@spfn/auth 0.1.0-alpha.1 → 0.1.0-alpha.86

package/dist/server.d.ts

@@ -1,7 +1,7 @@
 import { User } from './server/entities/users.js';
 import { Role } from './server/entities/roles.js';
 import { Invitation, InvitationWithDetails, InvitationStatus } from './server/entities/invitations.js';
-import { S as SessionPayload } from './api-BcQM4WKb.js';
+import { SessionPayload } from './lib/types/api.js';
 import { Context, Next } from 'hono';
 import 'drizzle-orm/pg-core';
 
@@ -46,35 +46,39 @@ interface AuthInitOptions {
      * ```typescript
      * {
      *   // Extend built-in admin role
-     *   admin: ['post:create', 'post:publish'],
+     *   admin: ['project:create', 'project:delete'],
      *
      *   // Define custom role permissions
-     *   'content-creator': ['post:create', 'post:publish'],
+     *   'project-manager': ['project:create', 'task:assign'],
      * }
      * ```
      */
     rolePermissions?: Record<string, string[]>;
-    /**
-     * Use all preset roles and permissions
-     * Includes: moderator, editor, viewer and related permissions
-     * @default false
-     */
-    usePresets?: boolean;
-    /**
-     * Select specific preset roles to include
-     * Available: MODERATOR, EDITOR, VIEWER
-     */
-    presetRoles?: Array<'MODERATOR' | 'EDITOR' | 'VIEWER'>;
-    /**
-     * Select specific preset permissions to include
-     */
-    presetPermissions?: Array<'CONTENT_READ' | 'CONTENT_WRITE' | 'CONTENT_DELETE' | 'CONTENT_PUBLISH' | 'COMMENT_MODERATE' | 'SYSTEM_CONFIG' | 'ANALYTICS_VIEW'>;
     /**
      * Default role name for new users
      * Must be a valid role name that exists after initialization
      * @default 'user'
      */
     defaultRole?: string;
+    /**
+     * Default session TTL (Time To Live)
+     *
+     * Supports:
+     * - Number: seconds (e.g., 2592000)
+     * - String: duration format ('30d', '12h', '45m', '3600s')
+     *
+     * Can be overridden at runtime with `remember` parameter.
+     *
+     * @default '7d' (7 days)
+     *
+     * @example
+     * ```typescript
+     * {
+     *   sessionTtl: '30d',  // 30 days
+     * }
+     * ```
+     */
+    sessionTtl?: string | number;
 }
 
 /**
@@ -102,29 +106,6 @@ declare const BUILTIN_ROLE_PERMISSIONS: Record<string, string[]>;
 type BuiltinRoleName = keyof typeof BUILTIN_ROLE_PERMISSIONS;
 type BuiltinPermissionName = typeof BUILTIN_PERMISSIONS[keyof typeof BUILTIN_PERMISSIONS]['name'];
 
-/**
- * @spfn/auth - Preset Roles and Permissions
- *
- * Optional preset roles and permissions for common use cases
- * Developers can choose to use these or define their own
- */
-
-/**
- * Preset roles (optional)
- * Common roles that developers can optionally include
- */
-declare const PRESET_ROLES: Record<string, RoleConfig>;
-/**
- * Preset permissions (optional)
- * Common permissions for typical application features
- */
-declare const PRESET_PERMISSIONS: Record<string, PermissionConfig>;
-/**
- * Preset role-permission mappings
- * Recommended permissions for each preset role
- */
-declare const PRESET_ROLE_PERMISSIONS: Record<string, string[]>;
-
 /**
  * @spfn/auth - Auth Service
  *
@@ -303,6 +284,43 @@ declare function updateLastLoginService(userId: number): Promise<void>;
  */
 declare function updateUserService(userId: number, updates: Partial<Omit<User, 'id' | 'createdAt'>>): Promise<void>;
 
+/**
+ * @spfn/auth - Me Service
+ *
+ * Service for retrieving current user information
+ */
+interface GetMeResult {
+    userId: string;
+    email?: string;
+    phone?: string;
+    role: {
+        id: number;
+        name: string;
+        displayName: string;
+        priority: number;
+    };
+    permissions: Array<{
+        id: number;
+        name: string;
+        displayName: string;
+        category?: string;
+    }>;
+}
+/**
+ * Get current user information including role and permissions
+ *
+ * @param userId - User ID (string, number, or bigint)
+ * @returns User info with role and permissions
+ *
+ * @example
+ * ```typescript
+ * const userInfo = await getMeService('123');
+ * console.log(userInfo.role.name); // 'admin'
+ * console.log(userInfo.permissions.length); // 15
+ * ```
+ */
+declare function getMeService(userId: string | number | bigint): Promise<GetMeResult>;
+
 /**
  * @spfn/auth - RBAC Initialization Service
  *
@@ -312,23 +330,29 @@ declare function updateUserService(userId: number, updates: Partial<Omit<User, '
 /**
  * Initialize auth package with RBAC system
  *
- * Creates built-in roles, permissions, and optionally presets or custom configurations
+ * Creates built-in roles, permissions, and custom configurations
  *
  * @param options - Initialization options
  *
  * @example
  * ```typescript
- * // Minimal - only built-in roles
+ * // Minimal - only built-in roles (user, admin, superadmin)
  * await initializeAuth();
  *
- * // With presets
- * await initializeAuth({ usePresets: true });
- *
  * // Custom roles and permissions
  * await initializeAuth({
- *   roles: [{ name: 'editor', displayName: 'Editor', priority: 30 }],
- *   permissions: [{ name: 'post:create', displayName: 'Create Posts' }],
- *   rolePermissions: { editor: ['post:create'] },
+ *   roles: [
+ *     { name: 'project-manager', displayName: 'Project Manager', priority: 50 },
+ *     { name: 'developer', displayName: 'Developer', priority: 30 },
+ *   ],
+ *   permissions: [
+ *     { name: 'project:create', displayName: 'Create Project', category: 'project' },
+ *     { name: 'task:assign', displayName: 'Assign Task', category: 'task' },
+ *   ],
+ *   rolePermissions: {
+ *     'project-manager': ['project:create', 'task:assign'],
+ *     'developer': ['task:complete'],
+ *   },
  * });
  * ```
  */
@@ -345,7 +369,7 @@ declare function initializeAuth(options?: AuthInitOptions): Promise<void>;
  * Combines role-based permissions with user-specific overrides
  * Handles expiration of temporary permissions
  *
- * @param userId - User ID (string or bigint)
+ * @param userId - User ID (string, number, or bigint)
  * @returns Array of permission names
  *
  * @example
@@ -354,7 +378,7 @@ declare function initializeAuth(options?: AuthInitOptions): Promise<void>;
  * // ['auth:self:manage', 'user:read', 'post:create']
  * ```
  */
-declare function getUserPermissions(userId: string | bigint): Promise<string[]>;
+declare function getUserPermissions(userId: string | number | bigint): Promise<string[]>;
 /**
  * Check if user has a specific permission
  *
@@ -369,7 +393,7 @@ declare function getUserPermissions(userId: string | bigint): Promise<string[]>;
  * }
  * ```
  */
-declare function hasPermission(userId: string | bigint, permissionName: string): Promise<boolean>;
+declare function hasPermission(userId: string | number | bigint, permissionName: string): Promise<boolean>;
 /**
  * Check if user has any of the specified permissions
  *
@@ -384,7 +408,7 @@ declare function hasPermission(userId: string | bigint, permissionName: string):
  * }
  * ```
  */
-declare function hasAnyPermission(userId: string | bigint, permissionNames: string[]): Promise<boolean>;
+declare function hasAnyPermission(userId: string | number | bigint, permissionNames: string[]): Promise<boolean>;
 /**
  * Check if user has all of the specified permissions
  *
@@ -399,7 +423,7 @@ declare function hasAnyPermission(userId: string | bigint, permissionNames: stri
  * }
  * ```
  */
-declare function hasAllPermissions(userId: string | bigint, permissionNames: string[]): Promise<boolean>;
+declare function hasAllPermissions(userId: string | number | bigint, permissionNames: string[]): Promise<boolean>;
 /**
  * Check if user has a specific role
  *
@@ -414,7 +438,7 @@ declare function hasAllPermissions(userId: string | bigint, permissionNames: str
  * }
  * ```
  */
-declare function hasRole(userId: string | bigint, roleName: string): Promise<boolean>;
+declare function hasRole(userId: string | number | bigint, roleName: string): Promise<boolean>;
 /**
  * Check if user has any of the specified roles
  *
@@ -422,7 +446,7 @@ declare function hasRole(userId: string | bigint, roleName: string): Promise<boo
  * @param roleNames - Array of role names
  * @returns true if user has at least one role
  */
-declare function hasAnyRole(userId: string | bigint, roleNames: string[]): Promise<boolean>;
+declare function hasAnyRole(userId: string | number | bigint, roleNames: string[]): Promise<boolean>;
 
 /**
  * @spfn/auth - Role Service
@@ -812,8 +836,10 @@ declare function validatePasswordStrength(password: string): {
 interface TokenPayload extends SessionPayload {
     exp?: number;
     iat?: number;
+    iss?: string;
     keyId?: string;
     timestamp?: number;
+    [key: string]: any;
 }
 /**
  * Generate a JWT token (legacy server-signed)
@@ -997,11 +1023,14 @@ declare function sendVerificationSMS(phone: string, code: string, purpose: strin
  * Verify client-signed JWT token with public key
  *
  * Flow:
- * 1. Extract Authorization header + X-Key-Id header
- * 2. Fetch public key from database
- * 3. Verify JWT signature with public key
- * 4. Validate user status
- * 5. Attach user to context
+ * 1. Extract Authorization header
+ * 2. Decode JWT to extract keyId
+ * 3. Fetch public key from database
+ * 4. Check key expiration
+ * 5. Verify JWT signature with public key
+ * 6. Validate user status
+ * 7. Update last used timestamp
+ * 8. Attach user to context
  *
  * Security Checks:
  * - Token signature verification
@@ -1240,4 +1269,4 @@ declare function requireRole(...roleNames: string[]): (c: Context, next: Next) =
  */
 declare function ensureAdminExists(): Promise<void>;
 
-export { type AuthContext, type AuthInitOptions, BUILTIN_PERMISSIONS, BUILTIN_ROLES, BUILTIN_ROLE_PERMISSIONS, type BuiltinPermissionName, type BuiltinRoleName, type ChangePasswordParams, type CheckAccountExistsParams, type CheckAccountExistsResult, type LoginParams, type LoginResult, type LogoutParams, PRESET_PERMISSIONS, PRESET_ROLES, PRESET_ROLE_PERMISSIONS, type PermissionConfig, type RegisterParams, type RegisterPublicKeyParams, type RegisterResult, type RevokeKeyParams, type RoleConfig, type RotateKeyParams, type RotateKeyResult, type SendVerificationCodeParams, type SendVerificationCodeResult, type TokenPayload, type VerificationTokenPayload, type VerifyCodeParams, type VerifyCodeResult, acceptInvitation, addPermissionToRole, authenticate, cancelInvitation, changePasswordService, checkAccountExistsService, createInvitation, createRole, createVerificationToken, decodeToken, deleteInvitation, deleteRole, ensureAdminExists, expireOldInvitations, generateToken, generateVerificationCode, getAllRoles, getAuth, getInvitationByToken, getInvitationWithDetails, getKeyId, getRoleByName, getRolePermissions, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, listInvitations, loginService, logoutService, markCodeAsUsed, registerPublicKeyService, registerService, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, revokeKeyService, rotateKeyService, sendVerificationCodeService, sendVerificationEmail, sendVerificationSMS, setRolePermissions, storeVerificationCode, updateLastLoginService, updateRole, updateUserService, validateInvitation, validatePasswordStrength, validateVerificationCode, validateVerificationToken, verifyClientToken, verifyCodeService, verifyKeyFingerprint, verifyPassword, verifyToken };
+export { type AuthContext, type AuthInitOptions, BUILTIN_PERMISSIONS, BUILTIN_ROLES, BUILTIN_ROLE_PERMISSIONS, type BuiltinPermissionName, type BuiltinRoleName, type ChangePasswordParams, type CheckAccountExistsParams, type CheckAccountExistsResult, type GetMeResult, type LoginParams, type LoginResult, type LogoutParams, type PermissionConfig, type RegisterParams, type RegisterPublicKeyParams, type RegisterResult, type RevokeKeyParams, type RoleConfig, type RotateKeyParams, type RotateKeyResult, type SendVerificationCodeParams, type SendVerificationCodeResult, type TokenPayload, type VerificationTokenPayload, type VerifyCodeParams, type VerifyCodeResult, acceptInvitation, addPermissionToRole, authenticate, cancelInvitation, changePasswordService, checkAccountExistsService, createInvitation, createRole, createVerificationToken, decodeToken, deleteInvitation, deleteRole, ensureAdminExists, expireOldInvitations, generateToken, generateVerificationCode, getAllRoles, getAuth, getInvitationByToken, getInvitationWithDetails, getKeyId, getMeService, getRoleByName, getRolePermissions, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, listInvitations, loginService, logoutService, markCodeAsUsed, registerPublicKeyService, registerService, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, revokeKeyService, rotateKeyService, sendVerificationCodeService, sendVerificationEmail, sendVerificationSMS, setRolePermissions, storeVerificationCode, updateLastLoginService, updateRole, updateUserService, validateInvitation, validatePasswordStrength, validateVerificationCode, validateVerificationToken, verifyClientToken, verifyCodeService, verifyKeyFingerprint, verifyPassword, verifyToken };