create-forgeon 0.3.24 → 0.3.26

package/templates/module-fragments/accounts/20_scope.md

@@ -5,11 +5,10 @@ Implemented scope:
 1. Public installer surface:
    - single umbrella add-module: `accounts`
    - requires `db-adapter`
-   - requires `communications-runtime`
 2. Internal runtime split:
    - `@forgeon/accounts-contracts`
    - `@forgeon/accounts-api`
-   - users core, auth core, auth-jwt, auth-password
+   - users core, auth core, handlers, auth-jwt, auth-password
 3. API runtime:
    - `POST /api/auth/register`
    - `POST /api/auth/login`
@@ -17,14 +16,14 @@ Implemented scope:
    - `POST /api/auth/logout`
    - `GET /api/auth/me`
    - `POST /api/auth/change-password`
-   - stub endpoints for verify-email and password reset confirmation
 4. Users surface:
    - owner-scoped routes under `/api/users/:id`, `/api/users/:id/profile`, `/api/users/:id/settings`
    - `/users/me` is resolved through the same owner-scoped route surface
 5. Persistence and security:
-   - DB-backed `User`, `UserProfile`, `UserSettings`, `AuthIdentity`, `AuthCredential`, `AuthRefreshToken`
+   - DB-backed `User`, `UserProfile`, `UserSettings`, `AuthIdentity`, `AuthCredential`, `AuthRefreshToken`, `AuthPendingOperation`
    - argon2 for password and refresh-token hashing
    - refresh token rotation + revoke with per-token storage rows
+   - pending operation records for delayed confirmation and recovery flows
 6. Module checks:
    - API probe endpoint: `GET /api/health/auth`
-   - default web probe button + result block
+   - default web probe button + result block

package/templates/module-fragments/accounts/90_status_implemented.md

@@ -3,6 +3,6 @@
 Status: implemented.
 
 Notes:
-- `accounts` is a hard consumer of the `db-adapter` and `communications-runtime` capabilities.
+- `accounts` is a hard consumer of the `db-adapter` capability only.
 - The base accounts schema does not store RBAC roles or permissions.
-- Registration and password-reset request flows send best-effort communication intents through `CommunicationsService`.
+- Delivery-assisted auth/account flows belong to the optional `accounts-communications` extension.

package/templates/module-fragments/accounts-communications/00_title.md

@@ -0,0 +1 @@
+# {{MODULE_LABEL}}

package/templates/module-fragments/accounts-communications/10_overview.md

@@ -0,0 +1,3 @@
+## Overview
+
+{{MODULE_DESCRIPTION}}

package/templates/module-fragments/accounts-communications/20_scope.md

@@ -0,0 +1,24 @@
+## Scope
+
+Implemented scope:
+
+1. Public installer surface:
+   - single add-module: `accounts-communications`
+   - requires `accounts`
+   - requires `communications`
+2. Runtime package:
+   - `@forgeon/accounts-communications`
+3. Handler rebinding:
+   - pending-verification `register`
+   - confirmable `change-password`
+4. Extension routes:
+   - `POST /api/auth/verify-email`
+   - `POST /api/auth/password-reset/request`
+   - `POST /api/auth/password-reset/confirm`
+   - `POST /api/auth/change-password/confirm`
+   - `POST /api/auth/change-email/request`
+   - `POST /api/auth/change-email/confirm`
+5. Runtime boundaries:
+   - one `AuthCommunicationsController`
+   - one `AuthCommunicationsService`
+   - base account/auth state remains owned by `accounts`

package/templates/module-fragments/accounts-communications/90_status_implemented.md

@@ -0,0 +1,3 @@
+## Status
+
+Current status: implemented.

package/templates/module-fragments/communications/20_scope.md

@@ -1,4 +1,4 @@
-## Scope
+## Scope
 
 Implemented scope:
 
@@ -14,7 +14,10 @@ Implemented scope:
    - email channel with Gmail SMTP transport configuration
    - sms stub channel
    - push stub channel
-5. Module checks:
+5. SMTP defaults:
+   - `COMMUNICATIONS_EMAIL_SMTP_SECURE=false` uses STARTTLS mode correctly on port `587`
+   - `COMMUNICATIONS_EMAIL_FROM` falls back to the authenticated SMTP user when left empty
+6. Module checks:
    - `GET /api/health/communications`
    - `POST /api/health/communications`
    - default web probe with email input + test send

package/templates/module-presets/accounts/apps/api/prisma/migrations/0002_accounts_core/migration.sql

@@ -6,6 +6,7 @@ ALTER TABLE "User"
 DROP COLUMN IF EXISTS "email",
 ADD COLUMN IF NOT EXISTS "status" TEXT NOT NULL DEFAULT 'active',
 ADD COLUMN IF NOT EXISTS "data" JSONB,
+ADD COLUMN IF NOT EXISTS "emailVerifiedAt" TIMESTAMP(3),
 ADD COLUMN IF NOT EXISTS "deletedAt" TIMESTAMP(3),
 ADD COLUMN IF NOT EXISTS "updatedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP;
 
@@ -57,10 +58,24 @@ CREATE TABLE IF NOT EXISTS "AuthRefreshToken" (
   CONSTRAINT "AuthRefreshToken_pkey" PRIMARY KEY ("id")
 );
 
+-- CreateTable
+CREATE TABLE IF NOT EXISTS "AuthPendingOperation" (
+  "id" TEXT NOT NULL,
+  "userId" TEXT NOT NULL,
+  "type" TEXT NOT NULL,
+  "tokenHash" TEXT NOT NULL,
+  "metadata" JSONB,
+  "expiresAt" TIMESTAMP(3) NOT NULL,
+  "consumedAt" TIMESTAMP(3),
+  "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT "AuthPendingOperation_pkey" PRIMARY KEY ("id")
+);
+
 -- Indexes
 CREATE UNIQUE INDEX IF NOT EXISTS "AuthIdentity_provider_providerId_key" ON "AuthIdentity"("provider", "providerId");
 CREATE UNIQUE INDEX IF NOT EXISTS "AuthCredential_userId_key" ON "AuthCredential"("userId");
 CREATE INDEX IF NOT EXISTS "AuthRefreshToken_userId_createdAt_idx" ON "AuthRefreshToken"("userId", "createdAt");
+CREATE INDEX IF NOT EXISTS "AuthPendingOperation_userId_type_createdAt_idx" ON "AuthPendingOperation"("userId", "type", "createdAt");
 
 -- Foreign keys
 DO $$
@@ -94,4 +109,10 @@ BEGIN
     ADD CONSTRAINT "AuthRefreshToken_userId_fkey"
     FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
   END IF;
-END $$;
+
+  IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'AuthPendingOperation_userId_fkey') THEN
+    ALTER TABLE "AuthPendingOperation"
+    ADD CONSTRAINT "AuthPendingOperation_userId_fkey"
+    FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+  END IF;
+END $$;

package/templates/module-presets/accounts/packages/accounts-api/package.json

@@ -9,7 +9,6 @@
   },
   "dependencies": {
     "@forgeon/accounts-contracts": "workspace:*",
-    "@forgeon/communications": "workspace:*",
     "@forgeon/db-prisma": "workspace:*",
     "@nestjs/common": "^11.0.1",
     "@nestjs/config": "^4.0.2",

package/templates/module-presets/accounts/packages/accounts-api/src/auth-core.service.ts

@@ -3,18 +3,22 @@ import {
   BadRequestException,
   ConflictException,
   Injectable,
-  Logger,
+  NotFoundException,
   UnauthorizedException,
 } from '@nestjs/common';
-import { CommunicationsService } from '@forgeon/communications';
 import type {
   AuthSessionResponse,
+  JsonObject,
   RegisterRequest,
   UserRecordDto,
 } from '@forgeon/accounts-contracts';
 import { AuthJwtService } from './auth-jwt.service';
 import { AuthPasswordService } from './auth-password.service';
-import { AuthStore } from './auth.store';
+import {
+  AuthStore,
+  type PasswordAccountRecord,
+  type PendingOperationRecord,
+} from './auth.store';
 import type { AuthRefreshTokenPayload } from './auth.types';
 import { UsersService } from './users.service';
 import { toUserRecordDto } from './users.types';
@@ -25,21 +29,27 @@ const AUTH_ERROR_CODES = {
   tokenExpired: 'AUTH_TOKEN_EXPIRED',
   emailTaken: 'AUTH_EMAIL_TAKEN',
   accountDisabled: 'AUTH_ACCOUNT_DISABLED',
+  pendingOperationInvalid: 'AUTH_PENDING_OPERATION_INVALID',
 } as const;
 
+const DEFAULT_PENDING_OPERATION_TTL_MS = 1000 * 60 * 30;
+
 @Injectable()
 export class AuthCoreService {
-  private readonly logger = new Logger(AuthCoreService.name);
-
   constructor(
     private readonly authStore: AuthStore,
-    private readonly communicationsService: CommunicationsService,
     private readonly authJwtService: AuthJwtService,
     private readonly authPasswordService: AuthPasswordService,
     private readonly usersService: UsersService,
   ) {}
 
-  async registerWithPassword(input: RegisterRequest): Promise<AuthSessionResponse> {
+  async createPasswordAccount(
+    input: RegisterRequest,
+    options: {
+      status: string;
+      emailVerifiedAt: Date | null;
+    },
+  ): Promise<PasswordAccountRecord> {
     const email = input.email.trim().toLowerCase();
     const existing = await this.authStore.findPasswordAccountByEmail(email);
     if (existing) {
@@ -50,10 +60,11 @@ export class AuthCoreService {
     }
 
     const passwordHash = await this.authPasswordService.hash(input.password);
-    const account = await this.authStore.createPasswordAccount({
+    return this.authStore.createPasswordAccount({
       email,
       passwordHash,
-      status: 'active',
+      status: options.status,
+      emailVerifiedAt: options.emailVerifiedAt,
       userData: this.usersService.resolveUserData(input.user),
       profile: {
         name: this.readNullableString(input.profile, 'name'),
@@ -66,40 +77,6 @@ export class AuthCoreService {
         data: this.usersService.resolveSettingsData(this.readNestedObject(input.settings, 'data')),
       },
     });
-
-    const accountDto = toUserRecordDto(account);
-    const verificationToken = this.createStubToken('verify', account.id);
-    await Promise.all([
-      this.sendCommunicationSafely({
-        kind: 'email_verification_code',
-        channels: ['email'],
-        recipient: { email },
-        payload: {
-          NAME: accountDto.profile?.name ?? 'there',
-          CODE: verificationToken,
-        },
-        locale: accountDto.settings?.locale ?? undefined,
-        metadata: {
-          USER_ID: account.id,
-          SOURCE: 'accounts.register',
-        },
-      }),
-      this.sendCommunicationSafely({
-        kind: 'welcome_email',
-        channels: ['email'],
-        recipient: { email },
-        payload: {
-          NAME: accountDto.profile?.name ?? 'there',
-        },
-        locale: accountDto.settings?.locale ?? undefined,
-        metadata: {
-          USER_ID: account.id,
-          SOURCE: 'accounts.register',
-        },
-      }),
-    ]);
-
-    return this.issueSession(accountDto);
   }
 
   async loginWithPassword(emailInput: string, password: string): Promise<AuthSessionResponse> {
@@ -116,7 +93,7 @@ export class AuthCoreService {
       throw this.invalidCredentialsError();
     }
 
-    return this.issueSession(toUserRecordDto(account));
+    return this.issueSessionForAccount(account);
   }
 
   async refreshTokens(refreshToken: string): Promise<AuthSessionResponse> {
@@ -152,17 +129,10 @@ export class AuthCoreService {
       });
     }
 
-    const account = await this.authStore.findAccountByUserId(payload.sub);
-    if (!account) {
-      throw new UnauthorizedException({
-        message: 'Refresh token is invalid or expired',
-        details: { code: AUTH_ERROR_CODES.refreshInvalid },
-      });
-    }
-
+    const account = await this.findAccountByUserIdOrThrow(payload.sub);
     this.assertAccountActive(account);
     await this.authStore.revokeRefreshToken(record.id, new Date());
-    return this.issueSession(toUserRecordDto(account));
+    return this.issueSessionForAccount(account);
   }
 
   async logout(userId: string, refreshToken: string): Promise<void> {
@@ -177,62 +147,104 @@ export class AuthCoreService {
     await this.authStore.revokeRefreshToken(payload.jti, new Date());
   }
 
-  async changePassword(userId: string, newPassword: string): Promise<void> {
+  async changePasswordNow(userId: string, newPassword: string): Promise<void> {
     const passwordHash = await this.authPasswordService.hash(newPassword);
+    await this.applyPasswordHash(userId, passwordHash);
+  }
+
+  async applyPasswordHash(userId: string, passwordHash: string): Promise<void> {
     await this.authStore.updatePassword(userId, passwordHash);
     await this.authStore.revokeRefreshTokensForUser(userId, new Date());
   }
 
-  async requestPasswordReset(emailInput: string) {
+  async markEmailVerified(userId: string): Promise<PasswordAccountRecord> {
+    await this.authStore.markEmailVerified(userId, new Date());
+    return this.findAccountByUserIdOrThrow(userId);
+  }
+
+  async updatePrimaryEmail(userId: string, emailInput: string): Promise<PasswordAccountRecord> {
     const email = emailInput.trim().toLowerCase();
-    const account = await this.authStore.findPasswordAccountByEmail(email);
-    if (account) {
-      const user = toUserRecordDto(account);
-      await this.sendCommunicationSafely({
-        kind: 'password_reset',
-        channels: ['email'],
-        recipient: { email },
-        payload: {
-          NAME: user.profile?.name ?? 'there',
-          TOKEN: this.createStubToken('reset', account.id),
-        },
-        locale: user.settings?.locale ?? undefined,
-        metadata: {
-          USER_ID: account.id,
-          SOURCE: 'accounts.password-reset',
-        },
+    const existing = await this.authStore.findPasswordAccountByEmail(email);
+    if (existing && existing.id !== userId) {
+      throw new ConflictException({
+        message: 'Email is already registered',
+        details: { code: AUTH_ERROR_CODES.emailTaken },
       });
     }
 
-    return {
-      status: 'accepted',
-      delivery: 'communications',
-    };
+    await this.authStore.updatePrimaryEmail(userId, email, new Date());
+    return this.findAccountByUserIdOrThrow(userId);
   }
 
-  async resetPassword(token: string, newPassword: string) {
-    if (token.trim().length < 8) {
-      throw new BadRequestException('Reset token is invalid');
-    }
+  async issuePendingOperation(input: {
+    userId: string;
+    type: string;
+    metadata?: JsonObject | null;
+    ttlMs?: number;
+  }): Promise<{ token: string; id: string; expiresAt: Date }> {
+    const id = crypto.randomUUID();
+    const secret = crypto.randomBytes(24).toString('hex');
+    const tokenHash = await this.authPasswordService.hash(secret);
+    const expiresAt = new Date(Date.now() + (input.ttlMs ?? DEFAULT_PENDING_OPERATION_TTL_MS));
+
+    await this.authStore.createPendingOperation({
+      id,
+      userId: input.userId,
+      type: input.type,
+      tokenHash,
+      metadata: input.metadata ?? null,
+      expiresAt,
+    });
 
     return {
-      status: 'accepted',
-      delivery: 'stub',
-      nextAction: 'accounts-token-flow',
-      passwordLength: newPassword.length,
+      id,
+      token: `${id}.${secret}`,
+      expiresAt,
     };
   }
 
-  async verifyEmail(token: string) {
-    if (token.trim().length < 8) {
-      throw new BadRequestException('Verification token is invalid');
+  async readPendingOperation(token: string, expectedType: string): Promise<PendingOperationRecord> {
+    const [id, secret] = token.trim().split('.');
+    if (!id || !secret) {
+      throw new BadRequestException({
+        message: 'Pending operation token is invalid',
+        details: { code: AUTH_ERROR_CODES.pendingOperationInvalid },
+      });
     }
 
-    return {
-      status: 'accepted',
-      delivery: 'stub',
-      nextAction: 'accounts-token-flow',
-    };
+    const operation = await this.authStore.findPendingOperationById(id);
+    if (!operation || operation.type !== expectedType || operation.consumedAt || operation.expiresAt <= new Date()) {
+      throw new BadRequestException({
+        message: 'Pending operation token is invalid',
+        details: { code: AUTH_ERROR_CODES.pendingOperationInvalid },
+      });
+    }
+
+    const matched = await this.authPasswordService.verify(secret, operation.tokenHash);
+    if (!matched) {
+      throw new BadRequestException({
+        message: 'Pending operation token is invalid',
+        details: { code: AUTH_ERROR_CODES.pendingOperationInvalid },
+      });
+    }
+
+    return operation;
+  }
+
+  async consumePendingOperation(operationId: string): Promise<void> {
+    await this.authStore.consumePendingOperation(operationId, new Date());
+  }
+
+  async findPasswordAccountByEmail(emailInput: string): Promise<PasswordAccountRecord | null> {
+    return this.authStore.findPasswordAccountByEmail(emailInput.trim().toLowerCase());
+  }
+
+  async findAccountByUserIdOrThrow(userId: string): Promise<PasswordAccountRecord> {
+    const account = await this.authStore.findAccountByUserId(userId);
+    if (!account) {
+      throw new NotFoundException('Account was not found');
+    }
+    return account;
   }
 
   async me(userId: string): Promise<{ user: UserRecordDto }> {
@@ -240,12 +252,16 @@ export class AuthCoreService {
     return { user };
   }
 
+  async issueSessionForAccount(account: PasswordAccountRecord): Promise<AuthSessionResponse> {
+    return this.issueSession(toUserRecordDto(account));
+  }
+
   getProbeStatus() {
     return {
       status: 'ok',
       feature: 'accounts',
       storage: 'db-prisma',
-      emailDelivery: 'communications',
+      messagingExtension: 'accounts-communications (optional)',
       selfServiceRoutes: [
         '/api/users/:id',
         '/api/users/:id/profile',
@@ -288,16 +304,6 @@ export class AuthCoreService {
     };
   }
 
-  private async sendCommunicationSafely(input: Parameters<CommunicationsService['send']>[0]): Promise<void> {
-    try {
-      await this.communicationsService.send(input);
-    } catch (error) {
-      this.logger.warn(
-        `accounts.communication_failed kind=${input.kind} channel=${input.channels.join(',')} reason=${error instanceof Error ? error.message : 'unknown'}`,
-      );
-    }
-  }
-
   private assertAccountActive(user: { status: string; deletedAt: Date | null }) {
     if (user.deletedAt || user.status !== 'active') {
       throw new UnauthorizedException({
@@ -314,10 +320,6 @@ export class AuthCoreService {
     });
   }
 
-  private createStubToken(kind: string, userId: string): string {
-    return `stub-${kind}-${userId}-${Date.now()}`;
-  }
-
   private readNullableString(input: unknown, key: string): string | null {
     if (!input || typeof input !== 'object' || Array.isArray(input)) {
       return null;
@@ -338,17 +340,20 @@ export class AuthCoreService {
   }
 
   private toExpiresAt(ttl: string): Date {
-    const now = Date.now();
-    const match = ttl.trim().match(/^(\d+)([smhd])$/i);
-    if (!match) {
-      const seconds = Number.parseInt(ttl, 10);
-      return new Date(now + (Number.isFinite(seconds) ? seconds : 7 * 24 * 60 * 60) * 1000);
+    const value = ttl.trim();
+    const matched = value.match(/^(\d+)([smhd])$/);
+    if (!matched) {
+      return new Date(Date.now() + 1000 * 60 * 60 * 24 * 7);
     }
 
-    const amount = Number.parseInt(match[1], 10);
-    const unit = match[2].toLowerCase();
-    const multiplier =
-      unit === 's' ? 1000 : unit === 'm' ? 60_000 : unit === 'h' ? 3_600_000 : 86_400_000;
-    return new Date(now + amount * multiplier);
+    const amount = Number(matched[1]);
+    const unit = matched[2];
+    const multipliers = {
+      s: 1000,
+      m: 1000 * 60,
+      h: 1000 * 60 * 60,
+      d: 1000 * 60 * 60 * 24,
+    } as const;
+    return new Date(Date.now() + amount * multipliers[unit]);
   }
-}
+}

package/templates/module-presets/accounts/packages/accounts-api/src/auth-pending-operations.ts

@@ -0,0 +1,9 @@
+export const AUTH_PENDING_OPERATION_TYPES = {
+  emailVerification: 'email_verification',
+  passwordReset: 'password_reset',
+  passwordChange: 'password_change',
+  emailChange: 'email_change',
+} as const;
+
+export type AuthPendingOperationType =
+  (typeof AUTH_PENDING_OPERATION_TYPES)[keyof typeof AUTH_PENDING_OPERATION_TYPES];

package/templates/module-presets/accounts/packages/accounts-api/src/auth.controller.ts

@@ -9,12 +9,9 @@ import {
 import { AuthService } from './auth.service';
 import {
   ChangePasswordDto,
-  ConfirmPasswordResetDto,
   LoginDto,
   RefreshDto,
   RegisterDto,
-  RequestPasswordResetDto,
-  VerifyEmailDto,
 } from './dto';
 import { JwtAuthGuard } from './access-token.guard';
 import type { AuthAccessTokenPayload } from './auth.types';
@@ -57,25 +54,9 @@ export class AuthController {
 
   @UseGuards(JwtAuthGuard)
   @Post('change-password')
-  async changePassword(@Body() body: ChangePasswordDto, @Req() request: RequestWithUser) {
+  changePassword(@Body() body: ChangePasswordDto, @Req() request: RequestWithUser) {
     const user = this.getRequestUser(request);
-    await this.authService.changePassword(user.sub, body.newPassword);
-    return { status: 'ok' };
-  }
-
-  @Post('verify-email')
-  verifyEmail(@Body() body: VerifyEmailDto) {
-    return this.authService.verifyEmail(body.token);
-  }
-
-  @Post('password-reset/request')
-  requestPasswordReset(@Body() body: RequestPasswordResetDto) {
-    return this.authService.requestPasswordReset(body.email);
-  }
-
-  @Post('password-reset/confirm')
-  confirmPasswordReset(@Body() body: ConfirmPasswordResetDto) {
-    return this.authService.resetPassword(body.token, body.newPassword);
+    return this.authService.changePassword(user.sub, body);
   }
 
   private getRequestUser(request: RequestWithUser): AuthAccessTokenPayload {

package/templates/module-presets/accounts/packages/accounts-api/src/auth.handlers.ts

@@ -0,0 +1,45 @@
+import { Injectable } from '@nestjs/common';
+import type {
+  ChangePasswordRequest,
+  ChangePasswordResult,
+  RegisterRequest,
+  RegisterResult,
+} from '@forgeon/accounts-contracts';
+import { AuthCoreService } from './auth-core.service';
+
+export const REGISTER_HANDLER = Symbol('REGISTER_HANDLER');
+export const CHANGE_PASSWORD_HANDLER = Symbol('CHANGE_PASSWORD_HANDLER');
+
+export interface RegisterHandler {
+  execute(input: RegisterRequest): Promise<RegisterResult>;
+}
+
+export interface ChangePasswordHandler {
+  execute(userId: string, input: ChangePasswordRequest): Promise<ChangePasswordResult>;
+}
+
+@Injectable()
+export class DefaultRegisterHandler implements RegisterHandler {
+  constructor(private readonly authCoreService: AuthCoreService) {}
+
+  async execute(input: RegisterRequest): Promise<RegisterResult> {
+    const account = await this.authCoreService.createPasswordAccount(input, {
+      status: 'active',
+      emailVerifiedAt: new Date(),
+    });
+    return this.authCoreService.issueSessionForAccount(account);
+  }
+}
+
+@Injectable()
+export class DefaultChangePasswordHandler implements ChangePasswordHandler {
+  constructor(private readonly authCoreService: AuthCoreService) {}
+
+  async execute(userId: string, input: ChangePasswordRequest): Promise<ChangePasswordResult> {
+    await this.authCoreService.changePasswordNow(userId, input.newPassword);
+    return {
+      status: 'completed',
+      message: 'Password changed successfully',
+    };
+  }
+}

package/templates/module-presets/accounts/packages/accounts-api/src/auth.service.ts

@@ -1,13 +1,26 @@
-import { Injectable } from '@nestjs/common';
-import type { RegisterRequest } from '@forgeon/accounts-contracts';
+import { Inject, Injectable } from '@nestjs/common';
+import type {
+  ChangePasswordRequest,
+  RegisterRequest,
+} from '@forgeon/accounts-contracts';
 import { AuthCoreService } from './auth-core.service';
+import {
+  CHANGE_PASSWORD_HANDLER,
+  REGISTER_HANDLER,
+  type ChangePasswordHandler,
+  type RegisterHandler,
+} from './auth.handlers';
 
 @Injectable()
 export class AuthService {
-  constructor(private readonly authCoreService: AuthCoreService) {}
+  constructor(
+    private readonly authCoreService: AuthCoreService,
+    @Inject(REGISTER_HANDLER) private readonly registerHandler: RegisterHandler,
+    @Inject(CHANGE_PASSWORD_HANDLER) private readonly changePasswordHandler: ChangePasswordHandler,
+  ) {}
 
   register(input: RegisterRequest) {
-    return this.authCoreService.registerWithPassword(input);
+    return this.registerHandler.execute(input);
   }
 
   login(input: { email: string; password: string }) {
@@ -22,20 +35,8 @@ export class AuthService {
     return this.authCoreService.logout(userId, refreshToken);
   }
 
-  changePassword(userId: string, newPassword: string) {
-    return this.authCoreService.changePassword(userId, newPassword);
-  }
-
-  requestPasswordReset(email: string) {
-    return this.authCoreService.requestPasswordReset(email);
-  }
-
-  resetPassword(token: string, newPassword: string) {
-    return this.authCoreService.resetPassword(token, newPassword);
-  }
-
-  verifyEmail(token: string) {
-    return this.authCoreService.verifyEmail(token);
+  changePassword(userId: string, input: ChangePasswordRequest) {
+    return this.changePasswordHandler.execute(userId, input);
   }
 
   me(userId: string) {