npm - @spfn/auth - Versions diffs - 0.2.0-beta.23 → 0.2.0-beta.25 - Mend

@spfn/auth 0.2.0-beta.23 → 0.2.0-beta.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/{authenticate-BmzJ6hTF.d.ts → authenticate-DAAEfzxa.d.ts} +2 -1
package/dist/index.d.ts +3 -3
package/dist/server.d.ts +92 -49
package/dist/server.js +38 -10
package/dist/server.js.map +1 -1
package/package.json +4 -4

package/dist/{authenticate-BmzJ6hTF.d.ts → authenticate-DAAEfzxa.d.ts} RENAMED Viewed

@@ -541,7 +541,7 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
             id: number;
             name: string;
             displayName: string;
-            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
+            category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
         }[];
         userId: number;
         email: string | null;
@@ -799,6 +799,7 @@ interface AuthContext {
     user: User;
     userId: string;
     keyId: string;
+    role: string | null;
 }
 declare module 'hono' {
     interface ContextVariableMap {

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import * as _spfn_core_nextjs from '@spfn/core/nextjs';
-import { R as RoleConfig, P as PermissionConfig, C as CheckAccountExistsResult, S as SendVerificationCodeResult, a as RegisterResult, L as LoginResult, b as RotateKeyResult, O as OAuthStartResult, U as UserProfile, c as ProfileInfo, m as mainAuthRouter } from './authenticate-BmzJ6hTF.js';
-export { k as AuthInitOptions, A as AuthSession, I as INVITATION_STATUSES, n as InvitationStatus, K as KEY_ALGORITHM, l as KeyAlgorithmType, i as PERMISSION_CATEGORIES, j as PermissionCategory, e as SOCIAL_PROVIDERS, p as SocialProvider, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, f as VerificationPurpose, V as VerificationTargetType } from './authenticate-BmzJ6hTF.js';
+import { R as RoleConfig, P as PermissionConfig, C as CheckAccountExistsResult, S as SendVerificationCodeResult, a as RegisterResult, L as LoginResult, b as RotateKeyResult, O as OAuthStartResult, U as UserProfile, c as ProfileInfo, m as mainAuthRouter } from './authenticate-DAAEfzxa.js';
+export { k as AuthInitOptions, A as AuthSession, I as INVITATION_STATUSES, n as InvitationStatus, K as KEY_ALGORITHM, l as KeyAlgorithmType, i as PERMISSION_CATEGORIES, j as PermissionCategory, e as SOCIAL_PROVIDERS, p as SocialProvider, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, f as VerificationPurpose, V as VerificationTargetType } from './authenticate-DAAEfzxa.js';
 import * as _spfn_core_route from '@spfn/core/route';
 import { HttpMethod } from '@spfn/core/route';
 import * as _sinclair_typebox from '@sinclair/typebox';
@@ -168,7 +168,7 @@ declare const authApi: _spfn_core_nextjs.Client<_spfn_core_route.Router<{
             id: number;
             name: string;
             displayName: string;
-            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
+            category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
         }[];
         userId: number;
         email: string | null;

package/dist/server.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { k as AuthInitOptions, l as KeyAlgorithmType, n as InvitationStatus, f as VerificationPurpose, j as PermissionCategory, p as SocialProvider, q as AuthContext } from './authenticate-BmzJ6hTF.js';
-export { B as ChangePasswordParams, w as CheckAccountExistsParams, C as CheckAccountExistsResult, a5 as EmailSchema, I as INVITATION_STATUSES, K as KEY_ALGORITHM, y as LoginParams, L as LoginResult, z as LogoutParams, a2 as OAuthCallbackParams, a3 as OAuthCallbackResult, a1 as OAuthStartParams, O as OAuthStartResult, a7 as PasswordSchema, a6 as PhoneSchema, x as RegisterParams, Q as RegisterPublicKeyParams, a as RegisterResult, W as RevokeKeyParams, T as RotateKeyParams, b as RotateKeyResult, e as SOCIAL_PROVIDERS, F as SendVerificationCodeParams, S as SendVerificationCodeResult, a8 as TargetTypeSchema, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, a9 as VerificationPurposeSchema, V as VerificationTargetType, G as VerifyCodeParams, H as VerifyCodeResult, m as authRouter, a4 as authenticate, Z as buildOAuthErrorUrl, v as changePasswordService, r as checkAccountExistsService, $ as getEnabledOAuthProviders, a0 as getGoogleAccessToken, _ as isOAuthProviderEnabled, t as loginService, u as logoutService, Y as oauthCallbackService, X as oauthStartService, J as registerPublicKeyService, s as registerService, N as revokeKeyService, M as rotateKeyService, D as sendVerificationCodeService, E as verifyCodeService } from './authenticate-BmzJ6hTF.js';
+import { k as AuthInitOptions, l as KeyAlgorithmType, n as InvitationStatus, f as VerificationPurpose, j as PermissionCategory, p as SocialProvider, q as AuthContext } from './authenticate-DAAEfzxa.js';
+export { B as ChangePasswordParams, w as CheckAccountExistsParams, C as CheckAccountExistsResult, a5 as EmailSchema, I as INVITATION_STATUSES, K as KEY_ALGORITHM, y as LoginParams, L as LoginResult, z as LogoutParams, a2 as OAuthCallbackParams, a3 as OAuthCallbackResult, a1 as OAuthStartParams, O as OAuthStartResult, a7 as PasswordSchema, a6 as PhoneSchema, x as RegisterParams, Q as RegisterPublicKeyParams, a as RegisterResult, W as RevokeKeyParams, T as RotateKeyParams, b as RotateKeyResult, e as SOCIAL_PROVIDERS, F as SendVerificationCodeParams, S as SendVerificationCodeResult, a8 as TargetTypeSchema, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, a9 as VerificationPurposeSchema, V as VerificationTargetType, G as VerifyCodeParams, H as VerifyCodeResult, m as authRouter, a4 as authenticate, Z as buildOAuthErrorUrl, v as changePasswordService, r as checkAccountExistsService, $ as getEnabledOAuthProviders, a0 as getGoogleAccessToken, _ as isOAuthProviderEnabled, t as loginService, u as logoutService, Y as oauthCallbackService, X as oauthStartService, J as registerPublicKeyService, s as registerService, N as revokeKeyService, M as rotateKeyService, D as sendVerificationCodeService, E as verifyCodeService } from './authenticate-DAAEfzxa.js';
 import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
 import { UserProfile as UserProfile$1, ProfileInfo } from '@spfn/auth';
 import { BaseRepository } from '@spfn/core/db';
@@ -1256,7 +1256,7 @@ declare function getAuthSessionService(userId: string | number | bigint): Promis
         id: number;
         name: string;
         displayName: string;
-        category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
+        category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
     }[];
     userId: number;
     email: string | null;
@@ -2385,7 +2385,7 @@ declare const permissions: drizzle_orm_pg_core.PgTableWithColumns<{
             tableName: "permissions";
             dataType: "string";
             columnType: "PgText";
-            data: "auth" | "custom" | "user" | "rbac" | "system";
+            data: "custom" | "user" | "auth" | "rbac" | "system";
             driverParam: string;
             notNull: false;
             hasDefault: false;
@@ -2827,6 +2827,33 @@ declare class UsersRepository extends BaseRepository {
         phoneVerifiedAt: Date | null;
         lastLoginAt: Date | null;
     } | null>;
+    /**
+     * ID로 사용자 + Role 조회 (leftJoin)
+     * Read replica 사용
+     *
+     * roleId가 null인 유저는 role: null 반환
+     */
+    findByIdWithRole(id: number): Promise<{
+        user: {
+            createdAt: Date;
+            updatedAt: Date;
+            id: number;
+            email: string | null;
+            phone: string | null;
+            passwordHash: string | null;
+            passwordChangeRequired: boolean;
+            roleId: number;
+            status: "active" | "inactive" | "suspended";
+            emailVerifiedAt: Date | null;
+            phoneVerifiedAt: Date | null;
+            lastLoginAt: Date | null;
+        };
+        role: {
+            name: string;
+            displayName: string;
+            priority: number;
+        } | null;
+    } | null>;
     /**
      * 사용자 생성
      * Write primary 사용
@@ -2834,13 +2861,13 @@ declare class UsersRepository extends BaseRepository {
     create(data: NewUser): Promise<{
         email: string | null;
         phone: string | null;
+        status: "active" | "inactive" | "suspended";
         id: number;
+        createdAt: Date;
+        updatedAt: Date;
         passwordHash: string | null;
         passwordChangeRequired: boolean;
         roleId: number;
-        createdAt: Date;
-        updatedAt: Date;
-        status: "active" | "inactive" | "suspended";
         emailVerifiedAt: Date | null;
         phoneVerifiedAt: Date | null;
         lastLoginAt: Date | null;
@@ -2906,13 +2933,13 @@ declare class UsersRepository extends BaseRepository {
     deleteById(id: number): Promise<{
         email: string | null;
         phone: string | null;
+        status: "active" | "inactive" | "suspended";
         id: number;
+        createdAt: Date;
+        updatedAt: Date;
         passwordHash: string | null;
         passwordChangeRequired: boolean;
         roleId: number;
-        createdAt: Date;
-        updatedAt: Date;
-        status: "active" | "inactive" | "suspended";
         emailVerifiedAt: Date | null;
         phoneVerifiedAt: Date | null;
         lastLoginAt: Date | null;
@@ -2935,7 +2962,7 @@ declare class UsersRepository extends BaseRepository {
             id: number;
             name: string;
             displayName: string;
-            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
+            category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
         }[];
     }>;
     /**
@@ -3045,16 +3072,16 @@ declare class KeysRepository extends BaseRepository {
      * Write primary 사용
      */
     create(data: NewUserPublicKey): Promise<{
-        publicKey: string;
-        keyId: string;
-        fingerprint: string;
-        algorithm: "ES256" | "RS256";
         userId: number;
+        keyId: string;
         id: number;
         isActive: boolean;
         createdAt: Date;
-        expiresAt: Date | null;
+        publicKey: string;
+        algorithm: "ES256" | "RS256";
+        fingerprint: string;
         lastUsedAt: Date | null;
+        expiresAt: Date | null;
         revokedAt: Date | null;
         revokedReason: string | null;
     }>;
@@ -3081,16 +3108,16 @@ declare class KeysRepository extends BaseRepository {
      * Write primary 사용
      */
     deleteByKeyIdAndUserId(keyId: string, userId: number): Promise<{
-        publicKey: string;
-        keyId: string;
-        fingerprint: string;
-        algorithm: "ES256" | "RS256";
         userId: number;
+        keyId: string;
         id: number;
         isActive: boolean;
         createdAt: Date;
-        expiresAt: Date | null;
+        publicKey: string;
+        algorithm: "ES256" | "RS256";
+        fingerprint: string;
         lastUsedAt: Date | null;
+        expiresAt: Date | null;
         revokedAt: Date | null;
         revokedReason: string | null;
     }>;
@@ -3205,14 +3232,14 @@ declare class VerificationCodesRepository extends BaseRepository {
      * Write primary 사용
      */
     create(data: NewVerificationCode): Promise<{
-        target: string;
-        targetType: "email" | "phone";
-        purpose: "registration" | "login" | "password_reset" | "email_change" | "phone_change";
-        code: string;
         id: number;
         createdAt: Date;
         updatedAt: Date;
         expiresAt: Date;
+        target: string;
+        targetType: "email" | "phone";
+        code: string;
+        purpose: "registration" | "login" | "password_reset" | "email_change" | "phone_change";
         usedAt: Date | null;
         attempts: number;
     }>;
@@ -3401,7 +3428,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
+        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3417,7 +3444,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
+        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3457,7 +3484,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
+        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3476,8 +3503,8 @@ declare class PermissionsRepository extends BaseRepository {
         isActive: boolean;
         createdAt: Date;
         updatedAt: Date;
-        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
         metadata: Record<string, any> | null;
+        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
     }>;
 }
 declare const permissionsRepository: PermissionsRepository;
@@ -3522,9 +3549,9 @@ declare class RolePermissionsRepository extends BaseRepository {
      */
     createMany(data: NewRolePermission[]): Promise<{
         id: number;
-        roleId: number;
         createdAt: Date;
         updatedAt: Date;
+        roleId: number;
         permissionId: number;
     }[]>;
     /**
@@ -3540,9 +3567,9 @@ declare class RolePermissionsRepository extends BaseRepository {
      */
     setPermissionsForRole(roleId: number, permissionIds: number[]): Promise<{
         id: number;
-        roleId: number;
         createdAt: Date;
         updatedAt: Date;
+        roleId: number;
         permissionId: number;
     }[]>;
 }
@@ -3607,10 +3634,10 @@ declare class UserPermissionsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        permissionId: number;
         expiresAt: Date | null;
-        reason: string | null;
+        permissionId: number;
         granted: boolean;
+        reason: string | null;
     }>;
     /**
      * 사용자 권한 오버라이드 업데이트
@@ -3633,10 +3660,10 @@ declare class UserPermissionsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        permissionId: number;
         expiresAt: Date | null;
-        reason: string | null;
+        permissionId: number;
         granted: boolean;
+        reason: string | null;
     }>;
     /**
      * 사용자의 모든 권한 오버라이드 삭제
@@ -3715,7 +3742,6 @@ declare class UserProfilesRepository extends BaseRepository {
         displayName: string;
         createdAt: Date;
         updatedAt: Date;
-        metadata: Record<string, any> | null;
         firstName: string | null;
         lastName: string | null;
         avatarUrl: string | null;
@@ -3728,6 +3754,7 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
+        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 업데이트 (by ID)
@@ -3784,7 +3811,6 @@ declare class UserProfilesRepository extends BaseRepository {
         displayName: string;
         createdAt: Date;
         updatedAt: Date;
-        metadata: Record<string, any> | null;
         firstName: string | null;
         lastName: string | null;
         avatarUrl: string | null;
@@ -3797,6 +3823,7 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
+        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 삭제 (by User ID)
@@ -3807,7 +3834,6 @@ declare class UserProfilesRepository extends BaseRepository {
         displayName: string;
         createdAt: Date;
         updatedAt: Date;
-        metadata: Record<string, any> | null;
         firstName: string | null;
         lastName: string | null;
         avatarUrl: string | null;
@@ -3820,6 +3846,7 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
+        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 Upsert (by User ID)
@@ -3833,7 +3860,6 @@ declare class UserProfilesRepository extends BaseRepository {
         displayName: string;
         createdAt: Date;
         updatedAt: Date;
-        metadata: Record<string, any> | null;
         firstName: string | null;
         lastName: string | null;
         avatarUrl: string | null;
@@ -3846,6 +3872,7 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
+        metadata: Record<string, any> | null;
     }>;
     /**
      * User ID로 프로필 데이터 조회 (formatted)
@@ -3973,15 +4000,15 @@ declare class InvitationsRepository extends BaseRepository {
      */
     create(data: NewInvitation): Promise<{
         email: string;
+        status: "pending" | "accepted" | "expired" | "cancelled";
         id: number;
-        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        status: "pending" | "accepted" | "expired" | "cancelled";
+        roleId: number;
         metadata: Record<string, any> | null;
+        expiresAt: Date;
         token: string;
         invitedBy: number;
-        expiresAt: Date;
         acceptedAt: Date | null;
         cancelledAt: Date | null;
     }>;
@@ -4007,15 +4034,15 @@ declare class InvitationsRepository extends BaseRepository {
      */
     deleteById(id: number): Promise<{
         email: string;
+        status: "pending" | "accepted" | "expired" | "cancelled";
         id: number;
-        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        status: "pending" | "accepted" | "expired" | "cancelled";
+        roleId: number;
         metadata: Record<string, any> | null;
+        expiresAt: Date;
         token: string;
         invitedBy: number;
-        expiresAt: Date;
         acceptedAt: Date | null;
         cancelledAt: Date | null;
     }>;
@@ -4656,13 +4683,13 @@ declare function getUser(c: Context | {
 }): {
     email: string | null;
     phone: string | null;
+    status: "active" | "inactive" | "suspended";
     id: number;
+    createdAt: Date;
+    updatedAt: Date;
     passwordHash: string | null;
     passwordChangeRequired: boolean;
     roleId: number;
-    createdAt: Date;
-    updatedAt: Date;
-    status: "active" | "inactive" | "suspended";
     emailVerifiedAt: Date | null;
     phoneVerifiedAt: Date | null;
     lastLoginAt: Date | null;
@@ -4681,6 +4708,22 @@ declare function getUser(c: Context | {
 declare function getUserId(c: Context | {
     raw: Context;
 }): string;
+/**
+ * Get authenticated user's role from route context
+ *
+ * @returns Role name or null if user has no role
+ *
+ * @example
+ * ```typescript
+ * app.bind(adminContract, [authenticate], async (c) => {
+ *     const role = getRole(c);
+ *     // 'admin' | 'superadmin' | null
+ * });
+ * ```
+ */
+declare function getRole(c: Context | {
+    raw: Context;
+}): string | null;
 /**
  * Get current key ID from route context
  *
@@ -5135,4 +5178,4 @@ declare const authRegisterEvent: _spfn_core_event.EventDef<{
 type AuthLoginPayload = typeof authLoginEvent._payload;
 type AuthRegisterPayload = typeof authRegisterEvent._payload;
-export { type AuthConfig, AuthContext, type AuthLoginPayload, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authRegisterEvent, authSchema, cancelInvitation, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateRole, updateUserProfileService, updateUserService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };
+export { type AuthConfig, AuthContext, type AuthLoginPayload, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authRegisterEvent, authSchema, cancelInvitation, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getRole, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateRole, updateUserProfileService, updateUserService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };

package/dist/server.js CHANGED Viewed

@@ -5355,6 +5355,28 @@ var init_users_repository = __esm({
         }
         return null;
       }
+      /**
+       * ID로 사용자 + Role 조회 (leftJoin)
+       * Read replica 사용
+       *
+       * roleId가 null인 유저는 role: null 반환
+       */
+      async findByIdWithRole(id11) {
+        const result = await this.readDb.select({
+          user: users,
+          roleName: roles.name,
+          roleDisplayName: roles.displayName,
+          rolePriority: roles.priority
+        }).from(users).leftJoin(roles, eq(users.roleId, roles.id)).where(eq(users.id, id11)).limit(1);
+        const row = result[0];
+        if (!row) {
+          return null;
+        }
+        return {
+          user: row.user,
+          role: row.roleName ? { name: row.roleName, displayName: row.roleDisplayName, priority: row.rolePriority } : null
+        };
+      }
       /**
        * 사용자 생성
        * Write primary 사용
@@ -6766,6 +6788,9 @@ function getUser(c) {
 function getUserId(c) {
   return getAuth(c).userId;
 }
+function getRole(c) {
+  return getAuth(c).role;
+}
 function getKeyId(c) {
   return getAuth(c).keyId;
 }
@@ -8244,10 +8269,11 @@ var authenticate = defineMiddleware("auth", async (c, next) => {
     }
     throw new UnauthorizedError({ message: "Authentication failed" });
   }
-  const user = await usersRepository2.findById(keyRecord.userId);
-  if (!user) {
+  const result = await usersRepository2.findByIdWithRole(keyRecord.userId);
+  if (!result) {
     throw new UnauthorizedError({ message: "User not found" });
   }
+  const { user, role } = result;
   if (user.status !== "active") {
     throw new AccountDisabledError2({ status: user.status });
   }
@@ -8255,7 +8281,8 @@ var authenticate = defineMiddleware("auth", async (c, next) => {
   c.set("auth", {
     user,
     userId: String(user.id),
-    keyId
+    keyId,
+    role: role?.name ?? null
   });
   const method = c.req.method;
   const path = c.req.path;
@@ -8335,7 +8362,7 @@ var requireAnyPermission = defineMiddleware2(
 // src/server/middleware/require-role.ts
 import { defineMiddleware as defineMiddleware3 } from "@spfn/core/route";
-import { getAuth as getAuth3, hasAnyRole as hasAnyRole2, authLogger as authLogger4 } from "@spfn/auth/server";
+import { getAuth as getAuth3, authLogger as authLogger4 } from "@spfn/auth/server";
 import { ForbiddenError as ForbiddenError2 } from "@spfn/core/errors";
 import { InsufficientRoleError } from "@spfn/auth/errors";
 var requireRole = defineMiddleware3(
@@ -8349,11 +8376,11 @@ var requireRole = defineMiddleware3(
       });
       throw new ForbiddenError2({ message: "Authentication required" });
     }
-    const { userId } = auth;
-    const allowed = await hasAnyRole2(userId, roleNames);
-    if (!allowed) {
+    const { userId, role: userRole } = auth;
+    if (!userRole || !roleNames.includes(userRole)) {
       authLogger4.middleware.warn("Role check failed", {
         userId,
+        userRole,
         requiredRoles: roleNames,
         path: c.req.path
       });
@@ -8361,6 +8388,7 @@ var requireRole = defineMiddleware3(
     }
     authLogger4.middleware.debug("Role check passed", {
       userId,
+      userRole,
       roles: roleNames
     });
     await next();
@@ -8369,7 +8397,7 @@ var requireRole = defineMiddleware3(
 // src/server/middleware/role-guard.ts
 import { defineMiddleware as defineMiddleware4 } from "@spfn/core/route";
-import { getAuth as getAuth4, getUserRole as getUserRole2, authLogger as authLogger5 } from "@spfn/auth/server";
+import { getAuth as getAuth4, authLogger as authLogger5 } from "@spfn/auth/server";
 import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
 import { InsufficientRoleError as InsufficientRoleError2 } from "@spfn/auth/errors";
 var roleGuard = defineMiddleware4(
@@ -8386,8 +8414,7 @@ var roleGuard = defineMiddleware4(
       });
       throw new ForbiddenError3({ message: "Authentication required" });
     }
-    const { userId } = auth;
-    const userRole = await getUserRole2(userId);
+    const { userId, role: userRole } = auth;
     if (deny && deny.length > 0) {
       if (userRole && deny.includes(userRole)) {
         authLogger5.middleware.warn("Role guard denied", {
@@ -9257,6 +9284,7 @@ export {
   getInvitationWithDetails,
   getKeyId,
   getKeySize,
+  getRole,
   getRoleByName,
   getRolePermissions,
   getSessionInfo,