# Auth Service

This package handles all user authentication and session management for the Tercul platform. It is responsible for registering new users, authenticating existing users, and managing JSON Web Tokens (JWTs).

## Architecture Overview

The auth service is designed to be a self-contained unit for all authentication-related logic. It provides a clear API for other parts of the application to interact with user sessions.

### Key Components

- **`service.go`**: The main entry point for the auth service. It implements the `Service` interface and contains the core business logic for registration, login, logout, and token management.
- **`commands.go`**: Contains the command handlers for all authentication-related actions, such as:
  - `Register`: Creates a new user account.
  - `Login`: Authenticates a user and issues a JWT.
  - `Logout`: Invalidates a user's session.
  - `RefreshToken`: Issues a new JWT for an active session.
  - `ForgotPassword` / `ResetPassword`: Handles the password reset flow.
  - `VerifyEmail` / `ResendVerificationEmail`: Manages email verification.
  - `ChangePassword`: Allows an authenticated user to change their password.
- **`interfaces.go`**: Defines the `Service` and `AuthRepository` interfaces, establishing a clear contract for the service's capabilities and its data persistence requirements.
- **`jwt.go` (in `internal/platform/auth`)**: The service relies on the `JWTManager` from this platform package to handle the creation and validation of JWTs.

## Usage

The `auth.Service` is primarily used by the GraphQL resolvers to handle authentication-related mutations.

### Example: User Registration

```go
// In a GraphQL resolver
registerInput := auth.RegisterInput{...}
authResponse, err := authService.Commands.Register(ctx, registerInput)
```

### Example: User Login

```go
// In a GraphQL resolver
loginInput := auth.LoginInput{...}
authResponse, err := authService.Commands.Login(ctx, loginInput)
```

## Dependencies

- **`internal/domain`**: Uses the core `User` domain entity.
- **`internal/platform/auth`**: Relies on the `JWTManager` to handle all JWT operations. This is a critical dependency for session management.
- **Database**: Persists user data via the `UserRepository`.
- **Logging**: Uses the centralized logger from `internal/platform/log`.
- **OpenTelemetry**: All service and command methods are instrumented for distributed tracing.
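
A signed JWT stays valid until it expires, so the `Logout` command listed above can only invalidate a session if validation also consults server-side state. The sketch below is an added example, not Tercul code or the real `JWTManager` API: `Issue`, `Verify`, the `revoked` set, the HS256 choice, the key and the IDs are all assumptions made for illustration.

```go
package main // added example with hypothetical names; not Tercul's JWTManager

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding
var hdr = enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))

func sign(key []byte, msg string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return msg + "." + enc.EncodeToString(h.Sum(nil))
}

func Issue(key []byte, sub, jti string, exp time.Time) string { // Login / RefreshToken
	body, _ := json.Marshal(map[string]any{"sub": sub, "jti": jti, "exp": exp.Unix()})
	return sign(key, hdr+"."+enc.EncodeToString(body))
}

// Verify pins the header (alg cannot be swapped), then checks MAC, expiry and revocation.
func Verify(key []byte, revoked map[string]bool, tok string, now time.Time) (string, error) {
	var c struct {
		Sub, JTI string
		Exp      int64
	}
	i := strings.LastIndex(tok, ".")
	if i <= len(hdr) || !strings.HasPrefix(tok, hdr+".") || !hmac.Equal([]byte(tok), []byte(sign(key, tok[:i]))) {
		return "", fmt.Errorf("bad header or signature")
	}
	if raw, err := enc.DecodeString(tok[len(hdr)+1 : i]); err != nil || json.Unmarshal(raw, &c) != nil || now.Unix() >= c.Exp {
		return "", fmt.Errorf("unreadable or expired claims")
	}
	if revoked[c.JTI] { // Logout stored this token ID server-side
		return "", fmt.Errorf("revoked")
	}
	return c.Sub, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample values
	fmt.Println(Verify(key, map[string]bool{"sess-1": true}, Issue(key, "user-1", "sess-1", time.Now().Add(time.Hour)), time.Now()))
}
```

With more than one service instance the revoked set has to live in shared storage, and an entry can be dropped once the token's `exp` has passed.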