tychat-contracts 1.4.9 → 1.5.1

package/dist/auth/auth-kafka.payloads.d.ts

@@ -3,6 +3,16 @@ import { RefreshTokenDto } from './refresh-token.dto';
 export declare class LoginPayload extends LoginDto {
     tenant: string;
 }
+/** Segundo passo do login quando 2FA está ativo (RMQ/Kafka → auth-service). */
+export declare class Login2faPayload {
+    tenant: string;
+    pre_auth_token: string;
+    totp: string;
+    device_name?: string;
+    device_type?: 'web' | 'mobile' | 'api';
+    ip_address?: string | null;
+    location?: string | null;
+}
 export declare class ValidatePayload {
     tenant: string;
     access_token: string;

package/dist/auth/auth-kafka.payloads.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/auth/auth-kafka.payloads.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,qBAAa,YAAa,SAAQ,QAAQ;IAKxC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,cAAe,SAAQ,eAAe;IAKjD,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,2FAA2F;AAC3F,qBAAa,iBAAiB;IAK5B,MAAM,EAAE,MAAM,CAAC;IAQf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;IAMrB,QAAQ,EAAE,MAAM,CAAC;CAClB"}
+{"version":3,"file":"auth-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/auth/auth-kafka.payloads.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,qBAAa,YAAa,SAAQ,QAAQ;IAKxC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,+EAA+E;AAC/E,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAKf,cAAc,EAAE,MAAM,CAAC;IAKvB,IAAI,EAAE,MAAM,CAAC;IAMb,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,WAAW,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,KAAK,CAAC;IAMvC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAM3B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,cAAe,SAAQ,eAAe;IAKjD,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,2FAA2F;AAC3F,qBAAa,iBAAiB;IAK5B,MAAM,EAAE,MAAM,CAAC;IAQf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;IAMrB,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/auth/auth-kafka.payloads.js

@@ -9,7 +9,7 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.LoginPayload = void 0;
+exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.Login2faPayload = exports.LoginPayload = void 0;
 const swagger_1 = require("@nestjs/swagger");
 const class_validator_1 = require("class-validator");
 const login_dto_1 = require("./login.dto");
@@ -25,6 +25,63 @@ __decorate([
     (0, class_validator_1.MaxLength)(255),
     __metadata("design:type", String)
 ], LoginPayload.prototype, "tenant", void 0);
+/** Segundo passo do login quando 2FA está ativo (RMQ/Kafka → auth-service). */
+class Login2faPayload {
+    tenant;
+    pre_auth_token;
+    totp;
+    device_name;
+    device_type;
+    ip_address;
+    location;
+}
+exports.Login2faPayload = Login2faPayload;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'ID do tenant', example: 'tenant1' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'tenant não pode ser vazio' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], Login2faPayload.prototype, "tenant", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'JWT pre_2fa do primeiro passo' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'pre_auth_token não pode ser vazio' }),
+    __metadata("design:type", String)
+], Login2faPayload.prototype, "pre_auth_token", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Código TOTP de 6 dígitos' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' }),
+    __metadata("design:type", String)
+], Login2faPayload.prototype, "totp", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({ example: 'Chrome — Windows' }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], Login2faPayload.prototype, "device_name", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({ enum: ['web', 'mobile', 'api'] }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsIn)(['web', 'mobile', 'api']),
+    __metadata("design:type", String)
+], Login2faPayload.prototype, "device_type", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MaxLength)(64),
+    __metadata("design:type", Object)
+], Login2faPayload.prototype, "ip_address", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", Object)
+], Login2faPayload.prototype, "location", void 0);
 class ValidatePayload {
     tenant;
     access_token;

package/dist/auth/auth-login-response.dto.d.ts

@@ -1,6 +1,8 @@
 export declare class AuthLoginResponseDto {
-    access_token: string;
-    refresh_token: string;
-    force_change_password: boolean;
+    two_factor_required: boolean;
+    pre_auth_token?: string;
+    access_token?: string;
+    refresh_token?: string;
+    force_change_password?: boolean;
 }
 //# sourceMappingURL=auth-login-response.dto.d.ts.map

package/dist/auth/auth-login-response.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-login-response.dto.d.ts","sourceRoot":"","sources":["../../src/auth/auth-login-response.dto.ts"],"names":[],"mappings":"AAEA,qBAAa,oBAAoB;IAE/B,YAAY,EAAE,MAAM,CAAC;IAGrB,aAAa,EAAE,MAAM,CAAC;IAMtB,qBAAqB,EAAE,OAAO,CAAC;CAChC"}
+{"version":3,"file":"auth-login-response.dto.d.ts","sourceRoot":"","sources":["../../src/auth/auth-login-response.dto.ts"],"names":[],"mappings":"AAEA,qBAAa,oBAAoB;IAK/B,mBAAmB,EAAE,OAAO,CAAC;IAK7B,cAAc,CAAC,EAAE,MAAM,CAAC;IAGxB,YAAY,CAAC,EAAE,MAAM,CAAC;IAGtB,aAAa,CAAC,EAAE,MAAM,CAAC;IAMvB,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC"}

package/dist/auth/auth-login-response.dto.js

@@ -12,21 +12,35 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthLoginResponseDto = void 0;
 const swagger_1 = require("@nestjs/swagger");
 class AuthLoginResponseDto {
+    two_factor_required;
+    pre_auth_token;
     access_token;
     refresh_token;
     force_change_password;
 }
 exports.AuthLoginResponseDto = AuthLoginResponseDto;
 __decorate([
-    (0, swagger_1.ApiProperty)({ description: 'Token de acesso JWT' }),
+    (0, swagger_1.ApiProperty)({
+        description: 'Se true, o cliente deve enviar pre_auth_token e código TOTP em POST /auth/login-2fa (ou login-health-2fa)',
+    }),
+    __metadata("design:type", Boolean)
+], AuthLoginResponseDto.prototype, "two_factor_required", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'JWT de curta duração; presente quando two_factor_required é true',
+    }),
+    __metadata("design:type", String)
+], AuthLoginResponseDto.prototype, "pre_auth_token", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({ description: 'Presente quando two_factor_required é false' }),
     __metadata("design:type", String)
 ], AuthLoginResponseDto.prototype, "access_token", void 0);
 __decorate([
-    (0, swagger_1.ApiProperty)({ description: 'Token de refresh JWT' }),
+    (0, swagger_1.ApiPropertyOptional)({ description: 'Presente quando two_factor_required é false' }),
     __metadata("design:type", String)
 ], AuthLoginResponseDto.prototype, "refresh_token", void 0);
 __decorate([
-    (0, swagger_1.ApiProperty)({
+    (0, swagger_1.ApiPropertyOptional)({
         description: 'Indica se o usuário deve alterar a senha no primeiro acesso',
         example: true,
     }),

package/dist/auth/index.d.ts

@@ -1,7 +1,9 @@
 export { LoginDto } from './login.dto';
-export { LoginPayload, ValidatePayload, RefreshPayload, GetProfilePayload, RequestPasswordResetPayload, ConfirmPasswordResetPayload, } from './auth-kafka.payloads';
+export { LoginPayload, Login2faPayload, ValidatePayload, RefreshPayload, GetProfilePayload, RequestPasswordResetPayload, ConfirmPasswordResetPayload, } from './auth-kafka.payloads';
 export { RefreshTokenDto } from './refresh-token.dto';
 export { RequestPasswordResetDto } from './request-password-reset.dto';
 export { ConfirmPasswordResetDto } from './confirm-password-reset.dto';
 export { AuthLoginResponseDto } from './auth-login-response.dto';
+export { Login2faDto } from './login-2fa.dto';
+export { TotpSetupConfirmDto, TotpDisableDto, TotpSetupStartResponseDto, } from './totp-user.dto';
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,2BAA2B,EAC3B,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,2BAA2B,EAC3B,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC"}

package/dist/auth/index.js

@@ -1,10 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthLoginResponseDto = exports.ConfirmPasswordResetDto = exports.RequestPasswordResetDto = exports.RefreshTokenDto = exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.LoginPayload = exports.LoginDto = void 0;
+exports.TotpSetupStartResponseDto = exports.TotpDisableDto = exports.TotpSetupConfirmDto = exports.Login2faDto = exports.AuthLoginResponseDto = exports.ConfirmPasswordResetDto = exports.RequestPasswordResetDto = exports.RefreshTokenDto = exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.Login2faPayload = exports.LoginPayload = exports.LoginDto = void 0;
 var login_dto_1 = require("./login.dto");
 Object.defineProperty(exports, "LoginDto", { enumerable: true, get: function () { return login_dto_1.LoginDto; } });
 var auth_kafka_payloads_1 = require("./auth-kafka.payloads");
 Object.defineProperty(exports, "LoginPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.LoginPayload; } });
+Object.defineProperty(exports, "Login2faPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.Login2faPayload; } });
 Object.defineProperty(exports, "ValidatePayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.ValidatePayload; } });
 Object.defineProperty(exports, "RefreshPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.RefreshPayload; } });
 Object.defineProperty(exports, "GetProfilePayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.GetProfilePayload; } });
@@ -18,3 +19,9 @@ var confirm_password_reset_dto_1 = require("./confirm-password-reset.dto");
 Object.defineProperty(exports, "ConfirmPasswordResetDto", { enumerable: true, get: function () { return confirm_password_reset_dto_1.ConfirmPasswordResetDto; } });
 var auth_login_response_dto_1 = require("./auth-login-response.dto");
 Object.defineProperty(exports, "AuthLoginResponseDto", { enumerable: true, get: function () { return auth_login_response_dto_1.AuthLoginResponseDto; } });
+var login_2fa_dto_1 = require("./login-2fa.dto");
+Object.defineProperty(exports, "Login2faDto", { enumerable: true, get: function () { return login_2fa_dto_1.Login2faDto; } });
+var totp_user_dto_1 = require("./totp-user.dto");
+Object.defineProperty(exports, "TotpSetupConfirmDto", { enumerable: true, get: function () { return totp_user_dto_1.TotpSetupConfirmDto; } });
+Object.defineProperty(exports, "TotpDisableDto", { enumerable: true, get: function () { return totp_user_dto_1.TotpDisableDto; } });
+Object.defineProperty(exports, "TotpSetupStartResponseDto", { enumerable: true, get: function () { return totp_user_dto_1.TotpSetupStartResponseDto; } });

package/dist/auth/login-2fa.dto.d.ts

@@ -0,0 +1,5 @@
+export declare class Login2faDto {
+    pre_auth_token: string;
+    totp: string;
+}
+//# sourceMappingURL=login-2fa.dto.d.ts.map

package/dist/auth/login-2fa.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-2fa.dto.d.ts","sourceRoot":"","sources":["../../src/auth/login-2fa.dto.ts"],"names":[],"mappings":"AAGA,qBAAa,WAAW;IAItB,cAAc,EAAE,MAAM,CAAC;IAKvB,IAAI,EAAE,MAAM,CAAC;CACd"}

package/dist/auth/login-2fa.dto.js

@@ -0,0 +1,31 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Login2faDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+const class_validator_1 = require("class-validator");
+class Login2faDto {
+    pre_auth_token;
+    totp;
+}
+exports.Login2faDto = Login2faDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'JWT retornado no primeiro passo do login (two_factor_required)' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'pre_auth_token não pode ser vazio' }),
+    __metadata("design:type", String)
+], Login2faDto.prototype, "pre_auth_token", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Código TOTP de 6 dígitos do aplicativo autenticador' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' }),
+    __metadata("design:type", String)
+], Login2faDto.prototype, "totp", void 0);

package/dist/auth/totp-user.dto.d.ts

@@ -0,0 +1,12 @@
+export declare class TotpSetupConfirmDto {
+    totp: string;
+}
+export declare class TotpDisableDto {
+    current_password: string;
+    totp: string;
+}
+export declare class TotpSetupStartResponseDto {
+    otpauth_url: string;
+    secret_base32: string;
+}
+//# sourceMappingURL=totp-user.dto.d.ts.map

package/dist/auth/totp-user.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp-user.dto.d.ts","sourceRoot":"","sources":["../../src/auth/totp-user.dto.ts"],"names":[],"mappings":"AAGA,qBAAa,mBAAmB;IAI9B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qBAAa,cAAc;IAIzB,gBAAgB,EAAE,MAAM,CAAC;IAKzB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qBAAa,yBAAyB;IAEpC,WAAW,EAAE,MAAM,CAAC;IAGpB,aAAa,EAAE,MAAM,CAAC;CACvB"}

package/dist/auth/totp-user.dto.js

@@ -0,0 +1,54 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TotpSetupStartResponseDto = exports.TotpDisableDto = exports.TotpSetupConfirmDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+const class_validator_1 = require("class-validator");
+class TotpSetupConfirmDto {
+    totp;
+}
+exports.TotpSetupConfirmDto = TotpSetupConfirmDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Código TOTP de 6 dígitos para confirmar o pareamento' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' }),
+    __metadata("design:type", String)
+], TotpSetupConfirmDto.prototype, "totp", void 0);
+class TotpDisableDto {
+    current_password;
+    totp;
+}
+exports.TotpDisableDto = TotpDisableDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Senha atual do utilizador' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'current_password não pode ser vazio' }),
+    __metadata("design:type", String)
+], TotpDisableDto.prototype, "current_password", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Código TOTP atual de 6 dígitos' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' }),
+    __metadata("design:type", String)
+], TotpDisableDto.prototype, "totp", void 0);
+class TotpSetupStartResponseDto {
+    otpauth_url;
+    secret_base32;
+}
+exports.TotpSetupStartResponseDto = TotpSetupStartResponseDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'URI otpauth para QR code' }),
+    __metadata("design:type", String)
+], TotpSetupStartResponseDto.prototype, "otpauth_url", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Segredo em Base32 para entrada manual' }),
+    __metadata("design:type", String)
+], TotpSetupStartResponseDto.prototype, "secret_base32", void 0);

package/dist/notifications/index.d.ts

@@ -1,4 +1,4 @@
-export { NotificationUserCreatedEventPayload, NotificationPasswordResetRequestedEventPayload, NotificationConversationChangeToHumanEventPayload, NotificationTenantAiTokensThresholdEventPayload, } from './notifications-kafka.payloads';
+export { NotificationUserCreatedEventPayload, NotificationPasswordResetRequestedEventPayload, NotificationNewDeviceLoginEventPayload, NotificationConversationChangeToHumanEventPayload, NotificationTenantAiTokensThresholdEventPayload, } from './notifications-kafka.payloads';
 export { TOPIC_NOTIFICATIONS_FIND_ALL, TOPIC_NOTIFICATIONS_REGISTER_PUSH_TOKEN, TOPIC_NOTIFICATIONS_UNREGISTER_PUSH_TOKEN, TOPIC_NOTIFICATIONS_UPDATE_VIEWED, TOPIC_NOTIFICATIONS_SEND_PUSH_TO_USER, EVENT_NOTIFICATIONS_ADMIN_BROADCAST_PUSH, EVENT_NOTIFICATIONS_CONVERSATION_HANDOFF_PUSH, EVENT_NOTIFICATIONS_HUMAN_ATTENDANT_IDLE_WARNING_PUSH, EVENT_NOTIFICATIONS_TENANT_AI_TOKENS_THRESHOLD, } from './notifications-kafka-topics';
 export { AdminBroadcastPushDto, ADMIN_NOTIFICATION_KINDS, type AdminNotificationKind, } from './admin-broadcast-push.dto';
 export { RegisterPushTokenDto, NotificationsRegisterPushTokenKafkaDto, NotificationsUnregisterPushTokenKafkaDto, } from './register-push-token.dto';

package/dist/notifications/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/notifications/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mCAAmC,EACnC,8CAA8C,EAC9C,iDAAiD,EACjD,+CAA+C,GAChD,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,4BAA4B,EAC5B,uCAAuC,EACvC,yCAAyC,EACzC,iCAAiC,EACjC,qCAAqC,EACrC,wCAAwC,EACxC,6CAA6C,EAC7C,qDAAqD,EACrD,8CAA8C,GAC/C,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,oBAAoB,EACpB,sCAAsC,EACtC,wCAAwC,GACzC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,yBAAyB,EACzB,6BAA6B,EAC7B,2BAA2B,EAC3B,KAAK,6BAA6B,EAClC,KAAK,2BAA2B,GACjC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EACL,2BAA2B,EAC3B,iCAAiC,GAClC,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EAAE,mCAAmC,EAAE,MAAM,uCAAuC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/notifications/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mCAAmC,EACnC,8CAA8C,EAC9C,sCAAsC,EACtC,iDAAiD,EACjD,+CAA+C,GAChD,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,4BAA4B,EAC5B,uCAAuC,EACvC,yCAAyC,EACzC,iCAAiC,EACjC,qCAAqC,EACrC,wCAAwC,EACxC,6CAA6C,EAC7C,qDAAqD,EACrD,8CAA8C,GAC/C,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,oBAAoB,EACpB,sCAAsC,EACtC,wCAAwC,GACzC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,yBAAyB,EACzB,6BAA6B,EAC7B,2BAA2B,EAC3B,KAAK,6BAA6B,EAClC,KAAK,2BAA2B,GACjC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EACL,2BAA2B,EAC3B,iCAAiC,GAClC,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EAAE,mCAAmC,EAAE,MAAM,uCAAuC,CAAC"}

package/dist/notifications/index.js

@@ -1,9 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NotificationsSendPushToUserKafkaDto = exports.NotificationsUpdateViewedKafkaDto = exports.UpdateNotificationViewedDto = exports.NotificationListItemDto = exports.NotificationsFindAllKafkaDto = exports.NOTIFICATION_STATUS_FILTERS = exports.NOTIFICATION_PROVIDER_FILTERS = exports.ListNotificationsQueryDto = exports.NotificationsUnregisterPushTokenKafkaDto = exports.NotificationsRegisterPushTokenKafkaDto = exports.RegisterPushTokenDto = exports.ADMIN_NOTIFICATION_KINDS = exports.AdminBroadcastPushDto = exports.EVENT_NOTIFICATIONS_TENANT_AI_TOKENS_THRESHOLD = exports.EVENT_NOTIFICATIONS_HUMAN_ATTENDANT_IDLE_WARNING_PUSH = exports.EVENT_NOTIFICATIONS_CONVERSATION_HANDOFF_PUSH = exports.EVENT_NOTIFICATIONS_ADMIN_BROADCAST_PUSH = exports.TOPIC_NOTIFICATIONS_SEND_PUSH_TO_USER = exports.TOPIC_NOTIFICATIONS_UPDATE_VIEWED = exports.TOPIC_NOTIFICATIONS_UNREGISTER_PUSH_TOKEN = exports.TOPIC_NOTIFICATIONS_REGISTER_PUSH_TOKEN = exports.TOPIC_NOTIFICATIONS_FIND_ALL = exports.NotificationTenantAiTokensThresholdEventPayload = exports.NotificationConversationChangeToHumanEventPayload = exports.NotificationPasswordResetRequestedEventPayload = exports.NotificationUserCreatedEventPayload = void 0;
+exports.NotificationsSendPushToUserKafkaDto = exports.NotificationsUpdateViewedKafkaDto = exports.UpdateNotificationViewedDto = exports.NotificationListItemDto = exports.NotificationsFindAllKafkaDto = exports.NOTIFICATION_STATUS_FILTERS = exports.NOTIFICATION_PROVIDER_FILTERS = exports.ListNotificationsQueryDto = exports.NotificationsUnregisterPushTokenKafkaDto = exports.NotificationsRegisterPushTokenKafkaDto = exports.RegisterPushTokenDto = exports.ADMIN_NOTIFICATION_KINDS = exports.AdminBroadcastPushDto = exports.EVENT_NOTIFICATIONS_TENANT_AI_TOKENS_THRESHOLD = exports.EVENT_NOTIFICATIONS_HUMAN_ATTENDANT_IDLE_WARNING_PUSH = exports.EVENT_NOTIFICATIONS_CONVERSATION_HANDOFF_PUSH = exports.EVENT_NOTIFICATIONS_ADMIN_BROADCAST_PUSH = exports.TOPIC_NOTIFICATIONS_SEND_PUSH_TO_USER = exports.TOPIC_NOTIFICATIONS_UPDATE_VIEWED = exports.TOPIC_NOTIFICATIONS_UNREGISTER_PUSH_TOKEN = exports.TOPIC_NOTIFICATIONS_REGISTER_PUSH_TOKEN = exports.TOPIC_NOTIFICATIONS_FIND_ALL = exports.NotificationTenantAiTokensThresholdEventPayload = exports.NotificationConversationChangeToHumanEventPayload = exports.NotificationNewDeviceLoginEventPayload = exports.NotificationPasswordResetRequestedEventPayload = exports.NotificationUserCreatedEventPayload = void 0;
 var notifications_kafka_payloads_1 = require("./notifications-kafka.payloads");
 Object.defineProperty(exports, "NotificationUserCreatedEventPayload", { enumerable: true, get: function () { return notifications_kafka_payloads_1.NotificationUserCreatedEventPayload; } });
 Object.defineProperty(exports, "NotificationPasswordResetRequestedEventPayload", { enumerable: true, get: function () { return notifications_kafka_payloads_1.NotificationPasswordResetRequestedEventPayload; } });
+Object.defineProperty(exports, "NotificationNewDeviceLoginEventPayload", { enumerable: true, get: function () { return notifications_kafka_payloads_1.NotificationNewDeviceLoginEventPayload; } });
 Object.defineProperty(exports, "NotificationConversationChangeToHumanEventPayload", { enumerable: true, get: function () { return notifications_kafka_payloads_1.NotificationConversationChangeToHumanEventPayload; } });
 Object.defineProperty(exports, "NotificationTenantAiTokensThresholdEventPayload", { enumerable: true, get: function () { return notifications_kafka_payloads_1.NotificationTenantAiTokensThresholdEventPayload; } });
 var notifications_kafka_topics_1 = require("./notifications-kafka-topics");

package/dist/notifications/notifications-kafka.payloads.d.ts

@@ -13,6 +13,22 @@ export declare class NotificationPasswordResetRequestedEventPayload {
     verifyToken: string;
     occurredAt: string;
 }
+/**
+ * Evento RabbitMQ `notifications.new_device_login` — alerta de login a partir de um perfil de
+ * dispositivo ainda não registado para o utilizador (par deviceName + deviceType após normalização no auth).
+ */
+export declare class NotificationNewDeviceLoginEventPayload {
+    eventId: string;
+    tenant: string;
+    userId: string;
+    email: string;
+    name: string;
+    deviceName: string;
+    deviceType: string;
+    ipAddress?: string;
+    location?: string;
+    occurredAt: string;
+}
 /** Evento Kafka `notifications.conversation-change-to-human` (IA ou clínica → fila humana). */
 export declare class NotificationConversationChangeToHumanEventPayload {
     eventId: string;

package/dist/notifications/notifications-kafka.payloads.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"notifications-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/notifications/notifications-kafka.payloads.ts"],"names":[],"mappings":"AAiBA,qBAAa,mCAAmC;IAM9C,OAAO,EAAE,MAAM,CAAC;IAShB,MAAM,EAAE,MAAM,CAAC;IAQf,KAAK,EAAE,MAAM,CAAC;IASd,IAAI,EAAE,MAAM,CAAC;IASb,QAAQ,EAAE,MAAM,CAAC;IAOjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,8CAA8C;IAMzD,OAAO,EAAE,MAAM,CAAC;IAShB,MAAM,EAAE,MAAM,CAAC;IAQf,KAAK,EAAE,MAAM,CAAC;IASd,WAAW,EAAE,MAAM,CAAC;IAOpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,+FAA+F;AAC/F,qBAAa,iDAAiD;IAG5D,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IAIf,SAAS,EAAE,MAAM,CAAC;IAKlB,WAAW,EAAE,MAAM,CAAC;IAMpB,MAAM,EAAE,MAAM,CAAC;IAIf,UAAU,EAAE,MAAM,CAAC;IAMnB,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAOhB,QAAQ,CAAC,EAAE,OAAO,CAAC;IAKnB,aAAa,CAAC,EAAE,IAAI,GAAG,QAAQ,CAAC;CACjC;AAED,0FAA0F;AAC1F,qBAAa,+CAA+C;IAG1D,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IASf,gBAAgB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;IAMrC,eAAe,EAAE,MAAM,CAAC;IAMxB,gBAAgB,EAAE,MAAM,CAAC;IAKzB,cAAc,EAAE,MAAM,CAAC;IAKvB,gBAAgB,EAAE,MAAM,CAAC;IAIzB,cAAc,EAAE,MAAM,CAAC;IAIvB,aAAa,EAAE,MAAM,CAAC;IAItB,UAAU,EAAE,MAAM,CAAC;CACpB"}
+{"version":3,"file":"notifications-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/notifications/notifications-kafka.payloads.ts"],"names":[],"mappings":"AAiBA,qBAAa,mCAAmC;IAM9C,OAAO,EAAE,MAAM,CAAC;IAShB,MAAM,EAAE,MAAM,CAAC;IAQf,KAAK,EAAE,MAAM,CAAC;IASd,IAAI,EAAE,MAAM,CAAC;IASb,QAAQ,EAAE,MAAM,CAAC;IAOjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,8CAA8C;IAMzD,OAAO,EAAE,MAAM,CAAC;IAShB,MAAM,EAAE,MAAM,CAAC;IAQf,KAAK,EAAE,MAAM,CAAC;IASd,WAAW,EAAE,MAAM,CAAC;IAOpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;GAGG;AACH,qBAAa,sCAAsC;IAMjD,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IAIf,MAAM,EAAE,MAAM,CAAC;IAKf,KAAK,EAAE,MAAM,CAAC;IAMd,IAAI,EAAE,MAAM,CAAC;IAMb,UAAU,EAAE,MAAM,CAAC;IAMnB,UAAU,EAAE,MAAM,CAAC;IAMnB,SAAS,CAAC,EAAE,MAAM,CAAC;IAMnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAIlB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,+FAA+F;AAC/F,qBAAa,iDAAiD;IAG5D,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IAIf,SAAS,EAAE,MAAM,CAAC;IAKlB,WAAW,EAAE,MAAM,CAAC;IAMpB,MAAM,EAAE,MAAM,CAAC;IAIf,UAAU,EAAE,MAAM,CAAC;IAMnB,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAOhB,QAAQ,CAAC,EAAE,OAAO,CAAC;IAKnB,aAAa,CAAC,EAAE,IAAI,GAAG,QAAQ,CAAC;CACjC;AAED,0FAA0F;AAC1F,qBAAa,+CAA+C;IAG1D,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IASf,gBAAgB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;IAMrC,eAAe,EAAE,MAAM,CAAC;IAMxB,gBAAgB,EAAE,MAAM,CAAC;IAKzB,cAAc,EAAE,MAAM,CAAC;IAKvB,gBAAgB,EAAE,MAAM,CAAC;IAIzB,cAAc,EAAE,MAAM,CAAC;IAIvB,aAAa,EAAE,MAAM,CAAC;IAItB,UAAU,EAAE,MAAM,CAAC;CACpB"}

package/dist/notifications/notifications-kafka.payloads.js

@@ -9,7 +9,7 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NotificationTenantAiTokensThresholdEventPayload = exports.NotificationConversationChangeToHumanEventPayload = exports.NotificationPasswordResetRequestedEventPayload = exports.NotificationUserCreatedEventPayload = void 0;
+exports.NotificationTenantAiTokensThresholdEventPayload = exports.NotificationConversationChangeToHumanEventPayload = exports.NotificationNewDeviceLoginEventPayload = exports.NotificationPasswordResetRequestedEventPayload = exports.NotificationUserCreatedEventPayload = void 0;
 const swagger_1 = require("@nestjs/swagger");
 const class_validator_1 = require("class-validator");
 class NotificationUserCreatedEventPayload {
@@ -129,6 +129,89 @@ __decorate([
     (0, class_validator_1.IsISO8601)(),
     __metadata("design:type", String)
 ], NotificationPasswordResetRequestedEventPayload.prototype, "occurredAt", void 0);
+/**
+ * Evento RabbitMQ `notifications.new_device_login` — alerta de login a partir de um perfil de
+ * dispositivo ainda não registado para o utilizador (par deviceName + deviceType após normalização no auth).
+ */
+class NotificationNewDeviceLoginEventPayload {
+    eventId;
+    tenant;
+    userId;
+    email;
+    name;
+    deviceName;
+    deviceType;
+    ipAddress;
+    location;
+    occurredAt;
+}
+exports.NotificationNewDeviceLoginEventPayload = NotificationNewDeviceLoginEventPayload;
+__decorate([
+    (0, swagger_1.ApiProperty)({
+        description: 'Idempotência',
+        example: '2d3ecf0d-8d38-4b95-95c8-d3e903e6f1fe',
+    }),
+    (0, class_validator_1.IsUUID)(),
+    __metadata("design:type", String)
+], NotificationNewDeviceLoginEventPayload.prototype, "eventId", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ example: 'default' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], NotificationNewDeviceLoginEventPayload.prototype, "tenant", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)(),
+    (0, class_validator_1.IsUUID)(),
+    __metadata("design:type", String)
+], NotificationNewDeviceLoginEventPayload.prototype, "userId", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ example: 'maria.silva@example.com' }),
+    (0, class_validator_1.IsEmail)(),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], NotificationNewDeviceLoginEventPayload.prototype, "email", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ example: 'Maria Silva' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], NotificationNewDeviceLoginEventPayload.prototype, "name", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ example: 'Chrome on Windows' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], NotificationNewDeviceLoginEventPayload.prototype, "deviceName", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ example: 'web' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1),
+    (0, class_validator_1.MaxLength)(32),
+    __metadata("design:type", String)
+], NotificationNewDeviceLoginEventPayload.prototype, "deviceType", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({ example: '203.0.113.10' }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MaxLength)(64),
+    __metadata("design:type", String)
+], NotificationNewDeviceLoginEventPayload.prototype, "ipAddress", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({ example: 'Lisboa, PT' }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], NotificationNewDeviceLoginEventPayload.prototype, "location", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ example: '2026-03-22T12:30:00.000Z' }),
+    (0, class_validator_1.IsISO8601)(),
+    __metadata("design:type", String)
+], NotificationNewDeviceLoginEventPayload.prototype, "occurredAt", void 0);
 /** Evento Kafka `notifications.conversation-change-to-human` (IA ou clínica → fila humana). */
 class NotificationConversationChangeToHumanEventPayload {
     eventId;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tychat-contracts",
-  "version": "1.4.9",
+  "version": "1.5.1",
   "description": "DTOs compartilhados com class-validator (API e microserviços)",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/auth/auth-kafka.payloads.ts

@@ -1,5 +1,5 @@
-import { ApiProperty } from '@nestjs/swagger';
-import { IsString, IsUUID, MaxLength, MinLength } from 'class-validator';
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
+import { IsIn, IsOptional, IsString, IsUUID, Matches, MaxLength, MinLength } from 'class-validator';
 import { LoginDto } from './login.dto';
 import { RefreshTokenDto } from './refresh-token.dto';
 
@@ -11,6 +11,48 @@ export class LoginPayload extends LoginDto {
   tenant: string;
 }
 
+/** Segundo passo do login quando 2FA está ativo (RMQ/Kafka → auth-service). */
+export class Login2faPayload {
+  @ApiProperty({ description: 'ID do tenant', example: 'tenant1' })
+  @IsString()
+  @MinLength(1, { message: 'tenant não pode ser vazio' })
+  @MaxLength(255)
+  tenant: string;
+
+  @ApiProperty({ description: 'JWT pre_2fa do primeiro passo' })
+  @IsString()
+  @MinLength(1, { message: 'pre_auth_token não pode ser vazio' })
+  pre_auth_token: string;
+
+  @ApiProperty({ description: 'Código TOTP de 6 dígitos' })
+  @IsString()
+  @Matches(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' })
+  totp: string;
+
+  @ApiPropertyOptional({ example: 'Chrome — Windows' })
+  @IsOptional()
+  @IsString()
+  @MaxLength(255)
+  device_name?: string;
+
+  @ApiPropertyOptional({ enum: ['web', 'mobile', 'api'] })
+  @IsOptional()
+  @IsIn(['web', 'mobile', 'api'])
+  device_type?: 'web' | 'mobile' | 'api';
+
+  @ApiPropertyOptional()
+  @IsOptional()
+  @IsString()
+  @MaxLength(64)
+  ip_address?: string | null;
+
+  @ApiPropertyOptional()
+  @IsOptional()
+  @IsString()
+  @MaxLength(255)
+  location?: string | null;
+}
+
 export class ValidatePayload {
   @ApiProperty({ description: 'ID do tenant', example: 'tenant1' })
   @IsString()

package/src/auth/auth-login-response.dto.ts

@@ -1,15 +1,26 @@
-import { ApiProperty } from '@nestjs/swagger';
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
 
 export class AuthLoginResponseDto {
-  @ApiProperty({ description: 'Token de acesso JWT' })
-  access_token: string;
+  @ApiProperty({
+    description:
+      'Se true, o cliente deve enviar pre_auth_token e código TOTP em POST /auth/login-2fa (ou login-health-2fa)',
+  })
+  two_factor_required: boolean;
+
+  @ApiPropertyOptional({
+    description: 'JWT de curta duração; presente quando two_factor_required é true',
+  })
+  pre_auth_token?: string;
 
-  @ApiProperty({ description: 'Token de refresh JWT' })
-  refresh_token: string;
+  @ApiPropertyOptional({ description: 'Presente quando two_factor_required é false' })
+  access_token?: string;
 
-  @ApiProperty({
+  @ApiPropertyOptional({ description: 'Presente quando two_factor_required é false' })
+  refresh_token?: string;
+
+  @ApiPropertyOptional({
     description: 'Indica se o usuário deve alterar a senha no primeiro acesso',
     example: true,
   })
-  force_change_password: boolean;
+  force_change_password?: boolean;
 }

package/src/auth/index.ts

@@ -1,6 +1,7 @@
 export { LoginDto } from './login.dto';
 export {
   LoginPayload,
+  Login2faPayload,
   ValidatePayload,
   RefreshPayload,
   GetProfilePayload,
@@ -11,3 +12,9 @@ export { RefreshTokenDto } from './refresh-token.dto';
 export { RequestPasswordResetDto } from './request-password-reset.dto';
 export { ConfirmPasswordResetDto } from './confirm-password-reset.dto';
 export { AuthLoginResponseDto } from './auth-login-response.dto';
+export { Login2faDto } from './login-2fa.dto';
+export {
+  TotpSetupConfirmDto,
+  TotpDisableDto,
+  TotpSetupStartResponseDto,
+} from './totp-user.dto';

package/src/auth/login-2fa.dto.ts

@@ -0,0 +1,14 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, Matches, MinLength } from 'class-validator';
+
+export class Login2faDto {
+  @ApiProperty({ description: 'JWT retornado no primeiro passo do login (two_factor_required)' })
+  @IsString()
+  @MinLength(1, { message: 'pre_auth_token não pode ser vazio' })
+  pre_auth_token: string;
+
+  @ApiProperty({ description: 'Código TOTP de 6 dígitos do aplicativo autenticador' })
+  @IsString()
+  @Matches(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' })
+  totp: string;
+}

package/src/auth/totp-user.dto.ts

@@ -0,0 +1,29 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, Matches, MinLength } from 'class-validator';
+
+export class TotpSetupConfirmDto {
+  @ApiProperty({ description: 'Código TOTP de 6 dígitos para confirmar o pareamento' })
+  @IsString()
+  @Matches(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' })
+  totp: string;
+}
+
+export class TotpDisableDto {
+  @ApiProperty({ description: 'Senha atual do utilizador' })
+  @IsString()
+  @MinLength(1, { message: 'current_password não pode ser vazio' })
+  current_password: string;
+
+  @ApiProperty({ description: 'Código TOTP atual de 6 dígitos' })
+  @IsString()
+  @Matches(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' })
+  totp: string;
+}
+
+export class TotpSetupStartResponseDto {
+  @ApiProperty({ description: 'URI otpauth para QR code' })
+  otpauth_url: string;
+
+  @ApiProperty({ description: 'Segredo em Base32 para entrada manual' })
+  secret_base32: string;
+}

package/src/notifications/index.ts

@@ -1,6 +1,7 @@
 export {
   NotificationUserCreatedEventPayload,
   NotificationPasswordResetRequestedEventPayload,
+  NotificationNewDeviceLoginEventPayload,
   NotificationConversationChangeToHumanEventPayload,
   NotificationTenantAiTokensThresholdEventPayload,
 } from './notifications-kafka.payloads';

package/src/notifications/notifications-kafka.payloads.ts

@@ -108,6 +108,68 @@ export class NotificationPasswordResetRequestedEventPayload {
   occurredAt: string;
 }
 
+/**
+ * Evento RabbitMQ `notifications.new_device_login` — alerta de login a partir de um perfil de
+ * dispositivo ainda não registado para o utilizador (par deviceName + deviceType após normalização no auth).
+ */
+export class NotificationNewDeviceLoginEventPayload {
+  @ApiProperty({
+    description: 'Idempotência',
+    example: '2d3ecf0d-8d38-4b95-95c8-d3e903e6f1fe',
+  })
+  @IsUUID()
+  eventId: string;
+
+  @ApiProperty({ example: 'default' })
+  @IsString()
+  @MinLength(1)
+  @MaxLength(255)
+  tenant: string;
+
+  @ApiProperty()
+  @IsUUID()
+  userId: string;
+
+  @ApiProperty({ example: 'maria.silva@example.com' })
+  @IsEmail()
+  @MaxLength(255)
+  email: string;
+
+  @ApiProperty({ example: 'Maria Silva' })
+  @IsString()
+  @MinLength(1)
+  @MaxLength(255)
+  name: string;
+
+  @ApiProperty({ example: 'Chrome on Windows' })
+  @IsString()
+  @MinLength(1)
+  @MaxLength(255)
+  deviceName: string;
+
+  @ApiProperty({ example: 'web' })
+  @IsString()
+  @MinLength(1)
+  @MaxLength(32)
+  deviceType: string;
+
+  @ApiPropertyOptional({ example: '203.0.113.10' })
+  @IsOptional()
+  @IsString()
+  @MaxLength(64)
+  ipAddress?: string;
+
+  @ApiPropertyOptional({ example: 'Lisboa, PT' })
+  @IsOptional()
+  @IsString()
+  @MaxLength(255)
+  location?: string;
+
+  @ApiProperty({ example: '2026-03-22T12:30:00.000Z' })
+  @IsISO8601()
+  occurredAt: string;
+}
+
 /** Evento Kafka `notifications.conversation-change-to-human` (IA ou clínica → fila humana). */
 export class NotificationConversationChangeToHumanEventPayload {
   @ApiProperty({ description: 'Idempotência' })