@tstdl/base 0.93.178 → 0.93.180

package/authentication/server/helper.d.ts

@@ -1,6 +1,6 @@
 import type { HttpServerRequest } from '../../http/server/index.js';
-import type { BinaryData, Record } from '../../types/index.js';
-import type { RefreshToken, SecretResetToken, Token } from '../models/index.js';
+import type { Record } from '../../types/index.js';
+import type { PasswordResetToken, RefreshToken, Token } from '../models/index.js';
 /**
  * Tries to get the authorization token string from a request.
  * @param request The request to get the token from.
@@ -13,42 +13,42 @@ export declare function tryGetAuthorizationTokenStringFromRequest(request: HttpS
  * Tries to get a token from a request.
  * @param request The request to get the token from.
  * @param tokenVersion The version of the token to get.
- * @param secret The secret to use for validation.
+ * @param key The CryptoKey to use for validation.
  * @returns The token or undefined if not found.
  * @throws {InvalidTokenError} If the token is invalid.
  */
-export declare function tryGetTokenFromRequest<AdditionalTokenPayload extends Record = Record<never>>(request: HttpServerRequest, tokenVersion: number, secret: string | BinaryData<ArrayBuffer>): Promise<Token<AdditionalTokenPayload> | undefined>;
+export declare function tryGetTokenFromRequest<AdditionalTokenPayload extends Record = Record<never>>(request: HttpServerRequest, tokenVersion: number, key: CryptoKey): Promise<Token<AdditionalTokenPayload> | undefined>;
 /**
  * Gets a token from a request.
  * @param request The request to get the token from.
  * @param tokenVersion The version of the token to get.
- * @param secret The secret to use for validation.
+ * @param key The CryptoKey to use for validation.
  * @returns The token.
  * @throws {InvalidTokenError} If the token is invalid or not found.
  */
-export declare function getTokenFromRequest<AdditionalTokenPayload extends Record = Record<never>>(request: HttpServerRequest, tokenVersion: number, secret: string | BinaryData<ArrayBuffer>): Promise<Token<AdditionalTokenPayload>>;
+export declare function getTokenFromRequest<AdditionalTokenPayload extends Record = Record<never>>(request: HttpServerRequest, tokenVersion: number, key: CryptoKey): Promise<Token<AdditionalTokenPayload>>;
 /**
  * Gets a token from a token string.
  * @param tokenString The token string to get the token from.
  * @param tokenVersion The version of the token to get.
- * @param secret The secret to use for validation.
+ * @param key The CryptoKey to use for validation.
  * @returns The token.
  * @throws {InvalidTokenError} If the token is invalid.
  */
-export declare function getTokenFromString<AdditionalTokenPayload extends Record = Record<never>>(tokenString: string, tokenVersion: number, secret: string | BinaryData<ArrayBuffer>): Promise<Token<AdditionalTokenPayload>>;
+export declare function getTokenFromString<AdditionalTokenPayload extends Record = Record<never>>(tokenString: string, tokenVersion: number, key: CryptoKey): Promise<Token<AdditionalTokenPayload>>;
 /**
  * Gets a refresh token from a token string.
  * @param tokenString The token string to get the refresh token from.
- * @param secret The secret to use for validation.
+ * @param key The CryptoKey to use for validation.
  * @returns The refresh token.
  * @throws {InvalidTokenError} If the refresh token is invalid.
  */
-export declare function getRefreshTokenFromString(tokenString: string, secret: string | BinaryData<ArrayBuffer>): Promise<RefreshToken>;
+export declare function getRefreshTokenFromString(tokenString: string, key: CryptoKey): Promise<RefreshToken>;
 /**
- * Gets a secret reset token from a token string.
- * @param tokenString The token string to get the secret reset token from.
- * @param secret The secret to use for validation.
- * @returns The secret reset token.
- * @throws {InvalidTokenError} If the secret reset token is invalid.
+ * Gets a password reset token from a token string.
+ * @param tokenString The token string to get the password reset token from.
+ * @param key The CryptoKey to use for validation.
+ * @returns The password reset token.
+ * @throws {InvalidTokenError} If the password reset token is invalid.
  */
-export declare function getSecretResetTokenFromString(tokenString: string, secret: string | BinaryData<ArrayBuffer>): Promise<SecretResetToken>;
+export declare function getPasswordResetTokenFromString(tokenString: string, key: CryptoKey): Promise<PasswordResetToken>;

package/authentication/server/helper.js

@@ -1,7 +1,7 @@
+import { parseAndValidateJwtTokenString } from '../../cryptography/index.js';
 import { BadRequestError } from '../../errors/bad-request.error.js';
 import { InvalidTokenError } from '../../errors/invalid-token.error.js';
 import { currentTimestampSeconds } from '../../utils/date-time.js';
-import { parseAndValidateJwtTokenString } from '../../utils/jwt.js';
 import { isArray, isDefined, isUndefined } from '../../utils/type-guards.js';
 /**
  * Tries to get the authorization token string from a request.
@@ -10,8 +10,8 @@ import { isArray, isDefined, isUndefined } from '../../utils/type-guards.js';
  * @param fromCookieOnly Whether to only get the token from the cookie.
  * @returns The token string or undefined if not found.
  */
-export function tryGetAuthorizationTokenStringFromRequest(request, cookieName = 'authorization', fromCookieOnly = false) {
-    const headerName = (cookieName.toLocaleLowerCase() == 'authorization')
+export function tryGetAuthorizationTokenStringFromRequest(request, cookieName = 'token', fromCookieOnly = false) {
+    const headerName = (cookieName.toLocaleLowerCase() == 'token')
         ? 'Authorization'
         : (cookieName.toLocaleLowerCase() == 'refreshtoken')
             ? 'X-Refresh-Token'
@@ -19,47 +19,46 @@ export function tryGetAuthorizationTokenStringFromRequest(request, cookieName =
                 ? 'X-Impersonator-Refresh-Token'
                 : undefined;
     const headerValue = (fromCookieOnly || isUndefined(headerName)) ? undefined : request.headers.tryGet(headerName);
-    const authorizationString = (isArray(headerValue) ? headerValue[0] : headerValue)
-        ?? request.cookies.tryGet(cookieName);
-    if (isDefined(authorizationString)) {
-        const spaceIndex = authorizationString.indexOf(' ');
+    const headerTokenString = (isArray(headerValue) ? headerValue[0] : headerValue);
+    if (isDefined(headerTokenString)) {
+        const spaceIndex = headerTokenString.indexOf(' ');
         if (spaceIndex == -1) {
-            return authorizationString;
+            throw new BadRequestError('Missing authorization scheme.');
         }
-        const authorizationScheme = authorizationString.slice(0, spaceIndex).trim().toLowerCase();
+        const authorizationScheme = headerTokenString.slice(0, spaceIndex).trim().toLowerCase();
         if (authorizationScheme != 'bearer') {
             throw new BadRequestError(`Unsupported authorization scheme "${authorizationScheme}".`);
         }
-        const authorization = authorizationString.slice(spaceIndex).trim();
+        const authorization = headerTokenString.slice(spaceIndex).trim();
         return authorization;
     }
-    return undefined;
+    return request.cookies.tryGet(cookieName);
 }
 /**
  * Tries to get a token from a request.
  * @param request The request to get the token from.
  * @param tokenVersion The version of the token to get.
- * @param secret The secret to use for validation.
+ * @param key The CryptoKey to use for validation.
  * @returns The token or undefined if not found.
  * @throws {InvalidTokenError} If the token is invalid.
  */
-export async function tryGetTokenFromRequest(request, tokenVersion, secret) {
+export async function tryGetTokenFromRequest(request, tokenVersion, key) {
     const tokenString = tryGetAuthorizationTokenStringFromRequest(request);
     if (isUndefined(tokenString)) {
         return undefined;
     }
-    return await getTokenFromString(tokenString, tokenVersion, secret);
+    return await getTokenFromString(tokenString, tokenVersion, key);
 }
 /**
  * Gets a token from a request.
  * @param request The request to get the token from.
  * @param tokenVersion The version of the token to get.
- * @param secret The secret to use for validation.
+ * @param key The CryptoKey to use for validation.
  * @returns The token.
  * @throws {InvalidTokenError} If the token is invalid or not found.
  */
-export async function getTokenFromRequest(request, tokenVersion, secret) {
-    const token = await tryGetTokenFromRequest(request, tokenVersion, secret);
+export async function getTokenFromRequest(request, tokenVersion, key) {
+    const token = await tryGetTokenFromRequest(request, tokenVersion, key);
     if (isUndefined(token)) {
         throw new InvalidTokenError('Missing authorization token');
     }
@@ -69,15 +68,15 @@ export async function getTokenFromRequest(request, tokenVersion, secret) {
  * Gets a token from a token string.
  * @param tokenString The token string to get the token from.
  * @param tokenVersion The version of the token to get.
- * @param secret The secret to use for validation.
+ * @param key The CryptoKey to use for validation.
  * @returns The token.
  * @throws {InvalidTokenError} If the token is invalid.
  */
-export async function getTokenFromString(tokenString, tokenVersion, secret) {
+export async function getTokenFromString(tokenString, tokenVersion, key) {
     if (isUndefined(tokenString)) {
         throw new InvalidTokenError('Missing authorization token');
     }
-    const validatedToken = await parseAndValidateJwtTokenString(tokenString, 'HS256', secret);
+    const validatedToken = await parseAndValidateJwtTokenString(tokenString, 'KMAC256', key);
     if (validatedToken.header.v != tokenVersion) {
         throw new InvalidTokenError('Invalid token version');
     }
@@ -89,34 +88,34 @@ export async function getTokenFromString(tokenString, tokenVersion, secret) {
 /**
  * Gets a refresh token from a token string.
  * @param tokenString The token string to get the refresh token from.
- * @param secret The secret to use for validation.
+ * @param key The CryptoKey to use for validation.
  * @returns The refresh token.
  * @throws {InvalidTokenError} If the refresh token is invalid.
  */
-export async function getRefreshTokenFromString(tokenString, secret) {
+export async function getRefreshTokenFromString(tokenString, key) {
     if (isUndefined(tokenString)) {
         throw new InvalidTokenError('Missing refresh token');
     }
-    const validatedRefreshToken = await parseAndValidateJwtTokenString(tokenString, 'HS256', secret);
+    const validatedRefreshToken = await parseAndValidateJwtTokenString(tokenString, 'KMAC256', key);
     if (validatedRefreshToken.payload.exp <= currentTimestampSeconds()) {
         throw new InvalidTokenError('Refresh token expired.');
     }
     return validatedRefreshToken;
 }
 /**
- * Gets a secret reset token from a token string.
- * @param tokenString The token string to get the secret reset token from.
- * @param secret The secret to use for validation.
- * @returns The secret reset token.
- * @throws {InvalidTokenError} If the secret reset token is invalid.
+ * Gets a password reset token from a token string.
+ * @param tokenString The token string to get the password reset token from.
+ * @param key The CryptoKey to use for validation.
+ * @returns The password reset token.
+ * @throws {InvalidTokenError} If the password reset token is invalid.
  */
-export async function getSecretResetTokenFromString(tokenString, secret) {
+export async function getPasswordResetTokenFromString(tokenString, key) {
     if (isUndefined(tokenString)) {
-        throw new InvalidTokenError('Missing secret reset token');
+        throw new InvalidTokenError('Missing password reset token');
     }
-    const validatedSecretResetToken = await parseAndValidateJwtTokenString(tokenString, 'HS256', secret);
-    if (validatedSecretResetToken.payload.exp <= currentTimestampSeconds()) {
-        throw new InvalidTokenError('Secret reset token expired.');
+    const validatedPasswordResetToken = await parseAndValidateJwtTokenString(tokenString, 'KMAC256', key);
+    if (validatedPasswordResetToken.payload.exp <= currentTimestampSeconds()) {
+        throw new InvalidTokenError('Password reset token expired.');
     }
-    return validatedSecretResetToken;
+    return validatedPasswordResetToken;
 }

package/authentication/server/index.d.ts

@@ -1,6 +1,6 @@
 export * from './authentication-ancillary.service.js';
 export * from './authentication-api-request-token.provider.js';
-export * from './authentication-secret-requirements.validator.js';
+export * from './authentication-password-requirements.validator.js';
 export * from './authentication.api-controller.js';
 export * from './authentication.service.js';
 export * from './helper.js';

package/authentication/server/index.js

@@ -1,6 +1,6 @@
 export * from './authentication-ancillary.service.js';
 export * from './authentication-api-request-token.provider.js';
-export * from './authentication-secret-requirements.validator.js';
+export * from './authentication-password-requirements.validator.js';
 export * from './authentication.api-controller.js';
 export * from './authentication.service.js';
 export * from './helper.js';

package/authentication/server/module.d.ts

@@ -16,7 +16,7 @@ export declare class AuthenticationModuleConfig {
     /**
      * Options for {@link AuthenticationService}.
      */
-    serviceOptions: AuthenticationServiceOptions | Provider<AuthenticationServiceOptions>;
+    serviceOptions?: AuthenticationServiceOptions | Provider<AuthenticationServiceOptions>;
     /**
      * Override default {@link AuthenticationService}.
      */
@@ -35,7 +35,7 @@ export declare class AuthenticationModuleConfig {
  * Configures authentication server services.
  * @param config Configuration.
  */
-export declare function configureAuthenticationServer({ injector, ...config }: AuthenticationModuleConfig & {
+export declare function configureAuthenticationServer({ injector, ...config }?: AuthenticationModuleConfig & {
     injector?: Injector;
 }): void;
 /**

package/authentication/server/module.js

@@ -38,11 +38,13 @@ export class AuthenticationModuleConfig {
  * Configures authentication server services.
  * @param config Configuration.
  */
-export function configureAuthenticationServer({ injector, ...config }) {
+export function configureAuthenticationServer({ injector, ...config } = {}) {
     const targetInjector = injector ?? Injector;
     targetInjector.register(AuthenticationModuleConfig, { useValue: config });
-    targetInjector.register(AuthenticationServiceOptions, isProvider(config.serviceOptions) ? config.serviceOptions : { useValue: config.serviceOptions });
     targetInjector.register(ApiRequestTokenProvider, { useToken: AuthenticationApiRequestTokenProvider });
+    if (isDefined(config.serviceOptions)) {
+        targetInjector.register(AuthenticationServiceOptions, isProvider(config.serviceOptions) ? config.serviceOptions : { useValue: config.serviceOptions });
+    }
     if (isDefined(config.authenticationService)) {
         targetInjector.registerSingleton(AuthenticationService, { useToken: config.authenticationService });
     }

package/authentication/server/schemas.d.ts

@@ -1,19 +1,23 @@
-import { AuthenticationCredentials, AuthenticationSession, ServiceAccount, Subject, SystemAccount, User } from '../models/index.js';
+import { AuthenticationPassword, AuthenticationSession, AuthenticationTotp, AuthenticationTotpRecoveryCode, AuthenticationUsedTotpToken, ServiceAccount, Subject, SystemAccount, User } from '../models/index.js';
 export declare const authenticationSchema: import("../../orm/server/index.js").DatabaseSchema<"authentication">;
+export declare const subjectStatus: import("../../orm/enums.js").PgEnumFromEnumeration<{
+    readonly Active: "active";
+    readonly Suspended: "suspended";
+}>;
 export declare const subjectType: import("../../orm/enums.js").PgEnumFromEnumeration<{
     readonly System: "system";
     readonly User: "user";
     readonly ServiceAccount: "service-account";
 }>;
-export declare const subjectStatus: import("../../orm/enums.js").PgEnumFromEnumeration<{
+export declare const totpStatus: import("../../orm/enums.js").PgEnumFromEnumeration<{
+    readonly Pending: "pending";
     readonly Active: "active";
-    readonly Inactive: "inactive";
-    readonly Suspended: "suspended";
-    readonly PendingApproval: "pending-approval";
-    readonly Invited: "invited";
 }>;
-export declare const authenticationCredentials: import("../../orm/server/types.js").PgTableFromType<typeof AuthenticationCredentials, "authentication">;
+export declare const authenticationPasswords: import("../../orm/server/types.js").PgTableFromType<typeof AuthenticationPassword, "authentication">;
 export declare const authenticationSession: import("../../orm/server/types.js").PgTableFromType<typeof AuthenticationSession, "authentication">;
+export declare const authenticationTotp: import("../../orm/server/types.js").PgTableFromType<typeof AuthenticationTotp, "authentication">;
+export declare const authenticationTotpRecoveryCode: import("../../orm/server/types.js").PgTableFromType<typeof AuthenticationTotpRecoveryCode, "authentication">;
+export declare const authenticationUsedTotpToken: import("../../orm/server/types.js").PgTableFromType<typeof AuthenticationUsedTotpToken, "authentication">;
 export declare const serviceAccount: import("../../orm/server/types.js").PgTableFromType<typeof ServiceAccount, "authentication">;
 export declare const subject: import("../../orm/server/types.js").PgTableFromType<typeof Subject, "authentication">;
 export declare const systemAccount: import("../../orm/server/types.js").PgTableFromType<typeof SystemAccount, "authentication">;

package/authentication/server/schemas.js

@@ -1,10 +1,14 @@
 import { databaseSchema } from '../../orm/server/index.js';
-import { AuthenticationCredentials, AuthenticationSession, ServiceAccount, Subject, SubjectStatus, SubjectType, SystemAccount, User } from '../models/index.js';
+import { AuthenticationPassword, AuthenticationSession, AuthenticationTotp, AuthenticationTotpRecoveryCode, AuthenticationUsedTotpToken, ServiceAccount, Subject, SubjectStatus, SubjectType, SystemAccount, TotpStatus, User } from '../models/index.js';
 export const authenticationSchema = databaseSchema('authentication');
-export const subjectType = authenticationSchema.getEnum(SubjectType);
 export const subjectStatus = authenticationSchema.getEnum(SubjectStatus);
-export const authenticationCredentials = authenticationSchema.getTable(AuthenticationCredentials);
+export const subjectType = authenticationSchema.getEnum(SubjectType);
+export const totpStatus = authenticationSchema.getEnum(TotpStatus);
+export const authenticationPasswords = authenticationSchema.getTable(AuthenticationPassword);
 export const authenticationSession = authenticationSchema.getTable(AuthenticationSession);
+export const authenticationTotp = authenticationSchema.getTable(AuthenticationTotp);
+export const authenticationTotpRecoveryCode = authenticationSchema.getTable(AuthenticationTotpRecoveryCode);
+export const authenticationUsedTotpToken = authenticationSchema.getTable(AuthenticationUsedTotpToken);
 export const serviceAccount = authenticationSchema.getTable(ServiceAccount);
 export const subject = authenticationSchema.getTable(Subject);
 export const systemAccount = authenticationSchema.getTable(SystemAccount);

package/authentication/tests/authentication-password-requirements.validator.test.js

@@ -0,0 +1,29 @@
+import { describe, expect, it } from 'vitest';
+import { PasswordRequirementsError } from '../errors/password-requirements.error.js';
+import { DefaultAuthenticationPasswordRequirementsValidator } from '../server/authentication-password-requirements.validator.js';
+describe('DefaultAuthenticationPasswordRequirementsValidator', () => {
+    const validator = new DefaultAuthenticationPasswordRequirementsValidator();
+    it('should return success when password is strong and not pwned', async () => {
+        // A very long random string is unlikely to be pwned and will be strong
+        const result = await validator.testPasswordRequirements('Very-Strong-And-Long-Password-2026!@#$%^&*()');
+        expect(result.success).toBe(true);
+    });
+    it('should return failure when password is pwned', async () => {
+        // "password" is definitely pwned
+        const result = await validator.testPasswordRequirements('password');
+        expect(result.success).toBe(false);
+        expect(result.reason).toContain('exposed in data breach');
+    });
+    it('should return failure when password is too weak', async () => {
+        // "abc" is too weak (and likely pwned)
+        const result = await validator.testPasswordRequirements('abc');
+        expect(result.success).toBe(false);
+        expect(result.reason).toBeDefined();
+    });
+    it('should throw PasswordRequirementsError on validation failure', async () => {
+        await expect(validator.validatePasswordRequirements('abc')).rejects.toThrow(PasswordRequirementsError);
+    });
+    it('should not throw on validation success', async () => {
+        await expect(validator.validatePasswordRequirements('Very-Strong-And-Long-Password-2026!@#$%^&*()')).resolves.not.toThrow();
+    });
+});

package/authentication/tests/authentication.api-controller.test.js

@@ -1,10 +1,12 @@
 import { afterAll, beforeAll, beforeEach, describe, expect, test, vi } from 'vitest';
+import { Auditor } from '../../audit/index.js';
 import { AuthenticationClientService } from '../../authentication/client/index.js';
 import { AuthenticationAncillaryService, AuthenticationService as AuthenticationServerService } from '../../authentication/server/index.js';
 import { HttpClientOptions } from '../../http/client/index.js';
 import { HttpServer } from '../../http/server/index.js';
 import { runInInjectionContext } from '../../injector/index.js';
 import { clearTenantData, setupIntegrationTest } from '../../testing/index.js';
+import { currentTimestampSeconds } from '../../utils/date-time.js';
 import { SubjectService } from '../server/subject.service.js';
 import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
 describe('AuthenticationApiController Integration', () => {
@@ -26,7 +28,9 @@ describe('AuthenticationApiController Integration', () => {
         };
         ({ injector, database } = await setupIntegrationTest({
             modules: { authentication: true, audit: true, keyValueStore: true, signals: true, api: true, webServer: true },
-            authenticationAncillaryService: DefaultAuthenticationAncillaryService,
+            authentication: {
+                ancillaryService: DefaultAuthenticationAncillaryService,
+            },
         }));
         await runInInjectionContext(injector, async () => {
             server = injector.resolve(HttpServer);
@@ -44,12 +48,12 @@ describe('AuthenticationApiController Integration', () => {
     });
     beforeEach(async () => {
         globalThis.localStorage?.clear();
-        await clearTenantData(database, schema, ['credentials', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+        await clearTenantData(database, schema, ['used_totp_tokens', 'totp_recovery_code', 'totp', 'password', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
     });
     test('login should work via API client', async () => {
         await runInInjectionContext(injector, async () => {
             const user = await subjectService.createUser({ tenantId, email: 'api-login@example.com', firstName: 'A', lastName: 'L' });
-            await serverService.setCredentials(user, 'Strong-Password-2026!');
+            await serverService.setPassword(user, 'Strong-Password-2026!');
             await service.login({ tenantId, subject: user.id }, 'Strong-Password-2026!');
             expect(service.isLoggedIn()).toBe(true);
             expect(service.subjectId()).toBe(user.id);
@@ -58,9 +62,9 @@ describe('AuthenticationApiController Integration', () => {
     test('login should work even if an expired token is present in the Authorization header', async () => {
         await runInInjectionContext(injector, async () => {
             const user = await subjectService.createUser({ tenantId, email: 'expired-token-login@example.com', firstName: 'E', lastName: 'L' });
-            await serverService.setCredentials(user, 'Strong-Password-2026!');
+            await serverService.setPassword(user, 'Strong-Password-2026!');
             // Create an expired token
-            const now = Math.floor(Date.now() / 1000);
+            const now = currentTimestampSeconds();
             const expiredTokenResult = await serverService.createToken({
                 subject: user,
                 sessionId: crypto.randomUUID(),
@@ -72,21 +76,21 @@ describe('AuthenticationApiController Integration', () => {
                 timestamp: (now - 7200) * 1000,
             });
             // Inject the expired token into the client service
-            service.updateRawTokens(expiredTokenResult.token);
+            service.updateRawTokens(`Bearer ${expiredTokenResult.token}`);
             // Now try to login
             await service.login({ tenantId, subject: user.id }, 'Strong-Password-2026!');
             expect(service.isLoggedIn()).toBe(true);
             expect(service.subjectId()).toBe(user.id);
         });
     });
-    test('checkSecret should work via API client', async () => {
-        const result = await service.checkSecret('abc');
+    test('checkPassword should work via API client', async () => {
+        const result = await service.checkPassword('abc');
         expect(result.strength).toBeLessThan(2);
     });
     test('refresh should work via API client', async () => {
         await runInInjectionContext(injector, async () => {
             const user = await subjectService.createUser({ tenantId, email: 'api-refresh@example.com', firstName: 'A', lastName: 'L' });
-            await serverService.setCredentials(user, 'Strong-Password-2026!');
+            await serverService.setPassword(user, 'Strong-Password-2026!');
             await service.login({ tenantId, subject: user.id }, 'Strong-Password-2026!');
             const initialToken = service.token()?.jti;
             await service.refresh();
@@ -97,7 +101,7 @@ describe('AuthenticationApiController Integration', () => {
         await runInInjectionContext(injector, async () => {
             const admin = await subjectService.createUser({ tenantId, email: 'api-admin@example.com', firstName: 'A', lastName: 'D' });
             const user = await subjectService.createUser({ tenantId, email: 'api-user@example.com', firstName: 'U', lastName: 'S' });
-            await serverService.setCredentials(admin, 'Admin-Pass-123!');
+            await serverService.setPassword(admin, 'Admin-Pass-123!');
             expect(await subjectService.exists(tenantId, admin.id)).toBe(true);
             expect(await subjectService.exists(tenantId, user.id)).toBe(true);
             await service.login({ tenantId, subject: admin.id }, 'Admin-Pass-123!');
@@ -108,15 +112,45 @@ describe('AuthenticationApiController Integration', () => {
             expect(service.subjectId()).toBe(admin.id);
         });
     });
-    test('secret reset should work via API client', async () => {
+    test('password reset should work via API client', async () => {
         await runInInjectionContext(injector, async () => {
             const user = await subjectService.createUser({ tenantId, email: 'api-reset@example.com', firstName: 'A', lastName: 'L' });
-            const ancillaryService = injector.resolve(AuthenticationAncillaryService);
-            await service.initResetSecret({ tenantId, subject: user.id }, undefined);
-            expect(ancillaryService.lastResetData).toBeDefined();
-            await service.resetSecret(ancillaryService.lastResetData.token, 'New-API-Pass-123!');
+            const ancillaryService = await injector.resolveAsync(AuthenticationAncillaryService);
+            await service.initPasswordReset({ tenantId, subject: user.id }, undefined);
+            await vi.waitFor(() => expect(ancillaryService.lastResetData).toBeDefined(), { timeout: 5000, interval: 50 });
+            await service.resetPassword(ancillaryService.lastResetData.token, 'New-API-Pass-123!');
             await service.login({ tenantId, subject: user.id }, 'New-API-Pass-123!');
             expect(service.isLoggedIn()).toBe(true);
         });
     });
+    test('listSessions and invalidateAllOtherSessions should work via API client', async () => {
+        await runInInjectionContext(injector, async () => {
+            const user = await subjectService.createUser({ tenantId, email: 'api-sessions@example.com', firstName: 'S', lastName: 'E' });
+            await serverService.setPassword(user, 'Strong-Password-2026!');
+            // Create two sessions
+            const auditor = injector.resolve(Auditor);
+            await serverService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor);
+            await service.login({ tenantId, subject: user.id }, 'Strong-Password-2026!');
+            const sessions = await service.listSessions();
+            expect(sessions.length).toBe(2);
+            expect(sessions[0]).toHaveProperty('id');
+            expect(sessions[0]).toHaveProperty('begin');
+            expect(sessions[0]).toHaveProperty('end');
+            await service.invalidateAllOtherSessions();
+            const updatedSessions = await service.listSessions();
+            // Only the current session should remain
+            expect(updatedSessions.length).toBe(1);
+            expect(updatedSessions[0].id).toBe(service.sessionId());
+        });
+    });
+    test('changePassword should work via API client', async () => {
+        await runInInjectionContext(injector, async () => {
+            const user = await subjectService.createUser({ tenantId, email: 'api-change-secret@example.com', firstName: 'C', lastName: 'S' });
+            await serverService.setPassword(user, 'Old-Strong-Password-2026!');
+            await service.login({ tenantId, subject: user.id }, 'Old-Strong-Password-2026!');
+            await service.changePassword('Old-Strong-Password-2026!', 'New-Strong-Password-2026!');
+            const authResult = await serverService.authenticateWithPassword({ tenantId, subject: user.id }, 'New-Strong-Password-2026!');
+            expect(authResult.success).toBe(true);
+        });
+    });
 });

package/authentication/tests/authentication.client-error-handling.test.js

@@ -14,6 +14,7 @@ import { Lock } from '../../lock/index.js';
 import { Logger } from '../../logger/index.js';
 import { MessageBus } from '../../message-bus/index.js';
 import { configureDefaultSignalsImplementation } from '../../signals/implementation/configure.js';
+import { currentTimestampSeconds } from '../../utils/date-time.js';
 import { timeout } from '../../utils/timing.js';
 describe('AuthenticationClientService Error Handling & Stuck States', () => {
     let injector;
@@ -36,7 +37,7 @@ describe('AuthenticationClientService Error Handling & Stuck States', () => {
         mockApiClient = {
             login: vi.fn(),
             refresh: vi.fn(),
-            timestamp: vi.fn().mockResolvedValue(Math.floor(Date.now() / 1000)),
+            timestamp: vi.fn().mockResolvedValue(currentTimestampSeconds()),
             endSession: vi.fn().mockResolvedValue(undefined),
         };
         mockLock = {
@@ -72,7 +73,7 @@ describe('AuthenticationClientService Error Handling & Stuck States', () => {
         await injector.dispose();
     });
     function setupServiceWithToken(iatOffset = -10, expOffset = 5) {
-        const now = Math.floor(Date.now() / 1000);
+        const now = currentTimestampSeconds();
         const initialToken = { iat: now + iatOffset, exp: now + expOffset, jti: 'initial' };
         globalThis.localStorage.setItem('AuthenticationService:token', JSON.stringify(initialToken));
         service = injector.resolve(AuthenticationClientService);

package/authentication/tests/authentication.client-middleware.test.js

@@ -2,15 +2,15 @@ import { of } from 'rxjs';
 import { describe, expect, test, vi } from 'vitest';
 import { HttpClientRequest, HttpClientResponse, HttpError, HttpErrorReason } from '../../http/index.js';
 import { dontWaitForValidToken } from '../authentication.api.js';
-import { logoutOnUnauthorizedMiddleware, waitForAuthenticationCredentialsMiddleware } from '../client/http-client.middleware.js';
-describe('waitForAuthenticationCredentialsMiddleware', () => {
+import { logoutOnUnauthorizedMiddleware, waitForAuthenticationMiddleware } from '../client/http-client.middleware.js';
+describe('waitForAuthenticationMiddleware', () => {
     test('should wait for token and call next', async () => {
         const authenticationServiceMock = {
             token: vi.fn().mockReturnValue({ jti: 'test-token' }),
             validToken$: of({ jti: 'test-token' }),
             hasValidToken: true,
         };
-        const middleware = waitForAuthenticationCredentialsMiddleware(authenticationServiceMock);
+        const middleware = waitForAuthenticationMiddleware(authenticationServiceMock);
         const request = new HttpClientRequest('http://localhost');
         request.context = {
             endpoint: {
@@ -26,7 +26,7 @@ describe('waitForAuthenticationCredentialsMiddleware', () => {
             isLoggedIn: vi.fn().mockReturnValue(true),
             hasValidToken: false,
         };
-        const middleware = waitForAuthenticationCredentialsMiddleware(authenticationServiceMock);
+        const middleware = waitForAuthenticationMiddleware(authenticationServiceMock);
         const request = new HttpClientRequest('http://localhost');
         request.context = {
             endpoint: {
@@ -45,7 +45,7 @@ describe('waitForAuthenticationCredentialsMiddleware', () => {
             isLoggedIn: vi.fn().mockReturnValue(true),
             hasValidToken: false,
         };
-        const middleware = waitForAuthenticationCredentialsMiddleware(authenticationServiceMock);
+        const middleware = waitForAuthenticationMiddleware(authenticationServiceMock);
         const request = new HttpClientRequest('http://localhost');
         request.context = {
             endpoint: {

package/authentication/tests/authentication.client-service-methods.test.js

@@ -8,6 +8,7 @@ import { Lock } from '../../lock/index.js';
 import { Logger } from '../../logger/index.js';
 import { MessageBus } from '../../message-bus/index.js';
 import { configureDefaultSignalsImplementation } from '../../signals/implementation/configure.js';
+import { currentTimestampSeconds } from '../../utils/date-time.js';
 describe('AuthenticationClientService Methods', () => {
     let injector;
     let service;
@@ -31,11 +32,13 @@ describe('AuthenticationClientService Methods', () => {
             refresh: vi.fn(),
             impersonate: vi.fn(),
             unimpersonate: vi.fn(),
-            changeSecret: vi.fn(),
-            initSecretReset: vi.fn(),
-            resetSecret: vi.fn(),
-            checkSecret: vi.fn(),
-            timestamp: vi.fn().mockResolvedValue(Math.floor(Date.now() / 1000)),
+            changePassword: vi.fn(),
+            initPasswordReset: vi.fn(),
+            resetPassword: vi.fn(),
+            checkPassword: vi.fn(),
+            listSessions: vi.fn(),
+            invalidateAllOtherSessions: vi.fn(),
+            timestamp: vi.fn().mockResolvedValue(currentTimestampSeconds()),
             endSession: vi.fn().mockResolvedValue(undefined),
         };
         mockLock = {
@@ -106,17 +109,17 @@ describe('AuthenticationClientService Methods', () => {
         expect(mockApiClient.unimpersonate).toHaveBeenCalled();
         expect(service.token()).toEqual(token);
     });
-    test('changeSecret should call api', async () => {
-        await service.changeSecret({ tenantId: 't', subject: 's' }, 'old', 'new');
-        expect(mockApiClient.changeSecret).toHaveBeenCalledWith({ tenantId: 't', subject: 's', currentSecret: 'old', newSecret: 'new' });
+    test('changePassword should call api', async () => {
+        await service.changePassword('old', 'new');
+        expect(mockApiClient.changePassword).toHaveBeenCalledWith({ currentPassword: 'old', newPassword: 'new' });
     });
-    test('initResetSecret should call api', async () => {
-        await service.initResetSecret({ tenantId: 't', subject: 's' }, { some: 'data' });
-        expect(mockApiClient.initSecretReset).toHaveBeenCalledWith({ tenantId: 't', subject: 's', data: { some: 'data' } });
+    test('initPasswordReset should call api', async () => {
+        await service.initPasswordReset({ tenantId: 't', subject: 's' }, { some: 'data' });
+        expect(mockApiClient.initPasswordReset).toHaveBeenCalledWith({ tenantId: 't', subject: 's', data: { some: 'data' } });
     });
-    test('resetSecret should call api', async () => {
-        await service.resetSecret('token', 'new-secret');
-        expect(mockApiClient.resetSecret).toHaveBeenCalledWith({ token: 'token', newSecret: 'new-secret' });
+    test('resetPassword should call api', async () => {
+        await service.resetPassword('token', 'new-password');
+        expect(mockApiClient.resetPassword).toHaveBeenCalledWith({ token: 'token', newPassword: 'new-password' });
     });
     test('updateRawTokens should update signals and storage', async () => {
         service.updateRawTokens('raw', 'refresh', 'impersonator');
@@ -160,4 +163,15 @@ describe('AuthenticationClientService Methods', () => {
         expect(mockLogger.warn).toHaveBeenCalledWith(expect.stringContaining('Failed to synchronize clock'));
         expect(service.clockOffset).toBe(0);
     });
+    test('listSessions should call api', async () => {
+        const sessions = [{ id: '1', begin: 100, end: 200 }];
+        mockApiClient.listSessions.mockResolvedValue(sessions);
+        const result = await service.listSessions();
+        expect(mockApiClient.listSessions).toHaveBeenCalled();
+        expect(result).toEqual(sessions);
+    });
+    test('invalidateAllOtherSessions should call api', async () => {
+        await service.invalidateAllOtherSessions();
+        expect(mockApiClient.invalidateAllOtherSessions).toHaveBeenCalled();
+    });
 });