@warlock.js/auth 4.0.31 → 4.0.41

package/cjs/index.js

@@ -1 +1,725 @@
-'use strict';var authCleanupCommand=require('./commands/auth-cleanup-command.js'),jwtSecretGeneratorCommand=require('./commands/jwt-secret-generator-command.js'),types=require('./contracts/types.js'),auth_middleware=require('./middleware/auth.middleware.js'),accessToken=require('./models/access-token/access-token.js');require('./models/access-token/migration.js');var auth=require('./models/auth.js'),castPassword=require('./models/casts/cast-password.js'),refreshToken=require('./models/refresh-token/refresh-token.js'),authEvents=require('./services/auth-events.js'),auth_service=require('./services/auth.service.js'),generateJwtSecret=require('./services/generate-jwt-secret.js'),jwt=require('./services/jwt.js'),authErrorCodes=require('./utils/auth-error-codes.js'),duration=require('./utils/duration.js');exports.registerAuthCleanupCommand=authCleanupCommand.registerAuthCleanupCommand;exports.registerJWTSecretGeneratorCommand=jwtSecretGeneratorCommand.registerJWTSecretGeneratorCommand;exports.NO_EXPIRATION=types.NO_EXPIRATION;exports.authMiddleware=auth_middleware.authMiddleware;exports.AccessToken=accessToken.AccessToken;exports.Auth=auth.Auth;exports.castPassword=castPassword.castPassword;exports.RefreshToken=refreshToken.RefreshToken;exports.authEvents=authEvents.authEvents;exports.authService=auth_service.authService;exports.generateJWTSecret=generateJwtSecret.generateJWTSecret;exports.jwt=jwt.jwt;Object.defineProperty(exports,'AuthErrorCodes',{enumerable:true,get:function(){return authErrorCodes.AuthErrorCodes}});exports.parseExpirationToMs=duration.parseExpirationToMs;exports.toJwtExpiresIn=duration.toJwtExpiresIn;//# sourceMappingURL=index.js.map
+'use strict';
+
+var copper = require('@mongez/copper');
+var core = require('@warlock.js/core');
+var password = require('@mongez/password');
+var reinforcements = require('@mongez/reinforcements');
+var cascade = require('@warlock.js/cascade');
+var seal = require('@warlock.js/seal');
+var events = require('@mongez/events');
+var fastJwt = require('fast-jwt');
+var fs = require('@mongez/fs');
+var logger = require('@warlock.js/logger');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var events__default = /*#__PURE__*/_interopDefault(events);
+
+// ../../warlock.js/auth/src/commands/auth-cleanup-command.ts
+var accessTokenSchema = seal.v.object({
+  token: seal.v.string().required(),
+  lastAccess: seal.v.date().default(() => /* @__PURE__ */ new Date()),
+  user: seal.v.object({
+    id: seal.v.number().required(),
+    userType: seal.v.string()
+  }).allowUnknown().required()
+});
+var AccessToken = class extends cascade.Model {
+  /**
+   * {@inheritDoc}
+   */
+  static table = "accessTokens";
+  static schema = accessTokenSchema;
+};
+cascade.migrate(AccessToken, {
+  name: "accessToken",
+  up() {
+    this.string("accessToken").index();
+    this.date("lastAccess");
+  },
+  down() {
+    this.dropIndex("token");
+  }
+});
+var refreshTokenSchema = seal.v.object({
+  token: seal.v.string().required(),
+  userId: seal.v.number().required(),
+  userType: seal.v.string().required(),
+  familyId: seal.v.string().required(),
+  expiresAt: seal.v.date().required(),
+  lastUsedAt: seal.v.date().default(() => /* @__PURE__ */ new Date()),
+  revokedAt: seal.v.date(),
+  deviceInfo: seal.v.record(seal.v.any())
+});
+var RefreshToken = class extends cascade.Model {
+  /**
+   * {@inheritDoc}
+   */
+  static table = "refreshTokens";
+  /**
+   * {@inheritDoc}
+   */
+  static schema = refreshTokenSchema;
+  /**
+   * Check if token is expired
+   */
+  get isExpired() {
+    const expiresAt = this.get("expiresAt");
+    if (!expiresAt) return false;
+    return /* @__PURE__ */ new Date() > new Date(expiresAt);
+  }
+  /**
+   * Check if token is revoked
+   */
+  get isRevoked() {
+    return !!this.get("revokedAt");
+  }
+  /**
+   * Check if token is valid (not expired and not revoked)
+   */
+  get isValid() {
+    return !this.isExpired && !this.isRevoked;
+  }
+  /**
+   * Revoke this token
+   */
+  async revoke() {
+    return this.merge({ revokedAt: /* @__PURE__ */ new Date() }).save();
+  }
+  /**
+   * Mark token as used (update lastUsedAt)
+   */
+  async markAsUsed() {
+    await this.merge({ lastUsedAt: /* @__PURE__ */ new Date() }).save();
+  }
+};
+
+// ../../warlock.js/auth/src/contracts/types.ts
+var NO_EXPIRATION = /* @__PURE__ */ Symbol("NO_EXPIRATION");
+
+// ../../warlock.js/auth/src/utils/duration.ts
+function parseExpirationToMs(expiration, defaultMs = 36e5) {
+  if (expiration === void 0) {
+    return defaultMs;
+  }
+  if (expiration === NO_EXPIRATION) {
+    return void 0;
+  }
+  if (typeof expiration === "number") {
+    return expiration;
+  }
+  if (typeof expiration === "string") {
+    return parseStringDuration(expiration);
+  }
+  return parseDurationObject(expiration);
+}
+function parseDurationObject(duration) {
+  let ms = 0;
+  if (duration.milliseconds) ms += duration.milliseconds;
+  if (duration.seconds) ms += duration.seconds * 1e3;
+  if (duration.minutes) ms += duration.minutes * 60 * 1e3;
+  if (duration.hours) ms += duration.hours * 60 * 60 * 1e3;
+  if (duration.days) ms += duration.days * 24 * 60 * 60 * 1e3;
+  if (duration.weeks) ms += duration.weeks * 7 * 24 * 60 * 60 * 1e3;
+  return ms;
+}
+function parseStringDuration(str) {
+  let totalMs = 0;
+  const parts = str.trim().split(/\s+/);
+  for (const part of parts) {
+    const match = part.match(/^(\d+(?:\.\d+)?)([smhdw])$/i);
+    if (!match) continue;
+    const value = parseFloat(match[1]);
+    const unit = match[2].toLowerCase();
+    switch (unit) {
+      case "s":
+        totalMs += value * 1e3;
+        break;
+      case "m":
+        totalMs += value * 60 * 1e3;
+        break;
+      case "h":
+        totalMs += value * 60 * 60 * 1e3;
+        break;
+      case "d":
+        totalMs += value * 24 * 60 * 60 * 1e3;
+        break;
+      case "w":
+        totalMs += value * 7 * 24 * 60 * 60 * 1e3;
+        break;
+    }
+  }
+  return totalMs || 36e5;
+}
+function toJwtExpiresIn(expiration, defaultMs = 36e5) {
+  const ms = parseExpirationToMs(expiration, defaultMs);
+  if (ms === void 0) return void 0;
+  return Math.floor(ms / 1e3) + "s";
+}
+var AUTH_EVENT_PREFIX = "auth.";
+var authEvents = {
+  /**
+   * Subscribe to an auth event
+   */
+  on(event, callback) {
+    return events__default.default.subscribe(AUTH_EVENT_PREFIX + event, callback);
+  },
+  /**
+   * Subscribe to an auth event (alias for `on`)
+   */
+  subscribe(event, callback) {
+    return this.on(event, callback);
+  },
+  /**
+   * Emit an auth event
+   */
+  emit(event, ...args) {
+    events__default.default.trigger(AUTH_EVENT_PREFIX + event, ...args);
+  },
+  /**
+   * Emit an auth event (alias for `emit`)
+   */
+  trigger(event, ...args) {
+    this.emit(event, ...args);
+  },
+  /**
+   * Unsubscribe from all auth events
+   */
+  unsubscribeAll() {
+    events__default.default.unsubscribeNamespace(AUTH_EVENT_PREFIX.slice(0, -1));
+  },
+  /**
+   * Unsubscribe from a specific auth event
+   */
+  off(event) {
+    if (event) {
+      events__default.default.unsubscribe(AUTH_EVENT_PREFIX + event);
+    } else {
+      this.unsubscribeAll();
+    }
+  }
+};
+var getSecretKey = () => core.config.key("auth.jwt.secret");
+var getAlgorithm = () => core.config.key("auth.jwt.algorithm");
+var getRefreshSecretKey = () => core.config.key("auth.jwt.refresh.secret");
+var getRefreshTokenValidity = () => core.config.key("auth.jwt.refresh.expiresIn");
+var jwt = {
+  /**
+   * Generate a new JWT token for the user.
+   * @param payload The payload to encode in the JWT token.
+   */
+  async generate(payload, {
+    key = getSecretKey(),
+    algorithm = getAlgorithm(),
+    ...options
+  } = {}) {
+    const sign = fastJwt.createSigner({ key, ...options, algorithm });
+    return sign({ ...payload });
+  },
+  /**
+   * Verify the given token.
+   * @param token The JWT token to verify.
+   * @returns The decoded token payload if verification is successful.
+   */
+  async verify(token, {
+    key = getSecretKey(),
+    algorithms = getAlgorithm() ? [getAlgorithm()] : void 0,
+    ...options
+  } = {}) {
+    const verify2 = fastJwt.createVerifier({ key, ...options, algorithms });
+    return await verify2(token);
+  },
+  /**
+   * Generate a new refresh token for the user.
+   */
+  async generateRefreshToken(payload, {
+    key = getRefreshSecretKey(),
+    expiresIn = getRefreshTokenValidity(),
+    algorithm = getAlgorithm(),
+    ...options
+  } = {}) {
+    const sign = fastJwt.createSigner({ key, expiresIn, algorithm, ...options });
+    return sign({ ...payload });
+  },
+  /**
+   * Verify the given refresh token.
+   */
+  async verifyRefreshToken(token, {
+    key = getRefreshSecretKey(),
+    algorithms = [getAlgorithm()],
+    ...options
+  } = {}) {
+    const verify2 = fastJwt.createVerifier({ key, algorithms, ...options });
+    return await verify2(token);
+  }
+};
+
+// ../../warlock.js/auth/src/services/auth.service.ts
+var AuthService = class {
+  /**
+   * Build access token payload from user
+   */
+  buildAccessTokenPayload(user) {
+    return {
+      id: user.id,
+      _id: user.get("_id"),
+      userType: user.userType,
+      createdAt: Date.now()
+    };
+  }
+  /**
+   * Generate access token for user
+   */
+  async generateAccessToken(user, payload) {
+    const data = payload || this.buildAccessTokenPayload(user);
+    const expiresInConfig = core.config.key("auth.jwt.expiresIn");
+    const expiresIn = toJwtExpiresIn(expiresInConfig, 36e5);
+    const token = expiresIn ? await jwt.generate(data, { expiresIn }) : await jwt.generate(data);
+    await AccessToken.create({
+      token,
+      user: data
+    });
+    return token;
+  }
+  /**
+   * Create refresh token for user
+   */
+  async createRefreshToken(user, deviceInfo) {
+    const familyId = deviceInfo?.familyId || reinforcements.Random.string(32);
+    const expiresInConfig = core.config.key("auth.jwt.refresh.expiresIn");
+    const expiresInMs = parseExpirationToMs(expiresInConfig, 7 * 24 * 60 * 60 * 1e3);
+    const payload = {
+      userId: user.id,
+      userType: user.userType,
+      familyId
+    };
+    const token = await jwt.generateRefreshToken(payload);
+    await this.enforceMaxRefreshTokens(user);
+    const expiresAt = expiresInMs ? new Date(Date.now() + expiresInMs) : new Date(Date.now() + 100 * 365 * 24 * 60 * 60 * 1e3);
+    return RefreshToken.create({
+      token,
+      userId: user.id,
+      userType: user.userType,
+      familyId,
+      expiresAt,
+      deviceInfo: deviceInfo ? {
+        userAgent: deviceInfo.userAgent,
+        ip: deviceInfo.ip,
+        deviceId: deviceInfo.deviceId
+      } : void 0
+    });
+  }
+  /**
+   * Create both access and refresh tokens
+   */
+  async createTokenPair(user, deviceInfo) {
+    const accessToken = await this.generateAccessToken(user, deviceInfo?.payload);
+    const refreshToken = await this.createRefreshToken(user, deviceInfo);
+    const tokenPair = {
+      accessToken,
+      refreshToken: refreshToken.get("token"),
+      expiresIn: core.config.key("auth.jwt.expiresIn", "1h")
+    };
+    authEvents.emit("token.created", user, tokenPair);
+    authEvents.emit("session.created", user, refreshToken, deviceInfo);
+    return tokenPair;
+  }
+  /**
+   * Refresh tokens using a refresh token
+   */
+  async refreshTokens(refreshTokenString, deviceInfo) {
+    try {
+      const decoded = await jwt.verifyRefreshToken(refreshTokenString);
+      if (!decoded) return null;
+      const refreshToken = await RefreshToken.first({ token: refreshTokenString });
+      if (!refreshToken?.isValid) {
+        if (refreshToken) {
+          await this.revokeTokenFamily(refreshToken.get("familyId"));
+        }
+        return null;
+      }
+      const UserModel = core.config.key(`auth.userType.${decoded.userType}`);
+      if (!UserModel) return null;
+      const user = await UserModel.find(decoded.userId);
+      if (!user) return null;
+      const rotationEnabled = core.config.key("auth.jwt.refresh.rotation", true);
+      if (rotationEnabled) {
+        await refreshToken.revoke();
+      } else {
+        await refreshToken.markAsUsed();
+      }
+      const newTokenPair = await this.createTokenPair(user, {
+        ...deviceInfo,
+        familyId: refreshToken.get("familyId")
+      });
+      authEvents.emit("token.refreshed", user, newTokenPair, refreshToken);
+      return newTokenPair;
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Verify password
+   */
+  verifyPassword(hashedPassword, plainPassword) {
+    return password.verify(String(hashedPassword), String(plainPassword));
+  }
+  /**
+   * Hash password
+   */
+  hashPassword(password$1) {
+    return password.hash(String(password$1), core.config.key("auth.password.salt", 12));
+  }
+  /**
+   * Attempt to login user with given credentials
+   */
+  async attemptLogin(Model4, data) {
+    const { password, ...otherData } = data;
+    authEvents.emit("login.attempt", otherData);
+    const user = await Model4.first(otherData);
+    if (!user) {
+      authEvents.emit("login.failed", otherData, "User not found");
+      return null;
+    }
+    if (!this.verifyPassword(user.string("password"), password)) {
+      authEvents.emit("login.failed", otherData, "Invalid password");
+      return null;
+    }
+    return user;
+  }
+  /**
+   * Full login flow: validate credentials, create tokens, emit events
+   * Returns token pair on success, null on failure
+   */
+  async login(Model4, credentials, deviceInfo) {
+    const user = await this.attemptLogin(Model4, credentials);
+    if (!user) {
+      return null;
+    }
+    if (!core.config.key("auth.jwt.refresh.enabled", true)) {
+      const accessToken = await this.generateAccessToken(user, deviceInfo?.payload);
+      return { user, accessToken };
+    }
+    const tokens = await this.createTokenPair(user, deviceInfo);
+    authEvents.emit("login.success", user, tokens, deviceInfo);
+    return { user, tokens };
+  }
+  /**
+   * Logout user
+   * @param user - The authenticated user
+   * @param accessToken - Optional access token string to revoke
+   * @param refreshToken - Optional refresh token string to revoke
+   * If refresh token is not provided, behavior is determined by config:
+   * - "revoke-all" (default): Revoke ALL refresh tokens for security
+   * - "error": Throw error requiring refresh token
+   */
+  async logout(user, accessToken, refreshToken) {
+    if (accessToken) {
+      await this.removeAccessToken(user, accessToken);
+    }
+    if (refreshToken) {
+      const token = await RefreshToken.first({
+        token: refreshToken,
+        userId: user.id
+        // Security: ensure token belongs to this user
+      });
+      if (token) {
+        await token.revoke();
+        authEvents.emit("session.destroyed", user, token);
+      }
+    } else {
+      const behavior = core.config.key("auth.jwt.refresh.logoutWithoutToken", "revoke-all");
+      if (behavior === "error") {
+        throw new Error("Refresh token required for logout");
+      }
+      await this.revokeAllTokens(user);
+      authEvents.emit("logout.failsafe", user);
+    }
+    authEvents.emit("logout", user);
+  }
+  /**
+   * Remove specific access token
+   */
+  async removeAccessToken(user, token) {
+    AccessToken.delete({
+      token,
+      "user.id": user.id
+    });
+  }
+  /**
+   * Revoke all tokens for a user
+   */
+  async revokeAllTokens(user) {
+    const refreshTokens = await RefreshToken.query().where("userId", user.id).where("userType", user.userType).where("revokedAt", null).get();
+    for (const token of refreshTokens) {
+      await token.revoke();
+      authEvents.emit("token.revoked", user, token);
+    }
+    await AccessToken.delete({
+      "user.id": user.id,
+      "user.userType": user.userType
+    });
+    authEvents.emit("logout.all", user);
+  }
+  /**
+   * Revoke entire token family (for rotation breach detection)
+   */
+  async revokeTokenFamily(familyId) {
+    const tokens = await RefreshToken.query().where("familyId", familyId).where("revokedAt", null).get();
+    for (const token of tokens) {
+      await token.revoke();
+    }
+    authEvents.emit("token.familyRevoked", familyId, tokens);
+  }
+  /**
+   * Cleanup expired tokens
+   */
+  async cleanupExpiredTokens() {
+    const expiredTokens = await RefreshToken.query().where("expiresAt", "<", /* @__PURE__ */ new Date()).get();
+    for (const token of expiredTokens) {
+      authEvents.emit("token.expired", token);
+      await token.destroy();
+    }
+    authEvents.emit("cleanup.completed", expiredTokens.length);
+    return expiredTokens.length;
+  }
+  /**
+   * Enforce max refresh tokens per user
+   */
+  async enforceMaxRefreshTokens(user) {
+    const maxPerUser = core.config.key("auth.jwt.refresh.maxPerUser", 5);
+    const activeTokens = await RefreshToken.query().where("userId", user.id).where("userType", user.userType).where("revokedAt", null).orderBy("createdAt", "asc").get();
+    if (activeTokens.length >= maxPerUser) {
+      const tokensToRevoke = activeTokens.slice(0, activeTokens.length - maxPerUser + 1);
+      for (const token of tokensToRevoke) {
+        await token.revoke();
+      }
+    }
+  }
+  /**
+   * Get active sessions for user
+   */
+  async getActiveSessions(user) {
+    return RefreshToken.query().where("userId", user.id).where("userType", user.userType).where("revokedAt", null).where("expiresAt", ">", /* @__PURE__ */ new Date()).orderBy("createdAt", "desc").get();
+  }
+};
+var authService = new AuthService();
+
+// ../../warlock.js/auth/src/commands/auth-cleanup-command.ts
+function registerAuthCleanupCommand() {
+  return core.command({
+    name: "auth.cleanup",
+    description: "Remove expired refresh tokens from the database",
+    preload: {
+      env: true,
+      config: ["auth", "database"],
+      connectors: ["database"]
+    },
+    action: async () => {
+      console.log(copper.colors.cyan("\u{1F9F9} Cleaning up expired tokens..."));
+      const count = await authService.cleanupExpiredTokens();
+      if (count === 0) {
+        console.log(copper.colors.green("\u2705 No expired tokens found."));
+      } else {
+        console.log(copper.colors.green(`\u2705 Removed ${count} expired token(s).`));
+      }
+    }
+  });
+}
+async function generateJWTSecret() {
+  let envFile = core.rootPath(".env");
+  logger.log.info("jwt", "generating", "Generating JWT secrets");
+  const environmentMode = core.environment();
+  if (!await fs.fileExistsAsync(envFile)) {
+    const envFileType = environmentMode === "production" ? ".env.production" : ".env.development";
+    envFile = core.rootPath(envFileType);
+  }
+  if (!await fs.fileExistsAsync(envFile)) {
+    logger.log.error("jwt", "error", ".env file not found");
+    return;
+  }
+  let contents = await fs.getFileAsync(envFile);
+  const hasJwtSecret = contents.includes("JWT_SECRET");
+  const hasJwtRefreshSecret = contents.includes("JWT_REFRESH_SECRET");
+  if (hasJwtSecret && hasJwtRefreshSecret) {
+    logger.log.warn("jwt", "exists", "JWT secrets already exist in the .env file.");
+    return;
+  }
+  let secretsToAdd = "";
+  if (!hasJwtSecret) {
+    const jwtSecret = reinforcements.Random.string(32);
+    secretsToAdd += `
+# JWT Secret
+JWT_SECRET=${jwtSecret}
+`;
+    logger.log.success("jwt", "generated", "JWT_SECRET generated and added to the .env file.");
+  } else {
+    logger.log.info("jwt", "exists", "JWT_SECRET already exists in the .env file.");
+  }
+  if (!hasJwtRefreshSecret) {
+    const jwtRefreshSecret = reinforcements.Random.string(32);
+    secretsToAdd += `
+# JWT Refresh Secret
+JWT_REFRESH_SECRET=${jwtRefreshSecret}
+`;
+    logger.log.success("jwt", "generated", "JWT_REFRESH_SECRET generated and added to the .env file.");
+  } else {
+    logger.log.info("jwt", "exists", "JWT_REFRESH_SECRET already exists in the .env file.");
+  }
+  if (secretsToAdd) {
+    contents += secretsToAdd;
+    await fs.putFileAsync(envFile, contents);
+  }
+}
+
+// ../../warlock.js/auth/src/commands/jwt-secret-generator-command.ts
+function registerJWTSecretGeneratorCommand() {
+  return core.command({
+    name: "jwt.generate",
+    description: "Generate JWT Secret key in .env file",
+    action: generateJWTSecret
+  });
+}
+
+// ../../warlock.js/auth/src/utils/auth-error-codes.ts
+var AuthErrorCodes = /* @__PURE__ */ ((AuthErrorCodes2) => {
+  AuthErrorCodes2["MissingAccessToken"] = "EC001";
+  AuthErrorCodes2["InvalidAccessToken"] = "EC002";
+  AuthErrorCodes2["Unauthorized"] = "EC003";
+  return AuthErrorCodes2;
+})(AuthErrorCodes || {});
+
+// ../../warlock.js/auth/src/middleware/auth.middleware.ts
+function authMiddleware(allowedUserType) {
+  const allowedTypes = !allowedUserType ? [] : Array.isArray(allowedUserType) ? allowedUserType : [allowedUserType];
+  const auth = async (request, response) => {
+    try {
+      const authorizationValue = request.authorizationValue;
+      if (!allowedTypes.length && !authorizationValue) return;
+      if (!authorizationValue) {
+        return response.unauthorized({
+          error: core.t("auth.errors.missingAccessToken"),
+          errorCode: "EC001" /* MissingAccessToken */
+        });
+      }
+      const user = await jwt.verify(authorizationValue);
+      request.decodedAccessToken = user;
+      const accessToken = await AccessToken.first({
+        token: authorizationValue
+      });
+      if (!accessToken) {
+        return response.unauthorized({
+          error: core.t("auth.errors.invalidAccessToken"),
+          errorCode: "EC002" /* InvalidAccessToken */
+        });
+      }
+      const userType = user.userType || accessToken.get("userType");
+      if (allowedTypes.length && !allowedTypes.includes(userType)) {
+        return response.unauthorized({
+          error: core.t("auth.errors.unauthorized"),
+          errorCode: "EC003" /* Unauthorized */
+        });
+      }
+      const UserModel = core.config.key(`auth.userType.${userType}`);
+      if (!UserModel) {
+        throw new Error(`User type ${userType} is unknown type.`);
+      }
+      const currentUser = await UserModel.find(user.id);
+      if (!currentUser) {
+        accessToken.destroy();
+        return response.unauthorized({
+          error: core.t("auth.errors.invalidAccessToken"),
+          errorCode: "EC002" /* InvalidAccessToken */
+        });
+      }
+      accessToken.set("lastAccess", /* @__PURE__ */ new Date());
+      await accessToken.save({ skipEvents: true });
+      request.user = currentUser;
+    } catch (err) {
+      logger.log.error("http", "auth", err);
+      request.clearCurrentUser();
+      return response.unauthorized({
+        error: core.t("auth.errors.invalidAccessToken"),
+        errorCode: "EC002" /* InvalidAccessToken */
+      });
+    }
+  };
+  return auth;
+}
+var Auth = class extends cascade.Model {
+  /**
+   * Get access token payload
+   */
+  accessTokenPayload() {
+    return authService.buildAccessTokenPayload(this);
+  }
+  /**
+   * Create both access and refresh tokens
+   */
+  async createTokenPair(deviceInfo) {
+    return authService.createTokenPair(this, deviceInfo);
+  }
+  /**
+   * Generate access token
+   */
+  async generateAccessToken(data) {
+    return authService.generateAccessToken(this, data);
+  }
+  /**
+   * Generate refresh token
+   */
+  async generateRefreshToken(deviceInfo) {
+    return authService.createRefreshToken(this, deviceInfo);
+  }
+  /**
+   * Remove current access token
+   */
+  async removeAccessToken(token) {
+    return authService.removeAccessToken(this, token);
+  }
+  /**
+   * Revoke all tokens (logout from all devices)
+   */
+  async revokeAllTokens() {
+    return authService.revokeAllTokens(this);
+  }
+  /**
+   * Get active sessions
+   */
+  async activeSessions() {
+    return authService.getActiveSessions(this);
+  }
+  /**
+   * Attempt to login the user
+   */
+  static async attempt(data) {
+    return authService.attemptLogin(this, data);
+  }
+  /**
+   * Confirm password
+   */
+  confirmPassword(password) {
+    return authService.verifyPassword(this.string("password"), password);
+  }
+};
+function castPassword(value, column, model) {
+  return value ? password.hash(String(value), core.config.key("auth.password.salt", 12)) : model.getInitial(column);
+}
+
+exports.AccessToken = AccessToken;
+exports.Auth = Auth;
+exports.AuthErrorCodes = AuthErrorCodes;
+exports.NO_EXPIRATION = NO_EXPIRATION;
+exports.RefreshToken = RefreshToken;
+exports.authEvents = authEvents;
+exports.authMiddleware = authMiddleware;
+exports.authService = authService;
+exports.castPassword = castPassword;
+exports.generateJWTSecret = generateJWTSecret;
+exports.jwt = jwt;
+exports.parseExpirationToMs = parseExpirationToMs;
+exports.registerAuthCleanupCommand = registerAuthCleanupCommand;
+exports.registerJWTSecretGeneratorCommand = registerJWTSecretGeneratorCommand;
+exports.toJwtExpiresIn = toJwtExpiresIn;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map