@twin.org/api-auth-entity-storage-service 0.0.1-next.9 → 0.0.2-next.1

package/dist/cjs/index.cjs

@@ -71,13 +71,12 @@ class TokenHelper {
      * @returns The new token and its expiry date.
      */
     static async createToken(vaultConnector, signingKeyName, subject, ttlMinutes) {
-        // Verify was a success so we can now generate a new token.
         const nowSeconds = Math.trunc(Date.now() / 1000);
         const ttlSeconds = ttlMinutes * 60;
-        const jwt = await web.Jwt.encodeWithSigner({ alg: web.JwtAlgorithms.EdDSA }, {
+        const jwt = await web.Jwt.encodeWithSigner({ alg: "EdDSA" }, {
             sub: subject,
             exp: nowSeconds + ttlSeconds
-        }, async (alg, key, payload) => vaultConnector.sign(signingKeyName, payload));
+        }, async (header, payload) => vaultModels.VaultConnectorHelper.jwtSigner(vaultConnector, signingKeyName, header, payload));
         return {
             token: jwt,
             expiry: (nowSeconds + ttlSeconds) * 1000
@@ -95,14 +94,10 @@ class TokenHelper {
         if (!core.Is.stringValue(token)) {
             throw new core.UnauthorizedError(this._CLASS_NAME, "missing");
         }
-        const decoded = await web.Jwt.verifyWithVerifier(token, async (alg, key, payload, signature) => vaultConnector.verify(signingKeyName, payload, signature));
-        // If the signature validation failed or some of the header/payload data
-        // is not properly populated then it is unauthorized.
-        if (!decoded.verified ||
-            !core.Is.object(decoded.header) ||
-            !core.Is.object(decoded.payload) ||
-            !core.Is.stringValue(decoded.payload.sub)) {
-            throw new core.UnauthorizedError(this._CLASS_NAME, "invalidToken");
+        const decoded = await web.Jwt.verifyWithVerifier(token, async (t) => vaultModels.VaultConnectorHelper.jwtVerifier(vaultConnector, signingKeyName, t));
+        // If some of the header/payload data is not properly populated then it is unauthorized.
+        if (!core.Is.stringValue(decoded.payload.sub)) {
+            throw new core.UnauthorizedError(this._CLASS_NAME, "payloadMissingSubject");
         }
         else if (!core.Is.empty(decoded.payload?.exp) &&
             decoded.payload.exp < Math.trunc(Date.now() / 1000)) {
@@ -154,6 +149,10 @@ class TokenHelper {
  * Handle a JWT token in the authorization header or cookies and validate it to populate request context identity.
  */
 class AuthHeaderProcessor {
+    /**
+     * The namespace supported by the processor.
+     */
+    static NAMESPACE = "auth-header";
     /**
      * The default name for the access token as a cookie.
      * @internal
@@ -186,8 +185,6 @@ class AuthHeaderProcessor {
     /**
      * Create a new instance of AuthCookiePreProcessor.
      * @param options Options for the processor.
-     * @param options.vaultConnectorType The vault for the private keys, defaults to "vault".
-     * @param options.config The configuration for the processor.
      */
     constructor(options) {
         this._vaultConnector = vaultModels.VaultConnectorFactory.get(options?.vaultConnectorType ?? "vault");
@@ -244,13 +241,13 @@ class AuthHeaderProcessor {
             if ((responseAuthOperation === "login" || responseAuthOperation === "refresh") &&
                 core.Is.stringValue(response.body?.token)) {
                 response.headers ??= {};
-                response.headers["Set-Cookie"] =
+                response.headers[web.HeaderTypes.SetCookie] =
                     `${this._cookieName}=${response.body.token}; Secure; HttpOnly; SameSite=None; Path=/`;
                 delete response.body.token;
             }
             else if (responseAuthOperation === "logout") {
                 response.headers ??= {};
-                response.headers["Set-Cookie"] =
+                response.headers[web.HeaderTypes.SetCookie] =
                     `${this._cookieName}=; Max-Age=0; Secure; HttpOnly; SameSite=None; Path=/`;
             }
         }
@@ -391,7 +388,41 @@ function generateRestRoutesAuthentication(baseRouteName, componentName) {
             }
         ]
     };
-    return [loginRoute, logoutRoute, refreshTokenRoute];
+    const updatePasswordRoute = {
+        operationId: "authenticationUpdatePassword",
+        summary: "Update the user's password",
+        tag: tagsAuthentication[0].name,
+        method: "PUT",
+        path: `${baseRouteName}/:email/password`,
+        handler: async (httpRequestContext, request) => authenticationUpdatePassword(httpRequestContext, componentName, request),
+        requestType: {
+            type: "IUpdatePasswordRequest",
+            examples: [
+                {
+                    id: "updatePasswordRequestExample",
+                    description: "The request to update the user's password.",
+                    request: {
+                        pathParams: {
+                            email: "john:example.com"
+                        },
+                        body: {
+                            currentPassword: "MyNewPassword123!",
+                            newPassword: "MyNewPassword123!"
+                        }
+                    }
+                }
+            ]
+        },
+        responseType: [
+            {
+                type: "INoContentResponse"
+            },
+            {
+                type: "IUnauthorizedResponse"
+            }
+        ]
+    };
+    return [loginRoute, logoutRoute, refreshTokenRoute, updatePasswordRoute];
 }
 /**
  * Login to the server.
@@ -451,6 +482,23 @@ async function authenticationRefreshToken(httpRequestContext, componentName, req
         body: result
     };
 }
+/**
+ * Update the user's password.
+ * @param httpRequestContext The request context for the API.
+ * @param componentName The name of the component to use in the routes.
+ * @param request The request.
+ * @returns The response object with additional http response properties.
+ */
+async function authenticationUpdatePassword(httpRequestContext, componentName, request) {
+    core.Guards.object(ROUTES_SOURCE, "request", request);
+    core.Guards.object(ROUTES_SOURCE, "request.pathParams", request.pathParams);
+    core.Guards.object(ROUTES_SOURCE, "request.body", request.body);
+    const component = core.ComponentFactory.get(componentName);
+    await component.updatePassword(request.pathParams.email, request.body.currentPassword, request.body.newPassword);
+    return {
+        statusCode: web.HttpStatusCode.noContent
+    };
+}
 
 const restEntryPoints = [
     {
@@ -498,10 +546,149 @@ class PasswordHelper {
     }
 }
 
+/**
+ * Implementation of the authentication component using entity storage.
+ */
+class EntityStorageAuthenticationAdminService {
+    /**
+     * The namespace supported by the authentication service.
+     */
+    static NAMESPACE = "authentication-admin-entity-storage";
+    /**
+     * The minimum password length.
+     * @internal
+     */
+    static _DEFAULT_MIN_PASSWORD_LENGTH = 8;
+    /**
+     * Runtime name for the class.
+     */
+    CLASS_NAME = "EntityStorageAuthenticationAdminService";
+    /**
+     * The entity storage for users.
+     * @internal
+     */
+    _userEntityStorage;
+    /**
+     * The minimum password length.
+     * @internal
+     */
+    _minPasswordLength;
+    /**
+     * Create a new instance of EntityStorageAuthentication.
+     * @param options The dependencies for the identity connector.
+     */
+    constructor(options) {
+        this._userEntityStorage = entityStorageModels.EntityStorageConnectorFactory.get(options?.userEntityStorageType ?? "authentication-user");
+        this._minPasswordLength =
+            options?.config?.minPasswordLength ??
+                EntityStorageAuthenticationAdminService._DEFAULT_MIN_PASSWORD_LENGTH;
+    }
+    /**
+     * Create a login for the user.
+     * @param email The email address for the user.
+     * @param password The password for the user.
+     * @param identity The DID to associate with the account.
+     * @returns Nothing.
+     */
+    async create(email, password, identity) {
+        core.Guards.stringValue(this.CLASS_NAME, "email", email);
+        core.Guards.stringValue(this.CLASS_NAME, "password", password);
+        try {
+            if (password.length < this._minPasswordLength) {
+                throw new core.GeneralError(this.CLASS_NAME, "passwordTooShort", {
+                    minLength: this._minPasswordLength
+                });
+            }
+            const user = await this._userEntityStorage.get(email);
+            if (user) {
+                throw new core.GeneralError(this.CLASS_NAME, "userExists");
+            }
+            const saltBytes = core.RandomHelper.generate(16);
+            const passwordBytes = core.Converter.utf8ToBytes(password);
+            const hashedPassword = await PasswordHelper.hashPassword(passwordBytes, saltBytes);
+            const newUser = {
+                email,
+                salt: core.Converter.bytesToBase64(saltBytes),
+                password: hashedPassword,
+                identity
+            };
+            await this._userEntityStorage.set(newUser);
+        }
+        catch (error) {
+            throw new core.GeneralError(this.CLASS_NAME, "createUserFailed", undefined, error);
+        }
+    }
+    /**
+     * Remove the current user.
+     * @param email The email address of the user to remove.
+     * @returns Nothing.
+     */
+    async remove(email) {
+        core.Guards.stringValue(this.CLASS_NAME, "email", email);
+        try {
+            const user = await this._userEntityStorage.get(email);
+            if (!user) {
+                throw new core.NotFoundError(this.CLASS_NAME, "userNotFound", email);
+            }
+            await this._userEntityStorage.remove(email);
+        }
+        catch (error) {
+            throw new core.GeneralError(this.CLASS_NAME, "removeUserFailed", undefined, error);
+        }
+    }
+    /**
+     * Update the user's password.
+     * @param email The email address of the user to update.
+     * @param newPassword The new password for the user.
+     * @param currentPassword The current password, optional, if supplied will check against existing.
+     * @returns Nothing.
+     */
+    async updatePassword(email, newPassword, currentPassword) {
+        core.Guards.stringValue(this.CLASS_NAME, "email", email);
+        core.Guards.stringValue(this.CLASS_NAME, "newPassword", newPassword);
+        try {
+            if (newPassword.length < this._minPasswordLength) {
+                throw new core.GeneralError(this.CLASS_NAME, "passwordTooShort", {
+                    minLength: this._minPasswordLength
+                });
+            }
+            const user = await this._userEntityStorage.get(email);
+            if (!user) {
+                throw new core.NotFoundError(this.CLASS_NAME, "userNotFound", email);
+            }
+            if (core.Is.stringValue(currentPassword)) {
+                const saltBytes = core.Converter.base64ToBytes(user.salt);
+                const passwordBytes = core.Converter.utf8ToBytes(currentPassword);
+                const hashedPassword = await PasswordHelper.hashPassword(passwordBytes, saltBytes);
+                if (hashedPassword !== user.password) {
+                    throw new core.GeneralError(this.CLASS_NAME, "currentPasswordMismatch");
+                }
+            }
+            const saltBytes = core.RandomHelper.generate(16);
+            const passwordBytes = core.Converter.utf8ToBytes(newPassword);
+            const hashedPassword = await PasswordHelper.hashPassword(passwordBytes, saltBytes);
+            const updatedUser = {
+                email,
+                salt: core.Converter.bytesToBase64(saltBytes),
+                password: hashedPassword,
+                identity: user.identity
+            };
+            await this._userEntityStorage.set(updatedUser);
+        }
+        catch (error) {
+            throw new core.GeneralError(this.CLASS_NAME, "updatePasswordFailed", undefined, error);
+        }
+    }
+}
+
 /**
  * Implementation of the authentication component using entity storage.
  */
 class EntityStorageAuthenticationService {
+    /**
+     * The namespace supported by the authentication service.
+     */
+    static NAMESPACE = "authentication-entity-storage";
     /**
      * Default TTL in minutes.
      * @internal
@@ -511,6 +698,11 @@ class EntityStorageAuthenticationService {
      * Runtime name for the class.
      */
     CLASS_NAME = "EntityStorageAuthenticationService";
+    /**
+     * The user admin service.
+     * @internal
+     */
+    _authenticationAdminService;
     /**
      * The entity storage for users.
      * @internal
@@ -539,13 +731,11 @@ class EntityStorageAuthenticationService {
     /**
      * Create a new instance of EntityStorageAuthentication.
      * @param options The dependencies for the identity connector.
-     * @param options.userEntityStorageType The entity storage for the users, defaults to "authentication-user".
-     * @param options.vaultConnectorType The vault for the private keys, defaults to "vault".
-     * @param options.config The configuration for the authentication.
      */
     constructor(options) {
         this._userEntityStorage = entityStorageModels.EntityStorageConnectorFactory.get(options?.userEntityStorageType ?? "authentication-user");
         this._vaultConnector = vaultModels.VaultConnectorFactory.get(options?.vaultConnectorType ?? "vault");
+        this._authenticationAdminService = core.ComponentFactory.get(options?.authenticationAdminServiceType ?? "authentication-admin");
         this._signingKeyName = options?.config?.signingKeyName ?? "auth-signing";
         this._defaultTtlMinutes =
             options?.config?.defaultTtlMinutes ?? EntityStorageAuthenticationService._DEFAULT_TTL_MINUTES;
@@ -606,15 +796,27 @@ class EntityStorageAuthenticationService {
         const refreshTokenAndExpiry = await TokenHelper.createToken(this._vaultConnector, `${this._nodeIdentity}/${this._signingKeyName}`, headerAndPayload.payload.sub ?? "", this._defaultTtlMinutes);
         return refreshTokenAndExpiry;
     }
+    /**
+     * Update the user's password.
+     * @param email The email address of the user to update.
+     * @param currentPassword The current password for the user.
+     * @param newPassword The new password for the user.
+     * @returns Nothing.
+     */
+    async updatePassword(email, currentPassword, newPassword) {
+        return this._authenticationAdminService.updatePassword(email, newPassword, currentPassword);
+    }
 }
 
 exports.AuthHeaderProcessor = AuthHeaderProcessor;
+exports.EntityStorageAuthenticationAdminService = EntityStorageAuthenticationAdminService;
 exports.EntityStorageAuthenticationService = EntityStorageAuthenticationService;
 exports.PasswordHelper = PasswordHelper;
 exports.TokenHelper = TokenHelper;
 exports.authenticationLogin = authenticationLogin;
 exports.authenticationLogout = authenticationLogout;
 exports.authenticationRefreshToken = authenticationRefreshToken;
+exports.authenticationUpdatePassword = authenticationUpdatePassword;
 exports.generateRestRoutesAuthentication = generateRestRoutesAuthentication;
 exports.initSchema = initSchema;
 exports.restEntryPoints = restEntryPoints;

package/dist/esm/index.mjs

@@ -1,8 +1,8 @@
 import { property, entity, EntitySchemaFactory, EntitySchemaHelper } from '@twin.org/entity';
 import { HttpErrorHelper } from '@twin.org/api-models';
-import { Is, UnauthorizedError, Guards, BaseError, ComponentFactory, Converter, GeneralError } from '@twin.org/core';
-import { VaultConnectorFactory } from '@twin.org/vault-models';
-import { Jwt, JwtAlgorithms, HeaderTypes, HttpStatusCode } from '@twin.org/web';
+import { Is, UnauthorizedError, Guards, BaseError, ComponentFactory, Converter, GeneralError, RandomHelper, NotFoundError } from '@twin.org/core';
+import { VaultConnectorHelper, VaultConnectorFactory } from '@twin.org/vault-models';
+import { Jwt, HeaderTypes, HttpStatusCode } from '@twin.org/web';
 import { EntityStorageConnectorFactory } from '@twin.org/entity-storage-models';
 import { Blake2b } from '@twin.org/crypto';
 
@@ -69,13 +69,12 @@ class TokenHelper {
      * @returns The new token and its expiry date.
      */
     static async createToken(vaultConnector, signingKeyName, subject, ttlMinutes) {
-        // Verify was a success so we can now generate a new token.
         const nowSeconds = Math.trunc(Date.now() / 1000);
         const ttlSeconds = ttlMinutes * 60;
-        const jwt = await Jwt.encodeWithSigner({ alg: JwtAlgorithms.EdDSA }, {
+        const jwt = await Jwt.encodeWithSigner({ alg: "EdDSA" }, {
             sub: subject,
             exp: nowSeconds + ttlSeconds
-        }, async (alg, key, payload) => vaultConnector.sign(signingKeyName, payload));
+        }, async (header, payload) => VaultConnectorHelper.jwtSigner(vaultConnector, signingKeyName, header, payload));
         return {
             token: jwt,
             expiry: (nowSeconds + ttlSeconds) * 1000
@@ -93,14 +92,10 @@ class TokenHelper {
         if (!Is.stringValue(token)) {
             throw new UnauthorizedError(this._CLASS_NAME, "missing");
         }
-        const decoded = await Jwt.verifyWithVerifier(token, async (alg, key, payload, signature) => vaultConnector.verify(signingKeyName, payload, signature));
-        // If the signature validation failed or some of the header/payload data
-        // is not properly populated then it is unauthorized.
-        if (!decoded.verified ||
-            !Is.object(decoded.header) ||
-            !Is.object(decoded.payload) ||
-            !Is.stringValue(decoded.payload.sub)) {
-            throw new UnauthorizedError(this._CLASS_NAME, "invalidToken");
+        const decoded = await Jwt.verifyWithVerifier(token, async (t) => VaultConnectorHelper.jwtVerifier(vaultConnector, signingKeyName, t));
+        // If some of the header/payload data is not properly populated then it is unauthorized.
+        if (!Is.stringValue(decoded.payload.sub)) {
+            throw new UnauthorizedError(this._CLASS_NAME, "payloadMissingSubject");
         }
         else if (!Is.empty(decoded.payload?.exp) &&
             decoded.payload.exp < Math.trunc(Date.now() / 1000)) {
@@ -152,6 +147,10 @@ class TokenHelper {
  * Handle a JWT token in the authorization header or cookies and validate it to populate request context identity.
  */
 class AuthHeaderProcessor {
+    /**
+     * The namespace supported by the processor.
+     */
+    static NAMESPACE = "auth-header";
     /**
      * The default name for the access token as a cookie.
      * @internal
@@ -184,8 +183,6 @@ class AuthHeaderProcessor {
     /**
      * Create a new instance of AuthCookiePreProcessor.
      * @param options Options for the processor.
-     * @param options.vaultConnectorType The vault for the private keys, defaults to "vault".
-     * @param options.config The configuration for the processor.
      */
     constructor(options) {
         this._vaultConnector = VaultConnectorFactory.get(options?.vaultConnectorType ?? "vault");
@@ -242,13 +239,13 @@ class AuthHeaderProcessor {
             if ((responseAuthOperation === "login" || responseAuthOperation === "refresh") &&
                 Is.stringValue(response.body?.token)) {
                 response.headers ??= {};
-                response.headers["Set-Cookie"] =
+                response.headers[HeaderTypes.SetCookie] =
                     `${this._cookieName}=${response.body.token}; Secure; HttpOnly; SameSite=None; Path=/`;
                 delete response.body.token;
             }
             else if (responseAuthOperation === "logout") {
                 response.headers ??= {};
-                response.headers["Set-Cookie"] =
+                response.headers[HeaderTypes.SetCookie] =
                     `${this._cookieName}=; Max-Age=0; Secure; HttpOnly; SameSite=None; Path=/`;
             }
         }
@@ -389,7 +386,41 @@ function generateRestRoutesAuthentication(baseRouteName, componentName) {
             }
         ]
     };
-    return [loginRoute, logoutRoute, refreshTokenRoute];
+    const updatePasswordRoute = {
+        operationId: "authenticationUpdatePassword",
+        summary: "Update the user's password",
+        tag: tagsAuthentication[0].name,
+        method: "PUT",
+        path: `${baseRouteName}/:email/password`,
+        handler: async (httpRequestContext, request) => authenticationUpdatePassword(httpRequestContext, componentName, request),
+        requestType: {
+            type: "IUpdatePasswordRequest",
+            examples: [
+                {
+                    id: "updatePasswordRequestExample",
+                    description: "The request to update the user's password.",
+                    request: {
+                        pathParams: {
+                            email: "john:example.com"
+                        },
+                        body: {
+                            currentPassword: "MyNewPassword123!",
+                            newPassword: "MyNewPassword123!"
+                        }
+                    }
+                }
+            ]
+        },
+        responseType: [
+            {
+                type: "INoContentResponse"
+            },
+            {
+                type: "IUnauthorizedResponse"
+            }
+        ]
+    };
+    return [loginRoute, logoutRoute, refreshTokenRoute, updatePasswordRoute];
 }
 /**
  * Login to the server.
@@ -449,6 +480,23 @@ async function authenticationRefreshToken(httpRequestContext, componentName, req
         body: result
     };
 }
+/**
+ * Update the user's password.
+ * @param httpRequestContext The request context for the API.
+ * @param componentName The name of the component to use in the routes.
+ * @param request The request.
+ * @returns The response object with additional http response properties.
+ */
+async function authenticationUpdatePassword(httpRequestContext, componentName, request) {
+    Guards.object(ROUTES_SOURCE, "request", request);
+    Guards.object(ROUTES_SOURCE, "request.pathParams", request.pathParams);
+    Guards.object(ROUTES_SOURCE, "request.body", request.body);
+    const component = ComponentFactory.get(componentName);
+    await component.updatePassword(request.pathParams.email, request.body.currentPassword, request.body.newPassword);
+    return {
+        statusCode: HttpStatusCode.noContent
+    };
+}
 
 const restEntryPoints = [
     {
@@ -496,10 +544,149 @@ class PasswordHelper {
     }
 }
 
+/**
+ * Implementation of the authentication component using entity storage.
+ */
+class EntityStorageAuthenticationAdminService {
+    /**
+     * The namespace supported by the authentication service.
+     */
+    static NAMESPACE = "authentication-admin-entity-storage";
+    /**
+     * The minimum password length.
+     * @internal
+     */
+    static _DEFAULT_MIN_PASSWORD_LENGTH = 8;
+    /**
+     * Runtime name for the class.
+     */
+    CLASS_NAME = "EntityStorageAuthenticationAdminService";
+    /**
+     * The entity storage for users.
+     * @internal
+     */
+    _userEntityStorage;
+    /**
+     * The minimum password length.
+     * @internal
+     */
+    _minPasswordLength;
+    /**
+     * Create a new instance of EntityStorageAuthentication.
+     * @param options The dependencies for the identity connector.
+     */
+    constructor(options) {
+        this._userEntityStorage = EntityStorageConnectorFactory.get(options?.userEntityStorageType ?? "authentication-user");
+        this._minPasswordLength =
+            options?.config?.minPasswordLength ??
+                EntityStorageAuthenticationAdminService._DEFAULT_MIN_PASSWORD_LENGTH;
+    }
+    /**
+     * Create a login for the user.
+     * @param email The email address for the user.
+     * @param password The password for the user.
+     * @param identity The DID to associate with the account.
+     * @returns Nothing.
+     */
+    async create(email, password, identity) {
+        Guards.stringValue(this.CLASS_NAME, "email", email);
+        Guards.stringValue(this.CLASS_NAME, "password", password);
+        try {
+            if (password.length < this._minPasswordLength) {
+                throw new GeneralError(this.CLASS_NAME, "passwordTooShort", {
+                    minLength: this._minPasswordLength
+                });
+            }
+            const user = await this._userEntityStorage.get(email);
+            if (user) {
+                throw new GeneralError(this.CLASS_NAME, "userExists");
+            }
+            const saltBytes = RandomHelper.generate(16);
+            const passwordBytes = Converter.utf8ToBytes(password);
+            const hashedPassword = await PasswordHelper.hashPassword(passwordBytes, saltBytes);
+            const newUser = {
+                email,
+                salt: Converter.bytesToBase64(saltBytes),
+                password: hashedPassword,
+                identity
+            };
+            await this._userEntityStorage.set(newUser);
+        }
+        catch (error) {
+            throw new GeneralError(this.CLASS_NAME, "createUserFailed", undefined, error);
+        }
+    }
+    /**
+     * Remove the current user.
+     * @param email The email address of the user to remove.
+     * @returns Nothing.
+     */
+    async remove(email) {
+        Guards.stringValue(this.CLASS_NAME, "email", email);
+        try {
+            const user = await this._userEntityStorage.get(email);
+            if (!user) {
+                throw new NotFoundError(this.CLASS_NAME, "userNotFound", email);
+            }
+            await this._userEntityStorage.remove(email);
+        }
+        catch (error) {
+            throw new GeneralError(this.CLASS_NAME, "removeUserFailed", undefined, error);
+        }
+    }
+    /**
+     * Update the user's password.
+     * @param email The email address of the user to update.
+     * @param newPassword The new password for the user.
+     * @param currentPassword The current password, optional, if supplied will check against existing.
+     * @returns Nothing.
+     */
+    async updatePassword(email, newPassword, currentPassword) {
+        Guards.stringValue(this.CLASS_NAME, "email", email);
+        Guards.stringValue(this.CLASS_NAME, "newPassword", newPassword);
+        try {
+            if (newPassword.length < this._minPasswordLength) {
+                throw new GeneralError(this.CLASS_NAME, "passwordTooShort", {
+                    minLength: this._minPasswordLength
+                });
+            }
+            const user = await this._userEntityStorage.get(email);
+            if (!user) {
+                throw new NotFoundError(this.CLASS_NAME, "userNotFound", email);
+            }
+            if (Is.stringValue(currentPassword)) {
+                const saltBytes = Converter.base64ToBytes(user.salt);
+                const passwordBytes = Converter.utf8ToBytes(currentPassword);
+                const hashedPassword = await PasswordHelper.hashPassword(passwordBytes, saltBytes);
+                if (hashedPassword !== user.password) {
+                    throw new GeneralError(this.CLASS_NAME, "currentPasswordMismatch");
+                }
+            }
+            const saltBytes = RandomHelper.generate(16);
+            const passwordBytes = Converter.utf8ToBytes(newPassword);
+            const hashedPassword = await PasswordHelper.hashPassword(passwordBytes, saltBytes);
+            const updatedUser = {
+                email,
+                salt: Converter.bytesToBase64(saltBytes),
+                password: hashedPassword,
+                identity: user.identity
+            };
+            await this._userEntityStorage.set(updatedUser);
+        }
+        catch (error) {
+            throw new GeneralError(this.CLASS_NAME, "updatePasswordFailed", undefined, error);
+        }
+    }
+}
+
 /**
  * Implementation of the authentication component using entity storage.
  */
 class EntityStorageAuthenticationService {
+    /**
+     * The namespace supported by the authentication service.
+     */
+    static NAMESPACE = "authentication-entity-storage";
     /**
      * Default TTL in minutes.
      * @internal
@@ -509,6 +696,11 @@ class EntityStorageAuthenticationService {
      * Runtime name for the class.
      */
     CLASS_NAME = "EntityStorageAuthenticationService";
+    /**
+     * The user admin service.
+     * @internal
+     */
+    _authenticationAdminService;
     /**
      * The entity storage for users.
      * @internal
@@ -537,13 +729,11 @@ class EntityStorageAuthenticationService {
     /**
      * Create a new instance of EntityStorageAuthentication.
      * @param options The dependencies for the identity connector.
-     * @param options.userEntityStorageType The entity storage for the users, defaults to "authentication-user".
-     * @param options.vaultConnectorType The vault for the private keys, defaults to "vault".
-     * @param options.config The configuration for the authentication.
      */
     constructor(options) {
         this._userEntityStorage = EntityStorageConnectorFactory.get(options?.userEntityStorageType ?? "authentication-user");
         this._vaultConnector = VaultConnectorFactory.get(options?.vaultConnectorType ?? "vault");
+        this._authenticationAdminService = ComponentFactory.get(options?.authenticationAdminServiceType ?? "authentication-admin");
         this._signingKeyName = options?.config?.signingKeyName ?? "auth-signing";
         this._defaultTtlMinutes =
             options?.config?.defaultTtlMinutes ?? EntityStorageAuthenticationService._DEFAULT_TTL_MINUTES;
@@ -604,6 +794,16 @@ class EntityStorageAuthenticationService {
         const refreshTokenAndExpiry = await TokenHelper.createToken(this._vaultConnector, `${this._nodeIdentity}/${this._signingKeyName}`, headerAndPayload.payload.sub ?? "", this._defaultTtlMinutes);
         return refreshTokenAndExpiry;
     }
+    /**
+     * Update the user's password.
+     * @param email The email address of the user to update.
+     * @param currentPassword The current password for the user.
+     * @param newPassword The new password for the user.
+     * @returns Nothing.
+     */
+    async updatePassword(email, currentPassword, newPassword) {
+        return this._authenticationAdminService.updatePassword(email, newPassword, currentPassword);
+    }
 }
 
-export { AuthHeaderProcessor, AuthenticationUser, EntityStorageAuthenticationService, PasswordHelper, TokenHelper, authenticationLogin, authenticationLogout, authenticationRefreshToken, generateRestRoutesAuthentication, initSchema, restEntryPoints, tagsAuthentication };
+export { AuthHeaderProcessor, AuthenticationUser, EntityStorageAuthenticationAdminService, EntityStorageAuthenticationService, PasswordHelper, TokenHelper, authenticationLogin, authenticationLogout, authenticationRefreshToken, authenticationUpdatePassword, generateRestRoutesAuthentication, initSchema, restEntryPoints, tagsAuthentication };