alepha 0.14.1 → 0.14.3

package/dist/api/users/index.js

@@ -2,20 +2,21 @@ import { $atom, $context, $hook, $inject, $module, Alepha, AlephaError, t } from
 import { $notification, AlephaApiNotifications } from "alepha/api/notifications";
 import { AlephaApiVerification } from "alepha/api/verifications";
 import { AlephaEmail } from "alepha/email";
-import { $entity, $repository, pageQuerySchema, parseQueryString, pg } from "alepha/orm";
+import { AlephaServerCompress } from "alepha/server/compress";
+import { AlephaServerHelmet } from "alepha/server/helmet";
 import { $action, BadRequestError, ConflictError, HttpError, UnauthorizedError, okSchema } from "alepha/server";
+import { $entity, $repository, db, pageQuerySchema, parseQueryString } from "alepha/orm";
+import { AlephaApiAudits, AuditService } from "alepha/api/audits";
 import { $logger } from "alepha/logger";
 import { $bucket } from "alepha/bucket";
+import { $client } from "alepha/server/links";
 import { randomInt, randomUUID } from "node:crypto";
 import { $cache } from "alepha/cache";
 import { DateTimeProvider } from "alepha/datetime";
 import { $realm, CryptoProvider, InvalidCredentialsError, SecurityProvider } from "alepha/security";
-import { $client } from "alepha/server/links";
 import { $authCredentials, $authGithub, $authGoogle, ServerAuthProvider, authenticationProviderSchema } from "alepha/server/auth";
 import { FileSystemProvider } from "alepha/file";
-import { AlephaApiAudits } from "alepha/api/audits";
 import { AlephaApiFiles } from "alepha/api/files";
-import { AlephaApiJobs } from "alepha/api/jobs";
 
 //#region ../../src/api/users/schemas/identityQuerySchema.ts
 const identityQuerySchema = t.extend(pageQuerySchema, {
@@ -29,11 +30,11 @@ const DEFAULT_USER_REALM_NAME = "default";
 const users = $entity({
 	name: "users",
 	schema: t.object({
-		id: pg.primaryKey(t.uuid()),
-		version: pg.version(),
-		createdAt: pg.createdAt(),
-		updatedAt: pg.updatedAt(),
-		realm: pg.default(t.text(), DEFAULT_USER_REALM_NAME),
+		id: db.primaryKey(t.uuid()),
+		version: db.version(),
+		createdAt: db.createdAt(),
+		updatedAt: db.updatedAt(),
+		realm: db.default(t.text(), DEFAULT_USER_REALM_NAME),
 		username: t.optional(t.shortText({
 			minLength: 3,
 			maxLength: 50,
@@ -41,12 +42,12 @@ const users = $entity({
 		})),
 		email: t.optional(t.string({ format: "email" })),
 		phoneNumber: t.optional(t.e164()),
-		roles: pg.default(t.array(t.string()), []),
+		roles: db.default(t.array(t.string()), []),
 		firstName: t.optional(t.string()),
 		lastName: t.optional(t.string()),
 		picture: t.optional(t.string()),
-		enabled: pg.default(t.boolean(), true),
-		emailVerified: pg.default(t.boolean(), false)
+		enabled: db.default(t.boolean(), true),
+		emailVerified: db.default(t.boolean(), false)
 	}),
 	indexes: [
 		{
@@ -69,11 +70,11 @@ const users = $entity({
 const identities = $entity({
 	name: "identities",
 	schema: t.object({
-		id: pg.primaryKey(t.uuid()),
-		version: pg.version(),
-		createdAt: pg.createdAt(),
-		updatedAt: pg.updatedAt(),
-		userId: pg.ref(t.uuid(), () => users.cols.id),
+		id: db.primaryKey(t.uuid()),
+		version: db.version(),
+		createdAt: db.createdAt(),
+		updatedAt: db.updatedAt(),
+		userId: db.ref(t.uuid(), () => users.cols.id),
 		password: t.optional(t.text()),
 		provider: t.text(),
 		providerUserId: t.optional(t.text()),
@@ -145,12 +146,12 @@ const realmAuthSettingsAtom = $atom({
 const sessions = $entity({
 	name: "sessions",
 	schema: t.object({
-		id: pg.primaryKey(t.uuid()),
-		version: pg.version(),
-		createdAt: pg.createdAt(),
-		updatedAt: pg.updatedAt(),
+		id: db.primaryKey(t.uuid()),
+		version: db.version(),
+		createdAt: db.createdAt(),
+		updatedAt: db.updatedAt(),
 		refreshToken: t.uuid(),
-		userId: pg.ref(t.uuid(), () => users.cols.id),
+		userId: db.ref(t.uuid(), () => users.cols.id),
 		expiresAt: t.datetime(),
 		ip: t.optional(t.text()),
 		userAgent: t.optional(t.object({
@@ -240,6 +241,7 @@ var UserRealmProvider = class {
 var IdentityService = class {
 	log = $logger();
 	userRealmProvider = $inject(UserRealmProvider);
+	auditService = $inject(AuditService);
 	identities(userRealmName) {
 		return this.userRealmProvider.identityRepository(userRealmName);
 	}
@@ -293,14 +295,25 @@ var IdentityService = class {
 			provider: identity.provider,
 			userId: identity.userId
 		});
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordUser("update", {
+			userRealm: realm.name,
+			resourceId: identity.userId,
+			description: `Identity provider disconnected: ${identity.provider}`,
+			metadata: {
+				identityId: id,
+				provider: identity.provider,
+				userId: identity.userId
+			}
+		});
 	}
 };
 
 //#endregion
-//#region ../../src/api/users/controllers/IdentityController.ts
-var IdentityController = class {
+//#region ../../src/api/users/controllers/AdminIdentityController.ts
+var AdminIdentityController = class {
 	url = "/identities";
-	group = "identities";
+	group = "admin:identities";
 	identityService = $inject(IdentityService);
 	/**
 	* Find identities with pagination and filtering.
@@ -311,7 +324,7 @@ var IdentityController = class {
 		description: "Find identities with pagination and filtering",
 		schema: {
 			query: t.extend(identityQuerySchema, { userRealmName: t.optional(t.string()) }),
-			response: pg.page(identityResourceSchema)
+			response: t.page(identityResourceSchema)
 		},
 		handler: ({ query }) => {
 			const { userRealmName, ...q } = query;
@@ -437,10 +450,10 @@ var SessionCrudService = class {
 };
 
 //#endregion
-//#region ../../src/api/users/controllers/SessionController.ts
-var SessionController = class {
+//#region ../../src/api/users/controllers/AdminSessionController.ts
+var AdminSessionController = class {
 	url = "/sessions";
-	group = "sessions";
+	group = "admin:sessions";
 	sessionService = $inject(SessionCrudService);
 	/**
 	* Find sessions with pagination and filtering.
@@ -451,7 +464,7 @@ var SessionController = class {
 		description: "Find sessions with pagination and filtering",
 		schema: {
 			query: t.extend(sessionQuerySchema, { userRealmName: t.optional(t.string()) }),
-			response: pg.page(sessionResourceSchema)
+			response: t.page(sessionResourceSchema)
 		},
 		handler: ({ query }) => {
 			const { userRealmName, ...q } = query;
@@ -495,92 +508,10 @@ var SessionController = class {
 	});
 };
 
-//#endregion
-//#region ../../src/api/users/schemas/completePasswordResetRequestSchema.ts
-/**
-* Request schema for completing a password reset.
-*
-* Requires the intent ID from Phase 1, the verification code,
-* and the new password.
-*/
-const completePasswordResetRequestSchema = t.object({
-	intentId: t.uuid({ description: "The intent ID from createPasswordResetIntent" }),
-	code: t.string({ description: "6-digit verification code sent via email" }),
-	newPassword: t.string({
-		minLength: 8,
-		description: "New password (minimum 8 characters)"
-	})
-});
-
-//#endregion
-//#region ../../src/api/users/schemas/completeRegistrationRequestSchema.ts
-const completeRegistrationRequestSchema = t.object({
-	intentId: t.uuid({ description: "The registration intent ID from the first phase" }),
-	emailCode: t.optional(t.string({ description: "Email verification code (if email verification required)" })),
-	phoneCode: t.optional(t.string({ description: "Phone verification code (if phone verification required)" })),
-	captchaToken: t.optional(t.string({ description: "Captcha token (if captcha required)" }))
-});
-
 //#endregion
 //#region ../../src/api/users/schemas/createUserSchema.ts
 const createUserSchema = t.omit(users.insertSchema, ["realm"]);
 
-//#endregion
-//#region ../../src/api/users/schemas/passwordResetIntentResponseSchema.ts
-/**
-* Response schema for password reset intent creation.
-*
-* Contains the intent ID needed for Phase 2 completion,
-* along with expiration time.
-*/
-const passwordResetIntentResponseSchema = t.object({
-	intentId: t.uuid({ description: "Unique identifier for this password reset intent" }),
-	expiresAt: t.datetime({ description: "ISO timestamp when this intent expires" })
-});
-
-//#endregion
-//#region ../../src/api/users/schemas/registerQuerySchema.ts
-/**
-* Schema for user registration query parameters.
-* Allows specifying a custom user realm.
-*/
-const registerQuerySchema = t.object({ userRealmName: t.optional(t.text({ description: "The user realm to register the user in (defaults to 'default')" })) });
-
-//#endregion
-//#region ../../src/api/users/schemas/registerRequestSchema.ts
-/**
-* Schema for user registration request body.
-* Password is always required, other fields depend on realm settings.
-*/
-const registerRequestSchema = t.object({
-	password: t.string({
-		minLength: 8,
-		description: "Password for the account"
-	}),
-	username: t.optional(t.string({
-		minLength: 3,
-		description: "Unique username for the account"
-	})),
-	email: t.optional(t.string({
-		format: "email",
-		description: "User's email address"
-	})),
-	phoneNumber: t.optional(t.string({ description: "User's phone number" })),
-	firstName: t.optional(t.string({ description: "User's first name" })),
-	lastName: t.optional(t.string({ description: "User's last name" })),
-	picture: t.optional(t.string({ description: "User's profile picture URL" }))
-});
-
-//#endregion
-//#region ../../src/api/users/schemas/registrationIntentResponseSchema.ts
-const registrationIntentResponseSchema = t.object({
-	intentId: t.uuid({ description: "Unique identifier for the registration intent" }),
-	expectCaptcha: t.boolean({ description: "Whether captcha verification is required" }),
-	expectEmailVerification: t.boolean({ description: "Whether email verification is required" }),
-	expectPhoneVerification: t.boolean({ description: "Whether phone verification is required" }),
-	expiresAt: t.datetime({ description: "When the registration intent expires" })
-});
-
 //#endregion
 //#region ../../src/api/users/schemas/updateUserSchema.ts
 const updateUserSchema = t.partial(t.omit(users.insertSchema, [
@@ -736,136 +667,578 @@ var UserNotifications = class {
 };
 
 //#endregion
-//#region ../../src/api/users/services/CredentialService.ts
-const INTENT_TTL_MINUTES$1 = 10;
-var CredentialService = class {
+//#region ../../src/api/users/services/UserService.ts
+var UserService = class {
 	log = $logger();
-	cryptoProvider = $inject(CryptoProvider);
-	dateTimeProvider = $inject(DateTimeProvider);
 	verificationController = $client();
 	userNotifications = $inject(UserNotifications);
 	userRealmProvider = $inject(UserRealmProvider);
-	intentCache = $cache({
-		name: "password-reset-intents",
-		ttl: [INTENT_TTL_MINUTES$1, "minutes"]
-	});
+	auditService = $inject(AuditService);
 	users(userRealmName) {
 		return this.userRealmProvider.userRepository(userRealmName);
 	}
-	sessions(userRealmName) {
-		return this.userRealmProvider.sessionRepository(userRealmName);
-	}
-	identities(userRealmName) {
-		return this.userRealmProvider.identityRepository(userRealmName);
-	}
 	/**
-	* Phase 1: Create a password reset intent.
-	*
-	* Validates the email, checks for existing user with credentials,
-	* sends verification code, and stores the intent in cache.
-	*
-	* @param email - User's email address
-	* @param userRealmName - Optional realm name
-	* @returns Intent response with intentId and expiration (always returns for security)
+	* Request email verification for a user.
+	* @param email - The email address to verify.
+	* @param userRealmName - Optional realm name.
+	* @param method - The verification method: "code" (default) or "link".
+	* @param verifyUrl - Base URL for verification link (required when method is "link").
 	*/
-	async createPasswordResetIntent(email, userRealmName) {
-		this.log.trace("Creating password reset intent", {
+	async requestEmailVerification(email, userRealmName, method = "code", verifyUrl) {
+		this.log.trace("Requesting email verification", {
 			email,
-			userRealmName
+			userRealmName,
+			method
 		});
-		const intentId = randomUUID();
-		const expiresAt = this.dateTimeProvider.now().add(INTENT_TTL_MINUTES$1, "minutes").toISOString();
 		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } }).catch(() => void 0);
 		if (!user) {
-			this.log.debug("Password reset requested for non-existent email", { email });
-			return {
-				intentId,
-				expiresAt
-			};
+			this.log.debug("Email verification requested for non-existent user", { email });
+			return true;
 		}
-		const identity = await this.identities(userRealmName).findOne({ where: {
-			userId: { eq: user.id },
-			provider: { eq: "credentials" }
-		} }).catch(() => void 0);
-		if (!identity) {
-			this.log.debug("Password reset requested for user without credentials", { userId: user.id });
-			return {
-				intentId,
-				expiresAt
-			};
+		if (user.emailVerified) {
+			this.log.debug("Email verification requested for already verified user", {
+				email,
+				userId: user.id
+			});
+			return true;
 		}
 		try {
 			const verification = await this.verificationController.requestVerificationCode({
-				params: { type: "code" },
+				params: { type: method },
 				body: { target: email }
 			});
-			await this.userNotifications.passwordReset.push({
-				contact: email,
-				variables: {
+			if (method === "link") {
+				const url = new URL(verifyUrl || "/verify-email", "http://localhost");
+				url.searchParams.set("email", email);
+				url.searchParams.set("token", verification.token);
+				const fullVerifyUrl = verifyUrl ? `${verifyUrl}${url.search}` : url.pathname + url.search;
+				await this.userNotifications.emailVerificationLink.push({
+					contact: email,
+					variables: {
+						email,
+						verifyUrl: fullVerifyUrl,
+						expiresInMinutes: Math.floor(verification.codeExpiration / 60)
+					}
+				});
+				this.log.debug("Email verification link sent", {
 					email,
-					code: verification.token,
-					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
-				}
-			});
-			const intent = {
+					userId: user.id
+				});
+			} else {
+				await this.userNotifications.emailVerification.push({
+					contact: email,
+					variables: {
+						email,
+						code: verification.token,
+						expiresInMinutes: Math.floor(verification.codeExpiration / 60)
+					}
+				});
+				this.log.debug("Email verification code sent", {
+					email,
+					userId: user.id
+				});
+			}
+		} catch (error) {
+			this.log.warn("Failed to send email verification", {
 				email,
-				userId: user.id,
-				identityId: identity.id,
-				realmName: userRealmName,
-				expiresAt
-			};
-			await this.intentCache.set(intentId, intent);
-			this.log.info("Password reset intent created", {
-				intentId,
-				userId: user.id,
-				email
+				error
 			});
-		} catch (error) {
-			this.log.warn("Failed to create password reset verification", error);
 		}
-		return {
-			intentId,
-			expiresAt
-		};
+		return true;
 	}
 	/**
-	* Phase 2: Complete password reset using an intent.
-	*
-	* Validates the verification code, updates the password,
-	* and invalidates all existing sessions.
-	*
-	* @param body - Request body with intentId, code, and newPassword
+	* Verify a user's email using a valid verification token.
+	* Supports both code (6-digit) and link (UUID) verification tokens.
 	*/
-	async completePasswordReset(body) {
-		this.log.trace("Completing password reset", { intentId: body.intentId });
-		const intent = await this.intentCache.get(body.intentId);
-		if (!intent) {
-			this.log.warn("Invalid or expired password reset intent", { intentId: body.intentId });
-			throw new HttpError({
-				status: 410,
-				message: "Invalid or expired password reset intent"
-			});
-		}
+	async verifyEmail(email, token, userRealmName) {
+		this.log.trace("Verifying email", {
+			email,
+			userRealmName
+		});
+		const type = /^\d{6}$/.test(token) ? "code" : "link";
 		if ((await this.verificationController.validateVerificationCode({
-			params: { type: "code" },
+			params: { type },
 			body: {
-				target: intent.email,
-				token: body.code
+				target: email,
+				token
 			}
 		}).catch(() => {
-			this.log.warn("Invalid verification code for password reset", {
-				intentId: body.intentId,
-				email: intent.email
+			this.log.warn("Invalid email verification token", {
+				email,
+				type
 			});
-			throw new BadRequestError("Invalid or expired verification code");
+			throw new BadRequestError("Invalid or expired verification token");
 		})).alreadyVerified) {
-			this.log.warn("Verification code reuse attempt", {
-				intentId: body.intentId,
-				email: intent.email
-			});
-			throw new BadRequestError("Verification code has already been used");
+			this.log.warn("Email verification token already used", { email });
+			throw new BadRequestError("Invalid or expired verification token");
 		}
-		await this.intentCache.invalidate(body.intentId);
+		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } });
+		await this.users(userRealmName).updateById(user.id, { emailVerified: true });
+		this.log.info("Email verified", {
+			email,
+			userId: user.id,
+			type
+		});
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordUser("update", {
+			userId: user.id,
+			userEmail: email,
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: "Email verified",
+			metadata: {
+				email,
+				verificationType: type
+			}
+		});
+	}
+	/**
+	* Check if an email is verified.
+	*/
+	async isEmailVerified(email, userRealmName) {
+		this.log.trace("Checking if email is verified", {
+			email,
+			userRealmName
+		});
+		return (await this.users(userRealmName).findOne({ where: { email: { eq: email } } }).catch(() => void 0))?.emailVerified ?? false;
+	}
+	/**
+	* Find users with pagination and filtering.
+	*/
+	async findUsers(q = {}, userRealmName) {
+		this.log.trace("Finding users", {
+			query: q,
+			userRealmName
+		});
+		q.sort ??= "-createdAt";
+		const where = this.users(userRealmName).createQueryWhere();
+		if (q.email) where.email = { like: q.email };
+		if (q.enabled !== void 0) where.enabled = { eq: q.enabled };
+		if (q.emailVerified !== void 0) where.emailVerified = { eq: q.emailVerified };
+		if (q.roles) where.roles = { arrayContains: q.roles };
+		if (q.query) Object.assign(where, parseQueryString(q.query));
+		const result = await this.users(userRealmName).paginate(q, { where }, { count: true });
+		this.log.debug("Users found", {
+			count: result.content.length,
+			total: result.page.totalElements
+		});
+		return result;
+	}
+	/**
+	* Get a user by ID.
+	*/
+	async getUserById(id, userRealmName) {
+		this.log.trace("Getting user by ID", {
+			id,
+			userRealmName
+		});
+		return await this.users(userRealmName).findById(id);
+	}
+	/**
+	* Create a new user.
+	*/
+	async createUser(data, userRealmName) {
+		this.log.trace("Creating user", {
+			username: data.username,
+			email: data.email,
+			userRealmName
+		});
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		if (data.username) {
+			if (await this.users(userRealmName).findOne({ where: { username: { eq: data.username } } }).catch(() => void 0)) {
+				this.log.debug("Username already taken", { username: data.username });
+				throw new BadRequestError("User with this username already exists");
+			}
+		}
+		if (data.email) {
+			if (await this.users(userRealmName).findOne({ where: { email: { eq: data.email } } }).catch(() => void 0)) {
+				this.log.debug("Email already taken", { email: data.email });
+				throw new BadRequestError("User with this email already exists");
+			}
+		}
+		if (data.phoneNumber) {
+			if (await this.users(userRealmName).findOne({ where: { phoneNumber: { eq: data.phoneNumber } } }).catch(() => void 0)) {
+				this.log.debug("Phone number already taken", { phoneNumber: data.phoneNumber });
+				throw new BadRequestError("User with this phone number already exists");
+			}
+		}
+		const user = await this.users(userRealmName).create({
+			...data,
+			roles: data.roles ?? ["user"],
+			realm: realm.name
+		});
+		this.log.info("User created", {
+			userId: user.id,
+			username: user.username,
+			email: user.email
+		});
+		await this.auditService.recordUser("create", {
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: "User created",
+			metadata: {
+				username: user.username,
+				email: user.email,
+				roles: user.roles
+			}
+		});
+		return user;
+	}
+	/**
+	* Update an existing user.
+	*/
+	async updateUser(id, data, userRealmName) {
+		this.log.trace("Updating user", {
+			id,
+			userRealmName
+		});
+		const before = await this.getUserById(id, userRealmName);
+		const user = await this.users(userRealmName).updateById(id, data);
+		this.log.debug("User updated", { userId: id });
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		const changes = {};
+		for (const key of Object.keys(data)) if (data[key] !== void 0 && before[key] !== data[key]) changes[key] = {
+			from: before[key],
+			to: data[key]
+		};
+		const isRoleChange = data.roles !== void 0 && JSON.stringify(before.roles) !== JSON.stringify(data.roles);
+		await this.auditService.recordUser(isRoleChange ? "role_change" : "update", {
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: isRoleChange ? "User roles changed" : `User updated: ${Object.keys(changes).join(", ")}`,
+			metadata: { changes }
+		});
+		return user;
+	}
+	/**
+	* Delete a user by ID.
+	*/
+	async deleteUser(id, userRealmName) {
+		this.log.trace("Deleting user", {
+			id,
+			userRealmName
+		});
+		const user = await this.getUserById(id, userRealmName);
+		await this.users(userRealmName).deleteById(id);
+		this.log.info("User deleted", { userId: id });
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordUser("delete", {
+			userRealm: realm.name,
+			resourceId: id,
+			severity: "warning",
+			description: "User deleted",
+			metadata: {
+				username: user.username,
+				email: user.email
+			}
+		});
+	}
+};
+
+//#endregion
+//#region ../../src/api/users/controllers/AdminUserController.ts
+var AdminUserController = class {
+	url = "/users";
+	group = "admin:users";
+	userService = $inject(UserService);
+	/**
+	* Find users with pagination and filtering.
+	*/
+	findUsers = $action({
+		path: this.url,
+		group: this.group,
+		description: "Find users with pagination and filtering",
+		schema: {
+			query: t.extend(userQuerySchema, { userRealmName: t.optional(t.string()) }),
+			response: t.page(userResourceSchema)
+		},
+		handler: ({ query }) => {
+			const { userRealmName, ...q } = query;
+			return this.userService.findUsers(q, userRealmName);
+		}
+	});
+	/**
+	* Get a user by ID.
+	*/
+	getUser = $action({
+		path: `${this.url}/:id`,
+		group: this.group,
+		description: "Get a user by ID",
+		schema: {
+			params: t.object({ id: t.uuid() }),
+			query: t.object({ userRealmName: t.optional(t.string()) }),
+			response: userResourceSchema
+		},
+		handler: ({ params, query }) => this.userService.getUserById(params.id, query.userRealmName)
+	});
+	/**
+	* Create a new user.
+	*/
+	createUser = $action({
+		method: "POST",
+		path: this.url,
+		group: this.group,
+		description: "Create a new user",
+		schema: {
+			query: t.object({ userRealmName: t.optional(t.string()) }),
+			body: createUserSchema,
+			response: userResourceSchema
+		},
+		handler: ({ body, query }) => this.userService.createUser(body, query.userRealmName)
+	});
+	/**
+	* Update a user.
+	*/
+	updateUser = $action({
+		method: "PATCH",
+		path: `${this.url}/:id`,
+		group: this.group,
+		description: "Update a user",
+		schema: {
+			params: t.object({ id: t.uuid() }),
+			query: t.object({ userRealmName: t.optional(t.string()) }),
+			body: updateUserSchema,
+			response: userResourceSchema
+		},
+		handler: ({ params, body, query }) => this.userService.updateUser(params.id, body, query.userRealmName)
+	});
+	/**
+	* Delete a user.
+	*/
+	deleteUser = $action({
+		method: "DELETE",
+		path: `${this.url}/:id`,
+		group: this.group,
+		description: "Delete a user",
+		schema: {
+			params: t.object({ id: t.uuid() }),
+			query: t.object({ userRealmName: t.optional(t.string()) }),
+			response: okSchema
+		},
+		handler: async ({ params, query }) => {
+			await this.userService.deleteUser(params.id, query.userRealmName);
+			return {
+				ok: true,
+				id: params.id
+			};
+		}
+	});
+};
+
+//#endregion
+//#region ../../src/api/users/schemas/completePasswordResetRequestSchema.ts
+/**
+* Request schema for completing a password reset.
+*
+* Requires the intent ID from Phase 1, the verification code,
+* and the new password.
+*/
+const completePasswordResetRequestSchema = t.object({
+	intentId: t.uuid({ description: "The intent ID from createPasswordResetIntent" }),
+	code: t.string({ description: "6-digit verification code sent via email" }),
+	newPassword: t.string({
+		minLength: 8,
+		description: "New password (minimum 8 characters)"
+	})
+});
+
+//#endregion
+//#region ../../src/api/users/schemas/completeRegistrationRequestSchema.ts
+const completeRegistrationRequestSchema = t.object({
+	intentId: t.uuid({ description: "The registration intent ID from the first phase" }),
+	emailCode: t.optional(t.string({ description: "Email verification code (if email verification required)" })),
+	phoneCode: t.optional(t.string({ description: "Phone verification code (if phone verification required)" })),
+	captchaToken: t.optional(t.string({ description: "Captcha token (if captcha required)" }))
+});
+
+//#endregion
+//#region ../../src/api/users/schemas/passwordResetIntentResponseSchema.ts
+/**
+* Response schema for password reset intent creation.
+*
+* Contains the intent ID needed for Phase 2 completion,
+* along with expiration time.
+*/
+const passwordResetIntentResponseSchema = t.object({
+	intentId: t.uuid({ description: "Unique identifier for this password reset intent" }),
+	expiresAt: t.datetime({ description: "ISO timestamp when this intent expires" })
+});
+
+//#endregion
+//#region ../../src/api/users/schemas/registerQuerySchema.ts
+/**
+* Schema for user registration query parameters.
+* Allows specifying a custom user realm.
+*/
+const registerQuerySchema = t.object({ userRealmName: t.optional(t.text({ description: "The user realm to register the user in (defaults to 'default')" })) });
+
+//#endregion
+//#region ../../src/api/users/schemas/registerRequestSchema.ts
+/**
+* Schema for user registration request body.
+* Password is always required, other fields depend on realm settings.
+*/
+const registerRequestSchema = t.object({
+	password: t.string({
+		minLength: 8,
+		description: "Password for the account"
+	}),
+	username: t.optional(t.string({
+		minLength: 3,
+		description: "Unique username for the account"
+	})),
+	email: t.optional(t.string({
+		format: "email",
+		description: "User's email address"
+	})),
+	phoneNumber: t.optional(t.string({ description: "User's phone number" })),
+	firstName: t.optional(t.string({ description: "User's first name" })),
+	lastName: t.optional(t.string({ description: "User's last name" })),
+	picture: t.optional(t.string({ description: "User's profile picture URL" }))
+});
+
+//#endregion
+//#region ../../src/api/users/schemas/registrationIntentResponseSchema.ts
+const registrationIntentResponseSchema = t.object({
+	intentId: t.uuid({ description: "Unique identifier for the registration intent" }),
+	expectCaptcha: t.boolean({ description: "Whether captcha verification is required" }),
+	expectEmailVerification: t.boolean({ description: "Whether email verification is required" }),
+	expectPhoneVerification: t.boolean({ description: "Whether phone verification is required" }),
+	expiresAt: t.datetime({ description: "When the registration intent expires" })
+});
+
+//#endregion
+//#region ../../src/api/users/services/CredentialService.ts
+const INTENT_TTL_MINUTES$1 = 10;
+var CredentialService = class {
+	log = $logger();
+	cryptoProvider = $inject(CryptoProvider);
+	dateTimeProvider = $inject(DateTimeProvider);
+	verificationController = $client();
+	userNotifications = $inject(UserNotifications);
+	userRealmProvider = $inject(UserRealmProvider);
+	auditService = $inject(AuditService);
+	intentCache = $cache({
+		name: "password-reset-intents",
+		ttl: [INTENT_TTL_MINUTES$1, "minutes"]
+	});
+	users(userRealmName) {
+		return this.userRealmProvider.userRepository(userRealmName);
+	}
+	sessions(userRealmName) {
+		return this.userRealmProvider.sessionRepository(userRealmName);
+	}
+	identities(userRealmName) {
+		return this.userRealmProvider.identityRepository(userRealmName);
+	}
+	/**
+	* Phase 1: Create a password reset intent.
+	*
+	* Validates the email, checks for existing user with credentials,
+	* sends verification code, and stores the intent in cache.
+	*
+	* @param email - User's email address
+	* @param userRealmName - Optional realm name
+	* @returns Intent response with intentId and expiration (always returns for security)
+	*/
+	async createPasswordResetIntent(email, userRealmName) {
+		this.log.trace("Creating password reset intent", {
+			email,
+			userRealmName
+		});
+		const intentId = randomUUID();
+		const expiresAt = this.dateTimeProvider.now().add(INTENT_TTL_MINUTES$1, "minutes").toISOString();
+		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } }).catch(() => void 0);
+		if (!user) {
+			this.log.debug("Password reset requested for non-existent email", { email });
+			return {
+				intentId,
+				expiresAt
+			};
+		}
+		const identity = await this.identities(userRealmName).findOne({ where: {
+			userId: { eq: user.id },
+			provider: { eq: "credentials" }
+		} }).catch(() => void 0);
+		if (!identity) {
+			this.log.debug("Password reset requested for user without credentials", { userId: user.id });
+			return {
+				intentId,
+				expiresAt
+			};
+		}
+		try {
+			const verification = await this.verificationController.requestVerificationCode({
+				params: { type: "code" },
+				body: { target: email }
+			});
+			await this.userNotifications.passwordReset.push({
+				contact: email,
+				variables: {
+					email,
+					code: verification.token,
+					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
+				}
+			});
+			const intent = {
+				email,
+				userId: user.id,
+				identityId: identity.id,
+				realmName: userRealmName,
+				expiresAt
+			};
+			await this.intentCache.set(intentId, intent);
+			this.log.info("Password reset intent created", {
+				intentId,
+				userId: user.id,
+				email
+			});
+		} catch (error) {
+			this.log.warn("Failed to create password reset verification", error);
+		}
+		return {
+			intentId,
+			expiresAt
+		};
+	}
+	/**
+	* Phase 2: Complete password reset using an intent.
+	*
+	* Validates the verification code, updates the password,
+	* and invalidates all existing sessions.
+	*
+	* @param body - Request body with intentId, code, and newPassword
+	*/
+	async completePasswordReset(body) {
+		this.log.trace("Completing password reset", { intentId: body.intentId });
+		const intent = await this.intentCache.get(body.intentId);
+		if (!intent) {
+			this.log.warn("Invalid or expired password reset intent", { intentId: body.intentId });
+			throw new HttpError({
+				status: 410,
+				message: "Invalid or expired password reset intent"
+			});
+		}
+		if ((await this.verificationController.validateVerificationCode({
+			params: { type: "code" },
+			body: {
+				target: intent.email,
+				token: body.code
+			}
+		}).catch(() => {
+			this.log.warn("Invalid verification code for password reset", {
+				intentId: body.intentId,
+				email: intent.email
+			});
+			throw new BadRequestError("Invalid or expired verification code");
+		})).alreadyVerified) {
+			this.log.warn("Verification code reuse attempt", {
+				intentId: body.intentId,
+				email: intent.email
+			});
+			throw new BadRequestError("Verification code has already been used");
+		}
+		await this.intentCache.invalidate(body.intentId);
 		const hashedPassword = await this.cryptoProvider.hashPassword(body.newPassword);
 		await this.identities(intent.realmName).updateById(intent.identityId, { password: hashedPassword });
 		await this.sessions(intent.realmName).deleteMany({ userId: { eq: intent.userId } });
@@ -873,6 +1246,23 @@ var CredentialService = class {
 			userId: intent.userId,
 			email: intent.email
 		});
+		const realm = this.userRealmProvider.getRealm(intent.realmName);
+		await this.auditService.recordUser("update", {
+			userId: intent.userId,
+			userEmail: intent.email,
+			userRealm: realm.name,
+			resourceId: intent.userId,
+			description: "Password reset completed",
+			metadata: { email: intent.email }
+		});
+		await this.auditService.record("security", "sessions_invalidated", {
+			userId: intent.userId,
+			userEmail: intent.email,
+			userRealm: realm.name,
+			resourceId: intent.userId,
+			severity: "warning",
+			description: "All sessions invalidated after password reset"
+		});
 	}
 	/**
 	* @deprecated Use createPasswordResetIntent instead
@@ -915,6 +1305,23 @@ var CredentialService = class {
 		const hashedPassword = await this.cryptoProvider.hashPassword(newPassword);
 		await this.identities(userRealmName).updateById(identity.id, { password: hashedPassword });
 		await this.sessions(userRealmName).deleteMany({ userId: { eq: user.id } });
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordUser("update", {
+			userId: user.id,
+			userEmail: email,
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: "Password reset completed (legacy)",
+			metadata: { email }
+		});
+		await this.auditService.record("security", "sessions_invalidated", {
+			userId: user.id,
+			userEmail: email,
+			userRealm: realm.name,
+			resourceId: user.id,
+			severity: "warning",
+			description: "All sessions invalidated after password reset"
+		});
 	}
 };
 
@@ -928,6 +1335,7 @@ var RegistrationService = class {
 	verificationController = $client();
 	userNotifications = $inject(UserNotifications);
 	userRealmProvider = $inject(UserRealmProvider);
+	auditService = $inject(AuditService);
 	intentCache = $cache({
 		name: "registration-intents",
 		ttl: [INTENT_TTL_MINUTES, "minutes"]
@@ -1069,6 +1477,20 @@ var RegistrationService = class {
 			email: user.email,
 			username: user.username
 		});
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordUser("create", {
+			userId: user.id,
+			userEmail: user.email ?? void 0,
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: "User registered",
+			metadata: {
+				username: user.username,
+				email: user.email,
+				emailVerified: user.emailVerified,
+				registrationMethod: "credentials"
+			}
+		});
 		return user;
 	}
 	/**
@@ -1090,317 +1512,95 @@ var RegistrationService = class {
 		}
 		if (body.phoneNumber) {
 			if (await userRepository.findOne({ where: { phoneNumber: { eq: body.phoneNumber } } }).catch(() => void 0)) {
-				this.log.debug("Phone number already taken", { phoneNumber: body.phoneNumber });
-				throw new ConflictError("User with this phone number already exists");
-			}
-		}
-	}
-	/**
-	* Send email verification code.
-	*/
-	async sendEmailVerification(email) {
-		this.log.debug("Sending email verification code", { email });
-		try {
-			const verification = await this.verificationController.requestVerificationCode({
-				params: { type: "code" },
-				body: { target: email }
-			});
-			await this.userNotifications.emailVerification.push({
-				contact: email,
-				variables: {
-					email,
-					code: verification.token,
-					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
-				}
-			});
-			this.log.debug("Email verification code sent", { email });
-		} catch (error) {
-			this.log.warn("Failed to send email verification code", error);
-		}
-	}
-	/**
-	* Send phone verification code.
-	*/
-	async sendPhoneVerification(phoneNumber) {
-		this.log.debug("Sending phone verification code", { phoneNumber });
-		try {
-			const verification = await this.verificationController.requestVerificationCode({
-				params: { type: "code" },
-				body: { target: phoneNumber }
-			});
-			await this.userNotifications.phoneVerification.push({
-				contact: phoneNumber,
-				variables: {
-					phoneNumber,
-					code: verification.token,
-					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
-				}
-			});
-			this.log.debug("Phone verification code sent", { phoneNumber });
-		} catch (error) {
-			this.log.warn("Failed to send phone verification code", {
-				phoneNumber,
-				error
-			});
-		}
-	}
-	/**
-	* Verify email code using verification service.
-	*/
-	async verifyEmailCode(email, code) {
-		if ((await this.verificationController.validateVerificationCode({
-			params: { type: "code" },
-			body: {
-				target: email,
-				token: code
-			}
-		}).catch(() => {
-			this.log.warn("Invalid email verification code", { email });
-			throw new BadRequestError("Invalid or expired email verification code");
-		})).alreadyVerified) {
-			this.log.warn("Email verification code already used", { email });
-			throw new BadRequestError("Email verification code has already been used");
-		}
-	}
-	/**
-	* Verify phone code using verification service.
-	*/
-	async verifyPhoneCode(phoneNumber, code) {
-		if ((await this.verificationController.validateVerificationCode({
-			params: { type: "code" },
-			body: {
-				target: phoneNumber,
-				token: code
-			}
-		}).catch(() => {
-			this.log.warn("Invalid phone verification code", { phoneNumber });
-			throw new BadRequestError("Invalid or expired phone verification code");
-		})).alreadyVerified) {
-			this.log.warn("Phone verification code already used", { phoneNumber });
-			throw new BadRequestError("Phone verification code has already been used");
-		}
-	}
-};
-
-//#endregion
-//#region ../../src/api/users/services/UserService.ts
-var UserService = class {
-	log = $logger();
-	verificationController = $client();
-	userNotifications = $inject(UserNotifications);
-	userRealmProvider = $inject(UserRealmProvider);
-	users(userRealmName) {
-		return this.userRealmProvider.userRepository(userRealmName);
-	}
-	/**
-	* Request email verification for a user.
-	* @param email - The email address to verify.
-	* @param userRealmName - Optional realm name.
-	* @param method - The verification method: "code" (default) or "link".
-	* @param verifyUrl - Base URL for verification link (required when method is "link").
-	*/
-	async requestEmailVerification(email, userRealmName, method = "code", verifyUrl) {
-		this.log.trace("Requesting email verification", {
-			email,
-			userRealmName,
-			method
-		});
-		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } }).catch(() => void 0);
-		if (!user) {
-			this.log.debug("Email verification requested for non-existent user", { email });
-			return true;
-		}
-		if (user.emailVerified) {
-			this.log.debug("Email verification requested for already verified user", {
-				email,
-				userId: user.id
-			});
-			return true;
-		}
-		try {
-			const verification = await this.verificationController.requestVerificationCode({
-				params: { type: method },
-				body: { target: email }
-			});
-			if (method === "link") {
-				const url = new URL(verifyUrl || "/verify-email", "http://localhost");
-				url.searchParams.set("email", email);
-				url.searchParams.set("token", verification.token);
-				const fullVerifyUrl = verifyUrl ? `${verifyUrl}${url.search}` : url.pathname + url.search;
-				await this.userNotifications.emailVerificationLink.push({
-					contact: email,
-					variables: {
-						email,
-						verifyUrl: fullVerifyUrl,
-						expiresInMinutes: Math.floor(verification.codeExpiration / 60)
-					}
-				});
-				this.log.debug("Email verification link sent", {
-					email,
-					userId: user.id
-				});
-			} else {
-				await this.userNotifications.emailVerification.push({
-					contact: email,
-					variables: {
-						email,
-						code: verification.token,
-						expiresInMinutes: Math.floor(verification.codeExpiration / 60)
-					}
-				});
-				this.log.debug("Email verification code sent", {
-					email,
-					userId: user.id
-				});
-			}
-		} catch (error) {
-			this.log.warn("Failed to send email verification", {
-				email,
-				error
-			});
-		}
-		return true;
-	}
-	/**
-	* Verify a user's email using a valid verification token.
-	* Supports both code (6-digit) and link (UUID) verification tokens.
-	*/
-	async verifyEmail(email, token, userRealmName) {
-		this.log.trace("Verifying email", {
-			email,
-			userRealmName
-		});
-		const type = /^\d{6}$/.test(token) ? "code" : "link";
-		if ((await this.verificationController.validateVerificationCode({
-			params: { type },
-			body: {
-				target: email,
-				token
-			}
-		}).catch(() => {
-			this.log.warn("Invalid email verification token", {
-				email,
-				type
-			});
-			throw new BadRequestError("Invalid or expired verification token");
-		})).alreadyVerified) {
-			this.log.warn("Email verification token already used", { email });
-			throw new BadRequestError("Invalid or expired verification token");
-		}
-		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } });
-		await this.users(userRealmName).updateById(user.id, { emailVerified: true });
-		this.log.info("Email verified", {
-			email,
-			userId: user.id,
-			type
-		});
-	}
-	/**
-	* Check if an email is verified.
-	*/
-	async isEmailVerified(email, userRealmName) {
-		this.log.trace("Checking if email is verified", {
-			email,
-			userRealmName
-		});
-		return (await this.users(userRealmName).findOne({ where: { email: { eq: email } } }).catch(() => void 0))?.emailVerified ?? false;
-	}
-	/**
-	* Find users with pagination and filtering.
-	*/
-	async findUsers(q = {}, userRealmName) {
-		this.log.trace("Finding users", {
-			query: q,
-			userRealmName
-		});
-		q.sort ??= "-createdAt";
-		const where = this.users(userRealmName).createQueryWhere();
-		if (q.email) where.email = { like: q.email };
-		if (q.enabled !== void 0) where.enabled = { eq: q.enabled };
-		if (q.emailVerified !== void 0) where.emailVerified = { eq: q.emailVerified };
-		if (q.roles) where.roles = { arrayContains: q.roles };
-		if (q.query) Object.assign(where, parseQueryString(q.query));
-		const result = await this.users(userRealmName).paginate(q, { where }, { count: true });
-		this.log.debug("Users found", {
-			count: result.content.length,
-			total: result.page.totalElements
-		});
-		return result;
+				this.log.debug("Phone number already taken", { phoneNumber: body.phoneNumber });
+				throw new ConflictError("User with this phone number already exists");
+			}
+		}
 	}
 	/**
-	* Get a user by ID.
+	* Send email verification code.
 	*/
-	async getUserById(id, userRealmName) {
-		this.log.trace("Getting user by ID", {
-			id,
-			userRealmName
-		});
-		return await this.users(userRealmName).findById(id);
+	async sendEmailVerification(email) {
+		this.log.debug("Sending email verification code", { email });
+		try {
+			const verification = await this.verificationController.requestVerificationCode({
+				params: { type: "code" },
+				body: { target: email }
+			});
+			await this.userNotifications.emailVerification.push({
+				contact: email,
+				variables: {
+					email,
+					code: verification.token,
+					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
+				}
+			});
+			this.log.debug("Email verification code sent", { email });
+		} catch (error) {
+			this.log.warn("Failed to send email verification code", error);
+		}
 	}
 	/**
-	* Create a new user.
+	* Send phone verification code.
 	*/
-	async createUser(data, userRealmName) {
-		this.log.trace("Creating user", {
-			username: data.username,
-			email: data.email,
-			userRealmName
-		});
-		const realm = this.userRealmProvider.getRealm(userRealmName);
-		if (data.username) {
-			if (await this.users(userRealmName).findOne({ where: { username: { eq: data.username } } }).catch(() => void 0)) {
-				this.log.debug("Username already taken", { username: data.username });
-				throw new BadRequestError("User with this username already exists");
-			}
-		}
-		if (data.email) {
-			if (await this.users(userRealmName).findOne({ where: { email: { eq: data.email } } }).catch(() => void 0)) {
-				this.log.debug("Email already taken", { email: data.email });
-				throw new BadRequestError("User with this email already exists");
-			}
-		}
-		if (data.phoneNumber) {
-			if (await this.users(userRealmName).findOne({ where: { phoneNumber: { eq: data.phoneNumber } } }).catch(() => void 0)) {
-				this.log.debug("Phone number already taken", { phoneNumber: data.phoneNumber });
-				throw new BadRequestError("User with this phone number already exists");
-			}
+	async sendPhoneVerification(phoneNumber) {
+		this.log.debug("Sending phone verification code", { phoneNumber });
+		try {
+			const verification = await this.verificationController.requestVerificationCode({
+				params: { type: "code" },
+				body: { target: phoneNumber }
+			});
+			await this.userNotifications.phoneVerification.push({
+				contact: phoneNumber,
+				variables: {
+					phoneNumber,
+					code: verification.token,
+					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
+				}
+			});
+			this.log.debug("Phone verification code sent", { phoneNumber });
+		} catch (error) {
+			this.log.warn("Failed to send phone verification code", {
+				phoneNumber,
+				error
+			});
 		}
-		const user = await this.users(userRealmName).create({
-			...data,
-			roles: data.roles ?? ["user"],
-			realm: realm.name
-		});
-		this.log.info("User created", {
-			userId: user.id,
-			username: user.username,
-			email: user.email
-		});
-		return user;
 	}
 	/**
-	* Update an existing user.
+	* Verify email code using verification service.
 	*/
-	async updateUser(id, data, userRealmName) {
-		this.log.trace("Updating user", {
-			id,
-			userRealmName
-		});
-		await this.getUserById(id, userRealmName);
-		const user = await this.users(userRealmName).updateById(id, data);
-		this.log.debug("User updated", { userId: id });
-		return user;
+	async verifyEmailCode(email, code) {
+		if ((await this.verificationController.validateVerificationCode({
+			params: { type: "code" },
+			body: {
+				target: email,
+				token: code
+			}
+		}).catch(() => {
+			this.log.warn("Invalid email verification code", { email });
+			throw new BadRequestError("Invalid or expired email verification code");
+		})).alreadyVerified) {
+			this.log.warn("Email verification code already used", { email });
+			throw new BadRequestError("Email verification code has already been used");
+		}
 	}
 	/**
-	* Delete a user by ID.
+	* Verify phone code using verification service.
 	*/
-	async deleteUser(id, userRealmName) {
-		this.log.trace("Deleting user", {
-			id,
-			userRealmName
-		});
-		await this.getUserById(id, userRealmName);
-		await this.users(userRealmName).deleteById(id);
-		this.log.info("User deleted", { userId: id });
+	async verifyPhoneCode(phoneNumber, code) {
+		if ((await this.verificationController.validateVerificationCode({
+			params: { type: "code" },
+			body: {
+				target: phoneNumber,
+				token: code
+			}
+		}).catch(() => {
+			this.log.warn("Invalid phone verification code", { phoneNumber });
+			throw new BadRequestError("Invalid or expired phone verification code");
+		})).alreadyVerified) {
+			this.log.warn("Phone verification code already used", { phoneNumber });
+			throw new BadRequestError("Phone verification code has already been used");
+		}
 	}
 };
 
@@ -1417,6 +1617,7 @@ var UserController = class {
 	* Validates data, creates verification sessions, and stores intent in cache.
 	*/
 	createRegistrationIntent = $action({
+		group: this.group,
 		method: "POST",
 		path: `${this.url}/register`,
 		secure: false,
@@ -1428,55 +1629,11 @@ var UserController = class {
 		handler: ({ body, query }) => this.registrationService.createRegistrationIntent(body, query.userRealmName)
 	});
 	/**
-	* Find users with pagination and filtering.
-	*/
-	findUsers = $action({
-		path: this.url,
-		group: this.group,
-		description: "Find users with pagination and filtering",
-		schema: {
-			query: t.extend(userQuerySchema, { userRealmName: t.optional(t.string()) }),
-			response: pg.page(userResourceSchema)
-		},
-		handler: ({ query }) => {
-			const { userRealmName, ...q } = query;
-			return this.userService.findUsers(q, userRealmName);
-		}
-	});
-	/**
-	* Get a user by ID.
-	*/
-	getUser = $action({
-		path: `${this.url}/:id`,
-		group: this.group,
-		description: "Get a user by ID",
-		schema: {
-			params: t.object({ id: t.uuid() }),
-			query: t.object({ userRealmName: t.optional(t.string()) }),
-			response: userResourceSchema
-		},
-		handler: ({ params, query }) => this.userService.getUserById(params.id, query.userRealmName)
-	});
-	/**
-	* Create a new user.
-	*/
-	createUser = $action({
-		method: "POST",
-		path: this.url,
-		group: this.group,
-		description: "Create a new user",
-		schema: {
-			query: t.object({ userRealmName: t.optional(t.string()) }),
-			body: createUserSchema,
-			response: userResourceSchema
-		},
-		handler: ({ body, query }) => this.userService.createUser(body, query.userRealmName)
-	});
-	/**
 	* Phase 2: Complete registration using an intent.
 	* Validates verification codes and creates the user.
 	*/
 	createUserFromIntent = $action({
+		group: this.group,
 		method: "POST",
 		path: `${this.url}/register/complete`,
 		secure: false,
@@ -1487,47 +1644,11 @@ var UserController = class {
 		handler: ({ body }) => this.registrationService.completeRegistration(body)
 	});
 	/**
-	* Update a user.
-	*/
-	updateUser = $action({
-		method: "PATCH",
-		path: `${this.url}/:id`,
-		group: this.group,
-		description: "Update a user",
-		schema: {
-			params: t.object({ id: t.uuid() }),
-			query: t.object({ userRealmName: t.optional(t.string()) }),
-			body: updateUserSchema,
-			response: userResourceSchema
-		},
-		handler: ({ params, body, query }) => this.userService.updateUser(params.id, body, query.userRealmName)
-	});
-	/**
-	* Delete a user.
-	*/
-	deleteUser = $action({
-		method: "DELETE",
-		path: `${this.url}/:id`,
-		group: this.group,
-		description: "Delete a user",
-		schema: {
-			params: t.object({ id: t.uuid() }),
-			query: t.object({ userRealmName: t.optional(t.string()) }),
-			response: okSchema
-		},
-		handler: async ({ params, query }) => {
-			await this.userService.deleteUser(params.id, query.userRealmName);
-			return {
-				ok: true,
-				id: params.id
-			};
-		}
-	});
-	/**
 	* Phase 1: Create a password reset intent.
 	* Validates email, sends verification code, and stores intent in cache.
 	*/
 	createPasswordResetIntent = $action({
+		group: this.group,
 		method: "POST",
 		path: `${this.url}/password-reset`,
 		secure: false,
@@ -1543,6 +1664,7 @@ var UserController = class {
 	* Validates verification code, updates password, and invalidates sessions.
 	*/
 	completePasswordReset = $action({
+		group: this.group,
 		method: "POST",
 		path: `${this.url}/password-reset/complete`,
 		secure: false,
@@ -1725,6 +1847,7 @@ const userRealmConfigSchema = t.object({
 */
 var UserRealmController = class {
 	url = "/realms";
+	group = "realms";
 	userRealmProvider = $inject(UserRealmProvider);
 	serverAuthProvider = $inject(ServerAuthProvider);
 	/**
@@ -1732,6 +1855,7 @@ var UserRealmController = class {
 	* This endpoint is not exposed in the API documentation.
 	*/
 	getRealmConfig = $action({
+		group: this.group,
 		method: "GET",
 		path: `${this.url}/config`,
 		secure: false,
@@ -1753,6 +1877,7 @@ var UserRealmController = class {
 		}
 	});
 	checkUsernameAvailability = $action({
+		group: this.group,
 		path: `${this.url}/check-username`,
 		secure: false,
 		schema: {
@@ -1777,6 +1902,7 @@ var SessionService = class {
 	log = $logger();
 	userRealmProvider = $inject(UserRealmProvider);
 	fileController = $client();
+	auditService = $inject(AuditService);
 	users(userRealmName) {
 		return this.userRealmProvider.userRepository(userRealmName);
 	}
@@ -1816,6 +1942,14 @@ var SessionService = class {
 					username,
 					realm: name
 				});
+				await this.auditService.recordAuth("login_failed", {
+					userRealm: name,
+					description: "Invalid login identifier format",
+					metadata: {
+						provider,
+						username
+					}
+				});
 				throw new InvalidCredentialsError();
 			}
 			const user = await users$1.findOne({ where }).catch(() => void 0);
@@ -1825,6 +1959,14 @@ var SessionService = class {
 					username,
 					realm: name
 				});
+				await this.auditService.recordAuth("login_failed", {
+					userRealm: name,
+					description: "User not found",
+					metadata: {
+						provider,
+						username
+					}
+				});
 				throw new InvalidCredentialsError();
 			}
 			const identity = await identities$1.findOne({ where: {
@@ -1847,8 +1989,28 @@ var SessionService = class {
 					username,
 					realm: name
 				});
+				await this.auditService.recordAuth("login_failed", {
+					userRealm: name,
+					resourceId: user.id,
+					description: "Invalid password",
+					metadata: {
+						provider,
+						username
+					}
+				});
 				throw new InvalidCredentialsError();
 			}
+			await this.auditService.recordAuth("login", {
+				userId: user.id,
+				userEmail: user.email ?? void 0,
+				userRealm: name,
+				resourceId: user.id,
+				description: `User logged in via ${provider}`,
+				metadata: {
+					provider,
+					username
+				}
+			});
 			return user;
 		} catch (error) {
 			if (error instanceof InvalidCredentialsError) throw error;
@@ -1899,6 +2061,14 @@ var SessionService = class {
 			sessionId: session.id,
 			userId: session.userId
 		});
+		const { name } = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordAuth("token_refresh", {
+			userId: user.id,
+			userEmail: user.email ?? void 0,
+			userRealm: name,
+			sessionId: session.id,
+			description: "Session token refreshed"
+		});
 		return {
 			user,
 			expiresIn: expiresAt.unix() - now.unix(),
@@ -1907,8 +2077,18 @@ var SessionService = class {
 	}
 	async deleteSession(refreshToken, userRealmName) {
 		this.log.trace("Deleting session");
+		const session = await this.sessions(userRealmName).findOne({ where: { refreshToken: { eq: refreshToken } } }).catch(() => void 0);
 		await this.sessions(userRealmName).deleteOne({ refreshToken });
 		this.log.debug("Session deleted");
+		if (session) {
+			const { name } = this.userRealmProvider.getRealm(userRealmName);
+			await this.auditService.recordAuth("logout", {
+				userId: session.userId,
+				userRealm: name,
+				sessionId: session.id,
+				description: "User logged out"
+			});
+		}
 	}
 	async link(provider, profile, userRealmName) {
 		this.log.trace("Linking OAuth2 profile", {
@@ -1929,7 +2109,19 @@ var SessionService = class {
 				identityId: identity.id,
 				userId: identity.userId
 			});
-			return users$1.findById(identity.userId);
+			const user$1 = await users$1.findById(identity.userId);
+			await this.auditService.recordAuth("login", {
+				userId: user$1.id,
+				userEmail: user$1.email ?? void 0,
+				userRealm: realm.name,
+				resourceId: user$1.id,
+				description: `User logged in via OAuth2 (${provider})`,
+				metadata: {
+					provider,
+					providerUserId: profile.sub
+				}
+			});
+			return user$1;
 		}
 		if (!profile.email) {
 			this.log.debug("OAuth2 profile has no email, returning profile as-is", {
@@ -1954,6 +2146,18 @@ var SessionService = class {
 				providerUserId: profile.sub,
 				userId: existing.id
 			});
+			await this.auditService.recordAuth("login", {
+				userId: existing.id,
+				userEmail: existing.email ?? void 0,
+				userRealm: realm.name,
+				resourceId: existing.id,
+				description: `OAuth2 identity linked to existing user (${provider})`,
+				metadata: {
+					provider,
+					providerUserId: profile.sub,
+					linked: true
+				}
+			});
 			return existing;
 		}
 		const user = await users$1.create({
@@ -1990,6 +2194,31 @@ var SessionService = class {
 			email: user.email,
 			username: user.username
 		});
+		await this.auditService.recordUser("create", {
+			userId: user.id,
+			userEmail: user.email ?? void 0,
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: `User created via OAuth2 (${provider})`,
+			metadata: {
+				provider,
+				providerUserId: profile.sub,
+				username: user.username,
+				email: user.email
+			}
+		});
+		await this.auditService.recordAuth("login", {
+			userId: user.id,
+			userEmail: user.email ?? void 0,
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: `First login via OAuth2 (${provider})`,
+			metadata: {
+				provider,
+				providerUserId: profile.sub,
+				firstLogin: true
+			}
+		});
 		return user;
 	}
 };
@@ -2015,10 +2244,13 @@ const $userRealm = (options = {}) => {
 	const securityProvider = alepha.inject(SecurityProvider);
 	const userRealmProvider = alepha.inject(UserRealmProvider);
 	const name = options.realm?.name ?? DEFAULT_USER_REALM_NAME;
+	options.settings ??= {};
+	if (options.settings.emailRequired) options.settings.emailEnabled = true;
+	if (options.settings.usernameRequired) options.settings.usernameEnabled = true;
+	if (options.settings.phoneRequired) options.settings.phoneEnabled = true;
 	const userRealm = userRealmProvider.register(name, options);
-	if (options.modules?.audits) alepha.with(AlephaApiAudits);
-	if (options.modules?.files) alepha.with(AlephaApiFiles);
-	if (options.modules?.jobs) alepha.with(AlephaApiJobs);
+	alepha.with(AlephaApiFiles);
+	alepha.with(AlephaApiAudits);
 	const realm = $realm({
 		...options.realm,
 		name,
@@ -2141,6 +2373,8 @@ const AlephaApiUsers = $module({
 	services: [
 		AlephaApiVerification,
 		AlephaApiNotifications,
+		AlephaServerHelmet,
+		AlephaServerCompress,
 		AlephaEmail,
 		UserRealmProvider,
 		SessionService,
@@ -2150,13 +2384,14 @@ const AlephaApiUsers = $module({
 		UserService,
 		IdentityService,
 		UserController,
-		SessionController,
-		IdentityController,
+		AdminUserController,
+		AdminSessionController,
+		AdminIdentityController,
 		UserRealmController,
 		UserNotifications
 	]
 });
 
 //#endregion
-export { $userRealm, AlephaApiUsers, CredentialService, DEFAULT_USER_REALM_NAME, IdentityController, IdentityService, RegistrationService, SessionController, SessionCrudService, SessionService, UserController, UserRealmController, UserRealmProvider, UserService, completePasswordResetRequestSchema, completeRegistrationRequestSchema, createUserSchema, identities, identityQuerySchema, identityResourceSchema, loginSchema, passwordResetIntentResponseSchema, realmAuthSettingsAtom, registerSchema, registrationIntentResponseSchema, resetPasswordRequestSchema, resetPasswordSchema, sessionQuerySchema, sessionResourceSchema, sessions, updateUserSchema, userQuerySchema, userRealmConfigSchema, userResourceSchema, users };
+export { $userRealm, AdminIdentityController, AdminSessionController, AdminUserController, AlephaApiUsers, CredentialService, DEFAULT_USER_REALM_NAME, IdentityService, RegistrationService, SessionCrudService, SessionService, UserController, UserRealmController, UserRealmProvider, UserService, completePasswordResetRequestSchema, completeRegistrationRequestSchema, createUserSchema, identities, identityQuerySchema, identityResourceSchema, loginSchema, passwordResetIntentResponseSchema, realmAuthSettingsAtom, registerSchema, registrationIntentResponseSchema, resetPasswordRequestSchema, resetPasswordSchema, sessionQuerySchema, sessionResourceSchema, sessions, updateUserSchema, userQuerySchema, userRealmConfigSchema, userResourceSchema, users };
 //# sourceMappingURL=index.js.map