@spfn/auth 0.2.0-beta.3 → 0.2.0-beta.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/README.md +689 -180
  2. package/dist/{dto-CLYtuAom.d.ts → authenticate-CT2Xy98P.d.ts} +390 -150
  3. package/dist/config.d.ts +100 -44
  4. package/dist/config.js +64 -35
  5. package/dist/config.js.map +1 -1
  6. package/dist/errors.d.ts +16 -2
  7. package/dist/errors.js +12 -0
  8. package/dist/errors.js.map +1 -1
  9. package/dist/index.d.ts +256 -103
  10. package/dist/index.js +45 -1
  11. package/dist/index.js.map +1 -1
  12. package/dist/nextjs/api.js +202 -1
  13. package/dist/nextjs/api.js.map +1 -1
  14. package/dist/nextjs/client.d.ts +28 -0
  15. package/dist/nextjs/client.js +80 -0
  16. package/dist/nextjs/client.js.map +1 -0
  17. package/dist/nextjs/server.d.ts +89 -2
  18. package/dist/nextjs/server.js +147 -22
  19. package/dist/nextjs/server.js.map +1 -1
  20. package/dist/server.d.ts +620 -404
  21. package/dist/server.js +1087 -484
  22. package/dist/server.js.map +1 -1
  23. package/migrations/0001_smooth_the_fury.sql +3 -0
  24. package/migrations/meta/0001_snapshot.json +1660 -0
  25. package/migrations/meta/_journal.json +7 -0
  26. package/package.json +14 -10
package/dist/{dto-CLYtuAom.d.ts → authenticate-CT2Xy98P.d.ts} RENAMED
@@ -1,8 +1,86 @@
1
+ import * as _spfn_core_route from '@spfn/core/route';
1
2
  import * as _sinclair_typebox from '@sinclair/typebox';
2
3
  import { Static } from '@sinclair/typebox';
3
- import * as _spfn_core_route from '@spfn/core/route';
4
4
  import { User } from '@spfn/auth/server';
5
5
 
6
+ /**
7
+ * Role information for client/API responses
8
+ */
9
+ interface Role {
10
+ id: number;
11
+ name: string;
12
+ displayName: string;
13
+ description: string | null;
14
+ isBuiltin: boolean;
15
+ isSystem: boolean;
16
+ isActive: boolean;
17
+ priority: number;
18
+ createdAt: Date;
19
+ updatedAt: Date;
20
+ }
21
+ /**
22
+ * Permission information for client/API responses
23
+ */
24
+ interface Permission {
25
+ id: number;
26
+ name: string;
27
+ displayName: string;
28
+ description: string | null;
29
+ category: string | null;
30
+ isBuiltin: boolean;
31
+ isSystem: boolean;
32
+ isActive: boolean;
33
+ metadata: Record<string, any> | null;
34
+ createdAt: Date;
35
+ updatedAt: Date;
36
+ }
37
+ interface AuthSession {
38
+ userId: number;
39
+ email: string | null;
40
+ emailVerified: boolean;
41
+ phoneVerified: boolean;
42
+ role: Role;
43
+ permissions: Permission[];
44
+ }
45
+ interface ProfileInfo {
46
+ profileId: number;
47
+ displayName: string;
48
+ firstName: string | null;
49
+ lastName: string | null;
50
+ avatarUrl: string | null;
51
+ bio: string | null;
52
+ locale: string;
53
+ timezone: string;
54
+ website: string | null;
55
+ location: string | null;
56
+ company: string | null;
57
+ jobTitle: string | null;
58
+ metadata: Record<string, any> | null;
59
+ createdAt: Date;
60
+ updatedAt: Date;
61
+ }
62
+ /**
63
+ * User Profile Response
64
+ *
65
+ * Complete user data including:
66
+ * - User fields at top level (userId, email, etc.)
67
+ * - Profile data as nested field (optional)
68
+ *
69
+ * Excludes:
70
+ * - Role and permissions (use auth session API)
71
+ */
72
+ interface UserProfile {
73
+ userId: number;
74
+ email: string | null;
75
+ username: string | null;
76
+ emailVerified: boolean;
77
+ phoneVerified: boolean;
78
+ lastLoginAt: Date | null;
79
+ createdAt: Date;
80
+ updatedAt: Date;
81
+ profile: ProfileInfo | null;
82
+ }
83
+
6
84
  /**
7
85
  * @spfn/auth - Shared Types
8
86
  *
@@ -299,6 +377,73 @@ interface AuthInitOptions {
299
377
  sessionTtl?: string | number;
300
378
  }
301
379
 
380
+ /**
381
+ * @spfn/auth - OAuth Service
382
+ *
383
+ * OAuth 인증 비즈니스 로직
384
+ * - Google OAuth Authorization Code Flow
385
+ * - 소셜 계정 연결/생성
386
+ * - publicKey는 state에서 추출하여 등록
387
+ */
388
+
389
+ interface OAuthStartParams {
390
+ provider: SocialProvider;
391
+ returnUrl: string;
392
+ publicKey: string;
393
+ keyId: string;
394
+ fingerprint: string;
395
+ algorithm: KeyAlgorithmType;
396
+ }
397
+ interface OAuthStartResult {
398
+ authUrl: string;
399
+ }
400
+ interface OAuthCallbackParams {
401
+ provider: SocialProvider;
402
+ code: string;
403
+ state: string;
404
+ }
405
+ interface OAuthCallbackResult {
406
+ redirectUrl: string;
407
+ userId: string;
408
+ keyId: string;
409
+ isNewUser: boolean;
410
+ }
411
+ /**
412
+ * OAuth 로그인 시작 - Provider 로그인 페이지로 리다이렉트할 URL 생성
413
+ *
414
+ * Next.js에서 키쌍을 생성한 후, publicKey를 state에 포함하여 호출
415
+ */
416
+ declare function oauthStartService(params: OAuthStartParams): Promise<OAuthStartResult>;
417
+ /**
418
+ * OAuth 콜백 처리 - Code를 Token으로 교환하고 사용자 생성/연결
419
+ *
420
+ * state에서 publicKey를 추출하여 서버에 등록
421
+ * Next.js는 반환된 userId, keyId로 세션을 구성
422
+ */
423
+ declare function oauthCallbackService(params: OAuthCallbackParams): Promise<OAuthCallbackResult>;
424
+ /**
425
+ * OAuth 에러 리다이렉트 URL 생성
426
+ */
427
+ declare function buildOAuthErrorUrl(error: string): string;
428
+ /**
429
+ * OAuth provider가 활성화되어 있는지 확인
430
+ */
431
+ declare function isOAuthProviderEnabled(provider: SocialProvider): boolean;
432
+ /**
433
+ * 활성화된 모든 OAuth provider 목록
434
+ */
435
+ declare function getEnabledOAuthProviders(): SocialProvider[];
436
+ /**
437
+ * Google access token 조회 (만료 시 자동 리프레시)
438
+ *
439
+ * 저장된 토큰이 만료 임박(5분 이내) 또는 만료 상태이면
440
+ * refresh token으로 자동 갱신 후 DB 업데이트하여 유효한 토큰 반환.
441
+ *
442
+ * @param userId - 사용자 ID
443
+ * @returns 유효한 Google access token
444
+ */
445
+ declare function getGoogleAccessToken(userId: number): Promise<string>;
446
+
302
447
  /**
303
448
  * @spfn/auth - Main Router
304
449
  *
@@ -310,11 +455,146 @@ interface AuthInitOptions {
310
455
  *
311
456
  * Routes:
312
457
  * - Auth: /_auth/exists, /_auth/codes, /_auth/login, /_auth/logout, etc.
458
+ * - OAuth: /_auth/oauth/google, /_auth/oauth/google/callback, etc.
313
459
  * - Invitations: /_auth/invitations/*
314
460
  * - Users: /_auth/users/*
461
+ * - Admin: /_auth/admin/* (superadmin only)
315
462
  */
316
463
  declare const mainAuthRouter: _spfn_core_route.Router<{
317
- getUserProfile: _spfn_core_route.RouteDef<{}, {}, UserProfile>;
464
+ checkAccountExists: _spfn_core_route.RouteDef<{
465
+ body: _sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
466
+ email: _sinclair_typebox.TString;
467
+ }>, _sinclair_typebox.TObject<{
468
+ phone: _sinclair_typebox.TString;
469
+ }>]>;
470
+ }, {}, CheckAccountExistsResult>;
471
+ sendVerificationCode: _spfn_core_route.RouteDef<{
472
+ body: _sinclair_typebox.TObject<{
473
+ target: _sinclair_typebox.TString;
474
+ targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
475
+ purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
476
+ }>;
477
+ }, {}, SendVerificationCodeResult>;
478
+ verifyCode: _spfn_core_route.RouteDef<{
479
+ body: _sinclair_typebox.TObject<{
480
+ target: _sinclair_typebox.TString;
481
+ targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
482
+ code: _sinclair_typebox.TString;
483
+ purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
484
+ }>;
485
+ }, {}, {
486
+ valid: boolean;
487
+ verificationToken: string;
488
+ }>;
489
+ register: _spfn_core_route.RouteDef<{
490
+ body: _sinclair_typebox.TObject<{
491
+ email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
492
+ phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
493
+ verificationToken: _sinclair_typebox.TString;
494
+ password: _sinclair_typebox.TString;
495
+ }>;
496
+ }, {
497
+ body: _sinclair_typebox.TObject<{
498
+ publicKey: _sinclair_typebox.TString;
499
+ keyId: _sinclair_typebox.TString;
500
+ fingerprint: _sinclair_typebox.TString;
501
+ algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
502
+ }>;
503
+ }, RegisterResult>;
504
+ login: _spfn_core_route.RouteDef<{
505
+ body: _sinclair_typebox.TObject<{
506
+ email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
507
+ phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
508
+ password: _sinclair_typebox.TString;
509
+ }>;
510
+ }, {
511
+ body: _sinclair_typebox.TObject<{
512
+ publicKey: _sinclair_typebox.TString;
513
+ keyId: _sinclair_typebox.TString;
514
+ fingerprint: _sinclair_typebox.TString;
515
+ algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
516
+ oldKeyId: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
517
+ }>;
518
+ }, LoginResult>;
519
+ logout: _spfn_core_route.RouteDef<{}, {}, void>;
520
+ rotateKey: _spfn_core_route.RouteDef<{}, {
521
+ body: _sinclair_typebox.TObject<{
522
+ publicKey: _sinclair_typebox.TString;
523
+ keyId: _sinclair_typebox.TString;
524
+ fingerprint: _sinclair_typebox.TString;
525
+ algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
526
+ }>;
527
+ }, RotateKeyResult>;
528
+ changePassword: _spfn_core_route.RouteDef<{
529
+ body: _sinclair_typebox.TObject<{
530
+ currentPassword: _sinclair_typebox.TString;
531
+ newPassword: _sinclair_typebox.TString;
532
+ }>;
533
+ }, {}, void>;
534
+ getAuthSession: _spfn_core_route.RouteDef<{}, {}, {
535
+ role: {
536
+ id: number;
537
+ name: string;
538
+ displayName: string;
539
+ priority: number;
540
+ };
541
+ permissions: {
542
+ id: number;
543
+ name: string;
544
+ displayName: string;
545
+ category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
546
+ }[];
547
+ userId: number;
548
+ email: string | null;
549
+ emailVerified: boolean;
550
+ phoneVerified: boolean;
551
+ }>;
552
+ oauthGoogleStart: _spfn_core_route.RouteDef<{
553
+ query: _sinclair_typebox.TObject<{
554
+ state: _sinclair_typebox.TString;
555
+ }>;
556
+ }, {}, Response>;
557
+ oauthGoogleCallback: _spfn_core_route.RouteDef<{
558
+ query: _sinclair_typebox.TObject<{
559
+ code: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
560
+ state: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
561
+ error: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
562
+ error_description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
563
+ }>;
564
+ }, {}, Response>;
565
+ oauthStart: _spfn_core_route.RouteDef<{
566
+ body: _sinclair_typebox.TObject<{
567
+ provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "github" | "kakao" | "naver">[]>;
568
+ returnUrl: _sinclair_typebox.TString;
569
+ publicKey: _sinclair_typebox.TString;
570
+ keyId: _sinclair_typebox.TString;
571
+ fingerprint: _sinclair_typebox.TString;
572
+ algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
573
+ }>;
574
+ }, {}, OAuthStartResult>;
575
+ oauthProviders: _spfn_core_route.RouteDef<{}, {}, {
576
+ providers: ("google" | "github" | "kakao" | "naver")[];
577
+ }>;
578
+ getGoogleOAuthUrl: _spfn_core_route.RouteDef<{
579
+ body: _sinclair_typebox.TObject<{
580
+ returnUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
581
+ state: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
582
+ }>;
583
+ }, {}, {
584
+ authUrl: string;
585
+ }>;
586
+ oauthFinalize: _spfn_core_route.RouteDef<{
587
+ body: _sinclair_typebox.TObject<{
588
+ userId: _sinclair_typebox.TString;
589
+ keyId: _sinclair_typebox.TString;
590
+ returnUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
591
+ }>;
592
+ }, {}, {
593
+ success: boolean;
594
+ userId: string;
595
+ keyId: string;
596
+ returnUrl: string;
597
+ }>;
318
598
  getInvitation: _spfn_core_route.RouteDef<{
319
599
  params: _sinclair_typebox.TObject<{
320
600
  token: _sinclair_typebox.TString;
@@ -414,98 +694,105 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
414
694
  body: _sinclair_typebox.TObject<{
415
695
  id: _sinclair_typebox.TNumber;
416
696
  }>;
417
- }, {}, Response>;
418
- checkAccountExists: _spfn_core_route.RouteDef<{
419
- body: _sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
420
- email: _sinclair_typebox.TString;
421
- }>, _sinclair_typebox.TObject<{
422
- phone: _sinclair_typebox.TString;
423
- }>]>;
424
- }, {}, CheckAccountExistsResult>;
425
- sendVerificationCode: _spfn_core_route.RouteDef<{
697
+ }, {}, void>;
698
+ getUserProfile: _spfn_core_route.RouteDef<{}, {}, UserProfile>;
699
+ updateUserProfile: _spfn_core_route.RouteDef<{
426
700
  body: _sinclair_typebox.TObject<{
427
- target: _sinclair_typebox.TString;
428
- targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
429
- purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
701
+ displayName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
702
+ firstName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
703
+ lastName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
704
+ avatarUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
705
+ bio: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
706
+ locale: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
707
+ timezone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
708
+ dateOfBirth: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
709
+ gender: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
710
+ website: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
711
+ location: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
712
+ company: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
713
+ jobTitle: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
714
+ metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TAny>>;
430
715
  }>;
431
- }, {}, SendVerificationCodeResult>;
432
- verifyCode: _spfn_core_route.RouteDef<{
433
- body: _sinclair_typebox.TObject<{
434
- target: _sinclair_typebox.TString;
435
- targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
436
- code: _sinclair_typebox.TString;
437
- purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
716
+ }, {}, ProfileInfo>;
717
+ listRoles: _spfn_core_route.RouteDef<{
718
+ query: _sinclair_typebox.TObject<{
719
+ includeInactive: _sinclair_typebox.TOptional<_sinclair_typebox.TBoolean>;
438
720
  }>;
439
721
  }, {}, {
440
- valid: boolean;
441
- verificationToken: string;
722
+ roles: {
723
+ description: string | null;
724
+ id: number;
725
+ name: string;
726
+ displayName: string;
727
+ isBuiltin: boolean;
728
+ isSystem: boolean;
729
+ isActive: boolean;
730
+ priority: number;
731
+ createdAt: Date;
732
+ updatedAt: Date;
733
+ }[];
442
734
  }>;
443
- register: _spfn_core_route.RouteDef<{
735
+ createAdminRole: _spfn_core_route.RouteDef<{
444
736
  body: _sinclair_typebox.TObject<{
445
- email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
446
- phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
447
- verificationToken: _sinclair_typebox.TString;
448
- password: _sinclair_typebox.TString;
737
+ name: _sinclair_typebox.TString;
738
+ displayName: _sinclair_typebox.TString;
739
+ description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
740
+ priority: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
741
+ permissionIds: _sinclair_typebox.TOptional<_sinclair_typebox.TArray<_sinclair_typebox.TNumber>>;
449
742
  }>;
450
- }, {
451
- body: _sinclair_typebox.TObject<{
452
- publicKey: _sinclair_typebox.TString;
453
- keyId: _sinclair_typebox.TString;
454
- fingerprint: _sinclair_typebox.TString;
455
- algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
456
- }>;
457
- }, RegisterResult>;
458
- login: _spfn_core_route.RouteDef<{
459
- body: _sinclair_typebox.TObject<{
460
- email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
461
- phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
462
- password: _sinclair_typebox.TString;
463
- }>;
464
- }, {
465
- body: _sinclair_typebox.TObject<{
466
- publicKey: _sinclair_typebox.TString;
467
- keyId: _sinclair_typebox.TString;
468
- fingerprint: _sinclair_typebox.TString;
469
- algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
470
- oldKeyId: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
471
- }>;
472
- }, LoginResult>;
473
- logout: _spfn_core_route.RouteDef<{
474
- body: _sinclair_typebox.TObject<{}>;
475
- }, {}, Response>;
476
- rotateKey: _spfn_core_route.RouteDef<{
477
- body: _sinclair_typebox.TObject<{}>;
478
- }, {
479
- body: _sinclair_typebox.TObject<{
480
- publicKey: _sinclair_typebox.TString;
481
- keyId: _sinclair_typebox.TString;
482
- fingerprint: _sinclair_typebox.TString;
483
- algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
484
- }>;
485
- }, RotateKeyResult>;
486
- changePassword: _spfn_core_route.RouteDef<{
487
- body: _sinclair_typebox.TObject<{
488
- currentPassword: _sinclair_typebox.TString;
489
- newPassword: _sinclair_typebox.TString;
490
- }>;
491
- }, {}, Response>;
492
- getAuthSession: _spfn_core_route.RouteDef<{}, {}, {
743
+ }, {}, {
493
744
  role: {
745
+ description: string | null;
494
746
  id: number;
495
747
  name: string;
496
748
  displayName: string;
749
+ isBuiltin: boolean;
750
+ isSystem: boolean;
751
+ isActive: boolean;
497
752
  priority: number;
753
+ createdAt: Date;
754
+ updatedAt: Date;
498
755
  };
499
- permissions: {
756
+ }>;
757
+ updateAdminRole: _spfn_core_route.RouteDef<{
758
+ params: _sinclair_typebox.TObject<{
759
+ id: _sinclair_typebox.TNumber;
760
+ }>;
761
+ body: _sinclair_typebox.TObject<{
762
+ displayName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
763
+ description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
764
+ priority: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
765
+ isActive: _sinclair_typebox.TOptional<_sinclair_typebox.TBoolean>;
766
+ }>;
767
+ }, {}, {
768
+ role: {
769
+ description: string | null;
500
770
  id: number;
501
771
  name: string;
502
772
  displayName: string;
503
- category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
504
- }[];
773
+ isBuiltin: boolean;
774
+ isSystem: boolean;
775
+ isActive: boolean;
776
+ priority: number;
777
+ createdAt: Date;
778
+ updatedAt: Date;
779
+ };
780
+ }>;
781
+ deleteAdminRole: _spfn_core_route.RouteDef<{
782
+ params: _sinclair_typebox.TObject<{
783
+ id: _sinclair_typebox.TNumber;
784
+ }>;
785
+ }, {}, void>;
786
+ updateUserRole: _spfn_core_route.RouteDef<{
787
+ params: _sinclair_typebox.TObject<{
788
+ userId: _sinclair_typebox.TNumber;
789
+ }>;
790
+ body: _sinclair_typebox.TObject<{
791
+ roleId: _sinclair_typebox.TNumber;
792
+ }>;
793
+ }, {}, {
505
794
  userId: number;
506
- email: string | null;
507
- emailVerified: boolean;
508
- phoneVerified: boolean;
795
+ roleId: number;
509
796
  }>;
510
797
  }>;
511
798
 
@@ -513,6 +800,7 @@ interface AuthContext {
513
800
  user: User;
514
801
  userId: string;
515
802
  keyId: string;
803
+ role: string | null;
516
804
  }
517
805
  declare module 'hono' {
518
806
  interface ContextVariableMap {
@@ -550,81 +838,33 @@ declare module 'hono' {
550
838
  * ```
551
839
  */
552
840
  declare const authenticate: _spfn_core_route.NamedMiddleware<"auth">;
553
-
554
- /**
555
- * Role information for client/API responses
556
- */
557
- interface Role {
558
- id: number;
559
- name: string;
560
- displayName: string;
561
- description: string | null;
562
- isBuiltin: boolean;
563
- isSystem: boolean;
564
- isActive: boolean;
565
- priority: number;
566
- createdAt: Date;
567
- updatedAt: Date;
568
- }
569
- /**
570
- * Permission information for client/API responses
571
- */
572
- interface Permission {
573
- id: number;
574
- name: string;
575
- displayName: string;
576
- description: string | null;
577
- category: string | null;
578
- isBuiltin: boolean;
579
- isSystem: boolean;
580
- isActive: boolean;
581
- metadata: Record<string, any> | null;
582
- createdAt: Date;
583
- updatedAt: Date;
584
- }
585
- interface AuthSession {
586
- userId: number;
587
- email: string | null;
588
- emailVerified: boolean;
589
- phoneVerified: boolean;
590
- role: Role;
591
- permissions: Permission[];
592
- }
593
- interface ProfileInfo {
594
- profileId: number;
595
- displayName: string;
596
- firstName: string | null;
597
- lastName: string | null;
598
- avatarUrl: string | null;
599
- bio: string | null;
600
- locale: string;
601
- timezone: string;
602
- website: string | null;
603
- location: string | null;
604
- company: string | null;
605
- jobTitle: string | null;
606
- createdAt: Date;
607
- updatedAt: Date;
608
- }
609
841
  /**
610
- * User Profile Response
842
+ * Optional authentication middleware
611
843
  *
612
- * Complete user data including:
613
- * - User fields at top level (userId, email, etc.)
614
- * - Profile data as nested field (optional)
844
+ * Same as `authenticate` but does NOT reject unauthenticated requests.
845
+ * - No token continues without auth context
846
+ * - Invalid token continues without auth context
847
+ * - Valid token → sets auth context normally
615
848
  *
616
- * Excludes:
617
- * - Role and permissions (use auth session API)
849
+ * Auto-skips the global 'auth' middleware when used at route level.
850
+ *
851
+ * @example
852
+ * ```typescript
853
+ * // No need for .skip(['auth']) — handled automatically
854
+ * export const getProducts = route.get('/products')
855
+ * .use([optionalAuth])
856
+ * .handler(async (c) => {
857
+ * const auth = getOptionalAuth(c); // AuthContext | undefined
858
+ *
859
+ * if (auth)
860
+ * {
861
+ * return getPersonalizedProducts(auth.userId);
862
+ * }
863
+ *
864
+ * return getPublicProducts();
865
+ * });
866
+ * ```
618
867
  */
619
- interface UserProfile {
620
- userId: number;
621
- email: string | null;
622
- emailVerified: boolean;
623
- phoneVerified: boolean;
624
- lastLoginAt: Date | null;
625
- createdAt: Date;
626
- updatedAt: Date;
627
- profile: ProfileInfo | null;
628
- }
868
+ declare const optionalAuth: _spfn_core_route.NamedMiddleware<"optionalAuth">;
629
869
 
630
- export { VerificationPurposeSchema as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type RegisterPublicKeyParams as O, type PermissionConfig as P, type RotateKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RevokeKeyParams as T, type UserProfile as U, type VerificationTargetType as V, authenticate as W, EmailSchema as X, PhoneSchema as Y, PasswordSchema as Z, TargetTypeSchema as _, type RegisterResult as a, type RotateKeyResult as b, type ProfileInfo as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };
870
+ export { getEnabledOAuthProviders as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type OAuthStartResult as O, type PermissionConfig as P, type RegisterPublicKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RotateKeyParams as T, type UserProfile as U, type VerificationTargetType as V, type RevokeKeyParams as W, oauthStartService as X, oauthCallbackService as Y, buildOAuthErrorUrl as Z, isOAuthProviderEnabled as _, type RegisterResult as a, getGoogleAccessToken as a0, type OAuthStartParams as a1, type OAuthCallbackParams as a2, type OAuthCallbackResult as a3, authenticate as a4, optionalAuth as a5, EmailSchema as a6, PhoneSchema as a7, PasswordSchema as a8, TargetTypeSchema as a9, VerificationPurposeSchema as aa, type RotateKeyResult as b, type ProfileInfo as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };