@spfn/auth 0.2.0-beta.11 → 0.2.0-beta.13

package/dist/server.js

@@ -1359,7 +1359,7 @@ var init_literal2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/boolean/boolean.mjs
-function Boolean(options) {
+function Boolean2(options) {
   return CreateType({ [Kind]: "Boolean", type: "boolean" }, options);
 }
 var init_boolean = __esm({
@@ -1441,7 +1441,7 @@ var init_string2 = __esm({
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/template-literal/syntax.mjs
 function* FromUnion(syntax) {
   const trim = syntax.trim().replace(/"|'/g, "");
-  return trim === "boolean" ? yield Boolean() : trim === "number" ? yield Number2() : trim === "bigint" ? yield BigInt() : trim === "string" ? yield String2() : yield (() => {
+  return trim === "boolean" ? yield Boolean2() : trim === "number" ? yield Number2() : trim === "bigint" ? yield BigInt() : trim === "string" ? yield String2() : yield (() => {
     const literals = trim.split("|").map((literal) => Literal(literal.trim()));
     return literals.length === 0 ? Never() : literals.length === 1 ? literals[0] : UnionEvaluated(literals);
   })();
@@ -4244,7 +4244,7 @@ __export(type_exports3, {
   AsyncIterator: () => AsyncIterator,
   Awaited: () => Awaited,
   BigInt: () => BigInt,
-  Boolean: () => Boolean,
+  Boolean: () => Boolean2,
   Capitalize: () => Capitalize,
   Composite: () => Composite,
   Const: () => Const,
@@ -6407,6 +6407,96 @@ var init_invitations_repository = __esm({
   }
 });
 
+// src/server/repositories/social-accounts.repository.ts
+import { eq as eq10, and as and7 } from "drizzle-orm";
+import { BaseRepository as BaseRepository10 } from "@spfn/core/db";
+var SocialAccountsRepository, socialAccountsRepository;
+var init_social_accounts_repository = __esm({
+  "src/server/repositories/social-accounts.repository.ts"() {
+    "use strict";
+    init_entities();
+    SocialAccountsRepository = class extends BaseRepository10 {
+      /**
+       * provider와 providerUserId로 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByProviderAndProviderId(provider, providerUserId) {
+        const result = await this.readDb.select().from(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.provider, provider),
+            eq10(userSocialAccounts.providerUserId, providerUserId)
+          )
+        ).limit(1);
+        return result[0] ?? null;
+      }
+      /**
+       * userId로 모든 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByUserId(userId) {
+        return await this.readDb.select().from(userSocialAccounts).where(eq10(userSocialAccounts.userId, userId));
+      }
+      /**
+       * userId와 provider로 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByUserIdAndProvider(userId, provider) {
+        const result = await this.readDb.select().from(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.userId, userId),
+            eq10(userSocialAccounts.provider, provider)
+          )
+        ).limit(1);
+        return result[0] ?? null;
+      }
+      /**
+       * 소셜 계정 생성
+       * Write primary 사용
+       */
+      async create(data) {
+        return await this._create(userSocialAccounts, {
+          ...data,
+          createdAt: /* @__PURE__ */ new Date(),
+          updatedAt: /* @__PURE__ */ new Date()
+        });
+      }
+      /**
+       * 토큰 정보 업데이트
+       * Write primary 사용
+       */
+      async updateTokens(id11, data) {
+        const result = await this.db.update(userSocialAccounts).set({
+          ...data,
+          updatedAt: /* @__PURE__ */ new Date()
+        }).where(eq10(userSocialAccounts.id, id11)).returning();
+        return result[0] ?? null;
+      }
+      /**
+       * 소셜 계정 삭제
+       * Write primary 사용
+       */
+      async deleteById(id11) {
+        const result = await this.db.delete(userSocialAccounts).where(eq10(userSocialAccounts.id, id11)).returning();
+        return result[0] ?? null;
+      }
+      /**
+       * userId와 provider로 소셜 계정 삭제
+       * Write primary 사용
+       */
+      async deleteByUserIdAndProvider(userId, provider) {
+        const result = await this.db.delete(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.userId, userId),
+            eq10(userSocialAccounts.provider, provider)
+          )
+        ).returning();
+        return result[0] ?? null;
+      }
+    };
+    socialAccountsRepository = new SocialAccountsRepository();
+  }
+});
+
 // src/server/repositories/index.ts
 var init_repositories = __esm({
   "src/server/repositories/index.ts"() {
@@ -6420,6 +6510,7 @@ var init_repositories = __esm({
     init_user_permissions_repository();
     init_user_profiles_repository();
     init_invitations_repository();
+    init_social_accounts_repository();
   }
 });
 
@@ -6546,7 +6637,7 @@ var init_role_service = __esm({
 import "@spfn/auth/config";
 
 // src/server/routes/index.ts
-import { defineRouter as defineRouter4 } from "@spfn/core/route";
+import { defineRouter as defineRouter5 } from "@spfn/core/route";
 
 // src/server/routes/auth/index.ts
 init_schema3();
@@ -7075,7 +7166,9 @@ var COOKIE_NAMES = {
   /** Encrypted session data (userId, privateKey, keyId, algorithm) */
   SESSION: "spfn_session",
   /** Current key ID (for key rotation) */
-  SESSION_KEY_ID: "spfn_session_key_id"
+  SESSION_KEY_ID: "spfn_session_key_id",
+  /** Pending OAuth session (privateKey, keyId, algorithm) - temporary during OAuth flow */
+  OAUTH_PENDING: "spfn_oauth_pending"
 };
 function parseDuration(duration) {
   if (typeof duration === "number") {
@@ -7560,6 +7653,334 @@ async function updateUserProfileService(userId, params) {
   return profile;
 }
 
+// src/server/services/oauth.service.ts
+init_repositories();
+import { env as env7 } from "@spfn/auth/config";
+import { ValidationError as ValidationError2 } from "@spfn/core/errors";
+
+// src/server/lib/oauth/google.ts
+import { env as env5 } from "@spfn/auth/config";
+var GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+var GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";
+var GOOGLE_USERINFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo";
+function isGoogleOAuthEnabled() {
+  return !!(env5.SPFN_AUTH_GOOGLE_CLIENT_ID && env5.SPFN_AUTH_GOOGLE_CLIENT_SECRET);
+}
+function getGoogleOAuthConfig() {
+  const clientId = env5.SPFN_AUTH_GOOGLE_CLIENT_ID;
+  const clientSecret = env5.SPFN_AUTH_GOOGLE_CLIENT_SECRET;
+  if (!clientId || !clientSecret) {
+    throw new Error("Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET.");
+  }
+  const redirectUri = env5.SPFN_AUTH_GOOGLE_REDIRECT_URI || `${env5.SPFN_API_URL}/_auth/oauth/google/callback`;
+  return {
+    clientId,
+    clientSecret,
+    redirectUri
+  };
+}
+function getDefaultScopes() {
+  const envScopes = env5.SPFN_AUTH_GOOGLE_SCOPES;
+  if (envScopes) {
+    return envScopes.split(",").map((s) => s.trim()).filter(Boolean);
+  }
+  return ["email", "profile"];
+}
+function getGoogleAuthUrl(state, scopes) {
+  const resolvedScopes = scopes ?? getDefaultScopes();
+  const config = getGoogleOAuthConfig();
+  const params = new URLSearchParams({
+    client_id: config.clientId,
+    redirect_uri: config.redirectUri,
+    response_type: "code",
+    scope: resolvedScopes.join(" "),
+    state,
+    access_type: "offline",
+    // refresh_token 받기 위해
+    prompt: "consent"
+    // 매번 동의 화면 표시 (refresh_token 보장)
+  });
+  return `${GOOGLE_AUTH_URL}?${params.toString()}`;
+}
+async function exchangeCodeForTokens(code) {
+  const config = getGoogleOAuthConfig();
+  const response = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      redirect_uri: config.redirectUri,
+      grant_type: "authorization_code",
+      code
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to exchange code for tokens: ${error}`);
+  }
+  return response.json();
+}
+async function getGoogleUserInfo(accessToken) {
+  const response = await fetch(GOOGLE_USERINFO_URL, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to get user info: ${error}`);
+  }
+  return response.json();
+}
+async function refreshAccessToken(refreshToken) {
+  const config = getGoogleOAuthConfig();
+  const response = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      refresh_token: refreshToken,
+      grant_type: "refresh_token"
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to refresh access token: ${error}`);
+  }
+  return response.json();
+}
+
+// src/server/lib/oauth/state.ts
+import * as jose from "jose";
+import { env as env6 } from "@spfn/auth/config";
+async function getStateKey() {
+  const secret = env6.SPFN_AUTH_SESSION_SECRET;
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`oauth-state:${secret}`);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(hashBuffer);
+}
+function generateNonce() {
+  const array = new Uint8Array(16);
+  crypto.getRandomValues(array);
+  return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createOAuthState(params) {
+  const key = await getStateKey();
+  const state = {
+    returnUrl: params.returnUrl,
+    nonce: generateNonce(),
+    provider: params.provider,
+    publicKey: params.publicKey,
+    keyId: params.keyId,
+    fingerprint: params.fingerprint,
+    algorithm: params.algorithm
+  };
+  const jwe = await new jose.EncryptJWT({ state }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime("10m").encrypt(key);
+  return encodeURIComponent(jwe);
+}
+async function verifyOAuthState(encryptedState) {
+  const key = await getStateKey();
+  const jwe = decodeURIComponent(encryptedState);
+  const { payload } = await jose.jwtDecrypt(jwe, key);
+  return payload.state;
+}
+
+// src/server/services/oauth.service.ts
+async function oauthStartService(params) {
+  const { provider, returnUrl, publicKey, keyId, fingerprint, algorithm } = params;
+  if (provider === "google") {
+    if (!isGoogleOAuthEnabled()) {
+      throw new ValidationError2({
+        message: "Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET."
+      });
+    }
+    const state = await createOAuthState({
+      provider: "google",
+      returnUrl,
+      publicKey,
+      keyId,
+      fingerprint,
+      algorithm
+    });
+    const authUrl = getGoogleAuthUrl(state);
+    return { authUrl };
+  }
+  throw new ValidationError2({
+    message: `Unsupported OAuth provider: ${provider}`
+  });
+}
+async function oauthCallbackService(params) {
+  const { provider, code, state } = params;
+  const stateData = await verifyOAuthState(state);
+  if (stateData.provider !== provider) {
+    throw new ValidationError2({
+      message: "OAuth state provider mismatch"
+    });
+  }
+  if (provider === "google") {
+    return handleGoogleCallback(code, stateData);
+  }
+  throw new ValidationError2({
+    message: `Unsupported OAuth provider: ${provider}`
+  });
+}
+async function handleGoogleCallback(code, stateData) {
+  const tokens = await exchangeCodeForTokens(code);
+  const googleUser = await getGoogleUserInfo(tokens.access_token);
+  const existingSocialAccount = await socialAccountsRepository.findByProviderAndProviderId(
+    "google",
+    googleUser.id
+  );
+  let userId;
+  let isNewUser = false;
+  if (existingSocialAccount) {
+    userId = existingSocialAccount.userId;
+    await socialAccountsRepository.updateTokens(existingSocialAccount.id, {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token ?? existingSocialAccount.refreshToken,
+      tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+    });
+  } else {
+    const result = await createOrLinkUser(googleUser, tokens);
+    userId = result.userId;
+    isNewUser = result.isNewUser;
+  }
+  await registerPublicKeyService({
+    userId,
+    keyId: stateData.keyId,
+    publicKey: stateData.publicKey,
+    fingerprint: stateData.fingerprint,
+    algorithm: stateData.algorithm
+  });
+  await updateLastLoginService(userId);
+  const appUrl = env7.SPFN_APP_URL;
+  const callbackPath = env7.SPFN_AUTH_OAUTH_SUCCESS_URL || "/auth/callback";
+  const callbackUrl = callbackPath.startsWith("http") ? callbackPath : `${appUrl}${callbackPath}`;
+  const redirectUrl = buildRedirectUrl(callbackUrl, {
+    userId: String(userId),
+    keyId: stateData.keyId,
+    returnUrl: stateData.returnUrl,
+    isNewUser: String(isNewUser)
+  });
+  return {
+    redirectUrl,
+    userId: String(userId),
+    keyId: stateData.keyId,
+    isNewUser
+  };
+}
+async function createOrLinkUser(googleUser, tokens) {
+  const existingUser = googleUser.email ? await usersRepository.findByEmail(googleUser.email) : null;
+  let userId;
+  let isNewUser = false;
+  if (existingUser) {
+    if (!googleUser.verified_email) {
+      throw new ValidationError2({
+        message: "Cannot link to existing account with unverified email. Please verify your email with Google first."
+      });
+    }
+    userId = existingUser.id;
+    if (!existingUser.emailVerifiedAt) {
+      await usersRepository.updateById(existingUser.id, {
+        emailVerifiedAt: /* @__PURE__ */ new Date()
+      });
+    }
+  } else {
+    const { getRoleByName: getRoleByName3 } = await Promise.resolve().then(() => (init_role_service(), role_service_exports));
+    const userRole = await getRoleByName3("user");
+    if (!userRole) {
+      throw new Error("Default user role not found. Run initializeAuth() first.");
+    }
+    const newUser = await usersRepository.create({
+      email: googleUser.verified_email ? googleUser.email : null,
+      phone: null,
+      passwordHash: null,
+      // OAuth 사용자는 비밀번호 없음
+      passwordChangeRequired: false,
+      roleId: userRole.id,
+      status: "active",
+      emailVerifiedAt: googleUser.verified_email ? /* @__PURE__ */ new Date() : null
+    });
+    userId = newUser.id;
+    isNewUser = true;
+  }
+  await socialAccountsRepository.create({
+    userId,
+    provider: "google",
+    providerUserId: googleUser.id,
+    providerEmail: googleUser.email,
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token ?? null,
+    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+  });
+  return { userId, isNewUser };
+}
+function buildRedirectUrl(baseUrl, params) {
+  const url = new URL(baseUrl, "http://placeholder");
+  for (const [key, value] of Object.entries(params)) {
+    url.searchParams.set(key, value);
+  }
+  if (baseUrl.startsWith("http")) {
+    return url.toString();
+  }
+  return `${url.pathname}${url.search}`;
+}
+function buildOAuthErrorUrl(error) {
+  const errorUrl = env7.SPFN_AUTH_OAUTH_ERROR_URL || "/auth/error?error={error}";
+  return errorUrl.replace("{error}", encodeURIComponent(error));
+}
+function isOAuthProviderEnabled(provider) {
+  switch (provider) {
+    case "google":
+      return isGoogleOAuthEnabled();
+    case "github":
+    case "kakao":
+    case "naver":
+      return false;
+    default:
+      return false;
+  }
+}
+function getEnabledOAuthProviders() {
+  const providers = [];
+  if (isGoogleOAuthEnabled()) {
+    providers.push("google");
+  }
+  return providers;
+}
+var TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1e3;
+async function getGoogleAccessToken(userId) {
+  const account = await socialAccountsRepository.findByUserIdAndProvider(userId, "google");
+  if (!account) {
+    throw new ValidationError2({
+      message: "No Google account linked. User must sign in with Google first."
+    });
+  }
+  const isExpired = !account.tokenExpiresAt || account.tokenExpiresAt.getTime() < Date.now() + TOKEN_EXPIRY_BUFFER_MS;
+  if (!isExpired && account.accessToken) {
+    return account.accessToken;
+  }
+  if (!account.refreshToken) {
+    throw new ValidationError2({
+      message: "Google refresh token not available. User must re-authenticate with Google."
+    });
+  }
+  const tokens = await refreshAccessToken(account.refreshToken);
+  await socialAccountsRepository.updateTokens(account.id, {
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token ?? account.refreshToken,
+    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+  });
+  return tokens.access_token;
+}
+
 // src/server/routes/auth/index.ts
 init_esm();
 import { Transactional } from "@spfn/core/db";
@@ -8170,8 +8591,135 @@ var userRouter = defineRouter3({
   updateUserProfile
 });
 
+// src/server/routes/oauth/index.ts
+init_esm();
+init_types();
+import { Transactional as Transactional2 } from "@spfn/core/db";
+import { defineRouter as defineRouter4, route as route4 } from "@spfn/core/route";
+var oauthGoogleStart = route4.get("/_auth/oauth/google").input({
+  query: Type.Object({
+    state: Type.String({
+      description: "Encrypted OAuth state (returnUrl, publicKey, keyId, fingerprint, algorithm)"
+    })
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { query } = await c.data();
+  if (!isGoogleOAuthEnabled()) {
+    return c.redirect(buildOAuthErrorUrl("Google OAuth is not configured"));
+  }
+  const authUrl = getGoogleAuthUrl(query.state);
+  return c.redirect(authUrl);
+});
+var oauthGoogleCallback = route4.get("/_auth/oauth/google/callback").input({
+  query: Type.Object({
+    code: Type.Optional(Type.String({
+      description: "Authorization code from Google"
+    })),
+    state: Type.Optional(Type.String({
+      description: "OAuth state parameter"
+    })),
+    error: Type.Optional(Type.String({
+      description: "Error code from Google"
+    })),
+    error_description: Type.Optional(Type.String({
+      description: "Error description from Google"
+    }))
+  })
+}).use([Transactional2()]).skip(["auth"]).handler(async (c) => {
+  const { query } = await c.data();
+  if (query.error) {
+    const errorMessage = query.error_description || query.error;
+    return c.redirect(buildOAuthErrorUrl(errorMessage));
+  }
+  if (!query.code || !query.state) {
+    return c.redirect(buildOAuthErrorUrl("Missing authorization code or state"));
+  }
+  try {
+    const result = await oauthCallbackService({
+      provider: "google",
+      code: query.code,
+      state: query.state
+    });
+    return c.redirect(result.redirectUrl);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "OAuth callback failed";
+    return c.redirect(buildOAuthErrorUrl(message));
+  }
+});
+var oauthStart = route4.post("/_auth/oauth/start").input({
+  body: Type.Object({
+    provider: Type.Union(SOCIAL_PROVIDERS.map((p) => Type.Literal(p)), {
+      description: "OAuth provider (google, github, kakao, naver)"
+    }),
+    returnUrl: Type.String({
+      description: "URL to redirect after OAuth success"
+    }),
+    publicKey: Type.String({
+      description: "Client public key (Base64 DER)"
+    }),
+    keyId: Type.String({
+      description: "Key identifier (UUID)"
+    }),
+    fingerprint: Type.String({
+      description: "Key fingerprint (SHA-256 hex)"
+    }),
+    algorithm: Type.Union(KEY_ALGORITHM.map((a) => Type.Literal(a)), {
+      description: "Key algorithm (ES256 or RS256)"
+    })
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  const result = await oauthStartService(body);
+  return result;
+});
+var oauthProviders = route4.get("/_auth/oauth/providers").skip(["auth"]).handler(async () => {
+  return {
+    providers: getEnabledOAuthProviders()
+  };
+});
+var getGoogleOAuthUrl = route4.post("/_auth/oauth/google/url").input({
+  body: Type.Object({
+    returnUrl: Type.Optional(Type.String({
+      description: "URL to redirect after OAuth success"
+    })),
+    state: Type.Optional(Type.String({
+      description: "Encrypted OAuth state (injected by interceptor)"
+    }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  if (!isGoogleOAuthEnabled()) {
+    throw new Error("Google OAuth is not configured");
+  }
+  if (!body.state) {
+    throw new Error("OAuth state is required. Ensure the OAuth interceptor is configured.");
+  }
+  return { authUrl: getGoogleAuthUrl(body.state) };
+});
+var oauthFinalize = route4.post("/_auth/oauth/finalize").input({
+  body: Type.Object({
+    userId: Type.String({ description: "User ID from OAuth callback" }),
+    keyId: Type.String({ description: "Key ID from OAuth state" }),
+    returnUrl: Type.Optional(Type.String({ description: "URL to redirect after login" }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  return {
+    success: true,
+    returnUrl: body.returnUrl || "/"
+  };
+});
+var oauthRouter = defineRouter4({
+  oauthGoogleStart,
+  oauthGoogleCallback,
+  oauthStart,
+  oauthProviders,
+  getGoogleOAuthUrl,
+  oauthFinalize
+});
+
 // src/server/routes/index.ts
-var mainAuthRouter = defineRouter4({
+var mainAuthRouter = defineRouter5({
   // Auth routes
   checkAccountExists,
   sendVerificationCode,
@@ -8182,6 +8730,13 @@ var mainAuthRouter = defineRouter4({
   rotateKey,
   changePassword,
   getAuthSession,
+  // OAuth routes
+  oauthGoogleStart,
+  oauthGoogleCallback,
+  oauthStart,
+  oauthProviders,
+  getGoogleOAuthUrl,
+  oauthFinalize,
   // Invitation routes
   getInvitation,
   acceptInvitation: acceptInvitation2,
@@ -8302,11 +8857,11 @@ function shouldRotateKey(createdAt, rotationDays = 90) {
 }
 
 // src/server/lib/session.ts
-import * as jose from "jose";
-import { env as env5 } from "@spfn/auth/config";
+import * as jose2 from "jose";
+import { env as env8 } from "@spfn/auth/config";
 import { env as coreEnv } from "@spfn/core/config";
 async function getSessionSecretKey() {
-  const secret = env5.SPFN_AUTH_SESSION_SECRET;
+  const secret = env8.SPFN_AUTH_SESSION_SECRET;
   const encoder = new TextEncoder();
   const data = encoder.encode(secret);
   const hashBuffer = await crypto.subtle.digest("SHA-256", data);
@@ -8314,24 +8869,24 @@ async function getSessionSecretKey() {
 }
 async function sealSession(data, ttl = 60 * 60 * 24 * 7) {
   const secret = await getSessionSecretKey();
-  return await new jose.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
+  return await new jose2.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
 }
 async function unsealSession(jwt4) {
   try {
     const secret = await getSessionSecretKey();
-    const { payload } = await jose.jwtDecrypt(jwt4, secret, {
+    const { payload } = await jose2.jwtDecrypt(jwt4, secret, {
       issuer: "spfn-auth",
       audience: "spfn-client"
     });
     return payload.data;
   } catch (err) {
-    if (err instanceof jose.errors.JWTExpired) {
+    if (err instanceof jose2.errors.JWTExpired) {
       throw new Error("Session expired");
     }
-    if (err instanceof jose.errors.JWEDecryptionFailed) {
+    if (err instanceof jose2.errors.JWEDecryptionFailed) {
       throw new Error("Invalid session");
     }
-    if (err instanceof jose.errors.JWTClaimValidationFailed) {
+    if (err instanceof jose2.errors.JWTClaimValidationFailed) {
       throw new Error("Session validation failed");
     }
     throw new Error("Failed to unseal session");
@@ -8340,7 +8895,7 @@ async function unsealSession(jwt4) {
 async function getSessionInfo(jwt4) {
   const secret = await getSessionSecretKey();
   try {
-    const { payload } = await jose.jwtDecrypt(jwt4, secret);
+    const { payload } = await jose2.jwtDecrypt(jwt4, secret);
     return {
       issuedAt: new Date(payload.iat * 1e3),
       expiresAt: new Date(payload.exp * 1e3),
@@ -8364,14 +8919,14 @@ async function shouldRefreshSession(jwt4, thresholdHours = 24) {
 }
 
 // src/server/setup.ts
-import { env as env6 } from "@spfn/auth/config";
+import { env as env9 } from "@spfn/auth/config";
 import { getRoleByName as getRoleByName2 } from "@spfn/auth/server";
 init_repositories();
 function parseAdminAccounts() {
   const accounts = [];
-  if (env6.SPFN_AUTH_ADMIN_ACCOUNTS) {
+  if (env9.SPFN_AUTH_ADMIN_ACCOUNTS) {
     try {
-      const accountsJson = env6.SPFN_AUTH_ADMIN_ACCOUNTS;
+      const accountsJson = env9.SPFN_AUTH_ADMIN_ACCOUNTS;
       const parsed = JSON.parse(accountsJson);
       if (!Array.isArray(parsed)) {
         authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_ACCOUNTS must be an array");
@@ -8398,11 +8953,11 @@ function parseAdminAccounts() {
       return accounts;
     }
   }
-  const adminEmails = env6.SPFN_AUTH_ADMIN_EMAILS;
+  const adminEmails = env9.SPFN_AUTH_ADMIN_EMAILS;
   if (adminEmails) {
     const emails = adminEmails.split(",").map((s) => s.trim());
-    const passwords = (env6.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
-    const roles2 = (env6.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
+    const passwords = (env9.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
+    const roles2 = (env9.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
     if (passwords.length !== emails.length) {
       authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_EMAILS and SPFN_AUTH_ADMIN_PASSWORDS length mismatch");
       return accounts;
@@ -8424,8 +8979,8 @@ function parseAdminAccounts() {
     }
     return accounts;
   }
-  const adminEmail = env6.SPFN_AUTH_ADMIN_EMAIL;
-  const adminPassword = env6.SPFN_AUTH_ADMIN_PASSWORD;
+  const adminEmail = env9.SPFN_AUTH_ADMIN_EMAIL;
+  const adminPassword = env9.SPFN_AUTH_ADMIN_PASSWORD;
   if (adminEmail && adminPassword) {
     accounts.push({
       email: adminEmail,
@@ -8515,6 +9070,7 @@ export {
   RolePermissionsRepository,
   RolesRepository,
   SOCIAL_PROVIDERS,
+  SocialAccountsRepository,
   TargetTypeSchema,
   USER_STATUSES,
   UserPermissionsRepository,
@@ -8530,16 +9086,19 @@ export {
   mainAuthRouter as authRouter,
   authSchema,
   authenticate,
+  buildOAuthErrorUrl,
   cancelInvitation,
   changePasswordService,
   checkAccountExistsService,
   configureAuth,
   createAuthLifecycle,
   createInvitation,
+  createOAuthState,
   createRole,
   decodeToken,
   deleteInvitation,
   deleteRole,
+  exchangeCodeForTokens,
   expireOldInvitations,
   generateClientToken,
   generateKeyPair,
@@ -8550,6 +9109,11 @@ export {
   getAuth,
   getAuthConfig,
   getAuthSessionService,
+  getEnabledOAuthProviders,
+  getGoogleAccessToken,
+  getGoogleAuthUrl,
+  getGoogleOAuthConfig,
+  getGoogleUserInfo,
   getInvitationByToken,
   getInvitationWithDetails,
   getKeyId,
@@ -8574,13 +9138,18 @@ export {
   hashPassword,
   initializeAuth,
   invitationsRepository,
+  isGoogleOAuthEnabled,
+  isOAuthProviderEnabled,
   keysRepository,
   listInvitations,
   loginService,
   logoutService,
+  oauthCallbackService,
+  oauthStartService,
   parseDuration,
   permissions,
   permissionsRepository,
+  refreshAccessToken,
   registerPublicKeyService,
   registerService,
   removePermissionFromRole,
@@ -8600,6 +9169,7 @@ export {
   setRolePermissions,
   shouldRefreshSession,
   shouldRotateKey,
+  socialAccountsRepository,
   unsealSession,
   updateLastLoginService,
   updateRole,
@@ -8621,6 +9191,7 @@ export {
   verifyClientToken,
   verifyCodeService,
   verifyKeyFingerprint,
+  verifyOAuthState,
   verifyPassword,
   verifyToken
 };