import { APIController, Request, Response } from '@ten24group/fw24'; import { IAuthService } from '../interfaces'; export declare class AuthController extends APIController { private readonly authService; constructor(authService: IAuthService); initialize(): Promise; /** * Sign up a new user with either username or email * * Example request with both: * ```json * { * "username": "johndoe", * "email": "user@example.com", * "password": "MySecurePassword123!" * } * ``` * * Example request with just email: * ```json * { * "email": "user@example.com", * "password": "MySecurePassword123!" * } * ``` * * Example request with just username: * ```json * { * "username": "johndoe", * "password": "MySecurePassword123!" * } * ``` * * Success response: * ```json * { * "message": "User Signed Up" * } * ``` * * Error response when neither username nor email is provided: * ```json * { * "message": "Either username or email must be provided" * } * ``` * * Note: If email is provided, the user will receive a verification code via email */ signup(req: Request, res: Response): Promise; /** * Get available login options for a user * Used to determine what authentication methods are available * * Example request: * ```json * { * "username": "user@example.com" * } * ``` * * Example response: * ```json * { * "challenges": ["EMAIL_OTP", "PASSWORD"], * "session": "session-token-string" * } * ``` */ initiateAuth(req: Request, res: Response): Promise; /** * Initiate OTP authentication flow * This endpoint starts the OTP challenge by requesting a code to be sent * * Example request: * ```json * { * "username": "user@example.com", * "session": "session-token-from-getLoginOptions" * } * ``` * * Example response: * ```json * { * "session": "new-session-token", * "challengeName": "EMAIL_OTP", * "challengeParameters": { * "CODE_DELIVERY_DESTINATION": "m***@e***.com" * } * } * ``` */ initiateOtpAuth(req: Request, res: Response): Promise; /** * Complete OTP authentication by submitting the received code * * Example request: * ```json * { * "username": "user@example.com", * "session": "session-token-from-initiateOtpAuth", * "code": "123456" * } * ``` * * Success response (tokens issued): * ```json * { * "AccessToken": "access-token", * "IdToken": "id-token", * "RefreshToken": "refresh-token", * "TokenType": "Bearer", * "ExpiresIn": 3600 * } * ``` * * Challenge response (if additional steps needed): * ```json * { * "session": "new-session-token", * "challengeName": "NEXT_CHALLENGE_NAME", * "challengeParameters": {} * } * ``` */ respondToOtpChallenge(req: Request, res: Response): Promise; /** * Sign in with email and password * * Example request with username and password: * ```json * { * "username": "johndoe", * "password": "MySecurePassword123!" * } * ``` * * Example request with just email: * ```json * { * "email": "user@example.com", * "password": "MySecurePassword123!" * * Success response (tokens issued): * ```json * { * "AccessToken": "access-token", * "IdToken": "id-token", * "RefreshToken": "refresh-token", * "TokenType": "Bearer", * "ExpiresIn": 3600 * } * ``` * * Challenge response (if MFA or other challenge required): * ```json * { * "challengeName": "SMS_MFA", * "session": "session-token", * "challengeParameters": { * "CODE_DELIVERY_DESTINATION": "+1********99" * } * } * ``` */ signin(req: Request, res: Response): Promise; /** * Sign out a user by invalidating their access token * * Example request: * ```json * { * "accessToken": "user-access-token" * } * ``` * * Success response: * ```json * { * "message": "User logged out" * } * ``` */ signout(req: Request, res: Response): Promise; /** * Refresh access and ID tokens using a refresh token * * Example request: * ```json * { * "refreshToken": "your-refresh-token" * } * ``` * * Success response: * ```json * { * "AccessToken": "new-access-token", * "IdToken": "new-id-token", * "RefreshToken": "same-refresh-token", * "TokenType": "Bearer", * "ExpiresIn": 3600 * } * ``` * * Note: The refresh token remains the same as Cognito does not issue new refresh tokens during refresh. * Refresh tokens are valid for 30 days by default. */ refreshToken(req: Request, res: Response): Promise; /** * Verify a user's email with the code they received * * Example request: * ```json * { * "email": "user@example.com", * "code": "123456" * } * ``` * * Success response: * ```json * { * "message": "User verified" * } * ``` */ verify(req: Request, res: Response): Promise; /** * Get verification code for a user attribute (e.g., email) * This will send a verification code to the specified attribute * * Example request: * ```json * { * "accessToken": "user-access-token", * "attributeName": "email" * } * ``` * * Success response: * ```json * { * "message": "Verification code sent" * } * ``` */ getUserAttributeVerificationCode(req: Request, res: Response): Promise; /** * Verify a user attribute (e.g., email) with a verification code * First call /getUserAttributeVerificationCode to get the code, then use this endpoint to verify * * Example request: * ```json * { * "accessToken": "user-access-token", * "attributeName": "email", * "code": "123456" * } * ``` * * Success response: * ```json * { * "message": "Attribute verified" * } * ``` */ verifyUserAttribute(req: Request, res: Response): Promise; /** * Resend verification code to a user's email * * Example request with email: * ```json * { * "email": "user@example.com" * } * ``` * * Example request with username: * ```json * { * "username": "johndoe" * } * ``` * * Success response: * ```json * { * "message": "Verification code resent" * } * ``` */ resendVerificationCode(req: Request, res: Response): Promise; /** * Change a user's password * Requires the user to be authenticated with a valid access token * * Example request: * ```json * { * "accessToken": "user-access-token", * "oldPassword": "OldPassword123!", * "newPassword": "NewPassword456!" * } * ``` * * Success response: * ```json * { * "message": "Password changed" * } * ``` */ changePassword(req: Request, res: Response): Promise; /** * Initiate the forgot password flow * This will send a reset code to the user's email * * Example request: * ```json * { * "email": "user@example.com" * } * ``` * * Success response: * ```json * { * "message": "Password reset email sent" * } * ``` */ forgotPassword(req: Request, res: Response): Promise; /** * Complete the forgot password flow by setting a new password with the reset code * * Example request: * ```json * { * "email": "user@example.com", * "code": "123456", * "newPassword": "NewPassword456!" * } * ``` * * Success response: * ```json * { * "message": "Password reset" * } * ``` */ confirmForgotPassword(req: Request, res: Response): Promise; /** * Admin endpoint to get list of user group options * Requires AWS IAM authorization and appropriate group permissions * * Example request: * ```json * * Success response: * ```json * [{ * label: 'admin', * value: 'admin' * }, { * label: 'user', * value: 'user' * }] * ``` */ getGroupOptions(req: Request, res: Response): Response; /** * Admin endpoint to add a user to a group * Requires AWS IAM authorization and appropriate group permissions * * Example request: * ```json * { * "email": "user@example.com", * "groupName": "admin" * } * ``` * * Success response: * ```json * { * "message": "User added to group" * } * ``` * * Note: This endpoint requires the route to be included in the admin group configuration * and proper AWS IAM authorization. */ addUserToGroup(req: Request, res: Response): Promise; /** * Get AWS credentials using an ID token * Used for AWS IAM authentication * * Example request: * ```json * { * "idToken": "cognito-id-token" * } * ``` * * Success response: * ```json * { * "Credentials": { * "AccessKeyId": "ASIA...", * "SecretKey": "...", * "SessionToken": "...", * "Expiration": "2024-03-21T00:00:00.000Z" * }, * "IdentityId": "us-east-1:..." * } * ``` */ getCredentials(req: Request, res: Response): Promise; /** * Get current user profile information using access token * * Example request: * ```json * { * "accessToken": "user-access-token" * } * ``` * * Success response: * ```json * { * "Username": "user@example.com", * "email": "user@example.com", * "Enabled": true, * "UserStatus": "CONFIRMED", * "Attributes": [ * { * "Name": "email", * "Value": "user@example.com" * }, * { * "Name": "email_verified", * "Value": "true" * } * ] * } * ``` */ getCurrentUser(req: Request, res: Response): Promise; /** * Update MFA preferences for the authenticated user * * Example request: * ```json * { * "accessToken": "user-access-token", * "mfaPreference": { * "enabledMethods": ["EMAIL", "SMS"], // Available methods: "EMAIL", "SMS", "SOFTWARE_TOKEN" * "preferredMethod": "EMAIL" * } * } * ``` * * Common use cases: * 1. Enable email MFA only: * ```json * { * "accessToken": "user-access-token", * "mfaPreference": { * "enabledMethods": ["EMAIL"], * "preferredMethod": "EMAIL" * } * } * ``` * * 2. Enable multiple methods with SMS preferred: * ```json * { * "accessToken": "user-access-token", * "mfaPreference": { * "enabledMethods": ["EMAIL", "SMS", "SOFTWARE_TOKEN"], * "preferredMethod": "SMS" * } * } * ``` * * 3. Disable all MFA: * ```json * { * "accessToken": "user-access-token", * "mfaPreference": { * "enabledMethods": [] * } * } * ``` */ updateUserMfaPreference(req: Request, res: Response): Promise; /** * Get current MFA preferences for the authenticated user * * Example request: * ```json * { * "accessToken": "user-access-token" * } * ``` * * Success response: * ```json * { * "enabledMethods": ["EMAIL", "SMS"], * "preferredMethod": "EMAIL" * } * ``` * * If no MFA is configured: * ```json * { * "enabledMethods": [], * "preferredMethod": null * } * ``` */ getUserMfaPreference(req: Request, res: Response): Promise; /** * Admin endpoint to manage MFA settings for any user * Requires AWS IAM authorization and appropriate group permissions * * Example request: * ```json * { * "username": "user@example.com", * "enabledMethods": ["EMAIL", "SMS"], // Available methods: "EMAIL", "SMS", "SOFTWARE_TOKEN" * "preferredMethod": "EMAIL" * } * ``` * * Common use cases: * 1. Force enable email MFA for a user: * ```json * { * "username": "user@example.com", * "enabledMethods": ["EMAIL"], * "preferredMethod": "EMAIL" * } * ``` * * 2. Enable multiple methods for a user: * ```json * { * "username": "user@example.com", * "enabledMethods": ["EMAIL", "SMS"], * "preferredMethod": "SMS" * } * ``` * * 3. Disable all MFA for a user: * ```json * { * "username": "user@example.com", * "enabledMethods": [] * } * ``` * * Note: This endpoint requires the route to be included in the admin group configuration * and proper AWS IAM authorization. */ setUserMfaSettings(req: Request, res: Response): Promise; /** * Get social sign-in configuration * This endpoint returns the configuration for all enabled social providers * * Example request: * ```json * { * "redirectUri": "http://localhost:3000/auth/callback" * } * ``` * * Success response: * ```json * { * "Google": { * "authorizationUrl": "https://your-cognito-domain.auth.region.amazoncognito.com/oauth2/authorize?...", * "clientId": "your-client-id", * "redirectUri": "http://localhost:3000/auth/callback", * "grantType": "authorization_code" * }, * "Facebook": { * "authorizationUrl": "https://your-cognito-domain.auth.region.amazoncognito.com/oauth2/authorize?...", * "clientId": "your-client-id", * "redirectUri": "http://localhost:3000/auth/callback", * "grantType": "authorization_code" * } * } * ``` */ getSocialSignInConfig(req: Request, res: Response): Promise; /** * Initiate social sign-in flow * This endpoint returns the URL to redirect the user to for social login * * Example request: * ```json * { * "provider": "Google", * "redirectUri": "http://localhost:3000/auth/callback" * } * ``` * * Success response: * ```json * { * "authorizationUrl": "https://accounts.google.com/o/oauth2/v2/auth?..." * } * ``` */ initiateSocialSignIn(req: Request, res: Response): Promise; /** * Complete social sign-in flow * This endpoint handles the OAuth callback and returns user tokens * * Example request: * ```json * { * "provider": "Google", * "code": "authorization-code-from-callback", * "redirectUri": "http://localhost:3000/auth/callback" * } * ``` * * Success response: * ```json * { * "AccessToken": "access-token", * "IdToken": "id-token", * "RefreshToken": "refresh-token", * "TokenType": "Bearer", * "ExpiresIn": 3600, * "isNewUser": false, * "provider": "Google" * } * ``` */ completeSocialSignIn(req: Request, res: Response): Promise; /** * Link social provider to existing account * This endpoint allows users to link their social accounts to their existing Cognito account * * Example request: * ```json * { * "accessToken": "user-access-token", * "provider": "Google", * "code": "authorization-code-from-oauth", * "redirectUri": "http://localhost:3000/auth/callback" * } * ``` * * Success response: * ```json * { * "message": "Social provider linked successfully", * "provider": "Google" * } * ``` */ linkSocialProvider(req: Request, res: Response): Promise; /** * Unlink social provider from account * This endpoint allows users to remove a linked social provider from their account * * Example request: * ```json * { * "accessToken": "user-access-token", * "provider": "Google" * } * ``` * * Success response: * ```json * { * "message": "Social provider unlinked successfully", * "provider": "Google" * } * ``` */ unlinkSocialProvider(req: Request, res: Response): Promise; /** * Complete the NEW_PASSWORD_REQUIRED challenge by setting a new password * * Example request: * ```json * { * "username": "user@example.com", * "session": "session-token-from-login", * "newPassword": "NewSecurePassword123!" * } * ``` * * Success response (tokens issued): * ```json * { * "AccessToken": "access-token", * "IdToken": "id-token", * "RefreshToken": "refresh-token", * "TokenType": "Bearer", * "ExpiresIn": 3600 * } * ``` */ setNewPassword(req: Request, res: Response): Promise; /** * Verify a JWT token. * * @param {Request} req - The request object. * @param {Response} res - The response object. * @returns {Response} - The response. */ verifyToken(req: Request, res: Response): Promise; }