npm - @warlock.js/auth - Versions diffs - 4.0.39 → 4.0.42 - Mend

@warlock.js/auth 4.0.39 → 4.0.42

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/esm/index.js CHANGED Viewed

@@ -1,8 +1,705 @@
-import {colors}from'@mongez/copper';import {config,command,rootPath,environment,t}from'@warlock.js/core';import {verify,hash}from'@mongez/password';import {Random}from'@mongez/reinforcements';import {migrate,Model}from'@warlock.js/cascade';import {v as v$1}from'@warlock.js/seal';import w from'@mongez/events';import {createVerifier,createSigner}from'fast-jwt';import {fileExistsAsync,getFileAsync,putFileAsync}from'@mongez/fs';import {log}from'@warlock.js/logger';var U=v$1.object({token:v$1.string().required(),lastAccess:v$1.date().default(()=>new Date),user:v$1.object({id:v$1.number().required(),userType:v$1.string()}).allowUnknown().required()}),l=class extends Model{static table="accessTokens";static schema=U};migrate(l,{name:"accessToken",up(){this.string("accessToken").index(),this.date("lastAccess");},down(){this.dropIndex("token");}});var $=v$1.object({token:v$1.string().required(),userId:v$1.number().required(),userType:v$1.string().required(),familyId:v$1.string().required(),expiresAt:v$1.date().required(),lastUsedAt:v$1.date().default(()=>new Date),revokedAt:v$1.date(),deviceInfo:v$1.record(v$1.any())}),u=class extends Model{static table="refreshTokens";static schema=$;get isExpired(){let e=this.get("expiresAt");return e?new Date>new Date(e):false}get isRevoked(){return !!this.get("revokedAt")}get isValid(){return !this.isExpired&&!this.isRevoked}async revoke(){return this.merge({revokedAt:new Date}).save()}async markAsUsed(){await this.merge({lastUsedAt:new Date}).save();}};var I=Symbol("NO_EXPIRATION");function b(t,e=36e5){if(t===void 0)return e;if(t!==I)return typeof t=="number"?t:typeof t=="string"?H(t):L(t)}function L(t){let e=0;return t.milliseconds&&(e+=t.milliseconds),t.seconds&&(e+=t.seconds*1e3),t.minutes&&(e+=t.minutes*60*1e3),t.hours&&(e+=t.hours*60*60*1e3),t.days&&(e+=t.days*24*60*60*1e3),t.weeks&&(e+=t.weeks*7*24*60*60*1e3),e}function H(t){let e=0,r=t.trim().split(/\s+/);for(let o of r){let n=o.match(/^(\d+(?:\.\d+)?)([smhdw])$/i);if(!n)continue;let s=parseFloat(n[1]);switch(n[2].toLowerCase()){case "s":e+=s*1e3;break;case "m":e+=s*60*1e3;break;case "h":e+=s*60*60*1e3;break;case "d":e+=s*24*60*60*1e3;break;case "w":e+=s*7*24*60*60*1e3;break}}return e||36e5}function S(t,e=36e5){let r=b(t,e);if(r!==void 0)return Math.floor(r/1e3)+"s"}var v="auth.",a={on(t,e){return w.subscribe(v+t,e)},subscribe(t,e){return this.on(t,e)},emit(t,...e){w.trigger(v+t,...e);},trigger(t,...e){this.emit(t,...e);},unsubscribeAll(){w.unsubscribeNamespace(v.slice(0,-1));},off(t){t?w.unsubscribe(v+t):this.unsubscribeAll();}};var j=()=>config.key("auth.jwt.secret"),g=()=>config.key("auth.jwt.algorithm"),M=()=>config.key("auth.jwt.refresh.secret"),X=()=>config.key("auth.jwt.refresh.expiresIn"),h={async generate(t,{key:e=j(),algorithm:r=g(),...o}={}){return createSigner({key:e,...o,algorithm:r})({...t})},async verify(t,{key:e=j(),algorithms:r=g()?[g()]:void 0,...o}={}){return await createVerifier({key:e,...o,algorithms:r})(t)},async generateRefreshToken(t,{key:e=M(),expiresIn:r=X(),algorithm:o=g(),...n}={}){return createSigner({key:e,expiresIn:r,algorithm:o,...n})({...t})},async verifyRefreshToken(t,{key:e=M(),algorithms:r=[g()],...o}={}){return await createVerifier({key:e,algorithms:r,...o})(t)}};var x=class{buildAccessTokenPayload(e){return {id:e.id,_id:e.get("_id"),userType:e.userType,createdAt:Date.now()}}async generateAccessToken(e,r){let o=r||this.buildAccessTokenPayload(e),n=config.key("auth.jwt.expiresIn"),s=S(n,36e5),i=s?await h.generate(o,{expiresIn:s}):await h.generate(o);return await l.create({token:i,user:o}),i}async createRefreshToken(e,r){let o=r?.familyId||Random.string(32),n=config.key("auth.jwt.refresh.expiresIn"),s=b(n,10080*60*1e3),i={userId:e.id,userType:e.userType,familyId:o},p=await h.generateRefreshToken(i);await this.enforceMaxRefreshTokens(e);let f=s?new Date(Date.now()+s):new Date(Date.now()+100*365*24*60*60*1e3);return u.create({token:p,userId:e.id,userType:e.userType,familyId:o,expiresAt:f,deviceInfo:r?{userAgent:r.userAgent,ip:r.ip,deviceId:r.deviceId}:void 0})}async createTokenPair(e,r){let o=await this.generateAccessToken(e,r?.payload),n=await this.createRefreshToken(e,r),s={accessToken:o,refreshToken:n.get("token"),expiresIn:config.key("auth.jwt.expiresIn","1h")};return a.emit("token.created",e,s),a.emit("session.created",e,n,r),s}async refreshTokens(e,r){try{let o=await h.verifyRefreshToken(e);if(!o)return null;let n=await u.first({token:e});if(!n?.isValid)return n&&await this.revokeTokenFamily(n.get("familyId")),null;let s=config.key(`auth.userType.${o.userType}`);if(!s)return null;let i=await s.find(o.userId);if(!i)return null;config.key("auth.jwt.refresh.rotation",!0)?await n.revoke():await n.markAsUsed();let f=await this.createTokenPair(i,{...r,familyId:n.get("familyId")});return a.emit("token.refreshed",i,f,n),f}catch{return null}}verifyPassword(e,r){return verify(String(e),String(r))}hashPassword(e){return hash(String(e),config.key("auth.password.salt",12))}async attemptLogin(e,r){let{password:o,...n}=r;a.emit("login.attempt",n);let s=await e.first(n);return s?this.verifyPassword(s.string("password"),o)?s:(a.emit("login.failed",n,"Invalid password"),null):(a.emit("login.failed",n,"User not found"),null)}async login(e,r,o){let n=await this.attemptLogin(e,r);if(!n)return null;if(!config.key("auth.jwt.refresh.enabled",true)){let i=await this.generateAccessToken(n,o?.payload);return {user:n,accessToken:i}}let s=await this.createTokenPair(n,o);return a.emit("login.success",n,s,o),{user:n,tokens:s}}async logout(e,r,o){if(r&&await this.removeAccessToken(e,r),o){let n=await u.first({token:o,userId:e.id});n&&(await n.revoke(),a.emit("session.destroyed",e,n));}else {if(config.key("auth.jwt.refresh.logoutWithoutToken","revoke-all")==="error")throw new Error("Refresh token required for logout");await this.revokeAllTokens(e),a.emit("logout.failsafe",e);}a.emit("logout",e);}async removeAccessToken(e,r){l.delete({token:r,"user.id":e.id});}async revokeAllTokens(e){let r=await u.query().where("userId",e.id).where("userType",e.userType).where("revokedAt",null).get();for(let o of r)await o.revoke(),a.emit("token.revoked",e,o);await l.delete({"user.id":e.id,"user.userType":e.userType}),a.emit("logout.all",e);}async revokeTokenFamily(e){let r=await u.query().where("familyId",e).where("revokedAt",null).get();for(let o of r)await o.revoke();a.emit("token.familyRevoked",e,r);}async cleanupExpiredTokens(){let e=await u.query().where("expiresAt","<",new Date).get();for(let r of e)a.emit("token.expired",r),await r.destroy();return a.emit("cleanup.completed",e.length),e.length}async enforceMaxRefreshTokens(e){let r=config.key("auth.jwt.refresh.maxPerUser",5),o=await u.query().where("userId",e.id).where("userType",e.userType).where("revokedAt",null).orderBy("createdAt","asc").get();if(o.length>=r){let n=o.slice(0,o.length-r+1);for(let s of n)await s.revoke();}}async getActiveSessions(e){return u.query().where("userId",e.id).where("userType",e.userType).where("revokedAt",null).where("expiresAt",">",new Date).orderBy("createdAt","desc").get()}},c=new x;function ze(){return command({name:"auth.cleanup",description:"Remove expired refresh tokens from the database",preload:{env:true,config:["auth","database"],connectors:["database"]},action:async()=>{console.log(colors.cyan("\u{1F9F9} Cleaning up expired tokens..."));let t=await c.cleanupExpiredTokens();console.log(t===0?colors.green("\u2705 No expired tokens found."):colors.green(`\u2705 Removed ${t} expired token(s).`));}})}async function N(){let t=rootPath(".env");log.info("jwt","generating","Generating JWT secrets");let e=environment();if(await fileExistsAsync(t)||(t=rootPath(e==="production"?".env.production":".env.development")),!await fileExistsAsync(t)){log.error("jwt","error",".env file not found");return}let r=await getFileAsync(t),o=r.includes("JWT_SECRET"),n=r.includes("JWT_REFRESH_SECRET");if(o&&n){log.warn("jwt","exists","JWT secrets already exist in the .env file.");return}let s="";if(o)log.info("jwt","exists","JWT_SECRET already exists in the .env file.");else {let i=Random.string(32);s+=`
+import { colors } from '@mongez/copper';
+import { config, command, rootPath, environment, t } from '@warlock.js/core';
+import { verify, hash } from '@mongez/password';
+import { Random } from '@mongez/reinforcements';
+import { migrate, Model } from '@warlock.js/cascade';
+import { v } from '@warlock.js/seal';
+import events from '@mongez/events';
+import { createVerifier, createSigner } from 'fast-jwt';
+import { fileExistsAsync, getFileAsync, putFileAsync } from '@mongez/fs';
+import { log } from '@warlock.js/logger';
+// ../../warlock.js/auth/src/commands/auth-cleanup-command.ts
+var accessTokenSchema = v.object({
+  token: v.string().required(),
+  lastAccess: v.date().default(() => /* @__PURE__ */ new Date()),
+  user: v.object({
+    id: v.number().required(),
+    userType: v.string()
+  }).allowUnknown().required()
+});
+var AccessToken = class extends Model {
+  /**
+   * {@inheritDoc}
+   */
+  static table = "accessTokens";
+  static schema = accessTokenSchema;
+};
+migrate(AccessToken, {
+  name: "accessToken",
+  up() {
+    this.string("accessToken").index();
+    this.date("lastAccess");
+  },
+  down() {
+    this.dropIndex("token");
+  }
+});
+var refreshTokenSchema = v.object({
+  token: v.string().required(),
+  userId: v.number().required(),
+  userType: v.string().required(),
+  familyId: v.string().required(),
+  expiresAt: v.date().required(),
+  lastUsedAt: v.date().default(() => /* @__PURE__ */ new Date()),
+  revokedAt: v.date(),
+  deviceInfo: v.record(v.any())
+});
+var RefreshToken = class extends Model {
+  /**
+   * {@inheritDoc}
+   */
+  static table = "refreshTokens";
+  /**
+   * {@inheritDoc}
+   */
+  static schema = refreshTokenSchema;
+  /**
+   * Check if token is expired
+   */
+  get isExpired() {
+    const expiresAt = this.get("expiresAt");
+    if (!expiresAt) return false;
+    return /* @__PURE__ */ new Date() > new Date(expiresAt);
+  }
+  /**
+   * Check if token is revoked
+   */
+  get isRevoked() {
+    return !!this.get("revokedAt");
+  }
+  /**
+   * Check if token is valid (not expired and not revoked)
+   */
+  get isValid() {
+    return !this.isExpired && !this.isRevoked;
+  }
+  /**
+   * Revoke this token
+   */
+  async revoke() {
+    return this.merge({ revokedAt: /* @__PURE__ */ new Date() }).save();
+  }
+  /**
+   * Mark token as used (update lastUsedAt)
+   */
+  async markAsUsed() {
+    await this.merge({ lastUsedAt: /* @__PURE__ */ new Date() }).save();
+  }
+};
+// ../../warlock.js/auth/src/contracts/types.ts
+var NO_EXPIRATION = /* @__PURE__ */ Symbol("NO_EXPIRATION");
+// ../../warlock.js/auth/src/utils/duration.ts
+function parseExpirationToMs(expiration, defaultMs = 36e5) {
+  if (expiration === void 0) {
+    return defaultMs;
+  }
+  if (expiration === NO_EXPIRATION) {
+    return void 0;
+  }
+  if (typeof expiration === "number") {
+    return expiration;
+  }
+  if (typeof expiration === "string") {
+    return parseStringDuration(expiration);
+  }
+  return parseDurationObject(expiration);
+}
+function parseDurationObject(duration) {
+  let ms = 0;
+  if (duration.milliseconds) ms += duration.milliseconds;
+  if (duration.seconds) ms += duration.seconds * 1e3;
+  if (duration.minutes) ms += duration.minutes * 60 * 1e3;
+  if (duration.hours) ms += duration.hours * 60 * 60 * 1e3;
+  if (duration.days) ms += duration.days * 24 * 60 * 60 * 1e3;
+  if (duration.weeks) ms += duration.weeks * 7 * 24 * 60 * 60 * 1e3;
+  return ms;
+}
+function parseStringDuration(str) {
+  let totalMs = 0;
+  const parts = str.trim().split(/\s+/);
+  for (const part of parts) {
+    const match = part.match(/^(\d+(?:\.\d+)?)([smhdw])$/i);
+    if (!match) continue;
+    const value = parseFloat(match[1]);
+    const unit = match[2].toLowerCase();
+    switch (unit) {
+      case "s":
+        totalMs += value * 1e3;
+        break;
+      case "m":
+        totalMs += value * 60 * 1e3;
+        break;
+      case "h":
+        totalMs += value * 60 * 60 * 1e3;
+        break;
+      case "d":
+        totalMs += value * 24 * 60 * 60 * 1e3;
+        break;
+      case "w":
+        totalMs += value * 7 * 24 * 60 * 60 * 1e3;
+        break;
+    }
+  }
+  return totalMs || 36e5;
+}
+function toJwtExpiresIn(expiration, defaultMs = 36e5) {
+  const ms = parseExpirationToMs(expiration, defaultMs);
+  if (ms === void 0) return void 0;
+  return Math.floor(ms / 1e3) + "s";
+}
+var AUTH_EVENT_PREFIX = "auth.";
+var authEvents = {
+  /**
+   * Subscribe to an auth event
+   */
+  on(event, callback) {
+    return events.subscribe(AUTH_EVENT_PREFIX + event, callback);
+  },
+  /**
+   * Subscribe to an auth event (alias for `on`)
+   */
+  subscribe(event, callback) {
+    return this.on(event, callback);
+  },
+  /**
+   * Emit an auth event
+   */
+  emit(event, ...args) {
+    events.trigger(AUTH_EVENT_PREFIX + event, ...args);
+  },
+  /**
+   * Emit an auth event (alias for `emit`)
+   */
+  trigger(event, ...args) {
+    this.emit(event, ...args);
+  },
+  /**
+   * Unsubscribe from all auth events
+   */
+  unsubscribeAll() {
+    events.unsubscribeNamespace(AUTH_EVENT_PREFIX.slice(0, -1));
+  },
+  /**
+   * Unsubscribe from a specific auth event
+   */
+  off(event) {
+    if (event) {
+      events.unsubscribe(AUTH_EVENT_PREFIX + event);
+    } else {
+      this.unsubscribeAll();
+    }
+  }
+};
+var getSecretKey = () => config.key("auth.jwt.secret");
+var getAlgorithm = () => config.key("auth.jwt.algorithm");
+var getRefreshSecretKey = () => config.key("auth.jwt.refresh.secret");
+var getRefreshTokenValidity = () => config.key("auth.jwt.refresh.expiresIn");
+var jwt = {
+  /**
+   * Generate a new JWT token for the user.
+   * @param payload The payload to encode in the JWT token.
+   */
+  async generate(payload, {
+    key = getSecretKey(),
+    algorithm = getAlgorithm(),
+    ...options
+  } = {}) {
+    const sign = createSigner({ key, ...options, algorithm });
+    return sign({ ...payload });
+  },
+  /**
+   * Verify the given token.
+   * @param token The JWT token to verify.
+   * @returns The decoded token payload if verification is successful.
+   */
+  async verify(token, {
+    key = getSecretKey(),
+    algorithms = getAlgorithm() ? [getAlgorithm()] : void 0,
+    ...options
+  } = {}) {
+    const verify2 = createVerifier({ key, ...options, algorithms });
+    return await verify2(token);
+  },
+  /**
+   * Generate a new refresh token for the user.
+   */
+  async generateRefreshToken(payload, {
+    key = getRefreshSecretKey(),
+    expiresIn = getRefreshTokenValidity(),
+    algorithm = getAlgorithm(),
+    ...options
+  } = {}) {
+    const sign = createSigner({ key, expiresIn, algorithm, ...options });
+    return sign({ ...payload });
+  },
+  /**
+   * Verify the given refresh token.
+   */
+  async verifyRefreshToken(token, {
+    key = getRefreshSecretKey(),
+    algorithms = [getAlgorithm()],
+    ...options
+  } = {}) {
+    const verify2 = createVerifier({ key, algorithms, ...options });
+    return await verify2(token);
+  }
+};
+// ../../warlock.js/auth/src/services/auth.service.ts
+var AuthService = class {
+  /**
+   * Build access token payload from user
+   */
+  buildAccessTokenPayload(user) {
+    return {
+      id: user.id,
+      _id: user.get("_id"),
+      userType: user.userType,
+      createdAt: Date.now()
+    };
+  }
+  /**
+   * Generate access token for user
+   */
+  async generateAccessToken(user, payload) {
+    const data = payload || this.buildAccessTokenPayload(user);
+    const expiresInConfig = config.key("auth.jwt.expiresIn");
+    const expiresIn = toJwtExpiresIn(expiresInConfig, 36e5);
+    const token = expiresIn ? await jwt.generate(data, { expiresIn }) : await jwt.generate(data);
+    await AccessToken.create({
+      token,
+      user: data
+    });
+    return token;
+  }
+  /**
+   * Create refresh token for user
+   */
+  async createRefreshToken(user, deviceInfo) {
+    const familyId = deviceInfo?.familyId || Random.string(32);
+    const expiresInConfig = config.key("auth.jwt.refresh.expiresIn");
+    const expiresInMs = parseExpirationToMs(expiresInConfig, 7 * 24 * 60 * 60 * 1e3);
+    const payload = {
+      userId: user.id,
+      userType: user.userType,
+      familyId
+    };
+    const token = await jwt.generateRefreshToken(payload);
+    await this.enforceMaxRefreshTokens(user);
+    const expiresAt = expiresInMs ? new Date(Date.now() + expiresInMs) : new Date(Date.now() + 100 * 365 * 24 * 60 * 60 * 1e3);
+    return RefreshToken.create({
+      token,
+      userId: user.id,
+      userType: user.userType,
+      familyId,
+      expiresAt,
+      deviceInfo: deviceInfo ? {
+        userAgent: deviceInfo.userAgent,
+        ip: deviceInfo.ip,
+        deviceId: deviceInfo.deviceId
+      } : void 0
+    });
+  }
+  /**
+   * Create both access and refresh tokens
+   */
+  async createTokenPair(user, deviceInfo) {
+    const accessToken = await this.generateAccessToken(user, deviceInfo?.payload);
+    const refreshToken = await this.createRefreshToken(user, deviceInfo);
+    const tokenPair = {
+      accessToken,
+      refreshToken: refreshToken.get("token"),
+      expiresIn: config.key("auth.jwt.expiresIn", "1h")
+    };
+    authEvents.emit("token.created", user, tokenPair);
+    authEvents.emit("session.created", user, refreshToken, deviceInfo);
+    return tokenPair;
+  }
+  /**
+   * Refresh tokens using a refresh token
+   */
+  async refreshTokens(refreshTokenString, deviceInfo) {
+    try {
+      const decoded = await jwt.verifyRefreshToken(refreshTokenString);
+      if (!decoded) return null;
+      const refreshToken = await RefreshToken.first({ token: refreshTokenString });
+      if (!refreshToken?.isValid) {
+        if (refreshToken) {
+          await this.revokeTokenFamily(refreshToken.get("familyId"));
+        }
+        return null;
+      }
+      const UserModel = config.key(`auth.userType.${decoded.userType}`);
+      if (!UserModel) return null;
+      const user = await UserModel.find(decoded.userId);
+      if (!user) return null;
+      const rotationEnabled = config.key("auth.jwt.refresh.rotation", true);
+      if (rotationEnabled) {
+        await refreshToken.revoke();
+      } else {
+        await refreshToken.markAsUsed();
+      }
+      const newTokenPair = await this.createTokenPair(user, {
+        ...deviceInfo,
+        familyId: refreshToken.get("familyId")
+      });
+      authEvents.emit("token.refreshed", user, newTokenPair, refreshToken);
+      return newTokenPair;
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Verify password
+   */
+  verifyPassword(hashedPassword, plainPassword) {
+    return verify(String(hashedPassword), String(plainPassword));
+  }
+  /**
+   * Hash password
+   */
+  hashPassword(password) {
+    return hash(String(password), config.key("auth.password.salt", 12));
+  }
+  /**
+   * Attempt to login user with given credentials
+   */
+  async attemptLogin(Model4, data) {
+    const { password, ...otherData } = data;
+    authEvents.emit("login.attempt", otherData);
+    const user = await Model4.first(otherData);
+    if (!user) {
+      authEvents.emit("login.failed", otherData, "User not found");
+      return null;
+    }
+    if (!this.verifyPassword(user.string("password"), password)) {
+      authEvents.emit("login.failed", otherData, "Invalid password");
+      return null;
+    }
+    return user;
+  }
+  /**
+   * Full login flow: validate credentials, create tokens, emit events
+   * Returns token pair on success, null on failure
+   */
+  async login(Model4, credentials, deviceInfo) {
+    const user = await this.attemptLogin(Model4, credentials);
+    if (!user) {
+      return null;
+    }
+    if (!config.key("auth.jwt.refresh.enabled", true)) {
+      const accessToken = await this.generateAccessToken(user, deviceInfo?.payload);
+      return { user, accessToken };
+    }
+    const tokens = await this.createTokenPair(user, deviceInfo);
+    authEvents.emit("login.success", user, tokens, deviceInfo);
+    return { user, tokens };
+  }
+  /**
+   * Logout user
+   * @param user - The authenticated user
+   * @param accessToken - Optional access token string to revoke
+   * @param refreshToken - Optional refresh token string to revoke
+   * If refresh token is not provided, behavior is determined by config:
+   * - "revoke-all" (default): Revoke ALL refresh tokens for security
+   * - "error": Throw error requiring refresh token
+   */
+  async logout(user, accessToken, refreshToken) {
+    if (accessToken) {
+      await this.removeAccessToken(user, accessToken);
+    }
+    if (refreshToken) {
+      const token = await RefreshToken.first({
+        token: refreshToken,
+        userId: user.id
+        // Security: ensure token belongs to this user
+      });
+      if (token) {
+        await token.revoke();
+        authEvents.emit("session.destroyed", user, token);
+      }
+    } else {
+      const behavior = config.key("auth.jwt.refresh.logoutWithoutToken", "revoke-all");
+      if (behavior === "error") {
+        throw new Error("Refresh token required for logout");
+      }
+      await this.revokeAllTokens(user);
+      authEvents.emit("logout.failsafe", user);
+    }
+    authEvents.emit("logout", user);
+  }
+  /**
+   * Remove specific access token
+   */
+  async removeAccessToken(user, token) {
+    AccessToken.delete({
+      token,
+      "user.id": user.id
+    });
+  }
+  /**
+   * Revoke all tokens for a user
+   */
+  async revokeAllTokens(user) {
+    const refreshTokens = await RefreshToken.query().where("userId", user.id).where("userType", user.userType).where("revokedAt", null).get();
+    for (const token of refreshTokens) {
+      await token.revoke();
+      authEvents.emit("token.revoked", user, token);
+    }
+    await AccessToken.delete({
+      "user.id": user.id,
+      "user.userType": user.userType
+    });
+    authEvents.emit("logout.all", user);
+  }
+  /**
+   * Revoke entire token family (for rotation breach detection)
+   */
+  async revokeTokenFamily(familyId) {
+    const tokens = await RefreshToken.query().where("familyId", familyId).where("revokedAt", null).get();
+    for (const token of tokens) {
+      await token.revoke();
+    }
+    authEvents.emit("token.familyRevoked", familyId, tokens);
+  }
+  /**
+   * Cleanup expired tokens
+   */
+  async cleanupExpiredTokens() {
+    const expiredTokens = await RefreshToken.query().where("expiresAt", "<", /* @__PURE__ */ new Date()).get();
+    for (const token of expiredTokens) {
+      authEvents.emit("token.expired", token);
+      await token.destroy();
+    }
+    authEvents.emit("cleanup.completed", expiredTokens.length);
+    return expiredTokens.length;
+  }
+  /**
+   * Enforce max refresh tokens per user
+   */
+  async enforceMaxRefreshTokens(user) {
+    const maxPerUser = config.key("auth.jwt.refresh.maxPerUser", 5);
+    const activeTokens = await RefreshToken.query().where("userId", user.id).where("userType", user.userType).where("revokedAt", null).orderBy("createdAt", "asc").get();
+    if (activeTokens.length >= maxPerUser) {
+      const tokensToRevoke = activeTokens.slice(0, activeTokens.length - maxPerUser + 1);
+      for (const token of tokensToRevoke) {
+        await token.revoke();
+      }
+    }
+  }
+  /**
+   * Get active sessions for user
+   */
+  async getActiveSessions(user) {
+    return RefreshToken.query().where("userId", user.id).where("userType", user.userType).where("revokedAt", null).where("expiresAt", ">", /* @__PURE__ */ new Date()).orderBy("createdAt", "desc").get();
+  }
+};
+var authService = new AuthService();
+// ../../warlock.js/auth/src/commands/auth-cleanup-command.ts
+function registerAuthCleanupCommand() {
+  return command({
+    name: "auth.cleanup",
+    description: "Remove expired refresh tokens from the database",
+    preload: {
+      env: true,
+      config: ["auth", "database"],
+      connectors: ["database"]
+    },
+    action: async () => {
+      console.log(colors.cyan("\u{1F9F9} Cleaning up expired tokens..."));
+      const count = await authService.cleanupExpiredTokens();
+      if (count === 0) {
+        console.log(colors.green("\u2705 No expired tokens found."));
+      } else {
+        console.log(colors.green(`\u2705 Removed ${count} expired token(s).`));
+      }
+    }
+  });
+}
+async function generateJWTSecret() {
+  let envFile = rootPath(".env");
+  log.info("jwt", "generating", "Generating JWT secrets");
+  const environmentMode = environment();
+  if (!await fileExistsAsync(envFile)) {
+    const envFileType = environmentMode === "production" ? ".env.production" : ".env.development";
+    envFile = rootPath(envFileType);
+  }
+  if (!await fileExistsAsync(envFile)) {
+    log.error("jwt", "error", ".env file not found");
+    return;
+  }
+  let contents = await getFileAsync(envFile);
+  const hasJwtSecret = contents.includes("JWT_SECRET");
+  const hasJwtRefreshSecret = contents.includes("JWT_REFRESH_SECRET");
+  if (hasJwtSecret && hasJwtRefreshSecret) {
+    log.warn("jwt", "exists", "JWT secrets already exist in the .env file.");
+    return;
+  }
+  let secretsToAdd = "";
+  if (!hasJwtSecret) {
+    const jwtSecret = Random.string(32);
+    secretsToAdd += `
 # JWT Secret
-JWT_SECRET=${i}
-`,log.success("jwt","generated","JWT_SECRET generated and added to the .env file.");}if(n)log.info("jwt","exists","JWT_REFRESH_SECRET already exists in the .env file.");else {let i=Random.string(32);s+=`
+JWT_SECRET=${jwtSecret}
+`;
+    log.success("jwt", "generated", "JWT_SECRET generated and added to the .env file.");
+  } else {
+    log.info("jwt", "exists", "JWT_SECRET already exists in the .env file.");
+  }
+  if (!hasJwtRefreshSecret) {
+    const jwtRefreshSecret = Random.string(32);
+    secretsToAdd += `
 # JWT Refresh Secret
-JWT_REFRESH_SECRET=${i}
-`,log.success("jwt","generated","JWT_REFRESH_SECRET generated and added to the .env file.");}s&&(r+=s,await putFileAsync(t,r));}function Qe(){return command({name:"jwt.generate",description:"Generate JWT Secret key in .env file",action:N})}var O=(o=>(o.MissingAccessToken="EC001",o.InvalidAccessToken="EC002",o.Unauthorized="EC003",o))(O||{});function ct(t$1){let e=t$1?Array.isArray(t$1)?t$1:[t$1]:[];return async(o,n)=>{try{let s=o.authorizationValue;if(!e.length&&!s)return;if(!s)return n.unauthorized({error:t("auth.errors.missingAccessToken"),errorCode:"EC001"});let i=await h.verify(s);o.decodedAccessToken=i;let p=await l.first({token:s});if(!p)return n.unauthorized({error:t("auth.errors.invalidAccessToken"),errorCode:"EC002"});let f=i.userType||p.get("userType");if(e.length&&!e.includes(f))return n.unauthorized({error:t("auth.errors.unauthorized"),errorCode:"EC003"});let E=config.key(`auth.userType.${f}`);if(!E)throw new Error(`User type ${f} is unknown type.`);let R=await E.find(i.id);if(!R)return p.destroy(),n.unauthorized({error:t("auth.errors.invalidAccessToken"),errorCode:"EC002"});p.set("lastAccess",new Date),await p.save({skipEvents:!0}),o.user=R;}catch(s){return log.error("http","auth",s),o.clearCurrentUser(),n.unauthorized({error:t("auth.errors.invalidAccessToken"),errorCode:"EC002"})}}}var q=class extends Model{accessTokenPayload(){return c.buildAccessTokenPayload(this)}async createTokenPair(e){return c.createTokenPair(this,e)}async generateAccessToken(e){return c.generateAccessToken(this,e)}async generateRefreshToken(e){return c.createRefreshToken(this,e)}async removeAccessToken(e){return c.removeAccessToken(this,e)}async revokeAllTokens(){return c.revokeAllTokens(this)}async activeSessions(){return c.getActiveSessions(this)}static async attempt(e){return c.attemptLogin(this,e)}confirmPassword(e){return c.verifyPassword(this.string("password"),e)}};function At(t,e,r){return t?hash(String(t),config.key("auth.password.salt",12)):r.getInitial(e)}export{l as AccessToken,q as Auth,O as AuthErrorCodes,I as NO_EXPIRATION,u as RefreshToken,a as authEvents,ct as authMiddleware,c as authService,At as castPassword,N as generateJWTSecret,h as jwt,b as parseExpirationToMs,ze as registerAuthCleanupCommand,Qe as registerJWTSecretGeneratorCommand,S as toJwtExpiresIn};//# sourceMappingURL=index.js.map
+JWT_REFRESH_SECRET=${jwtRefreshSecret}
+`;
+    log.success("jwt", "generated", "JWT_REFRESH_SECRET generated and added to the .env file.");
+  } else {
+    log.info("jwt", "exists", "JWT_REFRESH_SECRET already exists in the .env file.");
+  }
+  if (secretsToAdd) {
+    contents += secretsToAdd;
+    await putFileAsync(envFile, contents);
+  }
+}
+// ../../warlock.js/auth/src/commands/jwt-secret-generator-command.ts
+function registerJWTSecretGeneratorCommand() {
+  return command({
+    name: "jwt.generate",
+    description: "Generate JWT Secret key in .env file",
+    action: generateJWTSecret
+  });
+}
+// ../../warlock.js/auth/src/utils/auth-error-codes.ts
+var AuthErrorCodes = /* @__PURE__ */ ((AuthErrorCodes2) => {
+  AuthErrorCodes2["MissingAccessToken"] = "EC001";
+  AuthErrorCodes2["InvalidAccessToken"] = "EC002";
+  AuthErrorCodes2["Unauthorized"] = "EC003";
+  return AuthErrorCodes2;
+})(AuthErrorCodes || {});
+// ../../warlock.js/auth/src/middleware/auth.middleware.ts
+function authMiddleware(allowedUserType) {
+  const allowedTypes = !allowedUserType ? [] : Array.isArray(allowedUserType) ? allowedUserType : [allowedUserType];
+  const auth = async (request, response) => {
+    try {
+      const authorizationValue = request.authorizationValue;
+      if (!allowedTypes.length && !authorizationValue) return;
+      if (!authorizationValue) {
+        return response.unauthorized({
+          error: t("auth.errors.missingAccessToken"),
+          errorCode: "EC001" /* MissingAccessToken */
+        });
+      }
+      const user = await jwt.verify(authorizationValue);
+      request.decodedAccessToken = user;
+      const accessToken = await AccessToken.first({
+        token: authorizationValue
+      });
+      if (!accessToken) {
+        return response.unauthorized({
+          error: t("auth.errors.invalidAccessToken"),
+          errorCode: "EC002" /* InvalidAccessToken */
+        });
+      }
+      const userType = user.userType || accessToken.get("userType");
+      if (allowedTypes.length && !allowedTypes.includes(userType)) {
+        return response.unauthorized({
+          error: t("auth.errors.unauthorized"),
+          errorCode: "EC003" /* Unauthorized */
+        });
+      }
+      const UserModel = config.key(`auth.userType.${userType}`);
+      if (!UserModel) {
+        throw new Error(`User type ${userType} is unknown type.`);
+      }
+      const currentUser = await UserModel.find(user.id);
+      if (!currentUser) {
+        accessToken.destroy();
+        return response.unauthorized({
+          error: t("auth.errors.invalidAccessToken"),
+          errorCode: "EC002" /* InvalidAccessToken */
+        });
+      }
+      accessToken.set("lastAccess", /* @__PURE__ */ new Date());
+      await accessToken.save({ skipEvents: true });
+      request.user = currentUser;
+    } catch (err) {
+      log.error("http", "auth", err);
+      request.clearCurrentUser();
+      return response.unauthorized({
+        error: t("auth.errors.invalidAccessToken"),
+        errorCode: "EC002" /* InvalidAccessToken */
+      });
+    }
+  };
+  return auth;
+}
+var Auth = class extends Model {
+  /**
+   * Get access token payload
+   */
+  accessTokenPayload() {
+    return authService.buildAccessTokenPayload(this);
+  }
+  /**
+   * Create both access and refresh tokens
+   */
+  async createTokenPair(deviceInfo) {
+    return authService.createTokenPair(this, deviceInfo);
+  }
+  /**
+   * Generate access token
+   */
+  async generateAccessToken(data) {
+    return authService.generateAccessToken(this, data);
+  }
+  /**
+   * Generate refresh token
+   */
+  async generateRefreshToken(deviceInfo) {
+    return authService.createRefreshToken(this, deviceInfo);
+  }
+  /**
+   * Remove current access token
+   */
+  async removeAccessToken(token) {
+    return authService.removeAccessToken(this, token);
+  }
+  /**
+   * Revoke all tokens (logout from all devices)
+   */
+  async revokeAllTokens() {
+    return authService.revokeAllTokens(this);
+  }
+  /**
+   * Get active sessions
+   */
+  async activeSessions() {
+    return authService.getActiveSessions(this);
+  }
+  /**
+   * Attempt to login the user
+   */
+  static async attempt(data) {
+    return authService.attemptLogin(this, data);
+  }
+  /**
+   * Confirm password
+   */
+  confirmPassword(password) {
+    return authService.verifyPassword(this.string("password"), password);
+  }
+};
+function castPassword(value, column, model) {
+  return value ? hash(String(value), config.key("auth.password.salt", 12)) : model.getInitial(column);
+}
+export { AccessToken, Auth, AuthErrorCodes, NO_EXPIRATION, RefreshToken, authEvents, authMiddleware, authService, castPassword, generateJWTSecret, jwt, parseExpirationToMs, registerAuthCleanupCommand, registerJWTSecretGeneratorCommand, toJwtExpiresIn };
+//# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map