@tstdl/base 0.93.187 → 0.93.189

package/ai/genkit/multi-region.plugin.js

@@ -14,16 +14,20 @@ export function vertexAiMultiLocation(options) {
     }
     const tokenLimitThreshold = options.tokenLimitThreshold ?? defaultTokenLimitThreshold;
     const locationConfigs = options.locations.map((location) => {
-        const circuitBreakerKey = `genkit:vertex-ai:location:${location}`;
-        const tokenLimitCircuitBreakerKey = `${circuitBreakerKey}:token-limit`;
+        const circuitBreakerNamespace = `genkit:vertex-ai:location`;
+        const tokenLimitCircuitBreakerNamespace = `genkit:vertex-ai:location-token-limit`;
+        const resource = location;
+        const tokenLimitResource = location;
         return {
             location,
-            circuitBreaker: options.circuitBreakerProvider.provide(circuitBreakerKey, {
+            resource,
+            tokenLimitResource,
+            circuitBreaker: options.circuitBreakerProvider.provide(circuitBreakerNamespace, {
                 threshold: 1,
                 resetTimeout: 30 * millisecondsPerSecond,
                 ...options.circuitBreakerConfig,
             }),
-            tokenLimitCircuitBreaker: options.circuitBreakerProvider.provide(tokenLimitCircuitBreakerKey, {
+            tokenLimitCircuitBreaker: options.circuitBreakerProvider.provide(tokenLimitCircuitBreakerNamespace, {
                 threshold: 1,
                 resetTimeout: 15 * millisecondsPerMinute,
                 ...options.tokenLimitCircuitBreakerConfig,
@@ -48,15 +52,15 @@ export function vertexAiMultiLocation(options) {
             let lastError;
             let isLargeRequest = false;
             const skippedLocations = [];
-            for (const { location, circuitBreaker, tokenLimitCircuitBreaker } of shuffledConfigs) {
-                const check = await circuitBreaker.check();
+            for (const { location, resource, tokenLimitResource, circuitBreaker, tokenLimitCircuitBreaker } of shuffledConfigs) {
+                const check = await circuitBreaker.check(resource);
                 if (!check.allowed) {
                     options.logger.warn(`Location ${location} is currently unhealthy. Skipping...`);
                     skippedLocations.push({ location, reason: 'unhealthy' });
                     continue;
                 }
                 if (isLargeRequest) {
-                    const tokenCheck = await tokenLimitCircuitBreaker.check();
+                    const tokenCheck = await tokenLimitCircuitBreaker.check(tokenLimitResource);
                     if (!tokenCheck.allowed) {
                         options.logger.warn(`Location ${location} is known to have a low token limit. Skipping for this large request...`);
                         skippedLocations.push({ location, reason: 'known to have low token limits' });
@@ -73,10 +77,10 @@ export function vertexAiMultiLocation(options) {
                     }, {
                         onChunk: streamingCallback,
                     });
-                    await circuitBreaker.recordSuccess();
+                    await circuitBreaker.recordSuccess(resource);
                     const isLargeSuccess = isLargeRequest || ((result.usage?.inputTokens ?? 0) > tokenLimitThreshold);
                     if (isLargeSuccess) {
-                        await tokenLimitCircuitBreaker.recordSuccess();
+                        await tokenLimitCircuitBreaker.recordSuccess(tokenLimitResource);
                     }
                     return result;
                 }
@@ -93,11 +97,11 @@ export function vertexAiMultiLocation(options) {
                     if (isTokenLimitError) {
                         options.logger.warn(`Location ${location} responded with token limit error. Trying next location...`);
                         isLargeRequest = true;
-                        await tokenLimitCircuitBreaker.recordFailure();
+                        await tokenLimitCircuitBreaker.recordFailure(tokenLimitResource);
                     }
                     else {
                         options.logger.warn(`Location ${location} responded with ${error.status}. Tripping circuit breaker and trying next location...`);
-                        await circuitBreaker.recordFailure();
+                        await circuitBreaker.recordFailure(resource);
                     }
                 }
             }

package/ai/genkit/types.d.ts

@@ -430,7 +430,7 @@ export declare abstract class VertexAiMultiLocationOptions {
     /**
      * Threshold of input tokens after which a request is considered large.
      * A successful request with more tokens than this threshold will record a success for the token limit circuit breaker.
-     * Defaults to 131,072.
+     * Defaults to 131_072.
      */
     tokenLimitThreshold?: number;
 }

package/ai/genkit/types.js

@@ -16,7 +16,7 @@ export class VertexAiMultiLocationOptions {
     /**
      * Threshold of input tokens after which a request is considered large.
      * A successful request with more tokens than this threshold will record a success for the token limit circuit breaker.
-     * Defaults to 131,072.
+     * Defaults to 131_072.
      */
     tokenLimitThreshold;
 }

package/authentication/client/authentication.service.d.ts

@@ -27,6 +27,7 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     private readonly logger;
     private readonly disposeSignal;
     private readonly forceRefreshRequested;
+    private readonly totpStatusReloadNotifier;
     private readonly forceRefreshSubject;
     private clockOffset;
     private initialized;
@@ -193,6 +194,10 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
      * @param newPassword The new password
      */
     resetPassword(token: string, newPassword: string): Promise<void>;
+    /**
+     * Reload TOTP status.
+     */
+    reloadTotpStatus(): void;
     /**
      * Initiate TOTP enrollment.
      * @returns The secret and URI for enrollment.

package/authentication/client/authentication.service.js

@@ -22,7 +22,7 @@ import { Lock } from '../../lock/index.js';
 import { Logger } from '../../logger/index.js';
 import { MessageBus } from '../../message-bus/index.js';
 import { computed, signal, toObservable } from '../../signals/api.js';
-import { deriveAsync } from '../../signals/index.js';
+import { createNotifier, deriveAsync } from '../../signals/index.js';
 import { currentTimestampSeconds } from '../../utils/date-time.js';
 import { clamp } from '../../utils/math.js';
 import { timeout } from '../../utils/timing.js';
@@ -74,6 +74,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     logger = inject(Logger, 'AuthenticationService');
     disposeSignal = inject(CancellationSignal).fork();
     forceRefreshRequested = signal(false);
+    totpStatusReloadNotifier = createNotifier();
     forceRefreshSubject = new Subject();
     clockOffset = 0;
     initialized = false;
@@ -107,6 +108,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     /** Whether the user is impersonated */
     impersonated = computed(() => isDefined(this.impersonator()));
     totpStatus = deriveAsync(async () => {
+        this.totpStatusReloadNotifier.listen();
         const token = this.token();
         if (isUndefined(token)) {
             return undefined;
@@ -403,6 +405,12 @@ let AuthenticationClientService = class AuthenticationClientService {
     async resetPassword(token, newPassword) {
         await this.client.resetPassword({ token, newPassword });
     }
+    /**
+     * Reload TOTP status.
+     */
+    reloadTotpStatus() {
+        this.totpStatusReloadNotifier.notify();
+    }
     /**
      * Initiate TOTP enrollment.
      * @returns The secret and URI for enrollment.
@@ -416,7 +424,9 @@ let AuthenticationClientService = class AuthenticationClientService {
      * @returns The recovery codes.
      */
     async completeEnrollTotp(token) {
-        return await this.client.completeEnrollTotp({ token });
+        const result = await this.client.completeEnrollTotp({ token });
+        this.reloadTotpStatus();
+        return result;
     }
     /**
      * Disable TOTP.
@@ -424,6 +434,7 @@ let AuthenticationClientService = class AuthenticationClientService {
      */
     async disableTotp(token) {
         await this.client.disableTotp({ token });
+        this.reloadTotpStatus();
     }
     /**
      * Disable TOTP using a recovery code.
@@ -431,6 +442,7 @@ let AuthenticationClientService = class AuthenticationClientService {
      */
     async disableTotpWithRecoveryCode(recoveryCode) {
         await this.client.disableTotpWithRecoveryCode({ recoveryCode });
+        this.reloadTotpStatus();
     }
     /**
      * Regenerate recovery codes.
@@ -439,7 +451,9 @@ let AuthenticationClientService = class AuthenticationClientService {
      * @returns The new recovery codes.
      */
     async regenerateRecoveryCodes(token, options) {
-        return await this.client.regenerateRecoveryCodes({ token, ...options });
+        const result = await this.client.regenerateRecoveryCodes({ token, ...options });
+        this.reloadTotpStatus();
+        return result;
     }
     /**
      * Get TOTP activation status.
@@ -514,7 +528,10 @@ let AuthenticationClientService = class AuthenticationClientService {
             const token = this.token();
             // 1. Wait for login/token if none is present
             if (isUndefined(token)) {
-                await firstValueFrom(race([this.definedToken$, from(this.disposeSignal)]), { defaultValue: undefined });
+                await firstValueFrom(race([
+                    this.tokenUpdateBus.allMessages$.pipe(filter(isDefined)),
+                    from(this.disposeSignal),
+                ]), { defaultValue: undefined });
                 continue;
             }
             try {

package/authentication/models/authentication-totp-recovery-code.model.js

@@ -7,7 +7,7 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-import { Table, TenantEntity, TenantReference, TimestampProperty, UuidProperty } from '../../orm/index.js';
+import { Index, Table, TenantEntity, TenantReference, TimestampProperty, UuidProperty } from '../../orm/index.js';
 import { Uint8ArrayProperty } from '../../schema/index.js';
 import { AuthenticationTotp } from './authentication-totp.model.js';
 let AuthenticationTotpRecoveryCode = class AuthenticationTotpRecoveryCode extends TenantEntity {
@@ -29,6 +29,7 @@ __decorate([
     __metadata("design:type", Object)
 ], AuthenticationTotpRecoveryCode.prototype, "usedTimestamp", void 0);
 AuthenticationTotpRecoveryCode = __decorate([
-    Table('totp_recovery_code', { schema: 'authentication' })
+    Table('totp_recovery_code', { schema: 'authentication' }),
+    Index(['tenantId', 'totpId'])
 ], AuthenticationTotpRecoveryCode);
 export { AuthenticationTotpRecoveryCode };

package/authentication/models/totp-results.model.d.ts

@@ -8,4 +8,5 @@ export declare class TotpRecoveryCodesResult {
 }
 export declare class TotpStatusResult {
     active: boolean;
+    remainingRecoveryCodes: number | null;
 }

package/authentication/models/totp-results.model.js

@@ -8,7 +8,7 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-import { Array, BooleanProperty, StringProperty } from '../../schema/index.js';
+import { Array, BooleanProperty, NumberProperty, StringProperty } from '../../schema/index.js';
 export class TotpEnrollmentInitResult {
     secret;
     uri;
@@ -30,8 +30,13 @@ __decorate([
 ], TotpRecoveryCodesResult.prototype, "recoveryCodes", void 0);
 export class TotpStatusResult {
     active;
+    remainingRecoveryCodes;
 }
 __decorate([
     BooleanProperty(),
     __metadata("design:type", Boolean)
 ], TotpStatusResult.prototype, "active", void 0);
+__decorate([
+    NumberProperty({ nullable: true }),
+    __metadata("design:type", Object)
+], TotpStatusResult.prototype, "remainingRecoveryCodes", void 0);

package/authentication/server/authentication.api-controller.d.ts

@@ -99,6 +99,7 @@ export declare class AuthenticationApiController<AdditionalTokenPayload extends
      */
     invalidateAllOtherSessions({ getToken, getAuditor }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'invalidateAllOtherSessions'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'invalidateAllOtherSessions'>>;
     protected enforceRateLimit(ip: string, subjectResource: string, auditor: Auditor, targetId: string, action: string): Promise<void>;
+    protected refundRateLimit(ip: string, subjectResource: string): Promise<void>;
     protected getTokenResponse<T>(result: TokenResult<AdditionalTokenPayload>, body: NoInfer<T>): HttpServerResponse;
     protected getLoginResponse(result: LoginResult<AdditionalTokenPayload>): ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitPasswordResetData>, 'login'>;
 }

package/authentication/server/authentication.api-controller.js

@@ -35,12 +35,12 @@ let AuthenticationApiController = AuthenticationApiController_1 = class Authenti
     authenticationService = inject((AuthenticationService));
     options = inject(AuthenticationServiceOptions, undefined, { optional: true }) ?? {};
     subjectRateLimiter = inject(RateLimiter, {
-        resource: 'authentication:subject',
+        namespace: 'authentication:subject',
         burstCapacity: this.options.bruteForceProtection?.subjectBurstCapacity ?? 10,
         refillInterval: this.options.bruteForceProtection?.subjectRefillInterval ?? (30 * millisecondsPerMinute),
     });
     ipRateLimiter = inject(RateLimiter, {
-        resource: 'authentication:ip',
+        namespace: 'authentication:ip',
         burstCapacity: this.options.bruteForceProtection?.ipBurstCapacity ?? 20,
         refillInterval: this.options.bruteForceProtection?.ipRefillInterval ?? (5 * millisecondsPerMinute),
     });
@@ -154,6 +154,7 @@ let AuthenticationApiController = AuthenticationApiController_1 = class Authenti
         const subjectResource = `${validatedToken.payload.tenant}:${validatedToken.payload.subject}`;
         await this.enforceRateLimit(request.ip, subjectResource, auditor, validatedToken.payload.subject, 'refresh');
         const result = await this.authenticationService.refreshAlreadyValidatedToken(validatedToken, parameters.data, undefined, auditor);
+        await this.refundRateLimit(request.ip, subjectResource);
         return this.getTokenResponse(result, result.jsonToken.payload);
     }
     /**
@@ -332,6 +333,12 @@ let AuthenticationApiController = AuthenticationApiController_1 = class Authenti
             throw new TooManyRequestsError();
         }
     }
+    async refundRateLimit(ip, subjectResource) {
+        await Promise.all([
+            this.ipRateLimiter.refund(ip),
+            this.subjectRateLimiter.refund(subjectResource),
+        ]);
+    }
     getTokenResponse(result, body) {
         const { token, jsonToken, refreshToken, remember, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration } = result;
         const options = {

package/authentication/server/authentication.service.js

@@ -294,14 +294,15 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         const authAuditor = auditor.fork(AuthenticationService_1.name);
         await this.#endSession(sessionId, authAuditor);
     }
-    async #endSession(sessionId, authAuditor) {
-        const session = await this.#sessionRepository.tryLoad(sessionId);
+    async #endSession(sessionId, authAuditor, tx) {
+        const sessionRepository = this.#sessionRepository.withOptionalTransaction(tx);
+        const session = await sessionRepository.tryLoad(sessionId);
         if (isUndefined(session)) {
             this.#logger.warn(`Session "${sessionId}" not found for logout.`);
             return;
         }
         const now = currentTimestamp();
-        await this.#sessionRepository.update(sessionId, { end: now });
+        await sessionRepository.update(sessionId, { end: now });
         await authAuditor.info('logout', {
             tenantId: session.tenantId,
             actor: session.subjectId,
@@ -411,53 +412,55 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         let session;
         try {
             const sessionId = validatedRefreshToken.payload.session;
-            session = await this.#sessionRepository.load(sessionId);
-            const hash = await this.getHash(validatedRefreshToken.payload.secret, session.refreshTokenSalt);
-            if (session.end <= currentTimestamp()) {
-                throw new InvalidTokenError('Session is expired.');
-            }
-            if (!timingSafeBinaryEquals(hash, session.refreshTokenHash)) {
-                await this.#endSession(sessionId, authAuditor);
-                await authAuditor.warn('refresh-failure', {
-                    actorType: ActorType.Anonymous,
+            return await this.#sessionRepository.transaction(async (tx) => {
+                session = await this.#sessionRepository.withTransaction(tx).load(sessionId);
+                const hash = await this.getHash(validatedRefreshToken.payload.secret, session.refreshTokenSalt);
+                if (session.end <= currentTimestamp()) {
+                    throw new InvalidTokenError('Session is expired.');
+                }
+                if (!timingSafeBinaryEquals(hash, session.refreshTokenHash)) {
+                    await this.#endSession(sessionId, authAuditor, tx);
+                    await authAuditor.warn('refresh-failure', {
+                        actorType: ActorType.Anonymous,
+                        tenantId: session.tenantId,
+                        targetId: session.subjectId,
+                        targetType: 'Subject',
+                        details: { sessionId, reason: 'Token reuse detected. Session revoked.' },
+                    });
+                    throw new InvalidTokenError('Invalid refresh token.');
+                }
+                const now = currentTimestamp();
+                const impersonator = (options.omitImpersonator == true) ? undefined : validatedRefreshToken.payload.impersonator;
+                const remember = validatedRefreshToken.payload.remember;
+                const ttl = remember ? this.rememberRefreshTokenTimeToLive : this.refreshTokenTimeToLive;
+                const newEnd = now + ttl;
+                const subject = await this.#subjectRepository.loadByQuery({ tenantId: session.tenantId, id: session.subjectId });
+                this.ensureNotSuspended(subject);
+                const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
+                const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
+                const newRefreshToken = await this.createRefreshToken(subject, sessionId, newEnd, { impersonator, remember });
+                await this.#sessionRepository.withTransaction(tx).update(sessionId, {
+                    end: newEnd,
+                    refreshTokenSalt: newRefreshToken.salt,
+                    refreshTokenHash: newRefreshToken.hash,
+                });
+                await authAuditor.info('refresh-success', {
                     tenantId: session.tenantId,
+                    actor: session.subjectId,
+                    actorType: ActorType.Subject,
                     targetId: session.subjectId,
                     targetType: 'Subject',
-                    details: { sessionId, reason: 'Token reuse detected. Session revoked.' },
+                    details: { sessionId, remember },
                 });
-                throw new InvalidTokenError('Invalid refresh token.');
-            }
-            const now = currentTimestamp();
-            const impersonator = (options.omitImpersonator == true) ? undefined : validatedRefreshToken.payload.impersonator;
-            const remember = validatedRefreshToken.payload.remember;
-            const ttl = remember ? this.rememberRefreshTokenTimeToLive : this.refreshTokenTimeToLive;
-            const newEnd = now + ttl;
-            const subject = await this.#subjectRepository.loadByQuery({ tenantId: session.tenantId, id: session.subjectId });
-            this.ensureNotSuspended(subject);
-            const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
-            const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
-            const newRefreshToken = await this.createRefreshToken(subject, sessionId, newEnd, { impersonator, remember });
-            await this.#sessionRepository.update(sessionId, {
-                end: newEnd,
-                refreshTokenSalt: newRefreshToken.salt,
-                refreshTokenHash: newRefreshToken.hash,
-            });
-            await authAuditor.info('refresh-success', {
-                tenantId: session.tenantId,
-                actor: session.subjectId,
-                actorType: ActorType.Subject,
-                targetId: session.subjectId,
-                targetType: 'Subject',
-                details: { sessionId, remember },
+                return { token, jsonToken, refreshToken: newRefreshToken.token, remember, omitImpersonatorRefreshToken: options.omitImpersonator };
             });
-            return { token, jsonToken, refreshToken: newRefreshToken.token, remember, omitImpersonatorRefreshToken: options.omitImpersonator };
         }
         catch (error) {
             await authAuditor.warn('refresh-failure', {
                 actorType: ActorType.Anonymous,
                 targetId: session?.subjectId ?? NIL_UUID,
                 targetType: 'Subject',
-                details: { sessionId: null, reason: error.message },
+                details: { sessionId: session?.id ?? null, reason: error.message },
             });
             throw error;
         }
@@ -861,8 +864,13 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
     }
     async getTotpStatus(tenantId, subjectId) {
         const totp = await this.tryGetTotp(tenantId, subjectId);
+        const active = totp?.status == TotpStatus.Active;
+        const remainingRecoveryCodes = active
+            ? await this.#totpRecoveryCodeRepository.countByQuery({ tenantId, totpId: totp.id, usedTimestamp: null })
+            : null;
         return {
-            active: totp?.status == TotpStatus.Active,
+            active,
+            remainingRecoveryCodes,
         };
     }
     async initEnrollTotp(tenantId, subjectId, auditor) {
@@ -995,7 +1003,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         }));
         await this.#totpRepository.transaction(async (transaction) => {
             const totpRecoveryCodeRepository = this.#totpRecoveryCodeRepository.withTransaction(transaction);
-            await totpRecoveryCodeRepository.deleteByQuery({ tenantId, totpId: totp.id });
+            await totpRecoveryCodeRepository.hardDeleteManyByQuery({ tenantId, totpId: totp.id });
             await totpRecoveryCodeRepository.insertMany(hashedRecoveryCodes);
             if (options?.invalidateOtherSessions == true) {
                 await this.#invalidateAllOtherSessions(tenantId, subjectId, NIL_UUID, authAuditor);
@@ -1028,7 +1036,10 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             });
             throw new ForbiddenError('Invalid TOTP token');
         }
-        await this.#totpRepository.deleteByQuery({ tenantId, id: totp.id });
+        await this.#totpRepository.transaction(async (tx) => {
+            await this.#totpRecoveryCodeRepository.withTransaction(tx).hardDeleteManyByQuery({ tenantId, totpId: totp.id });
+            await this.#totpRepository.withTransaction(tx).hardDeleteByQuery({ tenantId, id: totp.id });
+        });
         await authAuditor.info('totp-disable-success', {
             tenantId,
             actor: subjectId,
@@ -1054,7 +1065,10 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             });
             throw new ForbiddenError('Invalid recovery code');
         }
-        await this.#totpRepository.deleteByQuery({ tenantId, id: totp.id });
+        await this.#totpRepository.transaction(async (tx) => {
+            await this.#totpRecoveryCodeRepository.withTransaction(tx).hardDeleteManyByQuery({ tenantId, totpId: totp.id });
+            await this.#totpRepository.withTransaction(tx).hardDeleteByQuery({ tenantId, id: totp.id });
+        });
         await authAuditor.info('totp-disable-success', {
             tenantId,
             actor: subjectId,
@@ -1075,58 +1089,63 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         const challengeToken = await this.validateTotpChallengeToken(challengeTokenString);
         const { tenant, subject: subjectId, remember, data } = challengeToken.payload;
         const totp = await this.#totpRepository.loadByQuery({ tenantId: tenant, subjectId });
-        const isRecoveryCodeValid = await this.verifyAndUseRecoveryCode(totp, recoveryCode);
-        if (!isRecoveryCodeValid) {
-            await authAuditor.warn('recovery-login-failure', {
-                actorType: ActorType.Anonymous,
-                tenantId: tenant,
-                targetId: subjectId,
-                targetType: 'Subject',
-                details: {
-                    subjectInput: { tenantId: tenant, subject: subjectId },
-                    resolvedSubjectId: subjectId,
-                },
-            });
-            throw new ForbiddenError('Invalid recovery code');
-        }
-        const subject = await this.#subjectRepository.loadByQuery({ tenantId: tenant, id: subjectId });
-        const loginResult = await this.#loginAlreadyValidatedSubject(subject, data, authAuditor, remember);
-        const unusedRecoveryCodesCount = await this.#totpRecoveryCodeRepository.countByQuery({ tenantId: tenant, totpId: totp.id, usedTimestamp: null });
+        const result = await this.#totpRepository.transaction(async (tx) => {
+            const isRecoveryCodeValid = await this.verifyAndUseRecoveryCode(totp, recoveryCode, tx);
+            if (!isRecoveryCodeValid) {
+                await authAuditor.warn('recovery-login-failure', {
+                    actorType: ActorType.Anonymous,
+                    tenantId: tenant,
+                    targetId: subjectId,
+                    targetType: 'Subject',
+                    details: {
+                        subjectInput: { tenantId: tenant, subject: subjectId },
+                        resolvedSubjectId: subjectId,
+                    },
+                });
+                throw new ForbiddenError('Invalid recovery code');
+            }
+            const subject = await this.#subjectRepository.loadByQuery({ tenantId: tenant, id: subjectId });
+            const loginResult = await this.#loginAlreadyValidatedSubject(subject, data, authAuditor, remember);
+            const unusedRecoveryCodesCount = await this.#totpRecoveryCodeRepository.withTransaction(tx).countByQuery({ tenantId: tenant, totpId: totp.id, usedTimestamp: null });
+            return { loginResult, unusedRecoveryCodesCount };
+        });
         await authAuditor.info('recovery-login-success', {
             tenantId: tenant,
             actor: subjectId,
             actorType: ActorType.Subject,
             targetId: subjectId,
             targetType: 'Subject',
-            network: { sessionId: loginResult.result.jsonToken.payload.session },
+            network: { sessionId: result.loginResult.result.jsonToken.payload.session },
             details: {
-                sessionId: loginResult.result.jsonToken.payload.session,
+                sessionId: result.loginResult.result.jsonToken.payload.session,
                 remember,
             },
         });
         return {
-            ...loginResult,
-            lowRecoveryCodesWarning: unusedRecoveryCodesCount <= 3,
+            ...result.loginResult,
+            lowRecoveryCodesWarning: result.unusedRecoveryCodesCount <= 3,
         };
     }
     async #loginVerifyTotp(challengeTokenString, token, authAuditor) {
         const challengeToken = await this.validateTotpChallengeToken(challengeTokenString);
         const { tenant, subject: subjectId, remember, data } = challengeToken.payload;
-        const totp = await this.#totpRepository.loadByQuery({ tenantId: tenant, subjectId });
-        const isValid = await this.verifyAndRecordTotpToken(totp, token, authAuditor);
-        if (!isValid) {
-            await authAuditor.warn('totp-verify-failure', {
-                tenantId: tenant,
-                actor: subjectId,
-                actorType: ActorType.Subject,
-                targetId: subjectId,
-                targetType: 'Subject',
-                details: { reason: 'Invalid token' },
-            });
-            throw new ForbiddenError('Invalid TOTP token');
-        }
-        const subject = await this.#subjectRepository.loadByQuery({ tenantId: tenant, id: subjectId });
-        return await this.#loginAlreadyValidatedSubject(subject, data, authAuditor, remember);
+        return await this.#totpRepository.transaction(async (tx) => {
+            const totp = await this.#totpRepository.withTransaction(tx).loadByQuery({ tenantId: tenant, subjectId });
+            const isValid = await this.verifyAndRecordTotpToken(totp, token, authAuditor, tx);
+            if (!isValid) {
+                await authAuditor.warn('totp-verify-failure', {
+                    tenantId: tenant,
+                    actor: subjectId,
+                    actorType: ActorType.Subject,
+                    targetId: subjectId,
+                    targetType: 'Subject',
+                    details: { reason: 'Invalid token' },
+                });
+                throw new ForbiddenError('Invalid TOTP token');
+            }
+            const subject = await this.#subjectRepository.loadByQuery({ tenantId: tenant, id: subjectId });
+            return await this.#loginAlreadyValidatedSubject(subject, data, authAuditor, remember);
+        });
     }
     async validateTotpChallengeToken(tokenString) {
         const validatedToken = await parseAndValidateJwtTokenString(tokenString, 'KMAC256', await this.#totpChallengeSigningKey.getKey());
@@ -1155,26 +1174,29 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         };
         return await createJwtTokenString(jsonToken, await this.#totpChallengeSigningKey.getKey());
     }
-    async verifyAndUseRecoveryCode(totp, code) {
-        const recoveryCodes = await this.#totpRecoveryCodeRepository.loadManyByQuery({ tenantId: totp.tenantId, totpId: totp.id, usedTimestamp: null });
-        const hashingOptions = this.#getTotpRecoveryCodeHashingOptions(totp.recoveryCodeSalt);
-        const hash = await hashTotpRecoveryCode(code, hashingOptions);
-        for (const recoveryCode of recoveryCodes) {
-            const isValid = await verifyTotpRecoveryCode(hash, recoveryCode.code, hashingOptions);
-            if (isValid) {
-                await this.#totpRecoveryCodeRepository.updateByQuery({ tenantId: recoveryCode.tenantId, id: recoveryCode.id }, { usedTimestamp: TRANSACTION_TIMESTAMP });
-                return true;
+    async verifyAndUseRecoveryCode(totp, code, tx) {
+        return await this.#totpRecoveryCodeRepository.useTransaction(tx, async (tx) => {
+            const totpRecoveryCodeRepository = this.#totpRecoveryCodeRepository.withTransaction(tx);
+            const recoveryCodes = await totpRecoveryCodeRepository.loadManyByQuery({ tenantId: totp.tenantId, totpId: totp.id, usedTimestamp: null });
+            const hashingOptions = this.#getTotpRecoveryCodeHashingOptions(totp.recoveryCodeSalt);
+            const hash = await hashTotpRecoveryCode(code, hashingOptions);
+            for (const recoveryCode of recoveryCodes) {
+                const isValid = await verifyTotpRecoveryCode(hash, recoveryCode.code, hashingOptions);
+                if (isValid) {
+                    await totpRecoveryCodeRepository.updateByQuery({ tenantId: recoveryCode.tenantId, id: recoveryCode.id, usedTimestamp: null }, { usedTimestamp: TRANSACTION_TIMESTAMP });
+                    return true;
+                }
             }
-        }
-        return false;
+            return false;
+        });
     }
-    async verifyAndRecordTotpToken(totp, token, authAuditor) {
+    async verifyAndRecordTotpToken(totp, token, authAuditor, tx) {
         const secret = await importHmacKey('raw-secret', this.totpOptions.codeHashAlgorithm, totp.secret, false);
         const isValid = await verifyTotpToken(secret, token, this.#getTotpOptions(totp.recoveryCodeSalt));
         if (!isValid) {
             return false;
         }
-        const inserted = await this.#usedTotpTokenRepository.tryInsert({
+        const inserted = await this.#usedTotpTokenRepository.withOptionalTransaction(tx).tryInsert({
             tenantId: totp.tenantId,
             subjectId: totp.subjectId,
             token,

package/authentication/server/drizzle/{0000_odd_echo.sql → 0000_dry_stepford_cuckoos.sql}

@@ -140,4 +140,5 @@ ALTER TABLE "authentication"."used_totp_tokens" ADD CONSTRAINT "used_totp_tokens
 ALTER TABLE "authentication"."service_account" ADD CONSTRAINT "service_account_tenantId_type_id_subject_fkey" FOREIGN KEY ("tenant_id","type","id") REFERENCES "authentication"."subject"("tenant_id","type","id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "authentication"."service_account" ADD CONSTRAINT "service_account_id_subject_fkey" FOREIGN KEY ("tenant_id","parent") REFERENCES "authentication"."subject"("tenant_id","id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "authentication"."system_account" ADD CONSTRAINT "system_account_tenantId_type_id_subject_fkey" FOREIGN KEY ("tenant_id","type","id") REFERENCES "authentication"."subject"("tenant_id","type","id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "authentication"."user" ADD CONSTRAINT "user_tenantId_type_id_subject_fkey" FOREIGN KEY ("tenant_id","type","id") REFERENCES "authentication"."subject"("tenant_id","type","id") ON DELETE cascade ON UPDATE no action;
+ALTER TABLE "authentication"."user" ADD CONSTRAINT "user_tenantId_type_id_subject_fkey" FOREIGN KEY ("tenant_id","type","id") REFERENCES "authentication"."subject"("tenant_id","type","id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "totp_recovery_code_tenant_id_totp_id_idx" ON "authentication"."totp_recovery_code" USING btree ("tenant_id","totp_id");