@spfn/auth 0.2.0-beta.25 → 0.2.0-beta.26

package/README.md

@@ -602,6 +602,7 @@ import {
 ```typescript
 import {
   authenticate,
+  optionalAuth,
   requirePermissions,
   requireAnyPermission,
   requireRole,
@@ -624,6 +625,18 @@ app.bind(
     // User has either content:read OR admin:access
   }
 );
+
+// Usage - optional auth (public route with optional user context)
+// Auto-skips global 'auth' middleware — no .skip(['auth']) needed
+export const getProducts = route.get('/products')
+  .use([optionalAuth])
+  .handler(async (c) => {
+    const auth = getOptionalAuth(c);  // AuthContext | undefined
+    if (auth) {
+      return getPersonalizedProducts(auth.userId);
+    }
+    return getPublicProducts();
+  });
 ```
 
 **Helpers:**
@@ -631,6 +644,7 @@ app.bind(
 import {
   // Context
   getAuth,
+  getOptionalAuth,
   getUser,
   getUserId,
   getKeyId,
@@ -2412,6 +2426,6 @@ MIT License - See LICENSE file for details.
 
 ---
 
-**Last Updated:** 2026-01-29
-**Document Version:** 2.5.0 (Technical Documentation)
+**Last Updated:** 2026-02-23
+**Document Version:** 2.6.0 (Technical Documentation)
 **Package Version:** 0.2.0-beta.15

package/dist/{authenticate-DAAEfzxa.d.ts → authenticate-kCg_KD-V.d.ts}

@@ -541,7 +541,7 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
             id: number;
             name: string;
             displayName: string;
-            category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
+            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
         }[];
         userId: number;
         email: string | null;
@@ -837,5 +837,33 @@ declare module 'hono' {
  * ```
  */
 declare const authenticate: _spfn_core_route.NamedMiddleware<"auth">;
+/**
+ * Optional authentication middleware
+ *
+ * Same as `authenticate` but does NOT reject unauthenticated requests.
+ * - No token → continues without auth context
+ * - Invalid token → continues without auth context
+ * - Valid token → sets auth context normally
+ *
+ * Auto-skips the global 'auth' middleware when used at route level.
+ *
+ * @example
+ * ```typescript
+ * // No need for .skip(['auth']) — handled automatically
+ * export const getProducts = route.get('/products')
+ *   .use([optionalAuth])
+ *   .handler(async (c) => {
+ *     const auth = getOptionalAuth(c);  // AuthContext | undefined
+ *
+ *     if (auth)
+ *     {
+ *       return getPersonalizedProducts(auth.userId);
+ *     }
+ *
+ *     return getPublicProducts();
+ *   });
+ * ```
+ */
+declare const optionalAuth: _spfn_core_route.NamedMiddleware<"optionalAuth">;
 
-export { getEnabledOAuthProviders as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type OAuthStartResult as O, type PermissionConfig as P, type RegisterPublicKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RotateKeyParams as T, type UserProfile as U, type VerificationTargetType as V, type RevokeKeyParams as W, oauthStartService as X, oauthCallbackService as Y, buildOAuthErrorUrl as Z, isOAuthProviderEnabled as _, type RegisterResult as a, getGoogleAccessToken as a0, type OAuthStartParams as a1, type OAuthCallbackParams as a2, type OAuthCallbackResult as a3, authenticate as a4, EmailSchema as a5, PhoneSchema as a6, PasswordSchema as a7, TargetTypeSchema as a8, VerificationPurposeSchema as a9, type RotateKeyResult as b, type ProfileInfo as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };
+export { getEnabledOAuthProviders as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type OAuthStartResult as O, type PermissionConfig as P, type RegisterPublicKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RotateKeyParams as T, type UserProfile as U, type VerificationTargetType as V, type RevokeKeyParams as W, oauthStartService as X, oauthCallbackService as Y, buildOAuthErrorUrl as Z, isOAuthProviderEnabled as _, type RegisterResult as a, getGoogleAccessToken as a0, type OAuthStartParams as a1, type OAuthCallbackParams as a2, type OAuthCallbackResult as a3, authenticate as a4, optionalAuth as a5, EmailSchema as a6, PhoneSchema as a7, PasswordSchema as a8, TargetTypeSchema as a9, VerificationPurposeSchema as aa, type RotateKeyResult as b, type ProfileInfo as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 import * as _spfn_core_nextjs from '@spfn/core/nextjs';
-import { R as RoleConfig, P as PermissionConfig, C as CheckAccountExistsResult, S as SendVerificationCodeResult, a as RegisterResult, L as LoginResult, b as RotateKeyResult, O as OAuthStartResult, U as UserProfile, c as ProfileInfo, m as mainAuthRouter } from './authenticate-DAAEfzxa.js';
-export { k as AuthInitOptions, A as AuthSession, I as INVITATION_STATUSES, n as InvitationStatus, K as KEY_ALGORITHM, l as KeyAlgorithmType, i as PERMISSION_CATEGORIES, j as PermissionCategory, e as SOCIAL_PROVIDERS, p as SocialProvider, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, f as VerificationPurpose, V as VerificationTargetType } from './authenticate-DAAEfzxa.js';
+import { R as RoleConfig, P as PermissionConfig, C as CheckAccountExistsResult, S as SendVerificationCodeResult, a as RegisterResult, L as LoginResult, b as RotateKeyResult, O as OAuthStartResult, U as UserProfile, c as ProfileInfo, m as mainAuthRouter } from './authenticate-kCg_KD-V.js';
+export { k as AuthInitOptions, A as AuthSession, I as INVITATION_STATUSES, n as InvitationStatus, K as KEY_ALGORITHM, l as KeyAlgorithmType, i as PERMISSION_CATEGORIES, j as PermissionCategory, e as SOCIAL_PROVIDERS, p as SocialProvider, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, f as VerificationPurpose, V as VerificationTargetType } from './authenticate-kCg_KD-V.js';
 import * as _spfn_core_route from '@spfn/core/route';
 import { HttpMethod } from '@spfn/core/route';
 import * as _sinclair_typebox from '@sinclair/typebox';
@@ -168,7 +168,7 @@ declare const authApi: _spfn_core_nextjs.Client<_spfn_core_route.Router<{
             id: number;
             name: string;
             displayName: string;
-            category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
+            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
         }[];
         userId: number;
         email: string | null;

package/dist/server.d.ts

@@ -1,5 +1,5 @@
-import { k as AuthInitOptions, l as KeyAlgorithmType, n as InvitationStatus, f as VerificationPurpose, j as PermissionCategory, p as SocialProvider, q as AuthContext } from './authenticate-DAAEfzxa.js';
-export { B as ChangePasswordParams, w as CheckAccountExistsParams, C as CheckAccountExistsResult, a5 as EmailSchema, I as INVITATION_STATUSES, K as KEY_ALGORITHM, y as LoginParams, L as LoginResult, z as LogoutParams, a2 as OAuthCallbackParams, a3 as OAuthCallbackResult, a1 as OAuthStartParams, O as OAuthStartResult, a7 as PasswordSchema, a6 as PhoneSchema, x as RegisterParams, Q as RegisterPublicKeyParams, a as RegisterResult, W as RevokeKeyParams, T as RotateKeyParams, b as RotateKeyResult, e as SOCIAL_PROVIDERS, F as SendVerificationCodeParams, S as SendVerificationCodeResult, a8 as TargetTypeSchema, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, a9 as VerificationPurposeSchema, V as VerificationTargetType, G as VerifyCodeParams, H as VerifyCodeResult, m as authRouter, a4 as authenticate, Z as buildOAuthErrorUrl, v as changePasswordService, r as checkAccountExistsService, $ as getEnabledOAuthProviders, a0 as getGoogleAccessToken, _ as isOAuthProviderEnabled, t as loginService, u as logoutService, Y as oauthCallbackService, X as oauthStartService, J as registerPublicKeyService, s as registerService, N as revokeKeyService, M as rotateKeyService, D as sendVerificationCodeService, E as verifyCodeService } from './authenticate-DAAEfzxa.js';
+import { k as AuthInitOptions, l as KeyAlgorithmType, n as InvitationStatus, f as VerificationPurpose, j as PermissionCategory, p as SocialProvider, q as AuthContext } from './authenticate-kCg_KD-V.js';
+export { B as ChangePasswordParams, w as CheckAccountExistsParams, C as CheckAccountExistsResult, a6 as EmailSchema, I as INVITATION_STATUSES, K as KEY_ALGORITHM, y as LoginParams, L as LoginResult, z as LogoutParams, a2 as OAuthCallbackParams, a3 as OAuthCallbackResult, a1 as OAuthStartParams, O as OAuthStartResult, a8 as PasswordSchema, a7 as PhoneSchema, x as RegisterParams, Q as RegisterPublicKeyParams, a as RegisterResult, W as RevokeKeyParams, T as RotateKeyParams, b as RotateKeyResult, e as SOCIAL_PROVIDERS, F as SendVerificationCodeParams, S as SendVerificationCodeResult, a9 as TargetTypeSchema, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, aa as VerificationPurposeSchema, V as VerificationTargetType, G as VerifyCodeParams, H as VerifyCodeResult, m as authRouter, a4 as authenticate, Z as buildOAuthErrorUrl, v as changePasswordService, r as checkAccountExistsService, $ as getEnabledOAuthProviders, a0 as getGoogleAccessToken, _ as isOAuthProviderEnabled, t as loginService, u as logoutService, Y as oauthCallbackService, X as oauthStartService, a5 as optionalAuth, J as registerPublicKeyService, s as registerService, N as revokeKeyService, M as rotateKeyService, D as sendVerificationCodeService, E as verifyCodeService } from './authenticate-kCg_KD-V.js';
 import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
 import { UserProfile as UserProfile$1, ProfileInfo } from '@spfn/auth';
 import { BaseRepository } from '@spfn/core/db';
@@ -1256,7 +1256,7 @@ declare function getAuthSessionService(userId: string | number | bigint): Promis
         id: number;
         name: string;
         displayName: string;
-        category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
+        category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
     }[];
     userId: number;
     email: string | null;
@@ -2385,7 +2385,7 @@ declare const permissions: drizzle_orm_pg_core.PgTableWithColumns<{
             tableName: "permissions";
             dataType: "string";
             columnType: "PgText";
-            data: "custom" | "user" | "auth" | "rbac" | "system";
+            data: "auth" | "custom" | "user" | "rbac" | "system";
             driverParam: string;
             notNull: false;
             hasDefault: false;
@@ -2861,13 +2861,13 @@ declare class UsersRepository extends BaseRepository {
     create(data: NewUser): Promise<{
         email: string | null;
         phone: string | null;
-        status: "active" | "inactive" | "suspended";
         id: number;
-        createdAt: Date;
-        updatedAt: Date;
         passwordHash: string | null;
         passwordChangeRequired: boolean;
         roleId: number;
+        createdAt: Date;
+        updatedAt: Date;
+        status: "active" | "inactive" | "suspended";
         emailVerifiedAt: Date | null;
         phoneVerifiedAt: Date | null;
         lastLoginAt: Date | null;
@@ -2933,13 +2933,13 @@ declare class UsersRepository extends BaseRepository {
     deleteById(id: number): Promise<{
         email: string | null;
         phone: string | null;
-        status: "active" | "inactive" | "suspended";
         id: number;
-        createdAt: Date;
-        updatedAt: Date;
         passwordHash: string | null;
         passwordChangeRequired: boolean;
         roleId: number;
+        createdAt: Date;
+        updatedAt: Date;
+        status: "active" | "inactive" | "suspended";
         emailVerifiedAt: Date | null;
         phoneVerifiedAt: Date | null;
         lastLoginAt: Date | null;
@@ -2962,7 +2962,7 @@ declare class UsersRepository extends BaseRepository {
             id: number;
             name: string;
             displayName: string;
-            category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
+            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
         }[];
     }>;
     /**
@@ -3072,16 +3072,16 @@ declare class KeysRepository extends BaseRepository {
      * Write primary 사용
      */
     create(data: NewUserPublicKey): Promise<{
-        userId: number;
+        publicKey: string;
         keyId: string;
+        fingerprint: string;
+        algorithm: "ES256" | "RS256";
+        userId: number;
         id: number;
         isActive: boolean;
         createdAt: Date;
-        publicKey: string;
-        algorithm: "ES256" | "RS256";
-        fingerprint: string;
-        lastUsedAt: Date | null;
         expiresAt: Date | null;
+        lastUsedAt: Date | null;
         revokedAt: Date | null;
         revokedReason: string | null;
     }>;
@@ -3108,16 +3108,16 @@ declare class KeysRepository extends BaseRepository {
      * Write primary 사용
      */
     deleteByKeyIdAndUserId(keyId: string, userId: number): Promise<{
-        userId: number;
+        publicKey: string;
         keyId: string;
+        fingerprint: string;
+        algorithm: "ES256" | "RS256";
+        userId: number;
         id: number;
         isActive: boolean;
         createdAt: Date;
-        publicKey: string;
-        algorithm: "ES256" | "RS256";
-        fingerprint: string;
-        lastUsedAt: Date | null;
         expiresAt: Date | null;
+        lastUsedAt: Date | null;
         revokedAt: Date | null;
         revokedReason: string | null;
     }>;
@@ -3232,14 +3232,14 @@ declare class VerificationCodesRepository extends BaseRepository {
      * Write primary 사용
      */
     create(data: NewVerificationCode): Promise<{
+        target: string;
+        targetType: "email" | "phone";
+        purpose: "registration" | "login" | "password_reset" | "email_change" | "phone_change";
+        code: string;
         id: number;
         createdAt: Date;
         updatedAt: Date;
         expiresAt: Date;
-        target: string;
-        targetType: "email" | "phone";
-        code: string;
-        purpose: "registration" | "login" | "password_reset" | "email_change" | "phone_change";
         usedAt: Date | null;
         attempts: number;
     }>;
@@ -3428,7 +3428,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
+        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3444,7 +3444,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
+        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3484,7 +3484,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
+        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3503,8 +3503,8 @@ declare class PermissionsRepository extends BaseRepository {
         isActive: boolean;
         createdAt: Date;
         updatedAt: Date;
+        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
         metadata: Record<string, any> | null;
-        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
     }>;
 }
 declare const permissionsRepository: PermissionsRepository;
@@ -3549,9 +3549,9 @@ declare class RolePermissionsRepository extends BaseRepository {
      */
     createMany(data: NewRolePermission[]): Promise<{
         id: number;
+        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        roleId: number;
         permissionId: number;
     }[]>;
     /**
@@ -3567,9 +3567,9 @@ declare class RolePermissionsRepository extends BaseRepository {
      */
     setPermissionsForRole(roleId: number, permissionIds: number[]): Promise<{
         id: number;
+        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        roleId: number;
         permissionId: number;
     }[]>;
 }
@@ -3634,10 +3634,10 @@ declare class UserPermissionsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        expiresAt: Date | null;
         permissionId: number;
-        granted: boolean;
+        expiresAt: Date | null;
         reason: string | null;
+        granted: boolean;
     }>;
     /**
      * 사용자 권한 오버라이드 업데이트
@@ -3660,10 +3660,10 @@ declare class UserPermissionsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        expiresAt: Date | null;
         permissionId: number;
-        granted: boolean;
+        expiresAt: Date | null;
         reason: string | null;
+        granted: boolean;
     }>;
     /**
      * 사용자의 모든 권한 오버라이드 삭제
@@ -3742,6 +3742,7 @@ declare class UserProfilesRepository extends BaseRepository {
         displayName: string;
         createdAt: Date;
         updatedAt: Date;
+        metadata: Record<string, any> | null;
         firstName: string | null;
         lastName: string | null;
         avatarUrl: string | null;
@@ -3754,7 +3755,6 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
-        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 업데이트 (by ID)
@@ -3811,6 +3811,7 @@ declare class UserProfilesRepository extends BaseRepository {
         displayName: string;
         createdAt: Date;
         updatedAt: Date;
+        metadata: Record<string, any> | null;
         firstName: string | null;
         lastName: string | null;
         avatarUrl: string | null;
@@ -3823,7 +3824,6 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
-        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 삭제 (by User ID)
@@ -3834,6 +3834,7 @@ declare class UserProfilesRepository extends BaseRepository {
         displayName: string;
         createdAt: Date;
         updatedAt: Date;
+        metadata: Record<string, any> | null;
         firstName: string | null;
         lastName: string | null;
         avatarUrl: string | null;
@@ -3846,7 +3847,6 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
-        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 Upsert (by User ID)
@@ -3860,6 +3860,7 @@ declare class UserProfilesRepository extends BaseRepository {
         displayName: string;
         createdAt: Date;
         updatedAt: Date;
+        metadata: Record<string, any> | null;
         firstName: string | null;
         lastName: string | null;
         avatarUrl: string | null;
@@ -3872,7 +3873,6 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
-        metadata: Record<string, any> | null;
     }>;
     /**
      * User ID로 프로필 데이터 조회 (formatted)
@@ -4000,15 +4000,15 @@ declare class InvitationsRepository extends BaseRepository {
      */
     create(data: NewInvitation): Promise<{
         email: string;
-        status: "pending" | "accepted" | "expired" | "cancelled";
         id: number;
+        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        roleId: number;
+        status: "pending" | "accepted" | "expired" | "cancelled";
         metadata: Record<string, any> | null;
-        expiresAt: Date;
         token: string;
         invitedBy: number;
+        expiresAt: Date;
         acceptedAt: Date | null;
         cancelledAt: Date | null;
     }>;
@@ -4034,15 +4034,15 @@ declare class InvitationsRepository extends BaseRepository {
      */
     deleteById(id: number): Promise<{
         email: string;
-        status: "pending" | "accepted" | "expired" | "cancelled";
         id: number;
+        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        roleId: number;
+        status: "pending" | "accepted" | "expired" | "cancelled";
         metadata: Record<string, any> | null;
-        expiresAt: Date;
         token: string;
         invitedBy: number;
+        expiresAt: Date;
         acceptedAt: Date | null;
         cancelledAt: Date | null;
     }>;
@@ -4667,6 +4667,32 @@ declare const roleGuard: _spfn_core_route.NamedMiddlewareFactory<"roleGuard", [o
 declare function getAuth(c: Context | {
     raw: Context;
 }): AuthContext;
+/**
+ * Get optional auth context from route context
+ *
+ * Returns AuthContext if authenticated, undefined otherwise.
+ * Use with `optionalAuth` middleware for routes that serve both
+ * authenticated and unauthenticated users.
+ *
+ * @example
+ * ```typescript
+ * export const getProducts = route.get('/products')
+ *   .use([optionalAuth])
+ *   .handler(async (c) => {
+ *     const auth = getOptionalAuth(c);
+ *
+ *     if (auth)
+ *     {
+ *       return getPersonalizedProducts(auth.userId);
+ *     }
+ *
+ *     return getPublicProducts();
+ *   });
+ * ```
+ */
+declare function getOptionalAuth(c: Context | {
+    raw: Context;
+}): AuthContext | undefined;
 /**
  * Get authenticated user from route context
  *
@@ -4683,13 +4709,13 @@ declare function getUser(c: Context | {
 }): {
     email: string | null;
     phone: string | null;
-    status: "active" | "inactive" | "suspended";
     id: number;
-    createdAt: Date;
-    updatedAt: Date;
     passwordHash: string | null;
     passwordChangeRequired: boolean;
     roleId: number;
+    createdAt: Date;
+    updatedAt: Date;
+    status: "active" | "inactive" | "suspended";
     emailVerifiedAt: Date | null;
     phoneVerifiedAt: Date | null;
     lastLoginAt: Date | null;
@@ -5178,4 +5204,4 @@ declare const authRegisterEvent: _spfn_core_event.EventDef<{
 type AuthLoginPayload = typeof authLoginEvent._payload;
 type AuthRegisterPayload = typeof authRegisterEvent._payload;
 
-export { type AuthConfig, AuthContext, type AuthLoginPayload, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authRegisterEvent, authSchema, cancelInvitation, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getRole, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateRole, updateUserProfileService, updateUserService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };
+export { type AuthConfig, AuthContext, type AuthLoginPayload, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authRegisterEvent, authSchema, cancelInvitation, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateRole, updateUserProfileService, updateUserService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };

package/dist/server.js

@@ -6782,6 +6782,12 @@ function getAuth(c) {
   }
   return c.get("auth");
 }
+function getOptionalAuth(c) {
+  if ("raw" in c && c.raw) {
+    return c.raw.get("auth");
+  }
+  return c.get("auth");
+}
 function getUser(c) {
   return getAuth(c).user;
 }
@@ -8297,6 +8303,51 @@ var authenticate = defineMiddleware("auth", async (c, next) => {
   });
   await next();
 });
+var optionalAuth = defineMiddleware("optionalAuth", async (c, next) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    await next();
+    return;
+  }
+  const token = authHeader.substring(7);
+  try {
+    const decoded = decodeToken2(token);
+    if (!decoded || !decoded.keyId) {
+      await next();
+      return;
+    }
+    const keyId = decoded.keyId;
+    const keyRecord = await keysRepository2.findActiveByKeyId(keyId);
+    if (!keyRecord) {
+      await next();
+      return;
+    }
+    if (keyRecord.expiresAt && /* @__PURE__ */ new Date() > keyRecord.expiresAt) {
+      await next();
+      return;
+    }
+    verifyClientToken2(
+      token,
+      keyRecord.publicKey,
+      keyRecord.algorithm
+    );
+    const result = await usersRepository2.findByIdWithRole(keyRecord.userId);
+    if (!result || result.user.status !== "active") {
+      await next();
+      return;
+    }
+    const { user, role } = result;
+    keysRepository2.updateLastUsedById(keyRecord.id).catch((err) => authLogger2.middleware.error("Failed to update lastUsedAt", err));
+    c.set("auth", {
+      user,
+      userId: String(user.id),
+      keyId,
+      role: role?.name ?? null
+    });
+  } catch {
+  }
+  await next();
+}, { skips: ["auth"] });
 
 // src/server/middleware/require-permission.ts
 import { defineMiddleware as defineMiddleware2 } from "@spfn/core/route";
@@ -9284,6 +9335,7 @@ export {
   getInvitationWithDetails,
   getKeyId,
   getKeySize,
+  getOptionalAuth,
   getRole,
   getRoleByName,
   getRolePermissions,
@@ -9313,6 +9365,7 @@ export {
   logoutService,
   oauthCallbackService,
   oauthStartService,
+  optionalAuth,
   parseDuration,
   permissions,
   permissionsRepository,