@spfn/auth 0.2.0-beta.40 → 0.2.0-beta.42

package/dist/server.js

@@ -7153,6 +7153,30 @@ var authRegisterEvent = defineEvent(
     metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown()))
   })
 );
+var invitationCreatedEvent = defineEvent(
+  "auth.invitation.created",
+  Type.Object({
+    invitationId: Type.String(),
+    email: Type.String(),
+    token: Type.String(),
+    roleId: Type.Number(),
+    invitedBy: Type.String(),
+    expiresAt: Type.String(),
+    isResend: Type.Boolean(),
+    metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown()))
+  })
+);
+var invitationAcceptedEvent = defineEvent(
+  "auth.invitation.accepted",
+  Type.Object({
+    invitationId: Type.String(),
+    email: Type.String(),
+    userId: Type.String(),
+    roleId: Type.Number(),
+    invitedBy: Type.String(),
+    metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown()))
+  })
+);
 
 // src/server/services/auth.service.ts
 async function checkAccountExistsService(params) {
@@ -7566,7 +7590,7 @@ function calculateExpiresAt(days = 7) {
   return expiresAt;
 }
 async function createInvitation(params) {
-  const { email, roleId, invitedBy, expiresInDays = 7, metadata } = params;
+  const { email, roleId, invitedBy, expiresInDays = 7, expiresAt: expiresAtParam, metadata } = params;
   const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
   if (!emailRegex.test(email)) {
     throw new Error("Invalid email format");
@@ -7588,7 +7612,7 @@ async function createInvitation(params) {
     throw new Error(`User with id ${invitedBy} not found`);
   }
   const token = generateInvitationToken();
-  const expiresAt = calculateExpiresAt(expiresInDays);
+  const expiresAt = expiresAtParam ?? calculateExpiresAt(expiresInDays);
   const invitation = await invitationsRepository.create({
     email,
     token,
@@ -7598,7 +7622,16 @@ async function createInvitation(params) {
     expiresAt,
     metadata: metadata || null
   });
-  console.log(`[Auth] \u2705 Created invitation: ${email} as ${role.name} (expires: ${expiresAt.toISOString()})`);
+  await invitationCreatedEvent.emit({
+    invitationId: String(invitation.id),
+    email,
+    token,
+    roleId,
+    invitedBy: String(invitedBy),
+    expiresAt: expiresAt.toISOString(),
+    isResend: false,
+    metadata
+  });
   return invitation;
 }
 async function getInvitationByToken(token) {
@@ -7662,7 +7695,14 @@ async function acceptInvitation(params) {
     "accepted",
     /* @__PURE__ */ new Date()
   );
-  console.log(`[Auth] \u2705 Invitation accepted: ${invitation.email} as ${role.name}`);
+  await invitationAcceptedEvent.emit({
+    invitationId: String(invitation.id),
+    email: invitation.email,
+    userId: String(newUser.id),
+    roleId: Number(invitation.roleId),
+    invitedBy: String(invitation.invitedBy),
+    metadata: invitation.metadata
+  });
   return {
     userId: newUser.id,
     email: newUser.email,
@@ -7707,7 +7747,16 @@ async function resendInvitation(id11, expiresInDays = 7) {
   if (!updated) {
     throw new Error("Failed to update invitation");
   }
-  console.log(`[Auth] \u{1F4E7} Invitation resent: ${invitation.email} (new expiry: ${newExpiresAt.toISOString()})`);
+  await invitationCreatedEvent.emit({
+    invitationId: String(invitation.id),
+    email: invitation.email,
+    token: invitation.token,
+    roleId: Number(invitation.roleId),
+    invitedBy: String(invitation.invitedBy),
+    expiresAt: newExpiresAt.toISOString(),
+    isResend: true,
+    metadata: invitation.metadata
+  });
   return updated;
 }
 
@@ -8675,6 +8724,10 @@ var createInvitation2 = route2.post("/_auth/invitations").input({
       maximum: 30,
       description: "Days until invitation expires (default: 7)"
     })),
+    expiresAt: Type.Optional(Type.String({
+      format: "date-time",
+      description: "Exact expiration timestamp (ISO 8601). Takes precedence over expiresInDays."
+    })),
     metadata: Type.Optional(Type.Any({
       description: "Custom metadata (welcome message, department, etc.)"
     }))
@@ -8687,6 +8740,7 @@ var createInvitation2 = route2.post("/_auth/invitations").input({
     roleId: body.roleId,
     invitedBy: Number(userId),
     expiresInDays: body.expiresInDays,
+    expiresAt: body.expiresAt ? new Date(body.expiresAt) : void 0,
     metadata: body.metadata
   });
   const baseUrl = process.env.SPFN_API_URL || "http://localhost:8790";
@@ -8992,6 +9046,7 @@ var oauthRouter = defineRouter4({
 
 // src/server/routes/admin/index.ts
 init_esm();
+import { ForbiddenError as ForbiddenError4 } from "@spfn/core/errors";
 import { route as route5 } from "@spfn/core/route";
 var listRoles = route5.get("/_auth/admin/roles").input({
   query: Type.Object({
@@ -9059,6 +9114,14 @@ var updateUserRole = route5.patch("/_auth/admin/users/:userId/role").input({
   })
 }).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
   const { params, body } = await c.data();
+  const auth = getAuth(c);
+  if (params.userId === Number(auth.userId)) {
+    throw new ForbiddenError4({ message: "Cannot change your own role" });
+  }
+  const targetRole = await getUserRole(params.userId);
+  if (targetRole === "superadmin") {
+    throw new ForbiddenError4({ message: "Cannot modify superadmin role" });
+  }
   await updateUserService(params.userId, { roleId: body.roleId });
   return { userId: params.userId, roleId: body.roleId };
 });
@@ -9498,6 +9561,8 @@ export {
   hasRole,
   hashPassword,
   initializeAuth,
+  invitationAcceptedEvent,
+  invitationCreatedEvent,
   invitationsRepository,
   isGoogleOAuthEnabled,
   isOAuthProviderEnabled,