npm - @spfn/auth - Versions diffs - 0.2.0-beta.44 → 0.2.0-beta.45 - Mend

@spfn/auth 0.2.0-beta.44 → 0.2.0-beta.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/server.d.ts +90 -2
package/dist/server.js +176 -85
package/dist/server.js.map +1 -1
package/migrations/0004_concerned_rawhide_kid.sql +5 -0
package/migrations/meta/0004_snapshot.json +1721 -0
package/migrations/meta/_journal.json +7 -0
package/package.json +1 -1

package/dist/server.d.ts CHANGED Viewed

@@ -378,12 +378,14 @@ declare function updateUsernameService(userId: string | number | bigint, usernam
  * @spfn/auth - RBAC Initialization Service
  *
  * Initialize roles, permissions, and their mappings
+ * Uses hash-based change detection to skip unnecessary DB operations
  */
 /**
  * Initialize auth package with RBAC system
  *
- * Creates built-in roles, permissions, and custom configurations
+ * Creates built-in roles, permissions, and custom configurations.
+ * Uses hash-based change detection - skips DB operations when config is unchanged.
  *
  * @param options - Initialization options
  *
@@ -2821,6 +2823,73 @@ declare const userPermissions: drizzle_orm_pg_core.PgTableWithColumns<{
 type UserPermission = typeof userPermissions.$inferSelect;
 type NewUserPermission = typeof userPermissions.$inferInsert;
+/**
+ * @spfn/auth - Auth Metadata Entity
+ *
+ * Key-value store for auth system metadata
+ * Used for storing RBAC config hash and other system-level settings
+ */
+declare const authMetadata: drizzle_orm_pg_core.PgTableWithColumns<{
+    name: "auth_metadata";
+    schema: string;
+    columns: {
+        key: drizzle_orm_pg_core.PgColumn<{
+            name: "key";
+            tableName: "auth_metadata";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        value: drizzle_orm_pg_core.PgColumn<{
+            name: "value";
+            tableName: "auth_metadata";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        updatedAt: drizzle_orm_pg_core.PgColumn<{
+            name: "updated_at";
+            tableName: "auth_metadata";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "pg";
+}>;
+type AuthMetadataEntity = typeof authMetadata.$inferSelect;
+type NewAuthMetadataEntity = typeof authMetadata.$inferInsert;
 /**
  * Users Repository
  *
@@ -4447,6 +4516,25 @@ declare class SocialAccountsRepository extends BaseRepository {
 }
 declare const socialAccountsRepository: SocialAccountsRepository;
+/**
+ * Auth Metadata Repository
+ *
+ * Key-value 기반 시스템 메타데이터 저장소
+ * RBAC 설정 해시 등 시스템 설정값 관리
+ */
+declare class AuthMetadataRepository extends BaseRepository {
+    /**
+     * 키로 값 조회
+     */
+    get(key: string): Promise<string | null>;
+    /**
+     * 키-값 저장 (upsert)
+     */
+    set(key: string, value: string): Promise<void>;
+}
+declare const authMetadataRepository: AuthMetadataRepository;
 /**
  * @spfn/auth - Password Helpers
  *
@@ -5434,4 +5522,4 @@ type AuthRegisterPayload = typeof authRegisterEvent._payload;
 type InvitationCreatedPayload = typeof invitationCreatedEvent._payload;
 type InvitationAcceptedPayload = typeof invitationAcceptedEvent._payload;
-export { type AuthConfig, AuthContext, type AuthLoginPayload, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };
+export { type AuthConfig, AuthContext, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };

package/dist/server.js CHANGED Viewed

@@ -5299,6 +5299,27 @@ var init_user_permissions = __esm({
   }
 });
+// src/server/entities/auth-metadata.ts
+import { text as text10, timestamp } from "drizzle-orm/pg-core";
+var authMetadata;
+var init_auth_metadata = __esm({
+  "src/server/entities/auth-metadata.ts"() {
+    "use strict";
+    init_schema4();
+    authMetadata = authSchema.table(
+      "auth_metadata",
+      {
+        // Metadata key (primary key)
+        key: text10("key").primaryKey(),
+        // Metadata value
+        value: text10("value").notNull(),
+        // Last updated timestamp
+        updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+      }
+    );
+  }
+});
 // src/server/entities/index.ts
 var init_entities = __esm({
   "src/server/entities/index.ts"() {
@@ -5314,6 +5335,7 @@ var init_entities = __esm({
     init_permissions();
     init_role_permissions();
     init_user_permissions();
+    init_auth_metadata();
   }
 });
@@ -6315,16 +6337,16 @@ var init_invitations_repository = __esm({
       /**
        * 초대 상태 업데이트
        */
-      async updateStatus(id11, status, timestamp) {
+      async updateStatus(id11, status, timestamp2) {
         const updates = {
           status,
           updatedAt: /* @__PURE__ */ new Date()
         };
-        if (timestamp) {
+        if (timestamp2) {
           if (status === "accepted") {
-            updates.acceptedAt = timestamp;
+            updates.acceptedAt = timestamp2;
           } else if (status === "cancelled") {
-            updates.cancelledAt = timestamp;
+            updates.cancelledAt = timestamp2;
           }
         }
         const result = await this.db.update(userInvitations).set(updates).where(eq9(userInvitations.id, id11)).returning();
@@ -6558,6 +6580,43 @@ var init_social_accounts_repository = __esm({
   }
 });
+// src/server/repositories/auth-metadata.repository.ts
+import { BaseRepository as BaseRepository11 } from "@spfn/core/db";
+import { eq as eq11 } from "drizzle-orm";
+var AuthMetadataRepository, authMetadataRepository;
+var init_auth_metadata_repository = __esm({
+  "src/server/repositories/auth-metadata.repository.ts"() {
+    "use strict";
+    init_auth_metadata();
+    AuthMetadataRepository = class extends BaseRepository11 {
+      /**
+       * 키로 값 조회
+       */
+      async get(key) {
+        const result = await this.readDb.select().from(authMetadata).where(eq11(authMetadata.key, key)).limit(1);
+        return result[0]?.value ?? null;
+      }
+      /**
+       * 키-값 저장 (upsert)
+       */
+      async set(key, value) {
+        await this.db.insert(authMetadata).values({
+          key,
+          value,
+          updatedAt: /* @__PURE__ */ new Date()
+        }).onConflictDoUpdate({
+          target: authMetadata.key,
+          set: {
+            value,
+            updatedAt: /* @__PURE__ */ new Date()
+          }
+        });
+      }
+    };
+    authMetadataRepository = new AuthMetadataRepository();
+  }
+});
 // src/server/repositories/index.ts
 var init_repositories = __esm({
   "src/server/repositories/index.ts"() {
@@ -6572,6 +6631,7 @@ var init_repositories = __esm({
     init_user_profiles_repository();
     init_invitations_repository();
     init_social_accounts_repository();
+    init_auth_metadata_repository();
   }
 });
@@ -7355,6 +7415,7 @@ async function changePasswordService(params) {
 // src/server/services/rbac.service.ts
 init_repositories();
 init_rbac();
+import { createHash } from "crypto";
 // src/server/lib/config.ts
 import { env as env5 } from "@spfn/auth/config";
@@ -7417,6 +7478,33 @@ function getSessionTtl(override) {
 }
 // src/server/services/rbac.service.ts
+var RBAC_HASH_KEY = "rbac_config_hash";
+function computeConfigHash(allRoles, allPermissions, allMappings) {
+  const payload = JSON.stringify({
+    roles: allRoles.map((r) => ({ name: r.name, displayName: r.displayName, description: r.description, priority: r.priority, isSystem: r.isSystem, isBuiltin: r.isBuiltin })).sort((a, b) => a.name.localeCompare(b.name)),
+    permissions: allPermissions.map((p) => ({ name: p.name, displayName: p.displayName, description: p.description, category: p.category, isSystem: p.isSystem, isBuiltin: p.isBuiltin })).sort((a, b) => a.name.localeCompare(b.name)),
+    mappings: Object.keys(allMappings).sort().reduce((acc, key) => {
+      acc[key] = [...allMappings[key]].sort();
+      return acc;
+    }, {})
+  });
+  return createHash("sha256").update(payload).digest("hex");
+}
+function collectMappings(options) {
+  const allMappings = { ...BUILTIN_ROLE_PERMISSIONS };
+  if (options.rolePermissions) {
+    for (const [roleName, permNames] of Object.entries(options.rolePermissions)) {
+      if (allMappings[roleName]) {
+        allMappings[roleName] = [
+          .../* @__PURE__ */ new Set([...allMappings[roleName], ...permNames])
+        ];
+      } else {
+        allMappings[roleName] = permNames;
+      }
+    }
+  }
+  return allMappings;
+}
 async function initializeAuth(options = {}) {
   authLogger.service.info("\u{1F510} Initializing RBAC system...");
   if (options.sessionTtl !== void 0) {
@@ -7429,100 +7517,100 @@ async function initializeAuth(options = {}) {
     ...Object.values(BUILTIN_ROLES),
     ...options.roles || []
   ];
-  for (const roleConfig of allRoles) {
-    await upsertRole(roleConfig);
-  }
   const allPermissions = [
     ...Object.values(BUILTIN_PERMISSIONS),
     ...options.permissions || []
   ];
-  for (const permConfig of allPermissions) {
-    await upsertPermission(permConfig);
-  }
-  const allMappings = { ...BUILTIN_ROLE_PERMISSIONS };
-  if (options.rolePermissions) {
-    for (const [roleName, permNames] of Object.entries(options.rolePermissions)) {
-      if (allMappings[roleName]) {
-        allMappings[roleName] = [
-          .../* @__PURE__ */ new Set([...allMappings[roleName], ...permNames])
-        ];
-      } else {
-        allMappings[roleName] = permNames;
-      }
-    }
-  }
-  for (const [roleName, permNames] of Object.entries(allMappings)) {
-    await assignPermissionsToRole(roleName, permNames);
+  const allMappings = collectMappings(options);
+  const configHash = computeConfigHash(allRoles, allPermissions, allMappings);
+  const storedHash = await authMetadataRepository.get(RBAC_HASH_KEY);
+  if (storedHash === configHash) {
+    authLogger.service.info("\u2705 RBAC config unchanged, skipping initialization");
+    return;
   }
+  authLogger.service.info("\u{1F504} RBAC config changed, applying updates...");
+  const existingRoles = await rolesRepository.findAll();
+  const existingPermissions = await permissionsRepository.findAll();
+  const rolesByName = new Map(existingRoles.map((r) => [r.name, r]));
+  const permsByName = new Map(existingPermissions.map((p) => [p.name, p]));
+  await syncRoles(allRoles, rolesByName);
+  await syncPermissions(allPermissions, permsByName);
+  const updatedRoles = await rolesRepository.findAll();
+  const updatedPermissions = await permissionsRepository.findAll();
+  const updatedRolesByName = new Map(updatedRoles.map((r) => [r.name, r]));
+  const updatedPermsByName = new Map(updatedPermissions.map((p) => [p.name, p]));
+  await syncMappings(allMappings, updatedRolesByName, updatedPermsByName);
+  await authMetadataRepository.set(RBAC_HASH_KEY, configHash);
   authLogger.service.info("\u2705 RBAC initialization complete");
   authLogger.service.info(`\u{1F4CA} Roles: ${allRoles.length}, Permissions: ${allPermissions.length}`);
   authLogger.service.info("\u{1F512} Built-in roles: user, admin, superadmin");
 }
-async function upsertRole(config) {
-  const existing = await rolesRepository.findByName(config.name);
-  if (!existing) {
-    await rolesRepository.create({
-      name: config.name,
-      displayName: config.displayName,
-      description: config.description || null,
-      priority: config.priority ?? 10,
-      isSystem: config.isSystem ?? false,
-      isBuiltin: config.isBuiltin ?? false,
-      isActive: true
-    });
-    authLogger.service.info(`  \u2705 Created role: ${config.name}`);
-  } else {
-    const updateData = {
-      displayName: config.displayName,
-      description: config.description || null
-    };
-    if (!existing.isBuiltin) {
-      updateData.priority = config.priority ?? existing.priority;
+async function syncRoles(configs, existingByName) {
+  for (const config of configs) {
+    const existing = existingByName.get(config.name);
+    if (!existing) {
+      await rolesRepository.create({
+        name: config.name,
+        displayName: config.displayName,
+        description: config.description || null,
+        priority: config.priority ?? 10,
+        isSystem: config.isSystem ?? false,
+        isBuiltin: config.isBuiltin ?? false,
+        isActive: true
+      });
+      authLogger.service.info(`  \u2705 Created role: ${config.name}`);
+    } else {
+      const updateData = {
+        displayName: config.displayName,
+        description: config.description || null
+      };
+      if (!existing.isBuiltin) {
+        updateData.priority = config.priority ?? existing.priority;
+      }
+      await rolesRepository.updateById(existing.id, updateData);
     }
-    await rolesRepository.updateById(existing.id, updateData);
-  }
-}
-async function upsertPermission(config) {
-  const existing = await permissionsRepository.findByName(config.name);
-  if (!existing) {
-    await permissionsRepository.create({
-      name: config.name,
-      displayName: config.displayName,
-      description: config.description || null,
-      category: config.category || null,
-      isSystem: config.isSystem ?? false,
-      isBuiltin: config.isBuiltin ?? false,
-      isActive: true,
-      metadata: null
-    });
-    authLogger.service.info(`  \u2705 Created permission: ${config.name}`);
-  } else {
-    await permissionsRepository.updateById(existing.id, {
-      displayName: config.displayName,
-      description: config.description || null,
-      category: config.category || null
-    });
   }
 }
-async function assignPermissionsToRole(roleName, permissionNames) {
-  const role = await rolesRepository.findByName(roleName);
-  if (!role) {
-    authLogger.service.warn(`  \u26A0\uFE0F  Role not found: ${roleName}, skipping permission assignment`);
-    return;
-  }
-  const perms = await permissionsRepository.findByNames(permissionNames);
-  if (perms.length === 0) {
-    authLogger.service.warn(`  \u26A0\uFE0F  No permissions found for role: ${roleName}`);
-    return;
+async function syncPermissions(configs, existingByName) {
+  for (const config of configs) {
+    const existing = existingByName.get(config.name);
+    if (!existing) {
+      await permissionsRepository.create({
+        name: config.name,
+        displayName: config.displayName,
+        description: config.description || null,
+        category: config.category || null,
+        isSystem: config.isSystem ?? false,
+        isBuiltin: config.isBuiltin ?? false,
+        isActive: true,
+        metadata: null
+      });
+      authLogger.service.info(`  \u2705 Created permission: ${config.name}`);
+    } else {
+      await permissionsRepository.updateById(existing.id, {
+        displayName: config.displayName,
+        description: config.description || null,
+        category: config.category || null
+      });
+    }
   }
-  const existingMappings = await rolePermissionsRepository.findByRoleId(role.id);
-  const existingPermIds = new Set(existingMappings.map((m) => m.permissionId));
-  const newMappings = perms.filter((perm) => !existingPermIds.has(perm.id)).map((perm) => ({
-    roleId: role.id,
-    permissionId: perm.id
-  }));
-  if (newMappings.length > 0) {
-    await rolePermissionsRepository.createMany(newMappings);
+}
+async function syncMappings(allMappings, rolesByName, permsByName) {
+  for (const [roleName, permNames] of Object.entries(allMappings)) {
+    const role = rolesByName.get(roleName);
+    if (!role) {
+      authLogger.service.warn(`  \u26A0\uFE0F  Role not found: ${roleName}, skipping permission assignment`);
+      continue;
+    }
+    const existingMappings = await rolePermissionsRepository.findByRoleId(role.id);
+    const existingPermIds = new Set(existingMappings.map((m) => m.permissionId));
+    const newMappings = permNames.map((name) => permsByName.get(name)).filter((perm) => perm != null).filter((perm) => !existingPermIds.has(perm.id)).map((perm) => ({
+      roleId: role.id,
+      permissionId: perm.id
+    }));
+    if (newMappings.length > 0) {
+      await rolePermissionsRepository.createMany(newMappings);
+    }
   }
 }
@@ -9491,6 +9579,7 @@ function createAuthLifecycle(options = {}) {
   };
 }
 export {
+  AuthMetadataRepository,
   AuthProviderSchema,
   COOKIE_NAMES,
   EmailSchema,
@@ -9518,6 +9607,8 @@ export {
   addPermissionToRole,
   authLogger,
   authLoginEvent,
+  authMetadata,
+  authMetadataRepository,
   authRegisterEvent,
   mainAuthRouter as authRouter,
   authSchema,