@spfn/auth 0.2.0-beta.11 → 0.2.0-beta.13

package/dist/server.d.ts

@@ -1,5 +1,5 @@
-import { k as AuthInitOptions, l as KeyAlgorithmType, n as InvitationStatus, f as VerificationPurpose, j as PermissionCategory, q as AuthContext } from './authenticate-CU6_zQaa.js';
-export { B as ChangePasswordParams, w as CheckAccountExistsParams, C as CheckAccountExistsResult, X as EmailSchema, I as INVITATION_STATUSES, K as KEY_ALGORITHM, y as LoginParams, L as LoginResult, z as LogoutParams, Z as PasswordSchema, Y as PhoneSchema, x as RegisterParams, O as RegisterPublicKeyParams, a as RegisterResult, T as RevokeKeyParams, Q as RotateKeyParams, b as RotateKeyResult, e as SOCIAL_PROVIDERS, F as SendVerificationCodeParams, S as SendVerificationCodeResult, p as SocialProvider, _ as TargetTypeSchema, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, $ as VerificationPurposeSchema, V as VerificationTargetType, G as VerifyCodeParams, H as VerifyCodeResult, m as authRouter, W as authenticate, v as changePasswordService, r as checkAccountExistsService, t as loginService, u as logoutService, J as registerPublicKeyService, s as registerService, N as revokeKeyService, M as rotateKeyService, D as sendVerificationCodeService, E as verifyCodeService } from './authenticate-CU6_zQaa.js';
+import { k as AuthInitOptions, l as KeyAlgorithmType, n as InvitationStatus, f as VerificationPurpose, j as PermissionCategory, p as SocialProvider, q as AuthContext } from './authenticate-Cz2FjLdB.js';
+export { B as ChangePasswordParams, w as CheckAccountExistsParams, C as CheckAccountExistsResult, a5 as EmailSchema, I as INVITATION_STATUSES, K as KEY_ALGORITHM, y as LoginParams, L as LoginResult, z as LogoutParams, a2 as OAuthCallbackParams, a3 as OAuthCallbackResult, a1 as OAuthStartParams, O as OAuthStartResult, a7 as PasswordSchema, a6 as PhoneSchema, x as RegisterParams, Q as RegisterPublicKeyParams, a as RegisterResult, W as RevokeKeyParams, T as RotateKeyParams, b as RotateKeyResult, e as SOCIAL_PROVIDERS, F as SendVerificationCodeParams, S as SendVerificationCodeResult, a8 as TargetTypeSchema, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, a9 as VerificationPurposeSchema, V as VerificationTargetType, G as VerifyCodeParams, H as VerifyCodeResult, m as authRouter, a4 as authenticate, Z as buildOAuthErrorUrl, v as changePasswordService, r as checkAccountExistsService, $ as getEnabledOAuthProviders, a0 as getGoogleAccessToken, _ as isOAuthProviderEnabled, t as loginService, u as logoutService, Y as oauthCallbackService, X as oauthStartService, J as registerPublicKeyService, s as registerService, N as revokeKeyService, M as rotateKeyService, D as sendVerificationCodeService, E as verifyCodeService } from './authenticate-Cz2FjLdB.js';
 import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
 import { UserProfile as UserProfile$1, ProfileInfo } from '@spfn/auth';
 import { BaseRepository } from '@spfn/core/db';
@@ -4139,6 +4139,136 @@ declare class InvitationsRepository extends BaseRepository {
 }
 declare const invitationsRepository: InvitationsRepository;
 
+/**
+ * Social Accounts Repository
+ *
+ * OAuth 소셜 계정 데이터 관리를 위한 Repository
+ * BaseRepository를 상속받아 자동 트랜잭션 컨텍스트 지원 및 Read/Write 분리
+ */
+
+/**
+ * Social Accounts Repository 클래스
+ */
+declare class SocialAccountsRepository extends BaseRepository {
+    /**
+     * provider와 providerUserId로 소셜 계정 조회
+     * Read replica 사용
+     */
+    findByProviderAndProviderId(provider: SocialProvider, providerUserId: string): Promise<{
+        createdAt: Date;
+        updatedAt: Date;
+        id: number;
+        userId: number;
+        provider: "google" | "github" | "kakao" | "naver";
+        providerUserId: string;
+        providerEmail: string | null;
+        accessToken: string | null;
+        refreshToken: string | null;
+        tokenExpiresAt: Date | null;
+    }>;
+    /**
+     * userId로 모든 소셜 계정 조회
+     * Read replica 사용
+     */
+    findByUserId(userId: number): Promise<{
+        createdAt: Date;
+        updatedAt: Date;
+        id: number;
+        userId: number;
+        provider: "google" | "github" | "kakao" | "naver";
+        providerUserId: string;
+        providerEmail: string | null;
+        accessToken: string | null;
+        refreshToken: string | null;
+        tokenExpiresAt: Date | null;
+    }[]>;
+    /**
+     * userId와 provider로 소셜 계정 조회
+     * Read replica 사용
+     */
+    findByUserIdAndProvider(userId: number, provider: SocialProvider): Promise<{
+        createdAt: Date;
+        updatedAt: Date;
+        id: number;
+        userId: number;
+        provider: "google" | "github" | "kakao" | "naver";
+        providerUserId: string;
+        providerEmail: string | null;
+        accessToken: string | null;
+        refreshToken: string | null;
+        tokenExpiresAt: Date | null;
+    }>;
+    /**
+     * 소셜 계정 생성
+     * Write primary 사용
+     */
+    create(data: NewUserSocialAccount): Promise<{
+        userId: number;
+        id: number;
+        createdAt: Date;
+        updatedAt: Date;
+        provider: "google" | "github" | "kakao" | "naver";
+        providerUserId: string;
+        providerEmail: string | null;
+        accessToken: string | null;
+        refreshToken: string | null;
+        tokenExpiresAt: Date | null;
+    }>;
+    /**
+     * 토큰 정보 업데이트
+     * Write primary 사용
+     */
+    updateTokens(id: number, data: {
+        accessToken?: string | null;
+        refreshToken?: string | null;
+        tokenExpiresAt?: Date | null;
+    }): Promise<{
+        createdAt: Date;
+        updatedAt: Date;
+        id: number;
+        userId: number;
+        provider: "google" | "github" | "kakao" | "naver";
+        providerUserId: string;
+        providerEmail: string | null;
+        accessToken: string | null;
+        refreshToken: string | null;
+        tokenExpiresAt: Date | null;
+    }>;
+    /**
+     * 소셜 계정 삭제
+     * Write primary 사용
+     */
+    deleteById(id: number): Promise<{
+        userId: number;
+        id: number;
+        createdAt: Date;
+        updatedAt: Date;
+        provider: "google" | "github" | "kakao" | "naver";
+        providerUserId: string;
+        providerEmail: string | null;
+        accessToken: string | null;
+        refreshToken: string | null;
+        tokenExpiresAt: Date | null;
+    }>;
+    /**
+     * userId와 provider로 소셜 계정 삭제
+     * Write primary 사용
+     */
+    deleteByUserIdAndProvider(userId: number, provider: SocialProvider): Promise<{
+        userId: number;
+        id: number;
+        createdAt: Date;
+        updatedAt: Date;
+        provider: "google" | "github" | "kakao" | "naver";
+        providerUserId: string;
+        providerEmail: string | null;
+        accessToken: string | null;
+        refreshToken: string | null;
+        tokenExpiresAt: Date | null;
+    }>;
+}
+declare const socialAccountsRepository: SocialAccountsRepository;
+
 /**
  * @spfn/auth - Password Helpers
  *
@@ -4685,6 +4815,8 @@ declare const COOKIE_NAMES: {
     readonly SESSION: "spfn_session";
     /** Current key ID (for key rotation) */
     readonly SESSION_KEY_ID: "spfn_session_key_id";
+    /** Pending OAuth session (privateKey, keyId, algorithm) - temporary during OAuth flow */
+    readonly OAUTH_PENDING: "spfn_oauth_pending";
 };
 /**
  * Parse duration string to seconds
@@ -4741,6 +4873,114 @@ declare function getAuthConfig(): AuthConfig;
  */
 declare function getSessionTtl(override?: string | number): number;
 
+/**
+ * Google OAuth 2.0 Client
+ *
+ * Authorization Code Flow 구현
+ * - getGoogleAuthUrl: Google 로그인 URL 생성
+ * - exchangeCodeForTokens: Code를 Token으로 교환
+ * - getGoogleUserInfo: 사용자 정보 조회
+ */
+interface GoogleTokenResponse {
+    access_token: string;
+    expires_in: number;
+    refresh_token?: string;
+    scope: string;
+    token_type: string;
+    id_token?: string;
+}
+interface GoogleUserInfo {
+    id: string;
+    email: string;
+    verified_email: boolean;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+    picture?: string;
+    locale?: string;
+}
+/**
+ * Google OAuth가 활성화되어 있는지 확인
+ */
+declare function isGoogleOAuthEnabled(): boolean;
+/**
+ * Google OAuth 설정 가져오기
+ */
+declare function getGoogleOAuthConfig(): {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+};
+/**
+ * Google 로그인 URL 생성
+ *
+ * @param state - CSRF 방지용 state 파라미터 (암호화된 returnUrl + nonce 포함)
+ * @param scopes - 요청할 OAuth scopes (기본: env 또는 email, profile)
+ */
+declare function getGoogleAuthUrl(state: string, scopes?: string[]): string;
+/**
+ * Authorization Code를 Token으로 교환
+ *
+ * @param code - Google에서 받은 authorization code
+ */
+declare function exchangeCodeForTokens(code: string): Promise<GoogleTokenResponse>;
+/**
+ * Access Token으로 Google 사용자 정보 조회
+ *
+ * @param accessToken - Google access token
+ */
+declare function getGoogleUserInfo(accessToken: string): Promise<GoogleUserInfo>;
+/**
+ * Refresh Token으로 새 Access Token 획득
+ *
+ * @param refreshToken - Google refresh token
+ */
+declare function refreshAccessToken(refreshToken: string): Promise<GoogleTokenResponse>;
+
+/**
+ * OAuth State Management
+ *
+ * CSRF 방지를 위한 state 파라미터 암호화/복호화
+ * - returnUrl: OAuth 성공 후 리다이렉트할 URL
+ * - nonce: CSRF 방지용 일회용 토큰
+ * - provider: OAuth provider (google, github 등)
+ * - publicKey, keyId, fingerprint, algorithm: 클라이언트 키 정보
+ * - expiresAt: state 만료 시간
+ */
+
+interface OAuthState {
+    returnUrl: string;
+    nonce: string;
+    provider: string;
+    publicKey: string;
+    keyId: string;
+    fingerprint: string;
+    algorithm: KeyAlgorithmType;
+}
+interface CreateOAuthStateParams {
+    provider: string;
+    returnUrl: string;
+    publicKey: string;
+    keyId: string;
+    fingerprint: string;
+    algorithm: KeyAlgorithmType;
+}
+/**
+ * OAuth state 생성 및 암호화
+ *
+ * @param params - state 생성에 필요한 파라미터
+ * @returns 암호화된 state 문자열
+ */
+declare function createOAuthState(params: CreateOAuthStateParams): Promise<string>;
+/**
+ * OAuth state 복호화 및 검증
+ *
+ * @param encryptedState - 암호화된 state 문자열
+ * @returns 복호화된 state 객체
+ * @throws Error if state is invalid or expired (JWE exp claim으로 자동 검증)
+ */
+declare function verifyOAuthState(encryptedState: string): Promise<OAuthState>;
+
 /**
  * @spfn/auth - Centralized Logger
  *
@@ -4836,4 +5076,4 @@ interface AuthLifecycleConfig {
  */
 declare function createAuthLifecycle(options?: AuthInitOptions): AuthLifecycleConfig;
 
-export { type AuthConfig, AuthContext, COOKIE_NAMES, type Invitation, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authSchema, cancelInvitation, configureAuth, createAuthLifecycle, createInvitation, createRole, decodeToken, deleteInvitation, deleteRole, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationsRepository, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, unsealSession, updateLastLoginService, updateRole, updateUserProfileService, updateUserService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyPassword, verifyToken };
+export { type AuthConfig, AuthContext, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authSchema, cancelInvitation, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateRole, updateUserProfileService, updateUserService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };