../api/server/index.js';
+import { ActorType } from '../../audit/index.js';
+import { NIL_UUID } from '../../constants.js';
+import { TooManyRequestsError } from '../../errors/index.js';
 import { HttpServerResponse } from '../../http/server/index.js';
 import { inject } from '../../injector/index.js';
+import { Logger } from '../../logger/logger.js';
+import { RateLimiter } from '../../rate-limit/index.js';
 import { currentTimestampSeconds } from '../../utils/date-time.js';
 import { isDefined } from '../../utils/type-guards.js';
+import { millisecondsPerMinute } from '../../utils/units.js';
 import { authenticationApiDefinition, getAuthenticationApiDefinition } from '../authentication.api.js';
-import { AuthenticationService } from './authentication.service.js';
+import { AuthenticationService, AuthenticationServiceOptions } from './authentication.service.js';
 import { tryGetAuthorizationTokenStringFromRequest } from './helper.js';
 const cookieBaseOptions = { path: '/', httpOnly: true, secure: true, sameSite: 'strict' };
 const deleteCookie = { value: '', ...cookieBaseOptions, maxAge: -1 };
@@ -20,18 +28,91 @@ const deleteCookie = { value: '', ...cookieBaseOptions, maxAge: -1 };
  *
  * @template AdditionalTokenPayload Type of additional token payload
  * @template AuthenticationData Type of additional authentication data
- * @template AdditionalInitSecretResetData Type of additional secret reset data
+ * @template AdditionalInitPasswordResetData Type of additional password reset data
  */
-let AuthenticationApiController = class AuthenticationApiController {
+let AuthenticationApiController = AuthenticationApiController_1 = class AuthenticationApiController {
+    #logger = inject(Logger, AuthenticationApiController_1.name);
     authenticationService = inject((AuthenticationService));
+    options = inject(AuthenticationServiceOptions, undefined, { optional: true }) ?? {};
+    subjectRateLimiter = inject(RateLimiter, {
+        resource: 'authentication:subject',
+        burstCapacity: this.options.bruteForceProtection?.subjectBurstCapacity ?? 10,
+        refillInterval: this.options.bruteForceProtection?.subjectRefillInterval ?? (30 * millisecondsPerMinute),
+    });
+    ipRateLimiter = inject(RateLimiter, {
+        resource: 'authentication:ip',
+        burstCapacity: this.options.bruteForceProtection?.ipBurstCapacity ?? 20,
+        refillInterval: this.options.bruteForceProtection?.ipRefillInterval ?? (5 * millisecondsPerMinute),
+    });
     /**
-     * Get a token for a subject and secret.
+     * Get a token for a subject and password.
      * @param parameters The parameters for the request.
      * @returns The token result.
      */
-    async login({ parameters, getAuditor }) {
-        const result = await this.authenticationService.login({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.secret, parameters.data, await getAuditor(), parameters.remember);
-        return this.getTokenResponse(result);
+    async login({ request, parameters, getAuditor }) {
+        const auditor = await getAuditor();
+        const subjectResource = `${parameters.tenantId ?? NIL_UUID}:${parameters.subject}`;
+        const actualSubject = await this.authenticationService.tryResolveSubject({ tenantId: parameters.tenantId, subject: parameters.subject });
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, actualSubject?.id ?? NIL_UUID, 'login');
+        const result = await this.authenticationService.login({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.password, parameters.data, auditor, parameters.remember);
+        return this.getLoginResponse(result);
+    }
+    async loginVerifyTotp({ request, parameters, getAuditor }) {
+        const auditor = await getAuditor();
+        const validatedChallengeToken = await this.authenticationService.validateTotpChallengeToken(parameters.challengeToken);
+        const subjectResource = `${validatedChallengeToken.payload.tenant}:${validatedChallengeToken.payload.subject}`;
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, validatedChallengeToken.payload.subject, 'login-verify-totp');
+        const result = await this.authenticationService.loginVerifyTotp(parameters.challengeToken, parameters.token, auditor);
+        return this.getLoginResponse(result);
+    }
+    async loginRecovery({ request, parameters, getAuditor }) {
+        const auditor = await getAuditor();
+        const validatedChallengeToken = await this.authenticationService.validateTotpChallengeToken(parameters.challengeToken);
+        const subjectResource = `${validatedChallengeToken.payload.tenant}:${validatedChallengeToken.payload.subject}`;
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, validatedChallengeToken.payload.subject, 'login-recovery');
+        const result = await this.authenticationService.loginRecovery(parameters.challengeToken, parameters.recoveryCode, auditor);
+        return this.getLoginResponse(result);
+    }
+    async initEnrollTotp({ getToken, getAuditor }) {
+        const token = await getToken();
+        const auditor = await getAuditor();
+        return await this.authenticationService.initEnrollTotp(token.payload.tenant, token.payload.subject, auditor);
+    }
+    async completeEnrollTotp({ request, getToken, parameters, getAuditor }) {
+        const token = await getToken();
+        const auditor = await getAuditor();
+        const subjectResource = `${token.payload.tenant}:${token.payload.subject}`;
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, token.payload.subject, 'complete-enroll-totp');
+        const result = await this.authenticationService.completeEnrollTotp(token.payload.tenant, token.payload.subject, parameters.token, auditor);
+        return result;
+    }
+    async disableTotp({ request, getToken, parameters, getAuditor }) {
+        const token = await getToken();
+        const auditor = await getAuditor();
+        const subjectResource = `${token.payload.tenant}:${token.payload.subject}`;
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, token.payload.subject, 'disable-totp');
+        await this.authenticationService.disableTotp(token.payload.tenant, token.payload.subject, parameters.token, auditor);
+        return 'ok';
+    }
+    async disableTotpWithRecoveryCode({ request, getToken, parameters, getAuditor }) {
+        const token = await getToken();
+        const auditor = await getAuditor();
+        const subjectResource = `${token.payload.tenant}:${token.payload.subject}`;
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, token.payload.subject, 'disable-totp-recovery');
+        await this.authenticationService.disableTotpWithRecoveryCode(token.payload.tenant, token.payload.subject, parameters.recoveryCode, auditor);
+        return 'ok';
+    }
+    async regenerateRecoveryCodes({ request, getToken, parameters, getAuditor }) {
+        const token = await getToken();
+        const auditor = await getAuditor();
+        const subjectResource = `${token.payload.tenant}:${token.payload.subject}`;
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, token.payload.subject, 'regenerate-recovery-codes');
+        const result = await this.authenticationService.regenerateRecoveryCodes(token.payload.tenant, token.payload.subject, parameters.token, auditor, { invalidateOtherSessions: parameters.invalidateOtherSessions });
+        return result;
+    }
+    async getTotpStatus({ getToken }) {
+        const token = await getToken();
+        return await this.authenticationService.getTotpStatus(token.payload.tenant, token.payload.subject);
     }
     /**
      * Refresh a token.
@@ -40,9 +121,13 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @returns The token result.
      */
     async refresh({ request, parameters, getAuditor }) {
+        const auditor = await getAuditor();
         const refreshTokenString = tryGetAuthorizationTokenStringFromRequest(request, 'refreshToken') ?? '';
-        const result = await this.authenticationService.refresh(refreshTokenString, parameters.data, undefined, await getAuditor());
-        return this.getTokenResponse(result);
+        const validatedToken = await this.authenticationService.validateRefreshToken(refreshTokenString);
+        const subjectResource = `${validatedToken.payload.tenant}:${validatedToken.payload.subject}`;
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, validatedToken.payload.subject, 'refresh');
+        const result = await this.authenticationService.refreshAlreadyValidatedToken(validatedToken, parameters.data, undefined, auditor);
+        return this.getTokenResponse(result, result.jsonToken.payload);
     }
     /**
      * Impersonate a subject.
@@ -51,10 +136,11 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @returns The token result.
      */
     async impersonate({ request, parameters, getAuditor }) {
+        const auditor = await getAuditor();
         const tokenString = tryGetAuthorizationTokenStringFromRequest(request) ?? '';
         const refreshTokenString = tryGetAuthorizationTokenStringFromRequest(request, 'refreshToken') ?? '';
-        const impersonatorResult = await this.authenticationService.impersonate(tokenString, refreshTokenString, parameters.subject, parameters.data, await getAuditor());
-        return this.getTokenResponse(impersonatorResult);
+        const impersonatorResult = await this.authenticationService.impersonate(tokenString, refreshTokenString, parameters.subject, parameters.data, auditor);
+        return this.getTokenResponse(impersonatorResult, impersonatorResult.jsonToken.payload);
     }
     /**
      * Unimpersonate a subject.
@@ -63,9 +149,11 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @returns The token result.
      */
     async unimpersonate({ request, parameters, getAuditor }) {
+        const auditor = await getAuditor();
+        const tokenString = tryGetAuthorizationTokenStringFromRequest(request) ?? '';
         const impersonatorRefreshTokenString = tryGetAuthorizationTokenStringFromRequest(request, 'impersonatorRefreshToken') ?? '';
-        const result = await this.authenticationService.unimpersonate(impersonatorRefreshTokenString, parameters.data, await getAuditor());
-        return this.getTokenResponse(result);
+        const result = await this.authenticationService.unimpersonate(impersonatorRefreshTokenString, tokenString, parameters.data, auditor);
+        return this.getTokenResponse(result, result.jsonToken.payload);
     }
     /**
      * End a session.
@@ -90,7 +178,8 @@ let AuthenticationApiController = class AuthenticationApiController {
             }
         }
         if (isDefined(sessionId)) {
-            await this.authenticationService.endSession(sessionId, await getAuditor());
+            const auditor = await getAuditor();
+            await this.authenticationService.endSession(sessionId, auditor);
         }
         const result = 'ok';
         return new HttpServerResponse({
@@ -104,35 +193,54 @@ let AuthenticationApiController = class AuthenticationApiController {
             },
         });
     }
-    async changeSecret({ parameters, getAuditor }) {
-        await this.authenticationService.changeSecret({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.currentSecret, parameters.newSecret, await getAuditor());
+    async changePassword({ request, parameters, getToken, getAuditor }) {
+        const token = await getToken();
+        const auditor = await getAuditor();
+        const subjectResource = `${token.payload.tenant}:${token.payload.subject}`;
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, token.payload.subject, 'change-password');
+        await this.authenticationService.changePassword({ tenantId: token.payload.tenant, subject: token.payload.subject }, parameters.currentPassword, parameters.newPassword, auditor);
         return 'ok';
     }
     /**
-     * Initialize a secret reset.
+     * Initialize a password reset.
      * @param parameters The parameters for the request.
-     * @returns 'ok' if the secret reset was initialized.
+     * @returns 'ok' if the password reset was initialized.
      */
-    async initSecretReset({ parameters, getAuditor }) {
-        await this.authenticationService.initSecretReset({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.data, await getAuditor());
+    async initPasswordReset({ request, parameters, getAuditor }) {
+        const auditor = await getAuditor();
+        const subjectResource = `${parameters.tenantId ?? NIL_UUID}:${parameters.subject}`;
+        const actualSubject = await this.authenticationService.tryResolveSubject({ tenantId: parameters.tenantId, subject: parameters.subject });
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, actualSubject?.id ?? NIL_UUID, 'init-password-reset');
+        void (async () => {
+            // we are intentionally not awaiting the initPasswordReset call here to not leak information through timing about whether the subject exists or not.
+            try {
+                await this.authenticationService.initPasswordReset({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.data, auditor);
+            }
+            catch (error) {
+                this.#logger.error(error);
+            }
+        })();
         return 'ok';
     }
     /**
-     * Reset a secret.
+     * Reset a password.
      * @param parameters The parameters for the request.
-     * @returns 'ok' if the secret was reset.
+     * @returns 'ok' if the password was reset.
      */
-    async resetSecret({ parameters, getAuditor }) {
-        await this.authenticationService.resetSecret(parameters.token, parameters.newSecret, await getAuditor());
+    async resetPassword({ request, parameters, getAuditor }) {
+        const subjectResource = parameters.token;
+        const auditor = await getAuditor();
+        await this.enforceRateLimit(request.ip, subjectResource, auditor, NIL_UUID, 'reset-password');
+        await this.authenticationService.resetPassword(parameters.token, parameters.newPassword, auditor);
         return 'ok';
     }
     /**
-     * Check a secret.
+     * Check a password.
      * @param parameters The parameters for the request.
-     * @returns The result of the secret check.
+     * @returns The result of the password check.
      */
-    async checkSecret({ parameters }) {
-        return await this.authenticationService.checkSecret(parameters.secret);
+    async checkPassword({ parameters }) {
+        return await this.authenticationService.checkPassword(parameters.password);
     }
     /**
      * Get the current server timestamp.
@@ -141,27 +249,84 @@ let AuthenticationApiController = class AuthenticationApiController {
     timestamp() {
         return currentTimestampSeconds();
     }
-    getTokenResponse({ token, jsonToken, refreshToken, remember, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }) {
-        const result = jsonToken.payload;
+    /**
+     * List all active sessions for the current user.
+     * @param context The request context.
+     * @returns List of sessions.
+     */
+    async listSessions({ getToken }) {
+        const token = await getToken();
+        const sessions = await this.authenticationService.listSessions(token.payload.tenant, token.payload.subject);
+        return sessions.map((session) => ({
+            id: session.id,
+            begin: session.begin,
+            end: session.end,
+        }));
+    }
+    /**
+     * Invalidate all active sessions for the current user except the current one.
+     * @param context The request context.
+     * @returns 'ok' if all other sessions were invalidated.
+     */
+    async invalidateAllOtherSessions({ getToken, getAuditor }) {
+        const token = await getToken();
+        const auditor = await getAuditor();
+        await this.authenticationService.invalidateAllOtherSessions(token.payload.tenant, token.payload.subject, token.payload.session, auditor);
+        return 'ok';
+    }
+    async enforceRateLimit(ip, subjectResource, auditor, targetId, action) {
+        const authAuditor = auditor.fork('authentication');
+        const ipAcquired = await this.ipRateLimiter.tryAcquire(ip);
+        if (!ipAcquired) {
+            await authAuditor.warn('rate-limit-exceeded', {
+                actorType: ActorType.Anonymous,
+                targetType: 'Subject',
+                targetId,
+                details: {
+                    type: 'ip',
+                    resource: ip,
+                    action,
+                },
+            });
+            throw new TooManyRequestsError();
+        }
+        const subjectAcquired = await this.subjectRateLimiter.tryAcquire(subjectResource);
+        if (!subjectAcquired) {
+            await authAuditor.warn('rate-limit-exceeded', {
+                actorType: ActorType.Anonymous,
+                targetType: 'Subject',
+                targetId,
+                details: {
+                    type: 'subject',
+                    resource: subjectResource,
+                    action,
+                },
+            });
+            throw new TooManyRequestsError();
+        }
+    }
+    getTokenResponse(result, body) {
+        const { token, jsonToken, refreshToken, remember, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration } = result;
         const options = {
+            statusCode: 200,
             headers: {
                 'X-Authorization': `Bearer ${token}`,
                 'X-Refresh-Token': `Bearer ${refreshToken}`,
             },
             cookies: {
-                authorization: {
-                    value: `Bearer ${token}`,
+                token: {
+                    value: token,
                     ...cookieBaseOptions,
                     expires: remember ? (jsonToken.payload.exp * 1000) : undefined,
                 },
                 refreshToken: {
-                    value: `Bearer ${refreshToken}`,
+                    value: refreshToken,
                     ...cookieBaseOptions,
                     expires: remember ? (jsonToken.payload.refreshTokenExp * 1000) : undefined,
                 },
             },
             body: {
-                json: result,
+                json: body,
             },
         };
         if (isDefined(impersonatorRefreshToken)) {
@@ -177,8 +342,18 @@ let AuthenticationApiController = class AuthenticationApiController {
         }
         return new HttpServerResponse(options);
     }
+    getLoginResponse(result) {
+        if (result.type == 'success') {
+            return this.getTokenResponse(result.result, {
+                type: 'success',
+                result: result.result.jsonToken.payload,
+                lowRecoveryCodesWarning: result.lowRecoveryCodesWarning,
+            });
+        }
+        return result;
+    }
 };
-AuthenticationApiController = __decorate([
+AuthenticationApiController = AuthenticationApiController_1 = __decorate([
     apiController(authenticationApiDefinition)
 ], AuthenticationApiController);
 export { AuthenticationApiController };
@@ -186,15 +361,15 @@ export { AuthenticationApiController };
  * Get an authentication API controller.
  * @param additionalTokenPayloadSchema Schema for additional token payload.
  * @param authenticationDataSchema Schema for additional authentication data.
- * @param additionalInitSecretResetData Schema for additional secret reset data.
+ * @param additionalInitPasswordResetData Schema for additional password reset data.
  * @returns An authentication API controller.
  * @template AdditionalTokenPayload Type of additional token payload.
  * @template AuthenticationData Type of additional authentication data.
- * @template AdditionalInitSecretResetData Type of additional secret reset data.
+ * @template AdditionalInitPasswordResetData Type of additional password reset data.
  */
 export function getAuthenticationApiController(// eslint-disable-line @typescript-eslint/explicit-function-return-type
-additionalTokenPayloadSchema, authenticationDataSchema, additionalInitSecretResetData) {
-    const apiDefinition = getAuthenticationApiDefinition(additionalTokenPayloadSchema, authenticationDataSchema, additionalInitSecretResetData);
+additionalTokenPayloadSchema, authenticationDataSchema, additionalInitPasswordResetData) {
+    const apiDefinition = getAuthenticationApiDefinition(additionalTokenPayloadSchema, authenticationDataSchema, additionalInitPasswordResetData);
     let AuthenticationApi = class AuthenticationApi extends AuthenticationApiController {
     };
     AuthenticationApi = __decorate([