Fix forRootAsync DI bypass and empty body crash

CHANGELOG.md

@@ -2,7 +2,15 @@
 
 All notable changes to `@nestbolt/authentication` will be documented in this file.
 
-## 0.1.0
+## v0.1.1
+
+### Bug Fixes
+
+- **forRootAsync DI bypass** — `forRootAsync` was using `new options.userRepository()` which bypassed NestJS dependency injection, leaving repository dependencies (e.g. `DataSource`) undefined. Now uses `ModuleRef.create()` to properly instantiate repositories through the DI container.
+- **forRootAsync missing PASSWORD_RESET_REPOSITORY** — The conditional `PASSWORD_RESET_REPOSITORY` registration present in `forRoot` was absent from `forRootAsync`. Now registers it via `ModuleRef.create()` when configured, or `null` when not (compatible with `@Optional()` injection).
+- **TwoFactorController.enable() crash on empty body** — Calling `POST /user/two-factor-authentication` without a request body caused a `TypeError` because `@Body()` returned `undefined`. Now handles optional body with safe navigation (`body?.force ?? false`).
+
+## v0.1.0
 
 ### Features
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nestbolt/authentication",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "packageManager": "pnpm@9.15.4",
   "description": "Frontend-agnostic authentication backend for NestJS with 2FA, password reset, email verification, and more",
   "main": "dist/index.js",

src/authentication.module.ts

@@ -1,4 +1,5 @@
 import { DynamicModule, Module, Provider, Type } from "@nestjs/common";
+import { ModuleRef } from "@nestjs/core";
 import { JwtModule } from "@nestjs/jwt";
 import { PassportModule } from "@nestjs/passport";
 import {
@@ -154,6 +155,32 @@ export class AuthenticationModule {
   }
 
   static forRootAsync(asyncOptions: AuthenticationAsyncOptions): DynamicModule {
+    const optionsProvider: Provider = {
+      provide: AUTHENTICATION_OPTIONS,
+      useFactory: asyncOptions.useFactory,
+      inject: asyncOptions.inject ?? [],
+    };
+
+    const repositoryProviders: Provider[] = [
+      {
+        provide: USER_REPOSITORY,
+        useFactory: async (options: AuthenticationModuleOptions, moduleRef: ModuleRef) =>
+          moduleRef.create(options.userRepository),
+        inject: [AUTHENTICATION_OPTIONS, ModuleRef],
+      },
+      {
+        provide: PASSWORD_RESET_REPOSITORY,
+        useFactory: async (options: AuthenticationModuleOptions, moduleRef: ModuleRef) =>
+          options.passwordResetRepository
+            ? moduleRef.create(options.passwordResetRepository)
+            : null,
+        inject: [AUTHENTICATION_OPTIONS, ModuleRef],
+      },
+    ];
+
+    // With async options, controllers/services are registered eagerly since
+    // the features array is not available at static definition time.
+    // The FeatureEnabledGuard on each controller gates access at runtime.
     return {
       module: AuthenticationModule,
       global: true,
@@ -184,33 +211,28 @@ export class AuthenticationModule {
         TwoFactorChallengeController,
       ],
       providers: [
-        {
-          provide: AUTHENTICATION_OPTIONS,
-          useFactory: asyncOptions.useFactory,
-          inject: asyncOptions.inject ?? [],
-        },
-        {
-          provide: USER_REPOSITORY,
-          useFactory: (options: AuthenticationModuleOptions) => {
-            return new options.userRepository();
-          },
-          inject: [AUTHENTICATION_OPTIONS],
-        },
+        optionsProvider,
+        ...repositoryProviders,
+        // Core services
         AuthService,
         EncryptionService,
         RecoveryCodeService,
         ConfirmPasswordService,
+        // Passport strategies
         LocalStrategy,
         JwtStrategy,
         JwtRefreshStrategy,
+        // Guards
         JwtAuthGuard,
         LoginThrottleGuard,
         TwoFactorThrottleGuard,
         VerificationThrottleGuard,
         FeatureEnabledGuard,
         PasswordConfirmedGuard,
         GuestGuard,
+        // Interceptors
         CanonicalizeUsernameInterceptor,
+        // Feature services (gated at runtime by FeatureEnabledGuard)
         RegistrationService,
         PasswordResetService,
         EmailVerificationService,

src/controllers/two-factor.controller.ts

@@ -25,8 +25,8 @@ export class TwoFactorController {
   @Post("two-factor-authentication")
   @UseGuards(PasswordConfirmedGuard)
   @HttpCode(HttpStatus.OK)
-  async enable(@CurrentUser() user: AuthUser, @Body() body: { force?: boolean }) {
-    await this.twoFactorService.enable(user, body.force ?? false);
+  async enable(@CurrentUser() user: AuthUser, @Body() body?: { force?: boolean }) {
+    await this.twoFactorService.enable(user, body?.force ?? false);
     return { message: "Two-factor authentication enabled." };
   }
 

test/authentication.module.spec.ts

@@ -1,4 +1,5 @@
-import { describe, it, expect } from "vitest";
+import { describe, it, expect, vi } from "vitest";
+import { ModuleRef } from "@nestjs/core";
 import { AuthenticationModule } from "../src/authentication.module";
 import { Feature } from "../src/interfaces";
 import { AuthController } from "../src/controllers/auth.controller";
@@ -384,7 +385,7 @@ describe("AuthenticationModule", () => {
       expect(userRepoProvider.inject).toContain(AUTHENTICATION_OPTIONS);
     });
 
-    it("should create user repository instance from options", () => {
+    it("should create user repository instance via ModuleRef", async () => {
       const result = AuthenticationModule.forRootAsync({
         useFactory: () => baseOptions,
       });
@@ -393,8 +394,52 @@ describe("AuthenticationModule", () => {
       const userRepoProvider = providers.find(
         (p: any) => typeof p === "object" && p.provide === USER_REPOSITORY,
       );
-      const instance = userRepoProvider.useFactory(baseOptions);
+      expect(userRepoProvider.inject).toContain(ModuleRef);
+
+      const mockModuleRef = {
+        create: vi.fn().mockResolvedValue(new MockUserRepository()),
+      };
+      const instance = await userRepoProvider.useFactory(baseOptions, mockModuleRef);
       expect(instance).toBeInstanceOf(MockUserRepository);
+      expect(mockModuleRef.create).toHaveBeenCalledWith(MockUserRepository);
+    });
+
+    it("should provide PASSWORD_RESET_REPOSITORY via ModuleRef when configured", async () => {
+      const optsWithReset = {
+        ...baseOptions,
+        passwordResetRepository: MockPasswordResetRepository as any,
+      };
+      const result = AuthenticationModule.forRootAsync({
+        useFactory: () => optsWithReset,
+      });
+      const providers = result.providers as any[];
+
+      const resetRepoProvider = providers.find(
+        (p: any) => typeof p === "object" && p.provide === PASSWORD_RESET_REPOSITORY,
+      );
+      expect(resetRepoProvider).toBeDefined();
+
+      const mockModuleRef = {
+        create: vi.fn().mockResolvedValue(new MockPasswordResetRepository()),
+      };
+      const instance = await resetRepoProvider.useFactory(optsWithReset, mockModuleRef);
+      expect(instance).toBeInstanceOf(MockPasswordResetRepository);
+      expect(mockModuleRef.create).toHaveBeenCalledWith(MockPasswordResetRepository);
+    });
+
+    it("should return null for PASSWORD_RESET_REPOSITORY when not configured", async () => {
+      const result = AuthenticationModule.forRootAsync({
+        useFactory: () => baseOptions,
+      });
+      const providers = result.providers as any[];
+
+      const resetRepoProvider = providers.find(
+        (p: any) => typeof p === "object" && p.provide === PASSWORD_RESET_REPOSITORY,
+      );
+      const mockModuleRef = { create: vi.fn() };
+      const instance = await resetRepoProvider.useFactory(baseOptions, mockModuleRef);
+      expect(instance).toBeNull();
+      expect(mockModuleRef.create).not.toHaveBeenCalled();
     });
 
     it("should use empty inject array when inject is not provided", () => {