Assist_Design/apps/bff/src/auth/auth.service.ts

import { Injectable, UnauthorizedException, ConflictException, BadRequestException, Logger } from '@nestjs/common';
import { JwtService } from '@nestjs/jwt';
import { ConfigService } from '@nestjs/config';
import * as bcrypt from 'bcrypt';
import { UsersService } from '../users/users.service';
import { MappingsService } from '../mappings/mappings.service';
import { WhmcsService } from '../vendors/whmcs/whmcs.service';
import { SalesforceService } from '../vendors/salesforce/salesforce.service';
import { AuditService, AuditAction } from '../common/audit/audit.service';
import { TokenBlacklistService } from './services/token-blacklist.service';
import { SignupDto } from './dto/signup.dto';
import { LinkWhmcsDto } from './dto/link-whmcs.dto';
import { SetPasswordDto } from './dto/set-password.dto';
import { getErrorMessage } from '../common/utils/error.util';

@Injectable()
export class AuthService {
  private readonly logger = new Logger(AuthService.name);
  private readonly MAX_LOGIN_ATTEMPTS = 5;
  private readonly LOCKOUT_DURATION_MINUTES = 15;

  constructor(
    private usersService: UsersService,
    private mappingsService: MappingsService,
    private jwtService: JwtService,
    private configService: ConfigService,
    private whmcsService: WhmcsService,
    private salesforceService: SalesforceService,
    private auditService: AuditService,
    private tokenBlacklistService: TokenBlacklistService,
  ) {}

  async signup(signupData: SignupDto, request?: any) {
    const { email, password, firstName, lastName, company, phone } = signupData;
    
    // Check if user already exists
    const existingUser = await this.usersService.findByEmailInternal(email);
    if (existingUser) {
      await this.auditService.logAuthEvent(
        AuditAction.SIGNUP,
        undefined,
        { email, reason: 'User already exists' },
        request,
        false,
        'User with this email already exists'
      );
      throw new ConflictException('User with this email already exists');
    }

    // Hash password
    const saltRounds = 12; // Use a fixed safe value
    const passwordHash = await bcrypt.hash(password, saltRounds);

    try {
      // 1. Create user in portal
      const user = await this.usersService.create({
        email,
        passwordHash,
        firstName,
        lastName,
        company,
        phone,
        emailVerified: false,
        failedLoginAttempts: 0,
        lockedUntil: null,
        lastLoginAt: null,
      });

      // 2. Create client in WHMCS
      const whmcsClient = await this.whmcsService.addClient({
        firstname: firstName,
        lastname: lastName,
        email,
        companyname: company || '',
        phonenumber: phone || '',
        password2: password, // WHMCS requires plain password for new clients
      });

      // 3. Create account in Salesforce (no Contact, just Account)
      const sfAccount = await this.salesforceService.upsertAccount({
        name: company || `${firstName} ${lastName}`,
        phone: phone,
      });

      // 4. Store ID mappings
      await this.mappingsService.createMapping({
        userId: user.id,
        whmcsClientId: whmcsClient.clientId,
        sfAccountId: sfAccount.id,
      });

      // Log successful signup
      await this.auditService.logAuthEvent(
        AuditAction.SIGNUP,
        user.id,
        { email, whmcsClientId: whmcsClient.clientId },
        request,
        true
      );

      // Generate JWT token
      const tokens = await this.generateTokens(user);

      return {
        user: this.sanitizeUser(user),
        ...tokens,
      };
    } catch (error) {
      // Log failed signup
      await this.auditService.logAuthEvent(
        AuditAction.SIGNUP,
        undefined,
        { email, error: getErrorMessage(error) },
        request,
        false,
        getErrorMessage(error)
      );
      
      // TODO: Implement rollback logic if any step fails
      this.logger.error('Signup error:', error);
      throw new BadRequestException('Failed to create user account');
    }
  }

  async login(user: any, request?: any) {
    // Update last login time and reset failed attempts
    await this.usersService.update(user.id, {
      lastLoginAt: new Date(),
      failedLoginAttempts: 0,
      lockedUntil: null,
    });

    // Log successful login
    await this.auditService.logAuthEvent(
      AuditAction.LOGIN_SUCCESS,
      user.id,
      { email: user.email },
      request,
      true
    );

    const tokens = await this.generateTokens(user);
    return {
      user: this.sanitizeUser(user),
      ...tokens,
    };
  }

  async linkWhmcsUser(linkData: LinkWhmcsDto, request?: any) {
    const { email, password } = linkData;

    // Check if user already exists in portal
    const existingUser = await this.usersService.findByEmailInternal(email);
    if (existingUser) {
      // If user exists but has no password (abandoned during setup), allow them to continue
      if (!existingUser.passwordHash) {
        this.logger.log(`User ${email} exists but has no password - allowing password setup to continue`);
        return {
          user: this.sanitizeUser(existingUser),
          needsPasswordSet: true,
        };
      } else {
        throw new ConflictException('User already exists in portal and has completed setup. Please use the login page.');
      }
    }

    try {
      // 1. First, find the client by email using GetClientsDetails directly
      let clientDetails;
      try {
        clientDetails = await this.whmcsService.getClientDetailsByEmail(email);
      } catch (error) {
        throw new UnauthorizedException('WHMCS client not found with this email address');
      }

      // 2. Validate the password using ValidateLogin
      try {
        this.logger.debug(`About to validate WHMCS password for ${email}`);
        const validateResult = await this.whmcsService.validateLogin(email, password);
        this.logger.debug(`WHMCS validation successful for ${email}:`, validateResult);
        if (!validateResult || !validateResult.userId) {
          throw new UnauthorizedException('Invalid WHMCS credentials');
        }
      } catch (error) {
        this.logger.debug(`WHMCS validation failed for ${email}:`, getErrorMessage(error));
        throw new UnauthorizedException('Invalid WHMCS password');
      }

      // 3. Extract Customer Number from field ID 198
      const customerNumberField = clientDetails.customfields?.find(
        (field: any) => field.id == 198  // Use == instead of === to handle string/number comparison
      );
      
      const customerNumber = customerNumberField?.value;

      if (!customerNumber || customerNumber.toString().trim() === '') {
        throw new BadRequestException(
          `Customer Number not found in WHMCS custom field 198. ` +
          `Found field: ${JSON.stringify(customerNumberField)}. ` +
          `Available custom fields: ${JSON.stringify(clientDetails.customfields || [])}. ` +
          `Please contact support.`
        );
      }

      this.logger.log(`Found Customer Number: ${customerNumber} for WHMCS client ${clientDetails.id}`);

      // 3. Find existing Salesforce account using Customer Number
      const sfAccount = await this.salesforceService.findAccountByCustomerNumber(customerNumber);
      if (!sfAccount) {
        throw new BadRequestException(`Salesforce account not found for Customer Number: ${customerNumber}. Please contact support.`);
      }

      // 4. Create portal user (without password initially)
      const user = await this.usersService.create({
        email,
        passwordHash: null, // No password hash - will be set when user sets password
        firstName: clientDetails.firstname || '',
        lastName: clientDetails.lastname || '',
        company: clientDetails.companyname || '',
        phone: clientDetails.phonenumber || '',
        emailVerified: true, // WHMCS users are pre-verified
      });

      // 5. Store ID mappings
      await this.mappingsService.createMapping({
        userId: user.id,
        whmcsClientId: parseInt(clientDetails.id),
        sfAccountId: sfAccount.id,
      });

      return {
        user: this.sanitizeUser(user),
        needsPasswordSet: true,
      };
    } catch (error) {
      this.logger.error('WHMCS linking error:', error);
      if (error instanceof BadRequestException || error instanceof UnauthorizedException) {
        throw error;
      }
      throw new BadRequestException('Failed to link WHMCS account');
    }
  }

  async checkPasswordNeeded(email: string) {
    const user = await this.usersService.findByEmailInternal(email);
    if (!user) {
      return { needsPasswordSet: false, userExists: false };
    }
    
    return { 
      needsPasswordSet: !user.passwordHash,
      userExists: true,
      email: user.email
    };
  }

  async setPassword(setPasswordData: SetPasswordDto, request?: any) {
    const { email, password } = setPasswordData;

    const user = await this.usersService.findByEmailInternal(email);
    if (!user) {
      throw new UnauthorizedException('User not found');
    }

    // Check if user needs to set password (linked users have null password hash)
    if (user.passwordHash) {
      throw new BadRequestException('User already has a password set');
    }

    // Hash new password
    const saltRounds = 12; // Use a fixed safe value
    const passwordHash = await bcrypt.hash(password, saltRounds);

    // Update user with new password
    const updatedUser = await this.usersService.update(user.id, { passwordHash });

    // Generate tokens
    const tokens = await this.generateTokens(updatedUser);

    return {
      user: this.sanitizeUser(updatedUser),
      ...tokens,
    };
  }

  async validateUser(email: string, password: string, request?: any): Promise<any> {
    const user = await this.usersService.findByEmailInternal(email);
    
    if (!user) {
      await this.auditService.logAuthEvent(
        AuditAction.LOGIN_FAILED,
        undefined,
        { email, reason: 'User not found' },
        request,
        false,
        'User not found'
      );
      return null;
    }

    // Check if account is locked
    if (user.lockedUntil && user.lockedUntil > new Date()) {
      await this.auditService.logAuthEvent(
        AuditAction.LOGIN_FAILED,
        user.id,
        { email, reason: 'Account locked' },
        request,
        false,
        'Account is locked'
      );
      return null;
    }
    
    if (!user.passwordHash) {
      await this.auditService.logAuthEvent(
        AuditAction.LOGIN_FAILED,
        user.id,
        { email, reason: 'No password set' },
        request,
        false,
        'No password set'
      );
      return null;
    }

    try {
      const isPasswordValid = await bcrypt.compare(password, user.passwordHash);
      
      if (isPasswordValid) {
        return user;
      } else {
        // Increment failed login attempts
        await this.handleFailedLogin(user, request);
        return null;
      }
    } catch (error) {
      this.logger.error(`Password validation error for ${email}:`, getErrorMessage(error));
      await this.auditService.logAuthEvent(
        AuditAction.LOGIN_FAILED,
        user.id,
        { email, error: getErrorMessage(error) },
        request,
        false,
        getErrorMessage(error)
      );
      return null;
    }
  }

  private async handleFailedLogin(user: any, request?: any): Promise<void> {
    const newFailedAttempts = (user.failedLoginAttempts || 0) + 1;
    let lockedUntil = null;
    let isAccountLocked = false;

    // Lock account if max attempts reached
    if (newFailedAttempts >= this.MAX_LOGIN_ATTEMPTS) {
      lockedUntil = new Date();
      lockedUntil.setMinutes(lockedUntil.getMinutes() + this.LOCKOUT_DURATION_MINUTES);
      isAccountLocked = true;
    }

    await this.usersService.update(user.id, {
      failedLoginAttempts: newFailedAttempts,
      lockedUntil,
    });

    // Log failed login
    await this.auditService.logAuthEvent(
      AuditAction.LOGIN_FAILED,
      user.id,
      { 
        email: user.email, 
        failedAttempts: newFailedAttempts,
        lockedUntil: lockedUntil?.toISOString()
      },
      request,
      false,
      'Invalid password'
    );

    // Log account lock if applicable
    if (isAccountLocked) {
      await this.auditService.logAuthEvent(
        AuditAction.ACCOUNT_LOCKED,
        user.id,
        { 
          email: user.email, 
          lockDuration: this.LOCKOUT_DURATION_MINUTES,
          lockedUntil: lockedUntil?.toISOString()
        },
        request,
        false,
        `Account locked for ${this.LOCKOUT_DURATION_MINUTES} minutes`
      );
    }
  }

  async logout(userId: string, token: string, request?: any): Promise<void> {
    // Blacklist the token
    await this.tokenBlacklistService.blacklistToken(token);
    
    await this.auditService.logAuthEvent(
      AuditAction.LOGOUT,
      userId,
      {},
      request,
      true
    );
  }

  // Helper methods
  private async generateTokens(user: any) {
    const payload = { email: user.email, sub: user.id, role: user.role };
    return {
      access_token: this.jwtService.sign(payload),
    };
  }

  private sanitizeUser(user: any) {
    const { passwordHash, failedLoginAttempts, lockedUntil, ...sanitizedUser } = user;
    return sanitizedUser;
  }

  /**
   * Create SSO link to WHMCS for general access
   */
  async createSsoLink(userId: string, destination?: string): Promise<{ url: string; expiresAt: string }> {
    try {
      // Production-safe logging - no sensitive data
      this.logger.log('Creating SSO link request');
      
      // Get WHMCS client ID from user mapping
      const mapping = await this.mappingsService.findByUserId(userId);
      
      if (!mapping?.whmcsClientId) {
        this.logger.warn('SSO link creation failed: No WHMCS mapping found');
        throw new UnauthorizedException('WHMCS client mapping not found');
      }

      // Create SSO token using custom redirect for better compatibility
      let ssoDestination = 'sso:custom_redirect';
      let ssoRedirectPath = destination || 'clientarea.php';
      
      const result = await this.whmcsService.createSsoToken(
        mapping.whmcsClientId,
        ssoDestination,
        ssoRedirectPath
      );
      
      this.logger.log('SSO link created successfully');
      
      return result;
      
    } catch (error) {
      // Production-safe error logging - no sensitive data or stack traces
      this.logger.error('SSO link creation failed', {
        errorType: error instanceof Error ? error.constructor.name : 'Unknown',
        message: getErrorMessage(error)
      });
      throw error;
    }
  }
}
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00			`import { Injectable, UnauthorizedException, ConflictException, BadRequestException, Logger } from '@nestjs/common';`
			`import { JwtService } from '@nestjs/jwt';`
			`import { ConfigService } from '@nestjs/config';`
			`import * as bcrypt from 'bcrypt';`
			`import { UsersService } from '../users/users.service';`
			`import { MappingsService } from '../mappings/mappings.service';`
			`import { WhmcsService } from '../vendors/whmcs/whmcs.service';`
			`import { SalesforceService } from '../vendors/salesforce/salesforce.service';`
			`import { AuditService, AuditAction } from '../common/audit/audit.service';`
			`import { TokenBlacklistService } from './services/token-blacklist.service';`
			`import { SignupDto } from './dto/signup.dto';`
			`import { LinkWhmcsDto } from './dto/link-whmcs.dto';`
			`import { SetPasswordDto } from './dto/set-password.dto';`
			`import { getErrorMessage } from '../common/utils/error.util';`

			`@Injectable()`
			`export class AuthService {`
			`private readonly logger = new Logger(AuthService.name);`
			`private readonly MAX_LOGIN_ATTEMPTS = 5;`
			`private readonly LOCKOUT_DURATION_MINUTES = 15;`

			`constructor(`
			`private usersService: UsersService,`
			`private mappingsService: MappingsService,`
			`private jwtService: JwtService,`
			`private configService: ConfigService,`
			`private whmcsService: WhmcsService,`
			`private salesforceService: SalesforceService,`
			`private auditService: AuditService,`
			`private tokenBlacklistService: TokenBlacklistService,`
			`) {}`

			`async signup(signupData: SignupDto, request?: any) {`
			`const { email, password, firstName, lastName, company, phone } = signupData;`

			`// Check if user already exists`
			`const existingUser = await this.usersService.findByEmailInternal(email);`
			`if (existingUser) {`
			`await this.auditService.logAuthEvent(`
			`AuditAction.SIGNUP,`
			`undefined,`
			`{ email, reason: 'User already exists' },`
			`request,`
			`false,`
			`'User with this email already exists'`
			`);`
			`throw new ConflictException('User with this email already exists');`
			`}`

			`// Hash password`
			`const saltRounds = 12; // Use a fixed safe value`
			`const passwordHash = await bcrypt.hash(password, saltRounds);`

			`try {`
			`// 1. Create user in portal`
			`const user = await this.usersService.create({`
			`email,`
			`passwordHash,`
			`firstName,`
			`lastName,`
			`company,`
			`phone,`
			`emailVerified: false,`
			`failedLoginAttempts: 0,`
			`lockedUntil: null,`
			`lastLoginAt: null,`
			`});`

			`// 2. Create client in WHMCS`
			`const whmcsClient = await this.whmcsService.addClient({`
			`firstname: firstName,`
			`lastname: lastName,`
			`email,`
			`companyname: company \|\| '',`
			`phonenumber: phone \|\| '',`
			`password2: password, // WHMCS requires plain password for new clients`
			`});`

			`// 3. Create account in Salesforce (no Contact, just Account)`
			`const sfAccount = await this.salesforceService.upsertAccount({`
			name: company \|\| `${firstName} ${lastName}`,
			`phone: phone,`
			`});`

			`// 4. Store ID mappings`
			`await this.mappingsService.createMapping({`
			`userId: user.id,`
			`whmcsClientId: whmcsClient.clientId,`
			`sfAccountId: sfAccount.id,`
			`});`

			`// Log successful signup`
			`await this.auditService.logAuthEvent(`
			`AuditAction.SIGNUP,`
			`user.id,`
			`{ email, whmcsClientId: whmcsClient.clientId },`
			`request,`
			`true`
			`);`

			`// Generate JWT token`
			`const tokens = await this.generateTokens(user);`

			`return {`
			`user: this.sanitizeUser(user),`
			`...tokens,`
			`};`
			`} catch (error) {`
			`// Log failed signup`
			`await this.auditService.logAuthEvent(`
			`AuditAction.SIGNUP,`
			`undefined,`
			`{ email, error: getErrorMessage(error) },`
			`request,`
			`false,`
			`getErrorMessage(error)`
			`);`

			`// TODO: Implement rollback logic if any step fails`
			`this.logger.error('Signup error:', error);`
			`throw new BadRequestException('Failed to create user account');`
			`}`
			`}`

			`async login(user: any, request?: any) {`
			`// Update last login time and reset failed attempts`
			`await this.usersService.update(user.id, {`
			`lastLoginAt: new Date(),`
			`failedLoginAttempts: 0,`
			`lockedUntil: null,`
			`});`

			`// Log successful login`
			`await this.auditService.logAuthEvent(`
			`AuditAction.LOGIN_SUCCESS,`
			`user.id,`
			`{ email: user.email },`
			`request,`
			`true`
			`);`

			`const tokens = await this.generateTokens(user);`
			`return {`
			`user: this.sanitizeUser(user),`
			`...tokens,`
			`};`
			`}`

			`async linkWhmcsUser(linkData: LinkWhmcsDto, request?: any) {`
			`const { email, password } = linkData;`

			`// Check if user already exists in portal`
			`const existingUser = await this.usersService.findByEmailInternal(email);`
			`if (existingUser) {`
			`// If user exists but has no password (abandoned during setup), allow them to continue`
			`if (!existingUser.passwordHash) {`
			this.logger.log(`User ${email} exists but has no password - allowing password setup to continue`);
			`return {`
			`user: this.sanitizeUser(existingUser),`
			`needsPasswordSet: true,`
			`};`
			`} else {`
			`throw new ConflictException('User already exists in portal and has completed setup. Please use the login page.');`
			`}`
			`}`

			`try {`
			`// 1. First, find the client by email using GetClientsDetails directly`
			`let clientDetails;`
			`try {`
			`clientDetails = await this.whmcsService.getClientDetailsByEmail(email);`
			`} catch (error) {`
			`throw new UnauthorizedException('WHMCS client not found with this email address');`
			`}`

			`// 2. Validate the password using ValidateLogin`
			`try {`
			this.logger.debug(`About to validate WHMCS password for ${email}`);
			`const validateResult = await this.whmcsService.validateLogin(email, password);`
			this.logger.debug(`WHMCS validation successful for ${email}:`, validateResult);
			`if (!validateResult \|\| !validateResult.userId) {`
			`throw new UnauthorizedException('Invalid WHMCS credentials');`
			`}`
			`} catch (error) {`
			this.logger.debug(`WHMCS validation failed for ${email}:`, getErrorMessage(error));
			`throw new UnauthorizedException('Invalid WHMCS password');`
			`}`

			`// 3. Extract Customer Number from field ID 198`
			`const customerNumberField = clientDetails.customfields?.find(`
			`(field: any) => field.id == 198 // Use == instead of === to handle string/number comparison`
			`);`

			`const customerNumber = customerNumberField?.value;`

			`if (!customerNumber \|\| customerNumber.toString().trim() === '') {`
			`throw new BadRequestException(`
			`Customer Number not found in WHMCS custom field 198. ` +
			`Found field: ${JSON.stringify(customerNumberField)}. ` +
			`Available custom fields: ${JSON.stringify(clientDetails.customfields \|\| [])}. ` +
			`Please contact support.`
			`);`
			`}`

			this.logger.log(`Found Customer Number: ${customerNumber} for WHMCS client ${clientDetails.id}`);

			`// 3. Find existing Salesforce account using Customer Number`
			`const sfAccount = await this.salesforceService.findAccountByCustomerNumber(customerNumber);`
			`if (!sfAccount) {`
			throw new BadRequestException(`Salesforce account not found for Customer Number: ${customerNumber}. Please contact support.`);
			`}`

			`// 4. Create portal user (without password initially)`
			`const user = await this.usersService.create({`
			`email,`
			`passwordHash: null, // No password hash - will be set when user sets password`
			`firstName: clientDetails.firstname \|\| '',`
			`lastName: clientDetails.lastname \|\| '',`
			`company: clientDetails.companyname \|\| '',`
			`phone: clientDetails.phonenumber \|\| '',`
			`emailVerified: true, // WHMCS users are pre-verified`
			`});`

			`// 5. Store ID mappings`
			`await this.mappingsService.createMapping({`
			`userId: user.id,`
			`whmcsClientId: parseInt(clientDetails.id),`
			`sfAccountId: sfAccount.id,`
			`});`

			`return {`
			`user: this.sanitizeUser(user),`
			`needsPasswordSet: true,`
			`};`
			`} catch (error) {`
			`this.logger.error('WHMCS linking error:', error);`
			`if (error instanceof BadRequestException \|\| error instanceof UnauthorizedException) {`
			`throw error;`
			`}`
			`throw new BadRequestException('Failed to link WHMCS account');`
			`}`
			`}`

			`async checkPasswordNeeded(email: string) {`
			`const user = await this.usersService.findByEmailInternal(email);`
			`if (!user) {`
			`return { needsPasswordSet: false, userExists: false };`
			`}`

			`return {`
			`needsPasswordSet: !user.passwordHash,`
			`userExists: true,`
			`email: user.email`
			`};`
			`}`

			`async setPassword(setPasswordData: SetPasswordDto, request?: any) {`
			`const { email, password } = setPasswordData;`

			`const user = await this.usersService.findByEmailInternal(email);`
			`if (!user) {`
			`throw new UnauthorizedException('User not found');`
			`}`

			`// Check if user needs to set password (linked users have null password hash)`
			`if (user.passwordHash) {`
			`throw new BadRequestException('User already has a password set');`
			`}`

			`// Hash new password`
			`const saltRounds = 12; // Use a fixed safe value`
			`const passwordHash = await bcrypt.hash(password, saltRounds);`

			`// Update user with new password`
			`const updatedUser = await this.usersService.update(user.id, { passwordHash });`

			`// Generate tokens`
			`const tokens = await this.generateTokens(updatedUser);`

			`return {`
			`user: this.sanitizeUser(updatedUser),`
			`...tokens,`
			`};`
			`}`

			`async validateUser(email: string, password: string, request?: any): Promise<any> {`
			`const user = await this.usersService.findByEmailInternal(email);`

			`if (!user) {`
			`await this.auditService.logAuthEvent(`
			`AuditAction.LOGIN_FAILED,`
			`undefined,`
			`{ email, reason: 'User not found' },`
			`request,`
			`false,`
			`'User not found'`
			`);`
			`return null;`
			`}`

			`// Check if account is locked`
			`if (user.lockedUntil && user.lockedUntil > new Date()) {`
			`await this.auditService.logAuthEvent(`
			`AuditAction.LOGIN_FAILED,`
			`user.id,`
			`{ email, reason: 'Account locked' },`
			`request,`
			`false,`
			`'Account is locked'`
			`);`
			`return null;`
			`}`

			`if (!user.passwordHash) {`
			`await this.auditService.logAuthEvent(`
			`AuditAction.LOGIN_FAILED,`
			`user.id,`
			`{ email, reason: 'No password set' },`
			`request,`
			`false,`
			`'No password set'`
			`);`
			`return null;`
			`}`

			`try {`
			`const isPasswordValid = await bcrypt.compare(password, user.passwordHash);`

			`if (isPasswordValid) {`
			`return user;`
			`} else {`
			`// Increment failed login attempts`
			`await this.handleFailedLogin(user, request);`
			`return null;`
			`}`
			`} catch (error) {`
			this.logger.error(`Password validation error for ${email}:`, getErrorMessage(error));
			`await this.auditService.logAuthEvent(`
			`AuditAction.LOGIN_FAILED,`
			`user.id,`
			`{ email, error: getErrorMessage(error) },`
			`request,`
			`false,`
			`getErrorMessage(error)`
			`);`
			`return null;`
			`}`
			`}`

			`private async handleFailedLogin(user: any, request?: any): Promise<void> {`
			`const newFailedAttempts = (user.failedLoginAttempts \|\| 0) + 1;`
			`let lockedUntil = null;`
			`let isAccountLocked = false;`

			`// Lock account if max attempts reached`
			`if (newFailedAttempts >= this.MAX_LOGIN_ATTEMPTS) {`
			`lockedUntil = new Date();`
			`lockedUntil.setMinutes(lockedUntil.getMinutes() + this.LOCKOUT_DURATION_MINUTES);`
			`isAccountLocked = true;`
			`}`

			`await this.usersService.update(user.id, {`
			`failedLoginAttempts: newFailedAttempts,`
			`lockedUntil,`
			`});`

			`// Log failed login`
			`await this.auditService.logAuthEvent(`
			`AuditAction.LOGIN_FAILED,`
			`user.id,`
			`{`
			`email: user.email,`
			`failedAttempts: newFailedAttempts,`
			`lockedUntil: lockedUntil?.toISOString()`
			`},`
			`request,`
			`false,`
			`'Invalid password'`
			`);`

			`// Log account lock if applicable`
			`if (isAccountLocked) {`
			`await this.auditService.logAuthEvent(`
			`AuditAction.ACCOUNT_LOCKED,`
			`user.id,`
			`{`
			`email: user.email,`
			`lockDuration: this.LOCKOUT_DURATION_MINUTES,`
			`lockedUntil: lockedUntil?.toISOString()`
			`},`
			`request,`
			`false,`
			`Account locked for ${this.LOCKOUT_DURATION_MINUTES} minutes`
			`);`
			`}`
			`}`

			`async logout(userId: string, token: string, request?: any): Promise<void> {`
			`// Blacklist the token`
			`await this.tokenBlacklistService.blacklistToken(token);`

			`await this.auditService.logAuthEvent(`
			`AuditAction.LOGOUT,`
			`userId,`
			`{},`
			`request,`
			`true`
			`);`
			`}`

			`// Helper methods`
			`private async generateTokens(user: any) {`
			`const payload = { email: user.email, sub: user.id, role: user.role };`
			`return {`
			`access_token: this.jwtService.sign(payload),`
			`};`
			`}`

			`private sanitizeUser(user: any) {`
			`const { passwordHash, failedLoginAttempts, lockedUntil, ...sanitizedUser } = user;`
			`return sanitizedUser;`
			`}`

			`/**`
			`* Create SSO link to WHMCS for general access`
			`*/`
			`async createSsoLink(userId: string, destination?: string): Promise<{ url: string; expiresAt: string }> {`
			`try {`
			`// Production-safe logging - no sensitive data`
			`this.logger.log('Creating SSO link request');`

			`// Get WHMCS client ID from user mapping`
			`const mapping = await this.mappingsService.findByUserId(userId);`

			`if (!mapping?.whmcsClientId) {`
			`this.logger.warn('SSO link creation failed: No WHMCS mapping found');`
			`throw new UnauthorizedException('WHMCS client mapping not found');`
			`}`

			`// Create SSO token using custom redirect for better compatibility`
			`let ssoDestination = 'sso:custom_redirect';`
			`let ssoRedirectPath = destination \|\| 'clientarea.php';`

			`const result = await this.whmcsService.createSsoToken(`
			`mapping.whmcsClientId,`
			`ssoDestination,`
			`ssoRedirectPath`
			`);`

			`this.logger.log('SSO link created successfully');`

			`return result;`

			`} catch (error) {`
			`// Production-safe error logging - no sensitive data or stack traces`
			`this.logger.error('SSO link creation failed', {`
			`errorType: error instanceof Error ? error.constructor.name : 'Unknown',`
			`message: getErrorMessage(error)`
			`});`
			`throw error;`
			`}`
			`}`
			`}`