npm - cca-auth-module - Versions diffs - 0.2.0 → 0.2.2 - Mend

cca-auth-module 0.2.0 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/README.md +385 -395
package/dist/application/useCase/LogoutUseCase.d.ts +1 -1
package/dist/domain/interfaces/IAuthService.d.ts +2 -2
package/dist/domain/interfaces/IDecodedToken.d.ts +1 -0
package/dist/domain/interfaces/IJwtAuth.d.ts +4 -4
package/dist/domain/interfaces/IJwtPayload.d.ts +1 -0
package/dist/index.d.mts +7 -6
package/dist/index.d.ts +7 -6
package/dist/index.js +136 -58
package/dist/index.js.map +1 -1
package/dist/index.mjs +136 -58
package/dist/index.mjs.map +1 -1
package/dist/infrastructure/repository/AuthRepository.d.ts +2 -1
package/dist/infrastructure/services/JwtAuthService.d.ts +1 -2
package/package.json +19 -16

package/dist/application/useCase/LogoutUseCase.d.ts CHANGED Viewed

@@ -4,5 +4,5 @@ export declare class LogoutUseCase implements IBaseService {
     private readonly repository;
     constructor(repository: AuthRepository);
     initialize(): Promise<void>;
-    execute(authId: string): Promise<void>;
+    execute(userId: string | undefined): Promise<void>;
 }

package/dist/domain/interfaces/IAuthService.d.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 import { AdminEntity, UserEntity, UserRole } from "cca-entities";
 import { IDecodedToken } from "./IDecodedToken";
 export interface IAuthService {
-    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole): string;
+    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole, twoFactorAuthenticated?: boolean): string;
     generateRefreshToken(user: UserEntity | AdminEntity): string;
     verifyAccessToken(token: string): Promise<IDecodedToken>;
-    verifyRefreshToken(token: string): IDecodedToken;
+    verifyRefreshToken(token: string): Promise<IDecodedToken>;
 }

package/dist/domain/interfaces/IDecodedToken.d.ts CHANGED Viewed

@@ -3,4 +3,5 @@ export interface IDecodedToken extends JwtPayload {
     userId?: string;
     email?: string;
     role?: string;
+    twoFactorAuthenticated?: boolean;
 }

package/dist/domain/interfaces/IJwtAuth.d.ts CHANGED Viewed

@@ -1,9 +1,9 @@
-import { AuthEntity, UserEntity, UserRole } from "cca-entities";
+import { AdminEntity, AuthEntity, UserEntity, UserRole } from "cca-entities";
 import { IDecodedToken } from "./IDecodedToken";
 export interface IJwtAuth {
     validateUser(email: string, password: string): Promise<AuthEntity | null>;
-    generateAccessToken(user: UserEntity, role: UserRole): string;
-    generateRefreshToken(user: UserEntity): string;
+    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole, twoFactorAuthenticated?: boolean): string;
+    generateRefreshToken(user: UserEntity | AdminEntity): string;
     verifyAccessToken(token: string): Promise<IDecodedToken>;
-    verifyRefreshToken(token: string): IDecodedToken;
+    verifyRefreshToken(token: string): Promise<IDecodedToken>;
 }

package/dist/domain/interfaces/IJwtPayload.d.ts CHANGED Viewed

@@ -4,4 +4,5 @@ export interface IJwtPayload {
     role: string;
     iat: number;
     exp: number;
+    twoFactorAuthenticated?: boolean;
 }

package/dist/index.d.mts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { BaseRepository, IExtendedBaseRepository, IBaseService, BaseDatabase, BaseContainer } from 'cca-core';
 import { Request, Response, NextFunction } from 'express';
-import { AuthEntity, UserRole, UserEntity, AdminEntity } from 'cca-entities';
+import { AuthEntity, UserEntity, AdminEntity, UserRole } from 'cca-entities';
 import { Repository } from 'typeorm';
 import * as jwt from 'jsonwebtoken';
 import { JwtPayload } from 'jsonwebtoken';
@@ -32,6 +32,7 @@ declare class AuthRepository extends BaseRepository<AuthEntity> implements IExte
     disableTwoFactor(auth: AuthEntity): Promise<void>;
     isTwoFactorEnabled(userId: string): Promise<boolean>;
     getTwoFactorSecret(userId: string): Promise<string | null>;
+    saveAccount(account: UserEntity | AdminEntity): Promise<void>;
 }
 declare class RegisterUseCase implements IBaseService {
@@ -64,24 +65,24 @@ interface IDecodedToken extends JwtPayload {
     userId?: string;
     email?: string;
     role?: string;
+    twoFactorAuthenticated?: boolean;
 }
 interface IAuthService {
-    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole): string;
+    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole, twoFactorAuthenticated?: boolean): string;
     generateRefreshToken(user: UserEntity | AdminEntity): string;
     verifyAccessToken(token: string): Promise<IDecodedToken>;
-    verifyRefreshToken(token: string): IDecodedToken;
+    verifyRefreshToken(token: string): Promise<IDecodedToken>;
 }
 declare class JwtAuthService implements IBaseService, IAuthService {
     private readonly repository;
     private jwtConfig;
     constructor(repository: AuthRepository, config?: IJwtConfig);
-    private loadConfig;
     initialize(): Promise<void>;
     private validateConfiguration;
     private verifyJwtConfig;
-    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole): string;
+    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole, twoFactorAuthenticated?: boolean): string;
     generateRefreshToken(user: UserEntity | AdminEntity): string;
     verifyToken(token: string, secret: string): Promise<IDecodedToken>;
     verifyAccessToken(token: string): Promise<IDecodedToken>;
@@ -105,7 +106,7 @@ declare class LogoutUseCase implements IBaseService {
     private readonly repository;
     constructor(repository: AuthRepository);
     initialize(): Promise<void>;
-    execute(authId: string): Promise<void>;
+    execute(userId: string | undefined): Promise<void>;
 }
 interface ITokenPair {

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { BaseRepository, IExtendedBaseRepository, IBaseService, BaseDatabase, BaseContainer } from 'cca-core';
 import { Request, Response, NextFunction } from 'express';
-import { AuthEntity, UserRole, UserEntity, AdminEntity } from 'cca-entities';
+import { AuthEntity, UserEntity, AdminEntity, UserRole } from 'cca-entities';
 import { Repository } from 'typeorm';
 import * as jwt from 'jsonwebtoken';
 import { JwtPayload } from 'jsonwebtoken';
@@ -32,6 +32,7 @@ declare class AuthRepository extends BaseRepository<AuthEntity> implements IExte
     disableTwoFactor(auth: AuthEntity): Promise<void>;
     isTwoFactorEnabled(userId: string): Promise<boolean>;
     getTwoFactorSecret(userId: string): Promise<string | null>;
+    saveAccount(account: UserEntity | AdminEntity): Promise<void>;
 }
 declare class RegisterUseCase implements IBaseService {
@@ -64,24 +65,24 @@ interface IDecodedToken extends JwtPayload {
     userId?: string;
     email?: string;
     role?: string;
+    twoFactorAuthenticated?: boolean;
 }
 interface IAuthService {
-    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole): string;
+    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole, twoFactorAuthenticated?: boolean): string;
     generateRefreshToken(user: UserEntity | AdminEntity): string;
     verifyAccessToken(token: string): Promise<IDecodedToken>;
-    verifyRefreshToken(token: string): IDecodedToken;
+    verifyRefreshToken(token: string): Promise<IDecodedToken>;
 }
 declare class JwtAuthService implements IBaseService, IAuthService {
     private readonly repository;
     private jwtConfig;
     constructor(repository: AuthRepository, config?: IJwtConfig);
-    private loadConfig;
     initialize(): Promise<void>;
     private validateConfiguration;
     private verifyJwtConfig;
-    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole): string;
+    generateAccessToken(user: UserEntity | AdminEntity, role: UserRole, twoFactorAuthenticated?: boolean): string;
     generateRefreshToken(user: UserEntity | AdminEntity): string;
     verifyToken(token: string, secret: string): Promise<IDecodedToken>;
     verifyAccessToken(token: string): Promise<IDecodedToken>;
@@ -105,7 +106,7 @@ declare class LogoutUseCase implements IBaseService {
     private readonly repository;
     constructor(repository: AuthRepository);
     initialize(): Promise<void>;
-    execute(authId: string): Promise<void>;
+    execute(userId: string | undefined): Promise<void>;
 }
 interface ITokenPair {

package/dist/index.js CHANGED Viewed

@@ -174,6 +174,7 @@ var import_jwt_decode = require("jwt-decode");
 var yup = __toESM(require("yup"));
 var import_cca_entities = require("cca-entities");
 var import_bcrypt = __toESM(require("bcrypt"));
+var import_crypto = __toESM(require("crypto"));
 var schemas = {
   id: yup.string().uuid("Invalid user ID format"),
   email: yup.string().email("Invalid email format").max(255, "Email cannot exceed 255 characters"),
@@ -186,8 +187,9 @@ var schemas = {
 };
 var validateEmail = /* @__PURE__ */ __name(async (email, repository) => {
   try {
-    await schemas.email.validate(email?.trim().toLowerCase());
-    const user = await repository.findByEmail(email);
+    const normalizedEmail = email?.trim().toLowerCase();
+    await schemas.email.validate(normalizedEmail);
+    const user = await repository.findByEmail(normalizedEmail);
     if (!user) {
       throw new NotFoundError(
         "The email address or password is incorrect. Please retry"
@@ -209,8 +211,9 @@ var validatePassword = /* @__PURE__ */ __name(async (password) => {
 }, "validatePassword");
 var validateEmailUniqueness = /* @__PURE__ */ __name(async (repository, email, excludeUserId) => {
   try {
-    await schemas.email.validate(email?.trim().toLowerCase());
-    const existingUser = await repository.findByEmail(email);
+    const normalizedEmail = email?.trim().toLowerCase();
+    await schemas.email.validate(normalizedEmail);
+    const existingUser = await repository.findByEmail(normalizedEmail);
     if (!existingUser) return;
     if (existingUser.id === excludeUserId) return;
     throw new ValidationError(`Email ${email} is already in use.`);
@@ -255,7 +258,14 @@ var validateAdminSecret = /* @__PURE__ */ __name(async (secretPassword) => {
     if (!config.adminSecretPassword) {
       throw new ValidationError("ADMIN_SECRET_PASSWORD not found in config");
     }
-    if (parseInt(secretPassword) !== parseInt(config.adminSecretPassword)) {
+    const provided = secretPassword.trim();
+    const expected = config.adminSecretPassword.trim();
+    if (provided.length !== expected.length) {
+      throw new ValidationError("Invalid admin password");
+    }
+    const providedBuf = Buffer.from(provided);
+    const expectedBuf = Buffer.from(expected);
+    if (!import_crypto.default.timingSafeEqual(providedBuf, expectedBuf)) {
       throw new ValidationError("Invalid admin password");
     }
   } catch (error) {
@@ -285,8 +295,9 @@ var _LoginUseCase = class _LoginUseCase {
     if (!account) {
       throw new NotFoundError(`${isAdmin ? "Admin" : "User"} account not found or inactive`);
     }
-    const accessToken = this.jwtService.generateAccessToken(account, auth.role);
-    const expiresAt = (0, import_jwt_decode.jwtDecode)(accessToken).exp;
+    const accessToken = this.jwtService.generateAccessToken(account, auth.role, false);
+    const decoded = (0, import_jwt_decode.jwtDecode)(accessToken);
+    const expiresAt = decoded.exp ?? 0;
     return { id: account.id, accessToken, expiresAt, enabled: auth.twoFactorEnabled };
   }
 };
@@ -302,11 +313,17 @@ var _LogoutUseCase = class _LogoutUseCase {
   async initialize() {
     await (0, import_cca_core2.validateRepository)(this.repository, (repo) => repo.getAll());
   }
-  async execute(authId) {
+  async execute(userId) {
     try {
-      await this.repository.logout(authId);
+      if (!userId) {
+        throw new NotFoundError("User ID is required");
+      }
+      await this.repository.logout(userId);
     } catch (error) {
-      new NotFoundError("Auth not found");
+      if (error instanceof NotFoundError) {
+        throw error;
+      }
+      throw new NotFoundError("Auth not found");
     }
   }
 };
@@ -478,7 +495,11 @@ var _RegisterUseCase = class _RegisterUseCase {
     const authEntity = mapper.map(dto, RegisterDTO, import_cca_entities3.AuthEntity);
     const userOrAdminEntity = isAdmin ? mapper.map(dto, RegisterDTO, import_cca_entities3.AdminEntity) : mapper.map(dto, RegisterDTO, import_cca_entities3.UserEntity);
     userOrAdminEntity.updatedAt = void 0;
-    authEntity.user = userOrAdminEntity;
+    if (isAdmin) {
+      authEntity.admin = userOrAdminEntity;
+    } else {
+      authEntity.user = userOrAdminEntity;
+    }
     authEntity.password = hashedPassword;
     authEntity.refreshToken = "";
     return authEntity;
@@ -499,18 +520,23 @@ var _RefreshTokenUseCase = class _RefreshTokenUseCase {
   }
   async execute(refreshToken) {
     try {
+      if (!refreshToken) return null;
       const decoded = await this.service.verifyRefreshToken(refreshToken);
       if (!decoded.userId) return null;
-      const authEntity = await this.repository.findByUseAdminId(decoded.userId);
+      const authEntity = await this.repository.findByUserOrAdminId(decoded.userId);
       if (!authEntity) return null;
+      if (!authEntity.refreshToken || authEntity.refreshToken !== refreshToken) return null;
       const account = authEntity.user ?? authEntity.admin;
       if (!account) return null;
-      const accessToken = this.service.generateAccessToken(account, authEntity.role);
+      const accessToken = this.service.generateAccessToken(
+        account,
+        authEntity.role,
+        !!authEntity.twoFactorEnabled
+      );
       const newRefreshToken = this.service.generateRefreshToken(account);
       await this.repository.update(authEntity.id, { refreshToken: newRefreshToken });
       return { accessToken, refreshToken: newRefreshToken };
     } catch (error) {
-      console.error("Refresh token failed:", error);
       return null;
     }
   }
@@ -576,6 +602,9 @@ var _TwoFactorEnableUseCase = class _TwoFactorEnableUseCase {
     if (!token) {
       throw new TwoFactorError("Token is required");
     }
+    if (!userId) {
+      throw new TwoFactorError("User ID is required");
+    }
     const auth = await this.authRepository.findByUserOrAdminId(userId);
     if (!auth || !auth.twoFactorSecret) {
       throw new TwoFactorError("Please set up two-factor authentication first");
@@ -658,7 +687,7 @@ var _TwoFactorVerifyUseCase = class _TwoFactorVerifyUseCase {
     if (!account) throw new NotFoundError("User or Admin account not found for AuthEntity");
     account.lastLoginAt = /* @__PURE__ */ new Date();
     account.isActive = true;
-    await this.authRepository.update(auth.id, auth);
+    await this.authRepository.saveAccount(account);
   }
   async updateUserRefreshToken(auth, refreshToken) {
     auth.refreshToken = refreshToken;
@@ -668,7 +697,7 @@ var _TwoFactorVerifyUseCase = class _TwoFactorVerifyUseCase {
     const account = auth.user ?? auth.admin;
     if (!account) throw new NotFoundError("User or Admin account not found for AuthEntity");
     return {
-      accessToken: this.jwtService.generateAccessToken(account, auth.role),
+      accessToken: this.jwtService.generateAccessToken(account, auth.role, true),
       refreshToken: this.jwtService.generateRefreshToken(account)
     };
   }
@@ -690,7 +719,6 @@ var _TwoFactorDisableUseCase = class _TwoFactorDisableUseCase {
       this.twoFactorService.initialize(),
       (0, import_cca_core7.validateRepository)(this.authRepository, (repo) => repo.getAll())
     ]);
-    4;
     this.isInitialized = true;
   }
   async execute(userId, dto) {
@@ -698,6 +726,12 @@ var _TwoFactorDisableUseCase = class _TwoFactorDisableUseCase {
       await this.initialize();
     }
     const { token } = dto;
+    if (!token) {
+      throw new TwoFactorError("Token is required");
+    }
+    if (!userId) {
+      throw new TwoFactorError("User ID is required");
+    }
     const user = await this.authRepository.findByUserOrAdminId(userId);
     if (!user || !user.twoFactorSecret || !user.twoFactorEnabled) {
       throw new TwoFactorError("Two-factor authentication is not enabled");
@@ -773,11 +807,13 @@ var _AuthController = class _AuthController {
         }
         const result = await this.loginUseCase.execute(loginDTO, adminPassword);
         const adminLoginData = {
-          message: result,
+          accessToken: result.accessToken,
+          userId: result.id,
+          expiresAt: result.expiresAt,
           auth: this.createAuthData(
             true,
-            false,
-            AUTH_STATUS.BASIC_AUTH,
+            result.enabled ?? false,
+            result.enabled ?? false ? AUTH_STATUS.PENDING_VERIFICATION : AUTH_STATUS.BASIC_AUTH,
             false
           )
         };
@@ -788,7 +824,8 @@ var _AuthController = class _AuthController {
     }, "adminLogin");
     this.logout = /* @__PURE__ */ __name(async (req, res, next) => {
       try {
-        await this.logoutUseCase.execute(req.body.id);
+        const userId = req.auth?.userId ?? req.body.id;
+        await this.logoutUseCase.execute(userId);
         const logoutData = {
           auth: this.createAuthData(
             false,
@@ -849,10 +886,10 @@ var _AuthController = class _AuthController {
     }, "refreshToken");
     this.setup2FA = /* @__PURE__ */ __name(async (req, res, next) => {
       try {
-        if (!req.auth?.id) {
+        if (!req.auth?.userId) {
           throw new ForbiddenError("User authentication required");
         }
-        const result = await this.twoFactorSetupUseCase.execute(req.auth.id);
+        const result = await this.twoFactorSetupUseCase.execute(req.auth.userId);
         const setupData = {
           qrCode: result.qrCodeUrl,
           auth: this.createAuthData(true, false, AUTH_STATUS.NEEDS_SETUP)
@@ -868,7 +905,10 @@ var _AuthController = class _AuthController {
     }, "setup2FA");
     this.enable2FA = /* @__PURE__ */ __name(async (req, res, next) => {
       try {
-        const dto = { ...req.body, userId: req.auth?.id };
+        if (!req.auth?.userId) {
+          throw new ForbiddenError("User authentication required");
+        }
+        const dto = { ...req.body, userId: req.auth?.userId };
         await this.twoFactorEnableUseCase.execute(dto);
         const enableData = {
           enabledAt: (/* @__PURE__ */ new Date()).toISOString(),
@@ -885,16 +925,22 @@ var _AuthController = class _AuthController {
     }, "enable2FA");
     this.verify2FA = /* @__PURE__ */ __name(async (req, res, next) => {
       try {
-        const dto = req.body;
+        if (!req.auth?.userId) {
+          throw new ForbiddenError("User authentication required");
+        }
+        const dto = { ...req.body, userId: req.auth.userId };
         const result = await this.twoFactorVerifyUseCase.execute(dto);
+        if (!result) {
+          throw new Error("Two-factor verification failed");
+        }
         const verifyData = {
-          token: result?.token,
-          refreshToken: result?.refreshToken,
+          token: result.token,
+          refreshToken: result.refreshToken,
           user: {
-            id: result?.data?.id,
-            email: result?.data?.email,
-            name: result?.data?.name,
-            role: result?.data?.role
+            id: result.data?.id,
+            email: result.data?.email,
+            name: result.data?.name,
+            role: result.data?.role
           },
           auth: this.createAuthData(true, true, AUTH_STATUS.FULL_AUTH, true)
         };
@@ -909,7 +955,10 @@ var _AuthController = class _AuthController {
     }, "verify2FA");
     this.disable2FA = /* @__PURE__ */ __name(async (req, res, next) => {
       try {
-        const userId = req.auth.id;
+        const userId = req.auth?.userId;
+        if (!userId) {
+          throw new ForbiddenError("User authentication required");
+        }
         const dto = req.body;
         await this.twoFactorDisableUseCase.execute(userId, dto);
         const disableData = {
@@ -973,11 +1022,14 @@ var _RequireComplete2FA = class _RequireComplete2FA {
         return res.status(401).json({ message: "Authentication required" });
       }
       const decoded = await this.jwtService.verifyAccessToken(token);
+      if (!decoded.userId) {
+        return res.status(401).json({ message: "Invalid token payload" });
+      }
       if (!decoded.twoFactorAuthenticated) {
         return res.status(403).json({
           message: "Two-factor authentication required",
           code: "REQUIRE_2FA",
-          userId: decoded.id
+          userId: decoded.userId
         });
       }
       req.auth = { ...decoded, twoFactorAuthenticated: true };
@@ -1001,7 +1053,14 @@ var _AuthRepository = class _AuthRepository extends import_cca_core8.BaseReposit
     return result;
   }
   async create(entity) {
-    return super.create(entity);
+    const now = /* @__PURE__ */ new Date();
+    const auth = this.repository.create({
+      ...entity,
+      createdAt: now,
+      updatedAt: now,
+      isDeleted: false
+    });
+    return this.repository.save(auth);
   }
   async findByUserOrAdminId(id) {
     return await this.repository.createQueryBuilder("auth").leftJoinAndSelect("auth.user", "user").leftJoinAndSelect("auth.admin", "admin").addSelect("auth.twoFactorSecret").where("user.id = :id", { id }).orWhere("admin.id = :id", { id }).getOne();
@@ -1024,6 +1083,7 @@ var _AuthRepository = class _AuthRepository extends import_cca_core8.BaseReposit
     if (account) {
       auth.refreshToken = "";
       account.isActive = false;
+      await this.saveAccount(account);
     }
     await this.update(auth.id, auth);
   }
@@ -1058,6 +1118,9 @@ var _AuthRepository = class _AuthRepository extends import_cca_core8.BaseReposit
     }
     return auth.twoFactorSecret;
   }
+  async saveAccount(account) {
+    await this.repository.manager.save(account);
+  }
 };
 __name(_AuthRepository, "AuthRepository");
 var AuthRepository = _AuthRepository;
@@ -1068,34 +1131,40 @@ var import_cca_core9 = require("cca-core");
 var _JwtAuthService = class _JwtAuthService {
   constructor(repository, config) {
     this.repository = repository;
-    this.loadConfig(config);
-  }
-  async loadConfig(config) {
-    const configData = await createConfigInstance();
-    this.jwtConfig = {
-      accessTokenSecret: configData.accessTokenSecret,
-      refreshTokenSecret: configData.refreshTokenSecret,
-      accessTokenExpiry: parseInt(configData.accessTokenExpiry, 10),
-      refreshTokenExpiry: parseInt(configData.refreshTokenExpiry, 10),
-      ...config
-    };
+    if (config) {
+      this.jwtConfig = {
+        accessTokenSecret: config.accessTokenSecret,
+        refreshTokenSecret: config.refreshTokenSecret,
+        accessTokenExpiry: config.accessTokenExpiry,
+        refreshTokenExpiry: config.refreshTokenExpiry
+      };
+    }
     this.validateConfiguration();
   }
   async initialize() {
     await (0, import_cca_core9.validateRepository)(this.repository, (repo) => repo.getAll());
+    this.validateConfiguration();
   }
   validateConfiguration() {
     if (!this.jwtConfig?.accessTokenSecret || !this.jwtConfig?.refreshTokenSecret) {
       throw new JwtError("JWT secrets required in config");
     }
+    if (this.jwtConfig.accessTokenExpiry == null || this.jwtConfig.refreshTokenExpiry == null) {
+      throw new JwtError("JWT expirations required in config");
+    }
   }
   verifyJwtConfig() {
     if (!this.jwtConfig) throw new JwtError("JWT config not loaded");
   }
-  generateAccessToken(user, role) {
+  generateAccessToken(user, role, twoFactorAuthenticated = false) {
     this.verifyJwtConfig();
     return jwt.sign(
-      { userId: user.id, email: user.email, role },
+      {
+        userId: user.id,
+        email: user.email,
+        role,
+        twoFactorAuthenticated
+      },
       this.jwtConfig.accessTokenSecret,
       { expiresIn: this.jwtConfig.accessTokenExpiry }
     );
@@ -1110,11 +1179,8 @@ var _JwtAuthService = class _JwtAuthService {
   }
   async verifyToken(token, secret) {
     try {
-      console.log("Verifying token:", token);
-      console.log("Using secret:", secret);
       return jwt.verify(token, secret);
     } catch (error) {
-      console.error("Error verifying token:", error);
       throw new UnauthorizedError();
     }
   }
@@ -1137,9 +1203,11 @@ var _TwoFactorService = class _TwoFactorService {
   constructor(config) {
     this.initialized = false;
     this.config = config;
+    const parsedTokenWindow = Number.parseInt(config.tokenWindow, 10);
+    const parsedSecretLength = Number.parseInt(config.secretLength, 10);
     this.twoFactorConfig = {
-      tokenWindow: parseInt(config.tokenWindow) ?? 1,
-      secretLength: parseInt(config.secretLength) ?? 20,
+      tokenWindow: Number.isFinite(parsedTokenWindow) ? parsedTokenWindow : 1,
+      secretLength: Number.isFinite(parsedSecretLength) ? parsedSecretLength : 20,
       qrCodeOptions: {
         errorCorrectionLevel: "M",
         margin: 4,
@@ -1228,25 +1296,35 @@ async function createAuthContainer(database) {
     database.getRepository(import_cca_entities5.AuthEntity)
   );
   container.registerRepository("AuthRepository", authRepository);
-  const jwtAuthService = new JwtAuthService(authRepository);
-  container.registerService("JwtAuthService", jwtAuthService);
   const configData = await createConfigInstance();
+  const parseExpiry = /* @__PURE__ */ __name((value) => {
+    const numeric = Number(value);
+    return Number.isFinite(numeric) ? numeric : value;
+  }, "parseExpiry");
+  const jwtConfig = {
+    accessTokenSecret: configData.accessTokenSecret,
+    refreshTokenSecret: configData.refreshTokenSecret,
+    accessTokenExpiry: parseExpiry(configData.accessTokenExpiry),
+    refreshTokenExpiry: parseExpiry(configData.refreshTokenExpiry)
+  };
+  const configuredJwtAuthService = new JwtAuthService(authRepository, jwtConfig);
+  container.registerService("JwtAuthService", configuredJwtAuthService);
   const twoFactorService = new TwoFactorService(configData);
   container.registerService("TwoFactorService", twoFactorService);
-  const requireComplete2FA = new RequireComplete2FA(jwtAuthService);
-  const loginUseCase = new LoginUseCase(authRepository, jwtAuthService);
+  const requireComplete2FA = new RequireComplete2FA(configuredJwtAuthService);
+  const loginUseCase = new LoginUseCase(authRepository, configuredJwtAuthService);
   const logoutUseCase = new LogoutUseCase(authRepository);
   const registerUseCase = new RegisterUseCase(authRepository);
   const refreshTokenUseCase = new RefreshTokenUseCase(
     authRepository,
-    jwtAuthService
+    configuredJwtAuthService
   );
   const twoFactorSetupUseCase = new TwoFactorSetupUseCase(twoFactorService, authRepository);
   const twoFactorEnableUseCase = new TwoFactorEnableUseCase(twoFactorService, authRepository);
   const twoFactorVerifyUseCase = new TwoFactorVerifyUseCase(
     twoFactorService,
     authRepository,
-    jwtAuthService
+    configuredJwtAuthService
   );
   const twoFactorDisableUseCase = new TwoFactorDisableUseCase(twoFactorService, authRepository);
   container.registerService("LoginUseCase", loginUseCase);