npm - @spfn/auth - Versions diffs - 0.2.0-beta.43 → 0.2.0-beta.45 - Mend

@spfn/auth 0.2.0-beta.43 → 0.2.0-beta.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +2 -0
package/dist/{authenticate-CAJr3A4H.d.ts → authenticate-CRDUKQbi.d.ts} +6 -0
package/dist/index.d.ts +4 -2
package/dist/nextjs/server.d.ts +1 -0
package/dist/server.d.ts +148 -4
package/dist/server.js +197 -86
package/dist/server.js.map +1 -1
package/migrations/0003_perfect_deathbird.sql +3 -0
package/migrations/0004_concerned_rawhide_kid.sql +5 -0
package/migrations/meta/0003_snapshot.json +1689 -0
package/migrations/meta/0004_snapshot.json +1721 -0
package/migrations/meta/_journal.json +14 -0
package/package.json +2 -2

package/dist/server.js CHANGED Viewed

@@ -4564,7 +4564,7 @@ var init_roles = __esm({
 });
 // src/server/entities/users.ts
-import { text as text2, check, boolean as boolean2, index as index2 } from "drizzle-orm/pg-core";
+import { text as text2, check, boolean as boolean2, index as index2, uuid } from "drizzle-orm/pg-core";
 import { id as id2, timestamps as timestamps2, enumText, utcTimestamp, foreignKey } from "@spfn/core/db";
 import { sql } from "drizzle-orm";
 var users;
@@ -4579,6 +4579,9 @@ var init_users = __esm({
       {
         // Identity
         id: id2(),
+        // Public-facing UUID (for URLs, external APIs)
+        // Never expose internal bigserial ID externally
+        publicId: uuid("public_id").notNull().unique().defaultRandom(),
         // Email address (unique identifier)
         // Used for: login, password reset, notifications
         email: text2("email").unique(),
@@ -4626,6 +4629,7 @@ var init_users = __esm({
           sql`${table.email} IS NOT NULL OR ${table.phone} IS NOT NULL`
         ),
         // Indexes for query optimization
+        index2("users_public_id_idx").on(table.publicId),
         index2("users_email_idx").on(table.email),
         index2("users_phone_idx").on(table.phone),
         index2("users_username_idx").on(table.username),
@@ -5295,6 +5299,27 @@ var init_user_permissions = __esm({
   }
 });
+// src/server/entities/auth-metadata.ts
+import { text as text10, timestamp } from "drizzle-orm/pg-core";
+var authMetadata;
+var init_auth_metadata = __esm({
+  "src/server/entities/auth-metadata.ts"() {
+    "use strict";
+    init_schema4();
+    authMetadata = authSchema.table(
+      "auth_metadata",
+      {
+        // Metadata key (primary key)
+        key: text10("key").primaryKey(),
+        // Metadata value
+        value: text10("value").notNull(),
+        // Last updated timestamp
+        updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+      }
+    );
+  }
+});
 // src/server/entities/index.ts
 var init_entities = __esm({
   "src/server/entities/index.ts"() {
@@ -5310,6 +5335,7 @@ var init_entities = __esm({
     init_permissions();
     init_role_permissions();
     init_user_permissions();
+    init_auth_metadata();
   }
 });
@@ -5355,6 +5381,14 @@ var init_users_repository = __esm({
         const result = await this.readDb.select().from(users).where(eq(users.username, username)).limit(1);
         return result[0] ?? null;
       }
+      /**
+       * Public ID(UUID)로 사용자 조회
+       * Read replica 사용
+       */
+      async findByPublicId(publicId) {
+        const result = await this.readDb.select().from(users).where(eq(users.publicId, publicId)).limit(1);
+        return result[0] ?? null;
+      }
       /**
        * 이메일 또는 전화번호로 사용자 조회
        * Read replica 사용
@@ -5495,6 +5529,7 @@ var init_users_repository = __esm({
       async fetchMinimalUserData(userId) {
         const user = await this.readDb.select({
           id: users.id,
+          publicId: users.publicId,
           email: users.email,
           username: users.username,
           emailVerifiedAt: users.emailVerifiedAt,
@@ -5505,6 +5540,7 @@ var init_users_repository = __esm({
         }
         return {
           userId: user.id,
+          publicId: user.publicId,
           email: user.email,
           username: user.username,
           isEmailVerified: !!user.emailVerifiedAt,
@@ -5521,6 +5557,7 @@ var init_users_repository = __esm({
       async fetchFullUserData(userId) {
         const user = await this.readDb.select({
           id: users.id,
+          publicId: users.publicId,
           email: users.email,
           username: users.username,
           emailVerifiedAt: users.emailVerifiedAt,
@@ -5534,6 +5571,7 @@ var init_users_repository = __esm({
         }
         return {
           userId: user.id,
+          publicId: user.publicId,
           email: user.email,
           username: user.username,
           isEmailVerified: !!user.emailVerifiedAt,
@@ -6299,16 +6337,16 @@ var init_invitations_repository = __esm({
       /**
        * 초대 상태 업데이트
        */
-      async updateStatus(id11, status, timestamp) {
+      async updateStatus(id11, status, timestamp2) {
         const updates = {
           status,
           updatedAt: /* @__PURE__ */ new Date()
         };
-        if (timestamp) {
+        if (timestamp2) {
           if (status === "accepted") {
-            updates.acceptedAt = timestamp;
+            updates.acceptedAt = timestamp2;
           } else if (status === "cancelled") {
-            updates.cancelledAt = timestamp;
+            updates.cancelledAt = timestamp2;
           }
         }
         const result = await this.db.update(userInvitations).set(updates).where(eq9(userInvitations.id, id11)).returning();
@@ -6542,6 +6580,43 @@ var init_social_accounts_repository = __esm({
   }
 });
+// src/server/repositories/auth-metadata.repository.ts
+import { BaseRepository as BaseRepository11 } from "@spfn/core/db";
+import { eq as eq11 } from "drizzle-orm";
+var AuthMetadataRepository, authMetadataRepository;
+var init_auth_metadata_repository = __esm({
+  "src/server/repositories/auth-metadata.repository.ts"() {
+    "use strict";
+    init_auth_metadata();
+    AuthMetadataRepository = class extends BaseRepository11 {
+      /**
+       * 키로 값 조회
+       */
+      async get(key) {
+        const result = await this.readDb.select().from(authMetadata).where(eq11(authMetadata.key, key)).limit(1);
+        return result[0]?.value ?? null;
+      }
+      /**
+       * 키-값 저장 (upsert)
+       */
+      async set(key, value) {
+        await this.db.insert(authMetadata).values({
+          key,
+          value,
+          updatedAt: /* @__PURE__ */ new Date()
+        }).onConflictDoUpdate({
+          target: authMetadata.key,
+          set: {
+            value,
+            updatedAt: /* @__PURE__ */ new Date()
+          }
+        });
+      }
+    };
+    authMetadataRepository = new AuthMetadataRepository();
+  }
+});
 // src/server/repositories/index.ts
 var init_repositories = __esm({
   "src/server/repositories/index.ts"() {
@@ -6556,6 +6631,7 @@ var init_repositories = __esm({
     init_user_profiles_repository();
     init_invitations_repository();
     init_social_accounts_repository();
+    init_auth_metadata_repository();
   }
 });
@@ -7246,6 +7322,7 @@ async function registerService(params) {
   });
   const result = {
     userId: String(newUser.id),
+    publicId: newUser.publicId,
     email: newUser.email || void 0,
     phone: newUser.phone || void 0
   };
@@ -7291,6 +7368,7 @@ async function loginService(params) {
   await updateLastLoginService(user.id);
   const result = {
     userId: String(user.id),
+    publicId: user.publicId,
     email: user.email || void 0,
     phone: user.phone || void 0,
     passwordChangeRequired: user.passwordChangeRequired
@@ -7337,6 +7415,7 @@ async function changePasswordService(params) {
 // src/server/services/rbac.service.ts
 init_repositories();
 init_rbac();
+import { createHash } from "crypto";
 // src/server/lib/config.ts
 import { env as env5 } from "@spfn/auth/config";
@@ -7399,6 +7478,33 @@ function getSessionTtl(override) {
 }
 // src/server/services/rbac.service.ts
+var RBAC_HASH_KEY = "rbac_config_hash";
+function computeConfigHash(allRoles, allPermissions, allMappings) {
+  const payload = JSON.stringify({
+    roles: allRoles.map((r) => ({ name: r.name, displayName: r.displayName, description: r.description, priority: r.priority, isSystem: r.isSystem, isBuiltin: r.isBuiltin })).sort((a, b) => a.name.localeCompare(b.name)),
+    permissions: allPermissions.map((p) => ({ name: p.name, displayName: p.displayName, description: p.description, category: p.category, isSystem: p.isSystem, isBuiltin: p.isBuiltin })).sort((a, b) => a.name.localeCompare(b.name)),
+    mappings: Object.keys(allMappings).sort().reduce((acc, key) => {
+      acc[key] = [...allMappings[key]].sort();
+      return acc;
+    }, {})
+  });
+  return createHash("sha256").update(payload).digest("hex");
+}
+function collectMappings(options) {
+  const allMappings = { ...BUILTIN_ROLE_PERMISSIONS };
+  if (options.rolePermissions) {
+    for (const [roleName, permNames] of Object.entries(options.rolePermissions)) {
+      if (allMappings[roleName]) {
+        allMappings[roleName] = [
+          .../* @__PURE__ */ new Set([...allMappings[roleName], ...permNames])
+        ];
+      } else {
+        allMappings[roleName] = permNames;
+      }
+    }
+  }
+  return allMappings;
+}
 async function initializeAuth(options = {}) {
   authLogger.service.info("\u{1F510} Initializing RBAC system...");
   if (options.sessionTtl !== void 0) {
@@ -7411,100 +7517,100 @@ async function initializeAuth(options = {}) {
     ...Object.values(BUILTIN_ROLES),
     ...options.roles || []
   ];
-  for (const roleConfig of allRoles) {
-    await upsertRole(roleConfig);
-  }
   const allPermissions = [
     ...Object.values(BUILTIN_PERMISSIONS),
     ...options.permissions || []
   ];
-  for (const permConfig of allPermissions) {
-    await upsertPermission(permConfig);
-  }
-  const allMappings = { ...BUILTIN_ROLE_PERMISSIONS };
-  if (options.rolePermissions) {
-    for (const [roleName, permNames] of Object.entries(options.rolePermissions)) {
-      if (allMappings[roleName]) {
-        allMappings[roleName] = [
-          .../* @__PURE__ */ new Set([...allMappings[roleName], ...permNames])
-        ];
-      } else {
-        allMappings[roleName] = permNames;
-      }
-    }
-  }
-  for (const [roleName, permNames] of Object.entries(allMappings)) {
-    await assignPermissionsToRole(roleName, permNames);
+  const allMappings = collectMappings(options);
+  const configHash = computeConfigHash(allRoles, allPermissions, allMappings);
+  const storedHash = await authMetadataRepository.get(RBAC_HASH_KEY);
+  if (storedHash === configHash) {
+    authLogger.service.info("\u2705 RBAC config unchanged, skipping initialization");
+    return;
   }
+  authLogger.service.info("\u{1F504} RBAC config changed, applying updates...");
+  const existingRoles = await rolesRepository.findAll();
+  const existingPermissions = await permissionsRepository.findAll();
+  const rolesByName = new Map(existingRoles.map((r) => [r.name, r]));
+  const permsByName = new Map(existingPermissions.map((p) => [p.name, p]));
+  await syncRoles(allRoles, rolesByName);
+  await syncPermissions(allPermissions, permsByName);
+  const updatedRoles = await rolesRepository.findAll();
+  const updatedPermissions = await permissionsRepository.findAll();
+  const updatedRolesByName = new Map(updatedRoles.map((r) => [r.name, r]));
+  const updatedPermsByName = new Map(updatedPermissions.map((p) => [p.name, p]));
+  await syncMappings(allMappings, updatedRolesByName, updatedPermsByName);
+  await authMetadataRepository.set(RBAC_HASH_KEY, configHash);
   authLogger.service.info("\u2705 RBAC initialization complete");
   authLogger.service.info(`\u{1F4CA} Roles: ${allRoles.length}, Permissions: ${allPermissions.length}`);
   authLogger.service.info("\u{1F512} Built-in roles: user, admin, superadmin");
 }
-async function upsertRole(config) {
-  const existing = await rolesRepository.findByName(config.name);
-  if (!existing) {
-    await rolesRepository.create({
-      name: config.name,
-      displayName: config.displayName,
-      description: config.description || null,
-      priority: config.priority ?? 10,
-      isSystem: config.isSystem ?? false,
-      isBuiltin: config.isBuiltin ?? false,
-      isActive: true
-    });
-    authLogger.service.info(`  \u2705 Created role: ${config.name}`);
-  } else {
-    const updateData = {
-      displayName: config.displayName,
-      description: config.description || null
-    };
-    if (!existing.isBuiltin) {
-      updateData.priority = config.priority ?? existing.priority;
+async function syncRoles(configs, existingByName) {
+  for (const config of configs) {
+    const existing = existingByName.get(config.name);
+    if (!existing) {
+      await rolesRepository.create({
+        name: config.name,
+        displayName: config.displayName,
+        description: config.description || null,
+        priority: config.priority ?? 10,
+        isSystem: config.isSystem ?? false,
+        isBuiltin: config.isBuiltin ?? false,
+        isActive: true
+      });
+      authLogger.service.info(`  \u2705 Created role: ${config.name}`);
+    } else {
+      const updateData = {
+        displayName: config.displayName,
+        description: config.description || null
+      };
+      if (!existing.isBuiltin) {
+        updateData.priority = config.priority ?? existing.priority;
+      }
+      await rolesRepository.updateById(existing.id, updateData);
     }
-    await rolesRepository.updateById(existing.id, updateData);
-  }
-}
-async function upsertPermission(config) {
-  const existing = await permissionsRepository.findByName(config.name);
-  if (!existing) {
-    await permissionsRepository.create({
-      name: config.name,
-      displayName: config.displayName,
-      description: config.description || null,
-      category: config.category || null,
-      isSystem: config.isSystem ?? false,
-      isBuiltin: config.isBuiltin ?? false,
-      isActive: true,
-      metadata: null
-    });
-    authLogger.service.info(`  \u2705 Created permission: ${config.name}`);
-  } else {
-    await permissionsRepository.updateById(existing.id, {
-      displayName: config.displayName,
-      description: config.description || null,
-      category: config.category || null
-    });
   }
 }
-async function assignPermissionsToRole(roleName, permissionNames) {
-  const role = await rolesRepository.findByName(roleName);
-  if (!role) {
-    authLogger.service.warn(`  \u26A0\uFE0F  Role not found: ${roleName}, skipping permission assignment`);
-    return;
-  }
-  const perms = await permissionsRepository.findByNames(permissionNames);
-  if (perms.length === 0) {
-    authLogger.service.warn(`  \u26A0\uFE0F  No permissions found for role: ${roleName}`);
-    return;
+async function syncPermissions(configs, existingByName) {
+  for (const config of configs) {
+    const existing = existingByName.get(config.name);
+    if (!existing) {
+      await permissionsRepository.create({
+        name: config.name,
+        displayName: config.displayName,
+        description: config.description || null,
+        category: config.category || null,
+        isSystem: config.isSystem ?? false,
+        isBuiltin: config.isBuiltin ?? false,
+        isActive: true,
+        metadata: null
+      });
+      authLogger.service.info(`  \u2705 Created permission: ${config.name}`);
+    } else {
+      await permissionsRepository.updateById(existing.id, {
+        displayName: config.displayName,
+        description: config.description || null,
+        category: config.category || null
+      });
+    }
   }
-  const existingMappings = await rolePermissionsRepository.findByRoleId(role.id);
-  const existingPermIds = new Set(existingMappings.map((m) => m.permissionId));
-  const newMappings = perms.filter((perm) => !existingPermIds.has(perm.id)).map((perm) => ({
-    roleId: role.id,
-    permissionId: perm.id
-  }));
-  if (newMappings.length > 0) {
-    await rolePermissionsRepository.createMany(newMappings);
+}
+async function syncMappings(allMappings, rolesByName, permsByName) {
+  for (const [roleName, permNames] of Object.entries(allMappings)) {
+    const role = rolesByName.get(roleName);
+    if (!role) {
+      authLogger.service.warn(`  \u26A0\uFE0F  Role not found: ${roleName}, skipping permission assignment`);
+      continue;
+    }
+    const existingMappings = await rolePermissionsRepository.findByRoleId(role.id);
+    const existingPermIds = new Set(existingMappings.map((m) => m.permissionId));
+    const newMappings = permNames.map((name) => permsByName.get(name)).filter((perm) => perm != null).filter((perm) => !existingPermIds.has(perm.id)).map((perm) => ({
+      roleId: role.id,
+      permissionId: perm.id
+    }));
+    if (newMappings.length > 0) {
+      await rolePermissionsRepository.createMany(newMappings);
+    }
   }
 }
@@ -7770,6 +7876,7 @@ async function getAuthSessionService(userId) {
   ]);
   return {
     userId: user.userId,
+    publicId: user.publicId,
     email: user.email,
     emailVerified: user.isEmailVerified,
     phoneVerified: user.isPhoneVerified,
@@ -7787,6 +7894,7 @@ async function getUserProfileService(userId) {
   ]);
   return {
     userId: user.userId,
+    publicId: user.publicId,
     email: user.email,
     username: user.username,
     emailVerified: user.isEmailVerified,
@@ -9471,6 +9579,7 @@ function createAuthLifecycle(options = {}) {
   };
 }
 export {
+  AuthMetadataRepository,
   AuthProviderSchema,
   COOKIE_NAMES,
   EmailSchema,
@@ -9498,6 +9607,8 @@ export {
   addPermissionToRole,
   authLogger,
   authLoginEvent,
+  authMetadata,
+  authMetadataRepository,
   authRegisterEvent,
   mainAuthRouter as authRouter,
   authSchema,