@tstdl/base 0.93.78 → 0.93.81

package/api/server/gateway.js

@@ -206,7 +206,7 @@ let ApiGateway = ApiGateway_1 = class ApiGateway {
                         path: context.request.url.pathname,
                         ipAddress: context.request.ip,
                         userAgent: context.request.headers.tryGetSingle('User-Agent') ?? null,
-                        sessionId: token?.payload.sessionId ?? null,
+                        sessionId: token?.payload.session ?? null,
                     },
                 });
             },

package/authentication/authentication.api.d.ts

@@ -27,6 +27,7 @@ export declare const authenticationApiDefinition: {
             resource: string;
             method: "POST";
             parameters: ObjectSchema<{
+                readonly tenantId: string | undefined;
                 readonly subject: string;
                 readonly secret: string;
                 readonly data: undefined;
@@ -87,6 +88,7 @@ export declare const authenticationApiDefinition: {
             resource: string;
             method: "POST";
             parameters: ObjectSchema<{
+                readonly tenantId: string | undefined;
                 readonly subject: string;
                 readonly currentSecret: string;
                 readonly newSecret: string;
@@ -98,6 +100,7 @@ export declare const authenticationApiDefinition: {
             resource: string;
             method: "POST";
             parameters: ObjectSchema<{
+                readonly tenantId: string | undefined;
                 readonly subject: string;
                 readonly data: undefined;
             }>;
@@ -146,6 +149,7 @@ export declare function getAuthenticationApiDefinition<AdditionalTokenPayload ex
             resource: string;
             method: "POST";
             parameters: ObjectSchema<{
+                readonly tenantId: string | undefined;
                 readonly subject: string;
                 readonly secret: string;
                 readonly data: AuthenticationData;
@@ -206,6 +210,7 @@ export declare function getAuthenticationApiDefinition<AdditionalTokenPayload ex
             resource: string;
             method: "POST";
             parameters: ObjectSchema<{
+                readonly tenantId: string | undefined;
                 readonly subject: string;
                 readonly currentSecret: string;
                 readonly newSecret: string;
@@ -217,6 +222,7 @@ export declare function getAuthenticationApiDefinition<AdditionalTokenPayload ex
             resource: string;
             method: "POST";
             parameters: ObjectSchema<{
+                readonly tenantId: string | undefined;
                 readonly subject: string;
                 readonly data: AdditionalInitSecretResetData;
             }>;
@@ -260,6 +266,7 @@ export declare function getAuthenticationApiEndpointsDefinition<AdditionalTokenP
         resource: string;
         method: "POST";
         parameters: ObjectSchema<{
+            readonly tenantId: string | undefined;
             readonly subject: string;
             readonly secret: string;
             readonly data: AuthenticationData;
@@ -320,6 +327,7 @@ export declare function getAuthenticationApiEndpointsDefinition<AdditionalTokenP
         resource: string;
         method: "POST";
         parameters: ObjectSchema<{
+            readonly tenantId: string | undefined;
             readonly subject: string;
             readonly currentSecret: string;
             readonly newSecret: string;
@@ -331,6 +339,7 @@ export declare function getAuthenticationApiEndpointsDefinition<AdditionalTokenP
         resource: string;
         method: "POST";
         parameters: ObjectSchema<{
+            readonly tenantId: string | undefined;
             readonly subject: string;
             readonly data: AdditionalInitSecretResetData;
         }>;

package/authentication/authentication.api.js

@@ -48,6 +48,7 @@ export function getAuthenticationApiEndpointsDefinition(additionalTokenPayloadSc
             resource: 'token',
             method: 'POST',
             parameters: explicitObject({
+                tenantId: optional(string()),
                 subject: string(),
                 secret: string(),
                 data: authenticationDataSchema,
@@ -108,6 +109,7 @@ export function getAuthenticationApiEndpointsDefinition(additionalTokenPayloadSc
             resource: 'secret/change',
             method: 'POST',
             parameters: explicitObject({
+                tenantId: optional(string()),
                 subject: string(),
                 currentSecret: string(),
                 newSecret: string(),
@@ -119,6 +121,7 @@ export function getAuthenticationApiEndpointsDefinition(additionalTokenPayloadSc
             resource: 'secret/init-reset',
             method: 'POST',
             parameters: explicitObject({
+                tenantId: optional(string()),
                 subject: string(),
                 data: additionalInitSecretResetDataSchema,
             }),

package/authentication/client/authentication.service.d.ts

@@ -2,6 +2,7 @@ import type { AfterResolve } from '../../injector/index.js';
 import { afterResolve } from '../../injector/index.js';
 import type { Record } from '../../types/index.js';
 import type { SecretCheckResult, TokenPayload } from '../models/index.js';
+import type { SubjectInput } from '../types.js';
 /**
  * Handles authentication on client side.
  *
@@ -35,10 +36,12 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     readonly token: import("../../signals/api.js").WritableSignal<TokenPayload<AdditionalTokenPayload> | undefined>;
     /** Whether the user is logged in */
     readonly isLoggedIn: import("../../signals/api.js").Signal<boolean>;
-    /** Current subject */
-    readonly subject: import("../../signals/api.js").Signal<string | undefined>;
     /** Current session id */
     readonly sessionId: import("../../signals/api.js").Signal<string | undefined>;
+    /** Current tenant id */
+    readonly tenantId: import("../../signals/api.js").Signal<string | undefined>;
+    /** Current subject */
+    readonly subjectId: import("../../signals/api.js").Signal<string | undefined>;
     /** Current impersonator */
     readonly impersonator: import("../../signals/api.js").Signal<string | undefined>;
     /** Whether the user is impersonated */
@@ -50,9 +53,9 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     /** Emits when a valid token is available (not undefined and not expired) */
     readonly validToken$: import("rxjs").Observable<Exclude<TokenPayload<AdditionalTokenPayload>, void | undefined>>;
     /** Current subject */
-    readonly subject$: import("rxjs").Observable<string | undefined>;
+    readonly subjectId$: import("rxjs").Observable<string | undefined>;
     /** Emits when subject is available */
-    readonly definedSubject$: import("rxjs").Observable<string>;
+    readonly definedSubjectId$: import("rxjs").Observable<string>;
     /** Current session id */
     readonly sessionId$: import("rxjs").Observable<string | undefined>;
     /** Emits when session id is available */
@@ -70,16 +73,21 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
      * @throws Will throw if token is not available
      */
     get definedToken(): TokenPayload<AdditionalTokenPayload>;
-    /**
-     * Get current subject or throw if not available
-     * @throws Will throw if subject is not available
-     */
-    get definedSubject(): string;
     /**
      * Get current session id or throw if not available
      * @throws Will throw if session id is not available
      */
     get definedSessionId(): string;
+    /**
+     * Get current tenant id or throw if not available
+     * @throws Will throw if tenant id is not available
+     */
+    get definedTenantId(): string;
+    /**
+     * Get current subject or throw if not available
+     * @throws Will throw if subject is not available
+     */
+    get definedSubject(): string;
     /** Whether a valid token is available (not undefined and not expired) */
     get hasValidToken(): boolean;
     constructor();
@@ -106,11 +114,11 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     setAdditionalData(data: AuthenticationData): void;
     /**
      * Login with subject and secret
-     * @param subject The subject to login with
+     * @param subjectInput The subject to login with
      * @param secret The secret to login with
      * @param data Additional authentication data
      */
-    login(subject: string, secret: string, data?: AuthenticationData): Promise<void>;
+    login(subjectInput: SubjectInput, secret: string, data?: AuthenticationData): Promise<void>;
     /**
      * Logout from the current session.
      * This will attempt to end the session on the server and then clear local credentials.
@@ -139,17 +147,17 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     unimpersonate(data?: AuthenticationData): Promise<void>;
     /**
      * Change the secret for a subject.
-     * @param subject The subject to change the secret for
+     * @param subjectInput The subject to change the secret for
      * @param currentSecret The current secret
      * @param newSecret The new secret
      */
-    changeSecret(subject: string, currentSecret: string, newSecret: string): Promise<void>;
+    changeSecret(subjectInput: SubjectInput, currentSecret: string, newSecret: string): Promise<void>;
     /**
      * Initialize a secret reset.
-     * @param subject The subject to reset the secret for
+     * @param subjectInput The subject to reset the secret for
      * @param data Additional data for secret reset
      */
-    initResetSecret(subject: string, data: AdditionalInitSecretResetData): Promise<void>;
+    initResetSecret(subjectInput: SubjectInput, data: AdditionalInitSecretResetData): Promise<void>;
     /**
      * Reset a secret using a reset token.
      * @param token The secret reset token

package/authentication/client/authentication.service.js

@@ -78,10 +78,12 @@ let AuthenticationClientService = class AuthenticationClientService {
     token = signal(undefined);
     /** Whether the user is logged in */
     isLoggedIn = computed(() => isDefined(this.token()));
-    /** Current subject */
-    subject = computed(() => this.token()?.subject);
     /** Current session id */
-    sessionId = computed(() => this.token()?.sessionId);
+    sessionId = computed(() => this.token()?.session);
+    /** Current tenant id */
+    tenantId = computed(() => this.token()?.tenant);
+    /** Current subject */
+    subjectId = computed(() => this.token()?.subject);
     /** Current impersonator */
     impersonator = computed(() => this.token()?.impersonator);
     /** Whether the user is impersonated */
@@ -93,9 +95,9 @@ let AuthenticationClientService = class AuthenticationClientService {
     /** Emits when a valid token is available (not undefined and not expired) */
     validToken$ = this.definedToken$.pipe(filter((token) => token.exp > this.estimatedServerTimestampSeconds()));
     /** Current subject */
-    subject$ = toObservable(this.subject);
+    subjectId$ = toObservable(this.subjectId);
     /** Emits when subject is available */
-    definedSubject$ = this.subject$.pipe(filter(isDefined));
+    definedSubjectId$ = this.subjectId$.pipe(filter(isDefined));
     /** Current session id */
     sessionId$ = toObservable(this.sessionId);
     /** Emits when session id is available */
@@ -123,6 +125,20 @@ let AuthenticationClientService = class AuthenticationClientService {
     get definedToken() {
         return assertDefinedPass(this.token(), 'No token available.');
     }
+    /**
+     * Get current session id or throw if not available
+     * @throws Will throw if session id is not available
+     */
+    get definedSessionId() {
+        return this.definedToken.session;
+    }
+    /**
+     * Get current tenant id or throw if not available
+     * @throws Will throw if tenant id is not available
+     */
+    get definedTenantId() {
+        return this.definedToken.tenant;
+    }
     /**
      * Get current subject or throw if not available
      * @throws Will throw if subject is not available
@@ -130,13 +146,6 @@ let AuthenticationClientService = class AuthenticationClientService {
     get definedSubject() {
         return this.definedToken.subject;
     }
-    /**
-     * Get current session id or throw if not available
-     * @throws Will throw if session id is not available
-     */
-    get definedSessionId() {
-        return this.definedToken.sessionId;
-    }
     /** Whether a valid token is available (not undefined and not expired) */
     get hasValidToken() {
         return (this.token()?.exp ?? 0) > this.estimatedServerTimestampSeconds();
@@ -184,16 +193,16 @@ let AuthenticationClientService = class AuthenticationClientService {
     }
     /**
      * Login with subject and secret
-     * @param subject The subject to login with
+     * @param subjectInput The subject to login with
      * @param secret The secret to login with
      * @param data Additional authentication data
      */
-    async login(subject, secret, data) {
+    async login(subjectInput, secret, data) {
         if (isDefined(data)) {
             this.setAdditionalData(data);
         }
         const [token] = await Promise.all([
-            this.client.login({ subject, secret, data: this.authenticationData }),
+            this.client.login({ tenantId: subjectInput.tenantId, subject: subjectInput.subject, secret, data: this.authenticationData }),
             this.syncClock(),
         ]);
         this.setNewToken(token);
@@ -291,20 +300,20 @@ let AuthenticationClientService = class AuthenticationClientService {
     }
     /**
      * Change the secret for a subject.
-     * @param subject The subject to change the secret for
+     * @param subjectInput The subject to change the secret for
      * @param currentSecret The current secret
      * @param newSecret The new secret
      */
-    async changeSecret(subject, currentSecret, newSecret) {
-        await this.client.changeSecret({ subject, currentSecret, newSecret });
+    async changeSecret(subjectInput, currentSecret, newSecret) {
+        await this.client.changeSecret({ tenantId: subjectInput.tenantId, subject: subjectInput.subject, currentSecret, newSecret });
     }
     /**
      * Initialize a secret reset.
-     * @param subject The subject to reset the secret for
+     * @param subjectInput The subject to reset the secret for
      * @param data Additional data for secret reset
      */
-    async initResetSecret(subject, data) {
-        await this.client.initSecretReset({ subject, data });
+    async initResetSecret(subjectInput, data) {
+        await this.client.initSecretReset({ tenantId: subjectInput.tenantId, subject: subjectInput.subject, data });
     }
     /**
      * Reset a secret using a reset token.

package/authentication/index.d.ts

@@ -7,3 +7,4 @@ export * from './authentication.api.js';
 export * from './client/index.js';
 export * from './errors/index.js';
 export * from './models/index.js';
+export * from './types.js';

package/authentication/index.js

@@ -7,3 +7,4 @@ export * from './authentication.api.js';
 export * from './client/index.js';
 export * from './errors/index.js';
 export * from './models/index.js';
+export * from './types.js';

package/authentication/models/authentication-credentials.model.d.ts

@@ -1,5 +1,5 @@
-import { Entity, type Uuid } from '../../orm/index.js';
-export declare class AuthenticationCredentials extends Entity {
+import { TenantEntity, type Uuid } from '../../orm/index.js';
+export declare class AuthenticationCredentials extends TenantEntity {
     subject: Uuid;
     hashVersion: number;
     /**

package/authentication/models/authentication-credentials.model.js

@@ -7,10 +7,10 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-import { Entity, Reference, Table, Unique, UuidProperty } from '../../orm/index.js';
+import { Table, TenantEntity, TenantReference, Unique, UuidProperty } from '../../orm/index.js';
 import { Integer, Uint8ArrayProperty } from '../../schema/index.js';
 import { Subject } from './subject.model.js';
-let AuthenticationCredentials = class AuthenticationCredentials extends Entity {
+let AuthenticationCredentials = class AuthenticationCredentials extends TenantEntity {
     subject;
     hashVersion;
     /**
@@ -23,8 +23,7 @@ let AuthenticationCredentials = class AuthenticationCredentials extends Entity {
     hash;
 };
 __decorate([
-    Reference(() => Subject),
-    Unique(),
+    TenantReference(() => Subject),
     UuidProperty(),
     __metadata("design:type", String)
 ], AuthenticationCredentials.prototype, "subject", void 0);
@@ -41,6 +40,7 @@ __decorate([
     __metadata("design:type", Uint8Array)
 ], AuthenticationCredentials.prototype, "hash", void 0);
 AuthenticationCredentials = __decorate([
-    Table('credentials', { schema: 'authentication' })
+    Table('credentials', { schema: 'authentication' }),
+    Unique(['tenantId', 'subject'])
 ], AuthenticationCredentials);
 export { AuthenticationCredentials };

package/authentication/models/authentication-session.model.d.ts

@@ -1,6 +1,6 @@
 import type { Timestamp, Uuid } from '../../orm/index.js';
-import { Entity } from '../../orm/index.js';
-export declare class AuthenticationSession extends Entity {
+import { TenantEntity } from '../../orm/index.js';
+export declare class AuthenticationSession extends TenantEntity {
     subject: Uuid;
     begin: Timestamp;
     end: Timestamp;

package/authentication/models/authentication-session.model.js

@@ -7,10 +7,10 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-import { Entity, Reference, Table, TimestampProperty, UuidProperty } from '../../orm/index.js';
+import { Table, TenantEntity, TenantReference, TimestampProperty, UuidProperty } from '../../orm/index.js';
 import { Integer, Uint8ArrayProperty } from '../../schema/index.js';
 import { Subject } from './subject.model.js';
-let AuthenticationSession = class AuthenticationSession extends Entity {
+let AuthenticationSession = class AuthenticationSession extends TenantEntity {
     subject;
     begin;
     end;
@@ -25,7 +25,7 @@ let AuthenticationSession = class AuthenticationSession extends Entity {
     refreshTokenHash;
 };
 __decorate([
-    Reference(() => Subject),
+    TenantReference(() => Subject),
     UuidProperty(),
     __metadata("design:type", String)
 ], AuthenticationSession.prototype, "subject", void 0);

package/authentication/models/subject.model.js

@@ -35,25 +35,27 @@ __decorate([
     __metadata("design:type", String)
 ], Subject.prototype, "displayName", void 0);
 __decorate([
-    Unique(),
     TenantReference(() => SystemAccount),
     UuidProperty({ nullable: true }),
     __metadata("design:type", Object)
 ], Subject.prototype, "systemAccountId", void 0);
 __decorate([
-    Unique(),
     TenantReference(() => User),
     UuidProperty({ nullable: true }),
     __metadata("design:type", Object)
 ], Subject.prototype, "userId", void 0);
 __decorate([
-    Unique(),
     TenantReference(() => ServiceAccount),
     UuidProperty({ nullable: true }),
     __metadata("design:type", Object)
 ], Subject.prototype, "serviceAccountId", void 0);
 Subject = __decorate([
     Table('subject', { schema: 'authentication' }),
+    Unique(['id']) // for external systems that might not support composite identities
+    ,
+    Unique(['tenantId', 'systemAccountId']),
+    Unique(['tenantId', 'userId']),
+    Unique(['tenantId', 'serviceAccountId']),
     Check('authentication_subject_reference_check', (table) => exclusiveNotNull(table.systemAccountId, table.userId, table.serviceAccountId))
 ], Subject);
 export { Subject };

package/authentication/models/token-payload-base.model.d.ts

@@ -21,7 +21,11 @@ export declare class TokenPayloadBase {
     /**
      * The id of the session.
      */
-    sessionId: string;
+    session: string;
+    /**
+     * The tenant id.
+     */
+    tenant: string;
     /**
      * The subject of the token.
      */

package/authentication/models/token-payload-base.model.js

@@ -31,7 +31,11 @@ export class TokenPayloadBase {
     /**
      * The id of the session.
      */
-    sessionId;
+    session;
+    /**
+     * The tenant id.
+     */
+    tenant;
     /**
      * The subject of the token.
      */
@@ -60,7 +64,11 @@ __decorate([
 __decorate([
     StringProperty(),
     __metadata("design:type", String)
-], TokenPayloadBase.prototype, "sessionId", void 0);
+], TokenPayloadBase.prototype, "session", void 0);
+__decorate([
+    StringProperty(),
+    __metadata("design:type", String)
+], TokenPayloadBase.prototype, "tenant", void 0);
 __decorate([
     StringProperty(),
     __metadata("design:type", String)

package/authentication/models/token.model.d.ts

@@ -22,6 +22,10 @@ export type RefreshToken = JwtToken<{
      * Expiration timestamp in seconds.
      */
     exp: number;
+    /**
+     * The tenant id.
+     */
+    tenant: string;
     /**
      * The subject of the token.
      */
@@ -33,7 +37,7 @@ export type RefreshToken = JwtToken<{
     /**
      * The id of the session.
      */
-    sessionId: string;
+    session: string;
     /**
      * The secret to use for refreshing the token.
      */
@@ -44,6 +48,10 @@ export type SecretResetToken = JwtToken<{
      * Expiration timestamp in seconds.
      */
     exp: number;
+    /**
+     * The tenant id.
+     */
+    tenant: string;
     /**
      * The subject for which to reset the secret.
      */

package/authentication/server/authentication-ancillary.service.d.ts

@@ -1,7 +1,8 @@
 import { type EnumType } from '../../enumeration/enumeration.js';
 import type { Record } from '../../types/index.js';
-import type { TokenPayload } from '../index.js';
+import { Subject, type TokenPayload } from '../models/index.js';
 import type { InitSecretResetData } from '../models/init-secret-reset-data.model.js';
+import type { SubjectInput } from '../types.js';
 export declare const GetTokenPayloadContextAction: {
     readonly GetToken: "get-token";
     readonly Refresh: "refresh";
@@ -13,13 +14,6 @@ export type GetTokenPayloadContext = {
      */
     action: GetTokenPayloadContextAction;
 };
-export type ResolveSubjectResult = {
-    success: true;
-    subject: string;
-} | {
-    success: false;
-    subject?: undefined;
-};
 /**
  * Ancillary service for authentication to hook into the authentication process.
  *
@@ -28,14 +22,17 @@ export type ResolveSubjectResult = {
  * @param AdditionalInitSecretResetData Type of additional secret reset data
  */
 export declare abstract class AuthenticationAncillaryService<AdditionalTokenPayload extends Record = Record<never>, AuthenticationData = void, AdditionalInitSecretResetData = void> {
+    readonly subjectRepository: import("../../orm/server/repository.js").EntityRepository<Subject>;
     /**
-     * Resolve a provided subject to the actual subject used for authentication.
+     * Resolve a provided subject (like what was entered into login form) to all matching actual subjects.
      * Useful for example if you want to be able to login via mail but actual subject is the user id.
-     * @param providedSubject The subject provided by the user, e.g. an email address.
-     * @returns An object with success flag and the resolved subject if successful.
-     * If the subject cannot be resolved, return an object with success set to false.
+     *
+     * If multiple subjects are found (like same mail in multiple tenants), all should be returned.
+     * If no subjects are found, an empty array should be returned.
+     * @param data The subject provided by the user, e.g. an email address and tenantId if available (for example by tenant specific subdomains).
+     * @returns An array of resolved subjects.
      */
-    abstract resolveSubject(providedSubject: string): ResolveSubjectResult | Promise<ResolveSubjectResult>;
+    abstract resolveSubjects(data: SubjectInput): Promise<Subject[]>;
     /**
      * Get the additional token payload for a subject.
      * @param subject The subject for which to get the payload.
@@ -43,7 +40,7 @@ export declare abstract class AuthenticationAncillaryService<AdditionalTokenPayl
      * @param context Context for getting the token payload.
      * @returns The additional token payload.
      */
-    abstract getTokenPayload(subject: string, authenticationData: AuthenticationData, context: GetTokenPayloadContext): AdditionalTokenPayload | Promise<AdditionalTokenPayload>;
+    abstract getTokenPayload(subject: Subject, authenticationData: AuthenticationData, context: GetTokenPayloadContext): AdditionalTokenPayload | Promise<AdditionalTokenPayload>;
     /**
      * Handle the initialization of a secret reset.
      * @param data Data for initializing the secret reset.
@@ -56,5 +53,5 @@ export declare abstract class AuthenticationAncillaryService<AdditionalTokenPayl
      * @param authenticationData Additional authentication data.
      * @returns Whether impersonation is allowed.
      */
-    abstract canImpersonate(token: TokenPayload<AdditionalTokenPayload>, subject: string, authenticationData: AuthenticationData): boolean | Promise<boolean>;
+    abstract canImpersonate(token: TokenPayload<AdditionalTokenPayload>, subject: Subject, authenticationData: AuthenticationData): boolean | Promise<boolean>;
 }

package/authentication/server/authentication-ancillary.service.js

@@ -1,4 +1,6 @@
 import { defineEnum } from '../../enumeration/enumeration.js';
+import { injectRepository } from '../../orm/server/repository.js';
+import { Subject } from '../models/index.js';
 export const GetTokenPayloadContextAction = defineEnum('GetTokenPayloadContextAction', {
     GetToken: 'get-token',
     Refresh: 'refresh',
@@ -11,4 +13,5 @@ export const GetTokenPayloadContextAction = defineEnum('GetTokenPayloadContextAc
  * @param AdditionalInitSecretResetData Type of additional secret reset data
  */
 export class AuthenticationAncillaryService {
+    subjectRepository = injectRepository(Subject);
 }

package/authentication/server/authentication.api-controller.js

@@ -34,7 +34,7 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @returns The token result.
      */
     async login({ parameters, getAuditor }) {
-        const result = await this.authenticationService.login(parameters.subject, parameters.secret, parameters.data, await getAuditor());
+        const result = await this.authenticationService.login({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.secret, parameters.data, await getAuditor());
         return this.getTokenResponse(result);
     }
     /**
@@ -81,13 +81,13 @@ let AuthenticationApiController = class AuthenticationApiController {
         try {
             const tokenString = tryGetAuthorizationTokenStringFromRequest(request) ?? '';
             const token = await this.authenticationService.validateToken(tokenString);
-            sessionId = token.payload.sessionId;
+            sessionId = token.payload.session;
         }
         catch (error) {
             try {
                 const refreshTokenString = tryGetAuthorizationTokenStringFromRequest(request, 'refreshToken', true) ?? '';
                 const refreshToken = await this.authenticationService.validateRefreshToken(refreshTokenString);
-                sessionId = refreshToken.payload.sessionId;
+                sessionId = refreshToken.payload.session;
             }
             catch {
                 throw error;
@@ -107,7 +107,7 @@ let AuthenticationApiController = class AuthenticationApiController {
         });
     }
     async changeSecret({ parameters, getAuditor }) {
-        await this.authenticationService.changeSecret(parameters.subject, parameters.currentSecret, parameters.newSecret, await getAuditor());
+        await this.authenticationService.changeSecret({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.currentSecret, parameters.newSecret, await getAuditor());
         return 'ok';
     }
     /**
@@ -116,7 +116,7 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @returns 'ok' if the secret reset was initialized.
      */
     async initSecretReset({ parameters, getAuditor }) {
-        await this.authenticationService.initSecretReset(parameters.subject, parameters.data, await getAuditor());
+        await this.authenticationService.initSecretReset({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.data, await getAuditor());
         return 'ok';
     }
     /**

package/authentication/server/authentication.audit.d.ts

@@ -1,9 +1,11 @@
+import type { SubjectInput } from '../types.js';
 export type AuthenticationAuditEvents = {
     'login-success': {
         sessionId: string;
     };
     'login-failure': {
-        providedSubject: string;
+        subjectInput: SubjectInput;
+        subjectId: string | null;
     };
     'logout': {
         sessionId: string;
@@ -15,16 +17,16 @@ export type AuthenticationAuditEvents = {
         reason: string;
     };
     'impersonate-success': {
-        impersonatedSubject: string;
+        impersonatedSubjectId: string;
     };
     'impersonate-failure': {
-        impersonatedSubject: string;
-        reason: string;
+        impersonatedSubjectId: string;
     };
     'unimpersonate-success': {};
     'change-secret-success': {};
     'change-secret-failure': {
-        providedSubject: string;
+        subjectInput: SubjectInput;
+        subjectId: string | null;
     };
     'init-secret-reset': {};
     'reset-secret-success': {};