@spfn/auth 0.1.0-alpha.88 → 0.2.0-beta.2

package/dist/errors.d.ts

@@ -0,0 +1,196 @@
+import { UnauthorizedError, ForbiddenError, ConflictError, ValidationError, ErrorRegistry } from '@spfn/core/errors';
+
+/**
+ * Authentication & Authorization Error Classes
+ *
+ * Custom error classes for auth-specific scenarios
+ */
+
+/**
+ * Invalid Credentials Error (401)
+ *
+ * Thrown when login credentials are incorrect
+ */
+declare class InvalidCredentialsError extends UnauthorizedError {
+    constructor(data?: {
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Invalid Token Error (401)
+ *
+ * Thrown when authentication token is invalid or malformed
+ */
+declare class InvalidTokenError extends UnauthorizedError {
+    constructor(data?: {
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Token Expired Error (401)
+ *
+ * Thrown when authentication token has expired
+ */
+declare class TokenExpiredError extends UnauthorizedError {
+    constructor(data?: {
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Key Expired Error (401)
+ *
+ * Thrown when public key has expired
+ */
+declare class KeyExpiredError extends UnauthorizedError {
+    constructor(data?: {
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Account Disabled Error (403)
+ *
+ * Thrown when user account is disabled or inactive
+ */
+declare class AccountDisabledError extends ForbiddenError {
+    constructor(data?: {
+        status?: string;
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Account Already Exists Error (409)
+ *
+ * Thrown when trying to register with existing email/phone
+ */
+declare class AccountAlreadyExistsError extends ConflictError {
+    constructor(data?: {
+        identifier?: string;
+        identifierType?: 'email' | 'phone';
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Invalid Verification Code Error (400)
+ *
+ * Thrown when verification code is invalid, expired, or already used
+ */
+declare class InvalidVerificationCodeError extends ValidationError {
+    constructor(data?: {
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Invalid Verification Token Error (400)
+ *
+ * Thrown when verification token is invalid or expired
+ */
+declare class InvalidVerificationTokenError extends ValidationError {
+    constructor(data?: {
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Invalid Key Fingerprint Error (400)
+ *
+ * Thrown when public key fingerprint doesn't match the public key
+ */
+declare class InvalidKeyFingerprintError extends ValidationError {
+    constructor(data?: {
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Verification Token Purpose Mismatch Error (400)
+ *
+ * Thrown when verification token purpose doesn't match expected purpose
+ */
+declare class VerificationTokenPurposeMismatchError extends ValidationError {
+    constructor(data?: {
+        expected?: string;
+        actual?: string;
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Verification Token Target Mismatch Error (400)
+ *
+ * Thrown when verification token target doesn't match provided email/phone
+ */
+declare class VerificationTokenTargetMismatchError extends ValidationError {
+    constructor(data?: {
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Insufficient Permissions Error (403)
+ *
+ * Thrown when user lacks required permissions for the operation
+ */
+declare class InsufficientPermissionsError extends ForbiddenError {
+    constructor(data?: {
+        requiredPermissions?: string[];
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+/**
+ * Insufficient Role Error (403)
+ *
+ * Thrown when user lacks required role for the operation
+ */
+declare class InsufficientRoleError extends ForbiddenError {
+    constructor(data?: {
+        requiredRoles?: string[];
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
+
+type authErrors_AccountAlreadyExistsError = AccountAlreadyExistsError;
+declare const authErrors_AccountAlreadyExistsError: typeof AccountAlreadyExistsError;
+type authErrors_AccountDisabledError = AccountDisabledError;
+declare const authErrors_AccountDisabledError: typeof AccountDisabledError;
+type authErrors_InsufficientPermissionsError = InsufficientPermissionsError;
+declare const authErrors_InsufficientPermissionsError: typeof InsufficientPermissionsError;
+type authErrors_InsufficientRoleError = InsufficientRoleError;
+declare const authErrors_InsufficientRoleError: typeof InsufficientRoleError;
+type authErrors_InvalidCredentialsError = InvalidCredentialsError;
+declare const authErrors_InvalidCredentialsError: typeof InvalidCredentialsError;
+type authErrors_InvalidKeyFingerprintError = InvalidKeyFingerprintError;
+declare const authErrors_InvalidKeyFingerprintError: typeof InvalidKeyFingerprintError;
+type authErrors_InvalidTokenError = InvalidTokenError;
+declare const authErrors_InvalidTokenError: typeof InvalidTokenError;
+type authErrors_InvalidVerificationCodeError = InvalidVerificationCodeError;
+declare const authErrors_InvalidVerificationCodeError: typeof InvalidVerificationCodeError;
+type authErrors_InvalidVerificationTokenError = InvalidVerificationTokenError;
+declare const authErrors_InvalidVerificationTokenError: typeof InvalidVerificationTokenError;
+type authErrors_KeyExpiredError = KeyExpiredError;
+declare const authErrors_KeyExpiredError: typeof KeyExpiredError;
+type authErrors_TokenExpiredError = TokenExpiredError;
+declare const authErrors_TokenExpiredError: typeof TokenExpiredError;
+type authErrors_VerificationTokenPurposeMismatchError = VerificationTokenPurposeMismatchError;
+declare const authErrors_VerificationTokenPurposeMismatchError: typeof VerificationTokenPurposeMismatchError;
+type authErrors_VerificationTokenTargetMismatchError = VerificationTokenTargetMismatchError;
+declare const authErrors_VerificationTokenTargetMismatchError: typeof VerificationTokenTargetMismatchError;
+declare namespace authErrors {
+  export { authErrors_AccountAlreadyExistsError as AccountAlreadyExistsError, authErrors_AccountDisabledError as AccountDisabledError, authErrors_InsufficientPermissionsError as InsufficientPermissionsError, authErrors_InsufficientRoleError as InsufficientRoleError, authErrors_InvalidCredentialsError as InvalidCredentialsError, authErrors_InvalidKeyFingerprintError as InvalidKeyFingerprintError, authErrors_InvalidTokenError as InvalidTokenError, authErrors_InvalidVerificationCodeError as InvalidVerificationCodeError, authErrors_InvalidVerificationTokenError as InvalidVerificationTokenError, authErrors_KeyExpiredError as KeyExpiredError, authErrors_TokenExpiredError as TokenExpiredError, authErrors_VerificationTokenPurposeMismatchError as VerificationTokenPurposeMismatchError, authErrors_VerificationTokenTargetMismatchError as VerificationTokenTargetMismatchError };
+}
+
+/**
+ * Auth Error Exports
+ */
+
+declare const authErrorRegistry: ErrorRegistry;
+
+export { AccountAlreadyExistsError, AccountDisabledError, authErrors as AuthError, InsufficientPermissionsError, InsufficientRoleError, InvalidCredentialsError, InvalidKeyFingerprintError, InvalidTokenError, InvalidVerificationCodeError, InvalidVerificationTokenError, KeyExpiredError, TokenExpiredError, VerificationTokenPurposeMismatchError, VerificationTokenTargetMismatchError, authErrorRegistry };

package/dist/errors.js

@@ -0,0 +1,173 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/errors/index.ts
+import { ErrorRegistry } from "@spfn/core/errors";
+
+// src/errors/auth-errors.ts
+var auth_errors_exports = {};
+__export(auth_errors_exports, {
+  AccountAlreadyExistsError: () => AccountAlreadyExistsError,
+  AccountDisabledError: () => AccountDisabledError,
+  InsufficientPermissionsError: () => InsufficientPermissionsError,
+  InsufficientRoleError: () => InsufficientRoleError,
+  InvalidCredentialsError: () => InvalidCredentialsError,
+  InvalidKeyFingerprintError: () => InvalidKeyFingerprintError,
+  InvalidTokenError: () => InvalidTokenError,
+  InvalidVerificationCodeError: () => InvalidVerificationCodeError,
+  InvalidVerificationTokenError: () => InvalidVerificationTokenError,
+  KeyExpiredError: () => KeyExpiredError,
+  TokenExpiredError: () => TokenExpiredError,
+  VerificationTokenPurposeMismatchError: () => VerificationTokenPurposeMismatchError,
+  VerificationTokenTargetMismatchError: () => VerificationTokenTargetMismatchError
+});
+import {
+  ValidationError,
+  UnauthorizedError,
+  ForbiddenError,
+  ConflictError
+} from "@spfn/core/errors";
+var InvalidCredentialsError = class extends UnauthorizedError {
+  constructor(data = {}) {
+    super({ message: data.message || "Invalid credentials", details: data.details });
+    this.name = "InvalidCredentialsError";
+  }
+};
+var InvalidTokenError = class extends UnauthorizedError {
+  constructor(data = {}) {
+    super({ message: data.message || "Invalid authentication token", details: data.details });
+    this.name = "InvalidTokenError";
+  }
+};
+var TokenExpiredError = class extends UnauthorizedError {
+  constructor(data = {}) {
+    super({ message: data.message || "Authentication token has expired", details: data.details });
+    this.name = "TokenExpiredError";
+  }
+};
+var KeyExpiredError = class extends UnauthorizedError {
+  constructor(data = {}) {
+    super({ message: data.message || "Public key has expired", details: data.details });
+    this.name = "KeyExpiredError";
+  }
+};
+var AccountDisabledError = class extends ForbiddenError {
+  constructor(data = {}) {
+    const status = data.status || "disabled";
+    super({
+      message: data.message || `Account is ${status}`,
+      details: { status, ...data.details }
+    });
+    this.name = "AccountDisabledError";
+  }
+};
+var AccountAlreadyExistsError = class extends ConflictError {
+  constructor(data = {}) {
+    super({
+      message: data.message || "Account already exists",
+      details: {
+        identifier: data.identifier,
+        identifierType: data.identifierType,
+        ...data.details
+      }
+    });
+    this.name = "AccountAlreadyExistsError";
+  }
+};
+var InvalidVerificationCodeError = class extends ValidationError {
+  constructor(data = {}) {
+    super({ message: data.message || "Invalid verification code", details: data.details });
+    this.name = "InvalidVerificationCodeError";
+  }
+};
+var InvalidVerificationTokenError = class extends ValidationError {
+  constructor(data = {}) {
+    super({ message: data.message || "Invalid or expired verification token", details: data.details });
+    this.name = "InvalidVerificationTokenError";
+  }
+};
+var InvalidKeyFingerprintError = class extends ValidationError {
+  constructor(data = {}) {
+    super({ message: data.message || "Invalid key fingerprint", details: data.details });
+    this.name = "InvalidKeyFingerprintError";
+  }
+};
+var VerificationTokenPurposeMismatchError = class extends ValidationError {
+  constructor(data = {}) {
+    const expected = data.expected || "unknown";
+    const actual = data.actual || "unknown";
+    super({
+      message: data.message || `Verification token is for ${actual}, but ${expected} was expected`,
+      details: { expected, actual, ...data.details }
+    });
+    this.name = "VerificationTokenPurposeMismatchError";
+  }
+};
+var VerificationTokenTargetMismatchError = class extends ValidationError {
+  constructor(data = {}) {
+    super({
+      message: data.message || "Verification token does not match provided email/phone",
+      details: data.details
+    });
+    this.name = "VerificationTokenTargetMismatchError";
+  }
+};
+var InsufficientPermissionsError = class extends ForbiddenError {
+  constructor(data = {}) {
+    const requiredPermissions = data.requiredPermissions || [];
+    super({
+      message: data.message || `Missing required permissions: ${requiredPermissions.join(", ")}`,
+      details: { requiredPermissions, ...data.details }
+    });
+    this.name = "InsufficientPermissionsError";
+  }
+};
+var InsufficientRoleError = class extends ForbiddenError {
+  constructor(data = {}) {
+    const requiredRoles = data.requiredRoles || [];
+    super({
+      message: data.message || `Required roles: ${requiredRoles.join(", ")}`,
+      details: { requiredRoles, ...data.details }
+    });
+    this.name = "InsufficientRoleError";
+  }
+};
+
+// src/errors/index.ts
+var authErrorRegistry = new ErrorRegistry();
+authErrorRegistry.append([
+  InvalidCredentialsError,
+  InvalidTokenError,
+  TokenExpiredError,
+  KeyExpiredError,
+  AccountDisabledError,
+  AccountAlreadyExistsError,
+  InvalidVerificationCodeError,
+  InvalidVerificationTokenError,
+  InvalidKeyFingerprintError,
+  VerificationTokenPurposeMismatchError,
+  VerificationTokenTargetMismatchError,
+  InsufficientPermissionsError,
+  InsufficientRoleError
+]);
+export {
+  AccountAlreadyExistsError,
+  AccountDisabledError,
+  auth_errors_exports as AuthError,
+  InsufficientPermissionsError,
+  InsufficientRoleError,
+  InvalidCredentialsError,
+  InvalidKeyFingerprintError,
+  InvalidTokenError,
+  InvalidVerificationCodeError,
+  InvalidVerificationTokenError,
+  KeyExpiredError,
+  TokenExpiredError,
+  VerificationTokenPurposeMismatchError,
+  VerificationTokenTargetMismatchError,
+  authErrorRegistry
+};
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/errors/index.ts","../src/errors/auth-errors.ts"],"sourcesContent":["/**\n * Auth Error Exports\n */\n\nimport { ErrorRegistry } from \"@spfn/core/errors\";\n\nimport {\n    InvalidCredentialsError,\n    InvalidTokenError,\n    TokenExpiredError,\n    KeyExpiredError,\n    AccountDisabledError,\n    AccountAlreadyExistsError,\n    InvalidVerificationCodeError,\n    InvalidVerificationTokenError,\n    InvalidKeyFingerprintError,\n    VerificationTokenPurposeMismatchError,\n    VerificationTokenTargetMismatchError,\n    InsufficientPermissionsError,\n    InsufficientRoleError,\n} from './auth-errors';\n\nexport {\n    InvalidCredentialsError,\n    InvalidTokenError,\n    TokenExpiredError,\n    KeyExpiredError,\n    AccountDisabledError,\n    AccountAlreadyExistsError,\n    InvalidVerificationCodeError,\n    InvalidVerificationTokenError,\n    InvalidKeyFingerprintError,\n    VerificationTokenPurposeMismatchError,\n    VerificationTokenTargetMismatchError,\n    InsufficientPermissionsError,\n    InsufficientRoleError,\n} from './auth-errors';\n\nexport const authErrorRegistry = new ErrorRegistry();\nauthErrorRegistry.append([\n    InvalidCredentialsError,\n    InvalidTokenError,\n    TokenExpiredError,\n    KeyExpiredError,\n    AccountDisabledError,\n    AccountAlreadyExistsError,\n    InvalidVerificationCodeError,\n    InvalidVerificationTokenError,\n    InvalidKeyFingerprintError,\n    VerificationTokenPurposeMismatchError,\n    VerificationTokenTargetMismatchError,\n    InsufficientPermissionsError,\n    InsufficientRoleError,\n]);\n\nexport * as AuthError from './auth-errors';","/**\n * Authentication & Authorization Error Classes\n *\n * Custom error classes for auth-specific scenarios\n */\n\nimport {\n    ValidationError,\n    UnauthorizedError,\n    ForbiddenError,\n    ConflictError\n} from '@spfn/core/errors';\n\n/**\n * Invalid Credentials Error (401)\n *\n * Thrown when login credentials are incorrect\n */\nexport class InvalidCredentialsError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid credentials', details: data.details });\n        this.name = 'InvalidCredentialsError';\n    }\n}\n\n/**\n * Invalid Token Error (401)\n *\n * Thrown when authentication token is invalid or malformed\n */\nexport class InvalidTokenError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid authentication token', details: data.details });\n        this.name = 'InvalidTokenError';\n    }\n}\n\n/**\n * Token Expired Error (401)\n *\n * Thrown when authentication token has expired\n */\nexport class TokenExpiredError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Authentication token has expired', details: data.details });\n        this.name = 'TokenExpiredError';\n    }\n}\n\n/**\n * Key Expired Error (401)\n *\n * Thrown when public key has expired\n */\nexport class KeyExpiredError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Public key has expired', details: data.details });\n        this.name = 'KeyExpiredError';\n    }\n}\n\n/**\n * Account Disabled Error (403)\n *\n * Thrown when user account is disabled or inactive\n */\nexport class AccountDisabledError extends ForbiddenError\n{\n    constructor(data: { status?: string; message?: string; details?: Record<string, any> } = {})\n    {\n        const status = data.status || 'disabled';\n        super({\n            message: data.message || `Account is ${status}`,\n            details: { status, ...data.details }\n        });\n        this.name = 'AccountDisabledError';\n    }\n}\n\n/**\n * Account Already Exists Error (409)\n *\n * Thrown when trying to register with existing email/phone\n */\nexport class AccountAlreadyExistsError extends ConflictError\n{\n    constructor(data: { identifier?: string; identifierType?: 'email' | 'phone'; message?: string; details?: Record<string, any> } = {})\n    {\n        super({\n            message: data.message || 'Account already exists',\n            details: {\n                identifier: data.identifier,\n                identifierType: data.identifierType,\n                ...data.details\n            }\n        });\n        this.name = 'AccountAlreadyExistsError';\n    }\n}\n\n/**\n * Invalid Verification Code Error (400)\n *\n * Thrown when verification code is invalid, expired, or already used\n */\nexport class InvalidVerificationCodeError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid verification code', details: data.details });\n        this.name = 'InvalidVerificationCodeError';\n    }\n}\n\n/**\n * Invalid Verification Token Error (400)\n *\n * Thrown when verification token is invalid or expired\n */\nexport class InvalidVerificationTokenError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid or expired verification token', details: data.details });\n        this.name = 'InvalidVerificationTokenError';\n    }\n}\n\n/**\n * Invalid Key Fingerprint Error (400)\n *\n * Thrown when public key fingerprint doesn't match the public key\n */\nexport class InvalidKeyFingerprintError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid key fingerprint', details: data.details });\n        this.name = 'InvalidKeyFingerprintError';\n    }\n}\n\n/**\n * Verification Token Purpose Mismatch Error (400)\n *\n * Thrown when verification token purpose doesn't match expected purpose\n */\nexport class VerificationTokenPurposeMismatchError extends ValidationError\n{\n    constructor(data: { expected?: string; actual?: string; message?: string; details?: Record<string, any> } = {})\n    {\n        const expected = data.expected || 'unknown';\n        const actual = data.actual || 'unknown';\n        super({\n            message: data.message || `Verification token is for ${actual}, but ${expected} was expected`,\n            details: { expected, actual, ...data.details }\n        });\n        this.name = 'VerificationTokenPurposeMismatchError';\n    }\n}\n\n/**\n * Verification Token Target Mismatch Error (400)\n *\n * Thrown when verification token target doesn't match provided email/phone\n */\nexport class VerificationTokenTargetMismatchError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({\n            message: data.message || 'Verification token does not match provided email/phone',\n            details: data.details\n        });\n        this.name = 'VerificationTokenTargetMismatchError';\n    }\n}\n\n/**\n * Insufficient Permissions Error (403)\n *\n * Thrown when user lacks required permissions for the operation\n */\nexport class InsufficientPermissionsError extends ForbiddenError\n{\n    constructor(data: { requiredPermissions?: string[]; message?: string; details?: Record<string, any> } = {})\n    {\n        const requiredPermissions = data.requiredPermissions || [];\n        super({\n            message: data.message || `Missing required permissions: ${requiredPermissions.join(', ')}`,\n            details: { requiredPermissions, ...data.details }\n        });\n        this.name = 'InsufficientPermissionsError';\n    }\n}\n\n/**\n * Insufficient Role Error (403)\n *\n * Thrown when user lacks required role for the operation\n */\nexport class InsufficientRoleError extends ForbiddenError\n{\n    constructor(data: { requiredRoles?: string[]; message?: string; details?: Record<string, any> } = {})\n    {\n        const requiredRoles = data.requiredRoles || [];\n        super({\n            message: data.message || `Required roles: ${requiredRoles.join(', ')}`,\n            details: { requiredRoles, ...data.details }\n        });\n        this.name = 'InsufficientRoleError';\n    }\n}"],"mappings":";;;;;;;AAIA,SAAS,qBAAqB;;;ACJ9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAMA;AAAA,EACI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACG;AAOA,IAAM,0BAAN,cAAsC,kBAC7C;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,uBAAuB,SAAS,KAAK,QAAQ,CAAC;AAC/E,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,oBAAN,cAAgC,kBACvC;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,gCAAgC,SAAS,KAAK,QAAQ,CAAC;AACxF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,oBAAN,cAAgC,kBACvC;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,oCAAoC,SAAS,KAAK,QAAQ,CAAC;AAC5F,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,kBAAN,cAA8B,kBACrC;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,0BAA0B,SAAS,KAAK,QAAQ,CAAC;AAClF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,uBAAN,cAAmC,eAC1C;AAAA,EACI,YAAY,OAA6E,CAAC,GAC1F;AACI,UAAM,SAAS,KAAK,UAAU;AAC9B,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,cAAc,MAAM;AAAA,MAC7C,SAAS,EAAE,QAAQ,GAAG,KAAK,QAAQ;AAAA,IACvC,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,4BAAN,cAAwC,cAC/C;AAAA,EACI,YAAY,OAAqH,CAAC,GAClI;AACI,UAAM;AAAA,MACF,SAAS,KAAK,WAAW;AAAA,MACzB,SAAS;AAAA,QACL,YAAY,KAAK;AAAA,QACjB,gBAAgB,KAAK;AAAA,QACrB,GAAG,KAAK;AAAA,MACZ;AAAA,IACJ,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,+BAAN,cAA2C,gBAClD;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,6BAA6B,SAAS,KAAK,QAAQ,CAAC;AACrF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,gCAAN,cAA4C,gBACnD;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,yCAAyC,SAAS,KAAK,QAAQ,CAAC;AACjG,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,6BAAN,cAAyC,gBAChD;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,2BAA2B,SAAS,KAAK,QAAQ,CAAC;AACnF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,wCAAN,cAAoD,gBAC3D;AAAA,EACI,YAAY,OAAgG,CAAC,GAC7G;AACI,UAAM,WAAW,KAAK,YAAY;AAClC,UAAM,SAAS,KAAK,UAAU;AAC9B,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,6BAA6B,MAAM,SAAS,QAAQ;AAAA,MAC7E,SAAS,EAAE,UAAU,QAAQ,GAAG,KAAK,QAAQ;AAAA,IACjD,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,uCAAN,cAAmD,gBAC1D;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM;AAAA,MACF,SAAS,KAAK,WAAW;AAAA,MACzB,SAAS,KAAK;AAAA,IAClB,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,+BAAN,cAA2C,eAClD;AAAA,EACI,YAAY,OAA4F,CAAC,GACzG;AACI,UAAM,sBAAsB,KAAK,uBAAuB,CAAC;AACzD,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,iCAAiC,oBAAoB,KAAK,IAAI,CAAC;AAAA,MACxF,SAAS,EAAE,qBAAqB,GAAG,KAAK,QAAQ;AAAA,IACpD,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,wBAAN,cAAoC,eAC3C;AAAA,EACI,YAAY,OAAsF,CAAC,GACnG;AACI,UAAM,gBAAgB,KAAK,iBAAiB,CAAC;AAC7C,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,mBAAmB,cAAc,KAAK,IAAI,CAAC;AAAA,MACpE,SAAS,EAAE,eAAe,GAAG,KAAK,QAAQ;AAAA,IAC9C,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;;;ADtLO,IAAM,oBAAoB,IAAI,cAAc;AACnD,kBAAkB,OAAO;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACJ,CAAC;","names":[]}

package/dist/index.d.ts

@@ -1,14 +1,273 @@
-export { spfnPlugin } from './plugin.js';
-export { ChangePasswordData, CheckAccountExistsData, LoginData, Permission, SessionPayload } from './lib/types/api.js';
-export { ApiResponseSchema, ErrorResponseSchema, SuccessResponseSchema } from './lib/types/schemas.js';
-export { NewUser, User, UserStatus, UserWithVerification, users } from './server/entities/users.js';
-export { NewUserSocialAccount, UserSocialAccount, userSocialAccounts } from './server/entities/user-social-accounts.js';
-export { NewUserPublicKey, UserPublicKey, userPublicKeys } from './server/entities/user-public-keys.js';
-export { NewVerificationCode, VerificationCode, verificationCodes } from './server/entities/verification-codes.js';
-export { NewRole, NewRoleEntity, Role, RoleEntity, roles } from './server/entities/roles.js';
-export { NewPermissionEntity, PermissionEntity, permissions } from './server/entities/permissions.js';
-export { NewRolePermission, RolePermission, rolePermissions } from './server/entities/role-permissions.js';
-export { NewUserPermission, UserPermission, userPermissions } from './server/entities/user-permissions.js';
-import '@spfn/core/server';
-import '@sinclair/typebox';
-import 'drizzle-orm/pg-core';
+import * as _spfn_core_nextjs from '@spfn/core/nextjs';
+import { R as RoleConfig, P as PermissionConfig, U as UserProfile, C as CheckAccountExistsResult, S as SendVerificationCodeResult, a as RegisterResult, L as LoginResult, b as RotateKeyResult, m as mainAuthRouter } from './dto-CLYtuAom.js';
+export { k as AuthInitOptions, A as AuthSession, I as INVITATION_STATUSES, n as InvitationStatus, K as KEY_ALGORITHM, l as KeyAlgorithmType, i as PERMISSION_CATEGORIES, j as PermissionCategory, c as ProfileInfo, e as SOCIAL_PROVIDERS, p as SocialProvider, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, f as VerificationPurpose, V as VerificationTargetType } from './dto-CLYtuAom.js';
+import * as _spfn_core_route from '@spfn/core/route';
+import * as _sinclair_typebox from '@sinclair/typebox';
+import '@spfn/auth/server';
+
+/**
+ * @spfn/auth - Built-in Roles and Permissions
+ *
+ * Core roles and permissions required by the auth package
+ * These cannot be deleted and are automatically created on initialization
+ */
+
+/**
+ * Built-in roles (required by package)
+ * These roles are always created and cannot be deleted
+ */
+declare const BUILTIN_ROLES: Record<string, RoleConfig>;
+/**
+ * Built-in permissions (required by package)
+ * These permissions are always created and cannot be deleted
+ */
+declare const BUILTIN_PERMISSIONS: Record<string, PermissionConfig>;
+/**
+ * Built-in role-permission mappings
+ * Defines default permissions for each built-in role
+ */
+declare const BUILTIN_ROLE_PERMISSIONS: Record<string, string[]>;
+type BuiltinRoleName = keyof typeof BUILTIN_ROLE_PERMISSIONS;
+type BuiltinPermissionName = typeof BUILTIN_PERMISSIONS[keyof typeof BUILTIN_PERMISSIONS]['name'];
+
+/**
+ * Email regex pattern (RFC 5322 compliant)
+ * Validates: local-part@domain.tld
+ * - Local part: alphanumeric, dots, hyphens, underscores
+ * - Domain: alphanumeric, hyphens, dots
+ * - TLD: minimum 2 characters
+ */
+declare const EMAIL_PATTERN = "^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$";
+/**
+ * Phone regex pattern (E.164 format)
+ * Format: +[country code][number] (1-15 digits total)
+ */
+declare const PHONE_PATTERN = "^\\+[1-9]\\d{1,14}$";
+/**
+ * SHA-256 fingerprint pattern (64 hex characters)
+ */
+declare const FINGERPRINT_PATTERN = "^[a-f0-9]{64}$";
+/**
+ * UUID v4 pattern (8-4-4-4-12 format)
+ */
+declare const UUID_PATTERN = "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$";
+/**
+ * Base64 pattern (DER encoded keys)
+ * Matches standard Base64 with padding
+ */
+declare const BASE64_PATTERN = "^[A-Za-z0-9+/]+=*$";
+
+/**
+ * Type-safe API client for auth routes
+ *
+ * @example
+ * ```typescript
+ * import { authApi } from '@spfn/auth';
+ *
+ * // Get current session
+ * const session = await authApi.getAuthSession.call({});
+ *
+ * // Login
+ * const result = await authApi.login.call({
+ *     body: { email, password, fingerprint, publicKey, keyId }
+ * });
+ * ```
+ */
+declare const authApi: _spfn_core_nextjs.Client<_spfn_core_route.Router<{
+    getUserProfile: _spfn_core_route.RouteDef<{}, {}, UserProfile>;
+    getInvitation: _spfn_core_route.RouteDef<{
+        params: _sinclair_typebox.TObject<{
+            token: _sinclair_typebox.TString;
+        }>;
+    }, {}, {
+        email: string;
+        role: string;
+        roleDisplayName: string;
+        invitedBy: string;
+        expiresAt: string;
+        metadata: Record<string, any> | undefined;
+    }>;
+    acceptInvitation: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            token: _sinclair_typebox.TString;
+            password: _sinclair_typebox.TString;
+        }>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+        }>;
+    }, {
+        userId: number;
+        email: string;
+        role: string;
+    }>;
+    createInvitation: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TString;
+            roleId: _sinclair_typebox.TNumber;
+            expiresInDays: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TAny>;
+        }>;
+    }, {}, {
+        id: number;
+        email: string;
+        token: string;
+        roleId: number;
+        expiresAt: string;
+        invitationUrl: string;
+    }>;
+    listInvitations: _spfn_core_route.RouteDef<{
+        query: _sinclair_typebox.TObject<{
+            status: _sinclair_typebox.TOptional<_sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"pending" | "accepted" | "expired" | "cancelled">[]>>;
+            page: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            limit: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+        }>;
+    }, {}, {
+        invitations: {
+            id: number;
+            email: string;
+            token: string;
+            roleId: number;
+            invitedBy: number;
+            status: "pending" | "accepted" | "expired" | "cancelled";
+            expiresAt: Date;
+            acceptedAt: Date | null;
+            cancelledAt: Date | null;
+            metadata: Record<string, any> | null;
+            createdAt: Date;
+            updatedAt: Date;
+            role: {
+                id: number;
+                name: string;
+                displayName: string;
+            };
+            inviter: {
+                id: number;
+                email: string | null;
+            };
+        }[];
+        total: number;
+        page: number;
+        limit: number;
+        totalPages: number;
+    }>;
+    cancelInvitation: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            id: _sinclair_typebox.TNumber;
+            reason: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, {}, {
+        cancelledAt: string;
+    }>;
+    resendInvitation: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            id: _sinclair_typebox.TNumber;
+            expiresInDays: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+        }>;
+    }, {}, {
+        expiresAt: string;
+    }>;
+    deleteInvitation: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            id: _sinclair_typebox.TNumber;
+        }>;
+    }, {}, Response>;
+    checkAccountExists: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TString;
+        }>, _sinclair_typebox.TObject<{
+            phone: _sinclair_typebox.TString;
+        }>]>;
+    }, {}, CheckAccountExistsResult>;
+    sendVerificationCode: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            target: _sinclair_typebox.TString;
+            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
+            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+        }>;
+    }, {}, SendVerificationCodeResult>;
+    verifyCode: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            target: _sinclair_typebox.TString;
+            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
+            code: _sinclair_typebox.TString;
+            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+        }>;
+    }, {}, {
+        valid: boolean;
+        verificationToken: string;
+    }>;
+    register: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            verificationToken: _sinclair_typebox.TString;
+            password: _sinclair_typebox.TString;
+        }>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+        }>;
+    }, RegisterResult>;
+    login: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            password: _sinclair_typebox.TString;
+        }>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+            oldKeyId: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, LoginResult>;
+    logout: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{}>;
+    }, {}, Response>;
+    rotateKey: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{}>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+        }>;
+    }, RotateKeyResult>;
+    changePassword: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            currentPassword: _sinclair_typebox.TString;
+            newPassword: _sinclair_typebox.TString;
+        }>;
+    }, {}, Response>;
+    getAuthSession: _spfn_core_route.RouteDef<{}, {}, {
+        role: {
+            id: number;
+            name: string;
+            displayName: string;
+            priority: number;
+        };
+        permissions: {
+            id: number;
+            name: string;
+            displayName: string;
+            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
+        }[];
+        userId: number;
+        email: string | null;
+        emailVerified: boolean;
+        phoneVerified: boolean;
+    }>;
+}>>;
+type AuthRouter = typeof mainAuthRouter;
+
+export { type AuthRouter, BASE64_PATTERN, BUILTIN_PERMISSIONS, BUILTIN_ROLES, BUILTIN_ROLE_PERMISSIONS, type BuiltinPermissionName, type BuiltinRoleName, EMAIL_PATTERN, FINGERPRINT_PATTERN, PHONE_PATTERN, PermissionConfig, RoleConfig, UUID_PATTERN, UserProfile, authApi };