@spfn/auth 0.2.0-beta.10 → 0.2.0-beta.12

package/dist/server.js

@@ -1,11 +1,5 @@
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
@@ -6413,6 +6407,96 @@ var init_invitations_repository = __esm({
   }
 });
 
+// src/server/repositories/social-accounts.repository.ts
+import { eq as eq10, and as and7 } from "drizzle-orm";
+import { BaseRepository as BaseRepository10 } from "@spfn/core/db";
+var SocialAccountsRepository, socialAccountsRepository;
+var init_social_accounts_repository = __esm({
+  "src/server/repositories/social-accounts.repository.ts"() {
+    "use strict";
+    init_entities();
+    SocialAccountsRepository = class extends BaseRepository10 {
+      /**
+       * provider와 providerUserId로 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByProviderAndProviderId(provider, providerUserId) {
+        const result = await this.readDb.select().from(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.provider, provider),
+            eq10(userSocialAccounts.providerUserId, providerUserId)
+          )
+        ).limit(1);
+        return result[0] ?? null;
+      }
+      /**
+       * userId로 모든 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByUserId(userId) {
+        return await this.readDb.select().from(userSocialAccounts).where(eq10(userSocialAccounts.userId, userId));
+      }
+      /**
+       * userId와 provider로 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByUserIdAndProvider(userId, provider) {
+        const result = await this.readDb.select().from(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.userId, userId),
+            eq10(userSocialAccounts.provider, provider)
+          )
+        ).limit(1);
+        return result[0] ?? null;
+      }
+      /**
+       * 소셜 계정 생성
+       * Write primary 사용
+       */
+      async create(data) {
+        return await this._create(userSocialAccounts, {
+          ...data,
+          createdAt: /* @__PURE__ */ new Date(),
+          updatedAt: /* @__PURE__ */ new Date()
+        });
+      }
+      /**
+       * 토큰 정보 업데이트
+       * Write primary 사용
+       */
+      async updateTokens(id11, data) {
+        const result = await this.db.update(userSocialAccounts).set({
+          ...data,
+          updatedAt: /* @__PURE__ */ new Date()
+        }).where(eq10(userSocialAccounts.id, id11)).returning();
+        return result[0] ?? null;
+      }
+      /**
+       * 소셜 계정 삭제
+       * Write primary 사용
+       */
+      async deleteById(id11) {
+        const result = await this.db.delete(userSocialAccounts).where(eq10(userSocialAccounts.id, id11)).returning();
+        return result[0] ?? null;
+      }
+      /**
+       * userId와 provider로 소셜 계정 삭제
+       * Write primary 사용
+       */
+      async deleteByUserIdAndProvider(userId, provider) {
+        const result = await this.db.delete(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.userId, userId),
+            eq10(userSocialAccounts.provider, provider)
+          )
+        ).returning();
+        return result[0] ?? null;
+      }
+    };
+    socialAccountsRepository = new SocialAccountsRepository();
+  }
+});
+
 // src/server/repositories/index.ts
 var init_repositories = __esm({
   "src/server/repositories/index.ts"() {
@@ -6426,6 +6510,7 @@ var init_repositories = __esm({
     init_user_permissions_repository();
     init_user_profiles_repository();
     init_invitations_repository();
+    init_social_accounts_repository();
   }
 });
 
@@ -6552,7 +6637,7 @@ var init_role_service = __esm({
 import "@spfn/auth/config";
 
 // src/server/routes/index.ts
-import { defineRouter as defineRouter4 } from "@spfn/core/route";
+import { defineRouter as defineRouter5 } from "@spfn/core/route";
 
 // src/server/routes/auth/index.ts
 init_schema3();
@@ -6701,9 +6786,10 @@ import {
 } from "@spfn/auth/errors";
 
 // src/server/services/verification.service.ts
-import { env as env5 } from "@spfn/auth/config";
+import { env as env3 } from "@spfn/auth/config";
 import { InvalidVerificationCodeError } from "@spfn/auth/errors";
 import jwt2 from "jsonwebtoken";
+import { sendEmail, sendSMS } from "@spfn/notification/server";
 
 // src/server/logger.ts
 import { logger as rootLogger } from "@spfn/core/logger";
@@ -6723,425 +6809,6 @@ var authLogger = {
 
 // src/server/services/verification.service.ts
 init_repositories();
-
-// src/server/services/sms/provider.ts
-var currentProvider = null;
-var fallbackProvider = {
-  name: "fallback",
-  sendSMS: async (params) => {
-    authLogger.sms.debug("DEV MODE - SMS not actually sent", {
-      phone: params.phone,
-      message: params.message,
-      purpose: params.purpose || "N/A"
-    });
-    return {
-      success: true,
-      messageId: "dev-mode-no-actual-sms"
-    };
-  }
-};
-function registerSMSProvider(provider) {
-  currentProvider = provider;
-  authLogger.sms.info("Registered SMS provider", { name: provider.name });
-}
-function getSMSProvider() {
-  return currentProvider || fallbackProvider;
-}
-async function sendSMS(params) {
-  const provider = getSMSProvider();
-  return await provider.sendSMS(params);
-}
-
-// src/server/services/sms/aws-sns.provider.ts
-import { env as env3 } from "@spfn/auth/config";
-function isValidE164Phone(phone) {
-  const e164Regex = /^\+[1-9]\d{1,14}$/;
-  return e164Regex.test(phone);
-}
-function createAWSSNSProvider() {
-  try {
-    const { SNSClient, PublishCommand } = __require("@aws-sdk/client-sns");
-    return {
-      name: "aws-sns",
-      sendSMS: async (params) => {
-        const { phone, message, purpose } = params;
-        if (!isValidE164Phone(phone)) {
-          return {
-            success: false,
-            error: "Invalid phone number format. Must be E.164 format (e.g., +821012345678)"
-          };
-        }
-        if (!env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID) {
-          return {
-            success: false,
-            error: "AWS SNS credentials not configured. Set SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID environment variable."
-          };
-        }
-        try {
-          const config = {
-            region: env3.SPFN_AUTH_AWS_REGION || "ap-northeast-2"
-          };
-          if (env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID && env3.SPFN_AUTH_AWS_SNS_SECRET_ACCESS_KEY) {
-            config.credentials = {
-              accessKeyId: env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID,
-              secretAccessKey: env3.SPFN_AUTH_AWS_SNS_SECRET_ACCESS_KEY
-            };
-          }
-          const client = new SNSClient(config);
-          const command = new PublishCommand({
-            PhoneNumber: phone,
-            Message: message,
-            MessageAttributes: {
-              "AWS.SNS.SMS.SMSType": {
-                DataType: "String",
-                StringValue: "Transactional"
-                // For OTP codes
-              },
-              ...env3.SPFN_AUTH_AWS_SNS_SENDER_ID && {
-                "AWS.SNS.SMS.SenderID": {
-                  DataType: "String",
-                  StringValue: env3.SPFN_AUTH_AWS_SNS_SENDER_ID
-                }
-              }
-            }
-          });
-          const response = await client.send(command);
-          authLogger.sms.info("SMS sent via AWS SNS", {
-            phone,
-            messageId: response.MessageId,
-            purpose: purpose || "N/A"
-          });
-          return {
-            success: true,
-            messageId: response.MessageId
-          };
-        } catch (error) {
-          const err = error;
-          authLogger.sms.error("Failed to send SMS via AWS SNS", {
-            phone,
-            error: err.message
-          });
-          return {
-            success: false,
-            error: err.message || "Failed to send SMS via AWS SNS"
-          };
-        }
-      }
-    };
-  } catch (error) {
-    return null;
-  }
-}
-var awsSNSProvider = createAWSSNSProvider();
-
-// src/server/services/sms/index.ts
-if (awsSNSProvider) {
-  registerSMSProvider(awsSNSProvider);
-}
-
-// src/server/services/email/provider.ts
-var currentProvider2 = null;
-var fallbackProvider2 = {
-  name: "fallback",
-  sendEmail: async (params) => {
-    authLogger.email.debug("DEV MODE - Email not actually sent", {
-      to: params.to,
-      subject: params.subject,
-      purpose: params.purpose || "N/A",
-      textPreview: params.text?.substring(0, 100) || "N/A"
-    });
-    return {
-      success: true,
-      messageId: "dev-mode-no-actual-email"
-    };
-  }
-};
-function registerEmailProvider(provider) {
-  currentProvider2 = provider;
-  authLogger.email.info("Registered email provider", { name: provider.name });
-}
-function getEmailProvider() {
-  return currentProvider2 || fallbackProvider2;
-}
-async function sendEmail(params) {
-  const provider = getEmailProvider();
-  return await provider.sendEmail(params);
-}
-
-// src/server/services/email/aws-ses.provider.ts
-import { env as env4 } from "@spfn/auth/config";
-function isValidEmail(email) {
-  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-  return emailRegex.test(email);
-}
-function createAWSSESProvider() {
-  return {
-    name: "aws-ses",
-    sendEmail: async (params) => {
-      const { to, subject, text: text10, html, purpose } = params;
-      if (!isValidEmail(to)) {
-        return {
-          success: false,
-          error: "Invalid email address format"
-        };
-      }
-      if (!env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID) {
-        authLogger.email.warn("AWS SES credentials not configured", {
-          hint: "Set SPFN_AUTH_AWS_SES_ACCESS_KEY_ID environment variable"
-        });
-        return {
-          success: false,
-          error: "AWS SES credentials not configured. Set SPFN_AUTH_AWS_SES_ACCESS_KEY_ID environment variable."
-        };
-      }
-      if (!env4.SPFN_AUTH_AWS_SES_FROM_EMAIL) {
-        authLogger.email.warn("AWS SES sender email not configured", {
-          hint: "Set SPFN_AUTH_AWS_SES_FROM_EMAIL environment variable"
-        });
-        return {
-          success: false,
-          error: "AWS SES sender email not configured. Set SPFN_AUTH_AWS_SES_FROM_EMAIL environment variable."
-        };
-      }
-      let SESClient;
-      let SendEmailCommand;
-      try {
-        const ses = await import("@aws-sdk/client-ses");
-        SESClient = ses.SESClient;
-        SendEmailCommand = ses.SendEmailCommand;
-      } catch (error) {
-        authLogger.email.warn("@aws-sdk/client-ses not installed", {
-          error: error instanceof Error ? error.message : String(error),
-          hint: "Run: pnpm add @aws-sdk/client-ses"
-        });
-        return {
-          success: false,
-          error: "@aws-sdk/client-ses not installed. Run: pnpm add @aws-sdk/client-ses"
-        };
-      }
-      try {
-        const config = {
-          region: env4.SPFN_AUTH_AWS_REGION || "ap-northeast-2"
-        };
-        if (env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID && env4.SPFN_AUTH_AWS_SES_SECRET_ACCESS_KEY) {
-          config.credentials = {
-            accessKeyId: env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID,
-            secretAccessKey: env4.SPFN_AUTH_AWS_SES_SECRET_ACCESS_KEY
-          };
-        }
-        const client = new SESClient(config);
-        const body = {};
-        if (text10) {
-          body.Text = {
-            Charset: "UTF-8",
-            Data: text10
-          };
-        }
-        if (html) {
-          body.Html = {
-            Charset: "UTF-8",
-            Data: html
-          };
-        }
-        const command = new SendEmailCommand({
-          Source: env4.SPFN_AUTH_AWS_SES_FROM_EMAIL,
-          Destination: {
-            ToAddresses: [to]
-          },
-          Message: {
-            Subject: {
-              Charset: "UTF-8",
-              Data: subject
-            },
-            Body: body
-          }
-        });
-        const response = await client.send(command);
-        authLogger.email.info("Email sent via AWS SES", {
-          to,
-          messageId: response.MessageId,
-          purpose: purpose || "N/A"
-        });
-        return {
-          success: true,
-          messageId: response.MessageId
-        };
-      } catch (error) {
-        const err = error;
-        authLogger.email.error("Failed to send email via AWS SES", {
-          to,
-          error: err.message
-        });
-        return {
-          success: false,
-          error: err.message || "Failed to send email via AWS SES"
-        };
-      }
-    }
-  };
-}
-var awsSESProvider = createAWSSESProvider();
-
-// src/server/services/email/index.ts
-registerEmailProvider(awsSESProvider);
-
-// src/server/services/email/templates/verification-code.ts
-function getSubject(purpose) {
-  switch (purpose) {
-    case "registration":
-      return "Verify your email address";
-    case "login":
-      return "Your login verification code";
-    case "password_reset":
-      return "Reset your password";
-    default:
-      return "Your verification code";
-  }
-}
-function getPurposeText(purpose) {
-  switch (purpose) {
-    case "registration":
-      return "complete your registration";
-    case "login":
-      return "verify your identity";
-    case "password_reset":
-      return "reset your password";
-    default:
-      return "verify your identity";
-  }
-}
-function generateText(params) {
-  const { code, expiresInMinutes = 5 } = params;
-  return `Your verification code is: ${code}
-
-This code will expire in ${expiresInMinutes} minutes.
-
-If you didn't request this code, please ignore this email.`;
-}
-function generateHTML(params) {
-  const { code, purpose, expiresInMinutes = 5, appName } = params;
-  const purposeText = getPurposeText(purpose);
-  return `<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Verification Code</title>
-</head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; background-color: #f5f5f5;">
-    <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 30px; border-radius: 10px 10px 0 0; text-align: center;">
-        <h1 style="color: white; margin: 0; font-size: 24px;">${appName ? appName : "Verification Code"}</h1>
-    </div>
-    <div style="background: #ffffff; padding: 30px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 10px 10px;">
-        <p style="margin-bottom: 20px; font-size: 16px;">
-            Please use the following verification code to ${purposeText}:
-        </p>
-        <div style="background: #f8f9fa; padding: 25px; border-radius: 8px; text-align: center; margin: 25px 0; border: 2px dashed #dee2e6;">
-            <span style="font-size: 36px; font-weight: bold; letter-spacing: 10px; color: #333; font-family: 'Courier New', monospace;">${code}</span>
-        </div>
-        <p style="color: #666; font-size: 14px; margin-top: 20px; text-align: center;">
-            <strong>This code will expire in ${expiresInMinutes} minutes.</strong>
-        </p>
-        <hr style="border: none; border-top: 1px solid #eee; margin: 30px 0;">
-        <p style="color: #999; font-size: 12px; text-align: center; margin: 0;">
-            If you didn't request this code, please ignore this email.
-        </p>
-    </div>
-    <div style="text-align: center; padding: 20px; color: #999; font-size: 11px;">
-        <p style="margin: 0;">This is an automated message. Please do not reply.</p>
-    </div>
-</body>
-</html>`;
-}
-function verificationCodeTemplate(params) {
-  return {
-    subject: getSubject(params.purpose),
-    text: generateText(params),
-    html: generateHTML(params)
-  };
-}
-
-// src/server/services/email/templates/registry.ts
-var customTemplates = {};
-function registerEmailTemplates(templates) {
-  customTemplates = { ...customTemplates, ...templates };
-  authLogger.email.info("Registered custom email templates", {
-    templates: Object.keys(templates)
-  });
-}
-function getVerificationCodeTemplate(params) {
-  if (customTemplates.verificationCode) {
-    return customTemplates.verificationCode(params);
-  }
-  return verificationCodeTemplate(params);
-}
-function getWelcomeTemplate(params) {
-  if (customTemplates.welcome) {
-    return customTemplates.welcome(params);
-  }
-  return {
-    subject: params.appName ? `Welcome to ${params.appName}!` : "Welcome!",
-    text: `Welcome! Your account has been created successfully.`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>Welcome${params.appName ? ` to ${params.appName}` : ""}!</h1>
-    <p>Your account has been created successfully.</p>
-</body>
-</html>`
-  };
-}
-function getPasswordResetTemplate(params) {
-  if (customTemplates.passwordReset) {
-    return customTemplates.passwordReset(params);
-  }
-  const expires = params.expiresInMinutes || 30;
-  return {
-    subject: "Reset your password",
-    text: `Click this link to reset your password: ${params.resetLink}
-
-This link will expire in ${expires} minutes.`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>Reset Your Password</h1>
-    <p>Click the button below to reset your password:</p>
-    <a href="${params.resetLink}" style="display: inline-block; background: #667eea; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px;">Reset Password</a>
-    <p style="color: #666; margin-top: 20px;">This link will expire in ${expires} minutes.</p>
-</body>
-</html>`
-  };
-}
-function getInvitationTemplate(params) {
-  if (customTemplates.invitation) {
-    return customTemplates.invitation(params);
-  }
-  const appName = params.appName || "our platform";
-  const inviterText = params.inviterName ? `${params.inviterName} has invited you` : "You have been invited";
-  const roleText = params.roleName ? ` as ${params.roleName}` : "";
-  return {
-    subject: `You're invited to join ${appName}`,
-    text: `${inviterText} to join ${appName}${roleText}.
-
-Click here to accept: ${params.inviteLink}`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>You're Invited!</h1>
-    <p>${inviterText} to join <strong>${appName}</strong>${roleText}.</p>
-    <a href="${params.inviteLink}" style="display: inline-block; background: #667eea; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px;">Accept Invitation</a>
-</body>
-</html>`
-  };
-}
-
-// src/server/services/verification.service.ts
 var VERIFICATION_TOKEN_EXPIRY = "15m";
 var VERIFICATION_CODE_EXPIRY_MINUTES = 5;
 var MAX_VERIFICATION_ATTEMPTS = 5;
@@ -7185,7 +6852,7 @@ async function markCodeAsUsed(codeId) {
   await verificationCodesRepository.markAsUsed(codeId);
 }
 function createVerificationToken(payload) {
-  return jwt2.sign(payload, env5.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
+  return jwt2.sign(payload, env3.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
     expiresIn: VERIFICATION_TOKEN_EXPIRY,
     issuer: "spfn-auth",
     audience: "spfn-client"
@@ -7193,7 +6860,7 @@ function createVerificationToken(payload) {
 }
 function validateVerificationToken(token) {
   try {
-    const decoded = jwt2.verify(token, env5.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
+    const decoded = jwt2.verify(token, env3.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
       issuer: "spfn-auth",
       audience: "spfn-client"
     });
@@ -7207,17 +6874,14 @@ function validateVerificationToken(token) {
   }
 }
 async function sendVerificationEmail(email, code, purpose) {
-  const { subject, text: text10, html } = getVerificationCodeTemplate({
-    code,
-    purpose,
-    expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
-  });
   const result = await sendEmail({
     to: email,
-    subject,
-    text: text10,
-    html,
-    purpose
+    template: "verification-code",
+    data: {
+      code,
+      purpose,
+      expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
+    }
   });
   if (!result.success) {
     authLogger.email.error("Failed to send verification email", {
@@ -7228,11 +6892,13 @@ async function sendVerificationEmail(email, code, purpose) {
   }
 }
 async function sendVerificationSMS(phone, code, purpose) {
-  const message = `Your verification code is: ${code}`;
   const result = await sendSMS({
-    phone,
-    message,
-    purpose
+    to: phone,
+    template: "verification-code",
+    data: {
+      code,
+      expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
+    }
   });
   if (!result.success) {
     authLogger.sms.error("Failed to send verification SMS", {
@@ -7495,12 +7161,14 @@ init_repositories();
 init_rbac();
 
 // src/server/lib/config.ts
-import { env as env6 } from "@spfn/auth/config";
+import { env as env4 } from "@spfn/auth/config";
 var COOKIE_NAMES = {
   /** Encrypted session data (userId, privateKey, keyId, algorithm) */
   SESSION: "spfn_session",
   /** Current key ID (for key rotation) */
-  SESSION_KEY_ID: "spfn_session_key_id"
+  SESSION_KEY_ID: "spfn_session_key_id",
+  /** Pending OAuth session (privateKey, keyId, algorithm) - temporary during OAuth flow */
+  OAUTH_PENDING: "spfn_oauth_pending"
 };
 function parseDuration(duration) {
   if (typeof duration === "number") {
@@ -7545,7 +7213,7 @@ function getSessionTtl(override) {
   if (globalConfig.sessionTtl !== void 0) {
     return parseDuration(globalConfig.sessionTtl);
   }
-  const envTtl = env6.SPFN_AUTH_SESSION_TTL;
+  const envTtl = env4.SPFN_AUTH_SESSION_TTL;
   if (envTtl) {
     return parseDuration(envTtl);
   }
@@ -7985,6 +7653,301 @@ async function updateUserProfileService(userId, params) {
   return profile;
 }
 
+// src/server/services/oauth.service.ts
+init_repositories();
+import { env as env7 } from "@spfn/auth/config";
+import { ValidationError as ValidationError2 } from "@spfn/core/errors";
+
+// src/server/lib/oauth/google.ts
+import { env as env5 } from "@spfn/auth/config";
+var GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+var GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";
+var GOOGLE_USERINFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo";
+function isGoogleOAuthEnabled() {
+  return !!(env5.SPFN_AUTH_GOOGLE_CLIENT_ID && env5.SPFN_AUTH_GOOGLE_CLIENT_SECRET);
+}
+function getGoogleOAuthConfig() {
+  const clientId = env5.SPFN_AUTH_GOOGLE_CLIENT_ID;
+  const clientSecret = env5.SPFN_AUTH_GOOGLE_CLIENT_SECRET;
+  if (!clientId || !clientSecret) {
+    throw new Error("Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET.");
+  }
+  const redirectUri = env5.SPFN_AUTH_GOOGLE_REDIRECT_URI || `${env5.SPFN_API_URL}/_auth/oauth/google/callback`;
+  return {
+    clientId,
+    clientSecret,
+    redirectUri
+  };
+}
+function getGoogleAuthUrl(state, scopes = ["email", "profile"]) {
+  const config = getGoogleOAuthConfig();
+  const params = new URLSearchParams({
+    client_id: config.clientId,
+    redirect_uri: config.redirectUri,
+    response_type: "code",
+    scope: scopes.join(" "),
+    state,
+    access_type: "offline",
+    // refresh_token 받기 위해
+    prompt: "consent"
+    // 매번 동의 화면 표시 (refresh_token 보장)
+  });
+  return `${GOOGLE_AUTH_URL}?${params.toString()}`;
+}
+async function exchangeCodeForTokens(code) {
+  const config = getGoogleOAuthConfig();
+  const response = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      redirect_uri: config.redirectUri,
+      grant_type: "authorization_code",
+      code
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to exchange code for tokens: ${error}`);
+  }
+  return response.json();
+}
+async function getGoogleUserInfo(accessToken) {
+  const response = await fetch(GOOGLE_USERINFO_URL, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to get user info: ${error}`);
+  }
+  return response.json();
+}
+async function refreshAccessToken(refreshToken) {
+  const config = getGoogleOAuthConfig();
+  const response = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      refresh_token: refreshToken,
+      grant_type: "refresh_token"
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to refresh access token: ${error}`);
+  }
+  return response.json();
+}
+
+// src/server/lib/oauth/state.ts
+import * as jose from "jose";
+import { env as env6 } from "@spfn/auth/config";
+async function getStateKey() {
+  const secret = env6.SPFN_AUTH_SESSION_SECRET;
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`oauth-state:${secret}`);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(hashBuffer);
+}
+function generateNonce() {
+  const array = new Uint8Array(16);
+  crypto.getRandomValues(array);
+  return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createOAuthState(params) {
+  const key = await getStateKey();
+  const state = {
+    returnUrl: params.returnUrl,
+    nonce: generateNonce(),
+    provider: params.provider,
+    publicKey: params.publicKey,
+    keyId: params.keyId,
+    fingerprint: params.fingerprint,
+    algorithm: params.algorithm
+  };
+  const jwe = await new jose.EncryptJWT({ state }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime("10m").encrypt(key);
+  return encodeURIComponent(jwe);
+}
+async function verifyOAuthState(encryptedState) {
+  const key = await getStateKey();
+  const jwe = decodeURIComponent(encryptedState);
+  const { payload } = await jose.jwtDecrypt(jwe, key);
+  return payload.state;
+}
+
+// src/server/services/oauth.service.ts
+async function oauthStartService(params) {
+  const { provider, returnUrl, publicKey, keyId, fingerprint, algorithm } = params;
+  if (provider === "google") {
+    if (!isGoogleOAuthEnabled()) {
+      throw new ValidationError2({
+        message: "Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET."
+      });
+    }
+    const state = await createOAuthState({
+      provider: "google",
+      returnUrl,
+      publicKey,
+      keyId,
+      fingerprint,
+      algorithm
+    });
+    const authUrl = getGoogleAuthUrl(state);
+    return { authUrl };
+  }
+  throw new ValidationError2({
+    message: `Unsupported OAuth provider: ${provider}`
+  });
+}
+async function oauthCallbackService(params) {
+  const { provider, code, state } = params;
+  const stateData = await verifyOAuthState(state);
+  if (stateData.provider !== provider) {
+    throw new ValidationError2({
+      message: "OAuth state provider mismatch"
+    });
+  }
+  if (provider === "google") {
+    return handleGoogleCallback(code, stateData);
+  }
+  throw new ValidationError2({
+    message: `Unsupported OAuth provider: ${provider}`
+  });
+}
+async function handleGoogleCallback(code, stateData) {
+  const tokens = await exchangeCodeForTokens(code);
+  const googleUser = await getGoogleUserInfo(tokens.access_token);
+  const existingSocialAccount = await socialAccountsRepository.findByProviderAndProviderId(
+    "google",
+    googleUser.id
+  );
+  let userId;
+  let isNewUser = false;
+  if (existingSocialAccount) {
+    userId = existingSocialAccount.userId;
+    await socialAccountsRepository.updateTokens(existingSocialAccount.id, {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token ?? existingSocialAccount.refreshToken,
+      tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+    });
+  } else {
+    const result = await createOrLinkUser(googleUser, tokens);
+    userId = result.userId;
+    isNewUser = result.isNewUser;
+  }
+  await registerPublicKeyService({
+    userId,
+    keyId: stateData.keyId,
+    publicKey: stateData.publicKey,
+    fingerprint: stateData.fingerprint,
+    algorithm: stateData.algorithm
+  });
+  await updateLastLoginService(userId);
+  const appUrl = env7.SPFN_APP_URL;
+  const callbackPath = env7.SPFN_AUTH_OAUTH_SUCCESS_URL || "/auth/callback";
+  const callbackUrl = callbackPath.startsWith("http") ? callbackPath : `${appUrl}${callbackPath}`;
+  const redirectUrl = buildRedirectUrl(callbackUrl, {
+    userId: String(userId),
+    keyId: stateData.keyId,
+    returnUrl: stateData.returnUrl,
+    isNewUser: String(isNewUser)
+  });
+  return {
+    redirectUrl,
+    userId: String(userId),
+    keyId: stateData.keyId,
+    isNewUser
+  };
+}
+async function createOrLinkUser(googleUser, tokens) {
+  const existingUser = googleUser.email ? await usersRepository.findByEmail(googleUser.email) : null;
+  let userId;
+  let isNewUser = false;
+  if (existingUser) {
+    if (!googleUser.verified_email) {
+      throw new ValidationError2({
+        message: "Cannot link to existing account with unverified email. Please verify your email with Google first."
+      });
+    }
+    userId = existingUser.id;
+    if (!existingUser.emailVerifiedAt) {
+      await usersRepository.updateById(existingUser.id, {
+        emailVerifiedAt: /* @__PURE__ */ new Date()
+      });
+    }
+  } else {
+    const { getRoleByName: getRoleByName3 } = await Promise.resolve().then(() => (init_role_service(), role_service_exports));
+    const userRole = await getRoleByName3("user");
+    if (!userRole) {
+      throw new Error("Default user role not found. Run initializeAuth() first.");
+    }
+    const newUser = await usersRepository.create({
+      email: googleUser.verified_email ? googleUser.email : null,
+      phone: null,
+      passwordHash: null,
+      // OAuth 사용자는 비밀번호 없음
+      passwordChangeRequired: false,
+      roleId: userRole.id,
+      status: "active",
+      emailVerifiedAt: googleUser.verified_email ? /* @__PURE__ */ new Date() : null
+    });
+    userId = newUser.id;
+    isNewUser = true;
+  }
+  await socialAccountsRepository.create({
+    userId,
+    provider: "google",
+    providerUserId: googleUser.id,
+    providerEmail: googleUser.email,
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token ?? null,
+    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+  });
+  return { userId, isNewUser };
+}
+function buildRedirectUrl(baseUrl, params) {
+  const url = new URL(baseUrl, "http://placeholder");
+  for (const [key, value] of Object.entries(params)) {
+    url.searchParams.set(key, value);
+  }
+  if (baseUrl.startsWith("http")) {
+    return url.toString();
+  }
+  return `${url.pathname}${url.search}`;
+}
+function buildOAuthErrorUrl(error) {
+  const errorUrl = env7.SPFN_AUTH_OAUTH_ERROR_URL || "/auth/error?error={error}";
+  return errorUrl.replace("{error}", encodeURIComponent(error));
+}
+function isOAuthProviderEnabled(provider) {
+  switch (provider) {
+    case "google":
+      return isGoogleOAuthEnabled();
+    case "github":
+    case "kakao":
+    case "naver":
+      return false;
+    default:
+      return false;
+  }
+}
+function getEnabledOAuthProviders() {
+  const providers = [];
+  if (isGoogleOAuthEnabled()) {
+    providers.push("google");
+  }
+  return providers;
+}
+
 // src/server/routes/auth/index.ts
 init_esm();
 import { Transactional } from "@spfn/core/db";
@@ -8595,12 +8558,163 @@ var userRouter = defineRouter3({
   updateUserProfile
 });
 
+// src/server/routes/oauth/index.ts
+init_esm();
+init_types();
+import { Transactional as Transactional2 } from "@spfn/core/db";
+import { defineRouter as defineRouter4, route as route4 } from "@spfn/core/route";
+var oauthGoogleStart = route4.get("/_auth/oauth/google").input({
+  query: Type.Object({
+    state: Type.String({
+      description: "Encrypted OAuth state (returnUrl, publicKey, keyId, fingerprint, algorithm)"
+    })
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { query } = await c.data();
+  if (!isGoogleOAuthEnabled()) {
+    return c.redirect(buildOAuthErrorUrl("Google OAuth is not configured"));
+  }
+  const authUrl = getGoogleAuthUrl(query.state);
+  return c.redirect(authUrl);
+});
+var oauthGoogleCallback = route4.get("/_auth/oauth/google/callback").input({
+  query: Type.Object({
+    code: Type.Optional(Type.String({
+      description: "Authorization code from Google"
+    })),
+    state: Type.Optional(Type.String({
+      description: "OAuth state parameter"
+    })),
+    error: Type.Optional(Type.String({
+      description: "Error code from Google"
+    })),
+    error_description: Type.Optional(Type.String({
+      description: "Error description from Google"
+    }))
+  })
+}).use([Transactional2()]).skip(["auth"]).handler(async (c) => {
+  const { query } = await c.data();
+  if (query.error) {
+    const errorMessage = query.error_description || query.error;
+    return c.redirect(buildOAuthErrorUrl(errorMessage));
+  }
+  if (!query.code || !query.state) {
+    return c.redirect(buildOAuthErrorUrl("Missing authorization code or state"));
+  }
+  try {
+    const result = await oauthCallbackService({
+      provider: "google",
+      code: query.code,
+      state: query.state
+    });
+    return c.redirect(result.redirectUrl);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "OAuth callback failed";
+    return c.redirect(buildOAuthErrorUrl(message));
+  }
+});
+var oauthStart = route4.post("/_auth/oauth/start").input({
+  body: Type.Object({
+    provider: Type.Union(SOCIAL_PROVIDERS.map((p) => Type.Literal(p)), {
+      description: "OAuth provider (google, github, kakao, naver)"
+    }),
+    returnUrl: Type.String({
+      description: "URL to redirect after OAuth success"
+    }),
+    publicKey: Type.String({
+      description: "Client public key (Base64 DER)"
+    }),
+    keyId: Type.String({
+      description: "Key identifier (UUID)"
+    }),
+    fingerprint: Type.String({
+      description: "Key fingerprint (SHA-256 hex)"
+    }),
+    algorithm: Type.Union(KEY_ALGORITHM.map((a) => Type.Literal(a)), {
+      description: "Key algorithm (ES256 or RS256)"
+    })
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  const result = await oauthStartService(body);
+  return result;
+});
+var oauthProviders = route4.get("/_auth/oauth/providers").skip(["auth"]).handler(async () => {
+  return {
+    providers: getEnabledOAuthProviders()
+  };
+});
+var getGoogleOAuthUrl = route4.post("/_auth/oauth/google/url").input({
+  body: Type.Object({
+    returnUrl: Type.Optional(Type.String({
+      description: "URL to redirect after OAuth success"
+    })),
+    state: Type.Optional(Type.String({
+      description: "Encrypted OAuth state (injected by interceptor)"
+    }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  if (!isGoogleOAuthEnabled()) {
+    throw new Error("Google OAuth is not configured");
+  }
+  if (!body.state) {
+    throw new Error("OAuth state is required. Ensure the OAuth interceptor is configured.");
+  }
+  return { authUrl: getGoogleAuthUrl(body.state) };
+});
+var oauthFinalize = route4.post("/_auth/oauth/finalize").input({
+  body: Type.Object({
+    userId: Type.String({ description: "User ID from OAuth callback" }),
+    keyId: Type.String({ description: "Key ID from OAuth state" }),
+    returnUrl: Type.Optional(Type.String({ description: "URL to redirect after login" }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  return {
+    success: true,
+    returnUrl: body.returnUrl || "/"
+  };
+});
+var oauthRouter = defineRouter4({
+  oauthGoogleStart,
+  oauthGoogleCallback,
+  oauthStart,
+  oauthProviders,
+  getGoogleOAuthUrl,
+  oauthFinalize
+});
+
 // src/server/routes/index.ts
-var mainAuthRouter = defineRouter4({
-  // Flatten all routes at root level
-  ...authRouter.routes,
-  ...invitationRouter.routes,
-  ...userRouter.routes
+var mainAuthRouter = defineRouter5({
+  // Auth routes
+  checkAccountExists,
+  sendVerificationCode,
+  verifyCode,
+  register,
+  login,
+  logout,
+  rotateKey,
+  changePassword,
+  getAuthSession,
+  // OAuth routes
+  oauthGoogleStart,
+  oauthGoogleCallback,
+  oauthStart,
+  oauthProviders,
+  getGoogleOAuthUrl,
+  oauthFinalize,
+  // Invitation routes
+  getInvitation,
+  acceptInvitation: acceptInvitation2,
+  createInvitation: createInvitation2,
+  listInvitations: listInvitations2,
+  cancelInvitation: cancelInvitation2,
+  resendInvitation: resendInvitation2,
+  deleteInvitation: deleteInvitation2,
+  // User routes
+  getUserProfile,
+  updateUserProfile
 });
 
 // src/server.ts
@@ -8710,11 +8824,11 @@ function shouldRotateKey(createdAt, rotationDays = 90) {
 }
 
 // src/server/lib/session.ts
-import * as jose from "jose";
-import { env as env7 } from "@spfn/auth/config";
+import * as jose2 from "jose";
+import { env as env8 } from "@spfn/auth/config";
 import { env as coreEnv } from "@spfn/core/config";
 async function getSessionSecretKey() {
-  const secret = env7.SPFN_AUTH_SESSION_SECRET;
+  const secret = env8.SPFN_AUTH_SESSION_SECRET;
   const encoder = new TextEncoder();
   const data = encoder.encode(secret);
   const hashBuffer = await crypto.subtle.digest("SHA-256", data);
@@ -8722,24 +8836,24 @@ async function getSessionSecretKey() {
 }
 async function sealSession(data, ttl = 60 * 60 * 24 * 7) {
   const secret = await getSessionSecretKey();
-  return await new jose.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
+  return await new jose2.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
 }
 async function unsealSession(jwt4) {
   try {
     const secret = await getSessionSecretKey();
-    const { payload } = await jose.jwtDecrypt(jwt4, secret, {
+    const { payload } = await jose2.jwtDecrypt(jwt4, secret, {
       issuer: "spfn-auth",
       audience: "spfn-client"
     });
     return payload.data;
   } catch (err) {
-    if (err instanceof jose.errors.JWTExpired) {
+    if (err instanceof jose2.errors.JWTExpired) {
       throw new Error("Session expired");
     }
-    if (err instanceof jose.errors.JWEDecryptionFailed) {
+    if (err instanceof jose2.errors.JWEDecryptionFailed) {
       throw new Error("Invalid session");
     }
-    if (err instanceof jose.errors.JWTClaimValidationFailed) {
+    if (err instanceof jose2.errors.JWTClaimValidationFailed) {
       throw new Error("Session validation failed");
     }
     throw new Error("Failed to unseal session");
@@ -8748,7 +8862,7 @@ async function unsealSession(jwt4) {
 async function getSessionInfo(jwt4) {
   const secret = await getSessionSecretKey();
   try {
-    const { payload } = await jose.jwtDecrypt(jwt4, secret);
+    const { payload } = await jose2.jwtDecrypt(jwt4, secret);
     return {
       issuedAt: new Date(payload.iat * 1e3),
       expiresAt: new Date(payload.exp * 1e3),
@@ -8772,14 +8886,14 @@ async function shouldRefreshSession(jwt4, thresholdHours = 24) {
 }
 
 // src/server/setup.ts
-import { env as env8 } from "@spfn/auth/config";
+import { env as env9 } from "@spfn/auth/config";
 import { getRoleByName as getRoleByName2 } from "@spfn/auth/server";
 init_repositories();
 function parseAdminAccounts() {
   const accounts = [];
-  if (env8.SPFN_AUTH_ADMIN_ACCOUNTS) {
+  if (env9.SPFN_AUTH_ADMIN_ACCOUNTS) {
     try {
-      const accountsJson = env8.SPFN_AUTH_ADMIN_ACCOUNTS;
+      const accountsJson = env9.SPFN_AUTH_ADMIN_ACCOUNTS;
       const parsed = JSON.parse(accountsJson);
       if (!Array.isArray(parsed)) {
         authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_ACCOUNTS must be an array");
@@ -8806,11 +8920,11 @@ function parseAdminAccounts() {
       return accounts;
     }
   }
-  const adminEmails = env8.SPFN_AUTH_ADMIN_EMAILS;
+  const adminEmails = env9.SPFN_AUTH_ADMIN_EMAILS;
   if (adminEmails) {
     const emails = adminEmails.split(",").map((s) => s.trim());
-    const passwords = (env8.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
-    const roles2 = (env8.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
+    const passwords = (env9.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
+    const roles2 = (env9.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
     if (passwords.length !== emails.length) {
       authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_EMAILS and SPFN_AUTH_ADMIN_PASSWORDS length mismatch");
       return accounts;
@@ -8832,8 +8946,8 @@ function parseAdminAccounts() {
     }
     return accounts;
   }
-  const adminEmail = env8.SPFN_AUTH_ADMIN_EMAIL;
-  const adminPassword = env8.SPFN_AUTH_ADMIN_PASSWORD;
+  const adminEmail = env9.SPFN_AUTH_ADMIN_EMAIL;
+  const adminPassword = env9.SPFN_AUTH_ADMIN_PASSWORD;
   if (adminEmail && adminPassword) {
     accounts.push({
       email: adminEmail,
@@ -8923,6 +9037,7 @@ export {
   RolePermissionsRepository,
   RolesRepository,
   SOCIAL_PROVIDERS,
+  SocialAccountsRepository,
   TargetTypeSchema,
   USER_STATUSES,
   UserPermissionsRepository,
@@ -8938,16 +9053,19 @@ export {
   mainAuthRouter as authRouter,
   authSchema,
   authenticate,
+  buildOAuthErrorUrl,
   cancelInvitation,
   changePasswordService,
   checkAccountExistsService,
   configureAuth,
   createAuthLifecycle,
   createInvitation,
+  createOAuthState,
   createRole,
   decodeToken,
   deleteInvitation,
   deleteRole,
+  exchangeCodeForTokens,
   expireOldInvitations,
   generateClientToken,
   generateKeyPair,
@@ -8958,12 +9076,14 @@ export {
   getAuth,
   getAuthConfig,
   getAuthSessionService,
+  getEnabledOAuthProviders,
+  getGoogleAuthUrl,
+  getGoogleOAuthConfig,
+  getGoogleUserInfo,
   getInvitationByToken,
-  getInvitationTemplate,
   getInvitationWithDetails,
   getKeyId,
   getKeySize,
-  getPasswordResetTemplate,
   getRoleByName,
   getRolePermissions,
   getSessionInfo,
@@ -8976,8 +9096,6 @@ export {
   getUserPermissions,
   getUserProfileService,
   getUserRole,
-  getVerificationCodeTemplate,
-  getWelcomeTemplate,
   hasAllPermissions,
   hasAnyPermission,
   hasAnyRole,
@@ -8986,17 +9104,19 @@ export {
   hashPassword,
   initializeAuth,
   invitationsRepository,
+  isGoogleOAuthEnabled,
+  isOAuthProviderEnabled,
   keysRepository,
   listInvitations,
   loginService,
   logoutService,
+  oauthCallbackService,
+  oauthStartService,
   parseDuration,
   permissions,
   permissionsRepository,
-  registerEmailProvider,
-  registerEmailTemplates,
+  refreshAccessToken,
   registerPublicKeyService,
-  registerSMSProvider,
   registerService,
   removePermissionFromRole,
   requireAnyPermission,
@@ -9011,12 +9131,11 @@ export {
   rolesRepository,
   rotateKeyService,
   sealSession,
-  sendEmail,
-  sendSMS,
   sendVerificationCodeService,
   setRolePermissions,
   shouldRefreshSession,
   shouldRotateKey,
+  socialAccountsRepository,
   unsealSession,
   updateLastLoginService,
   updateRole,
@@ -9038,6 +9157,7 @@ export {
   verifyClientToken,
   verifyCodeService,
   verifyKeyFingerprint,
+  verifyOAuthState,
   verifyPassword,
   verifyToken
 };