@spfn/auth 0.1.0-alpha.0 → 0.1.0-alpha.1

package/dist/server/entities/user-permissions.d.ts

@@ -0,0 +1,163 @@
+import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
+
+/**
+ * @spfn/auth - User-Permissions Override Entity
+ *
+ * Per-user permission grants/revocations
+ *
+ * Features:
+ * - Grant additional permissions to specific users
+ * - Revoke role-inherited permissions from specific users
+ * - Temporary permissions with expiration
+ * - Audit trail with reason field
+ *
+ * Priority:
+ * User permissions override role permissions
+ */
+declare const userPermissions: drizzle_orm_pg_core.PgTableWithColumns<{
+    name: "user_permissions";
+    schema: string;
+    columns: {
+        createdAt: drizzle_orm_pg_core.PgColumn<{
+            name: "created_at";
+            tableName: "user_permissions";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        updatedAt: drizzle_orm_pg_core.PgColumn<{
+            name: "updated_at";
+            tableName: "user_permissions";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        id: drizzle_orm_pg_core.PgColumn<{
+            name: "id";
+            tableName: "user_permissions";
+            dataType: "number";
+            columnType: "PgBigSerial53";
+            data: number;
+            driverParam: number;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        userId: drizzle_orm_pg_core.PgColumn<{
+            name: "user_id";
+            tableName: "user_permissions";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        permissionId: drizzle_orm_pg_core.PgColumn<{
+            name: "permission_id";
+            tableName: "user_permissions";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        granted: drizzle_orm_pg_core.PgColumn<{
+            name: "granted";
+            tableName: "user_permissions";
+            dataType: "boolean";
+            columnType: "PgBoolean";
+            data: boolean;
+            driverParam: boolean;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        reason: drizzle_orm_pg_core.PgColumn<{
+            name: "reason";
+            tableName: "user_permissions";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        expiresAt: drizzle_orm_pg_core.PgColumn<{
+            name: "expires_at";
+            tableName: "user_permissions";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "pg";
+}>;
+type UserPermission = typeof userPermissions.$inferSelect;
+type NewUserPermission = typeof userPermissions.$inferInsert;
+
+export { type NewUserPermission, type UserPermission, userPermissions };

package/dist/server/entities/user-permissions.js

@@ -0,0 +1,191 @@
+// src/server/entities/user-permissions.ts
+import { bigint as bigint2, boolean as boolean4, text as text4, timestamp as timestamp2, index as index4, unique } from "drizzle-orm/pg-core";
+import { id as id4, timestamps as timestamps4, createFunctionSchema as createFunctionSchema4 } from "@spfn/core/db";
+
+// src/server/entities/users.ts
+import { text as text2, timestamp, check, boolean as boolean2, bigint, index as index2 } from "drizzle-orm/pg-core";
+import { id as id2, timestamps as timestamps2, createFunctionSchema as createFunctionSchema2 } from "@spfn/core/db";
+import { sql } from "drizzle-orm";
+
+// src/server/entities/roles.ts
+import { text, boolean, integer, index } from "drizzle-orm/pg-core";
+import { id, timestamps, createFunctionSchema } from "@spfn/core/db";
+var schema = createFunctionSchema("@spfn/auth");
+var roles = schema.table(
+  "roles",
+  {
+    // Primary key
+    id: id(),
+    // Role identifier (used in code, e.g., 'admin', 'editor')
+    // Must be unique, lowercase, kebab-case recommended
+    name: text("name").notNull().unique(),
+    // Display name for UI (e.g., 'Administrator', 'Content Editor')
+    displayName: text("display_name").notNull(),
+    // Role description
+    description: text("description"),
+    // Built-in role flag
+    // true: Core package roles (user, admin, superadmin) - cannot be deleted
+    // false: Custom or preset roles - can be deleted
+    isBuiltin: boolean("is_builtin").notNull().default(false),
+    // System role flag
+    // true: Defined in code (builtin or preset) - deletion restricted
+    // false: Runtime created custom role - fully manageable
+    isSystem: boolean("is_system").notNull().default(false),
+    // Active status
+    // false: Deactivated role (users cannot be assigned)
+    isActive: boolean("is_active").notNull().default(true),
+    // Priority level (higher = more privileged)
+    // superadmin: 100, admin: 80, user: 10
+    // Used for role hierarchy and conflict resolution
+    priority: integer("priority").notNull().default(10),
+    ...timestamps()
+  },
+  (table) => [
+    index("roles_name_idx").on(table.name),
+    index("roles_is_system_idx").on(table.isSystem),
+    index("roles_is_active_idx").on(table.isActive),
+    index("roles_is_builtin_idx").on(table.isBuiltin),
+    index("roles_priority_idx").on(table.priority)
+  ]
+);
+
+// src/server/entities/users.ts
+var schema2 = createFunctionSchema2("@spfn/auth");
+var users = schema2.table(
+  "users",
+  {
+    // Identity
+    id: id2(),
+    // Email address (unique identifier)
+    // Used for: login, password reset, notifications
+    email: text2("email").unique(),
+    // Phone number in E.164 international format
+    // Format: +[country code][number] (e.g., +821012345678)
+    // Used for: SMS login, 2FA, notifications
+    phone: text2("phone").unique(),
+    // Authentication
+    // Bcrypt password hash ($2b$10$[salt][hash], 60 chars)
+    // Nullable to support OAuth-only accounts
+    passwordHash: text2("password_hash"),
+    // Force password change on next login
+    // Use cases: initial setup, security breach, policy violation
+    passwordChangeRequired: boolean2("password_change_required").notNull().default(false),
+    // Authorization (Role-Based Access Control)
+    // Foreign key to roles table
+    // References built-in roles: user (default), admin, superadmin
+    // Can also reference custom roles created at runtime
+    roleId: bigint("role_id", { mode: "number" }).references(() => roles.id).notNull(),
+    // Account status
+    // - active: Normal operation (default)
+    // - inactive: Deactivated (user request, dormant)
+    // - suspended: Locked (security incident, ToS violation)
+    status: text2(
+      "status",
+      {
+        enum: ["active", "inactive", "suspended"]
+      }
+    ).notNull().default("active"),
+    // Verification timestamps
+    // null = unverified, timestamp = verified at this time
+    // Email verification (via verification code or magic link)
+    emailVerifiedAt: timestamp("email_verified_at", { withTimezone: true }),
+    // Phone verification (via SMS OTP)
+    phoneVerifiedAt: timestamp("phone_verified_at", { withTimezone: true }),
+    // Metadata
+    // Last successful login timestamp
+    // Used for: security auditing, dormant account detection
+    lastLoginAt: timestamp("last_login_at", { withTimezone: true }),
+    ...timestamps2()
+  },
+  (table) => [
+    // Database constraints
+    // Ensure at least one identifier exists (email OR phone)
+    check(
+      "email_or_phone_check",
+      sql`${table.email} IS NOT NULL OR ${table.phone} IS NOT NULL`
+    ),
+    // Indexes for query optimization
+    index2("users_email_idx").on(table.email),
+    index2("users_phone_idx").on(table.phone),
+    index2("users_status_idx").on(table.status),
+    index2("users_role_id_idx").on(table.roleId)
+  ]
+);
+
+// src/server/entities/permissions.ts
+import { text as text3, boolean as boolean3, index as index3 } from "drizzle-orm/pg-core";
+import { id as id3, timestamps as timestamps3, createFunctionSchema as createFunctionSchema3 } from "@spfn/core/db";
+var schema3 = createFunctionSchema3("@spfn/auth");
+var permissions = schema3.table(
+  "permissions",
+  {
+    // Primary key
+    id: id3(),
+    // Permission identifier (e.g., 'user:delete', 'post:publish')
+    // Format: resource:action or namespace:resource:action
+    // Must be unique
+    name: text3("name").notNull().unique(),
+    // Display name for UI
+    displayName: text3("display_name").notNull(),
+    // Permission description
+    description: text3("description"),
+    // Category for grouping (e.g., 'user', 'post', 'admin', 'system')
+    category: text3("category"),
+    // Built-in permission flag
+    // true: Core package permissions - cannot be deleted
+    // false: Custom or preset permissions
+    isBuiltin: boolean3("is_builtin").notNull().default(false),
+    // System permission flag
+    // true: Defined in code (builtin or preset)
+    // false: Runtime created custom permission
+    isSystem: boolean3("is_system").notNull().default(false),
+    // Active status
+    // false: Deactivated permission (not enforced)
+    isActive: boolean3("is_active").notNull().default(true),
+    ...timestamps3()
+  },
+  (table) => [
+    index3("permissions_name_idx").on(table.name),
+    index3("permissions_category_idx").on(table.category),
+    index3("permissions_is_system_idx").on(table.isSystem),
+    index3("permissions_is_active_idx").on(table.isActive),
+    index3("permissions_is_builtin_idx").on(table.isBuiltin)
+  ]
+);
+
+// src/server/entities/user-permissions.ts
+var schema4 = createFunctionSchema4("@spfn/auth");
+var userPermissions = schema4.table(
+  "user_permissions",
+  {
+    // Primary key
+    id: id4(),
+    // Foreign key to users table
+    userId: bigint2("user_id", { mode: "number" }).notNull().references(() => users.id, { onDelete: "cascade" }),
+    // Foreign key to permissions table
+    permissionId: bigint2("permission_id", { mode: "number" }).notNull().references(() => permissions.id, { onDelete: "cascade" }),
+    // Grant or revoke
+    // true: Grant this permission (even if role doesn't have it)
+    // false: Revoke this permission (even if role has it)
+    granted: boolean4("granted").notNull().default(true),
+    // Reason for grant/revocation (audit trail)
+    reason: text4("reason"),
+    // Expiration timestamp (optional)
+    // null: Permanent override
+    // timestamp: Permission expires at this time
+    expiresAt: timestamp2("expires_at", { withTimezone: true }),
+    ...timestamps4()
+  },
+  (table) => [
+    // Indexes for query performance
+    index4("user_permissions_user_id_idx").on(table.userId),
+    index4("user_permissions_permission_id_idx").on(table.permissionId),
+    index4("user_permissions_expires_at_idx").on(table.expiresAt),
+    // Unique constraint: one user-permission pair only
+    unique("user_permissions_unique").on(table.userId, table.permissionId)
+  ]
+);
+export {
+  userPermissions
+};
+//# sourceMappingURL=user-permissions.js.map

package/dist/server/entities/user-permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/entities/user-permissions.ts","../../../src/server/entities/users.ts","../../../src/server/entities/roles.ts","../../../src/server/entities/permissions.ts"],"sourcesContent":["/**\n * @spfn/auth - User-Permissions Override Entity\n *\n * Per-user permission grants/revocations\n *\n * Features:\n * - Grant additional permissions to specific users\n * - Revoke role-inherited permissions from specific users\n * - Temporary permissions with expiration\n * - Audit trail with reason field\n *\n * Priority:\n * User permissions override role permissions\n */\n\nimport { bigint, boolean, text, timestamp, index, unique } from 'drizzle-orm/pg-core';\nimport { id, timestamps, createFunctionSchema } from '@spfn/core/db';\nimport { users } from './users';\nimport { permissions } from './permissions';\n\nconst schema = createFunctionSchema('@spfn/auth');\n\nexport const userPermissions = schema.table('user_permissions',\n    {\n        // Primary key\n        id: id(),\n\n        // Foreign key to users table\n        userId: bigint('user_id', { mode: 'number' })\n            .notNull()\n            .references(() => users.id, { onDelete: 'cascade' }),\n\n        // Foreign key to permissions table\n        permissionId: bigint('permission_id', { mode: 'number' })\n            .notNull()\n            .references(() => permissions.id, { onDelete: 'cascade' }),\n\n        // Grant or revoke\n        // true: Grant this permission (even if role doesn't have it)\n        // false: Revoke this permission (even if role has it)\n        granted: boolean('granted').notNull().default(true),\n\n        // Reason for grant/revocation (audit trail)\n        reason: text('reason'),\n\n        // Expiration timestamp (optional)\n        // null: Permanent override\n        // timestamp: Permission expires at this time\n        expiresAt: timestamp('expires_at', { withTimezone: true }),\n\n        ...timestamps(),\n    },\n    (table) => [\n        // Indexes for query performance\n        index('user_permissions_user_id_idx').on(table.userId),\n        index('user_permissions_permission_id_idx').on(table.permissionId),\n        index('user_permissions_expires_at_idx').on(table.expiresAt),\n\n        // Unique constraint: one user-permission pair only\n        unique('user_permissions_unique').on(table.userId, table.permissionId),\n    ]\n);\n\n// Type exports\nexport type UserPermission = typeof userPermissions.$inferSelect;\nexport type NewUserPermission = typeof userPermissions.$inferInsert;","/**\n * @spfn/auth - Users Entity\n *\n * Main user table supporting multiple authentication methods\n *\n * Features:\n * - Email or phone-based registration\n * - Password authentication (bcrypt)\n * - OAuth support (nullable passwordHash)\n * - Role-based access control (RBAC)\n * - Account status management\n * - Email/phone verification\n */\n\nimport { text, timestamp, check, boolean, bigint, index } from 'drizzle-orm/pg-core';\nimport { id, timestamps, createFunctionSchema } from '@spfn/core/db';\nimport { sql } from 'drizzle-orm';\nimport { roles } from './roles';\n\nconst schema = createFunctionSchema('@spfn/auth');\n\nexport const users = schema.table('users',\n    {\n        // Identity\n        id: id(),\n\n        // Email address (unique identifier)\n        // Used for: login, password reset, notifications\n        email: text('email').unique(),\n\n        // Phone number in E.164 international format\n        // Format: +[country code][number] (e.g., +821012345678)\n        // Used for: SMS login, 2FA, notifications\n        phone: text('phone').unique(),\n\n        // Authentication\n        // Bcrypt password hash ($2b$10$[salt][hash], 60 chars)\n        // Nullable to support OAuth-only accounts\n        passwordHash: text('password_hash'),\n\n        // Force password change on next login\n        // Use cases: initial setup, security breach, policy violation\n        passwordChangeRequired: boolean('password_change_required').notNull().default(false),\n\n        // Authorization (Role-Based Access Control)\n        // Foreign key to roles table\n        // References built-in roles: user (default), admin, superadmin\n        // Can also reference custom roles created at runtime\n        roleId: bigint('role_id', { mode: 'number' })\n            .references(() => roles.id)\n            .notNull(),\n\n        // Account status\n        // - active: Normal operation (default)\n        // - inactive: Deactivated (user request, dormant)\n        // - suspended: Locked (security incident, ToS violation)\n        status: text(\n            'status',\n            {\n                enum: ['active', 'inactive', 'suspended']\n            }\n        ).notNull().default('active'),\n\n        // Verification timestamps\n        // null = unverified, timestamp = verified at this time\n        // Email verification (via verification code or magic link)\n        emailVerifiedAt: timestamp('email_verified_at', { withTimezone: true }),\n\n        // Phone verification (via SMS OTP)\n        phoneVerifiedAt: timestamp('phone_verified_at', { withTimezone: true }),\n\n        // Metadata\n        // Last successful login timestamp\n        // Used for: security auditing, dormant account detection\n        lastLoginAt: timestamp('last_login_at', { withTimezone: true }),\n\n        ...timestamps(),\n    },\n    (table) => [\n        // Database constraints\n        // Ensure at least one identifier exists (email OR phone)\n        check(\n            'email_or_phone_check',\n            sql`${table.email} IS NOT NULL OR ${table.phone} IS NOT NULL`\n        ),\n\n        // Indexes for query optimization\n        index('users_email_idx').on(table.email),\n        index('users_phone_idx').on(table.phone),\n        index('users_status_idx').on(table.status),\n        index('users_role_id_idx').on(table.roleId),\n    ]\n);\n\n// Type exports\nexport type User = typeof users.$inferSelect;\nexport type NewUser = typeof users.$inferInsert;\nexport type UserStatus = 'active' | 'inactive' | 'suspended';\n\n// Helper type with computed verification status\nexport type UserWithVerification = User &\n{\n    isEmailVerified: boolean;\n    isPhoneVerified: boolean;\n};","/**\n * @spfn/auth - Roles Entity\n *\n * Role-based access control (RBAC) roles table\n *\n * Features:\n * - Built-in roles (user, admin, superadmin) - cannot be deleted\n * - System roles (preset roles) - can be deactivated\n * - Custom roles (runtime created) - fully manageable\n * - Priority-based hierarchy\n */\n\nimport { text, boolean, integer, index } from 'drizzle-orm/pg-core';\nimport { id, timestamps, createFunctionSchema } from '@spfn/core/db';\n\nconst schema = createFunctionSchema('@spfn/auth');\n\nexport const roles = schema.table('roles',\n    {\n        // Primary key\n        id: id(),\n\n        // Role identifier (used in code, e.g., 'admin', 'editor')\n        // Must be unique, lowercase, kebab-case recommended\n        name: text('name').notNull().unique(),\n\n        // Display name for UI (e.g., 'Administrator', 'Content Editor')\n        displayName: text('display_name').notNull(),\n\n        // Role description\n        description: text('description'),\n\n        // Built-in role flag\n        // true: Core package roles (user, admin, superadmin) - cannot be deleted\n        // false: Custom or preset roles - can be deleted\n        isBuiltin: boolean('is_builtin').notNull().default(false),\n\n        // System role flag\n        // true: Defined in code (builtin or preset) - deletion restricted\n        // false: Runtime created custom role - fully manageable\n        isSystem: boolean('is_system').notNull().default(false),\n\n        // Active status\n        // false: Deactivated role (users cannot be assigned)\n        isActive: boolean('is_active').notNull().default(true),\n\n        // Priority level (higher = more privileged)\n        // superadmin: 100, admin: 80, user: 10\n        // Used for role hierarchy and conflict resolution\n        priority: integer('priority').notNull().default(10),\n\n        ...timestamps(),\n    },\n    (table) => [\n        index('roles_name_idx').on(table.name),\n        index('roles_is_system_idx').on(table.isSystem),\n        index('roles_is_active_idx').on(table.isActive),\n        index('roles_is_builtin_idx').on(table.isBuiltin),\n        index('roles_priority_idx').on(table.priority),\n    ]\n);\n\n// Type exports\nexport type RoleEntity = typeof roles.$inferSelect;\nexport type NewRoleEntity = typeof roles.$inferInsert;\n\n// Legacy alias for backward compatibility\nexport type Role = RoleEntity;\nexport type NewRole = NewRoleEntity;","/**\n * @spfn/auth - Permissions Entity\n *\n * Granular permissions for RBAC system\n *\n * Features:\n * - Built-in permissions (auth:*, user:*, rbac:*) - required for package\n * - System permissions (preset permissions) - optional\n * - Custom permissions (app-specific) - defined by developers\n * - Category grouping for organization\n */\n\nimport { text, boolean, index } from 'drizzle-orm/pg-core';\nimport { id, timestamps, createFunctionSchema } from '@spfn/core/db';\n\nconst schema = createFunctionSchema('@spfn/auth');\n\nexport const permissions = schema.table('permissions',\n    {\n        // Primary key\n        id: id(),\n\n        // Permission identifier (e.g., 'user:delete', 'post:publish')\n        // Format: resource:action or namespace:resource:action\n        // Must be unique\n        name: text('name').notNull().unique(),\n\n        // Display name for UI\n        displayName: text('display_name').notNull(),\n\n        // Permission description\n        description: text('description'),\n\n        // Category for grouping (e.g., 'user', 'post', 'admin', 'system')\n        category: text('category'),\n\n        // Built-in permission flag\n        // true: Core package permissions - cannot be deleted\n        // false: Custom or preset permissions\n        isBuiltin: boolean('is_builtin').notNull().default(false),\n\n        // System permission flag\n        // true: Defined in code (builtin or preset)\n        // false: Runtime created custom permission\n        isSystem: boolean('is_system').notNull().default(false),\n\n        // Active status\n        // false: Deactivated permission (not enforced)\n        isActive: boolean('is_active').notNull().default(true),\n\n        ...timestamps(),\n    },\n    (table) => [\n        index('permissions_name_idx').on(table.name),\n        index('permissions_category_idx').on(table.category),\n        index('permissions_is_system_idx').on(table.isSystem),\n        index('permissions_is_active_idx').on(table.isActive),\n        index('permissions_is_builtin_idx').on(table.isBuiltin),\n    ]\n);\n\n// Type exports\nexport type PermissionEntity = typeof permissions.$inferSelect;\nexport type NewPermissionEntity = typeof permissions.$inferInsert;\n\n// Legacy alias for backward compatibility\nexport type Permission = PermissionEntity;\nexport type NewPermission = NewPermissionEntity;"],"mappings":";AAeA,SAAS,UAAAA,SAAQ,WAAAC,UAAS,QAAAC,OAAM,aAAAC,YAAW,SAAAC,QAAO,cAAc;AAChE,SAAS,MAAAC,KAAI,cAAAC,aAAY,wBAAAC,6BAA4B;;;ACFrD,SAAS,QAAAC,OAAM,WAAW,OAAO,WAAAC,UAAS,QAAQ,SAAAC,cAAa;AAC/D,SAAS,MAAAC,KAAI,cAAAC,aAAY,wBAAAC,6BAA4B;AACrD,SAAS,WAAW;;;ACJpB,SAAS,MAAM,SAAS,SAAS,aAAa;AAC9C,SAAS,IAAI,YAAY,4BAA4B;AAErD,IAAM,SAAS,qBAAqB,YAAY;AAEzC,IAAM,QAAQ,OAAO;AAAA,EAAM;AAAA,EAC9B;AAAA;AAAA,IAEI,IAAI,GAAG;AAAA;AAAA;AAAA,IAIP,MAAM,KAAK,MAAM,EAAE,QAAQ,EAAE,OAAO;AAAA;AAAA,IAGpC,aAAa,KAAK,cAAc,EAAE,QAAQ;AAAA;AAAA,IAG1C,aAAa,KAAK,aAAa;AAAA;AAAA;AAAA;AAAA,IAK/B,WAAW,QAAQ,YAAY,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA;AAAA;AAAA,IAKxD,UAAU,QAAQ,WAAW,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA;AAAA,IAItD,UAAU,QAAQ,WAAW,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA;AAAA;AAAA,IAKrD,UAAU,QAAQ,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;AAAA,IAElD,GAAG,WAAW;AAAA,EAClB;AAAA,EACA,CAAC,UAAU;AAAA,IACP,MAAM,gBAAgB,EAAE,GAAG,MAAM,IAAI;AAAA,IACrC,MAAM,qBAAqB,EAAE,GAAG,MAAM,QAAQ;AAAA,IAC9C,MAAM,qBAAqB,EAAE,GAAG,MAAM,QAAQ;AAAA,IAC9C,MAAM,sBAAsB,EAAE,GAAG,MAAM,SAAS;AAAA,IAChD,MAAM,oBAAoB,EAAE,GAAG,MAAM,QAAQ;AAAA,EACjD;AACJ;;;ADzCA,IAAMC,UAASC,sBAAqB,YAAY;AAEzC,IAAM,QAAQD,QAAO;AAAA,EAAM;AAAA,EAC9B;AAAA;AAAA,IAEI,IAAIE,IAAG;AAAA;AAAA;AAAA,IAIP,OAAOC,MAAK,OAAO,EAAE,OAAO;AAAA;AAAA;AAAA;AAAA,IAK5B,OAAOA,MAAK,OAAO,EAAE,OAAO;AAAA;AAAA;AAAA;AAAA,IAK5B,cAAcA,MAAK,eAAe;AAAA;AAAA;AAAA,IAIlC,wBAAwBC,SAAQ,0BAA0B,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA,IAMnF,QAAQ,OAAO,WAAW,EAAE,MAAM,SAAS,CAAC,EACvC,WAAW,MAAM,MAAM,EAAE,EACzB,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,IAMb,QAAQD;AAAA,MACJ;AAAA,MACA;AAAA,QACI,MAAM,CAAC,UAAU,YAAY,WAAW;AAAA,MAC5C;AAAA,IACJ,EAAE,QAAQ,EAAE,QAAQ,QAAQ;AAAA;AAAA;AAAA;AAAA,IAK5B,iBAAiB,UAAU,qBAAqB,EAAE,cAAc,KAAK,CAAC;AAAA;AAAA,IAGtE,iBAAiB,UAAU,qBAAqB,EAAE,cAAc,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA,IAKtE,aAAa,UAAU,iBAAiB,EAAE,cAAc,KAAK,CAAC;AAAA,IAE9D,GAAGE,YAAW;AAAA,EAClB;AAAA,EACA,CAAC,UAAU;AAAA;AAAA;AAAA,IAGP;AAAA,MACI;AAAA,MACA,MAAM,MAAM,KAAK,mBAAmB,MAAM,KAAK;AAAA,IACnD;AAAA;AAAA,IAGAC,OAAM,iBAAiB,EAAE,GAAG,MAAM,KAAK;AAAA,IACvCA,OAAM,iBAAiB,EAAE,GAAG,MAAM,KAAK;AAAA,IACvCA,OAAM,kBAAkB,EAAE,GAAG,MAAM,MAAM;AAAA,IACzCA,OAAM,mBAAmB,EAAE,GAAG,MAAM,MAAM;AAAA,EAC9C;AACJ;;;AEhFA,SAAS,QAAAC,OAAM,WAAAC,UAAS,SAAAC,cAAa;AACrC,SAAS,MAAAC,KAAI,cAAAC,aAAY,wBAAAC,6BAA4B;AAErD,IAAMC,UAASD,sBAAqB,YAAY;AAEzC,IAAM,cAAcC,QAAO;AAAA,EAAM;AAAA,EACpC;AAAA;AAAA,IAEI,IAAIH,IAAG;AAAA;AAAA;AAAA;AAAA,IAKP,MAAMH,MAAK,MAAM,EAAE,QAAQ,EAAE,OAAO;AAAA;AAAA,IAGpC,aAAaA,MAAK,cAAc,EAAE,QAAQ;AAAA;AAAA,IAG1C,aAAaA,MAAK,aAAa;AAAA;AAAA,IAG/B,UAAUA,MAAK,UAAU;AAAA;AAAA;AAAA;AAAA,IAKzB,WAAWC,SAAQ,YAAY,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA;AAAA;AAAA,IAKxD,UAAUA,SAAQ,WAAW,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA;AAAA,IAItD,UAAUA,SAAQ,WAAW,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,IAErD,GAAGG,YAAW;AAAA,EAClB;AAAA,EACA,CAAC,UAAU;AAAA,IACPF,OAAM,sBAAsB,EAAE,GAAG,MAAM,IAAI;AAAA,IAC3CA,OAAM,0BAA0B,EAAE,GAAG,MAAM,QAAQ;AAAA,IACnDA,OAAM,2BAA2B,EAAE,GAAG,MAAM,QAAQ;AAAA,IACpDA,OAAM,2BAA2B,EAAE,GAAG,MAAM,QAAQ;AAAA,IACpDA,OAAM,4BAA4B,EAAE,GAAG,MAAM,SAAS;AAAA,EAC1D;AACJ;;;AHvCA,IAAMK,UAASC,sBAAqB,YAAY;AAEzC,IAAM,kBAAkBD,QAAO;AAAA,EAAM;AAAA,EACxC;AAAA;AAAA,IAEI,IAAIE,IAAG;AAAA;AAAA,IAGP,QAAQC,QAAO,WAAW,EAAE,MAAM,SAAS,CAAC,EACvC,QAAQ,EACR,WAAW,MAAM,MAAM,IAAI,EAAE,UAAU,UAAU,CAAC;AAAA;AAAA,IAGvD,cAAcA,QAAO,iBAAiB,EAAE,MAAM,SAAS,CAAC,EACnD,QAAQ,EACR,WAAW,MAAM,YAAY,IAAI,EAAE,UAAU,UAAU,CAAC;AAAA;AAAA;AAAA;AAAA,IAK7D,SAASC,SAAQ,SAAS,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,IAGlD,QAAQC,MAAK,QAAQ;AAAA;AAAA;AAAA;AAAA,IAKrB,WAAWC,WAAU,cAAc,EAAE,cAAc,KAAK,CAAC;AAAA,IAEzD,GAAGC,YAAW;AAAA,EAClB;AAAA,EACA,CAAC,UAAU;AAAA;AAAA,IAEPC,OAAM,8BAA8B,EAAE,GAAG,MAAM,MAAM;AAAA,IACrDA,OAAM,oCAAoC,EAAE,GAAG,MAAM,YAAY;AAAA,IACjEA,OAAM,iCAAiC,EAAE,GAAG,MAAM,SAAS;AAAA;AAAA,IAG3D,OAAO,yBAAyB,EAAE,GAAG,MAAM,QAAQ,MAAM,YAAY;AAAA,EACzE;AACJ;","names":["bigint","boolean","text","timestamp","index","id","timestamps","createFunctionSchema","text","boolean","index","id","timestamps","createFunctionSchema","schema","createFunctionSchema","id","text","boolean","timestamps","index","text","boolean","index","id","timestamps","createFunctionSchema","schema","schema","createFunctionSchema","id","bigint","boolean","text","timestamp","timestamps","index"]}

package/dist/server/entities/user-public-keys.d.ts

@@ -0,0 +1,227 @@
+import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
+
+/**
+ * @spfn/auth - User Public Keys Entity
+ *
+ * Stores client-generated public keys for JWT verification
+ * Supports key rotation and multi-key management per user
+ */
+/**
+ * User Public Keys Table
+ * Each user can have multiple public keys (for rotation)
+ */
+declare const userPublicKeys: drizzle_orm_pg_core.PgTableWithColumns<{
+    name: "user_public_keys";
+    schema: string;
+    columns: {
+        id: drizzle_orm_pg_core.PgColumn<{
+            name: "id";
+            tableName: "user_public_keys";
+            dataType: "number";
+            columnType: "PgBigSerial53";
+            data: number;
+            driverParam: number;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        userId: drizzle_orm_pg_core.PgColumn<{
+            name: `${string}_id`;
+            tableName: "user_public_keys";
+            dataType: "number";
+            columnType: "PgBigSerial53";
+            data: number;
+            driverParam: number;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        keyId: drizzle_orm_pg_core.PgColumn<{
+            name: "key_id";
+            tableName: "user_public_keys";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        publicKey: drizzle_orm_pg_core.PgColumn<{
+            name: "public_key";
+            tableName: "user_public_keys";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        algorithm: drizzle_orm_pg_core.PgColumn<{
+            name: "algorithm";
+            tableName: "user_public_keys";
+            dataType: "string";
+            columnType: "PgText";
+            data: "ES256" | "RS256";
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: ["ES256", "RS256"];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        fingerprint: drizzle_orm_pg_core.PgColumn<{
+            name: "fingerprint";
+            tableName: "user_public_keys";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        isActive: drizzle_orm_pg_core.PgColumn<{
+            name: "is_active";
+            tableName: "user_public_keys";
+            dataType: "boolean";
+            columnType: "PgBoolean";
+            data: boolean;
+            driverParam: boolean;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        createdAt: drizzle_orm_pg_core.PgColumn<{
+            name: "created_at";
+            tableName: "user_public_keys";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        lastUsedAt: drizzle_orm_pg_core.PgColumn<{
+            name: "last_used_at";
+            tableName: "user_public_keys";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        expiresAt: drizzle_orm_pg_core.PgColumn<{
+            name: "expires_at";
+            tableName: "user_public_keys";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        revokedAt: drizzle_orm_pg_core.PgColumn<{
+            name: "revoked_at";
+            tableName: "user_public_keys";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        revokedReason: drizzle_orm_pg_core.PgColumn<{
+            name: "revoked_reason";
+            tableName: "user_public_keys";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "pg";
+}>;
+type UserPublicKey = typeof userPublicKeys.$inferSelect;
+type NewUserPublicKey = typeof userPublicKeys.$inferInsert;
+
+export { type NewUserPublicKey, type UserPublicKey, userPublicKeys };