domain.events.auth_events

src.domain.events.auth_events

Authentication domain events (Phase 1 - MVP).

Pattern: 3 events per workflow (ATTEMPTED → SUCCEEDED/FAILED)
- *Attempted: User initiated action (before business logic)
- *Succeeded: Operation completed successfully (after business commit)
- *Failed: Operation failed (after business rollback)

Handlers:
- LoggingEventHandler: ALL 3 events
- AuditEventHandler: ALL 3 events
- EmailEventHandler: SUCCEEDED only
- SessionEventHandler: SUCCEEDED only

Classes

UserRegistrationAttempted dataclass

Bases: DomainEvent

User registration attempt initiated.

Triggers:
- LoggingEventHandler: Log attempt
- AuditEventHandler: Record USER_REGISTRATION_ATTEMPTED

Attributes:
- email (str): Email address attempted.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserRegistrationAttempted(DomainEvent):
    """User registration attempt initiated.

    Triggers:
    - LoggingEventHandler: Log attempt
    - AuditEventHandler: Record USER_REGISTRATION_ATTEMPTED

    Attributes:
        email: Email address attempted.
    """

    email: str

UserRegistrationSucceeded dataclass

Bases: DomainEvent

User registration completed successfully.

Triggers:
- LoggingEventHandler: Log success
- AuditEventHandler: Record USER_REGISTERED
- EmailEventHandler: Send verification email

Attributes:
- user_id (UUID): ID of newly registered user.
- email (str): User's email address.
- verification_token (str): Email verification token (for email handler).

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserRegistrationSucceeded(DomainEvent):
    """User registration completed successfully.

    Triggers:
    - LoggingEventHandler: Log success
    - AuditEventHandler: Record USER_REGISTERED
    - EmailEventHandler: Send verification email

    Attributes:
        user_id: ID of newly registered user.
        email: User's email address.
        verification_token: Email verification token (for email handler).
    """

    user_id: UUID
    email: str
    verification_token: str

UserRegistrationFailed dataclass

Bases: DomainEvent

User registration failed.

Triggers:
- LoggingEventHandler: Log failure
- AuditEventHandler: Record USER_REGISTRATION_FAILED

Attributes:
- email (str): Email address attempted.
- reason (str): Failure reason (e.g., "duplicate_email", "invalid_email").

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserRegistrationFailed(DomainEvent):
    """User registration failed.

    Triggers:
    - LoggingEventHandler: Log failure
    - AuditEventHandler: Record USER_REGISTRATION_FAILED

    Attributes:
        email: Email address attempted.
        reason: Failure reason (e.g., "duplicate_email", "invalid_email").
    """

    email: str
    reason: str

UserLoginAttempted dataclass

Bases: DomainEvent

User login attempt initiated.

Triggers:
- LoggingEventHandler: Log attempt
- AuditEventHandler: Record USER_LOGIN_ATTEMPTED

Attributes:
- email (str): Email address attempted.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserLoginAttempted(DomainEvent):
    """User login attempt initiated.

    Triggers:
    - LoggingEventHandler: Log attempt
    - AuditEventHandler: Record USER_LOGIN_ATTEMPTED

    Attributes:
        email: Email address attempted.
    """

    email: str

UserLoginSucceeded dataclass

Bases: DomainEvent

User login completed successfully.

Triggers:
- LoggingEventHandler: Log success
- AuditEventHandler: Record USER_LOGIN_SUCCESS

Attributes:
- user_id (UUID): ID of logged in user.
- email (str): User's email address.
- session_id (UUID | None): Created session ID (for tracking).

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserLoginSucceeded(DomainEvent):
    """User login completed successfully.

    Triggers:
    - LoggingEventHandler: Log success
    - AuditEventHandler: Record USER_LOGIN_SUCCESS

    Attributes:
        user_id: ID of logged in user.
        email: User's email address.
        session_id: Created session ID (for tracking).
    """

    user_id: UUID
    email: str
    session_id: UUID | None = None

UserLoginFailed dataclass

Bases: DomainEvent

User login failed.

Triggers:
- LoggingEventHandler: Log failure
- AuditEventHandler: Record USER_LOGIN_FAILED

Attributes:
- email (str): Email address attempted.
- reason (str): Failure reason (e.g., "invalid_credentials", "email_not_verified", "account_locked").
- user_id (UUID | None): User ID if found (for tracking lockout).

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserLoginFailed(DomainEvent):
    """User login failed.

    Triggers:
    - LoggingEventHandler: Log failure
    - AuditEventHandler: Record USER_LOGIN_FAILED

    Attributes:
        email: Email address attempted.
        reason: Failure reason (e.g., "invalid_credentials", "email_not_verified",
            "account_locked").
        user_id: User ID if found (for tracking lockout).
    """

    email: str
    reason: str
    user_id: UUID | None = None

EmailVerificationAttempted dataclass

Bases: DomainEvent

Email verification attempt initiated.

Triggers:
- LoggingEventHandler: Log attempt
- AuditEventHandler: Record EMAIL_VERIFICATION_ATTEMPTED

Attributes:
- token (str): Verification token attempted (truncated for security).

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class EmailVerificationAttempted(DomainEvent):
    """Email verification attempt initiated.

    Triggers:
    - LoggingEventHandler: Log attempt
    - AuditEventHandler: Record EMAIL_VERIFICATION_ATTEMPTED

    Attributes:
        token: Verification token attempted (truncated for security).
    """

    token: str  # First 8 chars only for logging

EmailVerificationSucceeded dataclass

Bases: DomainEvent

Email verification completed successfully.

Triggers:
- LoggingEventHandler: Log success
- AuditEventHandler: Record EMAIL_VERIFIED

Attributes:
- user_id (UUID): ID of verified user.
- email (str): User's email address.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class EmailVerificationSucceeded(DomainEvent):
    """Email verification completed successfully.

    Triggers:
    - LoggingEventHandler: Log success
    - AuditEventHandler: Record EMAIL_VERIFIED

    Attributes:
        user_id: ID of verified user.
        email: User's email address.
    """

    user_id: UUID
    email: str

EmailVerificationFailed dataclass

Bases: DomainEvent

Email verification failed.

Triggers:
- LoggingEventHandler: Log failure
- AuditEventHandler: Record EMAIL_VERIFICATION_FAILED

Attributes:
- token (str): Verification token attempted (truncated for security).
- reason (str): Failure reason (e.g., "token_not_found", "token_expired", "token_already_used").

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class EmailVerificationFailed(DomainEvent):
    """Email verification failed.

    Triggers:
    - LoggingEventHandler: Log failure
    - AuditEventHandler: Record EMAIL_VERIFICATION_FAILED

    Attributes:
        token: Verification token attempted (truncated for security).
        reason: Failure reason (e.g., "token_not_found", "token_expired",
            "token_already_used").
    """

    token: str  # First 8 chars only for logging
    reason: str

UserPasswordChangeAttempted dataclass

Bases: DomainEvent

User password change attempt initiated.

Triggers:
- LoggingEventHandler: Log attempt
- AuditEventHandler: Record USER_PASSWORD_CHANGE_ATTEMPTED

Attributes:
- user_id (UUID): ID of user attempting password change.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserPasswordChangeAttempted(DomainEvent):
    """User password change attempt initiated.

    Triggers:
    - LoggingEventHandler: Log attempt
    - AuditEventHandler: Record USER_PASSWORD_CHANGE_ATTEMPTED

    Attributes:
        user_id: ID of user attempting password change.
    """

    user_id: UUID

UserPasswordChangeSucceeded dataclass

Bases: DomainEvent

User password change completed successfully.

Triggers:
- LoggingEventHandler: Log success
- AuditEventHandler: Record USER_PASSWORD_CHANGED
- EmailEventHandler: Send password changed notification
- SessionEventHandler: Revoke all sessions (force re-login)

Attributes:
- user_id (UUID): ID of user whose password changed.
- initiated_by (str): Who initiated change ("user" or "admin").

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserPasswordChangeSucceeded(DomainEvent):
    """User password change completed successfully.

    Triggers:
    - LoggingEventHandler: Log success
    - AuditEventHandler: Record USER_PASSWORD_CHANGED
    - EmailEventHandler: Send password changed notification
    - SessionEventHandler: Revoke all sessions (force re-login)

    Attributes:
        user_id: ID of user whose password changed.
        initiated_by: Who initiated change ("user" or "admin").
    """

    user_id: UUID
    initiated_by: str

UserPasswordChangeFailed dataclass

Bases: DomainEvent

User password change failed.

Triggers:
- LoggingEventHandler: Log failure
- AuditEventHandler: Record USER_PASSWORD_CHANGE_FAILED

Attributes:
- user_id (UUID): ID of user attempting password change.
- reason (str): Failure reason (e.g., "user_not_found", "invalid_password").

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserPasswordChangeFailed(DomainEvent):
    """User password change failed.

    Triggers:
    - LoggingEventHandler: Log failure
    - AuditEventHandler: Record USER_PASSWORD_CHANGE_FAILED

    Attributes:
        user_id: ID of user attempting password change.
        reason: Failure reason (e.g., "user_not_found", "invalid_password").
    """

    user_id: UUID
    reason: str

AuthTokenRefreshAttempted dataclass

Bases: DomainEvent

Auth token refresh attempt initiated.

Triggers:
- LoggingEventHandler: Log attempt
- AuditEventHandler: Record AUTH_TOKEN_REFRESH_ATTEMPTED

Attributes:
- user_id (UUID | None): User requesting refresh (if known from token).

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class AuthTokenRefreshAttempted(DomainEvent):
    """Auth token refresh attempt initiated.

    Triggers:
    - LoggingEventHandler: Log attempt
    - AuditEventHandler: Record AUTH_TOKEN_REFRESH_ATTEMPTED

    Attributes:
        user_id: User requesting refresh (if known from token).
    """

    user_id: UUID | None = None

AuthTokenRefreshSucceeded dataclass

Bases: DomainEvent

Auth token refresh completed successfully (rotation done).

Triggers:
- LoggingEventHandler: Log success
- AuditEventHandler: Record AUTH_TOKEN_REFRESHED

Attributes:
- user_id (UUID): User whose tokens were refreshed.
- session_id (UUID): Session associated with token.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class AuthTokenRefreshSucceeded(DomainEvent):
    """Auth token refresh completed successfully (rotation done).

    Triggers:
    - LoggingEventHandler: Log success
    - AuditEventHandler: Record AUTH_TOKEN_REFRESHED

    Attributes:
        user_id: User whose tokens were refreshed.
        session_id: Session associated with token.
    """

    user_id: UUID
    session_id: UUID

AuthTokenRefreshFailed dataclass

Bases: DomainEvent

Auth token refresh failed.

Triggers:
- LoggingEventHandler: Log failure
- AuditEventHandler: Record AUTH_TOKEN_REFRESH_FAILED

Attributes:
- user_id (UUID | None): User requesting refresh (if known).
- reason (str): Failure reason (e.g., "token_expired", "token_revoked", "token_invalid", "user_not_found").

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class AuthTokenRefreshFailed(DomainEvent):
    """Auth token refresh failed.

    Triggers:
    - LoggingEventHandler: Log failure
    - AuditEventHandler: Record AUTH_TOKEN_REFRESH_FAILED

    Attributes:
        user_id: User requesting refresh (if known).
        reason: Failure reason (e.g., "token_expired", "token_revoked",
            "token_invalid", "user_not_found").
    """

    user_id: UUID | None = None
    reason: str

UserLogoutAttempted dataclass

Bases: DomainEvent

User logout attempt initiated.

Triggers:
- LoggingEventHandler: Log attempt
- AuditEventHandler: Record USER_LOGOUT_ATTEMPTED

Attributes:
- user_id (UUID): User attempting logout.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserLogoutAttempted(DomainEvent):
    """User logout attempt initiated.

    Triggers:
    - LoggingEventHandler: Log attempt
    - AuditEventHandler: Record USER_LOGOUT_ATTEMPTED

    Attributes:
        user_id: User attempting logout.
    """

    user_id: UUID

UserLogoutSucceeded dataclass

Bases: DomainEvent

User logout completed successfully.

Triggers:
- LoggingEventHandler: Log success
- AuditEventHandler: Record USER_LOGGED_OUT

Attributes:
- user_id (UUID): User who logged out.
- session_id (UUID | None): Session that was terminated.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserLogoutSucceeded(DomainEvent):
    """User logout completed successfully.

    Triggers:
    - LoggingEventHandler: Log success
    - AuditEventHandler: Record USER_LOGGED_OUT

    Attributes:
        user_id: User who logged out.
        session_id: Session that was terminated.
    """

    user_id: UUID
    session_id: UUID | None = None

UserLogoutFailed dataclass

Bases: DomainEvent

User logout failed.

Triggers:
- LoggingEventHandler: Log failure
- AuditEventHandler: Record USER_LOGOUT_FAILED

Attributes:
- user_id (UUID): User attempting logout.
- reason (str): Failure reason.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserLogoutFailed(DomainEvent):
    """User logout failed.

    Triggers:
    - LoggingEventHandler: Log failure
    - AuditEventHandler: Record USER_LOGOUT_FAILED

    Attributes:
        user_id: User attempting logout.
        reason: Failure reason.
    """

    user_id: UUID
    reason: str

PasswordResetRequestAttempted dataclass

Bases: DomainEvent

Password reset request attempt initiated.

Triggers:
- LoggingEventHandler: Log attempt
- AuditEventHandler: Record PASSWORD_RESET_REQUEST_ATTEMPTED

Attributes:
- email (str): Email address for reset request.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class PasswordResetRequestAttempted(DomainEvent):
    """Password reset request attempt initiated.

    Triggers:
    - LoggingEventHandler: Log attempt
    - AuditEventHandler: Record PASSWORD_RESET_REQUEST_ATTEMPTED

    Attributes:
        email: Email address for reset request.
    """

    email: str

PasswordResetRequestSucceeded dataclass

Bases: DomainEvent

Password reset request completed (email sent).

Triggers:
- LoggingEventHandler: Log success
- AuditEventHandler: Record PASSWORD_RESET_REQUESTED
- EmailEventHandler: Send password reset email

Attributes:
- user_id (UUID): User requesting reset.
- email (str): User's email address.
- reset_token (str): Password reset token (for email handler).

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class PasswordResetRequestSucceeded(DomainEvent):
    """Password reset request completed (email sent).

    Triggers:
    - LoggingEventHandler: Log success
    - AuditEventHandler: Record PASSWORD_RESET_REQUESTED
    - EmailEventHandler: Send password reset email

    Attributes:
        user_id: User requesting reset.
        email: User's email address.
        reset_token: Password reset token (for email handler).
    """

    user_id: UUID
    email: str
    reset_token: str

PasswordResetRequestFailed dataclass

Bases: DomainEvent

Password reset request failed.

Note: This event is only logged internally. API always returns success to prevent user enumeration.

Triggers:
- LoggingEventHandler: Log failure
- AuditEventHandler: Record PASSWORD_RESET_REQUEST_FAILED (internal only)

Attributes:
- email (str): Email address attempted.
- reason (str): Failure reason (e.g., "user_not_found").

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class PasswordResetRequestFailed(DomainEvent):
    """Password reset request failed.

    Note: This event is only logged internally. API always returns success
    to prevent user enumeration.

    Triggers:
    - LoggingEventHandler: Log failure
    - AuditEventHandler: Record PASSWORD_RESET_REQUEST_FAILED (internal only)

    Attributes:
        email: Email address attempted.
        reason: Failure reason (e.g., "user_not_found").
    """

    email: str
    reason: str

PasswordResetConfirmAttempted dataclass

Bases: DomainEvent

Password reset confirmation attempt initiated.

Triggers:
- LoggingEventHandler: Log attempt
- AuditEventHandler: Record PASSWORD_RESET_CONFIRM_ATTEMPTED

Attributes:
- token (str): Password reset token (truncated for security).

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class PasswordResetConfirmAttempted(DomainEvent):
    """Password reset confirmation attempt initiated.

    Triggers:
    - LoggingEventHandler: Log attempt
    - AuditEventHandler: Record PASSWORD_RESET_CONFIRM_ATTEMPTED

    Attributes:
        token: Password reset token (truncated for security).
    """

    token: str  # First 8 chars only for logging

PasswordResetConfirmSucceeded dataclass

Bases: DomainEvent

Password reset confirmation completed (password updated).

Triggers:
- LoggingEventHandler: Log success
- AuditEventHandler: Record PASSWORD_RESET_COMPLETED
- EmailEventHandler: Send password changed notification
- SessionEventHandler: Revoke all sessions (force re-login)

Attributes:
- user_id (UUID): User whose password was reset.
- email (str): User's email address.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class PasswordResetConfirmSucceeded(DomainEvent):
    """Password reset confirmation completed (password updated).

    Triggers:
    - LoggingEventHandler: Log success
    - AuditEventHandler: Record PASSWORD_RESET_COMPLETED
    - EmailEventHandler: Send password changed notification
    - SessionEventHandler: Revoke all sessions (force re-login)

    Attributes:
        user_id: User whose password was reset.
        email: User's email address.
    """

    user_id: UUID
    email: str

PasswordResetConfirmFailed dataclass

Bases: DomainEvent

Password reset confirmation failed.

Triggers:
- LoggingEventHandler: Log failure
- AuditEventHandler: Record PASSWORD_RESET_CONFIRM_FAILED

Attributes:
- token (str): Password reset token (truncated for security).
- reason (str): Failure reason (e.g., "token_expired", "token_not_found").

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class PasswordResetConfirmFailed(DomainEvent):
    """Password reset confirmation failed.

    Triggers:
    - LoggingEventHandler: Log failure
    - AuditEventHandler: Record PASSWORD_RESET_CONFIRM_FAILED

    Attributes:
        token: Password reset token (truncated for security).
        reason: Failure reason (e.g., "token_expired", "token_not_found").
    """

    token: str  # First 8 chars only for logging
    reason: str

GlobalTokenRotationAttempted dataclass

Bases: DomainEvent

Global token rotation attempt initiated.

Triggers:
- LoggingEventHandler: Log attempt
- AuditEventHandler: Record GLOBAL_TOKEN_ROTATION_ATTEMPTED

Attributes:
- triggered_by (str): Who triggered rotation (admin user ID or "system").
- reason (str): Why rotation is being triggered.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class GlobalTokenRotationAttempted(DomainEvent):
    """Global token rotation attempt initiated.

    Triggers:
    - LoggingEventHandler: Log attempt
    - AuditEventHandler: Record GLOBAL_TOKEN_ROTATION_ATTEMPTED

    Attributes:
        triggered_by: Who triggered rotation (admin user ID or "system").
        reason: Why rotation is being triggered.
    """

    triggered_by: str  # User ID or "system"
    reason: str

GlobalTokenRotationSucceeded dataclass

Bases: DomainEvent

Global token rotation completed successfully.

Triggers:
- LoggingEventHandler: Log success
- AuditEventHandler: Record GLOBAL_TOKEN_ROTATION_SUCCEEDED

Attributes:
- triggered_by (str): Who triggered rotation (admin user ID or "system").
- previous_version (int): Previous global minimum token version.
- new_version (int): New global minimum token version.
- reason (str): Why rotation was triggered.
- grace_period_seconds (int): Grace period before full enforcement.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class GlobalTokenRotationSucceeded(DomainEvent):
    """Global token rotation completed successfully.

    Triggers:
    - LoggingEventHandler: Log success
    - AuditEventHandler: Record GLOBAL_TOKEN_ROTATION_SUCCEEDED

    Attributes:
        triggered_by: Who triggered rotation (admin user ID or "system").
        previous_version: Previous global minimum token version.
        new_version: New global minimum token version.
        reason: Why rotation was triggered.
        grace_period_seconds: Grace period before full enforcement.
    """

    triggered_by: str  # User ID or "system"
    previous_version: int
    new_version: int
    reason: str
    grace_period_seconds: int

GlobalTokenRotationFailed dataclass

Bases: DomainEvent

Global token rotation failed.

Triggers:
- LoggingEventHandler: Log failure
- AuditEventHandler: Record GLOBAL_TOKEN_ROTATION_FAILED

Attributes:
- triggered_by (str): Who triggered rotation (admin user ID or "system").
- reason (str): Original reason for rotation attempt.
- failure_reason (str): Why rotation failed (e.g., "config_not_found").

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class GlobalTokenRotationFailed(DomainEvent):
    """Global token rotation failed.

    Triggers:
    - LoggingEventHandler: Log failure
    - AuditEventHandler: Record GLOBAL_TOKEN_ROTATION_FAILED

    Attributes:
        triggered_by: Who triggered rotation (admin user ID or "system").
        reason: Original reason for rotation attempt.
        failure_reason: Why rotation failed (e.g., "config_not_found").
    """

    triggered_by: str  # User ID or "system"
    reason: str
    failure_reason: str

UserTokenRotationAttempted dataclass

Bases: DomainEvent

Per-user token rotation attempt initiated.

Triggers:
- LoggingEventHandler: Log attempt
- AuditEventHandler: Record USER_TOKEN_ROTATION_ATTEMPTED

Attributes:
- user_id (UUID): User whose tokens are being rotated.
- triggered_by (str): Who triggered rotation (user_id, admin_id, or "system").
- reason (str): Why rotation is being triggered.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserTokenRotationAttempted(DomainEvent):
    """Per-user token rotation attempt initiated.

    Triggers:
    - LoggingEventHandler: Log attempt
    - AuditEventHandler: Record USER_TOKEN_ROTATION_ATTEMPTED

    Attributes:
        user_id: User whose tokens are being rotated.
        triggered_by: Who triggered rotation (user_id, admin_id, or "system").
        reason: Why rotation is being triggered.
    """

    user_id: UUID
    triggered_by: str  # User ID, admin ID, or "system"
    reason: str

UserTokenRotationSucceeded dataclass

Bases: DomainEvent

Per-user token rotation completed successfully.

Triggers:
- LoggingEventHandler: Log success
- AuditEventHandler: Record USER_TOKEN_ROTATION_SUCCEEDED

Attributes:
- user_id (UUID): User whose tokens were rotated.
- triggered_by (str): Who triggered rotation (user_id, admin_id, or "system").
- previous_version (int): Previous user minimum token version.
- new_version (int): New user minimum token version.
- reason (str): Why rotation was triggered.

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserTokenRotationSucceeded(DomainEvent):
    """Per-user token rotation completed successfully.

    Triggers:
    - LoggingEventHandler: Log success
    - AuditEventHandler: Record USER_TOKEN_ROTATION_SUCCEEDED

    Attributes:
        user_id: User whose tokens were rotated.
        triggered_by: Who triggered rotation (user_id, admin_id, or "system").
        previous_version: Previous user minimum token version.
        new_version: New user minimum token version.
        reason: Why rotation was triggered.
    """

    user_id: UUID
    triggered_by: str  # User ID, admin ID, or "system"
    previous_version: int
    new_version: int
    reason: str

UserTokenRotationFailed dataclass

Bases: DomainEvent

Per-user token rotation failed.

Triggers:
- LoggingEventHandler: Log failure
- AuditEventHandler: Record USER_TOKEN_ROTATION_FAILED

Attributes:
- user_id (UUID): User whose tokens were being rotated.
- triggered_by (str): Who triggered rotation (user_id, admin_id, or "system").
- reason (str): Original reason for rotation attempt.
- failure_reason (str): Why rotation failed (e.g., "user_not_found").

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class UserTokenRotationFailed(DomainEvent):
    """Per-user token rotation failed.

    Triggers:
    - LoggingEventHandler: Log failure
    - AuditEventHandler: Record USER_TOKEN_ROTATION_FAILED

    Attributes:
        user_id: User whose tokens were being rotated.
        triggered_by: Who triggered rotation (user_id, admin_id, or "system").
        reason: Original reason for rotation attempt.
        failure_reason: Why rotation failed (e.g., "user_not_found").
    """

    user_id: UUID
    triggered_by: str  # User ID, admin ID, or "system"
    reason: str
    failure_reason: str

TokenRejectedDueToRotation dataclass

Bases: DomainEvent

Token rejected because it failed version validation.

This is a security monitoring event, not a user workflow. Emitted during token refresh when version check fails.

Triggers:
- LoggingEventHandler: Log rejection (security monitoring)
- AuditEventHandler: Record TOKEN_REJECTED_VERSION_MISMATCH

Attributes:
- user_id (UUID | None): User whose token was rejected (if known).
- token_version (int): Version of the rejected token.
- required_version (int): Minimum version required.
- rejection_reason (str): Why token was rejected (global_rotation, user_rotation).

Source code in src/domain/events/auth_events.py
@dataclass(frozen=True, kw_only=True)
class TokenRejectedDueToRotation(DomainEvent):
    """Token rejected because it failed version validation.

    This is a security monitoring event, not a user workflow.
    Emitted during token refresh when version check fails.

    Triggers:
    - LoggingEventHandler: Log rejection (security monitoring)
    - AuditEventHandler: Record TOKEN_REJECTED_VERSION_MISMATCH

    Attributes:
        user_id: User whose token was rejected (if known).
        token_version: Version of the rejected token.
        required_version: Minimum version required.
        rejection_reason: Why token was rejected (global_rotation, user_rotation).
    """

    user_id: UUID | None
    token_version: int
    required_version: int
    rejection_reason: str