@spfn/auth 0.2.0-beta.3 → 0.2.0-beta.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/README.md +689 -180
  2. package/dist/{dto-CLYtuAom.d.ts → authenticate-Brx2N-Ip.d.ts} +413 -147
  3. package/dist/config.d.ts +100 -44
  4. package/dist/config.js +64 -35
  5. package/dist/config.js.map +1 -1
  6. package/dist/errors.d.ts +16 -2
  7. package/dist/errors.js +12 -0
  8. package/dist/errors.js.map +1 -1
  9. package/dist/index.d.ts +279 -100
  10. package/dist/index.js +47 -1
  11. package/dist/index.js.map +1 -1
  12. package/dist/nextjs/api.js +202 -1
  13. package/dist/nextjs/api.js.map +1 -1
  14. package/dist/nextjs/client.d.ts +28 -0
  15. package/dist/nextjs/client.js +80 -0
  16. package/dist/nextjs/client.js.map +1 -0
  17. package/dist/nextjs/server.d.ts +89 -2
  18. package/dist/nextjs/server.js +147 -22
  19. package/dist/nextjs/server.js.map +1 -1
  20. package/dist/server.d.ts +576 -360
  21. package/dist/server.js +1089 -484
  22. package/dist/server.js.map +1 -1
  23. package/migrations/0001_smooth_the_fury.sql +3 -0
  24. package/migrations/meta/0001_snapshot.json +1660 -0
  25. package/migrations/meta/_journal.json +7 -0
  26. package/package.json +14 -10
package/dist/{dto-CLYtuAom.d.ts → authenticate-Brx2N-Ip.d.ts} RENAMED
@@ -1,8 +1,86 @@
1
+ import * as _spfn_core_route from '@spfn/core/route';
1
2
  import * as _sinclair_typebox from '@sinclair/typebox';
2
3
  import { Static } from '@sinclair/typebox';
3
- import * as _spfn_core_route from '@spfn/core/route';
4
4
  import { User } from '@spfn/auth/server';
5
5
 
6
+ /**
7
+ * Role information for client/API responses
8
+ */
9
+ interface Role {
10
+ id: number;
11
+ name: string;
12
+ displayName: string;
13
+ description: string | null;
14
+ isBuiltin: boolean;
15
+ isSystem: boolean;
16
+ isActive: boolean;
17
+ priority: number;
18
+ createdAt: Date;
19
+ updatedAt: Date;
20
+ }
21
+ /**
22
+ * Permission information for client/API responses
23
+ */
24
+ interface Permission {
25
+ id: number;
26
+ name: string;
27
+ displayName: string;
28
+ description: string | null;
29
+ category: string | null;
30
+ isBuiltin: boolean;
31
+ isSystem: boolean;
32
+ isActive: boolean;
33
+ metadata: Record<string, any> | null;
34
+ createdAt: Date;
35
+ updatedAt: Date;
36
+ }
37
+ interface AuthSession {
38
+ userId: number;
39
+ email: string | null;
40
+ emailVerified: boolean;
41
+ phoneVerified: boolean;
42
+ role: Role;
43
+ permissions: Permission[];
44
+ }
45
+ interface ProfileInfo {
46
+ profileId: number;
47
+ displayName: string;
48
+ firstName: string | null;
49
+ lastName: string | null;
50
+ avatarUrl: string | null;
51
+ bio: string | null;
52
+ locale: string;
53
+ timezone: string;
54
+ website: string | null;
55
+ location: string | null;
56
+ company: string | null;
57
+ jobTitle: string | null;
58
+ metadata: Record<string, any> | null;
59
+ createdAt: Date;
60
+ updatedAt: Date;
61
+ }
62
+ /**
63
+ * User Profile Response
64
+ *
65
+ * Complete user data including:
66
+ * - User fields at top level (userId, email, etc.)
67
+ * - Profile data as nested field (optional)
68
+ *
69
+ * Excludes:
70
+ * - Role and permissions (use auth session API)
71
+ */
72
+ interface UserProfile {
73
+ userId: number;
74
+ email: string | null;
75
+ username: string | null;
76
+ emailVerified: boolean;
77
+ phoneVerified: boolean;
78
+ lastLoginAt: Date | null;
79
+ createdAt: Date;
80
+ updatedAt: Date;
81
+ profile: ProfileInfo | null;
82
+ }
83
+
6
84
  /**
7
85
  * @spfn/auth - Shared Types
8
86
  *
@@ -299,6 +377,73 @@ interface AuthInitOptions {
299
377
  sessionTtl?: string | number;
300
378
  }
301
379
 
380
+ /**
381
+ * @spfn/auth - OAuth Service
382
+ *
383
+ * OAuth 인증 비즈니스 로직
384
+ * - Google OAuth Authorization Code Flow
385
+ * - 소셜 계정 연결/생성
386
+ * - publicKey는 state에서 추출하여 등록
387
+ */
388
+
389
+ interface OAuthStartParams {
390
+ provider: SocialProvider;
391
+ returnUrl: string;
392
+ publicKey: string;
393
+ keyId: string;
394
+ fingerprint: string;
395
+ algorithm: KeyAlgorithmType;
396
+ }
397
+ interface OAuthStartResult {
398
+ authUrl: string;
399
+ }
400
+ interface OAuthCallbackParams {
401
+ provider: SocialProvider;
402
+ code: string;
403
+ state: string;
404
+ }
405
+ interface OAuthCallbackResult {
406
+ redirectUrl: string;
407
+ userId: string;
408
+ keyId: string;
409
+ isNewUser: boolean;
410
+ }
411
+ /**
412
+ * OAuth 로그인 시작 - Provider 로그인 페이지로 리다이렉트할 URL 생성
413
+ *
414
+ * Next.js에서 키쌍을 생성한 후, publicKey를 state에 포함하여 호출
415
+ */
416
+ declare function oauthStartService(params: OAuthStartParams): Promise<OAuthStartResult>;
417
+ /**
418
+ * OAuth 콜백 처리 - Code를 Token으로 교환하고 사용자 생성/연결
419
+ *
420
+ * state에서 publicKey를 추출하여 서버에 등록
421
+ * Next.js는 반환된 userId, keyId로 세션을 구성
422
+ */
423
+ declare function oauthCallbackService(params: OAuthCallbackParams): Promise<OAuthCallbackResult>;
424
+ /**
425
+ * OAuth 에러 리다이렉트 URL 생성
426
+ */
427
+ declare function buildOAuthErrorUrl(error: string): string;
428
+ /**
429
+ * OAuth provider가 활성화되어 있는지 확인
430
+ */
431
+ declare function isOAuthProviderEnabled(provider: SocialProvider): boolean;
432
+ /**
433
+ * 활성화된 모든 OAuth provider 목록
434
+ */
435
+ declare function getEnabledOAuthProviders(): SocialProvider[];
436
+ /**
437
+ * Google access token 조회 (만료 시 자동 리프레시)
438
+ *
439
+ * 저장된 토큰이 만료 임박(5분 이내) 또는 만료 상태이면
440
+ * refresh token으로 자동 갱신 후 DB 업데이트하여 유효한 토큰 반환.
441
+ *
442
+ * @param userId - 사용자 ID
443
+ * @returns 유효한 Google access token
444
+ */
445
+ declare function getGoogleAccessToken(userId: number): Promise<string>;
446
+
302
447
  /**
303
448
  * @spfn/auth - Main Router
304
449
  *
@@ -310,11 +455,146 @@ interface AuthInitOptions {
310
455
  *
311
456
  * Routes:
312
457
  * - Auth: /_auth/exists, /_auth/codes, /_auth/login, /_auth/logout, etc.
458
+ * - OAuth: /_auth/oauth/google, /_auth/oauth/google/callback, etc.
313
459
  * - Invitations: /_auth/invitations/*
314
460
  * - Users: /_auth/users/*
461
+ * - Admin: /_auth/admin/* (superadmin only)
315
462
  */
316
463
  declare const mainAuthRouter: _spfn_core_route.Router<{
317
- getUserProfile: _spfn_core_route.RouteDef<{}, {}, UserProfile>;
464
+ checkAccountExists: _spfn_core_route.RouteDef<{
465
+ body: _sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
466
+ email: _sinclair_typebox.TString;
467
+ }>, _sinclair_typebox.TObject<{
468
+ phone: _sinclair_typebox.TString;
469
+ }>]>;
470
+ }, {}, CheckAccountExistsResult>;
471
+ sendVerificationCode: _spfn_core_route.RouteDef<{
472
+ body: _sinclair_typebox.TObject<{
473
+ target: _sinclair_typebox.TString;
474
+ targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
475
+ purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
476
+ }>;
477
+ }, {}, SendVerificationCodeResult>;
478
+ verifyCode: _spfn_core_route.RouteDef<{
479
+ body: _sinclair_typebox.TObject<{
480
+ target: _sinclair_typebox.TString;
481
+ targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
482
+ code: _sinclair_typebox.TString;
483
+ purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
484
+ }>;
485
+ }, {}, {
486
+ valid: boolean;
487
+ verificationToken: string;
488
+ }>;
489
+ register: _spfn_core_route.RouteDef<{
490
+ body: _sinclair_typebox.TObject<{
491
+ email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
492
+ phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
493
+ verificationToken: _sinclair_typebox.TString;
494
+ password: _sinclair_typebox.TString;
495
+ }>;
496
+ }, {
497
+ body: _sinclair_typebox.TObject<{
498
+ publicKey: _sinclair_typebox.TString;
499
+ keyId: _sinclair_typebox.TString;
500
+ fingerprint: _sinclair_typebox.TString;
501
+ algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
502
+ }>;
503
+ }, RegisterResult>;
504
+ login: _spfn_core_route.RouteDef<{
505
+ body: _sinclair_typebox.TObject<{
506
+ email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
507
+ phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
508
+ password: _sinclair_typebox.TString;
509
+ }>;
510
+ }, {
511
+ body: _sinclair_typebox.TObject<{
512
+ publicKey: _sinclair_typebox.TString;
513
+ keyId: _sinclair_typebox.TString;
514
+ fingerprint: _sinclair_typebox.TString;
515
+ algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
516
+ oldKeyId: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
517
+ }>;
518
+ }, LoginResult>;
519
+ logout: _spfn_core_route.RouteDef<{}, {}, void>;
520
+ rotateKey: _spfn_core_route.RouteDef<{}, {
521
+ body: _sinclair_typebox.TObject<{
522
+ publicKey: _sinclair_typebox.TString;
523
+ keyId: _sinclair_typebox.TString;
524
+ fingerprint: _sinclair_typebox.TString;
525
+ algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
526
+ }>;
527
+ }, RotateKeyResult>;
528
+ changePassword: _spfn_core_route.RouteDef<{
529
+ body: _sinclair_typebox.TObject<{
530
+ currentPassword: _sinclair_typebox.TString;
531
+ newPassword: _sinclair_typebox.TString;
532
+ }>;
533
+ }, {}, void>;
534
+ getAuthSession: _spfn_core_route.RouteDef<{}, {}, {
535
+ role: {
536
+ id: number;
537
+ name: string;
538
+ displayName: string;
539
+ priority: number;
540
+ };
541
+ permissions: {
542
+ id: number;
543
+ name: string;
544
+ displayName: string;
545
+ category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
546
+ }[];
547
+ userId: number;
548
+ email: string | null;
549
+ emailVerified: boolean;
550
+ phoneVerified: boolean;
551
+ }>;
552
+ oauthGoogleStart: _spfn_core_route.RouteDef<{
553
+ query: _sinclair_typebox.TObject<{
554
+ state: _sinclair_typebox.TString;
555
+ }>;
556
+ }, {}, Response>;
557
+ oauthGoogleCallback: _spfn_core_route.RouteDef<{
558
+ query: _sinclair_typebox.TObject<{
559
+ code: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
560
+ state: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
561
+ error: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
562
+ error_description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
563
+ }>;
564
+ }, {}, Response>;
565
+ oauthStart: _spfn_core_route.RouteDef<{
566
+ body: _sinclair_typebox.TObject<{
567
+ provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "github" | "kakao" | "naver">[]>;
568
+ returnUrl: _sinclair_typebox.TString;
569
+ publicKey: _sinclair_typebox.TString;
570
+ keyId: _sinclair_typebox.TString;
571
+ fingerprint: _sinclair_typebox.TString;
572
+ algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
573
+ }>;
574
+ }, {}, OAuthStartResult>;
575
+ oauthProviders: _spfn_core_route.RouteDef<{}, {}, {
576
+ providers: ("google" | "github" | "kakao" | "naver")[];
577
+ }>;
578
+ getGoogleOAuthUrl: _spfn_core_route.RouteDef<{
579
+ body: _sinclair_typebox.TObject<{
580
+ returnUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
581
+ state: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
582
+ }>;
583
+ }, {}, {
584
+ authUrl: string;
585
+ }>;
586
+ oauthFinalize: _spfn_core_route.RouteDef<{
587
+ body: _sinclair_typebox.TObject<{
588
+ userId: _sinclair_typebox.TString;
589
+ keyId: _sinclair_typebox.TString;
590
+ returnUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
591
+ }>;
592
+ }, {}, {
593
+ success: boolean;
594
+ userId: string;
595
+ keyId: string;
596
+ returnUrl: string;
597
+ }>;
318
598
  getInvitation: _spfn_core_route.RouteDef<{
319
599
  params: _sinclair_typebox.TObject<{
320
600
  token: _sinclair_typebox.TString;
@@ -414,98 +694,131 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
414
694
  body: _sinclair_typebox.TObject<{
415
695
  id: _sinclair_typebox.TNumber;
416
696
  }>;
417
- }, {}, Response>;
418
- checkAccountExists: _spfn_core_route.RouteDef<{
419
- body: _sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
420
- email: _sinclair_typebox.TString;
421
- }>, _sinclair_typebox.TObject<{
422
- phone: _sinclair_typebox.TString;
423
- }>]>;
424
- }, {}, CheckAccountExistsResult>;
425
- sendVerificationCode: _spfn_core_route.RouteDef<{
697
+ }, {}, void>;
698
+ getUserProfile: _spfn_core_route.RouteDef<{}, {}, UserProfile>;
699
+ updateUserProfile: _spfn_core_route.RouteDef<{
426
700
  body: _sinclair_typebox.TObject<{
427
- target: _sinclair_typebox.TString;
428
- targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
429
- purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
701
+ displayName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
702
+ firstName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
703
+ lastName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
704
+ avatarUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
705
+ bio: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
706
+ locale: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
707
+ timezone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
708
+ dateOfBirth: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
709
+ gender: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
710
+ website: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
711
+ location: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
712
+ company: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
713
+ jobTitle: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
714
+ metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TAny>>;
430
715
  }>;
431
- }, {}, SendVerificationCodeResult>;
432
- verifyCode: _spfn_core_route.RouteDef<{
433
- body: _sinclair_typebox.TObject<{
434
- target: _sinclair_typebox.TString;
435
- targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
436
- code: _sinclair_typebox.TString;
437
- purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
716
+ }, {}, ProfileInfo>;
717
+ checkUsername: _spfn_core_route.RouteDef<{
718
+ query: _sinclair_typebox.TObject<{
719
+ username: _sinclair_typebox.TString;
438
720
  }>;
439
721
  }, {}, {
440
- valid: boolean;
441
- verificationToken: string;
722
+ available: boolean;
442
723
  }>;
443
- register: _spfn_core_route.RouteDef<{
444
- body: _sinclair_typebox.TObject<{
445
- email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
446
- phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
447
- verificationToken: _sinclair_typebox.TString;
448
- password: _sinclair_typebox.TString;
449
- }>;
450
- }, {
451
- body: _sinclair_typebox.TObject<{
452
- publicKey: _sinclair_typebox.TString;
453
- keyId: _sinclair_typebox.TString;
454
- fingerprint: _sinclair_typebox.TString;
455
- algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
456
- }>;
457
- }, RegisterResult>;
458
- login: _spfn_core_route.RouteDef<{
724
+ updateUsername: _spfn_core_route.RouteDef<{
459
725
  body: _sinclair_typebox.TObject<{
460
- email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
461
- phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
462
- password: _sinclair_typebox.TString;
726
+ username: _sinclair_typebox.TUnion<[_sinclair_typebox.TString, _sinclair_typebox.TNull]>;
463
727
  }>;
464
- }, {
465
- body: _sinclair_typebox.TObject<{
466
- publicKey: _sinclair_typebox.TString;
467
- keyId: _sinclair_typebox.TString;
468
- fingerprint: _sinclair_typebox.TString;
469
- algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
470
- oldKeyId: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
471
- }>;
472
- }, LoginResult>;
473
- logout: _spfn_core_route.RouteDef<{
474
- body: _sinclair_typebox.TObject<{}>;
475
- }, {}, Response>;
476
- rotateKey: _spfn_core_route.RouteDef<{
477
- body: _sinclair_typebox.TObject<{}>;
478
- }, {
479
- body: _sinclair_typebox.TObject<{
480
- publicKey: _sinclair_typebox.TString;
481
- keyId: _sinclair_typebox.TString;
482
- fingerprint: _sinclair_typebox.TString;
483
- algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
728
+ }, {}, {
729
+ createdAt: Date;
730
+ updatedAt: Date;
731
+ id: number;
732
+ email: string | null;
733
+ phone: string | null;
734
+ username: string | null;
735
+ passwordHash: string | null;
736
+ passwordChangeRequired: boolean;
737
+ roleId: number;
738
+ status: "active" | "inactive" | "suspended";
739
+ emailVerifiedAt: Date | null;
740
+ phoneVerifiedAt: Date | null;
741
+ lastLoginAt: Date | null;
742
+ }>;
743
+ listRoles: _spfn_core_route.RouteDef<{
744
+ query: _sinclair_typebox.TObject<{
745
+ includeInactive: _sinclair_typebox.TOptional<_sinclair_typebox.TBoolean>;
484
746
  }>;
485
- }, RotateKeyResult>;
486
- changePassword: _spfn_core_route.RouteDef<{
747
+ }, {}, {
748
+ roles: {
749
+ description: string | null;
750
+ id: number;
751
+ name: string;
752
+ displayName: string;
753
+ isBuiltin: boolean;
754
+ isSystem: boolean;
755
+ isActive: boolean;
756
+ priority: number;
757
+ createdAt: Date;
758
+ updatedAt: Date;
759
+ }[];
760
+ }>;
761
+ createAdminRole: _spfn_core_route.RouteDef<{
487
762
  body: _sinclair_typebox.TObject<{
488
- currentPassword: _sinclair_typebox.TString;
489
- newPassword: _sinclair_typebox.TString;
763
+ name: _sinclair_typebox.TString;
764
+ displayName: _sinclair_typebox.TString;
765
+ description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
766
+ priority: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
767
+ permissionIds: _sinclair_typebox.TOptional<_sinclair_typebox.TArray<_sinclair_typebox.TNumber>>;
490
768
  }>;
491
- }, {}, Response>;
492
- getAuthSession: _spfn_core_route.RouteDef<{}, {}, {
769
+ }, {}, {
493
770
  role: {
771
+ description: string | null;
494
772
  id: number;
495
773
  name: string;
496
774
  displayName: string;
775
+ isBuiltin: boolean;
776
+ isSystem: boolean;
777
+ isActive: boolean;
497
778
  priority: number;
779
+ createdAt: Date;
780
+ updatedAt: Date;
498
781
  };
499
- permissions: {
782
+ }>;
783
+ updateAdminRole: _spfn_core_route.RouteDef<{
784
+ params: _sinclair_typebox.TObject<{
785
+ id: _sinclair_typebox.TNumber;
786
+ }>;
787
+ body: _sinclair_typebox.TObject<{
788
+ displayName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
789
+ description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
790
+ priority: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
791
+ isActive: _sinclair_typebox.TOptional<_sinclair_typebox.TBoolean>;
792
+ }>;
793
+ }, {}, {
794
+ role: {
795
+ description: string | null;
500
796
  id: number;
501
797
  name: string;
502
798
  displayName: string;
503
- category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
504
- }[];
799
+ isBuiltin: boolean;
800
+ isSystem: boolean;
801
+ isActive: boolean;
802
+ priority: number;
803
+ createdAt: Date;
804
+ updatedAt: Date;
805
+ };
806
+ }>;
807
+ deleteAdminRole: _spfn_core_route.RouteDef<{
808
+ params: _sinclair_typebox.TObject<{
809
+ id: _sinclair_typebox.TNumber;
810
+ }>;
811
+ }, {}, void>;
812
+ updateUserRole: _spfn_core_route.RouteDef<{
813
+ params: _sinclair_typebox.TObject<{
814
+ userId: _sinclair_typebox.TNumber;
815
+ }>;
816
+ body: _sinclair_typebox.TObject<{
817
+ roleId: _sinclair_typebox.TNumber;
818
+ }>;
819
+ }, {}, {
505
820
  userId: number;
506
- email: string | null;
507
- emailVerified: boolean;
508
- phoneVerified: boolean;
821
+ roleId: number;
509
822
  }>;
510
823
  }>;
511
824
 
@@ -513,6 +826,7 @@ interface AuthContext {
513
826
  user: User;
514
827
  userId: string;
515
828
  keyId: string;
829
+ role: string | null;
516
830
  }
517
831
  declare module 'hono' {
518
832
  interface ContextVariableMap {
@@ -550,81 +864,33 @@ declare module 'hono' {
550
864
  * ```
551
865
  */
552
866
  declare const authenticate: _spfn_core_route.NamedMiddleware<"auth">;
553
-
554
- /**
555
- * Role information for client/API responses
556
- */
557
- interface Role {
558
- id: number;
559
- name: string;
560
- displayName: string;
561
- description: string | null;
562
- isBuiltin: boolean;
563
- isSystem: boolean;
564
- isActive: boolean;
565
- priority: number;
566
- createdAt: Date;
567
- updatedAt: Date;
568
- }
569
- /**
570
- * Permission information for client/API responses
571
- */
572
- interface Permission {
573
- id: number;
574
- name: string;
575
- displayName: string;
576
- description: string | null;
577
- category: string | null;
578
- isBuiltin: boolean;
579
- isSystem: boolean;
580
- isActive: boolean;
581
- metadata: Record<string, any> | null;
582
- createdAt: Date;
583
- updatedAt: Date;
584
- }
585
- interface AuthSession {
586
- userId: number;
587
- email: string | null;
588
- emailVerified: boolean;
589
- phoneVerified: boolean;
590
- role: Role;
591
- permissions: Permission[];
592
- }
593
- interface ProfileInfo {
594
- profileId: number;
595
- displayName: string;
596
- firstName: string | null;
597
- lastName: string | null;
598
- avatarUrl: string | null;
599
- bio: string | null;
600
- locale: string;
601
- timezone: string;
602
- website: string | null;
603
- location: string | null;
604
- company: string | null;
605
- jobTitle: string | null;
606
- createdAt: Date;
607
- updatedAt: Date;
608
- }
609
867
  /**
610
- * User Profile Response
868
+ * Optional authentication middleware
611
869
  *
612
- * Complete user data including:
613
- * - User fields at top level (userId, email, etc.)
614
- * - Profile data as nested field (optional)
870
+ * Same as `authenticate` but does NOT reject unauthenticated requests.
871
+ * - No token continues without auth context
872
+ * - Invalid token continues without auth context
873
+ * - Valid token → sets auth context normally
615
874
  *
616
- * Excludes:
617
- * - Role and permissions (use auth session API)
875
+ * Auto-skips the global 'auth' middleware when used at route level.
876
+ *
877
+ * @example
878
+ * ```typescript
879
+ * // No need for .skip(['auth']) — handled automatically
880
+ * export const getProducts = route.get('/products')
881
+ * .use([optionalAuth])
882
+ * .handler(async (c) => {
883
+ * const auth = getOptionalAuth(c); // AuthContext | undefined
884
+ *
885
+ * if (auth)
886
+ * {
887
+ * return getPersonalizedProducts(auth.userId);
888
+ * }
889
+ *
890
+ * return getPublicProducts();
891
+ * });
892
+ * ```
618
893
  */
619
- interface UserProfile {
620
- userId: number;
621
- email: string | null;
622
- emailVerified: boolean;
623
- phoneVerified: boolean;
624
- lastLoginAt: Date | null;
625
- createdAt: Date;
626
- updatedAt: Date;
627
- profile: ProfileInfo | null;
628
- }
894
+ declare const optionalAuth: _spfn_core_route.NamedMiddleware<"optionalAuth">;
629
895
 
630
- export { VerificationPurposeSchema as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type RegisterPublicKeyParams as O, type PermissionConfig as P, type RotateKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RevokeKeyParams as T, type UserProfile as U, type VerificationTargetType as V, authenticate as W, EmailSchema as X, PhoneSchema as Y, PasswordSchema as Z, TargetTypeSchema as _, type RegisterResult as a, type RotateKeyResult as b, type ProfileInfo as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };
896
+ export { getEnabledOAuthProviders as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type OAuthStartResult as O, type PermissionConfig as P, type RegisterPublicKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RotateKeyParams as T, type UserProfile as U, type VerificationTargetType as V, type RevokeKeyParams as W, oauthStartService as X, oauthCallbackService as Y, buildOAuthErrorUrl as Z, isOAuthProviderEnabled as _, type RegisterResult as a, getGoogleAccessToken as a0, type OAuthStartParams as a1, type OAuthCallbackParams as a2, type OAuthCallbackResult as a3, authenticate as a4, optionalAuth as a5, EmailSchema as a6, PhoneSchema as a7, PasswordSchema as a8, TargetTypeSchema as a9, VerificationPurposeSchema as aa, type RotateKeyResult as b, type ProfileInfo as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };