@spfn/auth 0.2.0-beta.46 → 0.2.0-beta.48

package/README.md

@@ -77,72 +77,95 @@ export default defineServerConfig()
     .build();
 ```
 
-#### Register Router in `router.ts`
+#### Register Router and Global Middleware in `router.ts`
 
 ```typescript
 import { defineRouter } from '@spfn/core/route';
-import { authRouter } from '@spfn/auth/server';
+import { authRouter, authenticate } from '@spfn/auth/server';
+import { getHealth } from './routes/health';
+import { createOrder } from './routes/orders';
 
 export const appRouter = defineRouter({
-    // Auth routes (fixed namespace)
-    auth: authRouter,
-
+    getHealth,
+    createOrder,
     // ... your other routes
-});
+})
+.packages([authRouter])    // Auth routes (/_auth/* namespace)
+.use([authenticate]);      // Global auth middleware on all routes
+
+export type AppRouter = typeof appRouter;
 ```
 
-### 3. Configure Client (Next.js)
+> **Important:** Public routes must explicitly skip auth with `.skip(['auth'])`.
+> See the [Authentication Guide](https://spfn.dev/docs/guides/authentication) for details.
 
-#### Option A: Use the built-in `authApi` (Recommended)
+### 3. Configure Next.js Interceptor
+
+Register the auth interceptor in your RPC proxy route. This handles session cookies, JWT signing, and key management automatically.
 
 ```typescript
-import { authApi } from '@spfn/auth';
+// app/api/rpc/[routeName]/route.ts
+import '@spfn/auth/nextjs/api';  // Must be first! Registers auth interceptor
+import { appRouter } from '@/server/router';
+import { createRpcProxy } from '@spfn/core/nextjs/server';
 
-// Type-safe API calls for auth routes
-const session = await authApi.getAuthSession.call({});
+export const { GET, POST } = createRpcProxy({ router: appRouter });
 ```
 
-#### Option B: Register Error Registry in Custom API Client
+Your API client needs no auth-specific configuration:
 
 ```typescript
+// src/lib/api-client.ts
 import { createApi } from '@spfn/core/nextjs';
 import type { AppRouter } from '@/server/router';
-import { authErrorRegistry } from "@spfn/auth/errors";
-import { appMetadata } from '@/server/router.metadata';
-import { errorRegistry } from "@spfn/core/errors";
 
-export const api = createApi<AppRouter>({
-    metadata: appMetadata,
-    errorRegistry: errorRegistry.concat(authErrorRegistry),
-});
+export const api = createApi<AppRouter>();
+```
+
+The built-in `authApi` is also available for auth-only calls:
+
+```typescript
+import { authApi } from '@spfn/auth';
+const session = await authApi.getAuthSession.call({});
 ```
 
 ### 4. Environment Variables
 
+Auth requires variables in **two separate files**: `.env.server` (SPFN backend) and `.env.local` (Next.js).
+
+#### `.env.server` (SPFN Backend)
+
 ```bash
 # Required
-SPFN_AUTH_JWT_SECRET=your-secret-key
+DATABASE_URL=postgresql://user:pass@localhost:5432/myapp_dev
 SPFN_AUTH_VERIFICATION_TOKEN_SECRET=your-verification-secret
-DATABASE_URL=postgresql://...
 
-# Next.js (required)
-SPFN_AUTH_SESSION_SECRET=your-32-char-secret
+# Admin account (required — at least one format)
+SPFN_AUTH_ADMIN_ACCOUNTS='[{"email":"admin@example.com","password":"Admin!@34","role":"superadmin"}]'
 
 # Optional
+SPFN_AUTH_JWT_SECRET=your-jwt-secret
 SPFN_AUTH_JWT_EXPIRES_IN=7d
 SPFN_AUTH_BCRYPT_SALT_ROUNDS=10
 SPFN_AUTH_SESSION_TTL=7d
 
-# Google OAuth
+# Google OAuth (optional)
 SPFN_AUTH_GOOGLE_CLIENT_ID=123456789-abc.apps.googleusercontent.com
 SPFN_AUTH_GOOGLE_CLIENT_SECRET=GOCSPX-...
-SPFN_APP_URL=http://localhost:3000
+```
+
+#### `.env.local` (Next.js)
 
-# Google OAuth (Optional)
-SPFN_AUTH_GOOGLE_SCOPES=email,profile,https://www.googleapis.com/auth/gmail.readonly
-SPFN_AUTH_GOOGLE_REDIRECT_URI=http://localhost:8790/_auth/oauth/google/callback
-SPFN_AUTH_OAUTH_SUCCESS_URL=/auth/callback
-SPFN_AUTH_OAUTH_ERROR_URL=http://localhost:3000/auth/error?error={error}
+```bash
+# Required
+DATABASE_URL=postgresql://user:pass@localhost:5432/myapp_dev
+SPFN_API_URL=http://localhost:8790
+
+# Required for session cookies (minimum 32 characters)
+SPFN_AUTH_SESSION_SECRET=my-super-secret-session-key-at-least-32-chars-long
+
+# Optional
+SPFN_AUTH_SESSION_TTL=7d
 
 # Email/SMS — configure via @spfn/notification
 # See @spfn/notification README for AWS SES/SNS settings

package/dist/{authenticate-CRDUKQbi.d.ts → authenticate-eucncHxN.d.ts}

@@ -382,6 +382,30 @@ interface AuthInitOptions {
     sessionTtl?: string | number;
 }
 
+/**
+ * One-Time Token Service
+ *
+ * Issues and verifies one-time tokens for direct API access.
+ */
+interface IssueOneTimeTokenResult {
+    token: string;
+    expiresAt: string;
+}
+/**
+ * Issue a one-time token for the authenticated user
+ *
+ * @param userId - Authenticated user's ID
+ * @returns Token string and ISO expiration timestamp
+ */
+declare function issueOneTimeTokenService(userId: string): Promise<IssueOneTimeTokenResult>;
+/**
+ * Verify and consume a one-time token
+ *
+ * @param token - The one-time token to verify
+ * @returns userId if valid, null if invalid/expired/consumed
+ */
+declare function verifyOneTimeTokenService(token: string): Promise<string | null>;
+
 /**
  * @spfn/auth - OAuth Service
  *
@@ -557,6 +581,7 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
         emailVerified: boolean;
         phoneVerified: boolean;
     }>;
+    issueOneTimeToken: _spfn_core_route.RouteDef<{}, {}, IssueOneTimeTokenResult>;
     oauthGoogleStart: _spfn_core_route.RouteDef<{
         query: _sinclair_typebox.TObject<{
             state: _sinclair_typebox.TString;
@@ -912,4 +937,4 @@ declare const authenticate: _spfn_core_route.NamedMiddleware<"auth">;
  */
 declare const optionalAuth: _spfn_core_route.NamedMiddleware<"optionalAuth">;
 
-export { getEnabledOAuthProviders as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type OAuthStartResult as O, type PermissionConfig as P, type RegisterPublicKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RotateKeyParams as T, type UserProfile as U, type VerificationTargetType as V, type RevokeKeyParams as W, oauthStartService as X, oauthCallbackService as Y, buildOAuthErrorUrl as Z, isOAuthProviderEnabled as _, type RegisterResult as a, getGoogleAccessToken as a0, type OAuthStartParams as a1, type OAuthCallbackParams as a2, type OAuthCallbackResult as a3, authenticate as a4, optionalAuth as a5, EmailSchema as a6, PhoneSchema as a7, PasswordSchema as a8, TargetTypeSchema as a9, VerificationPurposeSchema as aa, type RotateKeyResult as b, type ProfileInfo as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };
+export { oauthCallbackService as $, type AuthSession as A, type LogoutParams as B, type CheckAccountExistsResult as C, type ChangePasswordParams as D, sendVerificationCodeService as E, verifyCodeService as F, type SendVerificationCodeParams as G, type VerifyCodeParams as H, type IssueOneTimeTokenResult as I, type VerifyCodeResult as J, KEY_ALGORITHM as K, type LoginResult as L, registerPublicKeyService as M, rotateKeyService as N, type OAuthStartResult as O, type PermissionConfig as P, revokeKeyService as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RegisterPublicKeyParams as T, type UserProfile as U, type VerificationTargetType as V, type RotateKeyParams as W, type RevokeKeyParams as X, issueOneTimeTokenService as Y, verifyOneTimeTokenService as Z, oauthStartService as _, type RegisterResult as a, buildOAuthErrorUrl as a0, isOAuthProviderEnabled as a1, getEnabledOAuthProviders as a2, getGoogleAccessToken as a3, type OAuthStartParams as a4, type OAuthCallbackParams as a5, type OAuthCallbackResult as a6, authenticate as a7, optionalAuth as a8, EmailSchema as a9, PhoneSchema as aa, PasswordSchema as ab, TargetTypeSchema as ac, VerificationPurposeSchema as ad, type RotateKeyResult as b, type ProfileInfo as c, INVITATION_STATUSES as d, USER_STATUSES as e, SOCIAL_PROVIDERS as f, type VerificationPurpose as g, VERIFICATION_TARGET_TYPES as h, VERIFICATION_PURPOSES as i, PERMISSION_CATEGORIES as j, type PermissionCategory as k, type AuthInitOptions as l, mainAuthRouter as m, type KeyAlgorithmType as n, type InvitationStatus as o, type UserStatus as p, type SocialProvider as q, type AuthContext as r, checkAccountExistsService as s, registerService as t, loginService as u, logoutService as v, changePasswordService as w, type CheckAccountExistsParams as x, type RegisterParams as y, type LoginParams as z };

package/dist/config.d.ts

@@ -70,6 +70,16 @@ declare const authEnvSchema: {
     } & {
         key: "SPFN_AUTH_JWT_EXPIRES_IN";
     };
+    SPFN_AUTH_COOKIE_SECURE: {
+        description: string;
+        required: boolean;
+        nextjs: boolean;
+        examples: boolean[];
+        type: "boolean";
+        validator: (value: string) => boolean;
+    } & {
+        key: "SPFN_AUTH_COOKIE_SECURE";
+    };
     SPFN_AUTH_BCRYPT_SALT_ROUNDS: {
         key: string;
         description: string;
@@ -316,6 +326,16 @@ declare const env: _spfn_core_env.InferEnvType<{
     } & {
         key: "SPFN_AUTH_JWT_EXPIRES_IN";
     };
+    SPFN_AUTH_COOKIE_SECURE: {
+        description: string;
+        required: boolean;
+        nextjs: boolean;
+        examples: boolean[];
+        type: "boolean";
+        validator: (value: string) => boolean;
+    } & {
+        key: "SPFN_AUTH_COOKIE_SECURE";
+    };
     SPFN_AUTH_BCRYPT_SALT_ROUNDS: {
         key: string;
         description: string;

package/dist/config.js

@@ -6,6 +6,7 @@ import {
   defineEnvSchema,
   envString,
   envNumber,
+  envBoolean,
   createSecureSecretParser,
   createPasswordParser
 } from "@spfn/core/env";
@@ -67,6 +68,14 @@ var authEnvSchema = defineEnvSchema({
   // ============================================================================
   // Security Configuration
   // ============================================================================
+  SPFN_AUTH_COOKIE_SECURE: {
+    ...envBoolean({
+      description: 'Override cookie Secure flag. Defaults to NODE_ENV === "production". Set to false for HTTP-only environments (e.g. bastion over plain HTTP).',
+      required: false,
+      nextjs: true,
+      examples: [true, false]
+    })
+  },
   SPFN_AUTH_BCRYPT_SALT_ROUNDS: {
     ...envNumber({
       description: "Bcrypt salt rounds (cost factor, higher = more secure but slower)",

package/dist/config.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/config/index.ts","../src/config/schema.ts"],"sourcesContent":["/**\n * Core Package Configuration\n *\n * @example\n * ```typescript\n * import { registry } from '@spfn/core/config';\n *\n * const env = registry.validate();\n * console.log(env.DB_POOL_MAX);\n * ```\n *\n * @module config\n */\n\nimport { createEnvRegistry } from '@spfn/core/env';\nimport { authEnvSchema } from './schema';\n\nexport { authEnvSchema as envSchema } from './schema';\n\n/**\n * Environment registry\n */\nconst registry = createEnvRegistry(authEnvSchema);\nexport const env = registry.validate();","/**\n * Auth Environment Variable Schema\n *\n * Centralized schema definition for all environment variables used in @spfn/auth.\n * This provides type safety, validation, and documentation for Auth configuration.\n *\n * @module config/schema\n */\n\nimport {\n    defineEnvSchema,\n    envString,\n    envNumber,\n    createSecureSecretParser,\n    createPasswordParser,\n} from '@spfn/core/env';\n\n/**\n * Auth environment variable schema\n *\n * Defines all Auth environment variables with:\n * - Type information\n * - Default values\n * - Validation rules\n * - Documentation\n *\n * @example\n * ```typescript\n * import { authEnvSchema } from '@spfn/auth/config';\n *\n * // Access schema information\n * console.log(authEnvSchema.SPFN_AUTH_SESSION_SECRET.description);\n * console.log(authEnvSchema.SPFN_AUTH_JWT_EXPIRES_IN.default);\n * ```\n */\nexport const authEnvSchema = defineEnvSchema({\n    // ============================================================================\n    // Session Configuration\n    // ============================================================================\n    SPFN_AUTH_SESSION_SECRET: {\n        ...envString({\n            description: 'Session encryption secret (minimum 32 characters for AES-256)',\n            required: true,\n            fallbackKeys: ['SESSION_SECRET'],\n            validator: createSecureSecretParser({\n                minLength: 32,\n                minUniqueChars: 16,\n                minEntropy: 3.5,\n            }),\n            sensitive: true,\n            nextjs: true, // Required for Next.js RSC session validation\n            examples: [\n                'my-super-secret-session-key-at-least-32-chars-long',\n                'use-a-cryptographically-secure-random-string-here',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_SESSION_TTL: {\n        ...envString({\n            description: 'Session TTL (time to live) - supports duration strings like \\'7d\\', \\'12h\\', \\'45m\\'',\n            default: '7d',\n            required: false,\n            nextjs: true, // May be needed for session validation in Next.js RSC\n            examples: ['7d', '30d', '12h', '45m', '3600'],\n        }),\n    },\n\n    // ============================================================================\n    // JWT Configuration\n    // ============================================================================\n    SPFN_AUTH_JWT_SECRET: {\n        ...envString({\n            description: 'JWT signing secret for server-signed tokens (legacy mode)',\n            default: 'dev-secret-key-change-in-production',\n            required: false,\n            examples: [\n                'your-jwt-secret-key-here',\n                'use-different-from-session-secret',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_JWT_EXPIRES_IN: {\n        ...envString({\n            description: 'JWT token expiration time (e.g., \\'7d\\', \\'24h\\', \\'1h\\')',\n            default: '7d',\n            required: false,\n            examples: ['7d', '24h', '1h', '30m'],\n        }),\n    },\n\n    // ============================================================================\n    // Security Configuration\n    // ============================================================================\n    SPFN_AUTH_BCRYPT_SALT_ROUNDS: {\n        ...envNumber({\n            description: 'Bcrypt salt rounds (cost factor, higher = more secure but slower)',\n            default: 10,\n            required: false,\n            examples: [10, 12, 14],\n        }),\n        key: 'SPFN_AUTH_BCRYPT_SALT_ROUNDS',\n    },\n\n    SPFN_AUTH_VERIFICATION_TOKEN_SECRET: {\n        ...envString({\n            description: 'Verification token secret for email verification, password reset, etc.',\n            required: true,\n            examples: [\n                'your-verification-token-secret',\n                'can-be-different-from-jwt-secret',\n            ],\n        }),\n    },\n\n    // ============================================================================\n    // Admin Account Configuration\n    // ============================================================================\n    SPFN_AUTH_ADMIN_ACCOUNTS: {\n        ...envString({\n            description: 'JSON array of admin accounts (recommended for multiple admins)',\n            required: false,\n            examples: [\n                '[{\"email\":\"admin@example.com\",\"password\":\"secure-pass\",\"role\":\"admin\"}]',\n                '[{\"email\":\"super@example.com\",\"password\":\"pass1\",\"role\":\"superadmin\"},{\"email\":\"admin@example.com\",\"password\":\"pass2\",\"role\":\"admin\"}]',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_EMAILS: {\n        ...envString({\n            description: 'Comma-separated list of admin emails (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin@example.com,user@example.com',\n                'super@example.com,admin@example.com,user@example.com',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_PASSWORDS: {\n        ...envString({\n            description: 'Comma-separated list of admin passwords (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin-pass,user-pass',\n                'super-pass,admin-pass,user-pass',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_ROLES: {\n        ...envString({\n            description: 'Comma-separated list of admin roles (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin,user',\n                'superadmin,admin,user',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_EMAIL: {\n        ...envString({\n            description: 'Single admin email (simplest format)',\n            required: false,\n            examples: ['admin@example.com'],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_PASSWORD: {\n        ...envString({\n            description: 'Single admin password (simplest format)',\n            required: false,\n            validator: createPasswordParser({\n                minLength: 8,\n                requireUppercase: true,\n                requireLowercase: true,\n                requireNumber: true,\n                requireSpecial: true,\n            }),\n            sensitive: true,\n            examples: ['SecureAdmin123!'],\n        }),\n    },\n\n    // ============================================================================\n    // Username Configuration\n    // ============================================================================\n    SPFN_AUTH_RESERVED_USERNAMES: {\n        ...envString({\n            description: 'Comma-separated list of reserved usernames that cannot be registered',\n            required: false,\n            default: 'admin,root,system,support,help,moderator,superadmin',\n            examples: [\n                'admin,root,system,support,help',\n                'admin,root,system,support,help,moderator,superadmin,operator',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_USERNAME_MIN_LENGTH: {\n        ...envNumber({\n            description: 'Minimum username length',\n            default: 3,\n            required: false,\n            examples: [2, 3, 4],\n        }),\n    },\n\n    SPFN_AUTH_USERNAME_MAX_LENGTH: {\n        ...envNumber({\n            description: 'Maximum username length',\n            default: 30,\n            required: false,\n            examples: [20, 30, 50],\n        }),\n    },\n\n    // ============================================================================\n    // API Configuration\n    // ============================================================================\n    SPFN_API_URL: {\n        ...envString({\n            description: 'Internal API URL for server-to-server communication',\n            default: 'http://localhost:8790',\n            required: false,\n            examples: [\n                'https://api.example.com',\n                'http://localhost:8790',\n            ],\n        }),\n    },\n\n    NEXT_PUBLIC_SPFN_API_URL: {\n        ...envString({\n            description: 'Public-facing API URL used for browser-facing redirects (e.g. OAuth callback). Falls back to SPFN_API_URL if not set.',\n            required: false,\n            examples: [\n                'https://api.example.com',\n                'http://localhost:8790',\n            ],\n        }),\n    },\n\n    SPFN_APP_URL: {\n        ...envString({\n            description: 'Next.js application URL (internal). Used for server-to-server communication.',\n            default: 'http://localhost:3000',\n            required: false,\n            examples: [\n                'https://app.example.com',\n                'http://localhost:3000',\n            ],\n        }),\n    },\n\n    NEXT_PUBLIC_SPFN_APP_URL: {\n        ...envString({\n            description: 'Public-facing Next.js app URL for browser redirects (e.g. OAuth redirect). Falls back to SPFN_APP_URL if not set.',\n            required: false,\n            examples: [\n                'https://app.example.com',\n                'http://localhost:3000',\n            ],\n        }),\n    },\n\n    // ============================================================================\n    // OAuth Configuration - Google\n    // ============================================================================\n    SPFN_AUTH_GOOGLE_CLIENT_ID: {\n        ...envString({\n            description: 'Google OAuth 2.0 Client ID. When set, Google OAuth routes are automatically enabled.',\n            required: false,\n            examples: ['123456789-abc123.apps.googleusercontent.com'],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_CLIENT_SECRET: {\n        ...envString({\n            description: 'Google OAuth 2.0 Client Secret',\n            required: false,\n            sensitive: true,\n            examples: ['GOCSPX-abcdefghijklmnop'],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_SCOPES: {\n        ...envString({\n            description: 'Comma-separated Google OAuth scopes. Defaults to \"email,profile\" if not set.',\n            required: false,\n            examples: [\n                'email,profile',\n                'email,profile,https://www.googleapis.com/auth/gmail.readonly',\n                'email,profile,https://www.googleapis.com/auth/calendar.readonly',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_REDIRECT_URI: {\n        ...envString({\n            description: 'Google OAuth callback URL. Defaults to {NEXT_PUBLIC_SPFN_API_URL || SPFN_API_URL}/_auth/oauth/google/callback',\n            required: false,\n            examples: [\n                'https://api.example.com/_auth/oauth/google/callback',\n                'http://localhost:8790/_auth/oauth/google/callback',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_OAUTH_SUCCESS_URL: {\n        ...envString({\n            description: 'OAuth callback page URL. This page should use OAuthCallback component to finalize session.',\n            required: false,\n            default: '/auth/callback',\n            examples: [\n                '/auth/callback',\n                'https://app.example.com/auth/callback',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_OAUTH_ERROR_URL: {\n        ...envString({\n            description: 'URL to redirect after OAuth error. Use {error} placeholder for error message.',\n            required: false,\n            default: '/auth/error?error={error}',\n            examples: [\n                'https://app.example.com/auth/error?error={error}',\n                'http://localhost:3000/auth/error?error={error}',\n            ],\n        }),\n    },\n});"],"mappings":";AAcA,SAAS,yBAAyB;;;ACLlC;AAAA,EACI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACG;AAoBA,IAAM,gBAAgB,gBAAgB;AAAA;AAAA;AAAA;AAAA,EAIzC,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,cAAc,CAAC,gBAAgB;AAAA,MAC/B,WAAW,yBAAyB;AAAA,QAChC,WAAW;AAAA,QACX,gBAAgB;AAAA,QAChB,YAAY;AAAA,MAChB,CAAC;AAAA,MACD,WAAW;AAAA,MACX,QAAQ;AAAA;AAAA,MACR,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,QAAQ;AAAA;AAAA,MACR,UAAU,CAAC,MAAM,OAAO,OAAO,OAAO,MAAM;AAAA,IAChD,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAsB;AAAA,IAClB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,MAAM,OAAO,MAAM,KAAK;AAAA,IACvC,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,8BAA8B;AAAA,IAC1B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,IAAI,IAAI,EAAE;AAAA,IACzB,CAAC;AAAA,IACD,KAAK;AAAA,EACT;AAAA,EAEA,qCAAqC;AAAA,IACjC,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,wBAAwB;AAAA,IACpB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,2BAA2B;AAAA,IACvB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU,CAAC,mBAAmB;AAAA,IAClC,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,WAAW,qBAAqB;AAAA,QAC5B,WAAW;AAAA,QACX,kBAAkB;AAAA,QAClB,kBAAkB;AAAA,QAClB,eAAe;AAAA,QACf,gBAAgB;AAAA,MACpB,CAAC;AAAA,MACD,WAAW;AAAA,MACX,UAAU,CAAC,iBAAiB;AAAA,IAChC,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,8BAA8B;AAAA,IAC1B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,GAAG,GAAG,CAAC;AAAA,IACtB,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,IAAI,IAAI,EAAE;AAAA,IACzB,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc;AAAA,IACV,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,cAAc;AAAA,IACV,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,4BAA4B;AAAA,IACxB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU,CAAC,6CAA6C;AAAA,IAC5D,CAAC;AAAA,EACL;AAAA,EAEA,gCAAgC;AAAA,IAC5B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,WAAW;AAAA,MACX,UAAU,CAAC,yBAAyB;AAAA,IACxC,CAAC;AAAA,EACL;AAAA,EAEA,yBAAyB;AAAA,IACrB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,6BAA6B;AAAA,IACzB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,2BAA2B;AAAA,IACvB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AACJ,CAAC;;;ADzTD,IAAM,WAAW,kBAAkB,aAAa;AACzC,IAAM,MAAM,SAAS,SAAS;","names":[]}
+{"version":3,"sources":["../src/config/index.ts","../src/config/schema.ts"],"sourcesContent":["/**\n * Core Package Configuration\n *\n * @example\n * ```typescript\n * import { registry } from '@spfn/core/config';\n *\n * const env = registry.validate();\n * console.log(env.DB_POOL_MAX);\n * ```\n *\n * @module config\n */\n\nimport { createEnvRegistry } from '@spfn/core/env';\nimport { authEnvSchema } from './schema';\n\nexport { authEnvSchema as envSchema } from './schema';\n\n/**\n * Environment registry\n */\nconst registry = createEnvRegistry(authEnvSchema);\nexport const env = registry.validate();","/**\n * Auth Environment Variable Schema\n *\n * Centralized schema definition for all environment variables used in @spfn/auth.\n * This provides type safety, validation, and documentation for Auth configuration.\n *\n * @module config/schema\n */\n\nimport {\n    defineEnvSchema,\n    envString,\n    envNumber,\n    envBoolean,\n    createSecureSecretParser,\n    createPasswordParser,\n} from '@spfn/core/env';\n\n/**\n * Auth environment variable schema\n *\n * Defines all Auth environment variables with:\n * - Type information\n * - Default values\n * - Validation rules\n * - Documentation\n *\n * @example\n * ```typescript\n * import { authEnvSchema } from '@spfn/auth/config';\n *\n * // Access schema information\n * console.log(authEnvSchema.SPFN_AUTH_SESSION_SECRET.description);\n * console.log(authEnvSchema.SPFN_AUTH_JWT_EXPIRES_IN.default);\n * ```\n */\nexport const authEnvSchema = defineEnvSchema({\n    // ============================================================================\n    // Session Configuration\n    // ============================================================================\n    SPFN_AUTH_SESSION_SECRET: {\n        ...envString({\n            description: 'Session encryption secret (minimum 32 characters for AES-256)',\n            required: true,\n            fallbackKeys: ['SESSION_SECRET'],\n            validator: createSecureSecretParser({\n                minLength: 32,\n                minUniqueChars: 16,\n                minEntropy: 3.5,\n            }),\n            sensitive: true,\n            nextjs: true, // Required for Next.js RSC session validation\n            examples: [\n                'my-super-secret-session-key-at-least-32-chars-long',\n                'use-a-cryptographically-secure-random-string-here',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_SESSION_TTL: {\n        ...envString({\n            description: 'Session TTL (time to live) - supports duration strings like \\'7d\\', \\'12h\\', \\'45m\\'',\n            default: '7d',\n            required: false,\n            nextjs: true, // May be needed for session validation in Next.js RSC\n            examples: ['7d', '30d', '12h', '45m', '3600'],\n        }),\n    },\n\n    // ============================================================================\n    // JWT Configuration\n    // ============================================================================\n    SPFN_AUTH_JWT_SECRET: {\n        ...envString({\n            description: 'JWT signing secret for server-signed tokens (legacy mode)',\n            default: 'dev-secret-key-change-in-production',\n            required: false,\n            examples: [\n                'your-jwt-secret-key-here',\n                'use-different-from-session-secret',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_JWT_EXPIRES_IN: {\n        ...envString({\n            description: 'JWT token expiration time (e.g., \\'7d\\', \\'24h\\', \\'1h\\')',\n            default: '7d',\n            required: false,\n            examples: ['7d', '24h', '1h', '30m'],\n        }),\n    },\n\n    // ============================================================================\n    // Security Configuration\n    // ============================================================================\n    SPFN_AUTH_COOKIE_SECURE: {\n        ...envBoolean({\n            description: 'Override cookie Secure flag. Defaults to NODE_ENV === \"production\". Set to false for HTTP-only environments (e.g. bastion over plain HTTP).',\n            required: false,\n            nextjs: true,\n            examples: [true, false],\n        }),\n    },\n\n    SPFN_AUTH_BCRYPT_SALT_ROUNDS: {\n        ...envNumber({\n            description: 'Bcrypt salt rounds (cost factor, higher = more secure but slower)',\n            default: 10,\n            required: false,\n            examples: [10, 12, 14],\n        }),\n        key: 'SPFN_AUTH_BCRYPT_SALT_ROUNDS',\n    },\n\n    SPFN_AUTH_VERIFICATION_TOKEN_SECRET: {\n        ...envString({\n            description: 'Verification token secret for email verification, password reset, etc.',\n            required: true,\n            examples: [\n                'your-verification-token-secret',\n                'can-be-different-from-jwt-secret',\n            ],\n        }),\n    },\n\n    // ============================================================================\n    // Admin Account Configuration\n    // ============================================================================\n    SPFN_AUTH_ADMIN_ACCOUNTS: {\n        ...envString({\n            description: 'JSON array of admin accounts (recommended for multiple admins)',\n            required: false,\n            examples: [\n                '[{\"email\":\"admin@example.com\",\"password\":\"secure-pass\",\"role\":\"admin\"}]',\n                '[{\"email\":\"super@example.com\",\"password\":\"pass1\",\"role\":\"superadmin\"},{\"email\":\"admin@example.com\",\"password\":\"pass2\",\"role\":\"admin\"}]',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_EMAILS: {\n        ...envString({\n            description: 'Comma-separated list of admin emails (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin@example.com,user@example.com',\n                'super@example.com,admin@example.com,user@example.com',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_PASSWORDS: {\n        ...envString({\n            description: 'Comma-separated list of admin passwords (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin-pass,user-pass',\n                'super-pass,admin-pass,user-pass',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_ROLES: {\n        ...envString({\n            description: 'Comma-separated list of admin roles (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin,user',\n                'superadmin,admin,user',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_EMAIL: {\n        ...envString({\n            description: 'Single admin email (simplest format)',\n            required: false,\n            examples: ['admin@example.com'],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_PASSWORD: {\n        ...envString({\n            description: 'Single admin password (simplest format)',\n            required: false,\n            validator: createPasswordParser({\n                minLength: 8,\n                requireUppercase: true,\n                requireLowercase: true,\n                requireNumber: true,\n                requireSpecial: true,\n            }),\n            sensitive: true,\n            examples: ['SecureAdmin123!'],\n        }),\n    },\n\n    // ============================================================================\n    // Username Configuration\n    // ============================================================================\n    SPFN_AUTH_RESERVED_USERNAMES: {\n        ...envString({\n            description: 'Comma-separated list of reserved usernames that cannot be registered',\n            required: false,\n            default: 'admin,root,system,support,help,moderator,superadmin',\n            examples: [\n                'admin,root,system,support,help',\n                'admin,root,system,support,help,moderator,superadmin,operator',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_USERNAME_MIN_LENGTH: {\n        ...envNumber({\n            description: 'Minimum username length',\n            default: 3,\n            required: false,\n            examples: [2, 3, 4],\n        }),\n    },\n\n    SPFN_AUTH_USERNAME_MAX_LENGTH: {\n        ...envNumber({\n            description: 'Maximum username length',\n            default: 30,\n            required: false,\n            examples: [20, 30, 50],\n        }),\n    },\n\n    // ============================================================================\n    // API Configuration\n    // ============================================================================\n    SPFN_API_URL: {\n        ...envString({\n            description: 'Internal API URL for server-to-server communication',\n            default: 'http://localhost:8790',\n            required: false,\n            examples: [\n                'https://api.example.com',\n                'http://localhost:8790',\n            ],\n        }),\n    },\n\n    NEXT_PUBLIC_SPFN_API_URL: {\n        ...envString({\n            description: 'Public-facing API URL used for browser-facing redirects (e.g. OAuth callback). Falls back to SPFN_API_URL if not set.',\n            required: false,\n            examples: [\n                'https://api.example.com',\n                'http://localhost:8790',\n            ],\n        }),\n    },\n\n    SPFN_APP_URL: {\n        ...envString({\n            description: 'Next.js application URL (internal). Used for server-to-server communication.',\n            default: 'http://localhost:3000',\n            required: false,\n            examples: [\n                'https://app.example.com',\n                'http://localhost:3000',\n            ],\n        }),\n    },\n\n    NEXT_PUBLIC_SPFN_APP_URL: {\n        ...envString({\n            description: 'Public-facing Next.js app URL for browser redirects (e.g. OAuth redirect). Falls back to SPFN_APP_URL if not set.',\n            required: false,\n            examples: [\n                'https://app.example.com',\n                'http://localhost:3000',\n            ],\n        }),\n    },\n\n    // ============================================================================\n    // OAuth Configuration - Google\n    // ============================================================================\n    SPFN_AUTH_GOOGLE_CLIENT_ID: {\n        ...envString({\n            description: 'Google OAuth 2.0 Client ID. When set, Google OAuth routes are automatically enabled.',\n            required: false,\n            examples: ['123456789-abc123.apps.googleusercontent.com'],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_CLIENT_SECRET: {\n        ...envString({\n            description: 'Google OAuth 2.0 Client Secret',\n            required: false,\n            sensitive: true,\n            examples: ['GOCSPX-abcdefghijklmnop'],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_SCOPES: {\n        ...envString({\n            description: 'Comma-separated Google OAuth scopes. Defaults to \"email,profile\" if not set.',\n            required: false,\n            examples: [\n                'email,profile',\n                'email,profile,https://www.googleapis.com/auth/gmail.readonly',\n                'email,profile,https://www.googleapis.com/auth/calendar.readonly',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_REDIRECT_URI: {\n        ...envString({\n            description: 'Google OAuth callback URL. Defaults to {NEXT_PUBLIC_SPFN_API_URL || SPFN_API_URL}/_auth/oauth/google/callback',\n            required: false,\n            examples: [\n                'https://api.example.com/_auth/oauth/google/callback',\n                'http://localhost:8790/_auth/oauth/google/callback',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_OAUTH_SUCCESS_URL: {\n        ...envString({\n            description: 'OAuth callback page URL. This page should use OAuthCallback component to finalize session.',\n            required: false,\n            default: '/auth/callback',\n            examples: [\n                '/auth/callback',\n                'https://app.example.com/auth/callback',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_OAUTH_ERROR_URL: {\n        ...envString({\n            description: 'URL to redirect after OAuth error. Use {error} placeholder for error message.',\n            required: false,\n            default: '/auth/error?error={error}',\n            examples: [\n                'https://app.example.com/auth/error?error={error}',\n                'http://localhost:3000/auth/error?error={error}',\n            ],\n        }),\n    },\n});"],"mappings":";AAcA,SAAS,yBAAyB;;;ACLlC;AAAA,EACI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACG;AAoBA,IAAM,gBAAgB,gBAAgB;AAAA;AAAA;AAAA;AAAA,EAIzC,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,cAAc,CAAC,gBAAgB;AAAA,MAC/B,WAAW,yBAAyB;AAAA,QAChC,WAAW;AAAA,QACX,gBAAgB;AAAA,QAChB,YAAY;AAAA,MAChB,CAAC;AAAA,MACD,WAAW;AAAA,MACX,QAAQ;AAAA;AAAA,MACR,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,QAAQ;AAAA;AAAA,MACR,UAAU,CAAC,MAAM,OAAO,OAAO,OAAO,MAAM;AAAA,IAChD,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAsB;AAAA,IAClB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,MAAM,OAAO,MAAM,KAAK;AAAA,IACvC,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,yBAAyB;AAAA,IACrB,GAAG,WAAW;AAAA,MACV,aAAa;AAAA,MACb,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,UAAU,CAAC,MAAM,KAAK;AAAA,IAC1B,CAAC;AAAA,EACL;AAAA,EAEA,8BAA8B;AAAA,IAC1B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,IAAI,IAAI,EAAE;AAAA,IACzB,CAAC;AAAA,IACD,KAAK;AAAA,EACT;AAAA,EAEA,qCAAqC;AAAA,IACjC,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,wBAAwB;AAAA,IACpB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,2BAA2B;AAAA,IACvB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU,CAAC,mBAAmB;AAAA,IAClC,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,WAAW,qBAAqB;AAAA,QAC5B,WAAW;AAAA,QACX,kBAAkB;AAAA,QAClB,kBAAkB;AAAA,QAClB,eAAe;AAAA,QACf,gBAAgB;AAAA,MACpB,CAAC;AAAA,MACD,WAAW;AAAA,MACX,UAAU,CAAC,iBAAiB;AAAA,IAChC,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,8BAA8B;AAAA,IAC1B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,GAAG,GAAG,CAAC;AAAA,IACtB,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,IAAI,IAAI,EAAE;AAAA,IACzB,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc;AAAA,IACV,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,cAAc;AAAA,IACV,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,4BAA4B;AAAA,IACxB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU,CAAC,6CAA6C;AAAA,IAC5D,CAAC;AAAA,EACL;AAAA,EAEA,gCAAgC;AAAA,IAC5B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,WAAW;AAAA,MACX,UAAU,CAAC,yBAAyB;AAAA,IACxC,CAAC;AAAA,EACL;AAAA,EAEA,yBAAyB;AAAA,IACrB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,6BAA6B;AAAA,IACzB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,2BAA2B;AAAA,IACvB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AACJ,CAAC;;;ADnUD,IAAM,WAAW,kBAAkB,aAAa;AACzC,IAAM,MAAM,SAAS,SAAS;","names":[]}

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 import * as _spfn_core_nextjs from '@spfn/core/nextjs';
-import { R as RoleConfig, P as PermissionConfig, C as CheckAccountExistsResult, S as SendVerificationCodeResult, a as RegisterResult, L as LoginResult, b as RotateKeyResult, O as OAuthStartResult, U as UserProfile, c as ProfileInfo, m as mainAuthRouter } from './authenticate-CRDUKQbi.js';
-export { k as AuthInitOptions, A as AuthSession, I as INVITATION_STATUSES, n as InvitationStatus, K as KEY_ALGORITHM, l as KeyAlgorithmType, i as PERMISSION_CATEGORIES, j as PermissionCategory, e as SOCIAL_PROVIDERS, p as SocialProvider, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, f as VerificationPurpose, V as VerificationTargetType } from './authenticate-CRDUKQbi.js';
+import { R as RoleConfig, P as PermissionConfig, C as CheckAccountExistsResult, S as SendVerificationCodeResult, a as RegisterResult, L as LoginResult, b as RotateKeyResult, I as IssueOneTimeTokenResult, O as OAuthStartResult, U as UserProfile, c as ProfileInfo, m as mainAuthRouter } from './authenticate-eucncHxN.js';
+export { l as AuthInitOptions, A as AuthSession, d as INVITATION_STATUSES, o as InvitationStatus, K as KEY_ALGORITHM, n as KeyAlgorithmType, j as PERMISSION_CATEGORIES, k as PermissionCategory, f as SOCIAL_PROVIDERS, q as SocialProvider, e as USER_STATUSES, p as UserStatus, i as VERIFICATION_PURPOSES, h as VERIFICATION_TARGET_TYPES, g as VerificationPurpose, V as VerificationTargetType } from './authenticate-eucncHxN.js';
 import * as _spfn_core_route from '@spfn/core/route';
 import { HttpMethod } from '@spfn/core/route';
 import * as _sinclair_typebox from '@sinclair/typebox';
@@ -177,6 +177,7 @@ declare const authApi: _spfn_core_nextjs.Client<_spfn_core_route.Router<{
         emailVerified: boolean;
         phoneVerified: boolean;
     }>;
+    issueOneTimeToken: _spfn_core_route.RouteDef<{}, {}, IssueOneTimeTokenResult>;
     oauthGoogleStart: _spfn_core_route.RouteDef<{
         query: _sinclair_typebox.TObject<{
             state: _sinclair_typebox.TString;

package/dist/index.js

@@ -172,6 +172,7 @@ var routeMap = {
   rotateKey: { method: "POST", path: "/_auth/keys/rotate" },
   changePassword: { method: "PUT", path: "/_auth/password" },
   getAuthSession: { method: "GET", path: "/_auth/session" },
+  issueOneTimeToken: { method: "POST", path: "/_auth/tokens" },
   getInvitation: { method: "GET", path: "/_auth/invitations/:token" },
   acceptInvitation: { method: "POST", path: "/_auth/invitations/accept" },
   createInvitation: { method: "POST", path: "/_auth/invitations" },