@spfn/auth 0.2.0-beta.24 → 0.2.0-beta.26

package/README.md

@@ -602,6 +602,7 @@ import {
 ```typescript
 import {
   authenticate,
+  optionalAuth,
   requirePermissions,
   requireAnyPermission,
   requireRole,
@@ -624,6 +625,18 @@ app.bind(
     // User has either content:read OR admin:access
   }
 );
+
+// Usage - optional auth (public route with optional user context)
+// Auto-skips global 'auth' middleware — no .skip(['auth']) needed
+export const getProducts = route.get('/products')
+  .use([optionalAuth])
+  .handler(async (c) => {
+    const auth = getOptionalAuth(c);  // AuthContext | undefined
+    if (auth) {
+      return getPersonalizedProducts(auth.userId);
+    }
+    return getPublicProducts();
+  });
 ```
 
 **Helpers:**
@@ -631,6 +644,7 @@ app.bind(
 import {
   // Context
   getAuth,
+  getOptionalAuth,
   getUser,
   getUserId,
   getKeyId,
@@ -2412,6 +2426,6 @@ MIT License - See LICENSE file for details.
 
 ---
 
-**Last Updated:** 2026-01-29
-**Document Version:** 2.5.0 (Technical Documentation)
+**Last Updated:** 2026-02-23
+**Document Version:** 2.6.0 (Technical Documentation)
 **Package Version:** 0.2.0-beta.15

package/dist/{authenticate-BmzJ6hTF.d.ts → authenticate-kCg_KD-V.d.ts}

@@ -799,6 +799,7 @@ interface AuthContext {
     user: User;
     userId: string;
     keyId: string;
+    role: string | null;
 }
 declare module 'hono' {
     interface ContextVariableMap {
@@ -836,5 +837,33 @@ declare module 'hono' {
  * ```
  */
 declare const authenticate: _spfn_core_route.NamedMiddleware<"auth">;
+/**
+ * Optional authentication middleware
+ *
+ * Same as `authenticate` but does NOT reject unauthenticated requests.
+ * - No token → continues without auth context
+ * - Invalid token → continues without auth context
+ * - Valid token → sets auth context normally
+ *
+ * Auto-skips the global 'auth' middleware when used at route level.
+ *
+ * @example
+ * ```typescript
+ * // No need for .skip(['auth']) — handled automatically
+ * export const getProducts = route.get('/products')
+ *   .use([optionalAuth])
+ *   .handler(async (c) => {
+ *     const auth = getOptionalAuth(c);  // AuthContext | undefined
+ *
+ *     if (auth)
+ *     {
+ *       return getPersonalizedProducts(auth.userId);
+ *     }
+ *
+ *     return getPublicProducts();
+ *   });
+ * ```
+ */
+declare const optionalAuth: _spfn_core_route.NamedMiddleware<"optionalAuth">;
 
-export { getEnabledOAuthProviders as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type OAuthStartResult as O, type PermissionConfig as P, type RegisterPublicKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RotateKeyParams as T, type UserProfile as U, type VerificationTargetType as V, type RevokeKeyParams as W, oauthStartService as X, oauthCallbackService as Y, buildOAuthErrorUrl as Z, isOAuthProviderEnabled as _, type RegisterResult as a, getGoogleAccessToken as a0, type OAuthStartParams as a1, type OAuthCallbackParams as a2, type OAuthCallbackResult as a3, authenticate as a4, EmailSchema as a5, PhoneSchema as a6, PasswordSchema as a7, TargetTypeSchema as a8, VerificationPurposeSchema as a9, type RotateKeyResult as b, type ProfileInfo as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };
+export { getEnabledOAuthProviders as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type OAuthStartResult as O, type PermissionConfig as P, type RegisterPublicKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RotateKeyParams as T, type UserProfile as U, type VerificationTargetType as V, type RevokeKeyParams as W, oauthStartService as X, oauthCallbackService as Y, buildOAuthErrorUrl as Z, isOAuthProviderEnabled as _, type RegisterResult as a, getGoogleAccessToken as a0, type OAuthStartParams as a1, type OAuthCallbackParams as a2, type OAuthCallbackResult as a3, authenticate as a4, optionalAuth as a5, EmailSchema as a6, PhoneSchema as a7, PasswordSchema as a8, TargetTypeSchema as a9, VerificationPurposeSchema as aa, type RotateKeyResult as b, type ProfileInfo as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 import * as _spfn_core_nextjs from '@spfn/core/nextjs';
-import { R as RoleConfig, P as PermissionConfig, C as CheckAccountExistsResult, S as SendVerificationCodeResult, a as RegisterResult, L as LoginResult, b as RotateKeyResult, O as OAuthStartResult, U as UserProfile, c as ProfileInfo, m as mainAuthRouter } from './authenticate-BmzJ6hTF.js';
-export { k as AuthInitOptions, A as AuthSession, I as INVITATION_STATUSES, n as InvitationStatus, K as KEY_ALGORITHM, l as KeyAlgorithmType, i as PERMISSION_CATEGORIES, j as PermissionCategory, e as SOCIAL_PROVIDERS, p as SocialProvider, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, f as VerificationPurpose, V as VerificationTargetType } from './authenticate-BmzJ6hTF.js';
+import { R as RoleConfig, P as PermissionConfig, C as CheckAccountExistsResult, S as SendVerificationCodeResult, a as RegisterResult, L as LoginResult, b as RotateKeyResult, O as OAuthStartResult, U as UserProfile, c as ProfileInfo, m as mainAuthRouter } from './authenticate-kCg_KD-V.js';
+export { k as AuthInitOptions, A as AuthSession, I as INVITATION_STATUSES, n as InvitationStatus, K as KEY_ALGORITHM, l as KeyAlgorithmType, i as PERMISSION_CATEGORIES, j as PermissionCategory, e as SOCIAL_PROVIDERS, p as SocialProvider, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, f as VerificationPurpose, V as VerificationTargetType } from './authenticate-kCg_KD-V.js';
 import * as _spfn_core_route from '@spfn/core/route';
 import { HttpMethod } from '@spfn/core/route';
 import * as _sinclair_typebox from '@sinclair/typebox';

package/dist/server.d.ts

@@ -1,5 +1,5 @@
-import { k as AuthInitOptions, l as KeyAlgorithmType, n as InvitationStatus, f as VerificationPurpose, j as PermissionCategory, p as SocialProvider, q as AuthContext } from './authenticate-BmzJ6hTF.js';
-export { B as ChangePasswordParams, w as CheckAccountExistsParams, C as CheckAccountExistsResult, a5 as EmailSchema, I as INVITATION_STATUSES, K as KEY_ALGORITHM, y as LoginParams, L as LoginResult, z as LogoutParams, a2 as OAuthCallbackParams, a3 as OAuthCallbackResult, a1 as OAuthStartParams, O as OAuthStartResult, a7 as PasswordSchema, a6 as PhoneSchema, x as RegisterParams, Q as RegisterPublicKeyParams, a as RegisterResult, W as RevokeKeyParams, T as RotateKeyParams, b as RotateKeyResult, e as SOCIAL_PROVIDERS, F as SendVerificationCodeParams, S as SendVerificationCodeResult, a8 as TargetTypeSchema, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, a9 as VerificationPurposeSchema, V as VerificationTargetType, G as VerifyCodeParams, H as VerifyCodeResult, m as authRouter, a4 as authenticate, Z as buildOAuthErrorUrl, v as changePasswordService, r as checkAccountExistsService, $ as getEnabledOAuthProviders, a0 as getGoogleAccessToken, _ as isOAuthProviderEnabled, t as loginService, u as logoutService, Y as oauthCallbackService, X as oauthStartService, J as registerPublicKeyService, s as registerService, N as revokeKeyService, M as rotateKeyService, D as sendVerificationCodeService, E as verifyCodeService } from './authenticate-BmzJ6hTF.js';
+import { k as AuthInitOptions, l as KeyAlgorithmType, n as InvitationStatus, f as VerificationPurpose, j as PermissionCategory, p as SocialProvider, q as AuthContext } from './authenticate-kCg_KD-V.js';
+export { B as ChangePasswordParams, w as CheckAccountExistsParams, C as CheckAccountExistsResult, a6 as EmailSchema, I as INVITATION_STATUSES, K as KEY_ALGORITHM, y as LoginParams, L as LoginResult, z as LogoutParams, a2 as OAuthCallbackParams, a3 as OAuthCallbackResult, a1 as OAuthStartParams, O as OAuthStartResult, a8 as PasswordSchema, a7 as PhoneSchema, x as RegisterParams, Q as RegisterPublicKeyParams, a as RegisterResult, W as RevokeKeyParams, T as RotateKeyParams, b as RotateKeyResult, e as SOCIAL_PROVIDERS, F as SendVerificationCodeParams, S as SendVerificationCodeResult, a9 as TargetTypeSchema, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, aa as VerificationPurposeSchema, V as VerificationTargetType, G as VerifyCodeParams, H as VerifyCodeResult, m as authRouter, a4 as authenticate, Z as buildOAuthErrorUrl, v as changePasswordService, r as checkAccountExistsService, $ as getEnabledOAuthProviders, a0 as getGoogleAccessToken, _ as isOAuthProviderEnabled, t as loginService, u as logoutService, Y as oauthCallbackService, X as oauthStartService, a5 as optionalAuth, J as registerPublicKeyService, s as registerService, N as revokeKeyService, M as rotateKeyService, D as sendVerificationCodeService, E as verifyCodeService } from './authenticate-kCg_KD-V.js';
 import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
 import { UserProfile as UserProfile$1, ProfileInfo } from '@spfn/auth';
 import { BaseRepository } from '@spfn/core/db';
@@ -2827,6 +2827,33 @@ declare class UsersRepository extends BaseRepository {
         phoneVerifiedAt: Date | null;
         lastLoginAt: Date | null;
     } | null>;
+    /**
+     * ID로 사용자 + Role 조회 (leftJoin)
+     * Read replica 사용
+     *
+     * roleId가 null인 유저는 role: null 반환
+     */
+    findByIdWithRole(id: number): Promise<{
+        user: {
+            createdAt: Date;
+            updatedAt: Date;
+            id: number;
+            email: string | null;
+            phone: string | null;
+            passwordHash: string | null;
+            passwordChangeRequired: boolean;
+            roleId: number;
+            status: "active" | "inactive" | "suspended";
+            emailVerifiedAt: Date | null;
+            phoneVerifiedAt: Date | null;
+            lastLoginAt: Date | null;
+        };
+        role: {
+            name: string;
+            displayName: string;
+            priority: number;
+        } | null;
+    } | null>;
     /**
      * 사용자 생성
      * Write primary 사용
@@ -4640,6 +4667,32 @@ declare const roleGuard: _spfn_core_route.NamedMiddlewareFactory<"roleGuard", [o
 declare function getAuth(c: Context | {
     raw: Context;
 }): AuthContext;
+/**
+ * Get optional auth context from route context
+ *
+ * Returns AuthContext if authenticated, undefined otherwise.
+ * Use with `optionalAuth` middleware for routes that serve both
+ * authenticated and unauthenticated users.
+ *
+ * @example
+ * ```typescript
+ * export const getProducts = route.get('/products')
+ *   .use([optionalAuth])
+ *   .handler(async (c) => {
+ *     const auth = getOptionalAuth(c);
+ *
+ *     if (auth)
+ *     {
+ *       return getPersonalizedProducts(auth.userId);
+ *     }
+ *
+ *     return getPublicProducts();
+ *   });
+ * ```
+ */
+declare function getOptionalAuth(c: Context | {
+    raw: Context;
+}): AuthContext | undefined;
 /**
  * Get authenticated user from route context
  *
@@ -4681,6 +4734,22 @@ declare function getUser(c: Context | {
 declare function getUserId(c: Context | {
     raw: Context;
 }): string;
+/**
+ * Get authenticated user's role from route context
+ *
+ * @returns Role name or null if user has no role
+ *
+ * @example
+ * ```typescript
+ * app.bind(adminContract, [authenticate], async (c) => {
+ *     const role = getRole(c);
+ *     // 'admin' | 'superadmin' | null
+ * });
+ * ```
+ */
+declare function getRole(c: Context | {
+    raw: Context;
+}): string | null;
 /**
  * Get current key ID from route context
  *
@@ -5135,4 +5204,4 @@ declare const authRegisterEvent: _spfn_core_event.EventDef<{
 type AuthLoginPayload = typeof authLoginEvent._payload;
 type AuthRegisterPayload = typeof authRegisterEvent._payload;
 
-export { type AuthConfig, AuthContext, type AuthLoginPayload, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authRegisterEvent, authSchema, cancelInvitation, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateRole, updateUserProfileService, updateUserService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };
+export { type AuthConfig, AuthContext, type AuthLoginPayload, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authRegisterEvent, authSchema, cancelInvitation, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateRole, updateUserProfileService, updateUserService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };

package/dist/server.js

@@ -5355,6 +5355,28 @@ var init_users_repository = __esm({
         }
         return null;
       }
+      /**
+       * ID로 사용자 + Role 조회 (leftJoin)
+       * Read replica 사용
+       *
+       * roleId가 null인 유저는 role: null 반환
+       */
+      async findByIdWithRole(id11) {
+        const result = await this.readDb.select({
+          user: users,
+          roleName: roles.name,
+          roleDisplayName: roles.displayName,
+          rolePriority: roles.priority
+        }).from(users).leftJoin(roles, eq(users.roleId, roles.id)).where(eq(users.id, id11)).limit(1);
+        const row = result[0];
+        if (!row) {
+          return null;
+        }
+        return {
+          user: row.user,
+          role: row.roleName ? { name: row.roleName, displayName: row.roleDisplayName, priority: row.rolePriority } : null
+        };
+      }
       /**
        * 사용자 생성
        * Write primary 사용
@@ -6760,12 +6782,21 @@ function getAuth(c) {
   }
   return c.get("auth");
 }
+function getOptionalAuth(c) {
+  if ("raw" in c && c.raw) {
+    return c.raw.get("auth");
+  }
+  return c.get("auth");
+}
 function getUser(c) {
   return getAuth(c).user;
 }
 function getUserId(c) {
   return getAuth(c).userId;
 }
+function getRole(c) {
+  return getAuth(c).role;
+}
 function getKeyId(c) {
   return getAuth(c).keyId;
 }
@@ -8244,10 +8275,11 @@ var authenticate = defineMiddleware("auth", async (c, next) => {
     }
     throw new UnauthorizedError({ message: "Authentication failed" });
   }
-  const user = await usersRepository2.findById(keyRecord.userId);
-  if (!user) {
+  const result = await usersRepository2.findByIdWithRole(keyRecord.userId);
+  if (!result) {
     throw new UnauthorizedError({ message: "User not found" });
   }
+  const { user, role } = result;
   if (user.status !== "active") {
     throw new AccountDisabledError2({ status: user.status });
   }
@@ -8255,7 +8287,8 @@ var authenticate = defineMiddleware("auth", async (c, next) => {
   c.set("auth", {
     user,
     userId: String(user.id),
-    keyId
+    keyId,
+    role: role?.name ?? null
   });
   const method = c.req.method;
   const path = c.req.path;
@@ -8270,6 +8303,51 @@ var authenticate = defineMiddleware("auth", async (c, next) => {
   });
   await next();
 });
+var optionalAuth = defineMiddleware("optionalAuth", async (c, next) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    await next();
+    return;
+  }
+  const token = authHeader.substring(7);
+  try {
+    const decoded = decodeToken2(token);
+    if (!decoded || !decoded.keyId) {
+      await next();
+      return;
+    }
+    const keyId = decoded.keyId;
+    const keyRecord = await keysRepository2.findActiveByKeyId(keyId);
+    if (!keyRecord) {
+      await next();
+      return;
+    }
+    if (keyRecord.expiresAt && /* @__PURE__ */ new Date() > keyRecord.expiresAt) {
+      await next();
+      return;
+    }
+    verifyClientToken2(
+      token,
+      keyRecord.publicKey,
+      keyRecord.algorithm
+    );
+    const result = await usersRepository2.findByIdWithRole(keyRecord.userId);
+    if (!result || result.user.status !== "active") {
+      await next();
+      return;
+    }
+    const { user, role } = result;
+    keysRepository2.updateLastUsedById(keyRecord.id).catch((err) => authLogger2.middleware.error("Failed to update lastUsedAt", err));
+    c.set("auth", {
+      user,
+      userId: String(user.id),
+      keyId,
+      role: role?.name ?? null
+    });
+  } catch {
+  }
+  await next();
+}, { skips: ["auth"] });
 
 // src/server/middleware/require-permission.ts
 import { defineMiddleware as defineMiddleware2 } from "@spfn/core/route";
@@ -8335,7 +8413,7 @@ var requireAnyPermission = defineMiddleware2(
 
 // src/server/middleware/require-role.ts
 import { defineMiddleware as defineMiddleware3 } from "@spfn/core/route";
-import { getAuth as getAuth3, hasAnyRole as hasAnyRole2, authLogger as authLogger4 } from "@spfn/auth/server";
+import { getAuth as getAuth3, authLogger as authLogger4 } from "@spfn/auth/server";
 import { ForbiddenError as ForbiddenError2 } from "@spfn/core/errors";
 import { InsufficientRoleError } from "@spfn/auth/errors";
 var requireRole = defineMiddleware3(
@@ -8349,11 +8427,11 @@ var requireRole = defineMiddleware3(
       });
       throw new ForbiddenError2({ message: "Authentication required" });
     }
-    const { userId } = auth;
-    const allowed = await hasAnyRole2(userId, roleNames);
-    if (!allowed) {
+    const { userId, role: userRole } = auth;
+    if (!userRole || !roleNames.includes(userRole)) {
       authLogger4.middleware.warn("Role check failed", {
         userId,
+        userRole,
         requiredRoles: roleNames,
         path: c.req.path
       });
@@ -8361,6 +8439,7 @@ var requireRole = defineMiddleware3(
     }
     authLogger4.middleware.debug("Role check passed", {
       userId,
+      userRole,
       roles: roleNames
     });
     await next();
@@ -8369,7 +8448,7 @@ var requireRole = defineMiddleware3(
 
 // src/server/middleware/role-guard.ts
 import { defineMiddleware as defineMiddleware4 } from "@spfn/core/route";
-import { getAuth as getAuth4, getUserRole as getUserRole2, authLogger as authLogger5 } from "@spfn/auth/server";
+import { getAuth as getAuth4, authLogger as authLogger5 } from "@spfn/auth/server";
 import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
 import { InsufficientRoleError as InsufficientRoleError2 } from "@spfn/auth/errors";
 var roleGuard = defineMiddleware4(
@@ -8386,8 +8465,7 @@ var roleGuard = defineMiddleware4(
       });
       throw new ForbiddenError3({ message: "Authentication required" });
     }
-    const { userId } = auth;
-    const userRole = await getUserRole2(userId);
+    const { userId, role: userRole } = auth;
     if (deny && deny.length > 0) {
       if (userRole && deny.includes(userRole)) {
         authLogger5.middleware.warn("Role guard denied", {
@@ -9257,6 +9335,8 @@ export {
   getInvitationWithDetails,
   getKeyId,
   getKeySize,
+  getOptionalAuth,
+  getRole,
   getRoleByName,
   getRolePermissions,
   getSessionInfo,
@@ -9285,6 +9365,7 @@ export {
   logoutService,
   oauthCallbackService,
   oauthStartService,
+  optionalAuth,
   parseDuration,
   permissions,
   permissionsRepository,