najm-auth 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/index.d.ts +1466 -0
  2. package/dist/index.js +3201 -0
  3. package/dist/schema/mysql.d.ts +1297 -0
  4. package/dist/schema/mysql.js +72 -0
  5. package/dist/schema/pg.d.ts +1300 -0
  6. package/dist/schema/pg.js +78 -0
  7. package/dist/schema/sqlite.d.ts +1439 -0
  8. package/dist/schema/sqlite.js +65 -0
  9. package/package.json +90 -0
package/dist/index.d.ts ADDED
@@ -0,0 +1,1466 @@
1
+ import * as najm_core from 'najm-core';
2
+ import { ValidationPluginConfig } from 'najm-validation';
3
+ import { RateLimitPluginConfig } from 'najm-rate';
4
+ import { I18nService } from 'najm-i18n';
5
+ import { EmailService } from 'najm-email';
6
+ import { TDb, SeedEntry } from 'najm-database';
7
+ import { User, NewUser, RoleEntity, NewRoleEntity, Permission, NewPermission, RolePermission } from './schema/pg.js';
8
+ export { NewRolePermission, NewToken, Token, authSchema, baseFields, permissionsTable, rolePermissionsTable, rolesTable, tokensTable, usersTable } from './schema/pg.js';
9
+ import { CacheService } from 'najm-cache';
10
+ import { z } from 'zod';
11
+ import { GuardResult } from 'najm-guard';
12
+ import 'drizzle-orm';
13
+ import 'drizzle-orm/pg-core';
14
+
15
+ /**
16
+ * JWT configuration for token generation and verification
17
+ */
18
+ interface JwtConfig {
19
+ /** Secret key for access token signing */
20
+ accessSecret: string;
21
+ /** Access token expiration time (e.g., '15m', '1h') */
22
+ accessExpiresIn: string;
23
+ /** Secret key for refresh token signing */
24
+ refreshSecret: string;
25
+ /** Refresh token expiration time (e.g., '7d', '30d') */
26
+ refreshExpiresIn: string;
27
+ }
28
+ /**
29
+ * Complete auth plugin configuration (internal)
30
+ */
31
+ interface AuthConfig {
32
+ /** JWT configuration */
33
+ jwt: JwtConfig;
34
+ /** Refresh token cookie name (default: 'refreshToken') */
35
+ refreshCookieName: string;
36
+ /** Database name to use (default: 'default') */
37
+ database: string;
38
+ /** Cache key prefix for blacklist (default: 'auth:blacklist:') */
39
+ blacklistPrefix: string;
40
+ /** Default role name for new user registration (default: null - no role assigned) */
41
+ defaultRole: string | null;
42
+ }
43
+ /**
44
+ * Auth plugin configuration options
45
+ * Cache is provided by najm-cache plugin (auto-dependency)
46
+ */
47
+ /**
48
+ * Auth schema shape (dialect-agnostic)
49
+ * Import from 'najm-auth/pg', 'najm-auth/sqlite', or 'najm-auth/mysql'
50
+ */
51
+ interface AuthSchema {
52
+ users: any;
53
+ tokens: any;
54
+ roles: any;
55
+ permissions: any;
56
+ rolePermissions: any;
57
+ }
58
+ type AuthPluginConfig = {
59
+ /** Database dialect (default: 'pg'). Auto-selects the correct schema. */
60
+ dialect?: 'pg' | 'sqlite' | 'mysql';
61
+ /** Database schema tables (optional, overrides dialect). Use authSchema from 'najm-auth/sqlite' or 'najm-auth/mysql' */
62
+ schema?: AuthSchema;
63
+ /** JWT configuration (secrets can be set via env vars) */
64
+ jwt?: Partial<JwtConfig>;
65
+ /** Refresh token cookie name (default: 'refreshToken') */
66
+ refreshCookieName?: string;
67
+ /** Database name to use (default: 'default') */
68
+ database?: string;
69
+ /** Cache key prefix for blacklist (default: 'auth:blacklist:') */
70
+ blacklistPrefix?: string;
71
+ /** Default role name for new user registration (default: null - no role assigned). Set to 'user' for auto-assignment. */
72
+ defaultRole?: string | null;
73
+ /** Optional config forwarded to validation() dependency */
74
+ validation?: ValidationPluginConfig;
75
+ /** Optional config forwarded to rateLimit() dependency */
76
+ rateLimit?: RateLimitPluginConfig;
77
+ };
78
+ /**
79
+ * JWT payload structure
80
+ */
81
+ interface JwtPayload {
82
+ userId: string;
83
+ /** Unique token ID for blacklist-based revocation */
84
+ jti: string;
85
+ exp?: number;
86
+ iat?: number;
87
+ }
88
+ /**
89
+ * Token pair returned after authentication
90
+ */
91
+ interface TokenPair {
92
+ accessToken: string;
93
+ refreshToken: string;
94
+ accessTokenExpiresAt?: number;
95
+ refreshTokenExpiresAt?: number;
96
+ }
97
+ /**
98
+ * User data structure for authentication
99
+ */
100
+ interface AuthUser {
101
+ id: string;
102
+ email: string;
103
+ name?: string;
104
+ role?: string;
105
+ permissions?: string[];
106
+ }
107
+
108
+ declare const auth$1: (config?: AuthPluginConfig) => najm_core.NajmPlugin;
109
+
110
+ declare const AUTH_CONFIG: unique symbol;
111
+ declare const AUTH_SCHEMA: unique symbol;
112
+ declare const AUTH_USER: unique symbol;
113
+ declare const AUTH_ROLE: unique symbol;
114
+ declare const AUTH_PERMISSIONS: unique symbol;
115
+
116
+ var auth = {
117
+ errors: {
118
+ invalidCredentials: "Invalid email or password",
119
+ emailExists: "Email already registered",
120
+ accessDenied: "Access denied",
121
+ tokenExpired: "Token has expired",
122
+ tokenInvalid: "Invalid token",
123
+ tokenMissing: "Authorization token is missing",
124
+ tokenVerificationFailed: "Token verification failed",
125
+ tokenRevoked: "Token has been revoked",
126
+ refreshTokenMissing: "Refresh token is missing",
127
+ refreshTokenInvalid: "Invalid refresh token",
128
+ invalidResetToken: "Invalid password reset token",
129
+ resetTokenExpired: "Password reset token has expired",
130
+ unauthorized: "Unauthorized access",
131
+ sessionExpired: "Session has expired"
132
+ },
133
+ success: {
134
+ login: "Login successful",
135
+ logout: "Logout successful",
136
+ passwordChanged: "Password changed successfully",
137
+ tokenRefreshed: "Token refreshed successfully"
138
+ }
139
+ };
140
+ var users = {
141
+ errors: {
142
+ notFound: "User not found",
143
+ idExists: "User ID already exists",
144
+ emailRequired: "Email is required",
145
+ passwordRequired: "Password is required",
146
+ invalidEmail: "Invalid email format",
147
+ weakPassword: "Password is too weak",
148
+ adminRoleNotFound: "Admin role not found in system"
149
+ },
150
+ success: {
151
+ created: "User created successfully",
152
+ updated: "User updated successfully",
153
+ deleted: "User deleted successfully",
154
+ retrieved: "User retrieved successfully"
155
+ }
156
+ };
157
+ var roles = {
158
+ errors: {
159
+ notFound: "Role not found",
160
+ exists: "Role already exists",
161
+ nameRequired: "Role name is required",
162
+ cannotDeleteSystem: "Cannot delete system role"
163
+ },
164
+ success: {
165
+ created: "Role created successfully",
166
+ updated: "Role updated successfully",
167
+ deleted: "Role deleted successfully",
168
+ assigned: "Role assigned successfully",
169
+ retrieved: "Role retrieved successfully"
170
+ }
171
+ };
172
+ var permissions = {
173
+ errors: {
174
+ notFound: "Permission not found",
175
+ nameExists: "Permission name already exists",
176
+ roleAlreadyHasPermission: "Role already has this permission",
177
+ cannotRemoveRequired: "Cannot remove required permission"
178
+ },
179
+ success: {
180
+ created: "Permission created successfully",
181
+ updated: "Permission updated successfully",
182
+ deleted: "Permission deleted successfully",
183
+ granted: "Permission granted successfully",
184
+ revoked: "Permission revoked successfully",
185
+ retrieved: "Permissions retrieved successfully",
186
+ assigned: "Permission assigned to role successfully",
187
+ removed: "Permission removed from role successfully",
188
+ allDeleted: "All permissions deleted successfully"
189
+ }
190
+ };
191
+ var en = {
192
+ auth: auth,
193
+ users: users,
194
+ roles: roles,
195
+ permissions: permissions
196
+ };
197
+
198
+ /**
199
+ * Default auth translations organized by language
200
+ * Can be imported and merged with user translations
201
+ */
202
+ declare const AUTH_LOCALES: {
203
+ readonly en: {
204
+ auth: {
205
+ errors: {
206
+ invalidCredentials: string;
207
+ emailExists: string;
208
+ accessDenied: string;
209
+ tokenExpired: string;
210
+ tokenInvalid: string;
211
+ tokenMissing: string;
212
+ tokenVerificationFailed: string;
213
+ tokenRevoked: string;
214
+ refreshTokenMissing: string;
215
+ refreshTokenInvalid: string;
216
+ invalidResetToken: string;
217
+ resetTokenExpired: string;
218
+ unauthorized: string;
219
+ sessionExpired: string;
220
+ };
221
+ success: {
222
+ login: string;
223
+ logout: string;
224
+ passwordChanged: string;
225
+ tokenRefreshed: string;
226
+ };
227
+ };
228
+ users: {
229
+ errors: {
230
+ notFound: string;
231
+ idExists: string;
232
+ emailRequired: string;
233
+ passwordRequired: string;
234
+ invalidEmail: string;
235
+ weakPassword: string;
236
+ adminRoleNotFound: string;
237
+ };
238
+ success: {
239
+ created: string;
240
+ updated: string;
241
+ deleted: string;
242
+ retrieved: string;
243
+ };
244
+ };
245
+ roles: {
246
+ errors: {
247
+ notFound: string;
248
+ exists: string;
249
+ nameRequired: string;
250
+ cannotDeleteSystem: string;
251
+ };
252
+ success: {
253
+ created: string;
254
+ updated: string;
255
+ deleted: string;
256
+ assigned: string;
257
+ retrieved: string;
258
+ };
259
+ };
260
+ permissions: {
261
+ errors: {
262
+ notFound: string;
263
+ nameExists: string;
264
+ roleAlreadyHasPermission: string;
265
+ cannotRemoveRequired: string;
266
+ };
267
+ success: {
268
+ created: string;
269
+ updated: string;
270
+ deleted: string;
271
+ granted: string;
272
+ revoked: string;
273
+ retrieved: string;
274
+ assigned: string;
275
+ removed: string;
276
+ allDeleted: string;
277
+ };
278
+ };
279
+ };
280
+ };
281
+ /**
282
+ * Get translations for a specific language
283
+ * Falls back to English if language not found
284
+ */
285
+ declare function getAuthLocale(lang: string): Record<string, any>;
286
+ /**
287
+ * All supported languages in auth package
288
+ */
289
+ declare const AUTH_SUPPORTED_LANGUAGES: string[];
290
+
291
+ /**
292
+ * EncryptionService - Pure hashing utility
293
+ * Validation is handled by UserValidator (single source of truth)
294
+ */
295
+ declare class EncryptionService {
296
+ constructor();
297
+ hashPassword(password: string): Promise<string>;
298
+ comparePassword(password: string, hashedPassword: string): Promise<boolean>;
299
+ }
300
+
301
+ declare class CookieManager {
302
+ private config;
303
+ private cookieService;
304
+ private get cookieName();
305
+ setRefreshToken(refreshToken: string): void;
306
+ clearRefreshToken(): void;
307
+ getRefreshToken(): string | undefined;
308
+ hasRefreshToken(): boolean;
309
+ getCookieName(): string;
310
+ }
311
+
312
+ interface UserWithPermissions extends Omit<User, 'password'> {
313
+ role?: string | null;
314
+ permissions: string[];
315
+ }
316
+ declare class UserRepository {
317
+ db: TDb;
318
+ private schema;
319
+ private get users();
320
+ private get roles();
321
+ /** Shared query helper */
322
+ private get q();
323
+ getAll(): Promise<UserWithPermissions[]>;
324
+ getById(id: string): Promise<UserWithPermissions | undefined>;
325
+ getByEmail(email: string): Promise<(User & {
326
+ role?: string | null;
327
+ }) | undefined>;
328
+ create(data: NewUser): Promise<User>;
329
+ update(id: string, data: Partial<NewUser>): Promise<User>;
330
+ delete(id: string): Promise<User>;
331
+ deleteAll(): Promise<User[]>;
332
+ getRoleNameById(userId: string): Promise<string | null>;
333
+ getUserPassword(email: string): Promise<string | undefined>;
334
+ getUserPermissions(userId: string): Promise<string[]>;
335
+ }
336
+
337
+ /**
338
+ * UserValidator - Business validation for user operations
339
+ * Handles database checks (unique, exists, permissions)
340
+ * Schema validation is handled by DTOs in user.dto.ts
341
+ */
342
+ declare class UserValidator {
343
+ private userRepository;
344
+ private encryptionService;
345
+ private t;
346
+ constructor(userRepository: UserRepository, encryptionService: EncryptionService);
347
+ /**
348
+ * Check if email already exists in database
349
+ */
350
+ checkEmailUnique(email: string, excludeId?: string): Promise<void>;
351
+ /**
352
+ * Check if user exists by ID
353
+ */
354
+ checkUserExists(id: string): Promise<UserWithPermissions>;
355
+ /**
356
+ * Check if user exists by email
357
+ */
358
+ checkUserExistsByEmail(email: string): Promise<{
359
+ id: string;
360
+ createdAt: string;
361
+ updatedAt: string;
362
+ email: string;
363
+ emailVerified: boolean;
364
+ password: string;
365
+ image: string;
366
+ status: "active" | "inactive" | "pending";
367
+ roleId: string;
368
+ lastLogin: string;
369
+ } & {
370
+ role?: string | null;
371
+ }>;
372
+ /**
373
+ * Check if email exists in database
374
+ */
375
+ checkEmailExists(email: string): Promise<{
376
+ id: string;
377
+ createdAt: string;
378
+ updatedAt: string;
379
+ email: string;
380
+ emailVerified: boolean;
381
+ password: string;
382
+ image: string;
383
+ status: "active" | "inactive" | "pending";
384
+ roleId: string;
385
+ lastLogin: string;
386
+ } & {
387
+ role?: string | null;
388
+ }>;
389
+ /**
390
+ * Verify password against hashed password (throws on invalid)
391
+ */
392
+ checkPasswordValid(password: string, hashedPassword: string): Promise<void>;
393
+ /**
394
+ * Compare password against hash - returns boolean (no throw)
395
+ * Used for timing-safe authentication
396
+ */
397
+ comparePassword(password: string, hashedPassword: string): Promise<boolean>;
398
+ /**
399
+ * Check if user ID is unique (for custom IDs)
400
+ */
401
+ checkUserIdIsUnique(id: string): Promise<void>;
402
+ /**
403
+ * Check if user has required role
404
+ */
405
+ hasRole(userId: string, roles: string[]): Promise<boolean>;
406
+ /**
407
+ * Validate password strength and complexity
408
+ * Enforces:
409
+ * - Minimum 8 characters
410
+ * - At least one uppercase letter
411
+ * - At least one lowercase letter
412
+ * - At least one number
413
+ */
414
+ validatePasswordStrength(password: string): void;
415
+ }
416
+
417
+ declare class RoleRepository {
418
+ db: TDb;
419
+ private schema;
420
+ private get roles();
421
+ getAll(): Promise<RoleEntity[]>;
422
+ getById(id: string): Promise<RoleEntity | undefined>;
423
+ getByName(name: string): Promise<RoleEntity | undefined>;
424
+ create(data: NewRoleEntity): Promise<RoleEntity>;
425
+ update(id: string, data: Partial<NewRoleEntity>): Promise<RoleEntity>;
426
+ delete(id: string): Promise<RoleEntity>;
427
+ }
428
+
429
+ /**
430
+ * RoleValidator - Business validation for role operations
431
+ * Handles database checks (unique, exists)
432
+ * Schema validation is handled by DTOs in role.dto.ts
433
+ */
434
+ declare class RoleValidator {
435
+ private roleRepository;
436
+ private t;
437
+ constructor(roleRepository: RoleRepository);
438
+ /**
439
+ * Check if role name is unique
440
+ */
441
+ checkNameUnique(roleName: string, excludeId?: string): Promise<void>;
442
+ /**
443
+ * Check if role exists by ID
444
+ */
445
+ checkRoleExists(id: string): Promise<{
446
+ id: string;
447
+ name: string;
448
+ description: string;
449
+ createdAt: string;
450
+ updatedAt: string;
451
+ }>;
452
+ /**
453
+ * Check if role exists by name
454
+ */
455
+ checkRoleExistsByName(roleName: string): Promise<{
456
+ id: string;
457
+ name: string;
458
+ description: string;
459
+ createdAt: string;
460
+ updatedAt: string;
461
+ }>;
462
+ /**
463
+ * Check if admin role exists (required for system setup)
464
+ */
465
+ checkAdminRoleExists(): Promise<{
466
+ id: string;
467
+ name: string;
468
+ description: string;
469
+ createdAt: string;
470
+ updatedAt: string;
471
+ }>;
472
+ /**
473
+ * Check if role name exists (returns boolean, doesn't throw)
474
+ */
475
+ isRoleNameExists(roleName: string): Promise<boolean>;
476
+ }
477
+
478
+ declare class RoleService {
479
+ private roleRepository;
480
+ private roleValidator;
481
+ constructor(roleRepository: RoleRepository, roleValidator: RoleValidator);
482
+ getAll(): Promise<{
483
+ id: string;
484
+ name: string;
485
+ description: string;
486
+ createdAt: string;
487
+ updatedAt: string;
488
+ }[]>;
489
+ getById(id: any): Promise<{
490
+ id: string;
491
+ name: string;
492
+ description: string;
493
+ createdAt: string;
494
+ updatedAt: string;
495
+ }>;
496
+ getByName(name: any): Promise<{
497
+ id: string;
498
+ name: string;
499
+ description: string;
500
+ createdAt: string;
501
+ updatedAt: string;
502
+ }>;
503
+ create(data: any): Promise<{
504
+ id: string;
505
+ name: string;
506
+ description: string;
507
+ createdAt: string;
508
+ updatedAt: string;
509
+ }>;
510
+ update(id: any, data: any): Promise<{
511
+ id: string;
512
+ name: string;
513
+ description: string;
514
+ createdAt: string;
515
+ updatedAt: string;
516
+ }>;
517
+ delete(id: any): Promise<{
518
+ id: string;
519
+ name: string;
520
+ description: string;
521
+ createdAt: string;
522
+ updatedAt: string;
523
+ }>;
524
+ seedDefaultRoles(defaultRoles: any): Promise<{
525
+ id: string;
526
+ name: string;
527
+ description: string;
528
+ createdAt: string;
529
+ updatedAt: string;
530
+ }[]>;
531
+ getRoleIdByName(name: any): Promise<string>;
532
+ }
533
+
534
+ type SanitizedUser = Omit<User, 'password'> & {
535
+ role?: string | null;
536
+ permissions?: string[];
537
+ };
538
+ declare class UserService {
539
+ private roleValidator;
540
+ private roleService;
541
+ private userRepository;
542
+ private userValidator;
543
+ private encryptionService;
544
+ private i18nService;
545
+ private authConfig;
546
+ constructor(roleValidator: RoleValidator, roleService: RoleService, userRepository: UserRepository, userValidator: UserValidator, encryptionService: EncryptionService, i18nService: I18nService, authConfig: AuthConfig);
547
+ private sanitizeUser;
548
+ private sanitizeUsers;
549
+ private resolveUserRole;
550
+ getAll(): Promise<SanitizedUser[]>;
551
+ getById(id: string): Promise<SanitizedUser>;
552
+ getByEmail(email: string): Promise<SanitizedUser>;
553
+ /**
554
+ * Find user by email without throwing - returns null if not found
555
+ * Used for timing-safe authentication
556
+ */
557
+ findByEmail(email: string): Promise<(User & {
558
+ role?: string | null;
559
+ }) | undefined>;
560
+ create(data: Record<string, any>): Promise<SanitizedUser>;
561
+ update(id: string, data: Record<string, any>): Promise<SanitizedUser>;
562
+ delete(id: string): Promise<SanitizedUser>;
563
+ deleteAll(): Promise<SanitizedUser[]>;
564
+ getRoleName(id: string): Promise<string | null>;
565
+ getPassword(email: string): Promise<string | undefined>;
566
+ assignRole(id: string, roleId?: string, roleName?: string): Promise<SanitizedUser>;
567
+ removeRole(id: string): Promise<SanitizedUser>;
568
+ seedAdminUser(config?: {
569
+ email?: string;
570
+ password?: string;
571
+ name?: string;
572
+ }): Promise<SanitizedUser>;
573
+ updateLang(language: string): Promise<string>;
574
+ getLang(): Promise<string>;
575
+ }
576
+
577
+ declare class TokenRepository {
578
+ db: TDb;
579
+ private schema;
580
+ private get tokens();
581
+ private get users();
582
+ private get roles();
583
+ /** Shared query helper */
584
+ private get q();
585
+ storeRefreshToken(tokenData: {
586
+ userId: string;
587
+ token: string;
588
+ expiresAt: string;
589
+ }): Promise<any>;
590
+ getRefreshToken(userId: string): Promise<any>;
591
+ revokeToken(userId: string): Promise<any>;
592
+ isUserExists(userId: string): Promise<boolean>;
593
+ getRoleNameById(userId: string): Promise<string>;
594
+ getUserPermissions(userId: string): Promise<string[]>;
595
+ getUser(userId: string): Promise<any>;
596
+ }
597
+
598
+ declare class TokenService {
599
+ private tokenRepository;
600
+ private cookieManager;
601
+ private cache;
602
+ private config;
603
+ private t;
604
+ constructor(tokenRepository: TokenRepository, cookieManager: CookieManager, cache: CacheService);
605
+ /**
606
+ * Get blacklist key prefix
607
+ */
608
+ private get blacklistPrefix();
609
+ extractAccessToken(authorization: string): string;
610
+ /**
611
+ * Verify access token and check blacklist
612
+ * Throws error if token is invalid, expired, or blacklisted
613
+ */
614
+ verifyAccessToken(token: string): Promise<JwtPayload>;
615
+ verifyRefreshToken(token: string): string;
616
+ getUser(auth: string): Promise<any>;
617
+ getTokenExpire(token: string): number | undefined;
618
+ /**
619
+ * Generate access token with unique jti for blacklist support
620
+ */
621
+ generateAccessToken(data: {
622
+ userId: string;
623
+ }): string;
624
+ /**
625
+ * Generate refresh token with unique jti
626
+ */
627
+ generateRefreshToken(data: {
628
+ userId: string;
629
+ }): string;
630
+ generateTokens(userId: string): Promise<{
631
+ accessToken: string;
632
+ refreshToken: string;
633
+ accessTokenExpiresAt: number;
634
+ refreshTokenExpiresAt: number;
635
+ }>;
636
+ /**
637
+ * Blacklist an access token by its jti
638
+ * Token will be rejected until it naturally expires
639
+ */
640
+ blacklistToken(jti: string, expiresInSeconds: number): Promise<void>;
641
+ /**
642
+ * Check if a token is blacklisted
643
+ */
644
+ isTokenBlacklisted(jti: string): Promise<boolean>;
645
+ /**
646
+ * Blacklist the current access token (for logout)
647
+ * Extracts jti and remaining TTL from the token
648
+ */
649
+ blacklistCurrentToken(token: string): Promise<void>;
650
+ /**
651
+ * Store hashed refresh token in database for security
652
+ * This prevents token theft in case of database breach
653
+ */
654
+ storeRefreshToken(userId: string, refreshToken: string): Promise<void>;
655
+ /**
656
+ * Refresh tokens with secure token comparison
657
+ * Compares provided token with hashed version in database
658
+ */
659
+ refreshTokens(): Promise<{
660
+ accessToken: string;
661
+ refreshToken: string;
662
+ accessTokenExpiresAt: number;
663
+ refreshTokenExpiresAt: number;
664
+ }>;
665
+ revokeToken(userId: string): Promise<any>;
666
+ /**
667
+ * Logout user - blacklist access token and revoke refresh token
668
+ */
669
+ logout(userId: string, authorization?: string): Promise<void>;
670
+ /**
671
+ * Generate secure password reset token
672
+ * Returns both the plain token (to send via email) and userId for identification
673
+ */
674
+ generateResetToken(userId: string): {
675
+ token: string;
676
+ userId: string;
677
+ };
678
+ /**
679
+ * Verify password reset token
680
+ * Returns userId if valid, throws error if expired/invalid
681
+ */
682
+ verifyResetToken(token: string): string;
683
+ }
684
+
685
+ declare const createUserDto: z.ZodObject<{
686
+ email: z.ZodString;
687
+ password: z.ZodString;
688
+ username: z.ZodOptional<z.ZodString>;
689
+ roleId: z.ZodOptional<z.ZodString>;
690
+ image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>]>>;
691
+ emailVerified: z.ZodDefault<z.ZodBoolean>;
692
+ status: z.ZodDefault<z.ZodEnum<{
693
+ active: "active";
694
+ inactive: "inactive";
695
+ pending: "pending";
696
+ }>>;
697
+ }, z.core.$strip>;
698
+ declare const updateUserDto: z.ZodObject<{
699
+ email: z.ZodOptional<z.ZodString>;
700
+ password: z.ZodOptional<z.ZodString>;
701
+ username: z.ZodOptional<z.ZodOptional<z.ZodString>>;
702
+ roleId: z.ZodOptional<z.ZodOptional<z.ZodString>>;
703
+ image: z.ZodOptional<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>]>>>;
704
+ emailVerified: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
705
+ status: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
706
+ active: "active";
707
+ inactive: "inactive";
708
+ pending: "pending";
709
+ }>>>;
710
+ }, z.core.$strip>;
711
+ declare const userIdParam: z.ZodObject<{
712
+ id: z.ZodString;
713
+ }, z.core.$strip>;
714
+ declare const loginDto: z.ZodObject<{
715
+ email: z.ZodString;
716
+ password: z.ZodString;
717
+ }, z.core.$strip>;
718
+ declare const changePasswordDto: z.ZodObject<{
719
+ currentPassword: z.ZodString;
720
+ newPassword: z.ZodString;
721
+ }, z.core.$strip>;
722
+ declare const resetPasswordDto: z.ZodObject<{
723
+ email: z.ZodString;
724
+ }, z.core.$strip>;
725
+ declare const confirmResetPasswordDto: z.ZodObject<{
726
+ token: z.ZodString;
727
+ newPassword: z.ZodString;
728
+ }, z.core.$strip>;
729
+ declare const languageParam: z.ZodObject<{
730
+ language: z.ZodString;
731
+ }, z.core.$strip>;
732
+ declare const emailParam: z.ZodObject<{
733
+ email: z.ZodString;
734
+ }, z.core.$strip>;
735
+ declare const userIdInParam: z.ZodObject<{
736
+ userId: z.ZodString;
737
+ }, z.core.$strip>;
738
+ declare const assignRoleParams: z.ZodObject<{
739
+ userId: z.ZodString;
740
+ roleId: z.ZodString;
741
+ }, z.core.$strip>;
742
+ type CreateUserDto = z.infer<typeof createUserDto>;
743
+ type UpdateUserDto = z.infer<typeof updateUserDto>;
744
+ type UserIdParam = z.infer<typeof userIdParam>;
745
+ type LoginDto = z.infer<typeof loginDto>;
746
+ type ChangePasswordDto = z.infer<typeof changePasswordDto>;
747
+ type ResetPasswordDto = z.infer<typeof resetPasswordDto>;
748
+ type ConfirmResetPasswordDto = z.infer<typeof confirmResetPasswordDto>;
749
+ type LanguageParam = z.infer<typeof languageParam>;
750
+ type EmailParam = z.infer<typeof emailParam>;
751
+ type UserIdInParam = z.infer<typeof userIdInParam>;
752
+ type AssignRoleParams = z.infer<typeof assignRoleParams>;
753
+
754
+ declare class AuthService {
755
+ private tokenService;
756
+ private userService;
757
+ private userValidator;
758
+ private cookieManager;
759
+ private i18nService;
760
+ private emailService;
761
+ private t;
762
+ private logger;
763
+ private static readonly DUMMY_HASH;
764
+ constructor(tokenService: TokenService, userService: UserService, userValidator: UserValidator, cookieManager: CookieManager, i18nService: I18nService, emailService: EmailService);
765
+ registerUser(body: CreateUserDto): Promise<SanitizedUser>;
766
+ loginUser(body: LoginDto): Promise<TokenPair>;
767
+ refreshTokens(): Promise<TokenPair>;
768
+ logoutUser(userId: string, authorization?: string): Promise<{
769
+ data: any;
770
+ message: string;
771
+ }>;
772
+ getUserProfile(userData: AuthUser): Promise<AuthUser & {
773
+ language: string;
774
+ }>;
775
+ forgotPassword(email: string): Promise<{
776
+ message: string;
777
+ }>;
778
+ resetPassword(token: string, newPassword: string): Promise<{
779
+ message: string;
780
+ }>;
781
+ }
782
+
783
+ declare class AuthController {
784
+ private authService;
785
+ constructor(authService: AuthService);
786
+ registerUser(body: CreateUserDto): Promise<SanitizedUser>;
787
+ loginUser(body: LoginDto): Promise<TokenPair>;
788
+ refreshTokens(): Promise<TokenPair>;
789
+ logoutUser(userId: string, authorization?: string): Promise<{
790
+ data: any;
791
+ message: string;
792
+ }>;
793
+ userProfile(user: any): Promise<AuthUser & {
794
+ language: string;
795
+ }>;
796
+ forgotPassword(body: ResetPasswordDto): Promise<{
797
+ message: string;
798
+ }>;
799
+ resetPassword(body: ConfirmResetPasswordDto): Promise<{
800
+ message: string;
801
+ }>;
802
+ }
803
+
804
+ declare class AuthGuard {
805
+ private tokenService;
806
+ canActivate(auth: string): Promise<GuardResult | false>;
807
+ }
808
+ declare const isAuth: () => ClassDecorator & MethodDecorator;
809
+
810
+ declare const AUTH_MODULE: readonly [typeof AuthService, typeof CookieManager, typeof EncryptionService, typeof AuthGuard, typeof AuthController];
811
+
812
+ declare class PermissionRepository {
813
+ db: TDb;
814
+ private schema;
815
+ private get permissions();
816
+ private get rolePermissions();
817
+ private get roles();
818
+ getAll(): Promise<Permission[]>;
819
+ getById(id: string): Promise<Permission | undefined>;
820
+ getByName(name: string): Promise<Permission | undefined>;
821
+ getByResource(resource: string): Promise<Permission[]>;
822
+ create(data: NewPermission): Promise<Permission>;
823
+ update(id: string, data: Partial<NewPermission>): Promise<Permission>;
824
+ delete(id: string): Promise<Permission>;
825
+ getPermissionsByRole(roleId: string): Promise<Array<Pick<Permission, 'id' | 'name' | 'description' | 'resource' | 'action'>>>;
826
+ getRolesByPermission(permissionId: string): Promise<Array<Pick<RoleEntity, 'id' | 'name' | 'description'>>>;
827
+ assignPermissionToRole(roleId: string, permissionId: string): Promise<RolePermission>;
828
+ removePermissionFromRole(roleId: string, permissionId: string): Promise<RolePermission>;
829
+ checkRoleHasPermission(roleId: string, permissionId: string): Promise<boolean>;
830
+ deleteAll(): Promise<Permission[]>;
831
+ }
832
+
833
+ declare class PermissionGuard {
834
+ canActivate(requiredPermission: string, permissions: string[]): GuardResult | false;
835
+ private checkPermission;
836
+ }
837
+ declare const Can: (permission: string) => ClassDecorator & MethodDecorator;
838
+ declare const canCreate: (resource: string) => ClassDecorator & MethodDecorator;
839
+ declare const canRead: (resource: string) => ClassDecorator & MethodDecorator;
840
+ declare const canUpdate: (resource: string) => ClassDecorator & MethodDecorator;
841
+ declare const canDelete: (resource: string) => ClassDecorator & MethodDecorator;
842
+ declare const canManage: (resource: string) => ClassDecorator & MethodDecorator;
843
+
844
+ declare const ROLES: {
845
+ readonly ADMIN: "admin";
846
+ };
847
+ declare const ROLE_GROUPS: {
848
+ ADMINISTRATORS: "admin"[];
849
+ };
850
+ type RoleType = typeof ROLES[keyof typeof ROLES];
851
+ type RoleInput = string | string[];
852
+
853
+ declare class RoleGuard {
854
+ canActivate(allowedRoles: RoleInput, userRole: string): false | {
855
+ role: string;
856
+ };
857
+ }
858
+ declare const Role: (roles: RoleInput) => any;
859
+ declare const isAdmin: () => ClassDecorator & MethodDecorator;
860
+ declare const isAdministrator: () => ClassDecorator & MethodDecorator;
861
+
862
+ declare const createRoleDto: z.ZodObject<{
863
+ name: z.ZodString;
864
+ description: z.ZodOptional<z.ZodString>;
865
+ }, z.core.$strip>;
866
+ declare const updateRoleDto: z.ZodObject<{
867
+ name: z.ZodOptional<z.ZodString>;
868
+ description: z.ZodOptional<z.ZodOptional<z.ZodString>>;
869
+ }, z.core.$strip>;
870
+ declare const roleIdParam: z.ZodObject<{
871
+ id: z.ZodString;
872
+ }, z.core.$strip>;
873
+ declare const assignRoleDto: z.ZodObject<{
874
+ userId: z.ZodString;
875
+ roleId: z.ZodString;
876
+ }, z.core.$strip>;
877
+ type CreateRoleDto = z.infer<typeof createRoleDto>;
878
+ type UpdateRoleDto = z.infer<typeof updateRoleDto>;
879
+ type RoleIdParam = z.infer<typeof roleIdParam>;
880
+ type AssignRoleDto = z.infer<typeof assignRoleDto>;
881
+
882
+ declare class RoleController {
883
+ private roleService;
884
+ constructor(roleService: RoleService);
885
+ getRoles(): Promise<{
886
+ id: string;
887
+ name: string;
888
+ description: string;
889
+ createdAt: string;
890
+ updatedAt: string;
891
+ }[]>;
892
+ getRole(params: RoleIdParam): Promise<{
893
+ id: string;
894
+ name: string;
895
+ description: string;
896
+ createdAt: string;
897
+ updatedAt: string;
898
+ }>;
899
+ createRole(body: CreateRoleDto): Promise<{
900
+ id: string;
901
+ name: string;
902
+ description: string;
903
+ createdAt: string;
904
+ updatedAt: string;
905
+ }>;
906
+ updateRole(params: RoleIdParam, body: UpdateRoleDto): Promise<{
907
+ id: string;
908
+ name: string;
909
+ description: string;
910
+ createdAt: string;
911
+ updatedAt: string;
912
+ }>;
913
+ deleteRole(params: RoleIdParam): Promise<{
914
+ id: string;
915
+ name: string;
916
+ description: string;
917
+ createdAt: string;
918
+ updatedAt: string;
919
+ }>;
920
+ }
921
+
922
+ /**
923
+ * PermissionValidator - Business validation for permission operations
924
+ * Handles database checks (unique, exists, role permissions)
925
+ * Schema validation is handled by DTOs in permission.dto.ts
926
+ */
927
+ declare class PermissionValidator {
928
+ private permissionRepository;
929
+ private roleValidator;
930
+ private t;
931
+ constructor(permissionRepository: PermissionRepository, roleValidator: RoleValidator);
932
+ /**
933
+ * Check if permission exists by ID
934
+ */
935
+ checkPermissionExists(id: string): Promise<{
936
+ id: string;
937
+ name: string;
938
+ description: string;
939
+ createdAt: string;
940
+ updatedAt: string;
941
+ resource: string;
942
+ action: string;
943
+ }>;
944
+ /**
945
+ * Check if permission exists by name
946
+ */
947
+ checkPermissionExistsByName(name: string): Promise<{
948
+ id: string;
949
+ name: string;
950
+ description: string;
951
+ createdAt: string;
952
+ updatedAt: string;
953
+ resource: string;
954
+ action: string;
955
+ }>;
956
+ /**
957
+ * Check if permission name is unique
958
+ */
959
+ checkPermissionNameUnique(name: string, excludeId?: string): Promise<void>;
960
+ /**
961
+ * Check if role exists (delegates to RoleValidator)
962
+ */
963
+ checkRoleExists(id: string): Promise<{
964
+ id: string;
965
+ name: string;
966
+ description: string;
967
+ createdAt: string;
968
+ updatedAt: string;
969
+ }>;
970
+ /**
971
+ * Check if role exists by name (delegates to RoleValidator)
972
+ */
973
+ checkRoleExistsByName(name: string): Promise<{
974
+ id: string;
975
+ name: string;
976
+ description: string;
977
+ createdAt: string;
978
+ updatedAt: string;
979
+ }>;
980
+ /**
981
+ * Check if role already has permission
982
+ */
983
+ checkRoleHasPermission(roleId: string, permissionId: string): Promise<void>;
984
+ }
985
+
986
+ declare class PermissionService {
987
+ private permissionRepository;
988
+ private permissionValidator;
989
+ private roleService;
990
+ constructor(permissionRepository: PermissionRepository, permissionValidator: PermissionValidator, roleService: RoleService);
991
+ getAll(): Promise<{
992
+ id: string;
993
+ name: string;
994
+ description: string;
995
+ createdAt: string;
996
+ updatedAt: string;
997
+ resource: string;
998
+ action: string;
999
+ }[]>;
1000
+ getById(id: string): Promise<{
1001
+ id: string;
1002
+ name: string;
1003
+ description: string;
1004
+ createdAt: string;
1005
+ updatedAt: string;
1006
+ resource: string;
1007
+ action: string;
1008
+ }>;
1009
+ getByName(name: string): Promise<{
1010
+ id: string;
1011
+ name: string;
1012
+ description: string;
1013
+ createdAt: string;
1014
+ updatedAt: string;
1015
+ resource: string;
1016
+ action: string;
1017
+ }>;
1018
+ getByResource(resource: string): Promise<{
1019
+ id: string;
1020
+ name: string;
1021
+ description: string;
1022
+ createdAt: string;
1023
+ updatedAt: string;
1024
+ resource: string;
1025
+ action: string;
1026
+ }[]>;
1027
+ create(data: any): Promise<{
1028
+ id: string;
1029
+ name: string;
1030
+ description: string;
1031
+ createdAt: string;
1032
+ updatedAt: string;
1033
+ resource: string;
1034
+ action: string;
1035
+ }>;
1036
+ update(id: string, data: any): Promise<{
1037
+ id: string;
1038
+ name: string;
1039
+ description: string;
1040
+ createdAt: string;
1041
+ updatedAt: string;
1042
+ resource: string;
1043
+ action: string;
1044
+ }>;
1045
+ delete(id: string): Promise<{
1046
+ id: string;
1047
+ name: string;
1048
+ description: string;
1049
+ createdAt: string;
1050
+ updatedAt: string;
1051
+ resource: string;
1052
+ action: string;
1053
+ }>;
1054
+ getPermissionsByRole(roleId: string): Promise<Pick<{
1055
+ id: string;
1056
+ name: string;
1057
+ description: string;
1058
+ createdAt: string;
1059
+ updatedAt: string;
1060
+ resource: string;
1061
+ action: string;
1062
+ }, "id" | "name" | "description" | "resource" | "action">[]>;
1063
+ getRolesByPermission(permissionId: string): Promise<Pick<{
1064
+ id: string;
1065
+ name: string;
1066
+ description: string;
1067
+ createdAt: string;
1068
+ updatedAt: string;
1069
+ }, "id" | "name" | "description">[]>;
1070
+ assignPermissionToRole(roleId: string, permissionId: string): Promise<{
1071
+ id: string;
1072
+ createdAt: string;
1073
+ updatedAt: string;
1074
+ roleId: string;
1075
+ permissionId: string;
1076
+ }>;
1077
+ removePermissionFromRole(roleId: string, permissionId: string): Promise<{
1078
+ id: string;
1079
+ createdAt: string;
1080
+ updatedAt: string;
1081
+ roleId: string;
1082
+ permissionId: string;
1083
+ }>;
1084
+ seedDefaultPermissions(defaultPermissions: any): Promise<{
1085
+ created: any[];
1086
+ skipped: any[];
1087
+ }>;
1088
+ seedDefaultRolePermissions(defaultRolePermissions: any): Promise<{
1089
+ assigned: any[];
1090
+ skipped: any[];
1091
+ }>;
1092
+ deleteAll(): Promise<{
1093
+ id: string;
1094
+ name: string;
1095
+ description: string;
1096
+ createdAt: string;
1097
+ updatedAt: string;
1098
+ resource: string;
1099
+ action: string;
1100
+ }[]>;
1101
+ }
1102
+
1103
+ declare const createPermissionDto: z.ZodObject<{
1104
+ name: z.ZodString;
1105
+ description: z.ZodOptional<z.ZodString>;
1106
+ resource: z.ZodString;
1107
+ action: z.ZodString;
1108
+ }, z.core.$strip>;
1109
+ declare const updatePermissionDto: z.ZodObject<{
1110
+ name: z.ZodOptional<z.ZodString>;
1111
+ description: z.ZodOptional<z.ZodOptional<z.ZodString>>;
1112
+ resource: z.ZodOptional<z.ZodString>;
1113
+ action: z.ZodOptional<z.ZodString>;
1114
+ }, z.core.$strip>;
1115
+ declare const permissionIdParam: z.ZodObject<{
1116
+ id: z.ZodString;
1117
+ }, z.core.$strip>;
1118
+ declare const assignPermissionDto: z.ZodObject<{
1119
+ roleId: z.ZodString;
1120
+ permissionId: z.ZodString;
1121
+ }, z.core.$strip>;
1122
+ declare const checkPermissionDto: z.ZodObject<{
1123
+ userId: z.ZodString;
1124
+ resource: z.ZodString;
1125
+ action: z.ZodString;
1126
+ }, z.core.$strip>;
1127
+ type CreatePermissionDto = z.infer<typeof createPermissionDto>;
1128
+ type UpdatePermissionDto = z.infer<typeof updatePermissionDto>;
1129
+ type PermissionIdParam = z.infer<typeof permissionIdParam>;
1130
+ type AssignPermissionDto = z.infer<typeof assignPermissionDto>;
1131
+ type CheckPermissionDto = z.infer<typeof checkPermissionDto>;
1132
+
1133
+ declare class PermissionController {
1134
+ private permissionService;
1135
+ constructor(permissionService: PermissionService);
1136
+ getPermissions(): Promise<{
1137
+ id: string;
1138
+ name: string;
1139
+ description: string;
1140
+ createdAt: string;
1141
+ updatedAt: string;
1142
+ resource: string;
1143
+ action: string;
1144
+ }[]>;
1145
+ getPermission(params: PermissionIdParam): Promise<{
1146
+ id: string;
1147
+ name: string;
1148
+ description: string;
1149
+ createdAt: string;
1150
+ updatedAt: string;
1151
+ resource: string;
1152
+ action: string;
1153
+ }>;
1154
+ create(body: CreatePermissionDto): Promise<{
1155
+ id: string;
1156
+ name: string;
1157
+ description: string;
1158
+ createdAt: string;
1159
+ updatedAt: string;
1160
+ resource: string;
1161
+ action: string;
1162
+ }>;
1163
+ update(params: PermissionIdParam, body: UpdatePermissionDto): Promise<{
1164
+ id: string;
1165
+ name: string;
1166
+ description: string;
1167
+ createdAt: string;
1168
+ updatedAt: string;
1169
+ resource: string;
1170
+ action: string;
1171
+ }>;
1172
+ delete(params: PermissionIdParam): Promise<{
1173
+ id: string;
1174
+ name: string;
1175
+ description: string;
1176
+ createdAt: string;
1177
+ updatedAt: string;
1178
+ resource: string;
1179
+ action: string;
1180
+ }>;
1181
+ getByRole(params: RoleIdParam): Promise<Pick<{
1182
+ id: string;
1183
+ name: string;
1184
+ description: string;
1185
+ createdAt: string;
1186
+ updatedAt: string;
1187
+ resource: string;
1188
+ action: string;
1189
+ }, "id" | "name" | "description" | "resource" | "action">[]>;
1190
+ getRolesByPermission(params: PermissionIdParam): Promise<Pick<{
1191
+ id: string;
1192
+ name: string;
1193
+ description: string;
1194
+ createdAt: string;
1195
+ updatedAt: string;
1196
+ }, "id" | "name" | "description">[]>;
1197
+ assignToRole(params: AssignPermissionDto): Promise<{
1198
+ id: string;
1199
+ createdAt: string;
1200
+ updatedAt: string;
1201
+ roleId: string;
1202
+ permissionId: string;
1203
+ }>;
1204
+ removeFromRole(params: AssignPermissionDto): Promise<{
1205
+ id: string;
1206
+ createdAt: string;
1207
+ updatedAt: string;
1208
+ roleId: string;
1209
+ permissionId: string;
1210
+ }>;
1211
+ deleteAll(): Promise<{
1212
+ id: string;
1213
+ name: string;
1214
+ description: string;
1215
+ createdAt: string;
1216
+ updatedAt: string;
1217
+ resource: string;
1218
+ action: string;
1219
+ }[]>;
1220
+ }
1221
+
1222
+ /**
1223
+ * Shared query builders used across auth repositories.
1224
+ * Eliminates duplication between UserRepository and TokenRepository.
1225
+ */
1226
+ declare class AuthQueries {
1227
+ private db;
1228
+ private schema;
1229
+ constructor(db: any, schema: AuthSchema);
1230
+ /**
1231
+ * Standard user selection fields with role join
1232
+ */
1233
+ userSelection(): {
1234
+ id: any;
1235
+ email: any;
1236
+ emailVerified: any;
1237
+ image: any;
1238
+ status: any;
1239
+ roleId: any;
1240
+ role: any;
1241
+ createdAt: any;
1242
+ updatedAt: any;
1243
+ };
1244
+ /**
1245
+ * Get permissions for a user by their userId
1246
+ */
1247
+ getUserPermissions(userId: string): Promise<string[]>;
1248
+ /**
1249
+ * Get role name for a user
1250
+ */
1251
+ getRoleName(userId: string): Promise<string | null>;
1252
+ /**
1253
+ * Batch load permissions for multiple users (fixes N+1 query problem)
1254
+ * Returns a Map of roleId -> permissions[]
1255
+ */
1256
+ batchLoadPermissionsByRole(): Promise<Map<string, string[]>>;
1257
+ }
1258
+
1259
+ declare const avatarsPath: string;
1260
+ declare const parseSchema: (schema: any, data: any) => Promise<any>;
1261
+ declare const clean: (obj: any) => any;
1262
+ declare const getAvatarFile: (fileName: any) => Promise<File>;
1263
+ declare const formatDate: (dateValue: any) => string;
1264
+ declare function calculateAge(dateOfBirth: any): number;
1265
+ declare function calculateYearsOfExperience(hireDate: any): number;
1266
+ declare function pickProps<T>(source: T, keys: any): Partial<T>;
1267
+ declare const isEmpty: any;
1268
+ declare const isPath: (img: any) => boolean;
1269
+ declare const isFile: (img: any) => boolean;
1270
+
1271
+ declare const createTokenDto: z.ZodObject<{
1272
+ userId: z.ZodString;
1273
+ token: z.ZodString;
1274
+ type: z.ZodDefault<z.ZodEnum<{
1275
+ access: "access";
1276
+ refresh: "refresh";
1277
+ }>>;
1278
+ status: z.ZodDefault<z.ZodEnum<{
1279
+ active: "active";
1280
+ revoked: "revoked";
1281
+ expired: "expired";
1282
+ }>>;
1283
+ expiresAt: z.ZodString;
1284
+ }, z.core.$strip>;
1285
+ declare const updateTokenDto: z.ZodObject<{
1286
+ status: z.ZodEnum<{
1287
+ active: "active";
1288
+ revoked: "revoked";
1289
+ expired: "expired";
1290
+ }>;
1291
+ }, z.core.$strip>;
1292
+ declare const tokenIdParam: z.ZodObject<{
1293
+ id: z.ZodString;
1294
+ }, z.core.$strip>;
1295
+ declare const verifyTokenDto: z.ZodObject<{
1296
+ token: z.ZodString;
1297
+ }, z.core.$strip>;
1298
+ declare const refreshTokenDto: z.ZodObject<{
1299
+ refreshToken: z.ZodString;
1300
+ }, z.core.$strip>;
1301
+ declare const revokeTokenDto: z.ZodObject<{
1302
+ userId: z.ZodString;
1303
+ }, z.core.$strip>;
1304
+ type CreateTokenDto = z.infer<typeof createTokenDto>;
1305
+ type UpdateTokenDto = z.infer<typeof updateTokenDto>;
1306
+ type TokenIdParam = z.infer<typeof tokenIdParam>;
1307
+ type VerifyTokenDto = z.infer<typeof verifyTokenDto>;
1308
+ type RefreshTokenDto = z.infer<typeof refreshTokenDto>;
1309
+ type RevokeTokenDto = z.infer<typeof revokeTokenDto>;
1310
+
1311
+ declare class UserController {
1312
+ private userService;
1313
+ constructor(userService: UserService);
1314
+ getUsers(): Promise<SanitizedUser[]>;
1315
+ getLang(): Promise<{
1316
+ language: string;
1317
+ }>;
1318
+ updateLang(params: LanguageParam): Promise<string>;
1319
+ getUser(params: UserIdParam): Promise<SanitizedUser>;
1320
+ getByEmail(params: EmailParam): Promise<SanitizedUser>;
1321
+ getRole(params: UserIdInParam): Promise<string>;
1322
+ create(body: CreateUserDto): Promise<SanitizedUser>;
1323
+ update(params: UserIdParam, body: UpdateUserDto): Promise<SanitizedUser>;
1324
+ delete(params: UserIdParam): Promise<SanitizedUser>;
1325
+ deleteAll(): Promise<SanitizedUser[]>;
1326
+ assignRole(params: AssignRoleParams): Promise<SanitizedUser>;
1327
+ removeRole(params: UserIdInParam): Promise<SanitizedUser>;
1328
+ }
1329
+
1330
+ declare const USER_STATUS: readonly ["active", "inactive", "pending"];
1331
+ declare const TOKEN_STATUS: readonly ["active", "revoked", "expired"];
1332
+ declare const TOKEN_TYPE: readonly ["access", "refresh"];
1333
+
1334
+ /**
1335
+ * Shared user configuration for seeding
1336
+ */
1337
+ interface SeedUserConfig {
1338
+ email: string;
1339
+ password: string;
1340
+ roleName: string;
1341
+ emailVerified?: boolean;
1342
+ status?: 'active' | 'inactive' | 'pending';
1343
+ image?: string;
1344
+ username?: string;
1345
+ }
1346
+ /**
1347
+ * Low-level factory config (for use with SeedService)
1348
+ */
1349
+ interface AuthSeedConfig {
1350
+ adminEmail: string;
1351
+ adminPass: string;
1352
+ roles?: Array<{
1353
+ name: string;
1354
+ description?: string;
1355
+ }>;
1356
+ permissions?: Array<{
1357
+ action: string;
1358
+ resource: string;
1359
+ name: string;
1360
+ description?: string;
1361
+ }>;
1362
+ additionalUsers?: SeedUserConfig[];
1363
+ }
1364
+ /**
1365
+ * High-level standalone function config
1366
+ */
1367
+ interface SeedAuthDataConfig {
1368
+ /** Drizzle database instance (required) */
1369
+ db: any;
1370
+ /** Admin email (required) */
1371
+ adminEmail: string;
1372
+ /** Admin password (required) */
1373
+ adminPassword: string;
1374
+ /** Additional users to seed (optional) */
1375
+ users?: SeedUserConfig[];
1376
+ /** Custom roles (optional - uses defaults if omitted) */
1377
+ roles?: Array<{
1378
+ name: string;
1379
+ description?: string;
1380
+ }>;
1381
+ /** Custom permissions (optional - uses defaults if omitted) */
1382
+ permissions?: Array<{
1383
+ action: string;
1384
+ resource: string;
1385
+ name: string;
1386
+ description?: string;
1387
+ }>;
1388
+ /** Show verbose logging (optional) */
1389
+ verbose?: boolean;
1390
+ /** Conflict handling strategy (optional) */
1391
+ onConflict?: 'skip' | 'replace' | 'fail';
1392
+ }
1393
+ /**
1394
+ * Result of seedAuthData operation
1395
+ */
1396
+ interface SeedAuthDataResult {
1397
+ inserted: number;
1398
+ skipped: number;
1399
+ failed: number;
1400
+ users: Array<{
1401
+ id: string;
1402
+ email: string;
1403
+ roleId: string;
1404
+ }>;
1405
+ roles: Array<{
1406
+ id: string;
1407
+ name: string;
1408
+ }>;
1409
+ }
1410
+
1411
+ /**
1412
+ * Composable seed definition factory for najm-auth plugin.
1413
+ *
1414
+ * Provides default roles, permissions, and admin user with proper validation and password hashing.
1415
+ *
1416
+ * @example
1417
+ * ```typescript
1418
+ * const seeder = server.container.get(SeedService);
1419
+ *
1420
+ * await seeder.run({
1421
+ * ...authSeed({ adminEmail: 'admin@test.com', adminPass: 'Admin123!' }),
1422
+ * // ... your app-specific seeds
1423
+ * });
1424
+ * ```
1425
+ */
1426
+ declare const authSeed: (config: AuthSeedConfig) => Record<string, SeedEntry>;
1427
+
1428
+ /**
1429
+ * Standalone function to seed authentication data.
1430
+ * Handles Server setup, seeding, and cleanup automatically.
1431
+ *
1432
+ * @example
1433
+ * ```typescript
1434
+ * // In a seed script
1435
+ * import { seedAuthData } from 'najm-auth';
1436
+ * import { db } from './database';
1437
+ *
1438
+ * await seedAuthData({
1439
+ * db,
1440
+ * adminEmail: 'admin@app.com',
1441
+ * adminPassword: 'Secret123!',
1442
+ * users: [
1443
+ * { email: 'user@app.com', password: 'User123!', roleName: 'user' }
1444
+ * ]
1445
+ * });
1446
+ * ```
1447
+ *
1448
+ * @example
1449
+ * ```typescript
1450
+ * // In a service method
1451
+ * @Service()
1452
+ * class SetupService {
1453
+ * async seedDefaultData() {
1454
+ * await seedAuthData({
1455
+ * db: this.db,
1456
+ * adminEmail: process.env.ADMIN_EMAIL!,
1457
+ * adminPassword: process.env.ADMIN_PASSWORD!,
1458
+ * verbose: true
1459
+ * });
1460
+ * }
1461
+ * }
1462
+ * ```
1463
+ */
1464
+ declare function seedAuthData(config: SeedAuthDataConfig): Promise<SeedAuthDataResult>;
1465
+
1466
+ export { AUTH_CONFIG, en as AUTH_EN, AUTH_LOCALES, AUTH_MODULE, AUTH_PERMISSIONS, AUTH_ROLE, AUTH_SCHEMA, AUTH_SUPPORTED_LANGUAGES, AUTH_USER, type AssignPermissionDto, type AssignRoleDto, type AssignRoleParams, type AuthConfig, AuthController, AuthGuard, type AuthPluginConfig, AuthQueries, type AuthSchema, type AuthSeedConfig, AuthService, type AuthUser, Can, type ChangePasswordDto, type CheckPermissionDto, type ConfirmResetPasswordDto, CookieManager, type CreatePermissionDto, type CreateRoleDto, type CreateTokenDto, type CreateUserDto, type EmailParam, EncryptionService, type JwtConfig, type JwtPayload, type LanguageParam, type LoginDto, NewPermission, NewRoleEntity, NewUser, Permission, PermissionController, PermissionGuard, type PermissionIdParam, PermissionRepository, PermissionService, PermissionValidator, ROLES, ROLE_GROUPS, type RefreshTokenDto, type ResetPasswordDto, type RevokeTokenDto, Role, RoleController, RoleEntity, RoleGuard, type RoleIdParam, type RoleInput, RolePermission, RoleRepository, RoleService, type RoleType, RoleValidator, type SanitizedUser, type SeedAuthDataConfig, type SeedAuthDataResult, type SeedUserConfig, TOKEN_STATUS, TOKEN_TYPE, type TokenIdParam, type TokenPair, TokenRepository, TokenService, USER_STATUS, type UpdatePermissionDto, type UpdateRoleDto, type UpdateTokenDto, type UpdateUserDto, User, UserController, type UserIdInParam, type UserIdParam, UserRepository, UserService, UserValidator, type UserWithPermissions, type VerifyTokenDto, assignPermissionDto, assignRoleDto, assignRoleParams, auth$1 as auth, authSeed, avatarsPath, calculateAge, calculateYearsOfExperience, canCreate, canDelete, canManage, canRead, canUpdate, changePasswordDto, checkPermissionDto, clean, confirmResetPasswordDto, createPermissionDto, createRoleDto, createTokenDto, createUserDto, emailParam, formatDate, getAuthLocale, getAvatarFile, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isPath, languageParam, loginDto, parseSchema, permissionIdParam, pickProps, refreshTokenDto, resetPasswordDto, revokeTokenDto, roleIdParam, seedAuthData, tokenIdParam, updatePermissionDto, updateRoleDto, updateTokenDto, updateUserDto, userIdInParam, userIdParam, verifyTokenDto };