tychat-contracts 1.4.8 → 1.5.0

package/dist/auth/auth-kafka.payloads.d.ts

@@ -3,6 +3,16 @@ import { RefreshTokenDto } from './refresh-token.dto';
 export declare class LoginPayload extends LoginDto {
     tenant: string;
 }
+/** Segundo passo do login quando 2FA está ativo (RMQ/Kafka → auth-service). */
+export declare class Login2faPayload {
+    tenant: string;
+    pre_auth_token: string;
+    totp: string;
+    device_name?: string;
+    device_type?: 'web' | 'mobile' | 'api';
+    ip_address?: string | null;
+    location?: string | null;
+}
 export declare class ValidatePayload {
     tenant: string;
     access_token: string;

package/dist/auth/auth-kafka.payloads.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/auth/auth-kafka.payloads.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,qBAAa,YAAa,SAAQ,QAAQ;IAKxC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,cAAe,SAAQ,eAAe;IAKjD,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,2FAA2F;AAC3F,qBAAa,iBAAiB;IAK5B,MAAM,EAAE,MAAM,CAAC;IAQf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;IAMrB,QAAQ,EAAE,MAAM,CAAC;CAClB"}
+{"version":3,"file":"auth-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/auth/auth-kafka.payloads.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,qBAAa,YAAa,SAAQ,QAAQ;IAKxC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,+EAA+E;AAC/E,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAKf,cAAc,EAAE,MAAM,CAAC;IAKvB,IAAI,EAAE,MAAM,CAAC;IAMb,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,WAAW,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,KAAK,CAAC;IAMvC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAM3B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,cAAe,SAAQ,eAAe;IAKjD,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,2FAA2F;AAC3F,qBAAa,iBAAiB;IAK5B,MAAM,EAAE,MAAM,CAAC;IAQf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;IAMrB,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/auth/auth-kafka.payloads.js

@@ -9,7 +9,7 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.LoginPayload = void 0;
+exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.Login2faPayload = exports.LoginPayload = void 0;
 const swagger_1 = require("@nestjs/swagger");
 const class_validator_1 = require("class-validator");
 const login_dto_1 = require("./login.dto");
@@ -25,6 +25,63 @@ __decorate([
     (0, class_validator_1.MaxLength)(255),
     __metadata("design:type", String)
 ], LoginPayload.prototype, "tenant", void 0);
+/** Segundo passo do login quando 2FA está ativo (RMQ/Kafka → auth-service). */
+class Login2faPayload {
+    tenant;
+    pre_auth_token;
+    totp;
+    device_name;
+    device_type;
+    ip_address;
+    location;
+}
+exports.Login2faPayload = Login2faPayload;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'ID do tenant', example: 'tenant1' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'tenant não pode ser vazio' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], Login2faPayload.prototype, "tenant", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'JWT pre_2fa do primeiro passo' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'pre_auth_token não pode ser vazio' }),
+    __metadata("design:type", String)
+], Login2faPayload.prototype, "pre_auth_token", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Código TOTP de 6 dígitos' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' }),
+    __metadata("design:type", String)
+], Login2faPayload.prototype, "totp", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({ example: 'Chrome — Windows' }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], Login2faPayload.prototype, "device_name", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({ enum: ['web', 'mobile', 'api'] }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsIn)(['web', 'mobile', 'api']),
+    __metadata("design:type", String)
+], Login2faPayload.prototype, "device_type", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MaxLength)(64),
+    __metadata("design:type", Object)
+], Login2faPayload.prototype, "ip_address", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", Object)
+], Login2faPayload.prototype, "location", void 0);
 class ValidatePayload {
     tenant;
     access_token;

package/dist/auth/auth-login-response.dto.d.ts

@@ -1,6 +1,8 @@
 export declare class AuthLoginResponseDto {
-    access_token: string;
-    refresh_token: string;
-    force_change_password: boolean;
+    two_factor_required: boolean;
+    pre_auth_token?: string;
+    access_token?: string;
+    refresh_token?: string;
+    force_change_password?: boolean;
 }
 //# sourceMappingURL=auth-login-response.dto.d.ts.map

package/dist/auth/auth-login-response.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-login-response.dto.d.ts","sourceRoot":"","sources":["../../src/auth/auth-login-response.dto.ts"],"names":[],"mappings":"AAEA,qBAAa,oBAAoB;IAE/B,YAAY,EAAE,MAAM,CAAC;IAGrB,aAAa,EAAE,MAAM,CAAC;IAMtB,qBAAqB,EAAE,OAAO,CAAC;CAChC"}
+{"version":3,"file":"auth-login-response.dto.d.ts","sourceRoot":"","sources":["../../src/auth/auth-login-response.dto.ts"],"names":[],"mappings":"AAEA,qBAAa,oBAAoB;IAK/B,mBAAmB,EAAE,OAAO,CAAC;IAK7B,cAAc,CAAC,EAAE,MAAM,CAAC;IAGxB,YAAY,CAAC,EAAE,MAAM,CAAC;IAGtB,aAAa,CAAC,EAAE,MAAM,CAAC;IAMvB,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC"}

package/dist/auth/auth-login-response.dto.js

@@ -12,21 +12,35 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthLoginResponseDto = void 0;
 const swagger_1 = require("@nestjs/swagger");
 class AuthLoginResponseDto {
+    two_factor_required;
+    pre_auth_token;
     access_token;
     refresh_token;
     force_change_password;
 }
 exports.AuthLoginResponseDto = AuthLoginResponseDto;
 __decorate([
-    (0, swagger_1.ApiProperty)({ description: 'Token de acesso JWT' }),
+    (0, swagger_1.ApiProperty)({
+        description: 'Se true, o cliente deve enviar pre_auth_token e código TOTP em POST /auth/login-2fa (ou login-health-2fa)',
+    }),
+    __metadata("design:type", Boolean)
+], AuthLoginResponseDto.prototype, "two_factor_required", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'JWT de curta duração; presente quando two_factor_required é true',
+    }),
+    __metadata("design:type", String)
+], AuthLoginResponseDto.prototype, "pre_auth_token", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({ description: 'Presente quando two_factor_required é false' }),
     __metadata("design:type", String)
 ], AuthLoginResponseDto.prototype, "access_token", void 0);
 __decorate([
-    (0, swagger_1.ApiProperty)({ description: 'Token de refresh JWT' }),
+    (0, swagger_1.ApiPropertyOptional)({ description: 'Presente quando two_factor_required é false' }),
     __metadata("design:type", String)
 ], AuthLoginResponseDto.prototype, "refresh_token", void 0);
 __decorate([
-    (0, swagger_1.ApiProperty)({
+    (0, swagger_1.ApiPropertyOptional)({
         description: 'Indica se o usuário deve alterar a senha no primeiro acesso',
         example: true,
     }),

package/dist/auth/index.d.ts

@@ -1,7 +1,9 @@
 export { LoginDto } from './login.dto';
-export { LoginPayload, ValidatePayload, RefreshPayload, GetProfilePayload, RequestPasswordResetPayload, ConfirmPasswordResetPayload, } from './auth-kafka.payloads';
+export { LoginPayload, Login2faPayload, ValidatePayload, RefreshPayload, GetProfilePayload, RequestPasswordResetPayload, ConfirmPasswordResetPayload, } from './auth-kafka.payloads';
 export { RefreshTokenDto } from './refresh-token.dto';
 export { RequestPasswordResetDto } from './request-password-reset.dto';
 export { ConfirmPasswordResetDto } from './confirm-password-reset.dto';
 export { AuthLoginResponseDto } from './auth-login-response.dto';
+export { Login2faDto } from './login-2fa.dto';
+export { TotpSetupConfirmDto, TotpDisableDto, TotpSetupStartResponseDto, } from './totp-user.dto';
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,2BAA2B,EAC3B,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,2BAA2B,EAC3B,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC"}

package/dist/auth/index.js

@@ -1,10 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthLoginResponseDto = exports.ConfirmPasswordResetDto = exports.RequestPasswordResetDto = exports.RefreshTokenDto = exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.LoginPayload = exports.LoginDto = void 0;
+exports.TotpSetupStartResponseDto = exports.TotpDisableDto = exports.TotpSetupConfirmDto = exports.Login2faDto = exports.AuthLoginResponseDto = exports.ConfirmPasswordResetDto = exports.RequestPasswordResetDto = exports.RefreshTokenDto = exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.Login2faPayload = exports.LoginPayload = exports.LoginDto = void 0;
 var login_dto_1 = require("./login.dto");
 Object.defineProperty(exports, "LoginDto", { enumerable: true, get: function () { return login_dto_1.LoginDto; } });
 var auth_kafka_payloads_1 = require("./auth-kafka.payloads");
 Object.defineProperty(exports, "LoginPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.LoginPayload; } });
+Object.defineProperty(exports, "Login2faPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.Login2faPayload; } });
 Object.defineProperty(exports, "ValidatePayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.ValidatePayload; } });
 Object.defineProperty(exports, "RefreshPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.RefreshPayload; } });
 Object.defineProperty(exports, "GetProfilePayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.GetProfilePayload; } });
@@ -18,3 +19,9 @@ var confirm_password_reset_dto_1 = require("./confirm-password-reset.dto");
 Object.defineProperty(exports, "ConfirmPasswordResetDto", { enumerable: true, get: function () { return confirm_password_reset_dto_1.ConfirmPasswordResetDto; } });
 var auth_login_response_dto_1 = require("./auth-login-response.dto");
 Object.defineProperty(exports, "AuthLoginResponseDto", { enumerable: true, get: function () { return auth_login_response_dto_1.AuthLoginResponseDto; } });
+var login_2fa_dto_1 = require("./login-2fa.dto");
+Object.defineProperty(exports, "Login2faDto", { enumerable: true, get: function () { return login_2fa_dto_1.Login2faDto; } });
+var totp_user_dto_1 = require("./totp-user.dto");
+Object.defineProperty(exports, "TotpSetupConfirmDto", { enumerable: true, get: function () { return totp_user_dto_1.TotpSetupConfirmDto; } });
+Object.defineProperty(exports, "TotpDisableDto", { enumerable: true, get: function () { return totp_user_dto_1.TotpDisableDto; } });
+Object.defineProperty(exports, "TotpSetupStartResponseDto", { enumerable: true, get: function () { return totp_user_dto_1.TotpSetupStartResponseDto; } });

package/dist/auth/login-2fa.dto.d.ts

@@ -0,0 +1,5 @@
+export declare class Login2faDto {
+    pre_auth_token: string;
+    totp: string;
+}
+//# sourceMappingURL=login-2fa.dto.d.ts.map

package/dist/auth/login-2fa.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-2fa.dto.d.ts","sourceRoot":"","sources":["../../src/auth/login-2fa.dto.ts"],"names":[],"mappings":"AAGA,qBAAa,WAAW;IAItB,cAAc,EAAE,MAAM,CAAC;IAKvB,IAAI,EAAE,MAAM,CAAC;CACd"}

package/dist/auth/login-2fa.dto.js

@@ -0,0 +1,31 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Login2faDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+const class_validator_1 = require("class-validator");
+class Login2faDto {
+    pre_auth_token;
+    totp;
+}
+exports.Login2faDto = Login2faDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'JWT retornado no primeiro passo do login (two_factor_required)' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'pre_auth_token não pode ser vazio' }),
+    __metadata("design:type", String)
+], Login2faDto.prototype, "pre_auth_token", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Código TOTP de 6 dígitos do aplicativo autenticador' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' }),
+    __metadata("design:type", String)
+], Login2faDto.prototype, "totp", void 0);

package/dist/auth/totp-user.dto.d.ts

@@ -0,0 +1,12 @@
+export declare class TotpSetupConfirmDto {
+    totp: string;
+}
+export declare class TotpDisableDto {
+    current_password: string;
+    totp: string;
+}
+export declare class TotpSetupStartResponseDto {
+    otpauth_url: string;
+    secret_base32: string;
+}
+//# sourceMappingURL=totp-user.dto.d.ts.map

package/dist/auth/totp-user.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp-user.dto.d.ts","sourceRoot":"","sources":["../../src/auth/totp-user.dto.ts"],"names":[],"mappings":"AAGA,qBAAa,mBAAmB;IAI9B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qBAAa,cAAc;IAIzB,gBAAgB,EAAE,MAAM,CAAC;IAKzB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qBAAa,yBAAyB;IAEpC,WAAW,EAAE,MAAM,CAAC;IAGpB,aAAa,EAAE,MAAM,CAAC;CACvB"}

package/dist/auth/totp-user.dto.js

@@ -0,0 +1,54 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TotpSetupStartResponseDto = exports.TotpDisableDto = exports.TotpSetupConfirmDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+const class_validator_1 = require("class-validator");
+class TotpSetupConfirmDto {
+    totp;
+}
+exports.TotpSetupConfirmDto = TotpSetupConfirmDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Código TOTP de 6 dígitos para confirmar o pareamento' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' }),
+    __metadata("design:type", String)
+], TotpSetupConfirmDto.prototype, "totp", void 0);
+class TotpDisableDto {
+    current_password;
+    totp;
+}
+exports.TotpDisableDto = TotpDisableDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Senha atual do utilizador' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'current_password não pode ser vazio' }),
+    __metadata("design:type", String)
+], TotpDisableDto.prototype, "current_password", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Código TOTP atual de 6 dígitos' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' }),
+    __metadata("design:type", String)
+], TotpDisableDto.prototype, "totp", void 0);
+class TotpSetupStartResponseDto {
+    otpauth_url;
+    secret_base32;
+}
+exports.TotpSetupStartResponseDto = TotpSetupStartResponseDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'URI otpauth para QR code' }),
+    __metadata("design:type", String)
+], TotpSetupStartResponseDto.prototype, "otpauth_url", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Segredo em Base32 para entrada manual' }),
+    __metadata("design:type", String)
+], TotpSetupStartResponseDto.prototype, "secret_base32", void 0);

package/dist/configurations/configuration-tenant-summary.dto.d.ts

@@ -15,7 +15,7 @@ export declare class ConfigurationTenantSummaryDto {
     plan: PlanSummaryDto | null;
     limits: TenantLimitsSummaryDto | null;
     storageUsage: TenantStorageUsageSummaryDto | null;
-    aiTokenState: TenantAiTokenStateDto | null;
+    aiTokenState?: TenantAiTokenStateDto | null;
     conversationEffectiveLimitBytes?: string;
     clinicEffectiveLimitBytes?: string;
     extraStorageCharge?: number;

package/dist/configurations/configuration-tenant-summary.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"configuration-tenant-summary.dto.d.ts","sourceRoot":"","sources":["../../src/configurations/configuration-tenant-summary.dto.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAC;AAC7E,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAElF;;GAEG;AACH,qBAAa,6BAA6B;IAExC,IAAI,EAAE,MAAM,CAAC;IAGb,IAAI,EAAE,MAAM,CAAC;IAGb,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAGxB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAGzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAGxB,MAAM,EAAE,QAAQ,GAAG,UAAU,CAAC;IAO9B,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAO5B,MAAM,EAAE,sBAAsB,GAAG,IAAI,CAAC;IAOtC,YAAY,EAAE,4BAA4B,GAAG,IAAI,CAAC;IAOlD,YAAY,EAAE,qBAAqB,GAAG,IAAI,CAAC;IAG3C,+BAA+B,CAAC,EAAE,MAAM,CAAC;IAGzC,yBAAyB,CAAC,EAAE,MAAM,CAAC;IAKnC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAK5B,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B"}
+{"version":3,"file":"configuration-tenant-summary.dto.d.ts","sourceRoot":"","sources":["../../src/configurations/configuration-tenant-summary.dto.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAC;AAC7E,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAElF;;GAEG;AACH,qBAAa,6BAA6B;IAExC,IAAI,EAAE,MAAM,CAAC;IAGb,IAAI,EAAE,MAAM,CAAC;IAGb,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAGxB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAGzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAGxB,MAAM,EAAE,QAAQ,GAAG,UAAU,CAAC;IAO9B,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAO5B,MAAM,EAAE,sBAAsB,GAAG,IAAI,CAAC;IAOtC,YAAY,EAAE,4BAA4B,GAAG,IAAI,CAAC;IAOlD,YAAY,CAAC,EAAE,qBAAqB,GAAG,IAAI,CAAC;IAG5C,+BAA+B,CAAC,EAAE,MAAM,CAAC;IAGzC,yBAAyB,CAAC,EAAE,MAAM,CAAC;IAKnC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAK5B,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tychat-contracts",
-  "version": "1.4.8",
+  "version": "1.5.0",
   "description": "DTOs compartilhados com class-validator (API e microserviços)",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/auth/auth-kafka.payloads.ts

@@ -1,5 +1,5 @@
-import { ApiProperty } from '@nestjs/swagger';
-import { IsString, IsUUID, MaxLength, MinLength } from 'class-validator';
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
+import { IsIn, IsOptional, IsString, IsUUID, Matches, MaxLength, MinLength } from 'class-validator';
 import { LoginDto } from './login.dto';
 import { RefreshTokenDto } from './refresh-token.dto';
 
@@ -11,6 +11,48 @@ export class LoginPayload extends LoginDto {
   tenant: string;
 }
 
+/** Segundo passo do login quando 2FA está ativo (RMQ/Kafka → auth-service). */
+export class Login2faPayload {
+  @ApiProperty({ description: 'ID do tenant', example: 'tenant1' })
+  @IsString()
+  @MinLength(1, { message: 'tenant não pode ser vazio' })
+  @MaxLength(255)
+  tenant: string;
+
+  @ApiProperty({ description: 'JWT pre_2fa do primeiro passo' })
+  @IsString()
+  @MinLength(1, { message: 'pre_auth_token não pode ser vazio' })
+  pre_auth_token: string;
+
+  @ApiProperty({ description: 'Código TOTP de 6 dígitos' })
+  @IsString()
+  @Matches(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' })
+  totp: string;
+
+  @ApiPropertyOptional({ example: 'Chrome — Windows' })
+  @IsOptional()
+  @IsString()
+  @MaxLength(255)
+  device_name?: string;
+
+  @ApiPropertyOptional({ enum: ['web', 'mobile', 'api'] })
+  @IsOptional()
+  @IsIn(['web', 'mobile', 'api'])
+  device_type?: 'web' | 'mobile' | 'api';
+
+  @ApiPropertyOptional()
+  @IsOptional()
+  @IsString()
+  @MaxLength(64)
+  ip_address?: string | null;
+
+  @ApiPropertyOptional()
+  @IsOptional()
+  @IsString()
+  @MaxLength(255)
+  location?: string | null;
+}
+
 export class ValidatePayload {
   @ApiProperty({ description: 'ID do tenant', example: 'tenant1' })
   @IsString()

package/src/auth/auth-login-response.dto.ts

@@ -1,15 +1,26 @@
-import { ApiProperty } from '@nestjs/swagger';
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
 
 export class AuthLoginResponseDto {
-  @ApiProperty({ description: 'Token de acesso JWT' })
-  access_token: string;
+  @ApiProperty({
+    description:
+      'Se true, o cliente deve enviar pre_auth_token e código TOTP em POST /auth/login-2fa (ou login-health-2fa)',
+  })
+  two_factor_required: boolean;
+
+  @ApiPropertyOptional({
+    description: 'JWT de curta duração; presente quando two_factor_required é true',
+  })
+  pre_auth_token?: string;
 
-  @ApiProperty({ description: 'Token de refresh JWT' })
-  refresh_token: string;
+  @ApiPropertyOptional({ description: 'Presente quando two_factor_required é false' })
+  access_token?: string;
 
-  @ApiProperty({
+  @ApiPropertyOptional({ description: 'Presente quando two_factor_required é false' })
+  refresh_token?: string;
+
+  @ApiPropertyOptional({
     description: 'Indica se o usuário deve alterar a senha no primeiro acesso',
     example: true,
   })
-  force_change_password: boolean;
+  force_change_password?: boolean;
 }

package/src/auth/index.ts

@@ -1,6 +1,7 @@
 export { LoginDto } from './login.dto';
 export {
   LoginPayload,
+  Login2faPayload,
   ValidatePayload,
   RefreshPayload,
   GetProfilePayload,
@@ -11,3 +12,9 @@ export { RefreshTokenDto } from './refresh-token.dto';
 export { RequestPasswordResetDto } from './request-password-reset.dto';
 export { ConfirmPasswordResetDto } from './confirm-password-reset.dto';
 export { AuthLoginResponseDto } from './auth-login-response.dto';
+export { Login2faDto } from './login-2fa.dto';
+export {
+  TotpSetupConfirmDto,
+  TotpDisableDto,
+  TotpSetupStartResponseDto,
+} from './totp-user.dto';

package/src/auth/login-2fa.dto.ts

@@ -0,0 +1,14 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, Matches, MinLength } from 'class-validator';
+
+export class Login2faDto {
+  @ApiProperty({ description: 'JWT retornado no primeiro passo do login (two_factor_required)' })
+  @IsString()
+  @MinLength(1, { message: 'pre_auth_token não pode ser vazio' })
+  pre_auth_token: string;
+
+  @ApiProperty({ description: 'Código TOTP de 6 dígitos do aplicativo autenticador' })
+  @IsString()
+  @Matches(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' })
+  totp: string;
+}

package/src/auth/totp-user.dto.ts

@@ -0,0 +1,29 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, Matches, MinLength } from 'class-validator';
+
+export class TotpSetupConfirmDto {
+  @ApiProperty({ description: 'Código TOTP de 6 dígitos para confirmar o pareamento' })
+  @IsString()
+  @Matches(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' })
+  totp: string;
+}
+
+export class TotpDisableDto {
+  @ApiProperty({ description: 'Senha atual do utilizador' })
+  @IsString()
+  @MinLength(1, { message: 'current_password não pode ser vazio' })
+  current_password: string;
+
+  @ApiProperty({ description: 'Código TOTP atual de 6 dígitos' })
+  @IsString()
+  @Matches(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' })
+  totp: string;
+}
+
+export class TotpSetupStartResponseDto {
+  @ApiProperty({ description: 'URI otpauth para QR code' })
+  otpauth_url: string;
+
+  @ApiProperty({ description: 'Segredo em Base32 para entrada manual' })
+  secret_base32: string;
+}

package/src/configurations/configuration-tenant-summary.dto.ts

@@ -52,7 +52,7 @@ export class ConfigurationTenantSummaryDto {
     type: () => TenantAiTokenStateDto,
     nullable: true,
   })
-  aiTokenState: TenantAiTokenStateDto | null;
+  aiTokenState?: TenantAiTokenStateDto | null;
 
   @ApiPropertyOptional({ description: 'Limite efetivo de conversas em bytes (plano + extras)' })
   conversationEffectiveLimitBytes?: string;