najm-auth 1.1.31 → 1.1.33

package/README.md

@@ -198,13 +198,13 @@ class PostController {
 ```typescript
 import { defineRoles } from 'najm-auth';
 
-const roles = defineRoles({
-  ADMIN: 'admin',
-  MODERATOR: 'moderator',
-  USER: 'user',
-}, {
-  superRoles: ['ADMIN'],       // admin also passes moderator/user role guards
-});
+const roles = defineRoles({
+  ADMIN: 'admin',
+  MODERATOR: 'moderator',
+  USER: 'user',
+}, {
+  superRoles: ['ADMIN'],       // admin also passes moderator/user role guards
+});
 
 export const { isAdmin, isModerator, isUser } = roles;
 

package/dist/client/react/index.js

@@ -7,7 +7,19 @@ import { useEffect, useRef } from "react";
 
 // src/client/react/context.ts
 import { createContext, useContext } from "react";
-var AuthClientContext = createContext(null);
+var KEY = /* @__PURE__ */ Symbol.for("najm:auth:client:context");
+var contextStore = globalThis;
+function getAuthClientContext() {
+  const existing = contextStore[KEY];
+  if (existing) {
+    return existing;
+  }
+  const context = createContext(null);
+  contextStore[KEY] = context;
+  return context;
+}
+__name(getAuthClientContext, "getAuthClientContext");
+var AuthClientContext = getAuthClientContext();
 function useAuthClient() {
   const client = useContext(AuthClientContext);
   if (!client) {

package/dist/index.d.ts

@@ -1,4 +1,5 @@
 import * as najm_core from 'najm-core';
+import { Container } from 'najm-core';
 import { ValidationPluginConfig } from 'najm-validation';
 import { RateLimitPluginConfig } from 'najm-rate';
 import { I18nService } from 'najm-i18n';
@@ -109,6 +110,8 @@ type AuthPluginConfig = {
     validation?: ValidationPluginConfig;
     /** Optional config forwarded to rateLimit() dependency */
     rateLimit?: RateLimitPluginConfig;
+    /** AES-256-GCM key for reversible encryption (e.g. API keys). Falls back to NAJM_ENCRYPTION_KEY env var. */
+    encryptionKey?: string;
 };
 /**
  * JWT payload structure
@@ -339,14 +342,13 @@ declare function getAuthLocale(lang: string): Record<string, any>;
  */
 declare const AUTH_SUPPORTED_LANGUAGES: string[];
 
-/**
- * EncryptionService - Pure hashing utility
- * Validation is handled by UserValidator (single source of truth)
- */
 declare class EncryptionService {
-    constructor();
+    private encryptionKey;
+    constructor(encryptionKey?: string | null);
     hashPassword(password: string): Promise<string>;
     comparePassword(password: string, hashedPassword: string): Promise<boolean>;
+    encrypt(plaintext: string): string;
+    decrypt(ciphertext: string): string;
 }
 
 interface SessionCookieData {
@@ -416,8 +418,10 @@ declare class UserRepository {
     delete(id: string): Promise<User>;
     deleteAll(): Promise<User[]>;
     getRoleNameById(userId: string): Promise<string | null>;
+    findByPhone(phone: string): Promise<UserWithPermissions | undefined>;
     getUserPassword(email: string): Promise<string | undefined>;
     getUserPermissions(userId: string): Promise<string[]>;
+    updatePhone(id: string, phone: string): Promise<User>;
 }
 
 /**
@@ -448,6 +452,8 @@ declare class UserValidator {
         updatedAt: string;
         email: string;
         emailVerified: boolean;
+        phone: string;
+        phoneVerified: boolean;
         password: string;
         image: string;
         status: "active" | "pending" | "inactive";
@@ -468,6 +474,8 @@ declare class UserValidator {
         updatedAt: string;
         email: string;
         emailVerified: boolean;
+        phone: string;
+        phoneVerified: boolean;
         password: string;
         image: string;
         status: "active" | "pending" | "inactive";
@@ -968,6 +976,8 @@ declare class AuthController {
         updatedAt: string;
         email: string;
         emailVerified: boolean;
+        phone: string;
+        phoneVerified: boolean;
         password: string;
         image: string;
         status: "active" | "pending" | "inactive";
@@ -1006,6 +1016,10 @@ declare class AuthResolver {
     /**
      * Resolve the current user from the refresh cookie (cookie-only flow,
      * e.g. Next.js Server Components calling /auth/me with just the cookie).
+     *
+     * Read-only: does NOT rotate the refresh token. Rotation is reserved for
+     * the /auth/refresh handler. Mutating here races with /auth/refresh when
+     * requests are concurrent.
      */
     resolveFromCookie(): Promise<{
         user: any;
@@ -1015,6 +1029,13 @@ declare class AuthResolver {
     activate(): Promise<void>;
 }
 
+interface RunAsUser {
+    id: string;
+    role?: string | null;
+    permissions?: string[];
+}
+declare function runAsUser<T>(container: Container, user: RunAsUser, fn: () => Promise<T> | T): Promise<T>;
+
 declare const AUTH_MODULE: readonly [typeof AuthService, typeof CookieManager, typeof EncryptionService, typeof AuthGuard, typeof AuthController, typeof AuthResolver];
 
 declare class PermissionRepository {
@@ -1901,4 +1922,4 @@ declare const authSeed: (config: AuthSeedConfig) => Record<string, SeedEntry>;
  */
 declare function seedAuthData(config: SeedAuthDataConfig): Promise<SeedAuthDataResult>;
 
-export { AUTH_CONFIG, en as AUTH_EN, AUTH_LOCALES, AUTH_MODULE, AUTH_PERMISSIONS, AUTH_ROLE, AUTH_SCHEMA, AUTH_SUPPORTED_LANGUAGES, AUTH_USER, type AssignPermissionDto, type AssignRoleDto, type AssignRoleParams, type AuthConfig, AuthController, AuthGuard, type AuthPluginConfig, AuthQueries, AuthResolver, type AuthSchema, type AuthSeedConfig, AuthService, type AuthUser, Can, CanCreate, CanDelete, CanList, CanRead, CanUpdate, type ChainableGuard, type ChangePasswordDto, type CheckPermissionDto, type ConfiguredOwnership, type ConfirmResetPasswordDto, CookieManager, type CreatePermissionDto, type CreateRoleDto, type CreateTokenDto, type CreateUserDto, type DefineRolesOptions, type EmailParam, EncryptionService, type JwtConfig, type JwtPayload, type LanguageParam, type LoginDto, NewPermission, NewRoleEntity, NewUser, Owned, type OwnedMethods, type OwnershipConfig, type OwnershipProvider, type OwnershipRule, OwnershipToken, type OwnershipTokenOptions, Permission, PermissionController, PermissionGuard, type PermissionIdParam, PermissionRepository, PermissionService, PermissionValidator, Policy, ROLES, ROLE_GROUPS, type RefreshTokenDto, type ResetPasswordDto, type ResourceAccessor, type ResourceGuards, type ResourceGuardsOptions, type RevokeTokenDto, Role, RoleController, RoleEntity, RoleGuard, type RoleIdParam, type RoleInput, RolePermission, RoleRepository, RoleService, type RoleType, RoleValidator, type SanitizedUser, ScopeContext, type ScopeResult, type SeedAuthDataConfig, type SeedAuthDataResult, type SeedUserConfig, type SessionCookieData, TOKEN_STATUS, TOKEN_TYPE, type TokenIdParam, type TokenPair, TokenRepository, TokenService, USER_STATUS, type UpdatePermissionDto, type UpdateRoleDto, type UpdateTokenDto, type UpdateUserDto, User, UserController, type UserIdInParam, type UserIdParam, UserRepository, UserService, UserValidator, type UserWithPermissions, type VerifyTokenDto, assignPermissionDto, assignRoleDto, assignRoleParams, auth$1 as auth, authSeed, avatarsPath, calculateAge, calculateYearsOfExperience, changePasswordDto, checkPermissionDto, clean, configureOwnership, confirmResetPasswordDto, createPermissionDto, createRoleDto, createTokenDto, createUserDto, defineRoles, emailParam, formatDate, getAuthLocale, getAvatarFile, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isPath, join, languageParam, loginDto, own, parseSchema, permissionIdParam, pickProps, refreshTokenDto, resetPasswordDto, revokeTokenDto, roleIdParam, seedAuthData, setConfiguredCookieName, tokenIdParam, updatePermissionDto, updateRoleDto, updateTokenDto, updateUserDto, userIdInParam, userIdParam, verifyTokenDto, where };
+export { AUTH_CONFIG, en as AUTH_EN, AUTH_LOCALES, AUTH_MODULE, AUTH_PERMISSIONS, AUTH_ROLE, AUTH_SCHEMA, AUTH_SUPPORTED_LANGUAGES, AUTH_USER, type AssignPermissionDto, type AssignRoleDto, type AssignRoleParams, type AuthConfig, AuthController, AuthGuard, type AuthPluginConfig, AuthQueries, AuthResolver, type AuthSchema, type AuthSeedConfig, AuthService, type AuthUser, Can, CanCreate, CanDelete, CanList, CanRead, CanUpdate, type ChainableGuard, type ChangePasswordDto, type CheckPermissionDto, type ConfiguredOwnership, type ConfirmResetPasswordDto, CookieManager, type CreatePermissionDto, type CreateRoleDto, type CreateTokenDto, type CreateUserDto, type DefineRolesOptions, type EmailParam, EncryptionService, type JwtConfig, type JwtPayload, type LanguageParam, type LoginDto, NewPermission, NewRoleEntity, NewUser, Owned, type OwnedMethods, type OwnershipConfig, type OwnershipProvider, type OwnershipRule, OwnershipToken, type OwnershipTokenOptions, Permission, PermissionController, PermissionGuard, type PermissionIdParam, PermissionRepository, PermissionService, PermissionValidator, Policy, ROLES, ROLE_GROUPS, type RefreshTokenDto, type ResetPasswordDto, type ResourceAccessor, type ResourceGuards, type ResourceGuardsOptions, type RevokeTokenDto, Role, RoleController, RoleEntity, RoleGuard, type RoleIdParam, type RoleInput, RolePermission, RoleRepository, RoleService, type RoleType, RoleValidator, type RunAsUser, type SanitizedUser, ScopeContext, type ScopeResult, type SeedAuthDataConfig, type SeedAuthDataResult, type SeedUserConfig, type SessionCookieData, TOKEN_STATUS, TOKEN_TYPE, type TokenIdParam, type TokenPair, TokenRepository, TokenService, USER_STATUS, type UpdatePermissionDto, type UpdateRoleDto, type UpdateTokenDto, type UpdateUserDto, User, UserController, type UserIdInParam, type UserIdParam, UserRepository, UserService, UserValidator, type UserWithPermissions, type VerifyTokenDto, assignPermissionDto, assignRoleDto, assignRoleParams, auth$1 as auth, authSeed, avatarsPath, calculateAge, calculateYearsOfExperience, changePasswordDto, checkPermissionDto, clean, configureOwnership, confirmResetPasswordDto, createPermissionDto, createRoleDto, createTokenDto, createUserDto, defineRoles, emailParam, formatDate, getAuthLocale, getAvatarFile, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isPath, join, languageParam, loginDto, own, parseSchema, permissionIdParam, pickProps, refreshTokenDto, resetPasswordDto, revokeTokenDto, roleIdParam, runAsUser, seedAuthData, setConfiguredCookieName, tokenIdParam, updatePermissionDto, updateRoleDto, updateTokenDto, updateUserDto, userIdInParam, userIdParam, verifyTokenDto, where };

package/dist/index.js

@@ -15,6 +15,7 @@ var AUTH_SCHEMA = /* @__PURE__ */ Symbol.for("najm:auth:schema");
 var AUTH_USER = /* @__PURE__ */ Symbol.for("najm:auth:user");
 var AUTH_ROLE = /* @__PURE__ */ Symbol.for("najm:auth:role");
 var AUTH_PERMISSIONS = /* @__PURE__ */ Symbol.for("najm:auth:permissions");
+var AUTH_ENCRYPTION_KEY = /* @__PURE__ */ Symbol.for("najm:auth:encryption-key");
 
 // src/schema/pg.ts
 import { pgTable, text, boolean, timestamp, pgEnum, primaryKey, integer, index } from "drizzle-orm/pg-core";
@@ -45,6 +46,8 @@ var usersTable = pgTable("users", {
   name: text("name"),
   email: text("email").notNull().unique(),
   emailVerified: boolean("email_verified").default(false),
+  phone: text("phone").unique(),
+  phoneVerified: boolean("phone_verified").default(false),
   password: text("password").notNull(),
   image: text("image").default("noavatar.png"),
   status: userStatusEnum("status").default("pending"),
@@ -110,6 +113,8 @@ var usersTable2 = sqliteTable("users", {
   name: text2("name"),
   email: text2("email").notNull().unique(),
   emailVerified: integer2("email_verified", { mode: "boolean" }).default(false),
+  phone: text2("phone").unique(),
+  phoneVerified: integer2("phone_verified", { mode: "boolean" }).default(false),
   password: text2("password").notNull(),
   image: text2("image").default("noavatar.png"),
   status: text2("status").$type().default("pending"),
@@ -175,6 +180,8 @@ var usersTable3 = mysqlTable("users", {
   name: varchar("name", { length: 255 }),
   email: varchar("email", { length: 255 }).notNull().unique(),
   emailVerified: boolean2("email_verified").default(false),
+  phone: varchar("phone", { length: 255 }).unique(),
+  phoneVerified: boolean2("phone_verified").default(false),
   password: varchar("password", { length: 255 }).notNull(),
   image: varchar("image", { length: 255 }).default("noavatar.png"),
   status: mysqlEnum("status", [...USER_STATUS]).default("pending"),
@@ -227,13 +234,13 @@ import { Get, Post, ResMsg } from "najm-core";
 import { Body, User as User2, Headers } from "najm-core";
 
 // src/auth/AuthService.ts
-import { Injectable as Injectable7, Inject as Inject7 } from "najm-core";
+import { Injectable as Injectable7, Inject as Inject8 } from "najm-core";
 import { Err as Err6, Log } from "najm-core";
 import { I18n as I18n4, I18nService as I18nService2 } from "najm-i18n";
 import { EmailService, passwordResetTemplate } from "najm-email";
 
 // src/users/UserService.ts
-import { Injectable as Injectable5, Inject as Inject3 } from "najm-core";
+import { Injectable as Injectable5, Inject as Inject4 } from "najm-core";
 import { Transaction } from "najm-database";
 import { I18nService } from "najm-i18n";
 
@@ -432,6 +439,15 @@ var UserRepository = class UserRepository2 {
   async getRoleNameById(userId) {
     return this.q.getRoleName(userId);
   }
+  async findByPhone(phone) {
+    const [user] = await this.db.select(this.q.userSelection()).from(this.users).leftJoin(this.roles, eq2(this.users.roleId, this.roles.id)).where(eq2(this.users.phone, phone)).limit(1);
+    if (!user)
+      return void 0;
+    return {
+      ...user,
+      permissions: await this.q.getUserPermissions(user.id)
+    };
+  }
   async getUserPassword(email2) {
     const [user] = await this.db.select({
       id: this.users.id,
@@ -443,6 +459,10 @@ var UserRepository = class UserRepository2 {
   async getUserPermissions(userId) {
     return this.q.getUserPermissions(userId);
   }
+  async updatePhone(id, phone) {
+    const [updatedUser] = await this.db.update(this.users).set({ phone, phoneVerified: true }).where(eq2(this.users.id, id)).returning();
+    return updatedUser;
+  }
 };
 __decorate([
   DB(),
@@ -462,8 +482,9 @@ import { Err } from "najm-core";
 import { I18n } from "najm-i18n";
 
 // src/auth/EncryptionService.ts
-import { Injectable } from "najm-core";
+import { Inject as Inject2, Injectable } from "najm-core";
 import bcrypt from "bcryptjs";
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
 var __decorate2 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -473,11 +494,38 @@ var __decorate2 = function(decorators, target, key, desc) {
 var __metadata2 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
+var __param = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var REQUIRED_KEY_BYTES = 32;
+function decodeKey(raw) {
+  if (/^[0-9a-fA-F]{64}$/.test(raw)) {
+    return Buffer.from(raw, "hex");
+  }
+  if (/^[A-Za-z0-9+/]+=*$/.test(raw) || /^[A-Za-z0-9_-]+=*$/.test(raw)) {
+    const decoded = Buffer.from(raw, raw.includes("-") || raw.includes("_") ? "base64url" : "base64");
+    if (decoded.length === REQUIRED_KEY_BYTES)
+      return decoded;
+  }
+  if (Buffer.byteLength(raw, "utf8") === REQUIRED_KEY_BYTES) {
+    return Buffer.from(raw, "utf8");
+  }
+  throw new Error(`Encryption key must decode to ${REQUIRED_KEY_BYTES} bytes. Provide hex (64 chars) or base64 (32 bytes decoded).`);
+}
+__name(decodeKey, "decodeKey");
 var EncryptionService = class EncryptionService2 {
   static {
     __name(this, "EncryptionService");
   }
-  constructor() {
+  encryptionKey;
+  constructor(encryptionKey) {
+    const raw = encryptionKey ?? process.env.NAJM_ENCRYPTION_KEY ?? "";
+    if (!raw) {
+      throw new Error("Encryption key missing. Set NAJM_ENCRYPTION_KEY (base64 or hex, 32 bytes) or pass auth({ encryptionKey })");
+    }
+    this.encryptionKey = decodeKey(raw);
   }
   async hashPassword(password) {
     return bcrypt.hash(password, 10);
@@ -485,10 +533,27 @@ var EncryptionService = class EncryptionService2 {
   async comparePassword(password, hashedPassword) {
     return bcrypt.compare(password, hashedPassword);
   }
+  encrypt(plaintext) {
+    const iv = randomBytes(12);
+    const cipher = createCipheriv("aes-256-gcm", this.encryptionKey, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([iv, tag, encrypted]).toString("base64url");
+  }
+  decrypt(ciphertext) {
+    const raw = Buffer.from(ciphertext, "base64url");
+    const iv = raw.subarray(0, 12);
+    const tag = raw.subarray(12, 28);
+    const encrypted = raw.subarray(28);
+    const decipher = createDecipheriv("aes-256-gcm", this.encryptionKey, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  }
 };
 EncryptionService = __decorate2([
   Injectable(),
-  __metadata2("design:paramtypes", [])
+  __param(0, Inject2(AUTH_ENCRYPTION_KEY)),
+  __metadata2("design:paramtypes", [String])
 ], EncryptionService);
 
 // src/users/UserValidator.ts
@@ -640,7 +705,7 @@ import { Injectable as Injectable4 } from "najm-core";
 
 // src/roles/RoleRepository.ts
 import { eq as eq3 } from "drizzle-orm";
-import { Repository as Repository2, Inject as Inject2 } from "najm-core";
+import { Repository as Repository2, Inject as Inject3 } from "najm-core";
 import { DB as DB2 } from "najm-database";
 var __decorate4 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -689,7 +754,7 @@ __decorate4([
   __metadata4("design:type", Object)
 ], RoleRepository.prototype, "db", void 0);
 __decorate4([
-  Inject2(AUTH_SCHEMA),
+  Inject3(AUTH_SCHEMA),
   __metadata4("design:type", Object)
 ], RoleRepository.prototype, "schema", void 0);
 RoleRepository = __decorate4([
@@ -954,7 +1019,7 @@ var __decorate7 = function(decorators, target, key, desc) {
 var __metadata7 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param = function(paramIndex, decorator) {
+var __param2 = function(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
   };
@@ -1165,12 +1230,12 @@ __decorate7([
 ], UserService.prototype, "create", null);
 UserService = __decorate7([
   Injectable5(),
-  __param(6, Inject3(AUTH_CONFIG)),
+  __param2(6, Inject4(AUTH_CONFIG)),
   __metadata7("design:paramtypes", [typeof (_a4 = typeof RoleValidator !== "undefined" && RoleValidator) === "function" ? _a4 : Object, typeof (_b3 = typeof RoleService !== "undefined" && RoleService) === "function" ? _b3 : Object, typeof (_c = typeof UserRepository !== "undefined" && UserRepository) === "function" ? _c : Object, typeof (_d = typeof UserValidator !== "undefined" && UserValidator) === "function" ? _d : Object, typeof (_e = typeof EncryptionService !== "undefined" && EncryptionService) === "function" ? _e : Object, typeof (_f = typeof I18nService !== "undefined" && I18nService) === "function" ? _f : Object, Object])
 ], UserService);
 
 // src/auth/CookieManager.ts
-import { Service, Inject as Inject4 } from "najm-core";
+import { Service, Inject as Inject5 } from "najm-core";
 import { CookieService } from "najm-cookies";
 import timestring from "timestring";
 var __decorate8 = function(decorators, target, key, desc) {
@@ -1263,11 +1328,11 @@ var CookieManager = class CookieManager2 {
   }
 };
 __decorate8([
-  Inject4(AUTH_CONFIG),
+  Inject5(AUTH_CONFIG),
   __metadata8("design:type", Object)
 ], CookieManager.prototype, "config", void 0);
 __decorate8([
-  Inject4(CookieService),
+  Inject5(CookieService),
   __metadata8("design:type", typeof (_a5 = typeof CookieService !== "undefined" && CookieService) === "function" ? _a5 : Object)
 ], CookieManager.prototype, "cookieService", void 0);
 CookieManager = __decorate8([
@@ -1275,7 +1340,7 @@ CookieManager = __decorate8([
 ], CookieManager);
 
 // src/tokens/TokenService.ts
-import { Injectable as Injectable6, Inject as Inject6 } from "najm-core";
+import { Injectable as Injectable6, Inject as Inject7 } from "najm-core";
 import { I18n as I18n3 } from "najm-i18n";
 import { CacheService } from "najm-cache";
 import { createHash } from "crypto";
@@ -1284,7 +1349,7 @@ import { nanoid as nanoid5 } from "nanoid";
 
 // src/tokens/TokenRepository.ts
 import { eq as eq4 } from "drizzle-orm";
-import { Repository as Repository3, Inject as Inject5 } from "najm-core";
+import { Repository as Repository3, Inject as Inject6 } from "najm-core";
 import { DB as DB3 } from "najm-database";
 var __decorate9 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -1369,7 +1434,7 @@ __decorate9([
   __metadata9("design:type", Object)
 ], TokenRepository.prototype, "db", void 0);
 __decorate9([
-  Inject5(AUTH_SCHEMA),
+  Inject6(AUTH_SCHEMA),
   __metadata9("design:type", Object)
 ], TokenRepository.prototype, "schema", void 0);
 TokenRepository = __decorate9([
@@ -1730,7 +1795,7 @@ var TokenService = class TokenService2 {
   }
 };
 __decorate10([
-  Inject6(AUTH_CONFIG),
+  Inject7(AUTH_CONFIG),
   __metadata10("design:type", Object)
 ], TokenService.prototype, "config", void 0);
 __decorate10([
@@ -1968,7 +2033,7 @@ var AuthService = class AuthService2 {
   }
 };
 __decorate11([
-  Inject7(AUTH_CONFIG),
+  Inject8(AUTH_CONFIG),
   __metadata11("design:type", Object)
 ], AuthService.prototype, "config", void 0);
 __decorate11([
@@ -1996,7 +2061,7 @@ var __decorate12 = function(decorators, target, key, desc) {
 var __metadata12 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param2 = function(paramIndex, decorator) {
+var __param3 = function(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
   };
@@ -2010,7 +2075,7 @@ var AuthGuard = class AuthGuard2 {
   }
 };
 __decorate12([
-  __param2(0, User()),
+  __param3(0, User()),
   __metadata12("design:type", Function),
   __metadata12("design:paramtypes", [Object]),
   __metadata12("design:returntype", Boolean)
@@ -2081,7 +2146,7 @@ var __decorate13 = function(decorators, target, key, desc) {
 var __metadata13 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param3 = function(paramIndex, decorator) {
+var __param4 = function(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
   };
@@ -2148,7 +2213,7 @@ __decorate13([
   RateLimit({ limit: 5, window: "15m", key: ipAndEmail }),
   Validate(createUserDto),
   ResMsg("auth.success.register"),
-  __param3(0, Body()),
+  __param4(0, Body()),
   __metadata13("design:type", Function),
   __metadata13("design:paramtypes", [Object]),
   __metadata13("design:returntype", Promise)
@@ -2158,7 +2223,7 @@ __decorate13([
   RateLimit({ limit: 5, window: "15m", key: ipAndEmail, message: "Too many login attempts. Please try again later." }),
   Validate(loginDto),
   ResMsg("auth.success.login"),
-  __param3(0, Body()),
+  __param4(0, Body()),
   __metadata13("design:type", Function),
   __metadata13("design:paramtypes", [Object]),
   __metadata13("design:returntype", Promise)
@@ -2175,8 +2240,8 @@ __decorate13([
   Post("/logout"),
   isAuth(),
   RateLimit({ limit: 10, window: "15m", key: "user" }),
-  __param3(0, User2("id")),
-  __param3(1, Headers("authorization")),
+  __param4(0, User2("id")),
+  __param4(1, Headers("authorization")),
   __metadata13("design:type", Function),
   __metadata13("design:paramtypes", [String, String]),
   __metadata13("design:returntype", Promise)
@@ -2186,8 +2251,8 @@ __decorate13([
   isAuth(),
   Validate(changePasswordDto),
   ResMsg("auth.success.passwordChanged"),
-  __param3(0, User2("id")),
-  __param3(1, Body()),
+  __param4(0, User2("id")),
+  __param4(1, Body()),
   __metadata13("design:type", Function),
   __metadata13("design:paramtypes", [String, Object]),
   __metadata13("design:returntype", Promise)
@@ -2196,7 +2261,7 @@ __decorate13([
   Get("/me"),
   RateLimit({ limit: 30, window: "1m", key: cookieFingerprint() }),
   ResMsg("auth.users.success.retrieved"),
-  __param3(0, Headers("authorization")),
+  __param4(0, Headers("authorization")),
   __metadata13("design:type", Function),
   __metadata13("design:paramtypes", [String]),
   __metadata13("design:returntype", Promise)
@@ -2206,7 +2271,7 @@ __decorate13([
   RateLimit({ limit: 3, window: "15m", key: ipAndEmail, message: "Too many password reset requests. Please try again later." }),
   Validate(resetPasswordDto),
   ResMsg("auth.success.passwordResetSent"),
-  __param3(0, Body()),
+  __param4(0, Body()),
   __metadata13("design:type", Function),
   __metadata13("design:paramtypes", [Object]),
   __metadata13("design:returntype", Promise)
@@ -2216,7 +2281,7 @@ __decorate13([
   RateLimit({ limit: 5, window: "15m", key: "ip", message: "Too many password reset attempts. Please try again later." }),
   Validate(confirmResetPasswordDto),
   ResMsg("auth.success.passwordReset"),
-  __param3(0, Body()),
+  __param4(0, Body()),
   __metadata13("design:type", Function),
   __metadata13("design:paramtypes", [Object]),
   __metadata13("design:returntype", Promise)
@@ -2237,11 +2302,12 @@ __export(auth_exports, {
   CookieManager: () => CookieManager,
   EncryptionService: () => EncryptionService,
   isAuth: () => isAuth,
+  runAsUser: () => runAsUser,
   setConfiguredCookieName: () => setConfiguredCookieName
 });
 
 // src/auth/AuthResolver.ts
-import { APP, Container, DI, Inject as Inject8, LOGGER, Meta, Service as Service3 } from "najm-core";
+import { APP, Container, DI, Inject as Inject9, LOGGER, Meta, Service as Service3 } from "najm-core";
 import { USER, ROLE, PERMISSIONS } from "najm-guard";
 var __decorate14 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -2282,22 +2348,19 @@ var AuthResolver = class AuthResolver2 {
   /**
    * Resolve the current user from the refresh cookie (cookie-only flow,
    * e.g. Next.js Server Components calling /auth/me with just the cookie).
+   *
+   * Read-only: does NOT rotate the refresh token. Rotation is reserved for
+   * the /auth/refresh handler. Mutating here races with /auth/refresh when
+   * requests are concurrent.
    */
   async resolveFromCookie() {
     try {
-      const cookieManager = await this.container.resolve(CookieManager);
-      const refreshToken = cookieManager.getRefreshToken();
-      if (!refreshToken)
-        return false;
       const tokenService = await this.container.resolve(TokenService);
-      const result = await tokenService.validateRefreshSession(refreshToken);
-      if (!result.userId)
+      const userId = await tokenService.resolveUserFromCookie();
+      if (!userId)
         return false;
-      if (result.rotatedTokens) {
-        cookieManager.setRefreshToken(result.rotatedTokens.refreshToken);
-      }
       const userService = await this.container.resolve(UserService);
-      const user = await userService.getById(result.userId);
+      const user = await userService.getById(userId);
       if (!user)
         return false;
       return {
@@ -2351,11 +2414,11 @@ __decorate14([
   __metadata14("design:type", typeof (_a9 = typeof Container !== "undefined" && Container) === "function" ? _a9 : Object)
 ], AuthResolver.prototype, "container", void 0);
 __decorate14([
-  Inject8(APP),
+  Inject9(APP),
   __metadata14("design:type", Object)
 ], AuthResolver.prototype, "app", void 0);
 __decorate14([
-  Inject8(LOGGER),
+  Inject9(LOGGER),
   __metadata14("design:type", Object)
 ], AuthResolver.prototype, "log", void 0);
 AuthResolver = __decorate14([
@@ -2363,6 +2426,29 @@ AuthResolver = __decorate14([
   Meta({ layer: "plugin", order: 30 })
 ], AuthResolver);
 
+// src/auth/runAsUser.ts
+import { randomUUID } from "crypto";
+function runAsUser(container, user, fn) {
+  const requestId = `runAs:${randomUUID()}`;
+  const role = user.role ?? "user";
+  const store = {
+    requestId,
+    user,
+    role
+  };
+  if (user.permissions !== void 0) {
+    store.permissions = user.permissions;
+  }
+  return container.run(store, async () => {
+    try {
+      return await fn();
+    } finally {
+      await container.cleanupReq(requestId);
+    }
+  });
+}
+__name(runAsUser, "runAsUser");
+
 // src/auth/index.ts
 var AUTH_MODULE = [
   AuthService,
@@ -2434,7 +2520,7 @@ var __decorate15 = function(decorators, target, key, desc) {
 var __metadata15 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param4 = function(paramIndex, decorator) {
+var __param5 = function(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
   };
@@ -2455,8 +2541,8 @@ var RoleGuard = class RoleGuard2 {
   }
 };
 __decorate15([
-  __param4(0, GuardParams()),
-  __param4(1, User3("role")),
+  __param5(0, GuardParams()),
+  __param5(1, User3("role")),
   __metadata15("design:type", Function),
   __metadata15("design:paramtypes", [Object, String]),
   __metadata15("design:returntype", void 0)
@@ -2536,7 +2622,7 @@ var __decorate16 = function(decorators, target, key, desc) {
 var __metadata16 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param5 = function(paramIndex, decorator) {
+var __param6 = function(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
   };
@@ -2579,7 +2665,7 @@ __decorate16([
   isAdmin(),
   Validate2({ params: roleIdParam }),
   ResMsg2("roles.success.retrieved"),
-  __param5(0, Params()),
+  __param6(0, Params()),
   __metadata16("design:type", Function),
   __metadata16("design:paramtypes", [Object]),
   __metadata16("design:returntype", Promise)
@@ -2589,7 +2675,7 @@ __decorate16([
   isAdmin(),
   Validate2(createRoleDto),
   ResMsg2("roles.success.created"),
-  __param5(0, Body2()),
+  __param6(0, Body2()),
   __metadata16("design:type", Function),
   __metadata16("design:paramtypes", [Object]),
   __metadata16("design:returntype", Promise)
@@ -2602,8 +2688,8 @@ __decorate16([
     body: updateRoleDto
   }),
   ResMsg2("roles.success.updated"),
-  __param5(0, Params()),
-  __param5(1, Body2()),
+  __param6(0, Params()),
+  __param6(1, Body2()),
   __metadata16("design:type", Function),
   __metadata16("design:paramtypes", [Object, Object]),
   __metadata16("design:returntype", Promise)
@@ -2613,7 +2699,7 @@ __decorate16([
   isAdmin(),
   Validate2({ params: roleIdParam }),
   ResMsg2("roles.success.deleted"),
-  __param5(0, Params()),
+  __param6(0, Params()),
   __metadata16("design:type", Function),
   __metadata16("design:paramtypes", [Object]),
   __metadata16("design:returntype", Promise)
@@ -2634,7 +2720,7 @@ var __decorate17 = function(decorators, target, key, desc) {
 var __metadata17 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param6 = function(paramIndex, decorator) {
+var __param7 = function(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
   };
@@ -2707,7 +2793,7 @@ __decorate17([
   isAuth(),
   Validate3({ params: languageParam }),
   ResMsg3("users.success.updated"),
-  __param6(0, Params2()),
+  __param7(0, Params2()),
   __metadata17("design:type", Function),
   __metadata17("design:paramtypes", [Object]),
   __metadata17("design:returntype", Promise)
@@ -2717,7 +2803,7 @@ __decorate17([
   isAdmin(),
   Validate3({ params: userIdParam }),
   ResMsg3("users.success.retrieved"),
-  __param6(0, Params2()),
+  __param7(0, Params2()),
   __metadata17("design:type", Function),
   __metadata17("design:paramtypes", [Object]),
   __metadata17("design:returntype", Promise)
@@ -2727,7 +2813,7 @@ __decorate17([
   isAdmin(),
   Validate3({ params: emailParam }),
   ResMsg3("users.success.retrieved"),
-  __param6(0, Params2()),
+  __param7(0, Params2()),
   __metadata17("design:type", Function),
   __metadata17("design:paramtypes", [Object]),
   __metadata17("design:returntype", Promise)
@@ -2737,7 +2823,7 @@ __decorate17([
   isAdmin(),
   Validate3({ params: userIdInParam }),
   ResMsg3("users.success.retrieved"),
-  __param6(0, Params2()),
+  __param7(0, Params2()),
   __metadata17("design:type", Function),
   __metadata17("design:paramtypes", [Object]),
   __metadata17("design:returntype", Promise)
@@ -2747,7 +2833,7 @@ __decorate17([
   isAdmin(),
   Validate3(createUserDto),
   ResMsg3("users.success.created"),
-  __param6(0, Body3()),
+  __param7(0, Body3()),
   __metadata17("design:type", Function),
   __metadata17("design:paramtypes", [Object]),
   __metadata17("design:returntype", Promise)
@@ -2760,8 +2846,8 @@ __decorate17([
     body: updateUserDto
   }),
   ResMsg3("users.success.updated"),
-  __param6(0, Params2()),
-  __param6(1, Body3()),
+  __param7(0, Params2()),
+  __param7(1, Body3()),
   __metadata17("design:type", Function),
   __metadata17("design:paramtypes", [Object, Object]),
   __metadata17("design:returntype", Promise)
@@ -2771,7 +2857,7 @@ __decorate17([
   isAdmin(),
   Validate3({ params: userIdParam }),
   ResMsg3("users.success.deleted"),
-  __param6(0, Params2()),
+  __param7(0, Params2()),
   __metadata17("design:type", Function),
   __metadata17("design:paramtypes", [Object]),
   __metadata17("design:returntype", Promise)
@@ -2789,7 +2875,7 @@ __decorate17([
   isAdmin(),
   Validate3({ params: assignRoleParams }),
   ResMsg3("users.success.updated"),
-  __param6(0, Params2()),
+  __param7(0, Params2()),
   __metadata17("design:type", Function),
   __metadata17("design:paramtypes", [Object]),
   __metadata17("design:returntype", Promise)
@@ -2799,7 +2885,7 @@ __decorate17([
   isAdmin(),
   Validate3({ params: userIdInParam }),
   ResMsg3("users.success.updated"),
-  __param6(0, Params2()),
+  __param7(0, Params2()),
   __metadata17("design:type", Function),
   __metadata17("design:paramtypes", [Object]),
   __metadata17("design:returntype", Promise)
@@ -2827,7 +2913,7 @@ __export(permissions_exports, {
 
 // src/permissions/PermissionRepository.ts
 import { eq as eq5, and } from "drizzle-orm";
-import { Repository as Repository4, Inject as Inject9 } from "najm-core";
+import { Repository as Repository4, Inject as Inject10 } from "najm-core";
 import { DB as DB4 } from "najm-database";
 var __decorate18 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -2918,7 +3004,7 @@ __decorate18([
   __metadata18("design:type", Object)
 ], PermissionRepository.prototype, "db", void 0);
 __decorate18([
-  Inject9(AUTH_SCHEMA),
+  Inject10(AUTH_SCHEMA),
   __metadata18("design:type", Object)
 ], PermissionRepository.prototype, "schema", void 0);
 PermissionRepository = __decorate18([
@@ -2938,7 +3024,7 @@ var __decorate19 = function(decorators, target, key, desc) {
 var __metadata19 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param7 = function(paramIndex, decorator) {
+var __param8 = function(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
   };
@@ -2972,8 +3058,8 @@ var PermissionGuard = class PermissionGuard2 {
   }
 };
 __decorate19([
-  __param7(0, GuardParams2()),
-  __param7(1, User4("permissions")),
+  __param8(0, GuardParams2()),
+  __param8(1, User4("permissions")),
   __metadata19("design:type", Function),
   __metadata19("design:paramtypes", [String, Array]),
   __metadata19("design:returntype", Object)
@@ -3243,7 +3329,7 @@ var __decorate22 = function(decorators, target, key, desc) {
 var __metadata22 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param8 = function(paramIndex, decorator) {
+var __param9 = function(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
   };
@@ -3305,7 +3391,7 @@ __decorate22([
   Get4("/:id"),
   Validate4({ params: permissionIdParam }),
   ResMsg4("permissions.success.retrieved"),
-  __param8(0, Params3()),
+  __param9(0, Params3()),
   __metadata22("design:type", Function),
   __metadata22("design:paramtypes", [Object]),
   __metadata22("design:returntype", Promise)
@@ -3314,7 +3400,7 @@ __decorate22([
   Post4(),
   Validate4(createPermissionDto),
   ResMsg4({ message: "Permission created successfully", status: 201 }),
-  __param8(0, Body4()),
+  __param9(0, Body4()),
   __metadata22("design:type", Function),
   __metadata22("design:paramtypes", [Object]),
   __metadata22("design:returntype", Promise)
@@ -3326,8 +3412,8 @@ __decorate22([
     body: updatePermissionDto
   }),
   ResMsg4("permissions.success.updated"),
-  __param8(0, Params3()),
-  __param8(1, Body4()),
+  __param9(0, Params3()),
+  __param9(1, Body4()),
   __metadata22("design:type", Function),
   __metadata22("design:paramtypes", [Object, Object]),
   __metadata22("design:returntype", Promise)
@@ -3336,7 +3422,7 @@ __decorate22([
   Delete3("/:id"),
   Validate4({ params: permissionIdParam }),
   ResMsg4("permissions.success.deleted"),
-  __param8(0, Params3()),
+  __param9(0, Params3()),
   __metadata22("design:type", Function),
   __metadata22("design:paramtypes", [Object]),
   __metadata22("design:returntype", Promise)
@@ -3345,7 +3431,7 @@ __decorate22([
   Get4("/role/:id"),
   Validate4({ params: roleIdParam }),
   ResMsg4("permissions.success.retrieved"),
-  __param8(0, Params3()),
+  __param9(0, Params3()),
   __metadata22("design:type", Function),
   __metadata22("design:paramtypes", [Object]),
   __metadata22("design:returntype", Promise)
@@ -3354,7 +3440,7 @@ __decorate22([
   Get4("/roles/:id"),
   Validate4({ params: permissionIdParam }),
   ResMsg4("permissions.success.retrieved"),
-  __param8(0, Params3()),
+  __param9(0, Params3()),
   __metadata22("design:type", Function),
   __metadata22("design:paramtypes", [Object]),
   __metadata22("design:returntype", Promise)
@@ -3363,7 +3449,7 @@ __decorate22([
   Post4("/assign/:roleId/:permissionId"),
   Validate4({ params: assignPermissionDto }),
   ResMsg4("permissions.success.assigned"),
-  __param8(0, Params3()),
+  __param9(0, Params3()),
   __metadata22("design:type", Function),
   __metadata22("design:paramtypes", [Object]),
   __metadata22("design:returntype", Promise)
@@ -3372,7 +3458,7 @@ __decorate22([
   Delete3("/remove/:roleId/:permissionId"),
   Validate4({ params: assignPermissionDto }),
   ResMsg4("permissions.success.removed"),
-  __param8(0, Params3()),
+  __param9(0, Params3()),
   __metadata22("design:type", Function),
   __metadata22("design:paramtypes", [Object]),
   __metadata22("design:returntype", Promise)
@@ -3595,7 +3681,7 @@ function own(table, opts) {
 __name(own, "own");
 
 // src/ownership/configureOwnership.ts
-import { Injectable as Injectable11, Inject as Inject10, User as User5, Body as Body5, Params as Params4 } from "najm-core";
+import { Injectable as Injectable11, Inject as Inject11, User as User5, Body as Body5, Params as Params4 } from "najm-core";
 import { createGuard as createGuard5, composeGuards as composeGuards4 } from "najm-guard";
 var __decorate23 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -3606,7 +3692,7 @@ var __decorate23 = function(decorators, target, key, desc) {
 var __metadata23 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param9 = function(paramIndex, decorator) {
+var __param10 = function(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
   };
@@ -3636,12 +3722,12 @@ function createResourceGuards(ownershipClass, resourceType, resource, options) {
     }
   };
   __decorate23([
-    Inject10(ownershipClass),
+    Inject11(ownershipClass),
     __metadata23("design:type", Object)
   ], AccessGuard.prototype, "ownership", void 0);
   __decorate23([
-    __param9(0, User5()),
-    __param9(1, Params4("id")),
+    __param10(0, User5()),
+    __param10(1, Params4("id")),
     __metadata23("design:type", Function),
     __metadata23("design:paramtypes", [Object, String]),
     __metadata23("design:returntype", typeof (_a16 = typeof Promise !== "undefined" && Promise) === "function" ? _a16 : Object)
@@ -3660,11 +3746,11 @@ function createResourceGuards(ownershipClass, resourceType, resource, options) {
     }
   };
   __decorate23([
-    Inject10(ownershipClass),
+    Inject11(ownershipClass),
     __metadata23("design:type", Object)
   ], ListGuard.prototype, "ownership", void 0);
   __decorate23([
-    __param9(0, User5()),
+    __param10(0, User5()),
     __metadata23("design:type", Function),
     __metadata23("design:paramtypes", [Object]),
     __metadata23("design:returntype", typeof (_b8 = typeof Promise !== "undefined" && Promise) === "function" ? _b8 : Object)
@@ -3819,12 +3905,12 @@ function configureOwnership(config) {
       }
     };
     __decorate23([
-      Inject10(GeneratedOwnershipService),
+      Inject11(GeneratedOwnershipService),
       __metadata23("design:type", GeneratedOwnershipService)
     ], BodyAccessGuard.prototype, "ownership", void 0);
     __decorate23([
-      __param9(0, User5()),
-      __param9(1, Body5()),
+      __param10(0, User5()),
+      __param10(1, Body5()),
       __metadata23("design:type", Function),
       __metadata23("design:paramtypes", [Object, Object]),
       __metadata23("design:returntype", typeof (_a16 = typeof Promise !== "undefined" && Promise) === "function" ? _a16 : Object)
@@ -3945,7 +4031,7 @@ __name(Policy, "Policy");
 // src/ownership/OwnedDecorator.ts
 import "reflect-metadata";
 import { sql as sql5, and as and2 } from "drizzle-orm";
-import { Injectable as Injectable12, Inject as Inject11, DI as DI2, Container as Container2, REQUEST_ID } from "najm-core";
+import { Injectable as Injectable12, Inject as Inject12, DI as DI2, Container as Container2, REQUEST_ID } from "najm-core";
 import { USER as USER2 } from "najm-guard";
 var __decorate24 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -3999,7 +4085,7 @@ function Owned(token) {
   return function(target) {
     Reflect.defineMetadata(OWNED_META, token, target);
     const proto = target.prototype;
-    Inject11(ScopeContext)(proto, "_scopeCtx");
+    Inject12(ScopeContext)(proto, "_scopeCtx");
     function getUser(self) {
       return self._scopeCtx?.getUser() ?? null;
     }
@@ -4224,7 +4310,7 @@ var selectSchema = /* @__PURE__ */ __name((config) => {
       return authSchema;
   }
 }, "selectSchema");
-var auth = /* @__PURE__ */ __name((config) => plugin("auth").version("1.0.0").depends(cache(), cookies(), i18n(), guards(), validation(config?.validation), rateLimit(config?.rateLimit), email()).requires("database").contributes(I18N_CONTRIBUTIONS, AUTH_LOCALES).services(auth_exports, users_exports, roles_exports, permissions_exports, tokens_exports, ScopeContext).config(AUTH_CONFIG, mergeConfig(config)).set(AUTH_SCHEMA, selectSchema(config)).build(), "auth");
+var auth = /* @__PURE__ */ __name((config) => plugin("auth").version("1.0.0").depends(cache(), cookies(), i18n(), guards(), validation(config?.validation), rateLimit(config?.rateLimit), email()).requires("database").contributes(I18N_CONTRIBUTIONS, AUTH_LOCALES).services(auth_exports, users_exports, roles_exports, permissions_exports, tokens_exports, ScopeContext).config(AUTH_CONFIG, mergeConfig(config)).set(AUTH_SCHEMA, selectSchema(config)).set(AUTH_ENCRYPTION_KEY, config?.encryptionKey ?? null).build(), "auth");
 
 // src/seed.ts
 import { hash } from "bcryptjs";
@@ -4448,6 +4534,7 @@ export {
   roleIdParam,
   rolePermissionsTable,
   rolesTable,
+  runAsUser,
   seedAuthData,
   setConfiguredCookieName,
   tokenIdParam,

package/dist/schema/mysql.d.ts

@@ -159,6 +159,40 @@ declare const usersTable: drizzle_orm_mysql_core.MySqlTableWithColumns<{
             identity: undefined;
             generated: undefined;
         }, {}, {}>;
+        phone: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "phone";
+            tableName: "users";
+            dataType: "string";
+            columnType: "MySqlVarChar";
+            data: string;
+            driverParam: string | number;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        phoneVerified: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "phone_verified";
+            tableName: "users";
+            dataType: "boolean";
+            columnType: "MySqlBoolean";
+            data: boolean;
+            driverParam: number | boolean;
+            notNull: false;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
         password: drizzle_orm_mysql_core.MySqlColumn<{
             name: "password";
             tableName: "users";
@@ -792,6 +826,40 @@ declare const authSchema: {
                 identity: undefined;
                 generated: undefined;
             }, {}, {}>;
+            phone: drizzle_orm_mysql_core.MySqlColumn<{
+                name: "phone";
+                tableName: "users";
+                dataType: "string";
+                columnType: "MySqlVarChar";
+                data: string;
+                driverParam: string | number;
+                notNull: false;
+                hasDefault: false;
+                isPrimaryKey: false;
+                isAutoincrement: false;
+                hasRuntimeDefault: false;
+                enumValues: [string, ...string[]];
+                baseColumn: never;
+                identity: undefined;
+                generated: undefined;
+            }, {}, {}>;
+            phoneVerified: drizzle_orm_mysql_core.MySqlColumn<{
+                name: "phone_verified";
+                tableName: "users";
+                dataType: "boolean";
+                columnType: "MySqlBoolean";
+                data: boolean;
+                driverParam: number | boolean;
+                notNull: false;
+                hasDefault: true;
+                isPrimaryKey: false;
+                isAutoincrement: false;
+                hasRuntimeDefault: false;
+                enumValues: undefined;
+                baseColumn: never;
+                identity: undefined;
+                generated: undefined;
+            }, {}, {}>;
             password: drizzle_orm_mysql_core.MySqlColumn<{
                 name: "password";
                 tableName: "users";

package/dist/schema/mysql.js

@@ -27,6 +27,8 @@ var usersTable = mysqlTable("users", {
   name: varchar("name", { length: 255 }),
   email: varchar("email", { length: 255 }).notNull().unique(),
   emailVerified: boolean("email_verified").default(false),
+  phone: varchar("phone", { length: 255 }).unique(),
+  phoneVerified: boolean("phone_verified").default(false),
   password: varchar("password", { length: 255 }).notNull(),
   image: varchar("image", { length: 255 }).default("noavatar.png"),
   status: mysqlEnum("status", [...USER_STATUS]).default("pending"),

package/dist/schema/pg.d.ts

@@ -162,6 +162,40 @@ declare const usersTable: drizzle_orm_pg_core.PgTableWithColumns<{
             identity: undefined;
             generated: undefined;
         }, {}, {}>;
+        phone: drizzle_orm_pg_core.PgColumn<{
+            name: "phone";
+            tableName: "users";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        phoneVerified: drizzle_orm_pg_core.PgColumn<{
+            name: "phone_verified";
+            tableName: "users";
+            dataType: "boolean";
+            columnType: "PgBoolean";
+            data: boolean;
+            driverParam: boolean;
+            notNull: false;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
         password: drizzle_orm_pg_core.PgColumn<{
             name: "password";
             tableName: "users";
@@ -795,6 +829,40 @@ declare const authSchema: {
                 identity: undefined;
                 generated: undefined;
             }, {}, {}>;
+            phone: drizzle_orm_pg_core.PgColumn<{
+                name: "phone";
+                tableName: "users";
+                dataType: "string";
+                columnType: "PgText";
+                data: string;
+                driverParam: string;
+                notNull: false;
+                hasDefault: false;
+                isPrimaryKey: false;
+                isAutoincrement: false;
+                hasRuntimeDefault: false;
+                enumValues: [string, ...string[]];
+                baseColumn: never;
+                identity: undefined;
+                generated: undefined;
+            }, {}, {}>;
+            phoneVerified: drizzle_orm_pg_core.PgColumn<{
+                name: "phone_verified";
+                tableName: "users";
+                dataType: "boolean";
+                columnType: "PgBoolean";
+                data: boolean;
+                driverParam: boolean;
+                notNull: false;
+                hasDefault: true;
+                isPrimaryKey: false;
+                isAutoincrement: false;
+                hasRuntimeDefault: false;
+                enumValues: undefined;
+                baseColumn: never;
+                identity: undefined;
+                generated: undefined;
+            }, {}, {}>;
             password: drizzle_orm_pg_core.PgColumn<{
                 name: "password";
                 tableName: "users";

package/dist/schema/pg.js

@@ -30,6 +30,8 @@ var usersTable = pgTable("users", {
   name: text("name"),
   email: text("email").notNull().unique(),
   emailVerified: boolean("email_verified").default(false),
+  phone: text("phone").unique(),
+  phoneVerified: boolean("phone_verified").default(false),
   password: text("password").notNull(),
   image: text("image").default("noavatar.png"),
   status: userStatusEnum("status").default("pending"),

package/dist/schema/sqlite.d.ts

@@ -173,6 +173,42 @@ declare const usersTable: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
             identity: undefined;
             generated: undefined;
         }, {}, {}>;
+        phone: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "phone";
+            tableName: "users";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number;
+        }>;
+        phoneVerified: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "phone_verified";
+            tableName: "users";
+            dataType: "boolean";
+            columnType: "SQLiteBoolean";
+            data: boolean;
+            driverParam: number;
+            notNull: false;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
         password: drizzle_orm_sqlite_core.SQLiteColumn<{
             name: "password";
             tableName: "users";
@@ -913,6 +949,42 @@ declare const authSchema: {
                 identity: undefined;
                 generated: undefined;
             }, {}, {}>;
+            phone: drizzle_orm_sqlite_core.SQLiteColumn<{
+                name: "phone";
+                tableName: "users";
+                dataType: "string";
+                columnType: "SQLiteText";
+                data: string;
+                driverParam: string;
+                notNull: false;
+                hasDefault: false;
+                isPrimaryKey: false;
+                isAutoincrement: false;
+                hasRuntimeDefault: false;
+                enumValues: [string, ...string[]];
+                baseColumn: never;
+                identity: undefined;
+                generated: undefined;
+            }, {}, {
+                length: number;
+            }>;
+            phoneVerified: drizzle_orm_sqlite_core.SQLiteColumn<{
+                name: "phone_verified";
+                tableName: "users";
+                dataType: "boolean";
+                columnType: "SQLiteBoolean";
+                data: boolean;
+                driverParam: number;
+                notNull: false;
+                hasDefault: true;
+                isPrimaryKey: false;
+                isAutoincrement: false;
+                hasRuntimeDefault: false;
+                enumValues: undefined;
+                baseColumn: never;
+                identity: undefined;
+                generated: undefined;
+            }, {}, {}>;
             password: drizzle_orm_sqlite_core.SQLiteColumn<{
                 name: "password";
                 tableName: "users";

package/dist/schema/sqlite.js

@@ -20,6 +20,8 @@ var usersTable = sqliteTable("users", {
   name: text("name"),
   email: text("email").notNull().unique(),
   emailVerified: integer("email_verified", { mode: "boolean" }).default(false),
+  phone: text("phone").unique(),
+  phoneVerified: integer("phone_verified", { mode: "boolean" }).default(false),
   password: text("password").notNull(),
   image: text("image").default("noavatar.png"),
   status: text("status").$type().default("pending"),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "najm-auth",
-  "version": "1.1.31",
+  "version": "1.1.33",
   "description": "Authentication and authorization library for najm framework",
   "type": "module",
   "files": [
@@ -73,15 +73,15 @@
   },
   "dependencies": {
     "bcryptjs": "^3.0.2",
-    "najm-cookies": "^1.1.6",
-    "najm-core": "^1.2.3",
-    "najm-database": "^1.1.7",
-    "najm-guard": "^1.1.6",
-    "najm-i18n": "^1.1.6",
-    "najm-cache": "^1.2.3",
-    "najm-email": "^1.1.6",
-    "najm-rate": "^1.1.6",
-    "najm-validation": "^1.1.7",
+    "najm-cookies": "^1.1.7",
+    "najm-core": "^1.2.4",
+    "najm-database": "^1.1.8",
+    "najm-guard": "^1.1.7",
+    "najm-i18n": "^1.1.7",
+    "najm-cache": "^1.2.4",
+    "najm-email": "^1.1.7",
+    "najm-rate": "^1.1.7",
+    "najm-validation": "^1.1.8",
     "hono": "^4.0.0",
     "jsonwebtoken": "^9.0.3",
     "lodash.isempty": "^4.4.0",