npm - @spfn/auth - Versions diffs - 0.2.0-beta.1 → 0.2.0-beta.11 - Mend

@spfn/auth 0.2.0-beta.1 → 0.2.0-beta.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +169 -168
package/dist/{dto-81uR9gzF.d.ts → authenticate-CU6_zQaa.d.ts} +184 -169
package/dist/config.d.ts +4 -0
package/dist/config.js +4 -0
package/dist/config.js.map +1 -1
package/dist/index.d.ts +146 -119
package/dist/index.js +24 -1
package/dist/index.js.map +1 -1
package/dist/nextjs/api.js +1 -1
package/dist/nextjs/api.js.map +1 -1
package/dist/nextjs/server.js +0 -2
package/dist/nextjs/server.js.map +1 -1
package/dist/server.d.ts +171 -403
package/dist/server.js +217 -461
package/dist/server.js.map +1 -1
package/migrations/0000_premium_famine.sql +292 -0
package/migrations/meta/0000_snapshot.json +1 -1
package/migrations/meta/_journal.json +2 -2
package/package.json +8 -11
package/migrations/0000_mysterious_colossus.sql +0 -197

package/dist/server.js CHANGED Viewed

@@ -1,11 +1,5 @@
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
@@ -6132,6 +6126,23 @@ var init_user_profiles_repository = __esm({
         const result = await this.db.delete(userProfiles).where(eq8(userProfiles.userId, userId)).returning();
         return result[0] ?? null;
       }
+      /**
+       * 프로필 Upsert (by User ID)
+       *
+       * 프로필이 없으면 생성, 있으면 업데이트
+       * 새로 생성 시 displayName은 필수 (없으면 'User'로 설정)
+       */
+      async upsertByUserId(userId, data) {
+        const existing = await this.findByUserId(userId);
+        if (existing) {
+          return await this.updateByUserId(userId, data);
+        }
+        return await this.create({
+          userId,
+          displayName: data.displayName || "User",
+          ...data
+        });
+      }
       /**
        * User ID로 프로필 데이터 조회 (formatted)
        *
@@ -6151,6 +6162,7 @@ var init_user_profiles_repository = __esm({
           location: userProfiles.location,
           company: userProfiles.company,
           jobTitle: userProfiles.jobTitle,
+          metadata: userProfiles.metadata,
           createdAt: userProfiles.createdAt,
           updatedAt: userProfiles.updatedAt
         }).from(userProfiles).where(eq8(userProfiles.userId, userId)).limit(1).then((rows) => rows[0] ?? null);
@@ -6170,6 +6182,7 @@ var init_user_profiles_repository = __esm({
           location: profile.location,
           company: profile.company,
           jobTitle: profile.jobTitle,
+          metadata: profile.metadata,
           createdAt: profile.createdAt,
           updatedAt: profile.updatedAt
         };
@@ -6682,9 +6695,10 @@ import {
 } from "@spfn/auth/errors";
 // src/server/services/verification.service.ts
-import { env as env5 } from "@spfn/auth/config";
+import { env as env3 } from "@spfn/auth/config";
 import { InvalidVerificationCodeError } from "@spfn/auth/errors";
 import jwt2 from "jsonwebtoken";
+import { sendEmail, sendSMS } from "@spfn/notification/server";
 // src/server/logger.ts
 import { logger as rootLogger } from "@spfn/core/logger";
@@ -6704,410 +6718,6 @@ var authLogger = {
 // src/server/services/verification.service.ts
 init_repositories();
-// src/server/services/sms/provider.ts
-var currentProvider = null;
-var fallbackProvider = {
-  name: "fallback",
-  sendSMS: async (params) => {
-    authLogger.sms.debug("DEV MODE - SMS not actually sent", {
-      phone: params.phone,
-      message: params.message,
-      purpose: params.purpose || "N/A"
-    });
-    return {
-      success: true,
-      messageId: "dev-mode-no-actual-sms"
-    };
-  }
-};
-function registerSMSProvider(provider) {
-  currentProvider = provider;
-  authLogger.sms.info("Registered SMS provider", { name: provider.name });
-}
-function getSMSProvider() {
-  return currentProvider || fallbackProvider;
-}
-async function sendSMS(params) {
-  const provider = getSMSProvider();
-  return await provider.sendSMS(params);
-}
-// src/server/services/sms/aws-sns.provider.ts
-import { env as env3 } from "@spfn/auth/config";
-function isValidE164Phone(phone) {
-  const e164Regex = /^\+[1-9]\d{1,14}$/;
-  return e164Regex.test(phone);
-}
-function createAWSSNSProvider() {
-  try {
-    const { SNSClient, PublishCommand } = __require("@aws-sdk/client-sns");
-    return {
-      name: "aws-sns",
-      sendSMS: async (params) => {
-        const { phone, message, purpose } = params;
-        if (!isValidE164Phone(phone)) {
-          return {
-            success: false,
-            error: "Invalid phone number format. Must be E.164 format (e.g., +821012345678)"
-          };
-        }
-        if (!env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID) {
-          return {
-            success: false,
-            error: "AWS SNS credentials not configured. Set SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID environment variable."
-          };
-        }
-        try {
-          const config = {
-            region: env3.SPFN_AUTH_AWS_REGION || "ap-northeast-2"
-          };
-          if (env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID && env3.SPFN_AUTH_AWS_SNS_SECRET_ACCESS_KEY) {
-            config.credentials = {
-              accessKeyId: env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID,
-              secretAccessKey: env3.SPFN_AUTH_AWS_SNS_SECRET_ACCESS_KEY
-            };
-          }
-          const client = new SNSClient(config);
-          const command = new PublishCommand({
-            PhoneNumber: phone,
-            Message: message,
-            MessageAttributes: {
-              "AWS.SNS.SMS.SMSType": {
-                DataType: "String",
-                StringValue: "Transactional"
-                // For OTP codes
-              },
-              ...env3.SPFN_AUTH_AWS_SNS_SENDER_ID && {
-                "AWS.SNS.SMS.SenderID": {
-                  DataType: "String",
-                  StringValue: env3.SPFN_AUTH_AWS_SNS_SENDER_ID
-                }
-              }
-            }
-          });
-          const response = await client.send(command);
-          authLogger.sms.info("SMS sent via AWS SNS", {
-            phone,
-            messageId: response.MessageId,
-            purpose: purpose || "N/A"
-          });
-          return {
-            success: true,
-            messageId: response.MessageId
-          };
-        } catch (error) {
-          const err = error;
-          authLogger.sms.error("Failed to send SMS via AWS SNS", {
-            phone,
-            error: err.message
-          });
-          return {
-            success: false,
-            error: err.message || "Failed to send SMS via AWS SNS"
-          };
-        }
-      }
-    };
-  } catch (error) {
-    return null;
-  }
-}
-var awsSNSProvider = createAWSSNSProvider();
-// src/server/services/sms/index.ts
-if (awsSNSProvider) {
-  registerSMSProvider(awsSNSProvider);
-}
-// src/server/services/email/provider.ts
-var currentProvider2 = null;
-var fallbackProvider2 = {
-  name: "fallback",
-  sendEmail: async (params) => {
-    authLogger.email.debug("DEV MODE - Email not actually sent", {
-      to: params.to,
-      subject: params.subject,
-      purpose: params.purpose || "N/A",
-      textPreview: params.text?.substring(0, 100) || "N/A"
-    });
-    return {
-      success: true,
-      messageId: "dev-mode-no-actual-email"
-    };
-  }
-};
-function registerEmailProvider(provider) {
-  currentProvider2 = provider;
-  authLogger.email.info("Registered email provider", { name: provider.name });
-}
-function getEmailProvider() {
-  return currentProvider2 || fallbackProvider2;
-}
-async function sendEmail(params) {
-  const provider = getEmailProvider();
-  return await provider.sendEmail(params);
-}
-// src/server/services/email/aws-ses.provider.ts
-import { env as env4 } from "@spfn/auth/config";
-function isValidEmail(email) {
-  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-  return emailRegex.test(email);
-}
-function createAWSSESProvider() {
-  try {
-    const { SESClient, SendEmailCommand } = __require("@aws-sdk/client-ses");
-    return {
-      name: "aws-ses",
-      sendEmail: async (params) => {
-        const { to, subject, text: text10, html, purpose } = params;
-        if (!isValidEmail(to)) {
-          return {
-            success: false,
-            error: "Invalid email address format"
-          };
-        }
-        if (!env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID) {
-          return {
-            success: false,
-            error: "AWS SES credentials not configured. Set SPFN_AUTH_AWS_SES_ACCESS_KEY_ID environment variable."
-          };
-        }
-        if (!env4.SPFN_AUTH_AWS_SES_FROM_EMAIL) {
-          return {
-            success: false,
-            error: "AWS SES sender email not configured. Set SPFN_AUTH_AWS_SES_FROM_EMAIL environment variable."
-          };
-        }
-        try {
-          const config = {
-            region: env4.SPFN_AUTH_AWS_REGION || "ap-northeast-2"
-          };
-          if (env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID && env4.SPFN_AUTH_AWS_SES_SECRET_ACCESS_KEY) {
-            config.credentials = {
-              accessKeyId: env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID,
-              secretAccessKey: env4.SPFN_AUTH_AWS_SES_SECRET_ACCESS_KEY
-            };
-          }
-          const client = new SESClient(config);
-          const body = {};
-          if (text10) {
-            body.Text = {
-              Charset: "UTF-8",
-              Data: text10
-            };
-          }
-          if (html) {
-            body.Html = {
-              Charset: "UTF-8",
-              Data: html
-            };
-          }
-          const command = new SendEmailCommand({
-            Source: env4.SPFN_AUTH_AWS_SES_FROM_EMAIL,
-            Destination: {
-              ToAddresses: [to]
-            },
-            Message: {
-              Subject: {
-                Charset: "UTF-8",
-                Data: subject
-              },
-              Body: body
-            }
-          });
-          const response = await client.send(command);
-          authLogger.email.info("Email sent via AWS SES", {
-            to,
-            messageId: response.MessageId,
-            purpose: purpose || "N/A"
-          });
-          return {
-            success: true,
-            messageId: response.MessageId
-          };
-        } catch (error) {
-          const err = error;
-          authLogger.email.error("Failed to send email via AWS SES", {
-            to,
-            error: err.message
-          });
-          return {
-            success: false,
-            error: err.message || "Failed to send email via AWS SES"
-          };
-        }
-      }
-    };
-  } catch (error) {
-    return null;
-  }
-}
-var awsSESProvider = createAWSSESProvider();
-// src/server/services/email/index.ts
-if (awsSESProvider) {
-  registerEmailProvider(awsSESProvider);
-}
-// src/server/services/email/templates/verification-code.ts
-function getSubject(purpose) {
-  switch (purpose) {
-    case "registration":
-      return "Verify your email address";
-    case "login":
-      return "Your login verification code";
-    case "password_reset":
-      return "Reset your password";
-    default:
-      return "Your verification code";
-  }
-}
-function getPurposeText(purpose) {
-  switch (purpose) {
-    case "registration":
-      return "complete your registration";
-    case "login":
-      return "verify your identity";
-    case "password_reset":
-      return "reset your password";
-    default:
-      return "verify your identity";
-  }
-}
-function generateText(params) {
-  const { code, expiresInMinutes = 5 } = params;
-  return `Your verification code is: ${code}
-This code will expire in ${expiresInMinutes} minutes.
-If you didn't request this code, please ignore this email.`;
-}
-function generateHTML(params) {
-  const { code, purpose, expiresInMinutes = 5, appName } = params;
-  const purposeText = getPurposeText(purpose);
-  return `<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Verification Code</title>
-</head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; background-color: #f5f5f5;">
-    <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 30px; border-radius: 10px 10px 0 0; text-align: center;">
-        <h1 style="color: white; margin: 0; font-size: 24px;">${appName ? appName : "Verification Code"}</h1>
-    </div>
-    <div style="background: #ffffff; padding: 30px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 10px 10px;">
-        <p style="margin-bottom: 20px; font-size: 16px;">
-            Please use the following verification code to ${purposeText}:
-        </p>
-        <div style="background: #f8f9fa; padding: 25px; border-radius: 8px; text-align: center; margin: 25px 0; border: 2px dashed #dee2e6;">
-            <span style="font-size: 36px; font-weight: bold; letter-spacing: 10px; color: #333; font-family: 'Courier New', monospace;">${code}</span>
-        </div>
-        <p style="color: #666; font-size: 14px; margin-top: 20px; text-align: center;">
-            <strong>This code will expire in ${expiresInMinutes} minutes.</strong>
-        </p>
-        <hr style="border: none; border-top: 1px solid #eee; margin: 30px 0;">
-        <p style="color: #999; font-size: 12px; text-align: center; margin: 0;">
-            If you didn't request this code, please ignore this email.
-        </p>
-    </div>
-    <div style="text-align: center; padding: 20px; color: #999; font-size: 11px;">
-        <p style="margin: 0;">This is an automated message. Please do not reply.</p>
-    </div>
-</body>
-</html>`;
-}
-function verificationCodeTemplate(params) {
-  return {
-    subject: getSubject(params.purpose),
-    text: generateText(params),
-    html: generateHTML(params)
-  };
-}
-// src/server/services/email/templates/registry.ts
-var customTemplates = {};
-function registerEmailTemplates(templates) {
-  customTemplates = { ...customTemplates, ...templates };
-  authLogger.email.info("Registered custom email templates", {
-    templates: Object.keys(templates)
-  });
-}
-function getVerificationCodeTemplate(params) {
-  if (customTemplates.verificationCode) {
-    return customTemplates.verificationCode(params);
-  }
-  return verificationCodeTemplate(params);
-}
-function getWelcomeTemplate(params) {
-  if (customTemplates.welcome) {
-    return customTemplates.welcome(params);
-  }
-  return {
-    subject: params.appName ? `Welcome to ${params.appName}!` : "Welcome!",
-    text: `Welcome! Your account has been created successfully.`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>Welcome${params.appName ? ` to ${params.appName}` : ""}!</h1>
-    <p>Your account has been created successfully.</p>
-</body>
-</html>`
-  };
-}
-function getPasswordResetTemplate(params) {
-  if (customTemplates.passwordReset) {
-    return customTemplates.passwordReset(params);
-  }
-  const expires = params.expiresInMinutes || 30;
-  return {
-    subject: "Reset your password",
-    text: `Click this link to reset your password: ${params.resetLink}
-This link will expire in ${expires} minutes.`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>Reset Your Password</h1>
-    <p>Click the button below to reset your password:</p>
-    <a href="${params.resetLink}" style="display: inline-block; background: #667eea; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px;">Reset Password</a>
-    <p style="color: #666; margin-top: 20px;">This link will expire in ${expires} minutes.</p>
-</body>
-</html>`
-  };
-}
-function getInvitationTemplate(params) {
-  if (customTemplates.invitation) {
-    return customTemplates.invitation(params);
-  }
-  const appName = params.appName || "our platform";
-  const inviterText = params.inviterName ? `${params.inviterName} has invited you` : "You have been invited";
-  const roleText = params.roleName ? ` as ${params.roleName}` : "";
-  return {
-    subject: `You're invited to join ${appName}`,
-    text: `${inviterText} to join ${appName}${roleText}.
-Click here to accept: ${params.inviteLink}`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>You're Invited!</h1>
-    <p>${inviterText} to join <strong>${appName}</strong>${roleText}.</p>
-    <a href="${params.inviteLink}" style="display: inline-block; background: #667eea; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px;">Accept Invitation</a>
-</body>
-</html>`
-  };
-}
-// src/server/services/verification.service.ts
 var VERIFICATION_TOKEN_EXPIRY = "15m";
 var VERIFICATION_CODE_EXPIRY_MINUTES = 5;
 var MAX_VERIFICATION_ATTEMPTS = 5;
@@ -7151,7 +6761,7 @@ async function markCodeAsUsed(codeId) {
   await verificationCodesRepository.markAsUsed(codeId);
 }
 function createVerificationToken(payload) {
-  return jwt2.sign(payload, env5.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
+  return jwt2.sign(payload, env3.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
     expiresIn: VERIFICATION_TOKEN_EXPIRY,
     issuer: "spfn-auth",
     audience: "spfn-client"
@@ -7159,7 +6769,7 @@ function createVerificationToken(payload) {
 }
 function validateVerificationToken(token) {
   try {
-    const decoded = jwt2.verify(token, env5.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
+    const decoded = jwt2.verify(token, env3.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
       issuer: "spfn-auth",
       audience: "spfn-client"
     });
@@ -7173,17 +6783,14 @@ function validateVerificationToken(token) {
   }
 }
 async function sendVerificationEmail(email, code, purpose) {
-  const { subject, text: text10, html } = getVerificationCodeTemplate({
-    code,
-    purpose,
-    expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
-  });
   const result = await sendEmail({
     to: email,
-    subject,
-    text: text10,
-    html,
-    purpose
+    template: "verification-code",
+    data: {
+      code,
+      purpose,
+      expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
+    }
   });
   if (!result.success) {
     authLogger.email.error("Failed to send verification email", {
@@ -7194,11 +6801,13 @@ async function sendVerificationEmail(email, code, purpose) {
   }
 }
 async function sendVerificationSMS(phone, code, purpose) {
-  const message = `Your verification code is: ${code}`;
   const result = await sendSMS({
-    phone,
-    message,
-    purpose
+    to: phone,
+    template: "verification-code",
+    data: {
+      code,
+      expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
+    }
   });
   if (!result.success) {
     authLogger.sms.error("Failed to send verification SMS", {
@@ -7461,7 +7070,7 @@ init_repositories();
 init_rbac();
 // src/server/lib/config.ts
-import { env as env6 } from "@spfn/auth/config";
+import { env as env4 } from "@spfn/auth/config";
 var COOKIE_NAMES = {
   /** Encrypted session data (userId, privateKey, keyId, algorithm) */
   SESSION: "spfn_session",
@@ -7511,7 +7120,7 @@ function getSessionTtl(override) {
   if (globalConfig.sessionTtl !== void 0) {
     return parseDuration(globalConfig.sessionTtl);
   }
-  const envTtl = env6.SPFN_AUTH_SESSION_TTL;
+  const envTtl = env4.SPFN_AUTH_SESSION_TTL;
   if (envTtl) {
     return parseDuration(envTtl);
   }
@@ -7673,14 +7282,18 @@ async function hasAllPermissions(userId, permissionNames) {
   const perms = await getUserPermissions(userId);
   return permissionNames.every((p) => perms.includes(p));
 }
-async function hasRole(userId, roleName) {
+async function getUserRole(userId) {
   const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
   const user = await usersRepository.findById(userIdNum);
   if (!user || !user.roleId) {
-    return false;
+    return null;
   }
   const role = await rolesRepository.findById(user.roleId);
-  return role?.name === roleName;
+  return role?.name || null;
+}
+async function hasRole(userId, roleName) {
+  const role = await getUserRole(userId);
+  return role === roleName;
 }
 async function hasAnyRole(userId, roleNames) {
   for (const roleName of roleNames) {
@@ -7887,6 +7500,65 @@ async function getUserProfileService(userId) {
     profile
   };
 }
+function emptyToNull(value) {
+  if (value === "") {
+    return null;
+  }
+  return value;
+}
+async function updateUserProfileService(userId, params) {
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const updateData = {};
+  if (params.displayName !== void 0) {
+    updateData.displayName = emptyToNull(params.displayName) || "User";
+  }
+  if (params.firstName !== void 0) {
+    updateData.firstName = emptyToNull(params.firstName);
+  }
+  if (params.lastName !== void 0) {
+    updateData.lastName = emptyToNull(params.lastName);
+  }
+  if (params.avatarUrl !== void 0) {
+    updateData.avatarUrl = emptyToNull(params.avatarUrl);
+  }
+  if (params.bio !== void 0) {
+    updateData.bio = emptyToNull(params.bio);
+  }
+  if (params.locale !== void 0) {
+    updateData.locale = emptyToNull(params.locale) || "en";
+  }
+  if (params.timezone !== void 0) {
+    updateData.timezone = emptyToNull(params.timezone) || "UTC";
+  }
+  if (params.dateOfBirth !== void 0) {
+    updateData.dateOfBirth = emptyToNull(params.dateOfBirth);
+  }
+  if (params.gender !== void 0) {
+    updateData.gender = emptyToNull(params.gender);
+  }
+  if (params.website !== void 0) {
+    updateData.website = emptyToNull(params.website);
+  }
+  if (params.location !== void 0) {
+    updateData.location = emptyToNull(params.location);
+  }
+  if (params.company !== void 0) {
+    updateData.company = emptyToNull(params.company);
+  }
+  if (params.jobTitle !== void 0) {
+    updateData.jobTitle = emptyToNull(params.jobTitle);
+  }
+  if (params.metadata !== void 0) {
+    updateData.metadata = params.metadata;
+  }
+  const existing = await userProfilesRepository.findByUserId(userIdNum);
+  if (!existing && !updateData.displayName) {
+    updateData.displayName = "User";
+  }
+  await userProfilesRepository.upsertByUserId(userIdNum, updateData);
+  const profile = await userProfilesRepository.fetchProfileData(userIdNum);
+  return profile;
+}
 // src/server/routes/auth/index.ts
 init_esm();
@@ -7980,9 +7652,7 @@ var login = route.post("/_auth/login").input({
   const { body } = await c.data();
   return await loginService(body);
 });
-var logout = route.post("/_auth/logout").input({
-  body: Type.Object({})
-}).handler(async (c) => {
+var logout = route.post("/_auth/logout").handler(async (c) => {
   const auth = getAuth(c);
   if (!auth) {
     return c.noContent();
@@ -7991,9 +7661,7 @@ var logout = route.post("/_auth/logout").input({
   await logoutService({ userId: Number(userId), keyId });
   return c.noContent();
 });
-var rotateKey = route.post("/_auth/keys/rotate").input({
-  body: Type.Object({})
-}).interceptor({
+var rotateKey = route.post("/_auth/keys/rotate").interceptor({
   body: Type.Object({
     publicKey: Type.String({ description: "New public key" }),
     keyId: Type.String({ description: "New key identifier" }),
@@ -8223,6 +7891,59 @@ var requireRole = defineMiddleware3(
   }
 );
+// src/server/middleware/role-guard.ts
+import { defineMiddleware as defineMiddleware4 } from "@spfn/core/route";
+import { getAuth as getAuth4, getUserRole as getUserRole2, authLogger as authLogger5 } from "@spfn/auth/server";
+import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
+import { InsufficientRoleError as InsufficientRoleError2 } from "@spfn/auth/errors";
+var roleGuard = defineMiddleware4(
+  "roleGuard",
+  (options) => async (c, next) => {
+    const { allow, deny } = options;
+    if (!allow && !deny) {
+      throw new Error("roleGuard requires at least one of: allow, deny");
+    }
+    const auth = getAuth4(c);
+    if (!auth) {
+      authLogger5.middleware.warn("Role guard failed: not authenticated", {
+        path: c.req.path
+      });
+      throw new ForbiddenError3({ message: "Authentication required" });
+    }
+    const { userId } = auth;
+    const userRole = await getUserRole2(userId);
+    if (deny && deny.length > 0) {
+      if (userRole && deny.includes(userRole)) {
+        authLogger5.middleware.warn("Role guard denied", {
+          userId,
+          userRole,
+          deniedRoles: deny,
+          path: c.req.path
+        });
+        throw new InsufficientRoleError2({ requiredRoles: allow || [] });
+      }
+    }
+    if (allow && allow.length > 0) {
+      if (!userRole || !allow.includes(userRole)) {
+        authLogger5.middleware.warn("Role guard failed: role not allowed", {
+          userId,
+          userRole,
+          allowedRoles: allow,
+          path: c.req.path
+        });
+        throw new InsufficientRoleError2({ requiredRoles: allow });
+      }
+    }
+    authLogger5.middleware.debug("Role guard passed", {
+      userId,
+      userRole,
+      allow,
+      deny
+    });
+    await next();
+  }
+);
 // src/server/routes/invitations/index.ts
 init_types();
 init_esm();
@@ -8416,21 +8137,62 @@ var invitationRouter = defineRouter2({
 });
 // src/server/routes/users/index.ts
+init_esm();
 import { defineRouter as defineRouter3, route as route3 } from "@spfn/core/route";
 var getUserProfile = route3.get("/_auth/users/profile").handler(async (c) => {
   const { userId } = getAuth(c);
   return await getUserProfileService(userId);
 });
+var updateUserProfile = route3.patch("/_auth/users/profile").input({
+  body: Type.Object({
+    displayName: Type.Optional(Type.String({ description: "Display name shown in UI" })),
+    firstName: Type.Optional(Type.String({ description: "First name" })),
+    lastName: Type.Optional(Type.String({ description: "Last name" })),
+    avatarUrl: Type.Optional(Type.String({ description: "Avatar/profile picture URL" })),
+    bio: Type.Optional(Type.String({ description: "Short bio/description" })),
+    locale: Type.Optional(Type.String({ description: "Locale/language preference (e.g., en, ko)" })),
+    timezone: Type.Optional(Type.String({ description: "Timezone (e.g., Asia/Seoul)" })),
+    dateOfBirth: Type.Optional(Type.String({ description: "Date of birth (YYYY-MM-DD)" })),
+    gender: Type.Optional(Type.String({ description: "Gender" })),
+    website: Type.Optional(Type.String({ description: "Personal or professional website" })),
+    location: Type.Optional(Type.String({ description: "Location (city, country, etc.)" })),
+    company: Type.Optional(Type.String({ description: "Company name" })),
+    jobTitle: Type.Optional(Type.String({ description: "Job title" })),
+    metadata: Type.Optional(Type.Record(Type.String(), Type.Any(), { description: "Additional metadata" }))
+  })
+}).handler(async (c) => {
+  const { userId } = getAuth(c);
+  const { body } = await c.data();
+  return await updateUserProfileService(userId, body);
+});
 var userRouter = defineRouter3({
-  getUserProfile
+  getUserProfile,
+  updateUserProfile
 });
 // src/server/routes/index.ts
 var mainAuthRouter = defineRouter4({
-  // Flatten all routes at root level
-  ...authRouter.routes,
-  ...invitationRouter.routes,
-  ...userRouter.routes
+  // Auth routes
+  checkAccountExists,
+  sendVerificationCode,
+  verifyCode,
+  register,
+  login,
+  logout,
+  rotateKey,
+  changePassword,
+  getAuthSession,
+  // Invitation routes
+  getInvitation,
+  acceptInvitation: acceptInvitation2,
+  createInvitation: createInvitation2,
+  listInvitations: listInvitations2,
+  cancelInvitation: cancelInvitation2,
+  resendInvitation: resendInvitation2,
+  deleteInvitation: deleteInvitation2,
+  // User routes
+  getUserProfile,
+  updateUserProfile
 });
 // src/server.ts
@@ -8541,10 +8303,10 @@ function shouldRotateKey(createdAt, rotationDays = 90) {
 // src/server/lib/session.ts
 import * as jose from "jose";
-import { env as env7 } from "@spfn/auth/config";
+import { env as env5 } from "@spfn/auth/config";
 import { env as coreEnv } from "@spfn/core/config";
 async function getSessionSecretKey() {
-  const secret = env7.SPFN_AUTH_SESSION_SECRET;
+  const secret = env5.SPFN_AUTH_SESSION_SECRET;
   const encoder = new TextEncoder();
   const data = encoder.encode(secret);
   const hashBuffer = await crypto.subtle.digest("SHA-256", data);
@@ -8602,14 +8364,14 @@ async function shouldRefreshSession(jwt4, thresholdHours = 24) {
 }
 // src/server/setup.ts
-import { env as env8 } from "@spfn/auth/config";
+import { env as env6 } from "@spfn/auth/config";
 import { getRoleByName as getRoleByName2 } from "@spfn/auth/server";
 init_repositories();
 function parseAdminAccounts() {
   const accounts = [];
-  if (env8.SPFN_AUTH_ADMIN_ACCOUNTS) {
+  if (env6.SPFN_AUTH_ADMIN_ACCOUNTS) {
     try {
-      const accountsJson = env8.SPFN_AUTH_ADMIN_ACCOUNTS;
+      const accountsJson = env6.SPFN_AUTH_ADMIN_ACCOUNTS;
       const parsed = JSON.parse(accountsJson);
       if (!Array.isArray(parsed)) {
         authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_ACCOUNTS must be an array");
@@ -8636,11 +8398,11 @@ function parseAdminAccounts() {
       return accounts;
     }
   }
-  const adminEmails = env8.SPFN_AUTH_ADMIN_EMAILS;
+  const adminEmails = env6.SPFN_AUTH_ADMIN_EMAILS;
   if (adminEmails) {
     const emails = adminEmails.split(",").map((s) => s.trim());
-    const passwords = (env8.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
-    const roles2 = (env8.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
+    const passwords = (env6.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
+    const roles2 = (env6.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
     if (passwords.length !== emails.length) {
       authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_EMAILS and SPFN_AUTH_ADMIN_PASSWORDS length mismatch");
       return accounts;
@@ -8662,8 +8424,8 @@ function parseAdminAccounts() {
     }
     return accounts;
   }
-  const adminEmail = env8.SPFN_AUTH_ADMIN_EMAIL;
-  const adminPassword = env8.SPFN_AUTH_ADMIN_PASSWORD;
+  const adminEmail = env6.SPFN_AUTH_ADMIN_EMAIL;
+  const adminPassword = env6.SPFN_AUTH_ADMIN_PASSWORD;
   if (adminEmail && adminPassword) {
     accounts.push({
       email: adminEmail,
@@ -8789,11 +8551,9 @@ export {
   getAuthConfig,
   getAuthSessionService,
   getInvitationByToken,
-  getInvitationTemplate,
   getInvitationWithDetails,
   getKeyId,
   getKeySize,
-  getPasswordResetTemplate,
   getRoleByName,
   getRolePermissions,
   getSessionInfo,
@@ -8805,8 +8565,7 @@ export {
   getUserId,
   getUserPermissions,
   getUserProfileService,
-  getVerificationCodeTemplate,
-  getWelcomeTemplate,
+  getUserRole,
   hasAllPermissions,
   hasAnyPermission,
   hasAnyRole,
@@ -8822,10 +8581,7 @@ export {
   parseDuration,
   permissions,
   permissionsRepository,
-  registerEmailProvider,
-  registerEmailTemplates,
   registerPublicKeyService,
-  registerSMSProvider,
   registerService,
   removePermissionFromRole,
   requireAnyPermission,
@@ -8833,14 +8589,13 @@ export {
   requireRole,
   resendInvitation,
   revokeKeyService,
+  roleGuard,
   rolePermissions,
   rolePermissionsRepository,
   roles,
   rolesRepository,
   rotateKeyService,
   sealSession,
-  sendEmail,
-  sendSMS,
   sendVerificationCodeService,
   setRolePermissions,
   shouldRefreshSession,
@@ -8848,6 +8603,7 @@ export {
   unsealSession,
   updateLastLoginService,
   updateRole,
+  updateUserProfileService,
   updateUserService,
   userInvitations,
   userPermissions,