@tstdl/base 0.93.80 → 0.93.82

package/authentication/server/authentication.service.d.ts

@@ -1,7 +1,8 @@
 import { Auditor } from '../../audit/index.js';
-import { type AfterResolve, afterResolve } from '../../injector/index.js';
+import { afterResolve, type AfterResolve } from '../../injector/index.js';
 import type { BinaryData, Record } from '../../types/index.js';
-import { type RefreshToken, type SecretCheckResult, type SecretResetToken, type Token } from '../models/index.js';
+import { Subject, type RefreshToken, type SecretCheckResult, type SecretResetToken, type Token } from '../models/index.js';
+import type { SubjectInput } from '../types.js';
 import { type SecretTestResult } from './authentication-secret-requirements.validator.js';
 /**
  * Data for creating a token.
@@ -19,8 +20,8 @@ export type CreateTokenData<AdditionalTokenPayload extends Record> = {
     expiration?: number;
     /** Additional token payload */
     additionalTokenPayload: AdditionalTokenPayload;
-    /** Subject of the token */
-    subject: string;
+    /** Subject */
+    subject: Subject;
     /** Session id */
     sessionId: string;
     /** Impersonator subject */
@@ -70,7 +71,7 @@ export declare class AuthenticationServiceOptions {
  */
 export type AuthenticationResult = {
     success: true;
-    subject: string;
+    subject: Subject;
 } | {
     success: false;
     subject?: undefined;
@@ -133,16 +134,16 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
     #private;
     readonly hooks: {
         beforeLogin: import("../../utils/async-hook/async-hook.js").AsyncHook<{
-            subject: string;
+            subject: Subject;
         }, never, unknown>;
         afterLogin: import("../../utils/async-hook/async-hook.js").AsyncHook<{
-            subject: string;
+            subject: Subject;
         }, never, unknown>;
         beforeChangeSecret: import("../../utils/async-hook/async-hook.js").AsyncHook<{
-            subject: string;
+            subject: Subject;
         }, never, unknown>;
         afterChangeSecret: import("../../utils/async-hook/async-hook.js").AsyncHook<{
-            subject: string;
+            subject: Subject;
         }, never, unknown>;
     };
     private readonly tokenVersion;
@@ -168,14 +169,14 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      * @param secret The secret to set.
      * @param options Options for setting the credentials.
      */
-    setCredentials(subject: string, secret: string, options?: SetCredentialsOptions): Promise<void>;
+    setCredentials(subject: Subject, secret: string, options?: SetCredentialsOptions): Promise<void>;
     /**
      * Authenticates a subject with a secret.
      * @param subject The subject to authenticate.
      * @param secret The secret to authenticate with.
      * @returns The result of the authentication.
      */
-    authenticate(subject: string, secret: string): Promise<AuthenticationResult>;
+    authenticate(subject: SubjectInput, secret: string): Promise<AuthenticationResult>;
     /**
      * Gets a token for a subject.
      * @param subject The subject to get the token for.
@@ -183,18 +184,18 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      * @param options Options for getting the token.
      * @returns The token result.
      */
-    getToken(subject: string, authenticationData: AuthenticationData, { impersonator }?: {
+    getToken(subject: Subject, authenticationData: AuthenticationData, { impersonator }?: {
         impersonator?: string;
     }): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Logs in a subject.
-     * @param subject The subject to log in.
+     * @param subjectInput The subject to log in.
      * @param secret The secret to log in with.
      * @param data Additional authentication data.
      * @param auditor Auditor for auditing.
      * @returns Token
      */
-    login(subject: string, secret: string, data: AuthenticationData, auditor: Auditor): Promise<TokenResult<AdditionalTokenPayload>>;
+    login(subjectInput: SubjectInput, secret: string, data: AuthenticationData, auditor: Auditor): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Ends a session.
      * @param sessionId The id of the session to end.
@@ -223,7 +224,7 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      * @returns The token result.
      * @throws {ForbiddenError} If impersonation is not allowed.
      */
-    impersonate(impersonatorToken: string, impersonatorRefreshToken: string, subject: string, authenticationData: AuthenticationData, auditor: Auditor): Promise<TokenResult<AdditionalTokenPayload>>;
+    impersonate(impersonatorToken: string, impersonatorRefreshToken: string, subjectId: string, authenticationData: AuthenticationData, auditor: Auditor): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Unimpersonates a subject.
      * @param impersonatorRefreshToken The refresh token of the impersonator.
@@ -239,15 +240,15 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      * @param auditor Auditor for auditing.
      * @throws {NotImplementedError} If no ancillary service is registered.
      */
-    initSecretReset(subject: string, data: AdditionalInitSecretResetData, auditor: Auditor): Promise<void>;
+    initSecretReset(subject: SubjectInput, data: AdditionalInitSecretResetData, auditor: Auditor): Promise<void>;
     /**
      * Changes a subject's secret.
-     * @param subject The subject to change the secret for.
+     * @param subjectInput The subject to change the secret for.
      * @param currentSecret The current secret.
      * @param newSecret The new secret.
      * @param auditor Auditor for auditing.
      */
-    changeSecret(subject: string, currentSecret: string, newSecret: string, auditor: Auditor): Promise<void>;
+    changeSecret(subjectInput: SubjectInput, currentSecret: string, newSecret: string, auditor: Auditor): Promise<void>;
     /**
      * Resets a secret.
      * @param tokenString The secret reset token.
@@ -297,11 +298,11 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
     validateSecretResetToken(token: string): Promise<SecretResetToken>;
     /**
      * Tries to resolve a subject.
-     * This method is safe to use in public facing APIs as it does not leak information about the existence of a subject.
      * @param subject The subject to resolve.
      * @returns The resolved subject or undefined if the subject could not be resolved.
      */
-    tryResolveSubject(subject: string): Promise<string | undefined>;
+    tryResolveSubject(subject: SubjectInput): Promise<Subject | undefined>;
+    resolveSubjects(subjectInput: SubjectInput): Promise<Subject[]>;
     /**
      * Resolves the subject to the actual subject used for authentication.
      * This should *not* be used for public facing APIs, as it throws an error if the subject is not found that leaks if the subjects exists or not.
@@ -309,7 +310,7 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      * @param subject The subject to resolve.
      * @returns The resolved subject or the original subject if not found.
      */
-    resolveSubject(subject: string): Promise<string>;
+    resolveSubject(subject: SubjectInput): Promise<Subject>;
     /**
      * Creates a token without session or refresh token and is not saved in database.
      * @param data Data for creating the token.
@@ -319,14 +320,23 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
     /**
      * Creates a refresh token without session and is not saved in database.
      * @param subject The subject of the refresh token.
+     * @param tenantId The tenant id of the refresh token.
      * @param sessionId The session id of the refresh token.
      * @param expirationTimestamp The expiration timestamp of the refresh token.
      * @param options Options for creating the refresh token.
      * @returns The created refresh token.
      */
-    createRefreshToken(subject: string, sessionId: string, expirationTimestamp: number, options?: {
+    createRefreshToken(subject: Subject, sessionId: string, expirationTimestamp: number, options?: {
         impersonator?: string;
     }): Promise<CreateRefreshTokenResult>;
+    defaultResolveSubjects({ tenantId, subject }: {
+        tenantId?: string;
+        subject: string;
+    }): Promise<Subject[]>;
+    defaultResolveSubject({ tenantId, subject }: {
+        tenantId?: string;
+        subject: string;
+    }): Promise<Subject>;
     private createSecretResetToken;
     private deriveSigningSecrets;
     private getHash;

package/authentication/server/authentication.service.js

@@ -16,6 +16,7 @@ import { afterResolve, inject, provide, Singleton } from '../../injector/index.j
 import { KeyValueStore } from '../../key-value-store/key-value.store.js';
 import { Logger } from '../../logger/logger.js';
 import { DatabaseConfig, injectRepository } from '../../orm/server/index.js';
+import { getEntityIds } from '../../orm/utils.js';
 import { Alphabet } from '../../utils/alphabet.js';
 import { asyncHook } from '../../utils/async-hook/async-hook.js';
 import { decodeBase64, encodeBase64 } from '../../utils/base64.js';
@@ -24,9 +25,9 @@ import { currentTimestamp, timestampToTimestampSeconds } from '../../utils/date-
 import { timingSafeBinaryEquals } from '../../utils/equals.js';
 import { createJwtTokenString } from '../../utils/jwt.js';
 import { getRandomBytes, getRandomString } from '../../utils/random.js';
-import { isBinaryData, isString, isUndefined } from '../../utils/type-guards.js';
+import { assertDefinedPass, isBinaryData, isString, isUndefined } from '../../utils/type-guards.js';
 import { millisecondsPerDay, millisecondsPerMinute } from '../../utils/units.js';
-import { AuthenticationCredentials, AuthenticationSession } from '../models/index.js';
+import { AuthenticationCredentials, AuthenticationSession, Subject, User } from '../models/index.js';
 import { AuthenticationAncillaryService, GetTokenPayloadContextAction } from './authentication-ancillary.service.js';
 import { AuthenticationSecretRequirementsValidator } from './authentication-secret-requirements.validator.js';
 import { getRefreshTokenFromString, getSecretResetTokenFromString, getTokenFromString } from './helper.js';
@@ -83,6 +84,8 @@ const SIGNING_SECRETS_LENGTH = 64;
 let AuthenticationService = AuthenticationService_1 = class AuthenticationService {
     #credentialsRepository = injectRepository(AuthenticationCredentials);
     #sessionRepository = injectRepository(AuthenticationSession);
+    #subjectRepository = injectRepository(Subject);
+    #userRepository = injectRepository(User);
     #authenticationSecretRequirementsValidator = inject(AuthenticationSecretRequirementsValidator);
     #authenticationAncillaryService = inject(AuthenticationAncillaryService, undefined, { optional: true });
     #keyValueStore = inject((KeyValueStore), 'authentication');
@@ -130,7 +133,6 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      */
     async setCredentials(subject, secret, options) {
         // We do not need to avoid information leakage here, as this is a non-public method that is only called by a public api if the secret reset token is valid.
-        const actualSubject = await this.resolveSubject(subject);
         if (options?.skipValidation != true) {
             await this.#authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
         }
@@ -138,13 +140,14 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         const hash = await this.getHash(secret, salt);
         await this.#credentialsRepository.transaction(async (tx) => {
             await this.#credentialsRepository.withTransaction(tx).upsert('subject', {
-                subject: actualSubject,
+                tenantId: subject.tenantId,
+                subject: subject.id,
                 hashVersion: 1,
                 salt,
                 hash,
             });
             if (options?.skipSessionInvalidation != true) {
-                await this.#sessionRepository.withTransaction(tx).updateManyByQuery({ subject: actualSubject }, { end: currentTimestamp() });
+                await this.#sessionRepository.withTransaction(tx).updateManyByQuery({ tenantId: subject.tenantId, subject: subject.id }, { end: currentTimestamp() });
             }
         });
     }
@@ -155,16 +158,16 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      * @returns The result of the authentication.
      */
     async authenticate(subject, secret) {
-        const actualSubject = await this.tryResolveSubject(subject) ?? subject;
-        // Always try to load credentials, even if the subject is not resolved, to avoid information leakage.
+        const actualSubject = await this.tryResolveSubject(subject);
+        // Always try to load credentials, even if the subject is not resolved, to reduce information leakage.
         // If the subject is not resolved, we will create a new credentials entry with an empty salt and hash.
         // This way, we do not leak if the subject exists or not via timing attacks.
-        const credentials = await this.#credentialsRepository.tryLoadByQuery({ subject: actualSubject })
+        const credentials = await this.#credentialsRepository.tryLoadByQuery({ tenantId: actualSubject?.tenantId ?? NIL_UUID, subject: actualSubject?.id ?? NIL_UUID })
             ?? { subject: actualSubject, salt: new Uint8Array(), hash: new Uint8Array() };
         const hash = await this.getHash(secret, credentials.salt);
         const valid = timingSafeBinaryEquals(hash, credentials.hash);
         if (valid) {
-            return { success: true, subject: credentials.subject };
+            return { success: true, subject: assertDefinedPass(actualSubject, 'Subject should be defined if authentication is valid but it is not.') };
         }
         return { success: false };
     }
@@ -176,21 +179,21 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      * @returns The token result.
      */
     async getToken(subject, authenticationData, { impersonator } = {}) {
-        const actualSubject = await this.resolveSubject(subject);
         const now = currentTimestamp();
         const end = now + this.refreshTokenTimeToLive;
         return await this.#sessionRepository.transaction(async (tx) => {
             const session = await this.#sessionRepository.withTransaction(tx).insert({
-                subject: actualSubject,
+                tenantId: subject.tenantId,
+                subject: subject.id,
                 begin: now,
                 end,
                 refreshTokenHashVersion: 0,
                 refreshTokenSalt: new Uint8Array(),
                 refreshTokenHash: new Uint8Array(),
             });
-            const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(actualSubject, authenticationData, { action: GetTokenPayloadContextAction.GetToken });
-            const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: actualSubject, impersonator, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
-            const refreshToken = await this.createRefreshToken(actualSubject, session.id, end, { impersonator });
+            const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(subject, authenticationData, { action: GetTokenPayloadContextAction.GetToken });
+            const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject, impersonator, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
+            const refreshToken = await this.createRefreshToken(subject, session.id, end, { impersonator });
             await this.#sessionRepository.withTransaction(tx).update(session.id, {
                 end,
                 refreshTokenHashVersion: 1,
@@ -202,32 +205,34 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
     }
     /**
      * Logs in a subject.
-     * @param subject The subject to log in.
+     * @param subjectInput The subject to log in.
      * @param secret The secret to log in with.
      * @param data Additional authentication data.
      * @param auditor Auditor for auditing.
      * @returns Token
      */
-    async login(subject, secret, data, auditor) {
+    async login(subjectInput, secret, data, auditor) {
         const authAuditor = auditor.fork(AuthenticationService_1.name);
-        const authenticationResult = await this.authenticate(subject, secret);
+        const authenticationResult = await this.authenticate(subjectInput, secret);
         if (!authenticationResult.success) {
-            const actualSubject = await this.tryResolveSubject(subject) ?? subject;
+            const actualSubject = await this.tryResolveSubject(subjectInput);
             await authAuditor.warn('login-failure', {
-                targetId: actualSubject,
+                tenantId: actualSubject?.tenantId ?? subjectInput.tenantId,
+                targetId: actualSubject?.id ?? NIL_UUID,
                 targetType: 'User',
-                details: { providedSubject: subject },
+                details: { subjectInput, subjectId: actualSubject?.id ?? null },
             });
             throw new InvalidCredentialsError();
         }
         await this.hooks.beforeLogin.trigger({ subject: authenticationResult.subject });
         const token = await this.getToken(authenticationResult.subject, data);
         await this.hooks.afterLogin.trigger({ subject: authenticationResult.subject });
-        const sessionId = token.jsonToken.payload.sessionId;
+        const sessionId = token.jsonToken.payload.session;
         await authAuditor.info('login-success', {
-            actor: authenticationResult.subject,
+            tenantId: authenticationResult.subject.tenantId,
+            actor: authenticationResult.subject.id,
             actorType: ActorType.User,
-            targetId: authenticationResult.subject,
+            targetId: authenticationResult.subject.id,
             targetType: 'User',
             network: { sessionId },
             details: { sessionId },
@@ -249,6 +254,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         const now = currentTimestamp();
         await this.#sessionRepository.update(sessionId, { end: now });
         await authAuditor.info('logout', {
+            tenantId: session.tenantId,
             actor: session.subject,
             actorType: ActorType.User,
             targetId: session.subject,
@@ -269,7 +275,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         const authAuditor = auditor.fork(AuthenticationService_1.name);
         try {
             const validatedRefreshToken = await this.validateRefreshToken(refreshToken);
-            const sessionId = validatedRefreshToken.payload.sessionId;
+            const sessionId = validatedRefreshToken.payload.session;
             const session = await this.#sessionRepository.load(sessionId);
             const hash = await this.getHash(validatedRefreshToken.payload.secret, session.refreshTokenSalt);
             if (session.end <= currentTimestamp()) {
@@ -281,9 +287,10 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             const now = currentTimestamp();
             const impersonator = (options.omitImpersonator == true) ? undefined : validatedRefreshToken.payload.impersonator;
             const newEnd = now + this.refreshTokenTimeToLive;
-            const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(session.subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
-            const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject: session.subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
-            const newRefreshToken = await this.createRefreshToken(validatedRefreshToken.payload.subject, sessionId, newEnd, { impersonator });
+            const subject = await this.#subjectRepository.loadByQuery({ tenantId: session.tenantId, id: session.subject });
+            const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
+            const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
+            const newRefreshToken = await this.createRefreshToken(subject, sessionId, newEnd, { impersonator });
             await this.#sessionRepository.update(sessionId, {
                 end: newEnd,
                 refreshTokenHashVersion: 1,
@@ -291,6 +298,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
                 refreshTokenHash: newRefreshToken.hash,
             });
             await authAuditor.info('refresh-success', {
+                tenantId: session.tenantId,
                 actor: session.subject,
                 actorType: ActorType.User,
                 targetId: session.subject,
@@ -318,32 +326,35 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      * @returns The token result.
      * @throws {ForbiddenError} If impersonation is not allowed.
      */
-    async impersonate(impersonatorToken, impersonatorRefreshToken, subject, authenticationData, auditor) {
+    async impersonate(impersonatorToken, impersonatorRefreshToken, subjectId, authenticationData, auditor) {
         const authAuditor = auditor.fork(AuthenticationService_1.name);
         const validatedImpersonatorToken = await this.validateToken(impersonatorToken);
         const validatedImpersonatorRefreshToken = await this.validateRefreshToken(impersonatorRefreshToken);
-        const allowed = await this.#authenticationAncillaryService?.canImpersonate(validatedImpersonatorToken.payload, subject, authenticationData) ?? false;
+        const impersonatorSubject = await this.#subjectRepository.loadByQuery({ tenantId: validatedImpersonatorToken.payload.tenant, id: validatedImpersonatorToken.payload.subject });
+        const allowed = await this.#authenticationAncillaryService?.canImpersonate(validatedImpersonatorToken.payload, impersonatorSubject, authenticationData) ?? false;
         if (!allowed) {
-            const impersonatedSubject = await this.tryResolveSubject(subject);
             await authAuditor.warn('impersonate-failure', {
                 outcome: AuditOutcome.Denied,
-                actor: validatedImpersonatorToken.payload.subject,
+                tenantId: impersonatorSubject.tenantId,
+                actor: impersonatorSubject.id,
                 actorType: ActorType.User,
-                targetId: impersonatedSubject ?? NIL_UUID,
+                targetId: subjectId,
                 targetType: 'User',
-                details: { impersonatedSubject: subject, reason: 'Impersonation forbidden.' },
+                details: { impersonatedSubjectId: subjectId },
             });
             throw new ForbiddenError('Impersonation forbidden.');
         }
+        const subject = await this.#subjectRepository.loadByQuery({ tenantId: validatedImpersonatorToken.payload.tenant, id: subjectId });
         const tokenResult = await this.getToken(subject, authenticationData, { impersonator: validatedImpersonatorToken.payload.subject });
         await authAuditor.info('impersonate-success', {
+            tenantId: subject.tenantId,
             actor: validatedImpersonatorToken.payload.subject,
             actorType: ActorType.User,
             impersonator: validatedImpersonatorToken.payload.subject,
             impersonatorType: ActorType.User,
             targetId: tokenResult.jsonToken.payload.subject,
             targetType: 'User',
-            details: { impersonatedSubject: subject },
+            details: { impersonatedSubjectId: subjectId },
         });
         return {
             ...tokenResult,
@@ -362,9 +373,12 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         const authAuditor = auditor.fork(AuthenticationService_1.name);
         const tokenResult = await this.refresh(impersonatorRefreshToken, authenticationData, { omitImpersonator: true }, auditor);
         await authAuditor.info('unimpersonate-success', {
+            tenantId: tokenResult.jsonToken.payload.tenant,
             actor: tokenResult.jsonToken.payload.subject,
             actorType: ActorType.User,
             targetId: tokenResult.jsonToken.payload.subject,
+            impersonatorType: ActorType.User,
+            impersonator: tokenResult.jsonToken.payload.impersonator,
             targetType: 'User',
         });
         return tokenResult;
@@ -383,7 +397,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         const authAuditor = auditor.fork(AuthenticationService_1.name);
         const actualSubject = await this.tryResolveSubject(subject);
         if (isUndefined(actualSubject)) {
-            this.#logger.warn(`Subject "${subject}" not found for secret reset.`);
+            this.#logger.warn(`Subject "${subject.subject}" not found for secret reset.`);
             /**
              * If the subject cannot be resolved, we do not throw an error here to avoid information leakage.
              * This is to prevent attackers from discovering valid subjects by trying to reset secrets.
@@ -393,40 +407,43 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         }
         const secretResetToken = await this.createSecretResetToken(actualSubject, currentTimestamp() + this.secretResetTokenTimeToLive);
         const initSecretResetData = {
-            subject: actualSubject,
+            subject: actualSubject.id,
             token: secretResetToken.token,
             ...data,
         };
         await this.#authenticationAncillaryService.handleInitSecretReset(initSecretResetData);
         await authAuditor.info('init-secret-reset', {
-            targetId: actualSubject,
+            tenantId: actualSubject.tenantId,
+            targetId: actualSubject.id,
             targetType: 'User',
         });
     }
     /**
      * Changes a subject's secret.
-     * @param subject The subject to change the secret for.
+     * @param subjectInput The subject to change the secret for.
      * @param currentSecret The current secret.
      * @param newSecret The new secret.
      * @param auditor Auditor for auditing.
      */
-    async changeSecret(subject, currentSecret, newSecret, auditor) {
+    async changeSecret(subjectInput, currentSecret, newSecret, auditor) {
         const authAuditor = auditor.fork(AuthenticationService_1.name);
-        const authenticationResult = await this.authenticate(subject, currentSecret);
+        const authenticationResult = await this.authenticate(subjectInput, currentSecret);
         if (!authenticationResult.success) {
-            const resolvedSubject = await this.tryResolveSubject(subject);
+            const resolvedSubject = await this.tryResolveSubject(subjectInput);
             await authAuditor.warn('change-secret-failure', {
-                targetId: resolvedSubject ?? NIL_UUID,
+                tenantId: resolvedSubject?.tenantId,
+                targetId: resolvedSubject?.id ?? NIL_UUID,
                 targetType: 'User',
-                details: { providedSubject: subject },
+                details: { subjectInput, subjectId: resolvedSubject?.id ?? null },
             });
             throw new InvalidCredentialsError();
         }
-        await this.hooks.beforeChangeSecret.trigger({ subject });
-        await this.setCredentials(subject, newSecret);
-        await this.hooks.afterChangeSecret.trigger({ subject });
+        await this.hooks.beforeChangeSecret.trigger({ subject: authenticationResult.subject });
+        await this.setCredentials(authenticationResult.subject, newSecret);
+        await this.hooks.afterChangeSecret.trigger({ subject: authenticationResult.subject });
         await authAuditor.info('change-secret-success', {
-            targetId: authenticationResult.subject,
+            tenantId: authenticationResult.subject.tenantId,
+            targetId: authenticationResult.subject.id,
             targetType: 'User',
         });
     }
@@ -441,8 +458,10 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         const authAuditor = auditor.fork(AuthenticationService_1.name);
         try {
             const token = await this.validateSecretResetToken(tokenString);
-            await this.setCredentials(token.payload.subject, newSecret);
+            const subject = await this.#subjectRepository.loadByQuery({ tenantId: token.payload.tenant, id: token.payload.subject });
+            await this.setCredentials(subject, newSecret);
             await authAuditor.info('reset-secret-success', {
+                tenantId: token.payload.tenant,
                 targetId: token.payload.subject,
                 targetType: 'User',
             });
@@ -509,19 +528,28 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
     }
     /**
      * Tries to resolve a subject.
-     * This method is safe to use in public facing APIs as it does not leak information about the existence of a subject.
      * @param subject The subject to resolve.
      * @returns The resolved subject or undefined if the subject could not be resolved.
      */
     async tryResolveSubject(subject) {
         if (isUndefined(this.#authenticationAncillaryService)) {
-            return subject;
+            const subjects = await this.defaultResolveSubjects(subject);
+            if (subjects.length > 1) {
+                throw new Error('Multiple subjects matched. Not supported yet.');
+            }
+            return subjects[0];
         }
-        const result = await this.#authenticationAncillaryService.resolveSubject(subject);
-        if (result.success) {
-            return result.subject;
+        const subjects = await this.#authenticationAncillaryService.resolveSubjects(subject);
+        if (subjects.length > 1) {
+            throw new Error('Multiple subjects matched. Not supported yet.');
+        }
+        return subjects[0];
+    }
+    async resolveSubjects(subjectInput) {
+        if (isUndefined(this.#authenticationAncillaryService)) {
+            return await this.defaultResolveSubjects(subjectInput);
         }
-        return undefined;
+        return await this.#authenticationAncillaryService.resolveSubjects(subjectInput);
     }
     /**
      * Resolves the subject to the actual subject used for authentication.
@@ -531,14 +559,14 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      * @returns The resolved subject or the original subject if not found.
      */
     async resolveSubject(subject) {
-        if (isUndefined(this.#authenticationAncillaryService)) {
-            return subject;
+        const subjects = await this.resolveSubjects(subject);
+        if (subjects.length > 1) {
+            throw new Error('Multiple subjects matched. Not supported yet.');
         }
-        const result = await this.#authenticationAncillaryService.resolveSubject(subject);
-        if (result.success) {
-            return result.subject;
+        if (subjects.length == 0) {
+            throw new NotFoundError(`Subject not found.`);
         }
-        throw new NotFoundError(`Subject not found.`);
+        return subjects[0];
     }
     /**
      * Creates a token without session or refresh token and is not saved in database.
@@ -556,8 +584,9 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             iat: issuedAt ?? timestampToTimestampSeconds(timestamp),
             exp: expiration ?? timestampToTimestampSeconds(timestamp + this.tokenTimeToLive),
             refreshTokenExp: timestampToTimestampSeconds(refreshTokenExpiration),
-            sessionId,
-            subject,
+            session: sessionId,
+            tenant: subject.tenantId,
+            subject: subject.id,
             impersonator: impersonatedBy,
             ...additionalTokenPayload,
         };
@@ -571,6 +600,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
     /**
      * Creates a refresh token without session and is not saved in database.
      * @param subject The subject of the refresh token.
+     * @param tenantId The tenant id of the refresh token.
      * @param sessionId The session id of the refresh token.
      * @param expirationTimestamp The expiration timestamp of the refresh token.
      * @param options Options for creating the refresh token.
@@ -587,15 +617,35 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             },
             payload: {
                 exp: timestampToTimestampSeconds(expirationTimestamp),
-                subject,
+                subject: subject.id,
+                tenant: subject.tenantId,
                 impersonator: options?.impersonator,
-                sessionId,
+                session: sessionId,
                 secret,
             },
         };
         const token = await createJwtTokenString(jsonToken, this.derivedRefreshTokenSigningSecret);
         return { token, jsonToken, salt, hash: new Uint8Array(hash) };
     }
+    async defaultResolveSubjects({ tenantId, subject }) {
+        const [subjectsById, usersByMail] = await Promise.all([
+            this.#subjectRepository.loadManyByQuery({ tenantId, id: subject }),
+            this.#userRepository.loadManyByQuery({ tenantId, email: subject }),
+        ]);
+        const userIds = getEntityIds(usersByMail);
+        const subjectsByUser = (userIds.length == 0) ? [] : await this.#subjectRepository.loadManyByQuery({ tenantId, userId: { $in: userIds } });
+        return [...subjectsById, ...subjectsByUser];
+    }
+    async defaultResolveSubject({ tenantId, subject }) {
+        const subjects = await this.defaultResolveSubjects({ tenantId, subject });
+        if (subjects.length > 1) {
+            throw new Error('Multiple subjects matched. Not supported yet.');
+        }
+        if (subjects.length == 0) {
+            throw new NotFoundError('Subject not found.');
+        }
+        return subjects[0];
+    }
     async createSecretResetToken(subject, expirationTimestamp) {
         const jsonToken = {
             header: {
@@ -604,7 +654,8 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             },
             payload: {
                 exp: timestampToTimestampSeconds(expirationTimestamp),
-                subject,
+                subject: subject.id,
+                tenant: subject.tenantId,
             },
         };
         const token = await createJwtTokenString(jsonToken, this.derivedSecretResetTokenSigningSecret);

package/authentication/server/subject.service.d.ts

@@ -1,6 +1,22 @@
-import { Subject, SystemAccount } from '../models/index.js';
+import { ServiceAccount, Subject, User } from '../models/index.js';
+export type CreateUser = Pick<User, 'tenantId' | 'email' | 'firstName' | 'lastName'> & Partial<Pick<User, 'status'>>;
+export type CreateServiceAccount = Pick<ServiceAccount, 'tenantId' | 'description' | 'parent'>;
 export declare class SubjectService {
-    readonly subjectRepository: import("../../orm/server/index.js").EntityRepository<Subject>;
-    readonly systemAccountRepository: import("../../orm/server/index.js").EntityRepository<SystemAccount>;
+    #private;
+    getSubject(id: string): Promise<Subject>;
+    tryGetSubject(id: string): Promise<Subject | undefined>;
     getSystemAccountSubject(tenantId: string, identifier: string): Promise<Subject>;
+    createUser(data: CreateUser): Promise<User>;
+    updateUser(tenantId: string, userId: string, data: Partial<Pick<User, 'firstName' | 'lastName' | 'status'>>): Promise<void>;
+    updateUserEmail(tenantId: string, userId: string, email: string): Promise<void>;
+    getUserSubject(tenantId: string, userId: string): Promise<Subject>;
+    getUserByEmail(tenantId: string, email: string): Promise<User>;
+    tryGetUserByEmail(tenantId: string, email: string): Promise<User | undefined>;
+    hasUserByEmail(tenantId: string, email: string): Promise<boolean>;
+    getUserBySubject(subject: Subject): Promise<User>;
+    loadManyUsersByEmails(tenantId: string, emails: string[]): Promise<User[]>;
+    createServiceAccount(data: CreateServiceAccount): Promise<ServiceAccount>;
+    updateServiceAccount(tenantId: string, serviceAccountId: string, data: Partial<Pick<ServiceAccount, 'description'>> & Partial<Pick<Subject, 'displayName'>>): Promise<void>;
+    getServiceAccountSubject(tenantId: string, serviceAccountId: string): Promise<Subject>;
+    getServiceAccountBySubject(subject: Subject): Promise<ServiceAccount>;
 }