@mesob/auth-hono 0.0.3 → 0.0.4

package/dist/index.js

@@ -467,8 +467,8 @@ var findUserById = (db, tenantId, userId) => {
 
 // src/handler.ts
 import { OpenAPIHono as OpenAPIHono2 } from "@hono/zod-openapi";
-import { getCookie as getCookie2 } from "hono/cookie";
-import { HTTPException as HTTPException11 } from "hono/http-exception";
+import { getCookie as getCookie3 } from "hono/cookie";
+import { HTTPException as HTTPException16 } from "hono/http-exception";
 
 // src/lib/crypto.ts
 import { scrypt } from "@noble/hashes/scrypt.js";
@@ -643,6 +643,9 @@ var changePasswordSchema = z.object({
   currentPassword: passwordField,
   newPassword: passwordField
 });
+var verifyPasswordSchema = z.object({
+  password: passwordField
+});
 var messageWithVerificationIdSchema = messageSchema.extend({
   verificationId: z.string().uuid().optional()
 });
@@ -652,9 +655,175 @@ var checkUserSchema = z.object({
 var checkUserResponseSchema = z.object({
   exists: z.boolean()
 });
+var updateProfileSchema = z.object({
+  fullName: z.string().min(1).max(255).optional().describe("User full name")
+});
+var updateEmailSchema = z.object({
+  email: z.string().email().describe("New email address")
+});
+var updatePhoneSchema = z.object({
+  phone: z.string().min(6).max(30).describe("New phone number")
+});
+var profileResponseSchema = z.object({
+  user: userSchema.describe("Updated user")
+});
+var pendingAccountChangeSchema = z.object({
+  changeType: z.enum(["email", "phone"]),
+  newEmail: z.string().email().nullable(),
+  newPhone: z.string().nullable(),
+  expiresAt: z.string().datetime()
+});
+var pendingAccountChangeResponseSchema = z.object({
+  accountChange: pendingAccountChangeSchema.nullable(),
+  verificationId: z.string().uuid().nullable()
+});
+
+// src/routes/handler/account-change-pending.ts
+import { HTTPException as HTTPException2 } from "hono/http-exception";
+
+// src/db/orm/iam/account-changes/expire-pending-account-changes.ts
+import { and as and3, eq as eq3, lte } from "drizzle-orm";
+var expirePendingAccountChanges = (db, tenantId, userId) => {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return db.update(accountChangesInIam).set({
+    status: "expired",
+    updatedAt: now
+  }).where(
+    and3(
+      eq3(accountChangesInIam.tenantId, tenantId),
+      eq3(accountChangesInIam.userId, userId),
+      eq3(accountChangesInIam.status, "pending"),
+      lte(accountChangesInIam.expiresAt, now)
+    )
+  );
+};
+
+// src/db/orm/iam/account-changes/find-pending-account-change.ts
+import { and as and4, desc, eq as eq4, gt as gt2 } from "drizzle-orm";
+var findPendingAccountChange = async (db, tenantId, userId) => {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return await db.select({
+    changeType: accountChangesInIam.changeType,
+    newEmail: accountChangesInIam.newEmail,
+    newPhone: accountChangesInIam.newPhone,
+    expiresAt: accountChangesInIam.expiresAt
+  }).from(accountChangesInIam).where(
+    and4(
+      eq4(accountChangesInIam.tenantId, tenantId),
+      eq4(accountChangesInIam.userId, userId),
+      eq4(accountChangesInIam.status, "pending"),
+      gt2(accountChangesInIam.expiresAt, now)
+    )
+  ).orderBy(desc(accountChangesInIam.createdAt)).limit(1).then(([row]) => {
+    if (!row) {
+      return null;
+    }
+    if (row.changeType !== "email" && row.changeType !== "phone") {
+      return null;
+    }
+    return {
+      changeType: row.changeType,
+      newEmail: row.newEmail ?? null,
+      newPhone: row.newPhone ?? null,
+      expiresAt: row.expiresAt
+    };
+  });
+};
+
+// src/db/orm/iam/verifications/find-active-verification-id.ts
+import { and as and5, desc as desc2, eq as eq5, gt as gt3 } from "drizzle-orm";
+var findActiveVerificationId = async (db, tenantId, userId, type, to) => {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return await db.select({
+    verificationId: verificationsInIam.id,
+    expiresAt: verificationsInIam.expiresAt
+  }).from(verificationsInIam).where(
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, userId),
+      eq5(verificationsInIam.type, type),
+      eq5(verificationsInIam.to, to),
+      gt3(verificationsInIam.expiresAt, now)
+    )
+  ).orderBy(desc2(verificationsInIam.createdAt)).limit(1).then(([row]) => row ? row : null);
+};
+
+// src/errors.ts
+var AUTH_ERRORS = {
+  USER_NOT_FOUND: "USER_NOT_FOUND",
+  INVALID_PASSWORD: "INVALID_PASSWORD",
+  USER_EXISTS: "USER_EXISTS",
+  VERIFICATION_EXPIRED: "VERIFICATION_EXPIRED",
+  VERIFICATION_MISMATCH: "VERIFICATION_MISMATCH",
+  VERIFICATION_NOT_FOUND: "VERIFICATION_NOT_FOUND",
+  TOO_MANY_ATTEMPTS: "TOO_MANY_ATTEMPTS",
+  REQUIRES_VERIFICATION: "REQUIRES_VERIFICATION",
+  UNAUTHORIZED: "UNAUTHORIZED",
+  ACCESS_DENIED: "ACCESS_DENIED",
+  HAS_NO_PASSWORD: "HAS_NO_PASSWORD"
+};
+
+// src/lib/tenant.ts
+import { HTTPException } from "hono/http-exception";
+var ensureTenantId = (config, tenantId) => {
+  if (config.enableTenant) {
+    if (!tenantId) {
+      throw new HTTPException(400, {
+        message: "Missing tenantId. Tenant isolation is enabled."
+      });
+    }
+    return tenantId;
+  }
+  if (!config.tenantId) {
+    throw new HTTPException(500, {
+      message: "tenantId must be provided in config when enableTenant is false."
+    });
+  }
+  return config.tenantId;
+};
+
+// src/routes/handler/account-change-pending.ts
+var accountChangePendingHandler = async (c) => {
+  const { config, database, tenantId, userId } = c.var;
+  if (!userId) {
+    throw new HTTPException2(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  await expirePendingAccountChanges(database, resolvedTenantId, userId);
+  const accountChange = await findPendingAccountChange(database, resolvedTenantId, userId);
+  if (!accountChange) {
+    return c.json({ accountChange: null, verificationId: null });
+  }
+  let verification = null;
+  if (accountChange.changeType === "email" && accountChange.newEmail) {
+    verification = await findActiveVerificationId(
+      database,
+      resolvedTenantId,
+      userId,
+      "email-verification",
+      accountChange.newEmail
+    );
+  }
+  if (accountChange.changeType === "phone" && accountChange.newPhone) {
+    verification = await findActiveVerificationId(
+      database,
+      resolvedTenantId,
+      userId,
+      "phone-otp-change-phone",
+      accountChange.newPhone
+    );
+  }
+  if (!verification) {
+    return c.json({ accountChange: null, verificationId: null });
+  }
+  return c.json({
+    accountChange,
+    verificationId: verification.verificationId
+  });
+};
 
 // src/db/orm/iam/users/find-user-by-email.ts
-import { and as and3, eq as eq3, sql as sql2 } from "drizzle-orm";
+import { and as and6, eq as eq6, sql as sql2 } from "drizzle-orm";
 var findUserByEmail = (db, tenantId, email) => {
   return db.select({
     id: usersInIam.id,
@@ -668,15 +837,15 @@ var findUserByEmail = (db, tenantId, email) => {
     phoneVerified: usersInIam.phoneVerified,
     lastSignInAt: usersInIam.lastSignInAt
   }).from(usersInIam).where(
-    and3(
-      eq3(usersInIam.tenantId, tenantId),
+    and6(
+      eq6(usersInIam.tenantId, tenantId),
       sql2`lower(${usersInIam.email}) = lower(${email})`
     )
   ).limit(1).then(([user]) => user || null);
 };
 
 // src/db/orm/iam/users/find-user-by-phone.ts
-import { and as and4, eq as eq4 } from "drizzle-orm";
+import { and as and7, eq as eq7 } from "drizzle-orm";
 var findUserByPhone = (db, tenantId, phone) => {
   return db.select({
     id: usersInIam.id,
@@ -689,7 +858,7 @@ var findUserByPhone = (db, tenantId, phone) => {
     emailVerified: usersInIam.emailVerified,
     phoneVerified: usersInIam.phoneVerified,
     lastSignInAt: usersInIam.lastSignInAt
-  }).from(usersInIam).where(and4(eq4(usersInIam.tenantId, tenantId), eq4(usersInIam.phone, phone))).limit(1).then(([user]) => user || null);
+  }).from(usersInIam).where(and7(eq7(usersInIam.tenantId, tenantId), eq7(usersInIam.phone, phone))).limit(1).then(([user]) => user || null);
 };
 
 // src/db/orm/iam/users/find-user-by-identifier.ts
@@ -703,25 +872,6 @@ var findUserByIdentifier = async (db, tenantId, identifier) => {
   return { user, type: "phone" };
 };
 
-// src/lib/tenant.ts
-import { HTTPException } from "hono/http-exception";
-var ensureTenantId = (config, tenantId) => {
-  if (config.enableTenant) {
-    if (!tenantId) {
-      throw new HTTPException(400, {
-        message: "Missing tenantId. Tenant isolation is enabled."
-      });
-    }
-    return tenantId;
-  }
-  if (!config.tenantId) {
-    throw new HTTPException(500, {
-      message: "tenantId must be provided in config when enableTenant is false."
-    });
-  }
-  return config.tenantId;
-};
-
 // src/routes/handler/check-user.ts
 var checkUserHandler = async (c) => {
   const body = c.req.valid("json");
@@ -738,7 +888,7 @@ var checkUserHandler = async (c) => {
 
 // src/routes/handler/email-verification-confirm.ts
 import { setCookie } from "hono/cookie";
-import { HTTPException as HTTPException2 } from "hono/http-exception";
+import { HTTPException as HTTPException3 } from "hono/http-exception";
 
 // src/db/orm/iam/sessions/insert-session.ts
 var insertSession = (db, data) => {
@@ -763,22 +913,22 @@ var insertSession = (db, data) => {
 };
 
 // src/db/orm/iam/users/update-user-verified.ts
-import { and as and5, eq as eq5 } from "drizzle-orm";
+import { and as and8, eq as eq8 } from "drizzle-orm";
 var updateUserVerified = (db, tenantId, userId, type) => {
   return db.update(usersInIam).set({
     [type === "email" ? "emailVerified" : "phoneVerified"]: true,
     lastSignInAt: (/* @__PURE__ */ new Date()).toISOString()
-  }).where(and5(eq5(usersInIam.id, userId), eq5(usersInIam.tenantId, tenantId)));
+  }).where(and8(eq8(usersInIam.id, userId), eq8(usersInIam.tenantId, tenantId)));
 };
 
 // src/db/orm/iam/verifications/consume-verification.ts
-import { eq as eq6 } from "drizzle-orm";
+import { eq as eq9 } from "drizzle-orm";
 var consumeVerification = (db, verificationId) => {
-  return db.delete(verificationsInIam).where(eq6(verificationsInIam.id, verificationId));
+  return db.delete(verificationsInIam).where(eq9(verificationsInIam.id, verificationId));
 };
 
 // src/db/orm/iam/verifications/find-verification-by-id.ts
-import { eq as eq7 } from "drizzle-orm";
+import { eq as eq10 } from "drizzle-orm";
 var findVerificationById = (db, verificationId) => {
   return db.select({
     id: verificationsInIam.id,
@@ -790,32 +940,17 @@ var findVerificationById = (db, verificationId) => {
     expiresAt: verificationsInIam.expiresAt,
     createdAt: verificationsInIam.createdAt,
     attempt: verificationsInIam.attempt
-  }).from(verificationsInIam).where(eq7(verificationsInIam.id, verificationId)).limit(1).then(([verification]) => verification || null);
+  }).from(verificationsInIam).where(eq10(verificationsInIam.id, verificationId)).limit(1).then(([verification]) => verification || null);
 };
 
 // src/db/orm/iam/verifications/update-verification-attempt.ts
-import { eq as eq8 } from "drizzle-orm";
+import { eq as eq11 } from "drizzle-orm";
 var updateVerificationAttempt = async (db, verificationId) => {
   const verification = await findVerificationById(db, verificationId);
   if (!verification) {
     return;
   }
-  await db.update(verificationsInIam).set({ attempt: (verification.attempt || 0) + 1 }).where(eq8(verificationsInIam.id, verificationId));
-};
-
-// src/errors.ts
-var AUTH_ERRORS = {
-  USER_NOT_FOUND: "USER_NOT_FOUND",
-  INVALID_PASSWORD: "INVALID_PASSWORD",
-  USER_EXISTS: "USER_EXISTS",
-  VERIFICATION_EXPIRED: "VERIFICATION_EXPIRED",
-  VERIFICATION_MISMATCH: "VERIFICATION_MISMATCH",
-  VERIFICATION_NOT_FOUND: "VERIFICATION_NOT_FOUND",
-  TOO_MANY_ATTEMPTS: "TOO_MANY_ATTEMPTS",
-  REQUIRES_VERIFICATION: "REQUIRES_VERIFICATION",
-  UNAUTHORIZED: "UNAUTHORIZED",
-  ACCESS_DENIED: "ACCESS_DENIED",
-  HAS_NO_PASSWORD: "HAS_NO_PASSWORD"
+  await db.update(verificationsInIam).set({ attempt: (verification.attempt || 0) + 1 }).where(eq11(verificationsInIam.id, verificationId));
 };
 
 // src/lib/session.ts
@@ -860,19 +995,19 @@ var emailVerificationConfirmHandler = async (c) => {
   const { verificationId, code } = body;
   const verification = await findVerificationById(database, verificationId);
   if (!verification) {
-    throw new HTTPException2(400, {
+    throw new HTTPException3(400, {
       message: AUTH_ERRORS.VERIFICATION_NOT_FOUND
     });
   }
   if (new Date(verification.expiresAt) < /* @__PURE__ */ new Date()) {
-    throw new HTTPException2(400, {
+    throw new HTTPException3(400, {
       message: AUTH_ERRORS.VERIFICATION_EXPIRED
     });
   }
   const hashedCode = await hashToken(code, config.secret);
   if (verification.code !== hashedCode) {
     await updateVerificationAttempt(database, verificationId);
-    throw new HTTPException2(400, {
+    throw new HTTPException3(400, {
       message: AUTH_ERRORS.VERIFICATION_MISMATCH
     });
   }
@@ -889,7 +1024,7 @@ var emailVerificationConfirmHandler = async (c) => {
     verification.userId
   );
   if (!user) {
-    throw new HTTPException2(500, { message: "User not found" });
+    throw new HTTPException3(500, { message: "User not found" });
   }
   const sessionToken = crypto.randomUUID();
   const hashedToken = await hashToken(sessionToken, config.secret);
@@ -925,16 +1060,52 @@ var emailVerificationConfirmHandler = async (c) => {
 };
 
 // src/routes/handler/email-verification-request.ts
-import { HTTPException as HTTPException3 } from "hono/http-exception";
+import { HTTPException as HTTPException4 } from "hono/http-exception";
+
+// src/db/orm/iam/account-changes/cancel-pending-account-changes.ts
+import { and as and9, eq as eq12 } from "drizzle-orm";
+var cancelPendingAccountChanges = (db, tenantId, userId, changeType) => {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return db.update(accountChangesInIam).set({
+    status: "cancelled",
+    cancelledAt: now,
+    updatedAt: now,
+    reason: "replaced"
+  }).where(
+    and9(
+      eq12(accountChangesInIam.tenantId, tenantId),
+      eq12(accountChangesInIam.userId, userId),
+      eq12(accountChangesInIam.changeType, changeType),
+      eq12(accountChangesInIam.status, "pending")
+    )
+  );
+};
+
+// src/db/orm/iam/account-changes/insert-pending-email-change.ts
+var insertPendingEmailChange = (db, data) => {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return db.insert(accountChangesInIam).values({
+    tenantId: data.tenantId,
+    userId: data.userId,
+    changeType: "email",
+    oldEmail: data.oldEmail,
+    newEmail: data.newEmail,
+    oldPhone: null,
+    newPhone: null,
+    status: "pending",
+    expiresAt: data.expiresAt,
+    updatedAt: now
+  });
+};
 
 // src/db/orm/iam/verifications/delete-verifications-by-user-and-type.ts
-import { and as and6, eq as eq9 } from "drizzle-orm";
+import { and as and10, eq as eq13 } from "drizzle-orm";
 var deleteVerificationsByUserAndType = (db, tenantId, userId, type) => {
   return db.delete(verificationsInIam).where(
-    and6(
-      eq9(verificationsInIam.tenantId, tenantId),
-      eq9(verificationsInIam.userId, userId),
-      eq9(verificationsInIam.type, type)
+    and10(
+      eq13(verificationsInIam.tenantId, tenantId),
+      eq13(verificationsInIam.userId, userId),
+      eq13(verificationsInIam.type, type)
     )
   );
 };
@@ -999,8 +1170,6 @@ var ResendEmailProvider = class {
   }
   async sendVerificationEmail(email, code, tenantName) {
     const subject = this.config.verificationSubject || `Verify your email${tenantName ? ` for ${tenantName}` : ""}`;
-    const verificationPath = this.config.verificationPath || "/verify-email";
-    const verificationUrl = `${this.config.frontendBaseUrl}${verificationPath}?token=${code}`;
     const html = `
       <!DOCTYPE html>
       <html>
@@ -1016,12 +1185,7 @@ var ResendEmailProvider = class {
             <div style="background: #f3f4f6; padding: 20px; text-align: center; font-size: 32px; font-weight: bold; letter-spacing: 8px; margin: 20px 0;">
               ${code}
             </div>
-            <p>Or click the link below:</p>
-            <p>
-              <a href="${verificationUrl}" style="background: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px; display: inline-block;">
-                Verify Email
-              </a>
-            </p>
+
             <p style="color: #6b7280; font-size: 14px; margin-top: 30px;">
               This code will expire in 1 hour. If you didn't request this, please ignore this email.
             </p>
@@ -1031,8 +1195,6 @@ var ResendEmailProvider = class {
     `;
     const text2 = `Your verification code is: ${code}
 
-Or visit: ${verificationUrl}
-
 This code will expire in 1 hour.`;
     await this.sendEmail({
       to: [email],
@@ -1043,8 +1205,6 @@ This code will expire in 1 hour.`;
   }
   async sendPasswordResetEmail(email, code, tenantName) {
     const subject = this.config.resetPasswordSubject || `Reset your password${tenantName ? ` for ${tenantName}` : ""}`;
-    const resetPath = this.config.resetPasswordPath || "/reset-password";
-    const resetUrl = `${this.config.frontendBaseUrl}${resetPath}?token=${code}`;
     const html = `
       <!DOCTYPE html>
       <html>
@@ -1060,12 +1220,6 @@ This code will expire in 1 hour.`;
             <div style="background: #f3f4f6; padding: 20px; text-align: center; font-size: 32px; font-weight: bold; letter-spacing: 8px; margin: 20px 0;">
               ${code}
             </div>
-            <p>Or click the link below:</p>
-            <p>
-              <a href="${resetUrl}" style="background: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px; display: inline-block;">
-                Reset Password
-              </a>
-            </p>
             <p style="color: #6b7280; font-size: 14px; margin-top: 30px;">
               This code will expire in 1 hour. If you didn't request this, please ignore this email.
             </p>
@@ -1075,8 +1229,6 @@ This code will expire in 1 hour.`;
     `;
     const text2 = `Your password reset code is: ${code}
 
-Or visit: ${resetUrl}
-
 This code will expire in 1 hour.`;
     await this.sendEmail({
       to: [email],
@@ -1108,7 +1260,7 @@ var emailVerificationRequestHandler = async (c) => {
   const resolvedTenantId = ensureTenantId(config, tenantId);
   const email = body.email || user?.email;
   if (!email) {
-    throw new HTTPException3(400, { message: "Email required" });
+    throw new HTTPException4(400, { message: "Email required" });
   }
   let userId = user?.id;
   if (!userId) {
@@ -1118,7 +1270,7 @@ var emailVerificationRequestHandler = async (c) => {
       email
     );
     if (!lookup.user) {
-      throw new HTTPException3(404, { message: AUTH_ERRORS.USER_NOT_FOUND });
+      throw new HTTPException4(404, { message: AUTH_ERRORS.USER_NOT_FOUND });
     }
     userId = lookup.user.id;
   }
@@ -1139,26 +1291,42 @@ var emailVerificationRequestHandler = async (c) => {
     expiresAt,
     to: email
   });
+  if (user?.id && body.email) {
+    await cancelPendingAccountChanges(
+      database,
+      resolvedTenantId,
+      user.id,
+      "email"
+    );
+    await insertPendingEmailChange(database, {
+      tenantId: resolvedTenantId,
+      userId: user.id,
+      oldEmail: user.email ?? "",
+      newEmail: body.email,
+      expiresAt: verification.expiresAt
+    });
+  }
   const emailProvider = new ResendEmailProvider(config.email.resend);
   await emailProvider.sendVerificationEmail(email, code);
   return c.json({ verificationId: verification.id });
 };
 
 // src/routes/handler/me.ts
-import { HTTPException as HTTPException4 } from "hono/http-exception";
+import { HTTPException as HTTPException5 } from "hono/http-exception";
 var meHandler = (c) => {
   const { user } = c.var;
   if (!user) {
-    throw new HTTPException4(401, { message: "Unauthorized" });
+    throw new HTTPException5(401, { message: "Unauthorized" });
   }
   return c.json({ user });
 };
 
 // src/routes/handler/password-change.ts
-import { HTTPException as HTTPException5 } from "hono/http-exception";
+import { getCookie } from "hono/cookie";
+import { HTTPException as HTTPException6 } from "hono/http-exception";
 
 // src/db/orm/iam/accounts/find-account-by-provider.ts
-import { and as and7, eq as eq10 } from "drizzle-orm";
+import { and as and11, eq as eq14 } from "drizzle-orm";
 var findAccountByProvider = (db, tenantId, userId, provider) => {
   return db.select({
     id: accountsInIam.id,
@@ -1168,34 +1336,34 @@ var findAccountByProvider = (db, tenantId, userId, provider) => {
     providerAccountId: accountsInIam.providerAccountId,
     password: accountsInIam.password
   }).from(accountsInIam).where(
-    and7(
-      eq10(accountsInIam.tenantId, tenantId),
-      eq10(accountsInIam.userId, userId),
-      eq10(accountsInIam.provider, provider)
+    and11(
+      eq14(accountsInIam.tenantId, tenantId),
+      eq14(accountsInIam.userId, userId),
+      eq14(accountsInIam.provider, provider)
     )
   ).limit(1).then(([account]) => account || null);
 };
 
 // src/db/orm/iam/accounts/update-account-password.ts
-import { and as and8, eq as eq11 } from "drizzle-orm";
+import { and as and12, eq as eq15 } from "drizzle-orm";
 var updateAccountPassword = (db, tenantId, userId, password) => {
   return db.update(accountsInIam).set({ password }).where(
-    and8(
-      eq11(accountsInIam.tenantId, tenantId),
-      eq11(accountsInIam.userId, userId),
-      eq11(accountsInIam.provider, "credentials")
+    and12(
+      eq15(accountsInIam.tenantId, tenantId),
+      eq15(accountsInIam.userId, userId),
+      eq15(accountsInIam.provider, "credentials")
     )
   );
 };
 
 // src/db/orm/iam/sessions/delete-session-by-id.ts
-import { eq as eq12 } from "drizzle-orm";
+import { eq as eq16 } from "drizzle-orm";
 var deleteSessionById = (db, sessionId) => {
-  return db.delete(sessionsInIam).where(eq12(sessionsInIam.id, sessionId));
+  return db.delete(sessionsInIam).where(eq16(sessionsInIam.id, sessionId));
 };
 
 // src/db/orm/iam/sessions/list-sessions-for-user.ts
-import { and as and9, asc, eq as eq13, gt as gt2 } from "drizzle-orm";
+import { and as and13, asc, eq as eq17, gt as gt4 } from "drizzle-orm";
 var listSessionsForUser = (db, tenantId, userId) => {
   return db.select({
     id: sessionsInIam.id,
@@ -1207,10 +1375,10 @@ var listSessionsForUser = (db, tenantId, userId) => {
     userAgent: sessionsInIam.userAgent,
     ip: sessionsInIam.ip
   }).from(sessionsInIam).where(
-    and9(
-      eq13(sessionsInIam.tenantId, tenantId),
-      eq13(sessionsInIam.userId, userId),
-      gt2(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+    and13(
+      eq17(sessionsInIam.tenantId, tenantId),
+      eq17(sessionsInIam.userId, userId),
+      gt4(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   ).orderBy(asc(sessionsInIam.createdAt)).then((sessions) => sessions);
 };
@@ -1220,10 +1388,10 @@ var changePasswordHandler = async (c) => {
   const body = c.req.valid("json");
   const { config, database, tenantId, userId, user } = c.var;
   if (!userId) {
-    throw new HTTPException5(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+    throw new HTTPException6(401, { message: AUTH_ERRORS.UNAUTHORIZED });
   }
   if (!user) {
-    throw new HTTPException5(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+    throw new HTTPException6(401, { message: AUTH_ERRORS.UNAUTHORIZED });
   }
   const resolvedTenantId = ensureTenantId(config, tenantId);
   const { currentPassword, newPassword } = body;
@@ -1234,11 +1402,11 @@ var changePasswordHandler = async (c) => {
     "credentials"
   );
   if (!account?.password) {
-    throw new HTTPException5(401, { message: AUTH_ERRORS.HAS_NO_PASSWORD });
+    throw new HTTPException6(401, { message: AUTH_ERRORS.HAS_NO_PASSWORD });
   }
   const passwordValid = await verifyPassword(currentPassword, account.password);
   if (!passwordValid) {
-    throw new HTTPException5(401, { message: AUTH_ERRORS.INVALID_PASSWORD });
+    throw new HTTPException6(401, { message: AUTH_ERRORS.INVALID_PASSWORD });
   }
   const passwordHash = await hashPassword(newPassword);
   await updateAccountPassword(database, resolvedTenantId, userId, passwordHash);
@@ -1247,7 +1415,7 @@ var changePasswordHandler = async (c) => {
     resolvedTenantId,
     userId
   );
-  const currentSessionToken = c.req.cookie("session_token");
+  const currentSessionToken = getCookie(c, "session_token");
   if (currentSessionToken) {
     const hashedToken = await hashToken(currentSessionToken, config.secret);
     const currentSession = await findSessionByToken(database, hashedToken);
@@ -1372,7 +1540,7 @@ var forgotPasswordHandler = async (c) => {
 
 // src/routes/handler/password-reset.ts
 import { setCookie as setCookie2 } from "hono/cookie";
-import { HTTPException as HTTPException6 } from "hono/http-exception";
+import { HTTPException as HTTPException7 } from "hono/http-exception";
 var resetPasswordHandler = async (c) => {
   const body = c.req.valid("json");
   const { config, database, tenantId } = c.var;
@@ -1380,17 +1548,17 @@ var resetPasswordHandler = async (c) => {
   const { verificationId, code, password } = body;
   const verification = await findVerificationById(database, verificationId);
   if (!verification) {
-    throw new HTTPException6(400, {
+    throw new HTTPException7(400, {
       message: AUTH_ERRORS.VERIFICATION_NOT_FOUND
     });
   }
   if (new Date(verification.expiresAt) < /* @__PURE__ */ new Date()) {
-    throw new HTTPException6(400, { message: AUTH_ERRORS.VERIFICATION_EXPIRED });
+    throw new HTTPException7(400, { message: AUTH_ERRORS.VERIFICATION_EXPIRED });
   }
   const hashedCode = await hashToken(code, config.secret);
   if (verification.code !== hashedCode) {
     await updateVerificationAttempt(database, verificationId);
-    throw new HTTPException6(400, {
+    throw new HTTPException7(400, {
       message: AUTH_ERRORS.VERIFICATION_MISMATCH
     });
   }
@@ -1428,7 +1596,7 @@ var resetPasswordHandler = async (c) => {
     verification.userId
   );
   if (!user) {
-    throw new HTTPException6(500, { message: "User not found" });
+    throw new HTTPException7(500, { message: "User not found" });
   }
   setCookie2(c, "session_token", sessionToken, {
     httpOnly: true,
@@ -1451,9 +1619,38 @@ var resetPasswordHandler = async (c) => {
   });
 };
 
+// src/routes/handler/password-verify.ts
+import { HTTPException as HTTPException8 } from "hono/http-exception";
+var verifyPasswordHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId, userId, user } = c.var;
+  if (!userId) {
+    throw new HTTPException8(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  if (!user) {
+    throw new HTTPException8(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { password } = body;
+  const account = await findAccountByProvider(
+    database,
+    resolvedTenantId,
+    userId,
+    "credentials"
+  );
+  if (!account?.password) {
+    throw new HTTPException8(401, { message: AUTH_ERRORS.HAS_NO_PASSWORD });
+  }
+  const passwordValid = await verifyPassword(password, account.password);
+  if (!passwordValid) {
+    throw new HTTPException8(401, { message: AUTH_ERRORS.INVALID_PASSWORD });
+  }
+  return c.json({ message: "Password verified" });
+};
+
 // src/routes/handler/phone-verification-confirm.ts
 import { setCookie as setCookie3 } from "hono/cookie";
-import { HTTPException as HTTPException7 } from "hono/http-exception";
+import { HTTPException as HTTPException9 } from "hono/http-exception";
 var phoneVerificationConfirmHandler = async (c) => {
   const body = c.req.valid("json");
   const { config, database, tenantId } = c.var;
@@ -1461,17 +1658,17 @@ var phoneVerificationConfirmHandler = async (c) => {
   const { verificationId, code, context } = body;
   const verification = await findVerificationById(database, verificationId);
   if (!verification) {
-    throw new HTTPException7(400, {
+    throw new HTTPException9(400, {
       message: AUTH_ERRORS.VERIFICATION_NOT_FOUND
     });
   }
   if (new Date(verification.expiresAt) < /* @__PURE__ */ new Date()) {
-    throw new HTTPException7(400, { message: AUTH_ERRORS.VERIFICATION_EXPIRED });
+    throw new HTTPException9(400, { message: AUTH_ERRORS.VERIFICATION_EXPIRED });
   }
   const hashedCode = await hashToken(code, config.secret);
   if (verification.code !== hashedCode) {
     await updateVerificationAttempt(database, verificationId);
-    throw new HTTPException7(400, {
+    throw new HTTPException9(400, {
       message: AUTH_ERRORS.VERIFICATION_MISMATCH
     });
   }
@@ -1500,7 +1697,7 @@ var phoneVerificationConfirmHandler = async (c) => {
   }
   const user = verification.userId ? await findUserById(database, resolvedTenantId, verification.userId) : null;
   if (!user) {
-    throw new HTTPException7(500, { message: "User not found" });
+    throw new HTTPException9(500, { message: "User not found" });
   }
   if (context === "sign-in" || context === "change-phone" || context === "sign-up") {
     const sessionToken = crypto.randomUUID();
@@ -1545,14 +1742,33 @@ var phoneVerificationConfirmHandler = async (c) => {
 };
 
 // src/routes/handler/phone-verification-request.ts
-import { HTTPException as HTTPException8 } from "hono/http-exception";
+import { HTTPException as HTTPException10 } from "hono/http-exception";
+
+// src/db/orm/iam/account-changes/insert-pending-phone-change.ts
+var insertPendingPhoneChange = (db, data) => {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return db.insert(accountChangesInIam).values({
+    tenantId: data.tenantId,
+    userId: data.userId,
+    changeType: "phone",
+    oldPhone: data.oldPhone,
+    newPhone: data.newPhone,
+    oldEmail: null,
+    newEmail: null,
+    status: "pending",
+    expiresAt: data.expiresAt,
+    updatedAt: now
+  });
+};
+
+// src/routes/handler/phone-verification-request.ts
 var phoneVerificationRequestHandler = async (c) => {
   const body = c.req.valid("json");
   const { config, database, tenantId, user } = c.var;
   const resolvedTenantId = ensureTenantId(config, tenantId);
   const { phone, context } = body;
   if (!phone) {
-    throw new HTTPException8(400, { message: "Phone required" });
+    throw new HTTPException10(400, { message: "Phone required" });
   }
   let userId = user?.id;
   if (!userId) {
@@ -1562,12 +1778,12 @@ var phoneVerificationRequestHandler = async (c) => {
       phone
     );
     if (!lookup.user) {
-      throw new HTTPException8(404, { message: AUTH_ERRORS.USER_NOT_FOUND });
+      throw new HTTPException10(404, { message: AUTH_ERRORS.USER_NOT_FOUND });
     }
     userId = lookup.user.id;
   }
   if (!userId) {
-    throw new HTTPException8(404, { message: AUTH_ERRORS.USER_NOT_FOUND });
+    throw new HTTPException10(404, { message: AUTH_ERRORS.USER_NOT_FOUND });
   }
   await deleteVerificationsByUserAndType(
     database,
@@ -1586,6 +1802,21 @@ var phoneVerificationRequestHandler = async (c) => {
     expiresAt,
     to: phone
   });
+  if (context === "change-phone" && user?.id) {
+    await cancelPendingAccountChanges(
+      database,
+      resolvedTenantId,
+      user.id,
+      "phone"
+    );
+    await insertPendingPhoneChange(database, {
+      tenantId: resolvedTenantId,
+      userId: user.id,
+      oldPhone: user.phone ?? "",
+      newPhone: phone,
+      expiresAt: verification.expiresAt
+    });
+  }
   const smsProvider = new AfroSmsProvider(config.phone.smsConfig);
   await smsProvider.sendVerificationSms(phone, code);
   return c.json({ verificationId: verification.id });
@@ -1608,7 +1839,7 @@ var sessionHandler = (c) => {
 
 // src/routes/handler/sign-in.ts
 import { setCookie as setCookie4 } from "hono/cookie";
-import { HTTPException as HTTPException9 } from "hono/http-exception";
+import { HTTPException as HTTPException11 } from "hono/http-exception";
 
 // src/db/orm/iam/sessions/delete-oldest-sessions.ts
 var deleteOldestSessions = async (db, tenantId, userId, keepCount) => {
@@ -1623,9 +1854,9 @@ var deleteOldestSessions = async (db, tenantId, userId, keepCount) => {
 };
 
 // src/db/orm/iam/users/update-last-sign-in.ts
-import { and as and10, eq as eq14 } from "drizzle-orm";
+import { and as and14, eq as eq18 } from "drizzle-orm";
 var updateLastSignIn = (db, tenantId, userId) => {
-  return db.update(usersInIam).set({ lastSignInAt: (/* @__PURE__ */ new Date()).toISOString(), loginAttempt: 0 }).where(and10(eq14(usersInIam.id, userId), eq14(usersInIam.tenantId, tenantId)));
+  return db.update(usersInIam).set({ lastSignInAt: (/* @__PURE__ */ new Date()).toISOString(), loginAttempt: 0 }).where(and14(eq18(usersInIam.id, userId), eq18(usersInIam.tenantId, tenantId)));
 };
 
 // src/routes/handler/sign-in.ts
@@ -1640,7 +1871,7 @@ var signInHandler = async (c) => {
     identifier
   );
   if (!lookup.user) {
-    throw new HTTPException9(401, { message: AUTH_ERRORS.USER_NOT_FOUND });
+    throw new HTTPException11(401, { message: AUTH_ERRORS.USER_NOT_FOUND });
   }
   const account = await findAccountByProvider(
     database,
@@ -1649,13 +1880,14 @@ var signInHandler = async (c) => {
     "credentials"
   );
   if (!account?.password) {
-    throw new HTTPException9(401, { message: AUTH_ERRORS.HAS_NO_PASSWORD });
+    throw new HTTPException11(401, { message: AUTH_ERRORS.HAS_NO_PASSWORD });
   }
   const passwordValid = await verifyPassword(password, account.password);
   if (!passwordValid) {
-    throw new HTTPException9(401, { message: AUTH_ERRORS.INVALID_PASSWORD });
+    throw new HTTPException11(401, { message: AUTH_ERRORS.INVALID_PASSWORD });
   }
   const isEmail = lookup.type === "email";
+  const isPhone = lookup.type === "phone";
   const isVerified = isEmail ? lookup.user.emailVerified : lookup.user.phoneVerified;
   if (isEmail && config.email.verificationRequired && !isVerified) {
     const code = generateOtpCode(6);
@@ -1676,7 +1908,7 @@ var signInHandler = async (c) => {
       requiresVerification: true
     });
   }
-  if (!isEmail && config.phone.verificationRequired && !isVerified) {
+  if (isPhone && config.phone.verificationRequired && !isVerified) {
     const code = generateOtpCode(config.phone.otpLength);
     const hashedCode = await hashToken(code, config.secret);
     const expiresAt2 = addDuration(config.phone.otpExpiresIn);
@@ -1738,11 +1970,11 @@ var signInHandler = async (c) => {
 };
 
 // src/routes/handler/sign-out.ts
-import { deleteCookie, getCookie } from "hono/cookie";
+import { deleteCookie, getCookie as getCookie2 } from "hono/cookie";
 var signOutHandler = async (c) => {
   const { config, database, tenantId } = c.var;
   ensureTenantId(config, tenantId);
-  const sessionToken = getCookie(c, "session_token");
+  const sessionToken = getCookie2(c, "session_token");
   if (!sessionToken) {
     return c.json({ message: "Signed out" });
   }
@@ -1763,7 +1995,7 @@ var signOutHandler = async (c) => {
 
 // src/routes/handler/sign-up.ts
 import { setCookie as setCookie5 } from "hono/cookie";
-import { HTTPException as HTTPException10 } from "hono/http-exception";
+import { HTTPException as HTTPException12 } from "hono/http-exception";
 
 // src/db/orm/iam/accounts/insert-credentials-account.ts
 var insertCredentialsAccount = (db, data) => {
@@ -1777,7 +2009,7 @@ var insertCredentialsAccount = (db, data) => {
 };
 
 // src/db/orm/iam/users/find-user-by-handle.ts
-import { and as and11, eq as eq15, sql as sql3 } from "drizzle-orm";
+import { and as and15, eq as eq19, sql as sql3 } from "drizzle-orm";
 var findUserByHandle = (db, tenantId, handle) => {
   return db.select({
     id: usersInIam.id,
@@ -1791,8 +2023,8 @@ var findUserByHandle = (db, tenantId, handle) => {
     phoneVerified: usersInIam.phoneVerified,
     lastSignInAt: usersInIam.lastSignInAt
   }).from(usersInIam).where(
-    and11(
-      eq15(usersInIam.tenantId, tenantId),
+    and15(
+      eq19(usersInIam.tenantId, tenantId),
       sql3`lower(${usersInIam.handle}) = lower(${handle})`
     )
   ).limit(1).then(([user]) => user || null);
@@ -1830,7 +2062,7 @@ var signUpHandler = async (c) => {
   const resolvedTenantId = ensureTenantId(config, tenantId);
   const { email, phone, password, fullName, handle } = body;
   if (!(email || phone)) {
-    throw new HTTPException10(400, {
+    throw new HTTPException12(400, {
       message: "Either email or phone is required"
     });
   }
@@ -1841,7 +2073,7 @@ var signUpHandler = async (c) => {
     identifier
   );
   if (existing.user) {
-    throw new HTTPException10(409, { message: AUTH_ERRORS.USER_EXISTS });
+    throw new HTTPException12(409, { message: AUTH_ERRORS.USER_EXISTS });
   }
   const userHandle = handle || generateHandle(email || phone);
   const existingHandle = await findUserByHandle(
@@ -1850,7 +2082,7 @@ var signUpHandler = async (c) => {
     userHandle
   );
   if (existingHandle) {
-    throw new HTTPException10(409, { message: "Handle already taken" });
+    throw new HTTPException12(409, { message: "Handle already taken" });
   }
   const user = await insertUser(database, {
     tenantId: resolvedTenantId,
@@ -1943,6 +2175,227 @@ var signUpHandler = async (c) => {
   });
 };
 
+// src/routes/handler/update-email.ts
+import { HTTPException as HTTPException13 } from "hono/http-exception";
+
+// src/db/orm/iam/account-changes/mark-pending-account-change-applied.ts
+import { and as and16, eq as eq20 } from "drizzle-orm";
+var markPendingAccountChangeApplied = (db, tenantId, userId, changeType, newValue) => {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const valueCondition = changeType === "email" ? eq20(accountChangesInIam.newEmail, newValue) : eq20(accountChangesInIam.newPhone, newValue);
+  return db.update(accountChangesInIam).set({
+    status: "applied",
+    confirmedAt: now,
+    updatedAt: now
+  }).where(
+    and16(
+      eq20(accountChangesInIam.tenantId, tenantId),
+      eq20(accountChangesInIam.userId, userId),
+      eq20(accountChangesInIam.changeType, changeType),
+      eq20(accountChangesInIam.status, "pending"),
+      valueCondition
+    )
+  );
+};
+
+// src/db/orm/iam/accounts/update-credentials-provider-account-id.ts
+import { and as and17, eq as eq21 } from "drizzle-orm";
+var updateCredentialsProviderAccountId = async (db, tenantId, userId, providerAccountId) => {
+  const updated = await db.update(accountsInIam).set({ providerAccountId }).where(
+    and17(
+      eq21(accountsInIam.tenantId, tenantId),
+      eq21(accountsInIam.userId, userId),
+      eq21(accountsInIam.provider, "credentials")
+    )
+  ).returning({ id: accountsInIam.id }).then(([row]) => row?.id);
+  return Boolean(updated);
+};
+
+// src/db/orm/iam/sessions/delete-other-sessions.ts
+import { and as and18, eq as eq22, ne } from "drizzle-orm";
+var deleteOtherSessions = (db, tenantId, userId, currentSessionId) => {
+  return db.delete(sessionsInIam).where(
+    and18(
+      eq22(sessionsInIam.tenantId, tenantId),
+      eq22(sessionsInIam.userId, userId),
+      ne(sessionsInIam.id, currentSessionId)
+    )
+  );
+};
+
+// src/db/orm/iam/users/update-user-email.ts
+import { and as and19, eq as eq23, sql as sql4 } from "drizzle-orm";
+var updateUserEmail = (db, tenantId, userId, email) => {
+  return db.update(usersInIam).set({
+    email,
+    emailVerified: true,
+    updatedAt: sql4`CURRENT_TIMESTAMP`
+  }).where(and19(eq23(usersInIam.id, userId), eq23(usersInIam.tenantId, tenantId))).returning({
+    id: usersInIam.id,
+    tenantId: usersInIam.tenantId,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    handle: usersInIam.handle,
+    image: usersInIam.image,
+    emailVerified: usersInIam.emailVerified,
+    phoneVerified: usersInIam.phoneVerified,
+    lastSignInAt: usersInIam.lastSignInAt
+  }).then(([user]) => user || null);
+};
+
+// src/routes/handler/update-email.ts
+var updateEmailHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId, userId, user, session } = c.var;
+  if (!userId) {
+    throw new HTTPException13(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  if (!user) {
+    throw new HTTPException13(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  if (user.email && session?.id) {
+    await deleteOtherSessions(database, resolvedTenantId, userId, session.id);
+  }
+  const updatedUser = await updateUserEmail(
+    database,
+    resolvedTenantId,
+    userId,
+    body.email
+  );
+  if (!updatedUser) {
+    throw new HTTPException13(404, { message: "User not found" });
+  }
+  await markPendingAccountChangeApplied(
+    database,
+    resolvedTenantId,
+    userId,
+    "email",
+    body.email
+  );
+  await updateCredentialsProviderAccountId(
+    database,
+    resolvedTenantId,
+    userId,
+    body.email
+  );
+  return c.json({ user: updatedUser }, 200);
+};
+
+// src/routes/handler/update-phone.ts
+import { HTTPException as HTTPException14 } from "hono/http-exception";
+
+// src/db/orm/iam/users/update-user-phone.ts
+import { and as and20, eq as eq24, sql as sql5 } from "drizzle-orm";
+var updateUserPhone = (db, tenantId, userId, phone) => {
+  return db.update(usersInIam).set({
+    phone,
+    phoneVerified: true,
+    updatedAt: sql5`CURRENT_TIMESTAMP`
+  }).where(and20(eq24(usersInIam.id, userId), eq24(usersInIam.tenantId, tenantId))).returning({
+    id: usersInIam.id,
+    tenantId: usersInIam.tenantId,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    handle: usersInIam.handle,
+    image: usersInIam.image,
+    emailVerified: usersInIam.emailVerified,
+    phoneVerified: usersInIam.phoneVerified,
+    lastSignInAt: usersInIam.lastSignInAt
+  }).then(([user]) => user || null);
+};
+
+// src/routes/handler/update-phone.ts
+var updatePhoneHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId, userId, user, session } = c.var;
+  if (!userId) {
+    throw new HTTPException14(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  if (!user) {
+    throw new HTTPException14(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  if (user.phone && session?.id) {
+    await deleteOtherSessions(database, resolvedTenantId, userId, session.id);
+  }
+  const updatedUser = await updateUserPhone(
+    database,
+    resolvedTenantId,
+    userId,
+    body.phone
+  );
+  if (!updatedUser) {
+    throw new HTTPException14(404, { message: "User not found" });
+  }
+  await markPendingAccountChangeApplied(
+    database,
+    resolvedTenantId,
+    userId,
+    "phone",
+    body.phone
+  );
+  await updateCredentialsProviderAccountId(
+    database,
+    resolvedTenantId,
+    userId,
+    body.phone
+  );
+  return c.json({ user: updatedUser }, 200);
+};
+
+// src/routes/handler/update-profile.ts
+import { HTTPException as HTTPException15 } from "hono/http-exception";
+
+// src/db/orm/iam/users/update-user-profile.ts
+import { and as and21, eq as eq25, sql as sql6 } from "drizzle-orm";
+var updateUserProfile = async (db, tenantId, userId, data) => {
+  const updateData = {};
+  if (data.fullName !== void 0) {
+    updateData.fullName = data.fullName;
+  }
+  return await db.update(usersInIam).set({
+    ...updateData,
+    updatedAt: sql6`CURRENT_TIMESTAMP`
+  }).where(and21(eq25(usersInIam.id, userId), eq25(usersInIam.tenantId, tenantId))).returning({
+    id: usersInIam.id,
+    tenantId: usersInIam.tenantId,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    handle: usersInIam.handle,
+    image: usersInIam.image,
+    emailVerified: usersInIam.emailVerified,
+    phoneVerified: usersInIam.phoneVerified,
+    lastSignInAt: usersInIam.lastSignInAt
+  }).then(([user]) => user || null);
+};
+
+// src/routes/handler/update-profile.ts
+var updateProfileHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId, userId, user } = c.var;
+  if (!userId) {
+    throw new HTTPException15(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  if (!user) {
+    throw new HTTPException15(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const updatedUser = await updateUserProfile(
+    database,
+    resolvedTenantId,
+    userId,
+    body
+  );
+  if (!updatedUser) {
+    throw new HTTPException15(404, { message: "User not found" });
+  }
+  return c.json({ user: updatedUser }, 200);
+};
+
 // src/routes/auth.route.ts
 var signUpRoute = createRoute({
   method: "post",
@@ -2088,6 +2541,26 @@ var sessionRoute = createRoute({
     }
   }
 });
+var accountChangePendingRoute = createRoute({
+  method: "get",
+  path: "/account-change/pending",
+  tags: ["Profile"],
+  summary: "Get pending account change (email/phone)",
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: pendingAccountChangeResponseSchema
+        }
+      },
+      description: "Pending account change"
+    },
+    401: {
+      content: { "application/json": { schema: errorResponseSchema } },
+      description: "Unauthorized"
+    }
+  }
+});
 var emailVerificationRequestRoute = createRoute({
   method: "post",
   path: "/email/verification/request",
@@ -2238,6 +2711,31 @@ var resetPasswordRoute = createRoute({
     }
   }
 });
+var verifyPasswordRoute = createRoute({
+  method: "post",
+  path: "/password/verify",
+  tags: ["Password"],
+  summary: "Verify password",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: verifyPasswordSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: { "application/json": { schema: messageSchema } },
+      description: "Password verified"
+    },
+    401: {
+      content: { "application/json": { schema: errorResponseSchema } },
+      description: "Invalid password"
+    }
+  }
+});
 var changePasswordRoute = createRoute({
   method: "post",
   path: "/password/change",
@@ -2263,8 +2761,131 @@ var changePasswordRoute = createRoute({
     }
   }
 });
+var updateProfileRoute = createRoute({
+  method: "put",
+  path: "/profile",
+  tags: ["Profile"],
+  summary: "Update user profile",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: updateProfileSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: profileResponseSchema
+        }
+      },
+      description: "Profile updated"
+    },
+    401: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema
+        }
+      },
+      description: "Unauthorized"
+    },
+    404: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema
+        }
+      },
+      description: "User not found"
+    }
+  }
+});
+var updateEmailRoute = createRoute({
+  method: "put",
+  path: "/profile/email",
+  tags: ["Profile"],
+  summary: "Update user email",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: updateEmailSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: profileResponseSchema
+        }
+      },
+      description: "Email updated"
+    },
+    401: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema
+        }
+      },
+      description: "Unauthorized"
+    },
+    404: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema
+        }
+      },
+      description: "User not found"
+    }
+  }
+});
+var updatePhoneRoute = createRoute({
+  method: "put",
+  path: "/profile/phone",
+  tags: ["Profile"],
+  summary: "Update user phone",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: updatePhoneSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: profileResponseSchema
+        }
+      },
+      description: "Phone updated"
+    },
+    401: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema
+        }
+      },
+      description: "Unauthorized"
+    },
+    404: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema
+        }
+      },
+      description: "User not found"
+    }
+  }
+});
 var createAuthRoutes = () => {
-  const authRoutes = new OpenAPIHono().openapi(signUpRoute, signUpHandler).openapi(signInRoute, signInHandler).openapi(checkUserRoute, checkUserHandler).openapi(signOutRoute, signOutHandler).openapi(meRoute, meHandler).openapi(sessionRoute, sessionHandler).openapi(emailVerificationRequestRoute, emailVerificationRequestHandler).openapi(emailVerificationConfirmRoute, emailVerificationConfirmHandler).openapi(phoneVerificationRequestRoute, phoneVerificationRequestHandler).openapi(phoneVerificationConfirmRoute, phoneVerificationConfirmHandler).openapi(forgotPasswordRoute, forgotPasswordHandler).openapi(resetPasswordRoute, resetPasswordHandler).openapi(changePasswordRoute, changePasswordHandler);
+  const authRoutes = new OpenAPIHono().openapi(signUpRoute, signUpHandler).openapi(signInRoute, signInHandler).openapi(checkUserRoute, checkUserHandler).openapi(signOutRoute, signOutHandler).openapi(meRoute, meHandler).openapi(sessionRoute, sessionHandler).openapi(accountChangePendingRoute, accountChangePendingHandler).openapi(emailVerificationRequestRoute, emailVerificationRequestHandler).openapi(emailVerificationConfirmRoute, emailVerificationConfirmHandler).openapi(phoneVerificationRequestRoute, phoneVerificationRequestHandler).openapi(phoneVerificationConfirmRoute, phoneVerificationConfirmHandler).openapi(forgotPasswordRoute, forgotPasswordHandler).openapi(resetPasswordRoute, resetPasswordHandler).openapi(verifyPasswordRoute, verifyPasswordHandler).openapi(changePasswordRoute, changePasswordHandler).openapi(updateProfileRoute, updateProfileHandler).openapi(updateEmailRoute, updateEmailHandler).openapi(updatePhoneRoute, updatePhoneHandler);
   return authRoutes;
 };
 
@@ -2272,18 +2893,18 @@ var createAuthRoutes = () => {
 var createAuthMiddleware = (config, database, getTenantId) => {
   const enableTenant = config.enableTenant ?? true;
   return async (c, next) => {
-    const sessionToken = getCookie2(c, "session_token") || void 0;
+    const sessionToken = getCookie3(c, "session_token") || void 0;
     let tenantId = getTenantId(c);
     if (enableTenant) {
       if (!tenantId) {
-        throw new HTTPException11(400, {
+        throw new HTTPException16(400, {
           message: "Missing tenantId. Tenant isolation is enabled."
         });
       }
     } else {
       tenantId = config.tenantId;
       if (!tenantId) {
-        throw new HTTPException11(500, {
+        throw new HTTPException16(500, {
           message: "tenantId must be provided in config when enableTenant is false."
         });
       }