@spfn/auth 0.2.0-beta.2 → 0.2.0-beta.21

package/dist/server.js

@@ -1,11 +1,5 @@
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
@@ -1365,7 +1359,7 @@ var init_literal2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/boolean/boolean.mjs
-function Boolean(options) {
+function Boolean2(options) {
   return CreateType({ [Kind]: "Boolean", type: "boolean" }, options);
 }
 var init_boolean = __esm({
@@ -1447,7 +1441,7 @@ var init_string2 = __esm({
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/template-literal/syntax.mjs
 function* FromUnion(syntax) {
   const trim = syntax.trim().replace(/"|'/g, "");
-  return trim === "boolean" ? yield Boolean() : trim === "number" ? yield Number2() : trim === "bigint" ? yield BigInt() : trim === "string" ? yield String2() : yield (() => {
+  return trim === "boolean" ? yield Boolean2() : trim === "number" ? yield Number2() : trim === "bigint" ? yield BigInt() : trim === "string" ? yield String2() : yield (() => {
     const literals = trim.split("|").map((literal) => Literal(literal.trim()));
     return literals.length === 0 ? Never() : literals.length === 1 ? literals[0] : UnionEvaluated(literals);
   })();
@@ -4250,7 +4244,7 @@ __export(type_exports3, {
   AsyncIterator: () => AsyncIterator,
   Awaited: () => Awaited,
   BigInt: () => BigInt,
-  Boolean: () => Boolean,
+  Boolean: () => Boolean2,
   Capitalize: () => Capitalize,
   Composite: () => Composite,
   Const: () => Const,
@@ -6132,6 +6126,23 @@ var init_user_profiles_repository = __esm({
         const result = await this.db.delete(userProfiles).where(eq8(userProfiles.userId, userId)).returning();
         return result[0] ?? null;
       }
+      /**
+       * 프로필 Upsert (by User ID)
+       *
+       * 프로필이 없으면 생성, 있으면 업데이트
+       * 새로 생성 시 displayName은 필수 (없으면 'User'로 설정)
+       */
+      async upsertByUserId(userId, data) {
+        const existing = await this.findByUserId(userId);
+        if (existing) {
+          return await this.updateByUserId(userId, data);
+        }
+        return await this.create({
+          userId,
+          displayName: data.displayName || "User",
+          ...data
+        });
+      }
       /**
        * User ID로 프로필 데이터 조회 (formatted)
        *
@@ -6151,6 +6162,7 @@ var init_user_profiles_repository = __esm({
           location: userProfiles.location,
           company: userProfiles.company,
           jobTitle: userProfiles.jobTitle,
+          metadata: userProfiles.metadata,
           createdAt: userProfiles.createdAt,
           updatedAt: userProfiles.updatedAt
         }).from(userProfiles).where(eq8(userProfiles.userId, userId)).limit(1).then((rows) => rows[0] ?? null);
@@ -6170,6 +6182,7 @@ var init_user_profiles_repository = __esm({
           location: profile.location,
           company: profile.company,
           jobTitle: profile.jobTitle,
+          metadata: profile.metadata,
           createdAt: profile.createdAt,
           updatedAt: profile.updatedAt
         };
@@ -6394,6 +6407,96 @@ var init_invitations_repository = __esm({
   }
 });
 
+// src/server/repositories/social-accounts.repository.ts
+import { eq as eq10, and as and7 } from "drizzle-orm";
+import { BaseRepository as BaseRepository10 } from "@spfn/core/db";
+var SocialAccountsRepository, socialAccountsRepository;
+var init_social_accounts_repository = __esm({
+  "src/server/repositories/social-accounts.repository.ts"() {
+    "use strict";
+    init_entities();
+    SocialAccountsRepository = class extends BaseRepository10 {
+      /**
+       * provider와 providerUserId로 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByProviderAndProviderId(provider, providerUserId) {
+        const result = await this.readDb.select().from(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.provider, provider),
+            eq10(userSocialAccounts.providerUserId, providerUserId)
+          )
+        ).limit(1);
+        return result[0] ?? null;
+      }
+      /**
+       * userId로 모든 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByUserId(userId) {
+        return await this.readDb.select().from(userSocialAccounts).where(eq10(userSocialAccounts.userId, userId));
+      }
+      /**
+       * userId와 provider로 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByUserIdAndProvider(userId, provider) {
+        const result = await this.readDb.select().from(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.userId, userId),
+            eq10(userSocialAccounts.provider, provider)
+          )
+        ).limit(1);
+        return result[0] ?? null;
+      }
+      /**
+       * 소셜 계정 생성
+       * Write primary 사용
+       */
+      async create(data) {
+        return await this._create(userSocialAccounts, {
+          ...data,
+          createdAt: /* @__PURE__ */ new Date(),
+          updatedAt: /* @__PURE__ */ new Date()
+        });
+      }
+      /**
+       * 토큰 정보 업데이트
+       * Write primary 사용
+       */
+      async updateTokens(id11, data) {
+        const result = await this.db.update(userSocialAccounts).set({
+          ...data,
+          updatedAt: /* @__PURE__ */ new Date()
+        }).where(eq10(userSocialAccounts.id, id11)).returning();
+        return result[0] ?? null;
+      }
+      /**
+       * 소셜 계정 삭제
+       * Write primary 사용
+       */
+      async deleteById(id11) {
+        const result = await this.db.delete(userSocialAccounts).where(eq10(userSocialAccounts.id, id11)).returning();
+        return result[0] ?? null;
+      }
+      /**
+       * userId와 provider로 소셜 계정 삭제
+       * Write primary 사용
+       */
+      async deleteByUserIdAndProvider(userId, provider) {
+        const result = await this.db.delete(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.userId, userId),
+            eq10(userSocialAccounts.provider, provider)
+          )
+        ).returning();
+        return result[0] ?? null;
+      }
+    };
+    socialAccountsRepository = new SocialAccountsRepository();
+  }
+});
+
 // src/server/repositories/index.ts
 var init_repositories = __esm({
   "src/server/repositories/index.ts"() {
@@ -6407,6 +6510,7 @@ var init_repositories = __esm({
     init_user_permissions_repository();
     init_user_profiles_repository();
     init_invitations_repository();
+    init_social_accounts_repository();
   }
 });
 
@@ -6533,7 +6637,7 @@ var init_role_service = __esm({
 import "@spfn/auth/config";
 
 // src/server/routes/index.ts
-import { defineRouter as defineRouter4 } from "@spfn/core/route";
+import { defineRouter as defineRouter5 } from "@spfn/core/route";
 
 // src/server/routes/auth/index.ts
 init_schema3();
@@ -6682,9 +6786,10 @@ import {
 } from "@spfn/auth/errors";
 
 // src/server/services/verification.service.ts
-import { env as env5 } from "@spfn/auth/config";
+import { env as env3 } from "@spfn/auth/config";
 import { InvalidVerificationCodeError } from "@spfn/auth/errors";
 import jwt2 from "jsonwebtoken";
+import { sendEmail, sendSMS } from "@spfn/notification/server";
 
 // src/server/logger.ts
 import { logger as rootLogger } from "@spfn/core/logger";
@@ -6694,7 +6799,8 @@ var authLogger = {
   interceptor: {
     general: rootLogger.child("@spfn/auth:interceptor:general"),
     login: rootLogger.child("@spfn/auth:interceptor:login"),
-    keyRotation: rootLogger.child("@spfn/auth:interceptor:key-rotation")
+    keyRotation: rootLogger.child("@spfn/auth:interceptor:key-rotation"),
+    oauth: rootLogger.child("@spfn/auth:interceptor:oauth")
   },
   service: rootLogger.child("@spfn/auth:service"),
   setup: rootLogger.child("@spfn/auth:setup"),
@@ -6704,410 +6810,6 @@ var authLogger = {
 
 // src/server/services/verification.service.ts
 init_repositories();
-
-// src/server/services/sms/provider.ts
-var currentProvider = null;
-var fallbackProvider = {
-  name: "fallback",
-  sendSMS: async (params) => {
-    authLogger.sms.debug("DEV MODE - SMS not actually sent", {
-      phone: params.phone,
-      message: params.message,
-      purpose: params.purpose || "N/A"
-    });
-    return {
-      success: true,
-      messageId: "dev-mode-no-actual-sms"
-    };
-  }
-};
-function registerSMSProvider(provider) {
-  currentProvider = provider;
-  authLogger.sms.info("Registered SMS provider", { name: provider.name });
-}
-function getSMSProvider() {
-  return currentProvider || fallbackProvider;
-}
-async function sendSMS(params) {
-  const provider = getSMSProvider();
-  return await provider.sendSMS(params);
-}
-
-// src/server/services/sms/aws-sns.provider.ts
-import { env as env3 } from "@spfn/auth/config";
-function isValidE164Phone(phone) {
-  const e164Regex = /^\+[1-9]\d{1,14}$/;
-  return e164Regex.test(phone);
-}
-function createAWSSNSProvider() {
-  try {
-    const { SNSClient, PublishCommand } = __require("@aws-sdk/client-sns");
-    return {
-      name: "aws-sns",
-      sendSMS: async (params) => {
-        const { phone, message, purpose } = params;
-        if (!isValidE164Phone(phone)) {
-          return {
-            success: false,
-            error: "Invalid phone number format. Must be E.164 format (e.g., +821012345678)"
-          };
-        }
-        if (!env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID) {
-          return {
-            success: false,
-            error: "AWS SNS credentials not configured. Set SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID environment variable."
-          };
-        }
-        try {
-          const config = {
-            region: env3.SPFN_AUTH_AWS_REGION || "ap-northeast-2"
-          };
-          if (env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID && env3.SPFN_AUTH_AWS_SNS_SECRET_ACCESS_KEY) {
-            config.credentials = {
-              accessKeyId: env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID,
-              secretAccessKey: env3.SPFN_AUTH_AWS_SNS_SECRET_ACCESS_KEY
-            };
-          }
-          const client = new SNSClient(config);
-          const command = new PublishCommand({
-            PhoneNumber: phone,
-            Message: message,
-            MessageAttributes: {
-              "AWS.SNS.SMS.SMSType": {
-                DataType: "String",
-                StringValue: "Transactional"
-                // For OTP codes
-              },
-              ...env3.SPFN_AUTH_AWS_SNS_SENDER_ID && {
-                "AWS.SNS.SMS.SenderID": {
-                  DataType: "String",
-                  StringValue: env3.SPFN_AUTH_AWS_SNS_SENDER_ID
-                }
-              }
-            }
-          });
-          const response = await client.send(command);
-          authLogger.sms.info("SMS sent via AWS SNS", {
-            phone,
-            messageId: response.MessageId,
-            purpose: purpose || "N/A"
-          });
-          return {
-            success: true,
-            messageId: response.MessageId
-          };
-        } catch (error) {
-          const err = error;
-          authLogger.sms.error("Failed to send SMS via AWS SNS", {
-            phone,
-            error: err.message
-          });
-          return {
-            success: false,
-            error: err.message || "Failed to send SMS via AWS SNS"
-          };
-        }
-      }
-    };
-  } catch (error) {
-    return null;
-  }
-}
-var awsSNSProvider = createAWSSNSProvider();
-
-// src/server/services/sms/index.ts
-if (awsSNSProvider) {
-  registerSMSProvider(awsSNSProvider);
-}
-
-// src/server/services/email/provider.ts
-var currentProvider2 = null;
-var fallbackProvider2 = {
-  name: "fallback",
-  sendEmail: async (params) => {
-    authLogger.email.debug("DEV MODE - Email not actually sent", {
-      to: params.to,
-      subject: params.subject,
-      purpose: params.purpose || "N/A",
-      textPreview: params.text?.substring(0, 100) || "N/A"
-    });
-    return {
-      success: true,
-      messageId: "dev-mode-no-actual-email"
-    };
-  }
-};
-function registerEmailProvider(provider) {
-  currentProvider2 = provider;
-  authLogger.email.info("Registered email provider", { name: provider.name });
-}
-function getEmailProvider() {
-  return currentProvider2 || fallbackProvider2;
-}
-async function sendEmail(params) {
-  const provider = getEmailProvider();
-  return await provider.sendEmail(params);
-}
-
-// src/server/services/email/aws-ses.provider.ts
-import { env as env4 } from "@spfn/auth/config";
-function isValidEmail(email) {
-  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-  return emailRegex.test(email);
-}
-function createAWSSESProvider() {
-  try {
-    const { SESClient, SendEmailCommand } = __require("@aws-sdk/client-ses");
-    return {
-      name: "aws-ses",
-      sendEmail: async (params) => {
-        const { to, subject, text: text10, html, purpose } = params;
-        if (!isValidEmail(to)) {
-          return {
-            success: false,
-            error: "Invalid email address format"
-          };
-        }
-        if (!env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID) {
-          return {
-            success: false,
-            error: "AWS SES credentials not configured. Set SPFN_AUTH_AWS_SES_ACCESS_KEY_ID environment variable."
-          };
-        }
-        if (!env4.SPFN_AUTH_AWS_SES_FROM_EMAIL) {
-          return {
-            success: false,
-            error: "AWS SES sender email not configured. Set SPFN_AUTH_AWS_SES_FROM_EMAIL environment variable."
-          };
-        }
-        try {
-          const config = {
-            region: env4.SPFN_AUTH_AWS_REGION || "ap-northeast-2"
-          };
-          if (env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID && env4.SPFN_AUTH_AWS_SES_SECRET_ACCESS_KEY) {
-            config.credentials = {
-              accessKeyId: env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID,
-              secretAccessKey: env4.SPFN_AUTH_AWS_SES_SECRET_ACCESS_KEY
-            };
-          }
-          const client = new SESClient(config);
-          const body = {};
-          if (text10) {
-            body.Text = {
-              Charset: "UTF-8",
-              Data: text10
-            };
-          }
-          if (html) {
-            body.Html = {
-              Charset: "UTF-8",
-              Data: html
-            };
-          }
-          const command = new SendEmailCommand({
-            Source: env4.SPFN_AUTH_AWS_SES_FROM_EMAIL,
-            Destination: {
-              ToAddresses: [to]
-            },
-            Message: {
-              Subject: {
-                Charset: "UTF-8",
-                Data: subject
-              },
-              Body: body
-            }
-          });
-          const response = await client.send(command);
-          authLogger.email.info("Email sent via AWS SES", {
-            to,
-            messageId: response.MessageId,
-            purpose: purpose || "N/A"
-          });
-          return {
-            success: true,
-            messageId: response.MessageId
-          };
-        } catch (error) {
-          const err = error;
-          authLogger.email.error("Failed to send email via AWS SES", {
-            to,
-            error: err.message
-          });
-          return {
-            success: false,
-            error: err.message || "Failed to send email via AWS SES"
-          };
-        }
-      }
-    };
-  } catch (error) {
-    return null;
-  }
-}
-var awsSESProvider = createAWSSESProvider();
-
-// src/server/services/email/index.ts
-if (awsSESProvider) {
-  registerEmailProvider(awsSESProvider);
-}
-
-// src/server/services/email/templates/verification-code.ts
-function getSubject(purpose) {
-  switch (purpose) {
-    case "registration":
-      return "Verify your email address";
-    case "login":
-      return "Your login verification code";
-    case "password_reset":
-      return "Reset your password";
-    default:
-      return "Your verification code";
-  }
-}
-function getPurposeText(purpose) {
-  switch (purpose) {
-    case "registration":
-      return "complete your registration";
-    case "login":
-      return "verify your identity";
-    case "password_reset":
-      return "reset your password";
-    default:
-      return "verify your identity";
-  }
-}
-function generateText(params) {
-  const { code, expiresInMinutes = 5 } = params;
-  return `Your verification code is: ${code}
-
-This code will expire in ${expiresInMinutes} minutes.
-
-If you didn't request this code, please ignore this email.`;
-}
-function generateHTML(params) {
-  const { code, purpose, expiresInMinutes = 5, appName } = params;
-  const purposeText = getPurposeText(purpose);
-  return `<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Verification Code</title>
-</head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; background-color: #f5f5f5;">
-    <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 30px; border-radius: 10px 10px 0 0; text-align: center;">
-        <h1 style="color: white; margin: 0; font-size: 24px;">${appName ? appName : "Verification Code"}</h1>
-    </div>
-    <div style="background: #ffffff; padding: 30px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 10px 10px;">
-        <p style="margin-bottom: 20px; font-size: 16px;">
-            Please use the following verification code to ${purposeText}:
-        </p>
-        <div style="background: #f8f9fa; padding: 25px; border-radius: 8px; text-align: center; margin: 25px 0; border: 2px dashed #dee2e6;">
-            <span style="font-size: 36px; font-weight: bold; letter-spacing: 10px; color: #333; font-family: 'Courier New', monospace;">${code}</span>
-        </div>
-        <p style="color: #666; font-size: 14px; margin-top: 20px; text-align: center;">
-            <strong>This code will expire in ${expiresInMinutes} minutes.</strong>
-        </p>
-        <hr style="border: none; border-top: 1px solid #eee; margin: 30px 0;">
-        <p style="color: #999; font-size: 12px; text-align: center; margin: 0;">
-            If you didn't request this code, please ignore this email.
-        </p>
-    </div>
-    <div style="text-align: center; padding: 20px; color: #999; font-size: 11px;">
-        <p style="margin: 0;">This is an automated message. Please do not reply.</p>
-    </div>
-</body>
-</html>`;
-}
-function verificationCodeTemplate(params) {
-  return {
-    subject: getSubject(params.purpose),
-    text: generateText(params),
-    html: generateHTML(params)
-  };
-}
-
-// src/server/services/email/templates/registry.ts
-var customTemplates = {};
-function registerEmailTemplates(templates) {
-  customTemplates = { ...customTemplates, ...templates };
-  authLogger.email.info("Registered custom email templates", {
-    templates: Object.keys(templates)
-  });
-}
-function getVerificationCodeTemplate(params) {
-  if (customTemplates.verificationCode) {
-    return customTemplates.verificationCode(params);
-  }
-  return verificationCodeTemplate(params);
-}
-function getWelcomeTemplate(params) {
-  if (customTemplates.welcome) {
-    return customTemplates.welcome(params);
-  }
-  return {
-    subject: params.appName ? `Welcome to ${params.appName}!` : "Welcome!",
-    text: `Welcome! Your account has been created successfully.`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>Welcome${params.appName ? ` to ${params.appName}` : ""}!</h1>
-    <p>Your account has been created successfully.</p>
-</body>
-</html>`
-  };
-}
-function getPasswordResetTemplate(params) {
-  if (customTemplates.passwordReset) {
-    return customTemplates.passwordReset(params);
-  }
-  const expires = params.expiresInMinutes || 30;
-  return {
-    subject: "Reset your password",
-    text: `Click this link to reset your password: ${params.resetLink}
-
-This link will expire in ${expires} minutes.`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>Reset Your Password</h1>
-    <p>Click the button below to reset your password:</p>
-    <a href="${params.resetLink}" style="display: inline-block; background: #667eea; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px;">Reset Password</a>
-    <p style="color: #666; margin-top: 20px;">This link will expire in ${expires} minutes.</p>
-</body>
-</html>`
-  };
-}
-function getInvitationTemplate(params) {
-  if (customTemplates.invitation) {
-    return customTemplates.invitation(params);
-  }
-  const appName = params.appName || "our platform";
-  const inviterText = params.inviterName ? `${params.inviterName} has invited you` : "You have been invited";
-  const roleText = params.roleName ? ` as ${params.roleName}` : "";
-  return {
-    subject: `You're invited to join ${appName}`,
-    text: `${inviterText} to join ${appName}${roleText}.
-
-Click here to accept: ${params.inviteLink}`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>You're Invited!</h1>
-    <p>${inviterText} to join <strong>${appName}</strong>${roleText}.</p>
-    <a href="${params.inviteLink}" style="display: inline-block; background: #667eea; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px;">Accept Invitation</a>
-</body>
-</html>`
-  };
-}
-
-// src/server/services/verification.service.ts
 var VERIFICATION_TOKEN_EXPIRY = "15m";
 var VERIFICATION_CODE_EXPIRY_MINUTES = 5;
 var MAX_VERIFICATION_ATTEMPTS = 5;
@@ -7151,7 +6853,7 @@ async function markCodeAsUsed(codeId) {
   await verificationCodesRepository.markAsUsed(codeId);
 }
 function createVerificationToken(payload) {
-  return jwt2.sign(payload, env5.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
+  return jwt2.sign(payload, env3.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
     expiresIn: VERIFICATION_TOKEN_EXPIRY,
     issuer: "spfn-auth",
     audience: "spfn-client"
@@ -7159,7 +6861,7 @@ function createVerificationToken(payload) {
 }
 function validateVerificationToken(token) {
   try {
-    const decoded = jwt2.verify(token, env5.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
+    const decoded = jwt2.verify(token, env3.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
       issuer: "spfn-auth",
       audience: "spfn-client"
     });
@@ -7173,17 +6875,14 @@ function validateVerificationToken(token) {
   }
 }
 async function sendVerificationEmail(email, code, purpose) {
-  const { subject, text: text10, html } = getVerificationCodeTemplate({
-    code,
-    purpose,
-    expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
-  });
   const result = await sendEmail({
     to: email,
-    subject,
-    text: text10,
-    html,
-    purpose
+    template: "verification-code",
+    data: {
+      code,
+      purpose,
+      expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
+    }
   });
   if (!result.success) {
     authLogger.email.error("Failed to send verification email", {
@@ -7194,11 +6893,13 @@ async function sendVerificationEmail(email, code, purpose) {
   }
 }
 async function sendVerificationSMS(phone, code, purpose) {
-  const message = `Your verification code is: ${code}`;
   const result = await sendSMS({
-    phone,
-    message,
-    purpose
+    to: phone,
+    template: "verification-code",
+    data: {
+      code,
+      expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
+    }
   });
   if (!result.success) {
     authLogger.sms.error("Failed to send verification SMS", {
@@ -7315,6 +7016,33 @@ async function updateUserService(userId, updates) {
   await usersRepository.updateById(userId, updates);
 }
 
+// src/server/events/index.ts
+init_esm();
+import { defineEvent } from "@spfn/core/event";
+var AuthProviderSchema = Type.Union([
+  Type.Literal("email"),
+  Type.Literal("phone"),
+  Type.Literal("google")
+]);
+var authLoginEvent = defineEvent(
+  "auth.login",
+  Type.Object({
+    userId: Type.String(),
+    provider: AuthProviderSchema,
+    email: Type.Optional(Type.String()),
+    phone: Type.Optional(Type.String())
+  })
+);
+var authRegisterEvent = defineEvent(
+  "auth.register",
+  Type.Object({
+    userId: Type.String(),
+    provider: AuthProviderSchema,
+    email: Type.Optional(Type.String()),
+    phone: Type.Optional(Type.String())
+  })
+);
+
 // src/server/services/auth.service.ts
 async function checkAccountExistsService(params) {
   const { email, phone } = params;
@@ -7381,11 +7109,18 @@ async function registerService(params) {
     fingerprint,
     algorithm
   });
-  return {
+  const result = {
     userId: String(newUser.id),
     email: newUser.email || void 0,
     phone: newUser.phone || void 0
   };
+  await authRegisterEvent.emit({
+    userId: result.userId,
+    provider: email ? "email" : "phone",
+    email: result.email,
+    phone: result.phone
+  });
+  return result;
 }
 async function loginService(params) {
   const { email, phone, password, publicKey, keyId, fingerprint, oldKeyId, algorithm } = params;
@@ -7418,12 +7153,19 @@ async function loginService(params) {
     algorithm
   });
   await updateLastLoginService(user.id);
-  return {
+  const result = {
     userId: String(user.id),
     email: user.email || void 0,
     phone: user.phone || void 0,
     passwordChangeRequired: user.passwordChangeRequired
   };
+  await authLoginEvent.emit({
+    userId: result.userId,
+    provider: email ? "email" : "phone",
+    email: result.email,
+    phone: result.phone
+  });
+  return result;
 }
 async function logoutService(params) {
   const { userId, keyId } = params;
@@ -7461,12 +7203,14 @@ init_repositories();
 init_rbac();
 
 // src/server/lib/config.ts
-import { env as env6 } from "@spfn/auth/config";
+import { env as env4 } from "@spfn/auth/config";
 var COOKIE_NAMES = {
   /** Encrypted session data (userId, privateKey, keyId, algorithm) */
   SESSION: "spfn_session",
   /** Current key ID (for key rotation) */
-  SESSION_KEY_ID: "spfn_session_key_id"
+  SESSION_KEY_ID: "spfn_session_key_id",
+  /** Pending OAuth session (privateKey, keyId, algorithm) - temporary during OAuth flow */
+  OAUTH_PENDING: "spfn_oauth_pending"
 };
 function parseDuration(duration) {
   if (typeof duration === "number") {
@@ -7511,7 +7255,7 @@ function getSessionTtl(override) {
   if (globalConfig.sessionTtl !== void 0) {
     return parseDuration(globalConfig.sessionTtl);
   }
-  const envTtl = env6.SPFN_AUTH_SESSION_TTL;
+  const envTtl = env4.SPFN_AUTH_SESSION_TTL;
   if (envTtl) {
     return parseDuration(envTtl);
   }
@@ -7673,14 +7417,18 @@ async function hasAllPermissions(userId, permissionNames) {
   const perms = await getUserPermissions(userId);
   return permissionNames.every((p) => perms.includes(p));
 }
-async function hasRole(userId, roleName) {
+async function getUserRole(userId) {
   const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
   const user = await usersRepository.findById(userIdNum);
   if (!user || !user.roleId) {
-    return false;
+    return null;
   }
   const role = await rolesRepository.findById(user.roleId);
-  return role?.name === roleName;
+  return role?.name || null;
+}
+async function hasRole(userId, roleName) {
+  const role = await getUserRole(userId);
+  return role === roleName;
 }
 async function hasAnyRole(userId, roleNames) {
   for (const roleName of roleNames) {
@@ -7887,6 +7635,406 @@ async function getUserProfileService(userId) {
     profile
   };
 }
+function emptyToNull(value) {
+  if (value === "") {
+    return null;
+  }
+  return value;
+}
+async function updateUserProfileService(userId, params) {
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const updateData = {};
+  if (params.displayName !== void 0) {
+    updateData.displayName = emptyToNull(params.displayName) || "User";
+  }
+  if (params.firstName !== void 0) {
+    updateData.firstName = emptyToNull(params.firstName);
+  }
+  if (params.lastName !== void 0) {
+    updateData.lastName = emptyToNull(params.lastName);
+  }
+  if (params.avatarUrl !== void 0) {
+    updateData.avatarUrl = emptyToNull(params.avatarUrl);
+  }
+  if (params.bio !== void 0) {
+    updateData.bio = emptyToNull(params.bio);
+  }
+  if (params.locale !== void 0) {
+    updateData.locale = emptyToNull(params.locale) || "en";
+  }
+  if (params.timezone !== void 0) {
+    updateData.timezone = emptyToNull(params.timezone) || "UTC";
+  }
+  if (params.dateOfBirth !== void 0) {
+    updateData.dateOfBirth = emptyToNull(params.dateOfBirth);
+  }
+  if (params.gender !== void 0) {
+    updateData.gender = emptyToNull(params.gender);
+  }
+  if (params.website !== void 0) {
+    updateData.website = emptyToNull(params.website);
+  }
+  if (params.location !== void 0) {
+    updateData.location = emptyToNull(params.location);
+  }
+  if (params.company !== void 0) {
+    updateData.company = emptyToNull(params.company);
+  }
+  if (params.jobTitle !== void 0) {
+    updateData.jobTitle = emptyToNull(params.jobTitle);
+  }
+  if (params.metadata !== void 0) {
+    updateData.metadata = params.metadata;
+  }
+  const existing = await userProfilesRepository.findByUserId(userIdNum);
+  if (!existing && !updateData.displayName) {
+    updateData.displayName = "User";
+  }
+  await userProfilesRepository.upsertByUserId(userIdNum, updateData);
+  const profile = await userProfilesRepository.fetchProfileData(userIdNum);
+  return profile;
+}
+
+// src/server/services/oauth.service.ts
+init_repositories();
+import { env as env7 } from "@spfn/auth/config";
+import { ValidationError as ValidationError2 } from "@spfn/core/errors";
+
+// src/server/lib/oauth/google.ts
+import { env as env5 } from "@spfn/auth/config";
+var GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+var GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";
+var GOOGLE_USERINFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo";
+function isGoogleOAuthEnabled() {
+  return !!(env5.SPFN_AUTH_GOOGLE_CLIENT_ID && env5.SPFN_AUTH_GOOGLE_CLIENT_SECRET);
+}
+function getGoogleOAuthConfig() {
+  const clientId = env5.SPFN_AUTH_GOOGLE_CLIENT_ID;
+  const clientSecret = env5.SPFN_AUTH_GOOGLE_CLIENT_SECRET;
+  if (!clientId || !clientSecret) {
+    throw new Error("Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET.");
+  }
+  const baseUrl = env5.NEXT_PUBLIC_SPFN_API_URL || env5.SPFN_API_URL;
+  const redirectUri = env5.SPFN_AUTH_GOOGLE_REDIRECT_URI || `${baseUrl}/_auth/oauth/google/callback`;
+  return {
+    clientId,
+    clientSecret,
+    redirectUri
+  };
+}
+function getDefaultScopes() {
+  const envScopes = env5.SPFN_AUTH_GOOGLE_SCOPES;
+  if (envScopes) {
+    return envScopes.split(",").map((s) => s.trim()).filter(Boolean);
+  }
+  return ["email", "profile"];
+}
+function getGoogleAuthUrl(state, scopes) {
+  const resolvedScopes = scopes ?? getDefaultScopes();
+  const config = getGoogleOAuthConfig();
+  const params = new URLSearchParams({
+    client_id: config.clientId,
+    redirect_uri: config.redirectUri,
+    response_type: "code",
+    scope: resolvedScopes.join(" "),
+    state,
+    access_type: "offline",
+    // refresh_token 받기 위해
+    prompt: "consent"
+    // 매번 동의 화면 표시 (refresh_token 보장)
+  });
+  return `${GOOGLE_AUTH_URL}?${params.toString()}`;
+}
+async function exchangeCodeForTokens(code) {
+  const config = getGoogleOAuthConfig();
+  const response = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      redirect_uri: config.redirectUri,
+      grant_type: "authorization_code",
+      code
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to exchange code for tokens: ${error}`);
+  }
+  return response.json();
+}
+async function getGoogleUserInfo(accessToken) {
+  const response = await fetch(GOOGLE_USERINFO_URL, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to get user info: ${error}`);
+  }
+  return response.json();
+}
+async function refreshAccessToken(refreshToken) {
+  const config = getGoogleOAuthConfig();
+  const response = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      refresh_token: refreshToken,
+      grant_type: "refresh_token"
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to refresh access token: ${error}`);
+  }
+  return response.json();
+}
+
+// src/server/lib/oauth/state.ts
+import * as jose from "jose";
+import { env as env6 } from "@spfn/auth/config";
+async function getStateKey() {
+  const secret = env6.SPFN_AUTH_SESSION_SECRET;
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`oauth-state:${secret}`);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(hashBuffer);
+}
+function generateNonce() {
+  const array = new Uint8Array(16);
+  crypto.getRandomValues(array);
+  return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createOAuthState(params) {
+  const key = await getStateKey();
+  const state = {
+    returnUrl: params.returnUrl,
+    nonce: generateNonce(),
+    provider: params.provider,
+    publicKey: params.publicKey,
+    keyId: params.keyId,
+    fingerprint: params.fingerprint,
+    algorithm: params.algorithm
+  };
+  const jwe = await new jose.EncryptJWT({ state }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime("10m").encrypt(key);
+  return encodeURIComponent(jwe);
+}
+async function verifyOAuthState(encryptedState) {
+  const key = await getStateKey();
+  const jwe = decodeURIComponent(encryptedState);
+  const { payload } = await jose.jwtDecrypt(jwe, key);
+  return payload.state;
+}
+
+// src/server/services/oauth.service.ts
+async function oauthStartService(params) {
+  const { provider, returnUrl, publicKey, keyId, fingerprint, algorithm } = params;
+  if (provider === "google") {
+    if (!isGoogleOAuthEnabled()) {
+      throw new ValidationError2({
+        message: "Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET."
+      });
+    }
+    const state = await createOAuthState({
+      provider: "google",
+      returnUrl,
+      publicKey,
+      keyId,
+      fingerprint,
+      algorithm
+    });
+    const authUrl = getGoogleAuthUrl(state);
+    return { authUrl };
+  }
+  throw new ValidationError2({
+    message: `Unsupported OAuth provider: ${provider}`
+  });
+}
+async function oauthCallbackService(params) {
+  const { provider, code, state } = params;
+  const stateData = await verifyOAuthState(state);
+  if (stateData.provider !== provider) {
+    throw new ValidationError2({
+      message: "OAuth state provider mismatch"
+    });
+  }
+  if (provider === "google") {
+    return handleGoogleCallback(code, stateData);
+  }
+  throw new ValidationError2({
+    message: `Unsupported OAuth provider: ${provider}`
+  });
+}
+async function handleGoogleCallback(code, stateData) {
+  const tokens = await exchangeCodeForTokens(code);
+  const googleUser = await getGoogleUserInfo(tokens.access_token);
+  const existingSocialAccount = await socialAccountsRepository.findByProviderAndProviderId(
+    "google",
+    googleUser.id
+  );
+  let userId;
+  let isNewUser = false;
+  if (existingSocialAccount) {
+    userId = existingSocialAccount.userId;
+    await socialAccountsRepository.updateTokens(existingSocialAccount.id, {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token ?? existingSocialAccount.refreshToken,
+      tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+    });
+  } else {
+    const result = await createOrLinkUser(googleUser, tokens);
+    userId = result.userId;
+    isNewUser = result.isNewUser;
+  }
+  await registerPublicKeyService({
+    userId,
+    keyId: stateData.keyId,
+    publicKey: stateData.publicKey,
+    fingerprint: stateData.fingerprint,
+    algorithm: stateData.algorithm
+  });
+  await updateLastLoginService(userId);
+  const appUrl = env7.NEXT_PUBLIC_SPFN_APP_URL || env7.SPFN_APP_URL;
+  const callbackPath = env7.SPFN_AUTH_OAUTH_SUCCESS_URL || "/auth/callback";
+  const callbackUrl = callbackPath.startsWith("http") ? callbackPath : `${appUrl}${callbackPath}`;
+  const redirectUrl = buildRedirectUrl(callbackUrl, {
+    userId: String(userId),
+    keyId: stateData.keyId,
+    returnUrl: stateData.returnUrl,
+    isNewUser: String(isNewUser)
+  });
+  const user = await usersRepository.findById(userId);
+  const eventPayload = {
+    userId: String(userId),
+    provider: "google",
+    email: user?.email || void 0,
+    phone: user?.phone || void 0
+  };
+  if (isNewUser) {
+    await authRegisterEvent.emit(eventPayload);
+  } else {
+    await authLoginEvent.emit(eventPayload);
+  }
+  return {
+    redirectUrl,
+    userId: String(userId),
+    keyId: stateData.keyId,
+    isNewUser
+  };
+}
+async function createOrLinkUser(googleUser, tokens) {
+  const existingUser = googleUser.email ? await usersRepository.findByEmail(googleUser.email) : null;
+  let userId;
+  let isNewUser = false;
+  if (existingUser) {
+    if (!googleUser.verified_email) {
+      throw new ValidationError2({
+        message: "Cannot link to existing account with unverified email. Please verify your email with Google first."
+      });
+    }
+    userId = existingUser.id;
+    if (!existingUser.emailVerifiedAt) {
+      await usersRepository.updateById(existingUser.id, {
+        emailVerifiedAt: /* @__PURE__ */ new Date()
+      });
+    }
+  } else {
+    const { getRoleByName: getRoleByName3 } = await Promise.resolve().then(() => (init_role_service(), role_service_exports));
+    const userRole = await getRoleByName3("user");
+    if (!userRole) {
+      throw new Error("Default user role not found. Run initializeAuth() first.");
+    }
+    const newUser = await usersRepository.create({
+      email: googleUser.verified_email ? googleUser.email : null,
+      phone: null,
+      passwordHash: null,
+      // OAuth 사용자는 비밀번호 없음
+      passwordChangeRequired: false,
+      roleId: userRole.id,
+      status: "active",
+      emailVerifiedAt: googleUser.verified_email ? /* @__PURE__ */ new Date() : null
+    });
+    userId = newUser.id;
+    isNewUser = true;
+  }
+  await socialAccountsRepository.create({
+    userId,
+    provider: "google",
+    providerUserId: googleUser.id,
+    providerEmail: googleUser.email,
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token ?? null,
+    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+  });
+  return { userId, isNewUser };
+}
+function buildRedirectUrl(baseUrl, params) {
+  const url = new URL(baseUrl, "http://placeholder");
+  for (const [key, value] of Object.entries(params)) {
+    url.searchParams.set(key, value);
+  }
+  if (baseUrl.startsWith("http")) {
+    return url.toString();
+  }
+  return `${url.pathname}${url.search}`;
+}
+function buildOAuthErrorUrl(error) {
+  const errorUrl = env7.SPFN_AUTH_OAUTH_ERROR_URL || "/auth/error?error={error}";
+  return errorUrl.replace("{error}", encodeURIComponent(error));
+}
+function isOAuthProviderEnabled(provider) {
+  switch (provider) {
+    case "google":
+      return isGoogleOAuthEnabled();
+    case "github":
+    case "kakao":
+    case "naver":
+      return false;
+    default:
+      return false;
+  }
+}
+function getEnabledOAuthProviders() {
+  const providers = [];
+  if (isGoogleOAuthEnabled()) {
+    providers.push("google");
+  }
+  return providers;
+}
+var TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1e3;
+async function getGoogleAccessToken(userId) {
+  const account = await socialAccountsRepository.findByUserIdAndProvider(userId, "google");
+  if (!account) {
+    throw new ValidationError2({
+      message: "No Google account linked. User must sign in with Google first."
+    });
+  }
+  const isExpired = !account.tokenExpiresAt || account.tokenExpiresAt.getTime() < Date.now() + TOKEN_EXPIRY_BUFFER_MS;
+  if (!isExpired && account.accessToken) {
+    return account.accessToken;
+  }
+  if (!account.refreshToken) {
+    throw new ValidationError2({
+      message: "Google refresh token not available. User must re-authenticate with Google."
+    });
+  }
+  const tokens = await refreshAccessToken(account.refreshToken);
+  await socialAccountsRepository.updateTokens(account.id, {
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token ?? account.refreshToken,
+    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+  });
+  return tokens.access_token;
+}
 
 // src/server/routes/auth/index.ts
 init_esm();
@@ -7980,9 +8128,7 @@ var login = route.post("/_auth/login").input({
   const { body } = await c.data();
   return await loginService(body);
 });
-var logout = route.post("/_auth/logout").input({
-  body: Type.Object({})
-}).handler(async (c) => {
+var logout = route.post("/_auth/logout").handler(async (c) => {
   const auth = getAuth(c);
   if (!auth) {
     return c.noContent();
@@ -7991,9 +8137,7 @@ var logout = route.post("/_auth/logout").input({
   await logoutService({ userId: Number(userId), keyId });
   return c.noContent();
 });
-var rotateKey = route.post("/_auth/keys/rotate").input({
-  body: Type.Object({})
-}).interceptor({
+var rotateKey = route.post("/_auth/keys/rotate").interceptor({
   body: Type.Object({
     publicKey: Type.String({ description: "New public key" }),
     keyId: Type.String({ description: "New key identifier" }),
@@ -8223,6 +8367,59 @@ var requireRole = defineMiddleware3(
   }
 );
 
+// src/server/middleware/role-guard.ts
+import { defineMiddleware as defineMiddleware4 } from "@spfn/core/route";
+import { getAuth as getAuth4, getUserRole as getUserRole2, authLogger as authLogger5 } from "@spfn/auth/server";
+import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
+import { InsufficientRoleError as InsufficientRoleError2 } from "@spfn/auth/errors";
+var roleGuard = defineMiddleware4(
+  "roleGuard",
+  (options) => async (c, next) => {
+    const { allow, deny } = options;
+    if (!allow && !deny) {
+      throw new Error("roleGuard requires at least one of: allow, deny");
+    }
+    const auth = getAuth4(c);
+    if (!auth) {
+      authLogger5.middleware.warn("Role guard failed: not authenticated", {
+        path: c.req.path
+      });
+      throw new ForbiddenError3({ message: "Authentication required" });
+    }
+    const { userId } = auth;
+    const userRole = await getUserRole2(userId);
+    if (deny && deny.length > 0) {
+      if (userRole && deny.includes(userRole)) {
+        authLogger5.middleware.warn("Role guard denied", {
+          userId,
+          userRole,
+          deniedRoles: deny,
+          path: c.req.path
+        });
+        throw new InsufficientRoleError2({ requiredRoles: allow || [] });
+      }
+    }
+    if (allow && allow.length > 0) {
+      if (!userRole || !allow.includes(userRole)) {
+        authLogger5.middleware.warn("Role guard failed: role not allowed", {
+          userId,
+          userRole,
+          allowedRoles: allow,
+          path: c.req.path
+        });
+        throw new InsufficientRoleError2({ requiredRoles: allow });
+      }
+    }
+    authLogger5.middleware.debug("Role guard passed", {
+      userId,
+      userRole,
+      allow,
+      deny
+    });
+    await next();
+  }
+);
+
 // src/server/routes/invitations/index.ts
 init_types();
 init_esm();
@@ -8416,21 +8613,277 @@ var invitationRouter = defineRouter2({
 });
 
 // src/server/routes/users/index.ts
+init_esm();
 import { defineRouter as defineRouter3, route as route3 } from "@spfn/core/route";
 var getUserProfile = route3.get("/_auth/users/profile").handler(async (c) => {
   const { userId } = getAuth(c);
   return await getUserProfileService(userId);
 });
+var updateUserProfile = route3.patch("/_auth/users/profile").input({
+  body: Type.Object({
+    displayName: Type.Optional(Type.String({ description: "Display name shown in UI" })),
+    firstName: Type.Optional(Type.String({ description: "First name" })),
+    lastName: Type.Optional(Type.String({ description: "Last name" })),
+    avatarUrl: Type.Optional(Type.String({ description: "Avatar/profile picture URL" })),
+    bio: Type.Optional(Type.String({ description: "Short bio/description" })),
+    locale: Type.Optional(Type.String({ description: "Locale/language preference (e.g., en, ko)" })),
+    timezone: Type.Optional(Type.String({ description: "Timezone (e.g., Asia/Seoul)" })),
+    dateOfBirth: Type.Optional(Type.String({ description: "Date of birth (YYYY-MM-DD)" })),
+    gender: Type.Optional(Type.String({ description: "Gender" })),
+    website: Type.Optional(Type.String({ description: "Personal or professional website" })),
+    location: Type.Optional(Type.String({ description: "Location (city, country, etc.)" })),
+    company: Type.Optional(Type.String({ description: "Company name" })),
+    jobTitle: Type.Optional(Type.String({ description: "Job title" })),
+    metadata: Type.Optional(Type.Record(Type.String(), Type.Any(), { description: "Additional metadata" }))
+  })
+}).handler(async (c) => {
+  const { userId } = getAuth(c);
+  const { body } = await c.data();
+  return await updateUserProfileService(userId, body);
+});
 var userRouter = defineRouter3({
-  getUserProfile
+  getUserProfile,
+  updateUserProfile
+});
+
+// src/server/routes/oauth/index.ts
+init_esm();
+init_types();
+import { Transactional as Transactional2 } from "@spfn/core/db";
+import { defineRouter as defineRouter4, route as route4 } from "@spfn/core/route";
+var oauthGoogleStart = route4.get("/_auth/oauth/google").input({
+  query: Type.Object({
+    state: Type.String({
+      description: "Encrypted OAuth state (returnUrl, publicKey, keyId, fingerprint, algorithm)"
+    })
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { query } = await c.data();
+  if (!isGoogleOAuthEnabled()) {
+    return c.redirect(buildOAuthErrorUrl("Google OAuth is not configured"));
+  }
+  const authUrl = getGoogleAuthUrl(query.state);
+  return c.redirect(authUrl);
+});
+var oauthGoogleCallback = route4.get("/_auth/oauth/google/callback").input({
+  query: Type.Object({
+    code: Type.Optional(Type.String({
+      description: "Authorization code from Google"
+    })),
+    state: Type.Optional(Type.String({
+      description: "OAuth state parameter"
+    })),
+    error: Type.Optional(Type.String({
+      description: "Error code from Google"
+    })),
+    error_description: Type.Optional(Type.String({
+      description: "Error description from Google"
+    }))
+  })
+}).use([Transactional2()]).skip(["auth"]).handler(async (c) => {
+  const { query } = await c.data();
+  if (query.error) {
+    const errorMessage = query.error_description || query.error;
+    return c.redirect(buildOAuthErrorUrl(errorMessage));
+  }
+  if (!query.code || !query.state) {
+    return c.redirect(buildOAuthErrorUrl("Missing authorization code or state"));
+  }
+  try {
+    const result = await oauthCallbackService({
+      provider: "google",
+      code: query.code,
+      state: query.state
+    });
+    return c.redirect(result.redirectUrl);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "OAuth callback failed";
+    return c.redirect(buildOAuthErrorUrl(message));
+  }
+});
+var oauthStart = route4.post("/_auth/oauth/start").input({
+  body: Type.Object({
+    provider: Type.Union(SOCIAL_PROVIDERS.map((p) => Type.Literal(p)), {
+      description: "OAuth provider (google, github, kakao, naver)"
+    }),
+    returnUrl: Type.String({
+      description: "URL to redirect after OAuth success"
+    }),
+    publicKey: Type.String({
+      description: "Client public key (Base64 DER)"
+    }),
+    keyId: Type.String({
+      description: "Key identifier (UUID)"
+    }),
+    fingerprint: Type.String({
+      description: "Key fingerprint (SHA-256 hex)"
+    }),
+    algorithm: Type.Union(KEY_ALGORITHM.map((a) => Type.Literal(a)), {
+      description: "Key algorithm (ES256 or RS256)"
+    })
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  const result = await oauthStartService(body);
+  return result;
+});
+var oauthProviders = route4.get("/_auth/oauth/providers").skip(["auth"]).handler(async () => {
+  return {
+    providers: getEnabledOAuthProviders()
+  };
+});
+var getGoogleOAuthUrl = route4.post("/_auth/oauth/google/url").input({
+  body: Type.Object({
+    returnUrl: Type.Optional(Type.String({
+      description: "URL to redirect after OAuth success"
+    })),
+    state: Type.Optional(Type.String({
+      description: "Encrypted OAuth state (injected by interceptor)"
+    }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  if (!isGoogleOAuthEnabled()) {
+    throw new Error("Google OAuth is not configured");
+  }
+  if (!body.state) {
+    throw new Error("OAuth state is required. Ensure the OAuth interceptor is configured.");
+  }
+  return { authUrl: getGoogleAuthUrl(body.state) };
+});
+var oauthFinalize = route4.post("/_auth/oauth/finalize").input({
+  body: Type.Object({
+    userId: Type.String({ description: "User ID from OAuth callback" }),
+    keyId: Type.String({ description: "Key ID from OAuth state" }),
+    returnUrl: Type.Optional(Type.String({ description: "URL to redirect after login" }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  return {
+    success: true,
+    userId: body.userId,
+    keyId: body.keyId,
+    returnUrl: body.returnUrl || "/"
+  };
+});
+var oauthRouter = defineRouter4({
+  oauthGoogleStart,
+  oauthGoogleCallback,
+  oauthStart,
+  oauthProviders,
+  getGoogleOAuthUrl,
+  oauthFinalize
+});
+
+// src/server/routes/admin/index.ts
+init_esm();
+import { route as route5 } from "@spfn/core/route";
+var listRoles = route5.get("/_auth/admin/roles").input({
+  query: Type.Object({
+    includeInactive: Type.Optional(Type.Boolean({
+      description: "Include inactive roles (default: false)"
+    }))
+  })
+}).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
+  const { query } = await c.data();
+  const roles2 = await getAllRoles(query.includeInactive ?? false);
+  return { roles: roles2 };
+});
+var createAdminRole = route5.post("/_auth/admin/roles").input({
+  body: Type.Object({
+    name: Type.String({ description: "Unique role name (slug)" }),
+    displayName: Type.String({ description: "Human-readable role name" }),
+    description: Type.Optional(Type.String({ description: "Role description" })),
+    priority: Type.Optional(Type.Number({ description: "Role priority (default: 10)" })),
+    permissionIds: Type.Optional(Type.Array(
+      Type.Number({ description: "Permission ID" }),
+      { description: "Permission IDs to assign" }
+    ))
+  })
+}).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
+  const { body } = await c.data();
+  const role = await createRole({
+    name: body.name,
+    displayName: body.displayName,
+    description: body.description,
+    priority: body.priority,
+    permissionIds: body.permissionIds
+  });
+  return { role };
+});
+var updateAdminRole = route5.patch("/_auth/admin/roles/:id").input({
+  params: Type.Object({
+    id: Type.Number({ description: "Role ID" })
+  }),
+  body: Type.Object({
+    displayName: Type.Optional(Type.String({ description: "Human-readable role name" })),
+    description: Type.Optional(Type.String({ description: "Role description" })),
+    priority: Type.Optional(Type.Number({ description: "Role priority" })),
+    isActive: Type.Optional(Type.Boolean({ description: "Active status" }))
+  })
+}).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
+  const { params, body } = await c.data();
+  const role = await updateRole(params.id, body);
+  return { role };
+});
+var deleteAdminRole = route5.delete("/_auth/admin/roles/:id").input({
+  params: Type.Object({
+    id: Type.Number({ description: "Role ID" })
+  })
+}).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
+  const { params } = await c.data();
+  await deleteRole(params.id);
+  return c.noContent();
+});
+var updateUserRole = route5.patch("/_auth/admin/users/:userId/role").input({
+  params: Type.Object({
+    userId: Type.Number({ description: "User ID" })
+  }),
+  body: Type.Object({
+    roleId: Type.Number({ description: "New role ID to assign" })
+  })
+}).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
+  const { params, body } = await c.data();
+  await updateUserService(params.userId, { roleId: body.roleId });
+  return { userId: params.userId, roleId: body.roleId };
 });
 
 // src/server/routes/index.ts
-var mainAuthRouter = defineRouter4({
-  // Flatten all routes at root level
-  ...authRouter.routes,
-  ...invitationRouter.routes,
-  ...userRouter.routes
+var mainAuthRouter = defineRouter5({
+  // Auth routes
+  checkAccountExists,
+  sendVerificationCode,
+  verifyCode,
+  register,
+  login,
+  logout,
+  rotateKey,
+  changePassword,
+  getAuthSession,
+  // OAuth routes
+  oauthGoogleStart,
+  oauthGoogleCallback,
+  oauthStart,
+  oauthProviders,
+  getGoogleOAuthUrl,
+  oauthFinalize,
+  // Invitation routes
+  getInvitation,
+  acceptInvitation: acceptInvitation2,
+  createInvitation: createInvitation2,
+  listInvitations: listInvitations2,
+  cancelInvitation: cancelInvitation2,
+  resendInvitation: resendInvitation2,
+  deleteInvitation: deleteInvitation2,
+  // User routes
+  getUserProfile,
+  updateUserProfile,
+  // Admin routes (superadmin only)
+  listRoles,
+  createAdminRole,
+  updateAdminRole,
+  deleteAdminRole,
+  updateUserRole
 });
 
 // src/server.ts
@@ -8540,11 +8993,11 @@ function shouldRotateKey(createdAt, rotationDays = 90) {
 }
 
 // src/server/lib/session.ts
-import * as jose from "jose";
-import { env as env7 } from "@spfn/auth/config";
+import * as jose2 from "jose";
+import { env as env8 } from "@spfn/auth/config";
 import { env as coreEnv } from "@spfn/core/config";
 async function getSessionSecretKey() {
-  const secret = env7.SPFN_AUTH_SESSION_SECRET;
+  const secret = env8.SPFN_AUTH_SESSION_SECRET;
   const encoder = new TextEncoder();
   const data = encoder.encode(secret);
   const hashBuffer = await crypto.subtle.digest("SHA-256", data);
@@ -8552,24 +9005,24 @@ async function getSessionSecretKey() {
 }
 async function sealSession(data, ttl = 60 * 60 * 24 * 7) {
   const secret = await getSessionSecretKey();
-  return await new jose.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
+  return await new jose2.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
 }
 async function unsealSession(jwt4) {
   try {
     const secret = await getSessionSecretKey();
-    const { payload } = await jose.jwtDecrypt(jwt4, secret, {
+    const { payload } = await jose2.jwtDecrypt(jwt4, secret, {
       issuer: "spfn-auth",
       audience: "spfn-client"
     });
     return payload.data;
   } catch (err) {
-    if (err instanceof jose.errors.JWTExpired) {
+    if (err instanceof jose2.errors.JWTExpired) {
       throw new Error("Session expired");
     }
-    if (err instanceof jose.errors.JWEDecryptionFailed) {
+    if (err instanceof jose2.errors.JWEDecryptionFailed) {
       throw new Error("Invalid session");
     }
-    if (err instanceof jose.errors.JWTClaimValidationFailed) {
+    if (err instanceof jose2.errors.JWTClaimValidationFailed) {
       throw new Error("Session validation failed");
     }
     throw new Error("Failed to unseal session");
@@ -8578,7 +9031,7 @@ async function unsealSession(jwt4) {
 async function getSessionInfo(jwt4) {
   const secret = await getSessionSecretKey();
   try {
-    const { payload } = await jose.jwtDecrypt(jwt4, secret);
+    const { payload } = await jose2.jwtDecrypt(jwt4, secret);
     return {
       issuedAt: new Date(payload.iat * 1e3),
       expiresAt: new Date(payload.exp * 1e3),
@@ -8602,14 +9055,14 @@ async function shouldRefreshSession(jwt4, thresholdHours = 24) {
 }
 
 // src/server/setup.ts
-import { env as env8 } from "@spfn/auth/config";
+import { env as env9 } from "@spfn/auth/config";
 import { getRoleByName as getRoleByName2 } from "@spfn/auth/server";
 init_repositories();
 function parseAdminAccounts() {
   const accounts = [];
-  if (env8.SPFN_AUTH_ADMIN_ACCOUNTS) {
+  if (env9.SPFN_AUTH_ADMIN_ACCOUNTS) {
     try {
-      const accountsJson = env8.SPFN_AUTH_ADMIN_ACCOUNTS;
+      const accountsJson = env9.SPFN_AUTH_ADMIN_ACCOUNTS;
       const parsed = JSON.parse(accountsJson);
       if (!Array.isArray(parsed)) {
         authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_ACCOUNTS must be an array");
@@ -8636,11 +9089,11 @@ function parseAdminAccounts() {
       return accounts;
     }
   }
-  const adminEmails = env8.SPFN_AUTH_ADMIN_EMAILS;
+  const adminEmails = env9.SPFN_AUTH_ADMIN_EMAILS;
   if (adminEmails) {
     const emails = adminEmails.split(",").map((s) => s.trim());
-    const passwords = (env8.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
-    const roles2 = (env8.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
+    const passwords = (env9.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
+    const roles2 = (env9.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
     if (passwords.length !== emails.length) {
       authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_EMAILS and SPFN_AUTH_ADMIN_PASSWORDS length mismatch");
       return accounts;
@@ -8662,8 +9115,8 @@ function parseAdminAccounts() {
     }
     return accounts;
   }
-  const adminEmail = env8.SPFN_AUTH_ADMIN_EMAIL;
-  const adminPassword = env8.SPFN_AUTH_ADMIN_PASSWORD;
+  const adminEmail = env9.SPFN_AUTH_ADMIN_EMAIL;
+  const adminPassword = env9.SPFN_AUTH_ADMIN_PASSWORD;
   if (adminEmail && adminPassword) {
     accounts.push({
       email: adminEmail,
@@ -8741,6 +9194,7 @@ function createAuthLifecycle(options = {}) {
   };
 }
 export {
+  AuthProviderSchema,
   COOKIE_NAMES,
   EmailSchema,
   INVITATION_STATUSES,
@@ -8753,6 +9207,7 @@ export {
   RolePermissionsRepository,
   RolesRepository,
   SOCIAL_PROVIDERS,
+  SocialAccountsRepository,
   TargetTypeSchema,
   USER_STATUSES,
   UserPermissionsRepository,
@@ -8765,19 +9220,24 @@ export {
   acceptInvitation,
   addPermissionToRole,
   authLogger,
+  authLoginEvent,
+  authRegisterEvent,
   mainAuthRouter as authRouter,
   authSchema,
   authenticate,
+  buildOAuthErrorUrl,
   cancelInvitation,
   changePasswordService,
   checkAccountExistsService,
   configureAuth,
   createAuthLifecycle,
   createInvitation,
+  createOAuthState,
   createRole,
   decodeToken,
   deleteInvitation,
   deleteRole,
+  exchangeCodeForTokens,
   expireOldInvitations,
   generateClientToken,
   generateKeyPair,
@@ -8788,12 +9248,15 @@ export {
   getAuth,
   getAuthConfig,
   getAuthSessionService,
+  getEnabledOAuthProviders,
+  getGoogleAccessToken,
+  getGoogleAuthUrl,
+  getGoogleOAuthConfig,
+  getGoogleUserInfo,
   getInvitationByToken,
-  getInvitationTemplate,
   getInvitationWithDetails,
   getKeyId,
   getKeySize,
-  getPasswordResetTemplate,
   getRoleByName,
   getRolePermissions,
   getSessionInfo,
@@ -8805,8 +9268,7 @@ export {
   getUserId,
   getUserPermissions,
   getUserProfileService,
-  getVerificationCodeTemplate,
-  getWelcomeTemplate,
+  getUserRole,
   hasAllPermissions,
   hasAnyPermission,
   hasAnyRole,
@@ -8815,17 +9277,19 @@ export {
   hashPassword,
   initializeAuth,
   invitationsRepository,
+  isGoogleOAuthEnabled,
+  isOAuthProviderEnabled,
   keysRepository,
   listInvitations,
   loginService,
   logoutService,
+  oauthCallbackService,
+  oauthStartService,
   parseDuration,
   permissions,
   permissionsRepository,
-  registerEmailProvider,
-  registerEmailTemplates,
+  refreshAccessToken,
   registerPublicKeyService,
-  registerSMSProvider,
   registerService,
   removePermissionFromRole,
   requireAnyPermission,
@@ -8833,21 +9297,22 @@ export {
   requireRole,
   resendInvitation,
   revokeKeyService,
+  roleGuard,
   rolePermissions,
   rolePermissionsRepository,
   roles,
   rolesRepository,
   rotateKeyService,
   sealSession,
-  sendEmail,
-  sendSMS,
   sendVerificationCodeService,
   setRolePermissions,
   shouldRefreshSession,
   shouldRotateKey,
+  socialAccountsRepository,
   unsealSession,
   updateLastLoginService,
   updateRole,
+  updateUserProfileService,
   updateUserService,
   userInvitations,
   userPermissions,
@@ -8865,6 +9330,7 @@ export {
   verifyClientToken,
   verifyCodeService,
   verifyKeyFingerprint,
+  verifyOAuthState,
   verifyPassword,
   verifyToken
 };