"use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) { var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d; if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc); else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r; return c > 3 && r && Object.defineProperty(target, key, r), r; }; var __importStar = (this && this.__importStar) || (function () { var ownKeys = function(o) { ownKeys = Object.getOwnPropertyNames || function (o) { var ar = []; for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k; return ar; }; return ownKeys(o); }; return function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]); __setModuleDefault(result, mod); return result; }; })(); var __metadata = (this && this.__metadata) || function (k, v) { if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v); }; var __param = (this && this.__param) || function (paramIndex, decorator) { return function (target, key) { decorator(target, key, paramIndex); } }; Object.defineProperty(exports, "__esModule", { value: true }); exports.AuthService = void 0; const common_1 = require("@nestjs/common"); const typeorm_1 = require("@nestjs/typeorm"); const typeorm_2 = require("typeorm"); const jwt_1 = require("@nestjs/jwt"); const config_1 = require("@nestjs/config"); const bcrypt = __importStar(require("bcrypt")); const crypto = __importStar(require("crypto")); const entities_1 = require("../entities"); let AuthService = class AuthService { constructor(userRepository, sessionRepository, tokenRepository, jwtService, configService, dataSource) { this.userRepository = userRepository; this.sessionRepository = sessionRepository; this.tokenRepository = tokenRepository; this.jwtService = jwtService; this.configService = configService; this.dataSource = dataSource; } async register(dto, tenantId, ip, userAgent) { const existing = await this.userRepository.findOne({ where: { email: dto.email, tenant_id: tenantId }, }); if (existing) { throw new common_1.ConflictException('Email ya registrado en esta organización'); } const passwordHash = await bcrypt.hash(dto.password, 12); const user = this.userRepository.create({ tenant_id: tenantId, email: dto.email, password_hash: passwordHash, first_name: dto.first_name || null, last_name: dto.last_name || null, phone: dto.phone || null, status: 'pending_verification', email_verified: false, }); await this.userRepository.save(user); const tokens = await this.generateTokens(user, ip, userAgent); await this.createVerificationToken(user); return { user: this.sanitizeUser(user), ...tokens, }; } async login(dto, tenantId, ip, userAgent) { const user = await this.userRepository.findOne({ where: { email: dto.email, tenant_id: tenantId }, }); if (!user) { throw new common_1.UnauthorizedException('Credenciales inválidas'); } const isValid = await bcrypt.compare(dto.password, user.password_hash); if (!isValid) { throw new common_1.UnauthorizedException('Credenciales inválidas'); } if (user.status === 'suspended') { throw new common_1.UnauthorizedException('Cuenta suspendida'); } if (user.status === 'inactive') { throw new common_1.UnauthorizedException('Cuenta inactiva'); } user.last_login_at = new Date(); user.last_login_ip = ip || null; await this.userRepository.save(user); const tokens = await this.generateTokens(user, ip, userAgent); return { user: this.sanitizeUser(user), ...tokens, }; } async logout(userId, sessionToken) { await this.sessionRepository.update({ user_id: userId, session_token: sessionToken }, { is_active: false }); } async logoutAll(userId) { await this.sessionRepository.update({ user_id: userId }, { is_active: false }); } async refreshToken(refreshToken, ip, userAgent) { try { const payload = this.jwtService.verify(refreshToken, { secret: this.configService.get('jwt.secret'), }); const user = await this.userRepository.findOne({ where: { id: payload.sub }, }); if (!user) { throw new common_1.UnauthorizedException('Usuario no encontrado'); } const refreshTokenHash = this.hashToken(refreshToken); const session = await this.sessionRepository.findOne({ where: { user_id: user.id, refresh_token_hash: refreshTokenHash, is_active: true, }, }); if (!session) { throw new common_1.UnauthorizedException('Sesión inválida'); } if (new Date() > session.expires_at) { await this.sessionRepository.update({ id: session.id }, { is_active: false }); throw new common_1.UnauthorizedException('Sesión expirada'); } const tokens = await this.generateTokens(user, ip, userAgent, session.id); return tokens; } catch (error) { if (error instanceof common_1.UnauthorizedException) { throw error; } throw new common_1.UnauthorizedException('Token inválido'); } } async changePassword(userId, dto) { const user = await this.userRepository.findOne({ where: { id: userId }, }); if (!user) { throw new common_1.NotFoundException('Usuario no encontrado'); } const isValid = await bcrypt.compare(dto.currentPassword, user.password_hash); if (!isValid) { throw new common_1.BadRequestException('Password actual incorrecto'); } if (dto.currentPassword === dto.newPassword) { throw new common_1.BadRequestException('El nuevo password debe ser diferente al actual'); } const newHash = await bcrypt.hash(dto.newPassword, 12); await this.userRepository.update({ id: userId }, { password_hash: newHash }); return { message: 'Password actualizado correctamente' }; } async requestPasswordReset(email, tenantId) { const user = await this.userRepository.findOne({ where: { email, tenant_id: tenantId }, }); if (!user) { return { message: 'Si el email existe, recibirás instrucciones para restablecer tu password' }; } const token = crypto.randomBytes(32).toString('hex'); const tokenHash = this.hashToken(token); await this.tokenRepository.save({ user_id: user.id, tenant_id: tenantId, token_type: 'password_reset', token_hash: tokenHash, expires_at: new Date(Date.now() + 60 * 60 * 1000), }); return { message: 'Si el email existe, recibirás instrucciones para restablecer tu password' }; } async resetPassword(token, newPassword, tenantId) { const tokenHash = this.hashToken(token); const tokenRecord = await this.tokenRepository.findOne({ where: { token_hash: tokenHash, tenant_id: tenantId, token_type: 'password_reset', is_used: false, }, }); if (!tokenRecord) { throw new common_1.BadRequestException('Token inválido o expirado'); } if (new Date() > tokenRecord.expires_at) { throw new common_1.BadRequestException('Token expirado'); } const passwordHash = await bcrypt.hash(newPassword, 12); await this.userRepository.update({ id: tokenRecord.user_id }, { password_hash: passwordHash }); await this.tokenRepository.update({ id: tokenRecord.id }, { is_used: true, used_at: new Date() }); await this.logoutAll(tokenRecord.user_id); return { message: 'Password restablecido correctamente' }; } async verifyEmail(token, tenantId) { const tokenHash = this.hashToken(token); const tokenRecord = await this.tokenRepository.findOne({ where: { token_hash: tokenHash, tenant_id: tenantId, token_type: 'email_verification', is_used: false, }, }); if (!tokenRecord) { throw new common_1.BadRequestException('Token inválido o expirado'); } if (new Date() > tokenRecord.expires_at) { throw new common_1.BadRequestException('Token expirado'); } await this.userRepository.update({ id: tokenRecord.user_id }, { email_verified: true, email_verified_at: new Date(), status: 'active', }); await this.tokenRepository.update({ id: tokenRecord.id }, { is_used: true, used_at: new Date() }); return { message: 'Email verificado correctamente' }; } async validateUser(userId) { return this.userRepository.findOne({ where: { id: userId, status: 'active' }, }); } async getProfile(userId) { const user = await this.userRepository.findOne({ where: { id: userId }, }); if (!user) { throw new common_1.NotFoundException('Usuario no encontrado'); } return this.sanitizeUser(user); } async generateTokens(user, ip, userAgent, existingSessionId) { const payload = { sub: user.id, email: user.email, tenant_id: user.tenant_id, }; const accessTokenExpiry = this.configService.get('jwt.expiresIn') || '15m'; const refreshTokenExpiry = this.configService.get('jwt.refreshExpiresIn') || '7d'; const accessToken = this.jwtService.sign(payload, { expiresIn: accessTokenExpiry, }); const refreshToken = this.jwtService.sign(payload, { expiresIn: refreshTokenExpiry, }); const sessionToken = crypto.randomBytes(32).toString('hex'); const refreshTokenHash = this.hashToken(refreshToken); if (existingSessionId) { await this.sessionRepository.update({ id: existingSessionId }, { refresh_token_hash: refreshTokenHash, last_activity_at: new Date(), expires_at: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), }); } else { await this.sessionRepository.save({ user_id: user.id, tenant_id: user.tenant_id, session_token: sessionToken, refresh_token_hash: refreshTokenHash, ip_address: ip || null, user_agent: userAgent || null, device_type: this.detectDeviceType(userAgent), expires_at: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), last_activity_at: new Date(), is_active: true, }); } return { accessToken, refreshToken }; } async createVerificationToken(user) { const token = crypto.randomBytes(32).toString('hex'); const tokenHash = this.hashToken(token); await this.tokenRepository.save({ user_id: user.id, tenant_id: user.tenant_id, token_type: 'email_verification', token_hash: tokenHash, expires_at: new Date(Date.now() + 24 * 60 * 60 * 1000), }); return token; } hashToken(token) { return crypto.createHash('sha256').update(token).digest('hex'); } sanitizeUser(user) { const { password_hash, ...sanitized } = user; return sanitized; } detectDeviceType(userAgent) { if (!userAgent) return 'unknown'; const ua = userAgent.toLowerCase(); if (/mobile|android|iphone|ipod/.test(ua)) return 'mobile'; if (/tablet|ipad/.test(ua)) return 'tablet'; return 'desktop'; } }; exports.AuthService = AuthService; exports.AuthService = AuthService = __decorate([ (0, common_1.Injectable)(), __param(0, (0, typeorm_1.InjectRepository)(entities_1.User)), __param(1, (0, typeorm_1.InjectRepository)(entities_1.Session)), __param(2, (0, typeorm_1.InjectRepository)(entities_1.Token)), __metadata("design:paramtypes", [typeorm_2.Repository, typeorm_2.Repository, typeorm_2.Repository, jwt_1.JwtService, config_1.ConfigService, typeorm_2.DataSource]) ], AuthService); //# sourceMappingURL=auth.service.js.map