@spfn/auth 0.1.0-alpha.88 → 0.2.0-beta.2

package/dist/dto-CLYtuAom.d.ts

@@ -0,0 +1,630 @@
+import * as _sinclair_typebox from '@sinclair/typebox';
+import { Static } from '@sinclair/typebox';
+import * as _spfn_core_route from '@spfn/core/route';
+import { User } from '@spfn/auth/server';
+
+/**
+ * @spfn/auth - Shared Types
+ *
+ * Common types and constants used across the auth package
+ */
+/**
+ * Supported JWT signature algorithms
+ *
+ * - ES256: ECDSA with P-256 and SHA-256 (recommended, smaller keys)
+ * - RS256: RSA with SHA-256 (fallback, larger keys)
+ */
+declare const KEY_ALGORITHM: readonly ["ES256", "RS256"];
+/**
+ * Key algorithm type derived from the const array
+ */
+type KeyAlgorithmType = typeof KEY_ALGORITHM[number];
+/**
+ * Invitation status enum values
+ * Single source of truth for all invitation statuses
+ */
+declare const INVITATION_STATUSES: readonly ["pending", "accepted", "expired", "cancelled"];
+/**
+ * Invitation status type derived from the const array
+ */
+type InvitationStatus = typeof INVITATION_STATUSES[number];
+/**
+ * User status enum values
+ * Single source of truth for all user statuses
+ */
+declare const USER_STATUSES: readonly ["active", "inactive", "suspended"];
+/**
+ * User status type derived from the const array
+ */
+type UserStatus = typeof USER_STATUSES[number];
+/**
+ * Social provider enum values
+ * Single source of truth for supported OAuth providers
+ */
+declare const SOCIAL_PROVIDERS: readonly ["google", "github", "kakao", "naver"];
+/**
+ * Social provider type derived from the const array
+ */
+type SocialProvider = typeof SOCIAL_PROVIDERS[number];
+
+/**
+ * @spfn/auth - Auth Service
+ *
+ * Core authentication logic: registration, login, logout, password management
+ */
+
+interface CheckAccountExistsParams {
+    email?: string;
+    phone?: string;
+}
+interface CheckAccountExistsResult {
+    exists: boolean;
+    identifier: string;
+    identifierType: 'email' | 'phone';
+}
+interface RegisterParams {
+    email?: string;
+    phone?: string;
+    verificationToken: string;
+    password: string;
+    publicKey: string;
+    keyId: string;
+    fingerprint: string;
+    algorithm?: KeyAlgorithmType;
+}
+interface RegisterResult {
+    userId: string;
+    email?: string;
+    phone?: string;
+}
+interface LoginParams {
+    email?: string;
+    phone?: string;
+    password: string;
+    publicKey: string;
+    keyId: string;
+    fingerprint: string;
+    oldKeyId?: string;
+    algorithm?: KeyAlgorithmType;
+}
+interface LoginResult {
+    userId: string;
+    email?: string;
+    phone?: string;
+    passwordChangeRequired: boolean;
+}
+interface LogoutParams {
+    userId: number;
+    keyId: string;
+}
+interface ChangePasswordParams {
+    userId: number;
+    currentPassword: string;
+    newPassword: string;
+    passwordHash?: string;
+}
+/**
+ * Check if an account exists by email or phone
+ */
+declare function checkAccountExistsService(params: CheckAccountExistsParams): Promise<CheckAccountExistsResult>;
+/**
+ * Register a new user account
+ */
+declare function registerService(params: RegisterParams): Promise<RegisterResult>;
+/**
+ * Authenticate user and create session
+ */
+declare function loginService(params: LoginParams): Promise<LoginResult>;
+/**
+ * Logout user (revoke current key)
+ */
+declare function logoutService(params: LogoutParams): Promise<void>;
+/**
+ * Change user password
+ */
+declare function changePasswordService(params: ChangePasswordParams): Promise<void>;
+
+declare const EmailSchema: _sinclair_typebox.TString;
+declare const PhoneSchema: _sinclair_typebox.TString;
+declare const PasswordSchema: _sinclair_typebox.TString;
+declare const TargetTypeSchema: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
+type VerificationTargetType = Static<typeof TargetTypeSchema>;
+declare const VERIFICATION_TARGET_TYPES: readonly ["email", "phone"];
+declare const VerificationPurposeSchema: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+type VerificationPurpose = Static<typeof VerificationPurposeSchema>;
+declare const VERIFICATION_PURPOSES: readonly ["registration", "login", "password_reset", "email_change", "phone_change"];
+
+/**
+ * @spfn/auth - Verification Service
+ *
+ * Handles OTP code generation, validation, and delivery
+ */
+
+interface SendVerificationCodeParams {
+    target: string;
+    targetType: VerificationTargetType;
+    purpose: VerificationPurpose;
+}
+interface SendVerificationCodeResult {
+    success: boolean;
+    expiresAt: string;
+}
+interface VerifyCodeParams {
+    target: string;
+    targetType: VerificationTargetType;
+    code: string;
+    purpose: VerificationPurpose;
+}
+interface VerifyCodeResult {
+    valid: boolean;
+    verificationToken: string;
+}
+/**
+ * Send verification code via email or SMS
+ */
+declare function sendVerificationCodeService(params: SendVerificationCodeParams): Promise<SendVerificationCodeResult>;
+/**
+ * Verify OTP code and return verification token
+ */
+declare function verifyCodeService(params: VerifyCodeParams): Promise<{
+    valid: boolean;
+    verificationToken: string;
+}>;
+
+/**
+ * @spfn/auth - Key Service
+ *
+ * Handles public key registration, rotation, and revocation
+ */
+
+interface RegisterPublicKeyParams {
+    userId: number;
+    keyId: string;
+    publicKey: string;
+    fingerprint: string;
+    algorithm?: KeyAlgorithmType;
+}
+interface RotateKeyParams {
+    userId: number;
+    oldKeyId: string;
+    newKeyId: string;
+    newPublicKey: string;
+    fingerprint: string;
+    algorithm?: KeyAlgorithmType;
+}
+interface RotateKeyResult {
+    success: boolean;
+    keyId: string;
+}
+interface RevokeKeyParams {
+    userId: number;
+    keyId: string;
+    reason: string;
+}
+/**
+ * Register a new public key for a user
+ */
+declare function registerPublicKeyService(params: RegisterPublicKeyParams): Promise<void>;
+/**
+ * Rotate user's public key (revoke old, register new)
+ */
+declare function rotateKeyService(params: RotateKeyParams): Promise<RotateKeyResult>;
+/**
+ * Revoke a user's public key
+ */
+declare function revokeKeyService(params: RevokeKeyParams): Promise<void>;
+
+/**
+ * @spfn/auth - RBAC Type Definitions
+ *
+ * Type definitions for role and permission configuration
+ */
+/**
+ * Permission category enum values
+ * Single source of truth for permission categories
+ */
+declare const PERMISSION_CATEGORIES: readonly ["auth", "user", "rbac", "system", "custom"];
+/**
+ * Permission category type derived from the const array
+ */
+type PermissionCategory = typeof PERMISSION_CATEGORIES[number];
+interface RoleConfig {
+    name: string;
+    displayName: string;
+    description?: string;
+    priority?: number;
+    isSystem?: boolean;
+    isBuiltin?: boolean;
+}
+interface PermissionConfig {
+    name: string;
+    displayName: string;
+    description?: string;
+    category?: PermissionCategory;
+    isSystem?: boolean;
+    isBuiltin?: boolean;
+}
+interface AuthInitOptions {
+    /**
+     * Additional roles to create
+     * Built-in roles (user, admin, superadmin) are automatically included
+     */
+    roles?: RoleConfig[];
+    /**
+     * Additional permissions to create
+     * Built-in permissions are automatically included
+     */
+    permissions?: PermissionConfig[];
+    /**
+     * Role-Permission mappings
+     * Built-in mappings are automatically included
+     * You can extend built-in roles or define mappings for custom roles
+     *
+     * @example
+     * ```typescript
+     * {
+     *   // Extend built-in admin role
+     *   admin: ['project:create', 'project:delete'],
+     *
+     *   // Define custom role permissions
+     *   'project-manager': ['project:create', 'task:assign'],
+     * }
+     * ```
+     */
+    rolePermissions?: Record<string, string[]>;
+    /**
+     * Default role name for new users
+     * Must be a valid role name that exists after initialization
+     * @default 'user'
+     */
+    defaultRole?: string;
+    /**
+     * Default session TTL (Time To Live)
+     *
+     * Supports:
+     * - Number: seconds (e.g., 2592000)
+     * - String: duration format ('30d', '12h', '45m', '3600s')
+     *
+     * Can be overridden at runtime with `remember` parameter.
+     *
+     * @default '7d' (7 days)
+     *
+     * @example
+     * ```typescript
+     * {
+     *   sessionTtl: '30d',  // 30 days
+     * }
+     * ```
+     */
+    sessionTtl?: string | number;
+}
+
+/**
+ * @spfn/auth - Main Router
+ *
+ * Combines all auth-related routes into a single router
+ */
+/**
+ * Main auth router
+ * Exports all authentication-related routes
+ *
+ * Routes:
+ * - Auth: /_auth/exists, /_auth/codes, /_auth/login, /_auth/logout, etc.
+ * - Invitations: /_auth/invitations/*
+ * - Users: /_auth/users/*
+ */
+declare const mainAuthRouter: _spfn_core_route.Router<{
+    getUserProfile: _spfn_core_route.RouteDef<{}, {}, UserProfile>;
+    getInvitation: _spfn_core_route.RouteDef<{
+        params: _sinclair_typebox.TObject<{
+            token: _sinclair_typebox.TString;
+        }>;
+    }, {}, {
+        email: string;
+        role: string;
+        roleDisplayName: string;
+        invitedBy: string;
+        expiresAt: string;
+        metadata: Record<string, any> | undefined;
+    }>;
+    acceptInvitation: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            token: _sinclair_typebox.TString;
+            password: _sinclair_typebox.TString;
+        }>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+        }>;
+    }, {
+        userId: number;
+        email: string;
+        role: string;
+    }>;
+    createInvitation: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TString;
+            roleId: _sinclair_typebox.TNumber;
+            expiresInDays: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TAny>;
+        }>;
+    }, {}, {
+        id: number;
+        email: string;
+        token: string;
+        roleId: number;
+        expiresAt: string;
+        invitationUrl: string;
+    }>;
+    listInvitations: _spfn_core_route.RouteDef<{
+        query: _sinclair_typebox.TObject<{
+            status: _sinclair_typebox.TOptional<_sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"pending" | "accepted" | "expired" | "cancelled">[]>>;
+            page: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            limit: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+        }>;
+    }, {}, {
+        invitations: {
+            id: number;
+            email: string;
+            token: string;
+            roleId: number;
+            invitedBy: number;
+            status: "pending" | "accepted" | "expired" | "cancelled";
+            expiresAt: Date;
+            acceptedAt: Date | null;
+            cancelledAt: Date | null;
+            metadata: Record<string, any> | null;
+            createdAt: Date;
+            updatedAt: Date;
+            role: {
+                id: number;
+                name: string;
+                displayName: string;
+            };
+            inviter: {
+                id: number;
+                email: string | null;
+            };
+        }[];
+        total: number;
+        page: number;
+        limit: number;
+        totalPages: number;
+    }>;
+    cancelInvitation: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            id: _sinclair_typebox.TNumber;
+            reason: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, {}, {
+        cancelledAt: string;
+    }>;
+    resendInvitation: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            id: _sinclair_typebox.TNumber;
+            expiresInDays: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+        }>;
+    }, {}, {
+        expiresAt: string;
+    }>;
+    deleteInvitation: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            id: _sinclair_typebox.TNumber;
+        }>;
+    }, {}, Response>;
+    checkAccountExists: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TString;
+        }>, _sinclair_typebox.TObject<{
+            phone: _sinclair_typebox.TString;
+        }>]>;
+    }, {}, CheckAccountExistsResult>;
+    sendVerificationCode: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            target: _sinclair_typebox.TString;
+            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
+            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+        }>;
+    }, {}, SendVerificationCodeResult>;
+    verifyCode: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            target: _sinclair_typebox.TString;
+            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
+            code: _sinclair_typebox.TString;
+            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+        }>;
+    }, {}, {
+        valid: boolean;
+        verificationToken: string;
+    }>;
+    register: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            verificationToken: _sinclair_typebox.TString;
+            password: _sinclair_typebox.TString;
+        }>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+        }>;
+    }, RegisterResult>;
+    login: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            password: _sinclair_typebox.TString;
+        }>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+            oldKeyId: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, LoginResult>;
+    logout: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{}>;
+    }, {}, Response>;
+    rotateKey: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{}>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+        }>;
+    }, RotateKeyResult>;
+    changePassword: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            currentPassword: _sinclair_typebox.TString;
+            newPassword: _sinclair_typebox.TString;
+        }>;
+    }, {}, Response>;
+    getAuthSession: _spfn_core_route.RouteDef<{}, {}, {
+        role: {
+            id: number;
+            name: string;
+            displayName: string;
+            priority: number;
+        };
+        permissions: {
+            id: number;
+            name: string;
+            displayName: string;
+            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
+        }[];
+        userId: number;
+        email: string | null;
+        emailVerified: boolean;
+        phoneVerified: boolean;
+    }>;
+}>;
+
+interface AuthContext {
+    user: User;
+    userId: string;
+    keyId: string;
+}
+declare module 'hono' {
+    interface ContextVariableMap {
+        auth: AuthContext;
+    }
+}
+/**
+ * Authentication middleware
+ *
+ * Verifies client-signed JWT token using stored public key
+ * Must be applied to routes that require authentication
+ *
+ * @example
+ * ```typescript
+ * // In server.config.ts
+ * import { authenticate } from '@spfn/auth/server/middleware';
+ *
+ * export default defineServerConfig()
+ *   .middlewares([authenticate])
+ *   .routes(appRouter)
+ *   .build();
+ *
+ * // In route file - skip auth for public routes
+ * export const publicRoute = route.get('/health')
+ *   .skip(['auth'])  // Type-safe skip
+ *   .handler(async (c) => c.success({ status: 'ok' }));
+ *
+ * // Protected route - auth applied automatically
+ * export const protectedRoute = route.get('/profile')
+ *   .handler(async (c) => {
+ *     const auth = c.get('auth');  // Get auth context
+ *     const { user, userId, keyId } = auth;
+ *     // Or access directly: c.get('auth').user
+ *   });
+ * ```
+ */
+declare const authenticate: _spfn_core_route.NamedMiddleware<"auth">;
+
+/**
+ * Role information for client/API responses
+ */
+interface Role {
+    id: number;
+    name: string;
+    displayName: string;
+    description: string | null;
+    isBuiltin: boolean;
+    isSystem: boolean;
+    isActive: boolean;
+    priority: number;
+    createdAt: Date;
+    updatedAt: Date;
+}
+/**
+ * Permission information for client/API responses
+ */
+interface Permission {
+    id: number;
+    name: string;
+    displayName: string;
+    description: string | null;
+    category: string | null;
+    isBuiltin: boolean;
+    isSystem: boolean;
+    isActive: boolean;
+    metadata: Record<string, any> | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface AuthSession {
+    userId: number;
+    email: string | null;
+    emailVerified: boolean;
+    phoneVerified: boolean;
+    role: Role;
+    permissions: Permission[];
+}
+interface ProfileInfo {
+    profileId: number;
+    displayName: string;
+    firstName: string | null;
+    lastName: string | null;
+    avatarUrl: string | null;
+    bio: string | null;
+    locale: string;
+    timezone: string;
+    website: string | null;
+    location: string | null;
+    company: string | null;
+    jobTitle: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+/**
+ * User Profile Response
+ *
+ * Complete user data including:
+ * - User fields at top level (userId, email, etc.)
+ * - Profile data as nested field (optional)
+ *
+ * Excludes:
+ * - Role and permissions (use auth session API)
+ */
+interface UserProfile {
+    userId: number;
+    email: string | null;
+    emailVerified: boolean;
+    phoneVerified: boolean;
+    lastLoginAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date;
+    profile: ProfileInfo | null;
+}
+
+export { VerificationPurposeSchema as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type RegisterPublicKeyParams as O, type PermissionConfig as P, type RotateKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RevokeKeyParams as T, type UserProfile as U, type VerificationTargetType as V, authenticate as W, EmailSchema as X, PhoneSchema as Y, PasswordSchema as Z, TargetTypeSchema as _, type RegisterResult as a, type RotateKeyResult as b, type ProfileInfo as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };