@tstdl/base 0.93.2 → 0.93.4

package/authentication/server/authentication.api-controller.js

@@ -33,8 +33,8 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @param parameters The parameters for the request.
      * @returns The token result.
      */
-    async login({ parameters }) {
-        const result = await this.authenticationService.login(parameters.subject, parameters.secret, parameters.data);
+    async login({ parameters, getAuditor }) {
+        const result = await this.authenticationService.login(parameters.subject, parameters.secret, parameters.data, await getAuditor());
         return this.getTokenResponse(result);
     }
     /**
@@ -43,9 +43,9 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @param parameters The parameters for the request.
      * @returns The token result.
      */
-    async refresh({ request, parameters }) {
+    async refresh({ request, parameters, getAuditor }) {
         const refreshTokenString = tryGetAuthorizationTokenStringFromRequest(request, 'refreshToken') ?? '';
-        const result = await this.authenticationService.refresh(refreshTokenString, parameters.data);
+        const result = await this.authenticationService.refresh(refreshTokenString, parameters.data, undefined, await getAuditor());
         return this.getTokenResponse(result);
     }
     /**
@@ -54,10 +54,10 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @param parameters The parameters for the request.
      * @returns The token result.
      */
-    async impersonate({ request, parameters }) {
+    async impersonate({ request, parameters, getAuditor }) {
         const tokenString = tryGetAuthorizationTokenStringFromRequest(request) ?? '';
         const refreshTokenString = tryGetAuthorizationTokenStringFromRequest(request, 'refreshToken') ?? '';
-        const impersonatorResult = await this.authenticationService.impersonate(tokenString, refreshTokenString, parameters.subject, parameters.data);
+        const impersonatorResult = await this.authenticationService.impersonate(tokenString, refreshTokenString, parameters.subject, parameters.data, await getAuditor());
         return this.getTokenResponse(impersonatorResult);
     }
     /**
@@ -66,9 +66,9 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @param parameters The parameters for the request.
      * @returns The token result.
      */
-    async unimpersonate({ request, parameters }) {
+    async unimpersonate({ request, parameters, getAuditor }) {
         const impersonatorRefreshTokenString = tryGetAuthorizationTokenStringFromRequest(request, 'impersonatorRefreshToken') ?? '';
-        const result = await this.authenticationService.refresh(impersonatorRefreshTokenString, parameters.data, { omitImpersonator: true });
+        const result = await this.authenticationService.unimpersonate(impersonatorRefreshTokenString, parameters.data, await getAuditor());
         return this.getTokenResponse(result);
     }
     /**
@@ -76,7 +76,7 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @param request The request context.
      * @returns 'ok' if the session was ended.
      */
-    async endSession({ request }) {
+    async endSession({ request, getAuditor }) {
         let sessionId;
         try {
             const tokenString = tryGetAuthorizationTokenStringFromRequest(request) ?? '';
@@ -93,7 +93,7 @@ let AuthenticationApiController = class AuthenticationApiController {
                 throw error;
             }
         }
-        await this.authenticationService.endSession(sessionId);
+        await this.authenticationService.endSession(sessionId, await getAuditor());
         const result = 'ok';
         return new HttpServerResponse({
             cookies: {
@@ -106,8 +106,8 @@ let AuthenticationApiController = class AuthenticationApiController {
             },
         });
     }
-    async changeSecret({ parameters }) {
-        await this.authenticationService.changeSecret(parameters.subject, parameters.currentSecret, parameters.newSecret);
+    async changeSecret({ parameters, getAuditor }) {
+        await this.authenticationService.changeSecret(parameters.subject, parameters.currentSecret, parameters.newSecret, await getAuditor());
         return 'ok';
     }
     /**
@@ -115,8 +115,8 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @param parameters The parameters for the request.
      * @returns 'ok' if the secret reset was initialized.
      */
-    async initSecretReset({ parameters }) {
-        await this.authenticationService.initSecretReset(parameters.subject, parameters.data);
+    async initSecretReset({ parameters, getAuditor }) {
+        await this.authenticationService.initSecretReset(parameters.subject, parameters.data, await getAuditor());
         return 'ok';
     }
     /**
@@ -124,8 +124,8 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @param parameters The parameters for the request.
      * @returns 'ok' if the secret was reset.
      */
-    async resetSecret({ parameters }) {
-        await this.authenticationService.resetSecret(parameters.token, parameters.newSecret);
+    async resetSecret({ parameters, getAuditor }) {
+        await this.authenticationService.resetSecret(parameters.token, parameters.newSecret, await getAuditor());
         return 'ok';
     }
     /**

package/authentication/server/authentication.audit.d.ts

@@ -0,0 +1,34 @@
+export type AuthenticationAuditEvents = {
+    'login-success': {
+        sessionId: string;
+    };
+    'login-failure': {
+        providedSubject: string;
+    };
+    'logout': {
+        sessionId: string;
+    };
+    'refresh-success': {
+        sessionId: string;
+    };
+    'refresh-failure': {
+        reason: string;
+    };
+    'impersonate-success': {
+        impersonatedSubject: string;
+    };
+    'impersonate-failure': {
+        impersonatedSubject: string;
+        reason: string;
+    };
+    'unimpersonate-success': {};
+    'change-secret-success': {};
+    'change-secret-failure': {
+        providedSubject: string;
+    };
+    'init-secret-reset': {};
+    'reset-secret-success': {};
+    'reset-secret-failure': {
+        reason: string;
+    };
+};

package/authentication/server/authentication.audit.js

@@ -0,0 +1 @@
+export {};

package/authentication/server/authentication.service.d.ts

@@ -1,3 +1,4 @@
+import { Auditor } from '../../audit/index.js';
 import { type AfterResolve, afterResolve } from '../../injector/index.js';
 import type { BinaryData, Record } from '../../types/index.js';
 import { type RefreshToken, type SecretCheckResult, type SecretResetToken, type Token } from '../models/index.js';
@@ -190,63 +191,71 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      * @param subject The subject to log in.
      * @param secret The secret to log in with.
      * @param data Additional authentication data.
+     * @param auditor Auditor for auditing.
      * @returns Token
      */
-    login(subject: string, secret: string, data: AuthenticationData): Promise<TokenResult<AdditionalTokenPayload>>;
+    login(subject: string, secret: string, data: AuthenticationData, auditor: Auditor): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Ends a session.
      * @param sessionId The id of the session to end.
+     * @param auditor Auditor for auditing.
      */
-    endSession(sessionId: string): Promise<void>;
+    endSession(sessionId: string, auditor: Auditor): Promise<void>;
     /**
      * Refreshes a token.
      * @param refreshToken The refresh token to use.
      * @param authenticationData Additional authentication data.
      * @param options Options for refreshing the token.
+     * @param auditor Auditor for auditing.
      * @returns The token result.
      * @throws {InvalidTokenError} If the refresh token is invalid.
      */
-    refresh(refreshToken: string, authenticationData: AuthenticationData, { omitImpersonator }?: {
+    refresh(refreshToken: string, authenticationData: AuthenticationData, options: {
         omitImpersonator?: boolean;
-    }): Promise<TokenResult<AdditionalTokenPayload>>;
+    } | undefined, auditor: Auditor): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Impersonates a subject.
-     * @param impersonatorRoken The token of the impersonator.
+     * @param impersonatorToken The token of the impersonator.
      * @param impersonatorRefreshToken The refresh token of the impersonator.
      * @param subject The subject to impersonate.
      * @param authenticationData Additional authentication data.
+     * @param auditor Auditor for auditing.
      * @returns The token result.
      * @throws {ForbiddenError} If impersonation is not allowed.
      */
-    impersonate(impersonatorRoken: string, impersonatorRefreshToken: string, subject: string, authenticationData: AuthenticationData): Promise<TokenResult<AdditionalTokenPayload>>;
+    impersonate(impersonatorToken: string, impersonatorRefreshToken: string, subject: string, authenticationData: AuthenticationData, auditor: Auditor): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Unimpersonates a subject.
      * @param impersonatorRefreshToken The refresh token of the impersonator.
      * @param authenticationData Additional authentication data.
+     * @param auditor Auditor for auditing.
      * @returns The token result.
      */
-    unimpersonate(impersonatorRefreshToken: string, authenticationData: AuthenticationData): Promise<TokenResult<AdditionalTokenPayload>>;
+    unimpersonate(impersonatorRefreshToken: string, authenticationData: AuthenticationData, auditor: Auditor): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Initializes a secret reset. This usually involves sending an email for verification.
      * @param subject The subject to reset the secret for.
      * @param data Additional data for the secret reset.
+     * @param auditor Auditor for auditing.
      * @throws {NotImplementedError} If no ancillary service is registered.
      */
-    initSecretReset(subject: string, data: AdditionalInitSecretResetData): Promise<void>;
+    initSecretReset(subject: string, data: AdditionalInitSecretResetData, auditor: Auditor): Promise<void>;
     /**
      * Changes a subject's secret.
      * @param subject The subject to change the secret for.
      * @param currentSecret The current secret.
      * @param newSecret The new secret.
+     * @param auditor Auditor for auditing.
      */
-    changeSecret(subject: string, currentSecret: string, newSecret: string): Promise<void>;
+    changeSecret(subject: string, currentSecret: string, newSecret: string, auditor: Auditor): Promise<void>;
     /**
      * Resets a secret.
      * @param tokenString The secret reset token.
      * @param newSecret The new secret.
+     * @param auditor Auditor for auditing.
      * @throws {InvalidTokenError} If the token is invalid.
      */
-    resetSecret(tokenString: string, newSecret: string): Promise<void>;
+    resetSecret(tokenString: string, newSecret: string, auditor: Auditor): Promise<void>;
     /**
      * Checks a secret against the requirements.
      * @param secret The secret to check.

package/authentication/server/authentication.service.js

@@ -4,16 +4,18 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
+var AuthenticationService_1;
+import { ActorType, Auditor, AuditOutcome } from '../../audit/index.js';
+import { NIL_UUID } from '../../constants.js';
 import { ForbiddenError } from '../../errors/forbidden.error.js';
 import { InvalidCredentialsError } from '../../errors/index.js';
 import { InvalidTokenError } from '../../errors/invalid-token.error.js';
 import { NotFoundError } from '../../errors/not-found.error.js';
 import { NotImplementedError } from '../../errors/not-implemented.error.js';
-import { Singleton, afterResolve, inject, provide } from '../../injector/index.js';
+import { afterResolve, inject, provide, Singleton } from '../../injector/index.js';
 import { KeyValueStore } from '../../key-value-store/key-value.store.js';
 import { Logger } from '../../logger/logger.js';
-import { DatabaseConfig } from '../../orm/server/index.js';
-import { EntityRepositoryConfig, injectRepository } from '../../orm/server/repository.js';
+import { DatabaseConfig, EntityRepositoryConfig, injectRepository } from '../../orm/server/index.js';
 import { Alphabet } from '../../utils/alphabet.js';
 import { asyncHook } from '../../utils/async-hook/async-hook.js';
 import { decodeBase64, encodeBase64 } from '../../utils/base64.js';
@@ -78,14 +80,14 @@ const SIGNING_SECRETS_LENGTH = 64;
  * @template AuthenticationData Type of additional authentication data
  * @template AdditionalInitSecretResetData Type of additional secret reset data
  */
-let AuthenticationService = class AuthenticationService {
+let AuthenticationService = AuthenticationService_1 = class AuthenticationService {
     #credentialsRepository = injectRepository(AuthenticationCredentials);
     #sessionRepository = injectRepository(AuthenticationSession);
     #authenticationSecretRequirementsValidator = inject(AuthenticationSecretRequirementsValidator);
     #authenticationAncillaryService = inject(AuthenticationAncillaryService, undefined, { optional: true });
     #keyValueStore = inject((KeyValueStore), 'authentication');
     #options = inject(AuthenticationServiceOptions);
-    #logger = inject(Logger, 'authentication');
+    #logger = inject(Logger, 'Authentication');
     hooks = {
         beforeLogin: asyncHook(),
         afterLogin: asyncHook(),
@@ -203,76 +205,146 @@ let AuthenticationService = class AuthenticationService {
      * @param subject The subject to log in.
      * @param secret The secret to log in with.
      * @param data Additional authentication data.
+     * @param auditor Auditor for auditing.
      * @returns Token
      */
-    async login(subject, secret, data) {
+    async login(subject, secret, data, auditor) {
+        const authAuditor = auditor.fork(AuthenticationService_1.name);
         const authenticationResult = await this.authenticate(subject, secret);
         if (!authenticationResult.success) {
+            const actualSubject = await this.tryResolveSubject(subject) ?? subject;
+            await authAuditor.warn('login-failure', {
+                targetId: actualSubject,
+                targetType: 'User',
+                details: { providedSubject: subject },
+            });
             throw new InvalidCredentialsError();
         }
-        await this.hooks.afterLogin.trigger({ subject: authenticationResult.subject });
+        await this.hooks.beforeLogin.trigger({ subject: authenticationResult.subject });
         const token = await this.getToken(authenticationResult.subject, data);
         await this.hooks.afterLogin.trigger({ subject: authenticationResult.subject });
+        const sessionId = token.jsonToken.payload.sessionId;
+        await authAuditor.info('login-success', {
+            actor: authenticationResult.subject,
+            actorType: ActorType.User,
+            targetId: authenticationResult.subject,
+            targetType: 'User',
+            network: { sessionId },
+            details: { sessionId },
+        });
         return token;
     }
     /**
      * Ends a session.
      * @param sessionId The id of the session to end.
+     * @param auditor Auditor for auditing.
      */
-    async endSession(sessionId) {
+    async endSession(sessionId, auditor) {
+        const authAuditor = auditor.fork(AuthenticationService_1.name);
+        const session = await this.#sessionRepository.tryLoad(sessionId);
+        if (isUndefined(session)) {
+            this.#logger.warn(`Session "${sessionId}" not found for logout.`);
+            return;
+        }
         const now = currentTimestamp();
         await this.#sessionRepository.update(sessionId, { end: now });
+        await authAuditor.info('logout', {
+            actor: session.subject,
+            actorType: ActorType.User,
+            targetId: session.subject,
+            targetType: 'User',
+            details: { sessionId },
+        });
     }
     /**
      * Refreshes a token.
      * @param refreshToken The refresh token to use.
      * @param authenticationData Additional authentication data.
      * @param options Options for refreshing the token.
+     * @param auditor Auditor for auditing.
      * @returns The token result.
      * @throws {InvalidTokenError} If the refresh token is invalid.
      */
-    async refresh(refreshToken, authenticationData, { omitImpersonator = false } = {}) {
-        const validatedRefreshToken = await this.validateRefreshToken(refreshToken);
-        const sessionId = validatedRefreshToken.payload.sessionId;
-        const session = await this.#sessionRepository.load(sessionId);
-        const hash = await this.getHash(validatedRefreshToken.payload.secret, session.refreshTokenSalt);
-        if (session.end <= currentTimestamp()) {
-            throw new InvalidTokenError('Session is expired.');
+    async refresh(refreshToken, authenticationData, options = {}, auditor) {
+        const authAuditor = auditor.fork(AuthenticationService_1.name);
+        try {
+            const validatedRefreshToken = await this.validateRefreshToken(refreshToken);
+            const sessionId = validatedRefreshToken.payload.sessionId;
+            const session = await this.#sessionRepository.load(sessionId);
+            const hash = await this.getHash(validatedRefreshToken.payload.secret, session.refreshTokenSalt);
+            if (session.end <= currentTimestamp()) {
+                throw new InvalidTokenError('Session is expired.');
+            }
+            if (!timingSafeBinaryEquals(hash, session.refreshTokenHash)) {
+                throw new InvalidTokenError('Invalid refresh token.');
+            }
+            const now = currentTimestamp();
+            const impersonator = (options.omitImpersonator == true) ? undefined : validatedRefreshToken.payload.impersonator;
+            const newEnd = now + this.refreshTokenTimeToLive;
+            const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(session.subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
+            const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: session.subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
+            const newRefreshToken = await this.createRefreshToken(validatedRefreshToken.payload.subject, sessionId, newEnd, { impersonator });
+            await this.#sessionRepository.update(sessionId, {
+                end: newEnd,
+                refreshTokenHashVersion: 1,
+                refreshTokenSalt: newRefreshToken.salt,
+                refreshTokenHash: newRefreshToken.hash,
+            });
+            await authAuditor.info('refresh-success', {
+                actor: session.subject,
+                actorType: ActorType.User,
+                targetId: session.subject,
+                targetType: 'User',
+                details: { sessionId },
+            });
+            return { token, jsonToken, refreshToken: newRefreshToken.token, omitImpersonatorRefreshToken: options.omitImpersonator };
         }
-        if (!timingSafeBinaryEquals(hash, session.refreshTokenHash)) {
-            throw new InvalidTokenError('Invalid refresh token.');
+        catch (error) {
+            await authAuditor.warn('refresh-failure', {
+                targetId: NIL_UUID,
+                targetType: 'User',
+                details: { reason: error.message },
+            });
+            throw error;
         }
-        const now = currentTimestamp();
-        const impersonator = omitImpersonator ? undefined : validatedRefreshToken.payload.impersonator;
-        const newEnd = now + this.refreshTokenTimeToLive;
-        const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(session.subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
-        const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: session.subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
-        const newRefreshToken = await this.createRefreshToken(validatedRefreshToken.payload.subject, sessionId, newEnd, { impersonator });
-        await this.#sessionRepository.update(sessionId, {
-            end: newEnd,
-            refreshTokenHashVersion: 1,
-            refreshTokenSalt: newRefreshToken.salt,
-            refreshTokenHash: newRefreshToken.hash,
-        });
-        return { token, jsonToken, refreshToken: newRefreshToken.token, omitImpersonatorRefreshToken: omitImpersonator };
     }
     /**
      * Impersonates a subject.
-     * @param impersonatorRoken The token of the impersonator.
+     * @param impersonatorToken The token of the impersonator.
      * @param impersonatorRefreshToken The refresh token of the impersonator.
      * @param subject The subject to impersonate.
      * @param authenticationData Additional authentication data.
+     * @param auditor Auditor for auditing.
      * @returns The token result.
      * @throws {ForbiddenError} If impersonation is not allowed.
      */
-    async impersonate(impersonatorRoken, impersonatorRefreshToken, subject, authenticationData) {
-        const validatedImpersonatorRoken = await this.validateToken(impersonatorRoken);
+    async impersonate(impersonatorToken, impersonatorRefreshToken, subject, authenticationData, auditor) {
+        const authAuditor = auditor.fork(AuthenticationService_1.name);
+        const validatedImpersonatorToken = await this.validateToken(impersonatorToken);
         const validatedImpersonatorRefreshToken = await this.validateRefreshToken(impersonatorRefreshToken);
-        const allowed = await this.#authenticationAncillaryService?.canImpersonate(validatedImpersonatorRoken.payload, subject, authenticationData) ?? false;
+        const allowed = await this.#authenticationAncillaryService?.canImpersonate(validatedImpersonatorToken.payload, subject, authenticationData) ?? false;
         if (!allowed) {
+            const impersonatedSubject = await this.tryResolveSubject(subject);
+            await authAuditor.warn('impersonate-failure', {
+                outcome: AuditOutcome.Denied,
+                actor: validatedImpersonatorToken.payload.subject,
+                actorType: ActorType.User,
+                targetId: impersonatedSubject ?? NIL_UUID,
+                targetType: 'User',
+                details: { impersonatedSubject: subject, reason: 'Impersonation forbidden.' },
+            });
             throw new ForbiddenError('Impersonation forbidden.');
         }
-        const tokenResult = await this.getToken(subject, authenticationData, { impersonator: validatedImpersonatorRoken.payload.subject });
+        const tokenResult = await this.getToken(subject, authenticationData, { impersonator: validatedImpersonatorToken.payload.subject });
+        await authAuditor.info('impersonate-success', {
+            actor: validatedImpersonatorToken.payload.subject,
+            actorType: ActorType.User,
+            impersonator: validatedImpersonatorToken.payload.subject,
+            impersonatorType: ActorType.User,
+            targetId: tokenResult.jsonToken.payload.subject,
+            targetType: 'User',
+            details: { impersonatedSubject: subject },
+        });
         return {
             ...tokenResult,
             impersonatorRefreshToken,
@@ -283,21 +355,32 @@ let AuthenticationService = class AuthenticationService {
      * Unimpersonates a subject.
      * @param impersonatorRefreshToken The refresh token of the impersonator.
      * @param authenticationData Additional authentication data.
+     * @param auditor Auditor for auditing.
      * @returns The token result.
      */
-    async unimpersonate(impersonatorRefreshToken, authenticationData) {
-        return await this.refresh(impersonatorRefreshToken, authenticationData, { omitImpersonator: true });
+    async unimpersonate(impersonatorRefreshToken, authenticationData, auditor) {
+        const authAuditor = auditor.fork(AuthenticationService_1.name);
+        const tokenResult = await this.refresh(impersonatorRefreshToken, authenticationData, { omitImpersonator: true }, auditor);
+        await authAuditor.info('unimpersonate-success', {
+            actor: tokenResult.jsonToken.payload.subject,
+            actorType: ActorType.User,
+            targetId: tokenResult.jsonToken.payload.subject,
+            targetType: 'User',
+        });
+        return tokenResult;
     }
     /**
      * Initializes a secret reset. This usually involves sending an email for verification.
      * @param subject The subject to reset the secret for.
      * @param data Additional data for the secret reset.
+     * @param auditor Auditor for auditing.
      * @throws {NotImplementedError} If no ancillary service is registered.
      */
-    async initSecretReset(subject, data) {
+    async initSecretReset(subject, data, auditor) {
         if (isUndefined(this.#authenticationAncillaryService)) {
             throw new NotImplementedError('No ancillary service registered.');
         }
+        const authAuditor = auditor.fork(AuthenticationService_1.name);
         const actualSubject = await this.tryResolveSubject(subject);
         if (isUndefined(actualSubject)) {
             this.#logger.warn(`Subject "${subject}" not found for secret reset.`);
@@ -315,31 +398,63 @@ let AuthenticationService = class AuthenticationService {
             ...data,
         };
         await this.#authenticationAncillaryService.handleInitSecretReset(initSecretResetData);
+        await authAuditor.info('init-secret-reset', {
+            targetId: actualSubject,
+            targetType: 'User',
+        });
     }
     /**
      * Changes a subject's secret.
      * @param subject The subject to change the secret for.
      * @param currentSecret The current secret.
      * @param newSecret The new secret.
+     * @param auditor Auditor for auditing.
      */
-    async changeSecret(subject, currentSecret, newSecret) {
+    async changeSecret(subject, currentSecret, newSecret, auditor) {
+        const authAuditor = auditor.fork(AuthenticationService_1.name);
         const authenticationResult = await this.authenticate(subject, currentSecret);
         if (!authenticationResult.success) {
+            const resolvedSubject = await this.tryResolveSubject(subject);
+            await authAuditor.warn('change-secret-failure', {
+                targetId: resolvedSubject ?? NIL_UUID,
+                targetType: 'User',
+                details: { providedSubject: subject },
+            });
             throw new InvalidCredentialsError();
         }
         await this.hooks.beforeChangeSecret.trigger({ subject });
         await this.setCredentials(subject, newSecret);
         await this.hooks.afterChangeSecret.trigger({ subject });
+        await authAuditor.info('change-secret-success', {
+            targetId: authenticationResult.subject,
+            targetType: 'User',
+        });
     }
     /**
      * Resets a secret.
      * @param tokenString The secret reset token.
      * @param newSecret The new secret.
+     * @param auditor Auditor for auditing.
      * @throws {InvalidTokenError} If the token is invalid.
      */
-    async resetSecret(tokenString, newSecret) {
-        const token = await this.validateSecretResetToken(tokenString);
-        await this.setCredentials(token.payload.subject, newSecret);
+    async resetSecret(tokenString, newSecret, auditor) {
+        const authAuditor = auditor.fork(AuthenticationService_1.name);
+        try {
+            const token = await this.validateSecretResetToken(tokenString);
+            await this.setCredentials(token.payload.subject, newSecret);
+            await authAuditor.info('reset-secret-success', {
+                targetId: token.payload.subject,
+                targetType: 'User',
+            });
+        }
+        catch (error) {
+            await authAuditor.warn('reset-secret-failure', {
+                targetId: NIL_UUID,
+                targetType: 'User',
+                details: { reason: error.message },
+            });
+            throw error;
+        }
     }
     /**
      * Checks a secret against the requirements.
@@ -511,7 +626,7 @@ let AuthenticationService = class AuthenticationService {
         return new Uint8Array(hash);
     }
 };
-AuthenticationService = __decorate([
+AuthenticationService = AuthenticationService_1 = __decorate([
     Singleton({
         providers: [
             provide(EntityRepositoryConfig, { useValue: { schema: 'authentication' } }),

package/authentication/server/module.d.ts

@@ -1,6 +1,6 @@
 import type { Provider } from '../../injector/provider.js';
 import type { InjectionToken } from '../../injector/token.js';
-import type { DatabaseConfig } from '../../orm/server/module.js';
+import { type DatabaseConfig } from '../../orm/server/index.js';
 import { AuthenticationAncillaryService } from './authentication-ancillary.service.js';
 import { AuthenticationService, AuthenticationServiceOptions } from './authentication.service.js';
 /**

package/authentication/server/schemas.d.ts

@@ -1,5 +1,4 @@
-import { AuthenticationCredentials } from '../models/authentication-credentials.model.js';
-import { AuthenticationSession } from '../models/authentication-session.model.js';
-export declare const authenticationSchema: import("../../orm/server/database-schema.js").DatabaseSchema<"authentication">;
+import { AuthenticationCredentials, AuthenticationSession } from '../models/index.js';
+export declare const authenticationSchema: import("../../orm/server/index.js").DatabaseSchema<"authentication">;
 export declare const authenticationCredentials: import("../../orm/server/types.js").PgTableFromType<typeof AuthenticationCredentials, "authentication">;
 export declare const authenticationSession: import("../../orm/server/types.js").PgTableFromType<typeof AuthenticationSession, "authentication">;

package/authentication/server/schemas.js

@@ -1,6 +1,5 @@
-import { databaseSchema } from '../../orm/server/database-schema.js';
-import { AuthenticationCredentials } from '../models/authentication-credentials.model.js';
-import { AuthenticationSession } from '../models/authentication-session.model.js';
+import { databaseSchema } from '../../orm/server/index.js';
+import { AuthenticationCredentials, AuthenticationSession } from '../models/index.js';
 export const authenticationSchema = databaseSchema('authentication');
 export const authenticationCredentials = authenticationSchema.getTable(AuthenticationCredentials);
 export const authenticationSession = authenticationSchema.getTable(AuthenticationSession);

package/constants.d.ts

@@ -0,0 +1 @@
+export declare const NIL_UUID = "00000000-0000-0000-0000-000000000000";

package/constants.js

@@ -0,0 +1 @@
+export const NIL_UUID = '00000000-0000-0000-0000-000000000000';