tychat-contracts 1.5.1 → 1.5.2

package/dist/auth/auth-kafka.payloads.d.ts

@@ -34,4 +34,11 @@ export declare class ConfirmPasswordResetPayload {
     verify_token: string;
     password: string;
 }
+/** Conclui reset de senha com 2FA (RMQ/Kafka → auth-service). */
+export declare class PasswordResetFinalize2faPayload {
+    tenant: string;
+    pre_recovery_token: string;
+    totp: string;
+    password: string;
+}
 //# sourceMappingURL=auth-kafka.payloads.d.ts.map

package/dist/auth/auth-kafka.payloads.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/auth/auth-kafka.payloads.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,qBAAa,YAAa,SAAQ,QAAQ;IAKxC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,+EAA+E;AAC/E,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAKf,cAAc,EAAE,MAAM,CAAC;IAKvB,IAAI,EAAE,MAAM,CAAC;IAMb,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,WAAW,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,KAAK,CAAC;IAMvC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAM3B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,cAAe,SAAQ,eAAe;IAKjD,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,2FAA2F;AAC3F,qBAAa,iBAAiB;IAK5B,MAAM,EAAE,MAAM,CAAC;IAQf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;IAMrB,QAAQ,EAAE,MAAM,CAAC;CAClB"}
+{"version":3,"file":"auth-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/auth/auth-kafka.payloads.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,qBAAa,YAAa,SAAQ,QAAQ;IAKxC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,+EAA+E;AAC/E,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAKf,cAAc,EAAE,MAAM,CAAC;IAKvB,IAAI,EAAE,MAAM,CAAC;IAMb,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,WAAW,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,KAAK,CAAC;IAMvC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAM3B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,cAAe,SAAQ,eAAe;IAKjD,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,2FAA2F;AAC3F,qBAAa,iBAAiB;IAK5B,MAAM,EAAE,MAAM,CAAC;IAQf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;IAMrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,iEAAiE;AACjE,qBAAa,+BAA+B;IAK1C,MAAM,EAAE,MAAM,CAAC;IAMf,kBAAkB,EAAE,MAAM,CAAC;IAK3B,IAAI,EAAE,MAAM,CAAC;IAMb,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/auth/auth-kafka.payloads.js

@@ -9,7 +9,7 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.Login2faPayload = exports.LoginPayload = void 0;
+exports.PasswordResetFinalize2faPayload = exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.Login2faPayload = exports.LoginPayload = void 0;
 const swagger_1 = require("@nestjs/swagger");
 const class_validator_1 = require("class-validator");
 const login_dto_1 = require("./login.dto");
@@ -180,3 +180,38 @@ __decorate([
     (0, class_validator_1.MaxLength)(255),
     __metadata("design:type", String)
 ], ConfirmPasswordResetPayload.prototype, "password", void 0);
+/** Conclui reset de senha com 2FA (RMQ/Kafka → auth-service). */
+class PasswordResetFinalize2faPayload {
+    tenant;
+    pre_recovery_token;
+    totp;
+    password;
+}
+exports.PasswordResetFinalize2faPayload = PasswordResetFinalize2faPayload;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'ID do tenant', example: 'tenant1' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'tenant não pode ser vazio' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], PasswordResetFinalize2faPayload.prototype, "tenant", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'JWT pre_password_reset do pedido de reset' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'pre_recovery_token não pode ser vazio' }),
+    (0, class_validator_1.MaxLength)(4096),
+    __metadata("design:type", String)
+], PasswordResetFinalize2faPayload.prototype, "pre_recovery_token", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Código TOTP de 6 dígitos' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' }),
+    __metadata("design:type", String)
+], PasswordResetFinalize2faPayload.prototype, "totp", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Nova senha', example: 'senha123' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6, { message: 'password deve ter no mínimo 6 caracteres' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], PasswordResetFinalize2faPayload.prototype, "password", void 0);

package/dist/auth/index.d.ts

@@ -1,8 +1,10 @@
 export { LoginDto } from './login.dto';
-export { LoginPayload, Login2faPayload, ValidatePayload, RefreshPayload, GetProfilePayload, RequestPasswordResetPayload, ConfirmPasswordResetPayload, } from './auth-kafka.payloads';
+export { LoginPayload, Login2faPayload, ValidatePayload, RefreshPayload, GetProfilePayload, RequestPasswordResetPayload, ConfirmPasswordResetPayload, PasswordResetFinalize2faPayload, } from './auth-kafka.payloads';
 export { RefreshTokenDto } from './refresh-token.dto';
 export { RequestPasswordResetDto } from './request-password-reset.dto';
 export { ConfirmPasswordResetDto } from './confirm-password-reset.dto';
+export { RequestPasswordResetResponseDto } from './request-password-reset-response.dto';
+export { PasswordResetFinalize2faDto } from './password-reset-finalize-2fa.dto';
 export { AuthLoginResponseDto } from './auth-login-response.dto';
 export { Login2faDto } from './login-2fa.dto';
 export { TotpSetupConfirmDto, TotpDisableDto, TotpSetupStartResponseDto, } from './totp-user.dto';

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,2BAA2B,EAC3B,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,2BAA2B,EAC3B,2BAA2B,EAC3B,+BAA+B,GAChC,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,+BAA+B,EAAE,MAAM,uCAAuC,CAAC;AACxF,OAAO,EAAE,2BAA2B,EAAE,MAAM,mCAAmC,CAAC;AAChF,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC"}

package/dist/auth/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TotpSetupStartResponseDto = exports.TotpDisableDto = exports.TotpSetupConfirmDto = exports.Login2faDto = exports.AuthLoginResponseDto = exports.ConfirmPasswordResetDto = exports.RequestPasswordResetDto = exports.RefreshTokenDto = exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.Login2faPayload = exports.LoginPayload = exports.LoginDto = void 0;
+exports.TotpSetupStartResponseDto = exports.TotpDisableDto = exports.TotpSetupConfirmDto = exports.Login2faDto = exports.AuthLoginResponseDto = exports.PasswordResetFinalize2faDto = exports.RequestPasswordResetResponseDto = exports.ConfirmPasswordResetDto = exports.RequestPasswordResetDto = exports.RefreshTokenDto = exports.PasswordResetFinalize2faPayload = exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.GetProfilePayload = exports.RefreshPayload = exports.ValidatePayload = exports.Login2faPayload = exports.LoginPayload = exports.LoginDto = void 0;
 var login_dto_1 = require("./login.dto");
 Object.defineProperty(exports, "LoginDto", { enumerable: true, get: function () { return login_dto_1.LoginDto; } });
 var auth_kafka_payloads_1 = require("./auth-kafka.payloads");
@@ -11,12 +11,17 @@ Object.defineProperty(exports, "RefreshPayload", { enumerable: true, get: functi
 Object.defineProperty(exports, "GetProfilePayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.GetProfilePayload; } });
 Object.defineProperty(exports, "RequestPasswordResetPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.RequestPasswordResetPayload; } });
 Object.defineProperty(exports, "ConfirmPasswordResetPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.ConfirmPasswordResetPayload; } });
+Object.defineProperty(exports, "PasswordResetFinalize2faPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.PasswordResetFinalize2faPayload; } });
 var refresh_token_dto_1 = require("./refresh-token.dto");
 Object.defineProperty(exports, "RefreshTokenDto", { enumerable: true, get: function () { return refresh_token_dto_1.RefreshTokenDto; } });
 var request_password_reset_dto_1 = require("./request-password-reset.dto");
 Object.defineProperty(exports, "RequestPasswordResetDto", { enumerable: true, get: function () { return request_password_reset_dto_1.RequestPasswordResetDto; } });
 var confirm_password_reset_dto_1 = require("./confirm-password-reset.dto");
 Object.defineProperty(exports, "ConfirmPasswordResetDto", { enumerable: true, get: function () { return confirm_password_reset_dto_1.ConfirmPasswordResetDto; } });
+var request_password_reset_response_dto_1 = require("./request-password-reset-response.dto");
+Object.defineProperty(exports, "RequestPasswordResetResponseDto", { enumerable: true, get: function () { return request_password_reset_response_dto_1.RequestPasswordResetResponseDto; } });
+var password_reset_finalize_2fa_dto_1 = require("./password-reset-finalize-2fa.dto");
+Object.defineProperty(exports, "PasswordResetFinalize2faDto", { enumerable: true, get: function () { return password_reset_finalize_2fa_dto_1.PasswordResetFinalize2faDto; } });
 var auth_login_response_dto_1 = require("./auth-login-response.dto");
 Object.defineProperty(exports, "AuthLoginResponseDto", { enumerable: true, get: function () { return auth_login_response_dto_1.AuthLoginResponseDto; } });
 var login_2fa_dto_1 = require("./login-2fa.dto");

package/dist/auth/password-reset-finalize-2fa.dto.d.ts

@@ -0,0 +1,8 @@
+/** Finaliza recuperação de senha quando o utilizador tem 2FA (após `password-reset/request`). */
+export declare class PasswordResetFinalize2faDto {
+    pre_recovery_token: string;
+    totp: string;
+    password: string;
+    password_confirmation: string;
+}
+//# sourceMappingURL=password-reset-finalize-2fa.dto.d.ts.map

package/dist/auth/password-reset-finalize-2fa.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset-finalize-2fa.dto.d.ts","sourceRoot":"","sources":["../../src/auth/password-reset-finalize-2fa.dto.ts"],"names":[],"mappings":"AAIA,iGAAiG;AACjG,qBAAa,2BAA2B;IAKtC,kBAAkB,EAAE,MAAM,CAAC;IAK3B,IAAI,EAAE,MAAM,CAAC;IAMb,QAAQ,EAAE,MAAM,CAAC;IAajB,qBAAqB,EAAE,MAAM,CAAC;CAC/B"}

package/dist/auth/password-reset-finalize-2fa.dto.js

@@ -0,0 +1,57 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PasswordResetFinalize2faDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+const class_validator_1 = require("class-validator");
+const match_field_decorator_1 = require("./match-field.decorator");
+/** Finaliza recuperação de senha quando o utilizador tem 2FA (após `password-reset/request`). */
+class PasswordResetFinalize2faDto {
+    pre_recovery_token;
+    totp;
+    password;
+    password_confirmation;
+}
+exports.PasswordResetFinalize2faDto = PasswordResetFinalize2faDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'JWT pre_password_reset devolvido no pedido de reset' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'pre_recovery_token não pode ser vazio' }),
+    (0, class_validator_1.MaxLength)(4096),
+    __metadata("design:type", String)
+], PasswordResetFinalize2faDto.prototype, "pre_recovery_token", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Código TOTP de 6 dígitos' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' }),
+    __metadata("design:type", String)
+], PasswordResetFinalize2faDto.prototype, "totp", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Nova senha', example: 'senha123', minLength: 6 }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6, { message: 'password deve ter no mínimo 6 caracteres' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], PasswordResetFinalize2faDto.prototype, "password", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({
+        description: 'Confirmação da nova senha',
+        example: 'senha123',
+        minLength: 6,
+    }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6, { message: 'password_confirmation deve ter no mínimo 6 caracteres' }),
+    (0, class_validator_1.MaxLength)(255),
+    (0, match_field_decorator_1.MatchField)('password', {
+        message: 'password_confirmation deve ser igual a password',
+    }),
+    __metadata("design:type", String)
+], PasswordResetFinalize2faDto.prototype, "password_confirmation", void 0);

package/dist/auth/request-password-reset-response.dto.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Resposta de `POST /auth/password-reset/request`.
+ * - Sem utilizador ou utilizador sem 2FA: apenas mensagem genérica (e e-mail com senha provisória se existir conta sem 2FA).
+ * - Utilizador com 2FA: inclui token para o passo seguinte (`finalize-2fa`).
+ */
+export declare class RequestPasswordResetResponseDto {
+    success: boolean;
+    message: string;
+    two_factor_required?: boolean;
+    pre_recovery_token?: string;
+}
+//# sourceMappingURL=request-password-reset-response.dto.d.ts.map

package/dist/auth/request-password-reset-response.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-password-reset-response.dto.d.ts","sourceRoot":"","sources":["../../src/auth/request-password-reset-response.dto.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,qBAAa,+BAA+B;IAE1C,OAAO,EAAE,OAAO,CAAC;IAKjB,OAAO,EAAE,MAAM,CAAC;IAKhB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAK9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B"}

package/dist/auth/request-password-reset-response.dto.js

@@ -0,0 +1,47 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RequestPasswordResetResponseDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+/**
+ * Resposta de `POST /auth/password-reset/request`.
+ * - Sem utilizador ou utilizador sem 2FA: apenas mensagem genérica (e e-mail com senha provisória se existir conta sem 2FA).
+ * - Utilizador com 2FA: inclui token para o passo seguinte (`finalize-2fa`).
+ */
+class RequestPasswordResetResponseDto {
+    success;
+    message;
+    two_factor_required;
+    pre_recovery_token;
+}
+exports.RequestPasswordResetResponseDto = RequestPasswordResetResponseDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ example: true }),
+    __metadata("design:type", Boolean)
+], RequestPasswordResetResponseDto.prototype, "success", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({
+        description: 'Mensagem genérica (não revela se o e-mail existe, exceto quando two_factor_required é true)',
+    }),
+    __metadata("design:type", String)
+], RequestPasswordResetResponseDto.prototype, "message", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'Presente quando o e-mail existe e o utilizador tem 2FA ativo',
+    }),
+    __metadata("design:type", Boolean)
+], RequestPasswordResetResponseDto.prototype, "two_factor_required", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'JWT de curta duração para `POST /auth/password-reset/finalize-2fa`',
+    }),
+    __metadata("design:type", String)
+], RequestPasswordResetResponseDto.prototype, "pre_recovery_token", void 0);

package/dist/notifications/notifications-kafka.payloads.d.ts

@@ -10,7 +10,8 @@ export declare class NotificationPasswordResetRequestedEventPayload {
     eventId: string;
     tenant: string;
     email: string;
-    verifyToken: string;
+    verifyToken?: string;
+    temporaryPassword?: string;
     occurredAt: string;
 }
 /**

package/dist/notifications/notifications-kafka.payloads.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"notifications-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/notifications/notifications-kafka.payloads.ts"],"names":[],"mappings":"AAiBA,qBAAa,mCAAmC;IAM9C,OAAO,EAAE,MAAM,CAAC;IAShB,MAAM,EAAE,MAAM,CAAC;IAQf,KAAK,EAAE,MAAM,CAAC;IASd,IAAI,EAAE,MAAM,CAAC;IASb,QAAQ,EAAE,MAAM,CAAC;IAOjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,8CAA8C;IAMzD,OAAO,EAAE,MAAM,CAAC;IAShB,MAAM,EAAE,MAAM,CAAC;IAQf,KAAK,EAAE,MAAM,CAAC;IASd,WAAW,EAAE,MAAM,CAAC;IAOpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;GAGG;AACH,qBAAa,sCAAsC;IAMjD,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IAIf,MAAM,EAAE,MAAM,CAAC;IAKf,KAAK,EAAE,MAAM,CAAC;IAMd,IAAI,EAAE,MAAM,CAAC;IAMb,UAAU,EAAE,MAAM,CAAC;IAMnB,UAAU,EAAE,MAAM,CAAC;IAMnB,SAAS,CAAC,EAAE,MAAM,CAAC;IAMnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAIlB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,+FAA+F;AAC/F,qBAAa,iDAAiD;IAG5D,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IAIf,SAAS,EAAE,MAAM,CAAC;IAKlB,WAAW,EAAE,MAAM,CAAC;IAMpB,MAAM,EAAE,MAAM,CAAC;IAIf,UAAU,EAAE,MAAM,CAAC;IAMnB,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAOhB,QAAQ,CAAC,EAAE,OAAO,CAAC;IAKnB,aAAa,CAAC,EAAE,IAAI,GAAG,QAAQ,CAAC;CACjC;AAED,0FAA0F;AAC1F,qBAAa,+CAA+C;IAG1D,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IASf,gBAAgB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;IAMrC,eAAe,EAAE,MAAM,CAAC;IAMxB,gBAAgB,EAAE,MAAM,CAAC;IAKzB,cAAc,EAAE,MAAM,CAAC;IAKvB,gBAAgB,EAAE,MAAM,CAAC;IAIzB,cAAc,EAAE,MAAM,CAAC;IAIvB,aAAa,EAAE,MAAM,CAAC;IAItB,UAAU,EAAE,MAAM,CAAC;CACpB"}
+{"version":3,"file":"notifications-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/notifications/notifications-kafka.payloads.ts"],"names":[],"mappings":"AAiBA,qBAAa,mCAAmC;IAM9C,OAAO,EAAE,MAAM,CAAC;IAShB,MAAM,EAAE,MAAM,CAAC;IAQf,KAAK,EAAE,MAAM,CAAC;IASd,IAAI,EAAE,MAAM,CAAC;IASb,QAAQ,EAAE,MAAM,CAAC;IAOjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,8CAA8C;IAMzD,OAAO,EAAE,MAAM,CAAC;IAShB,MAAM,EAAE,MAAM,CAAC;IAQf,KAAK,EAAE,MAAM,CAAC;IAWd,WAAW,CAAC,EAAE,MAAM,CAAC;IAUrB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAO3B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;GAGG;AACH,qBAAa,sCAAsC;IAMjD,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IAIf,MAAM,EAAE,MAAM,CAAC;IAKf,KAAK,EAAE,MAAM,CAAC;IAMd,IAAI,EAAE,MAAM,CAAC;IAMb,UAAU,EAAE,MAAM,CAAC;IAMnB,UAAU,EAAE,MAAM,CAAC;IAMnB,SAAS,CAAC,EAAE,MAAM,CAAC;IAMnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAIlB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,+FAA+F;AAC/F,qBAAa,iDAAiD;IAG5D,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IAIf,SAAS,EAAE,MAAM,CAAC;IAKlB,WAAW,EAAE,MAAM,CAAC;IAMpB,MAAM,EAAE,MAAM,CAAC;IAIf,UAAU,EAAE,MAAM,CAAC;IAMnB,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAOhB,QAAQ,CAAC,EAAE,OAAO,CAAC;IAKnB,aAAa,CAAC,EAAE,IAAI,GAAG,QAAQ,CAAC;CACjC;AAED,0FAA0F;AAC1F,qBAAa,+CAA+C;IAG1D,OAAO,EAAE,MAAM,CAAC;IAMhB,MAAM,EAAE,MAAM,CAAC;IASf,gBAAgB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;IAMrC,eAAe,EAAE,MAAM,CAAC;IAMxB,gBAAgB,EAAE,MAAM,CAAC;IAKzB,cAAc,EAAE,MAAM,CAAC;IAKvB,gBAAgB,EAAE,MAAM,CAAC;IAIzB,cAAc,EAAE,MAAM,CAAC;IAIvB,aAAa,EAAE,MAAM,CAAC;IAItB,UAAU,EAAE,MAAM,CAAC;CACpB"}

package/dist/notifications/notifications-kafka.payloads.js

@@ -81,6 +81,7 @@ class NotificationPasswordResetRequestedEventPayload {
     tenant;
     email;
     verifyToken;
+    temporaryPassword;
     occurredAt;
 }
 exports.NotificationPasswordResetRequestedEventPayload = NotificationPasswordResetRequestedEventPayload;
@@ -112,15 +113,26 @@ __decorate([
     __metadata("design:type", String)
 ], NotificationPasswordResetRequestedEventPayload.prototype, "email", void 0);
 __decorate([
-    (0, swagger_1.ApiProperty)({
-        description: 'Password reset verification token',
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'Legado: token para fluxo antigo de confirmação de reset (omitido quando se envia senha provisória)',
         example: 'a3b5f3c1f3c6ef',
     }),
+    (0, class_validator_1.IsOptional)(),
     (0, class_validator_1.IsString)(),
     (0, class_validator_1.MinLength)(1),
     (0, class_validator_1.MaxLength)(255),
     __metadata("design:type", String)
 ], NotificationPasswordResetRequestedEventPayload.prototype, "verifyToken", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'Senha provisória gerada no servidor (fluxo sem 2FA); o utilizador deve alterá-la após o login',
+    }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(8),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], NotificationPasswordResetRequestedEventPayload.prototype, "temporaryPassword", void 0);
 __decorate([
     (0, swagger_1.ApiProperty)({
         description: 'Timestamp when the event was created',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tychat-contracts",
-  "version": "1.5.1",
+  "version": "1.5.2",
   "description": "DTOs compartilhados com class-validator (API e microserviços)",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/auth/auth-kafka.payloads.ts

@@ -1,5 +1,13 @@
 import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
-import { IsIn, IsOptional, IsString, IsUUID, Matches, MaxLength, MinLength } from 'class-validator';
+import {
+  IsIn,
+  IsOptional,
+  IsString,
+  IsUUID,
+  Matches,
+  MaxLength,
+  MinLength,
+} from 'class-validator';
 import { LoginDto } from './login.dto';
 import { RefreshTokenDto } from './refresh-token.dto';
 
@@ -124,4 +132,30 @@ export class ConfirmPasswordResetPayload {
   @MinLength(6, { message: 'password deve ter no mínimo 6 caracteres' })
   @MaxLength(255)
   password: string;
+}
+
+/** Conclui reset de senha com 2FA (RMQ/Kafka → auth-service). */
+export class PasswordResetFinalize2faPayload {
+  @ApiProperty({ description: 'ID do tenant', example: 'tenant1' })
+  @IsString()
+  @MinLength(1, { message: 'tenant não pode ser vazio' })
+  @MaxLength(255)
+  tenant: string;
+
+  @ApiProperty({ description: 'JWT pre_password_reset do pedido de reset' })
+  @IsString()
+  @MinLength(1, { message: 'pre_recovery_token não pode ser vazio' })
+  @MaxLength(4096)
+  pre_recovery_token: string;
+
+  @ApiProperty({ description: 'Código TOTP de 6 dígitos' })
+  @IsString()
+  @Matches(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' })
+  totp: string;
+
+  @ApiProperty({ description: 'Nova senha', example: 'senha123' })
+  @IsString()
+  @MinLength(6, { message: 'password deve ter no mínimo 6 caracteres' })
+  @MaxLength(255)
+  password: string;
 }

package/src/auth/index.ts

@@ -7,10 +7,13 @@ export {
   GetProfilePayload,
   RequestPasswordResetPayload,
   ConfirmPasswordResetPayload,
+  PasswordResetFinalize2faPayload,
 } from './auth-kafka.payloads';
 export { RefreshTokenDto } from './refresh-token.dto';
 export { RequestPasswordResetDto } from './request-password-reset.dto';
 export { ConfirmPasswordResetDto } from './confirm-password-reset.dto';
+export { RequestPasswordResetResponseDto } from './request-password-reset-response.dto';
+export { PasswordResetFinalize2faDto } from './password-reset-finalize-2fa.dto';
 export { AuthLoginResponseDto } from './auth-login-response.dto';
 export { Login2faDto } from './login-2fa.dto';
 export {

package/src/auth/password-reset-finalize-2fa.dto.ts

@@ -0,0 +1,36 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, Matches, MaxLength, MinLength } from 'class-validator';
+import { MatchField } from './match-field.decorator';
+
+/** Finaliza recuperação de senha quando o utilizador tem 2FA (após `password-reset/request`). */
+export class PasswordResetFinalize2faDto {
+  @ApiProperty({ description: 'JWT pre_password_reset devolvido no pedido de reset' })
+  @IsString()
+  @MinLength(1, { message: 'pre_recovery_token não pode ser vazio' })
+  @MaxLength(4096)
+  pre_recovery_token: string;
+
+  @ApiProperty({ description: 'Código TOTP de 6 dígitos' })
+  @IsString()
+  @Matches(/^\d{6}$/, { message: 'totp deve ser exatamente 6 dígitos' })
+  totp: string;
+
+  @ApiProperty({ description: 'Nova senha', example: 'senha123', minLength: 6 })
+  @IsString()
+  @MinLength(6, { message: 'password deve ter no mínimo 6 caracteres' })
+  @MaxLength(255)
+  password: string;
+
+  @ApiProperty({
+    description: 'Confirmação da nova senha',
+    example: 'senha123',
+    minLength: 6,
+  })
+  @IsString()
+  @MinLength(6, { message: 'password_confirmation deve ter no mínimo 6 caracteres' })
+  @MaxLength(255)
+  @MatchField('password', {
+    message: 'password_confirmation deve ser igual a password',
+  })
+  password_confirmation: string;
+}

package/src/auth/request-password-reset-response.dto.ts

@@ -0,0 +1,26 @@
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
+
+/**
+ * Resposta de `POST /auth/password-reset/request`.
+ * - Sem utilizador ou utilizador sem 2FA: apenas mensagem genérica (e e-mail com senha provisória se existir conta sem 2FA).
+ * - Utilizador com 2FA: inclui token para o passo seguinte (`finalize-2fa`).
+ */
+export class RequestPasswordResetResponseDto {
+  @ApiProperty({ example: true })
+  success: boolean;
+
+  @ApiProperty({
+    description: 'Mensagem genérica (não revela se o e-mail existe, exceto quando two_factor_required é true)',
+  })
+  message: string;
+
+  @ApiPropertyOptional({
+    description: 'Presente quando o e-mail existe e o utilizador tem 2FA ativo',
+  })
+  two_factor_required?: boolean;
+
+  @ApiPropertyOptional({
+    description: 'JWT de curta duração para `POST /auth/password-reset/finalize-2fa`',
+  })
+  pre_recovery_token?: string;
+}

package/src/notifications/notifications-kafka.payloads.ts

@@ -91,14 +91,26 @@ export class NotificationPasswordResetRequestedEventPayload {
   @MaxLength(255)
   email: string;
 
-  @ApiProperty({
-    description: 'Password reset verification token',
+  @ApiPropertyOptional({
+    description:
+      'Legado: token para fluxo antigo de confirmação de reset (omitido quando se envia senha provisória)',
     example: 'a3b5f3c1f3c6ef',
   })
+  @IsOptional()
   @IsString()
   @MinLength(1)
   @MaxLength(255)
-  verifyToken: string;
+  verifyToken?: string;
+
+  @ApiPropertyOptional({
+    description:
+      'Senha provisória gerada no servidor (fluxo sem 2FA); o utilizador deve alterá-la após o login',
+  })
+  @IsOptional()
+  @IsString()
+  @MinLength(8)
+  @MaxLength(255)
+  temporaryPassword?: string;
 
   @ApiProperty({
     description: 'Timestamp when the event was created',