@spfn/auth 0.2.0-beta.5 → 0.2.0-beta.50

package/dist/{dto-Bb2qFUO6.d.ts → authenticate-eucncHxN.d.ts}

@@ -1,8 +1,88 @@
+import * as _spfn_core_route from '@spfn/core/route';
 import * as _sinclair_typebox from '@sinclair/typebox';
 import { Static } from '@sinclair/typebox';
-import * as _spfn_core_route from '@spfn/core/route';
 import { User } from '@spfn/auth/server';
 
+/**
+ * Role information for client/API responses
+ */
+interface Role {
+    id: number;
+    name: string;
+    displayName: string;
+    description: string | null;
+    isBuiltin: boolean;
+    isSystem: boolean;
+    isActive: boolean;
+    priority: number;
+    createdAt: Date;
+    updatedAt: Date;
+}
+/**
+ * Permission information for client/API responses
+ */
+interface Permission {
+    id: number;
+    name: string;
+    displayName: string;
+    description: string | null;
+    category: string | null;
+    isBuiltin: boolean;
+    isSystem: boolean;
+    isActive: boolean;
+    metadata: Record<string, any> | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface AuthSession {
+    userId: number;
+    publicId: string;
+    email: string | null;
+    emailVerified: boolean;
+    phoneVerified: boolean;
+    role: Role;
+    permissions: Permission[];
+}
+interface ProfileInfo {
+    profileId: number;
+    displayName: string | null;
+    firstName: string | null;
+    lastName: string | null;
+    avatarUrl: string | null;
+    bio: string | null;
+    locale: string;
+    timezone: string;
+    website: string | null;
+    location: string | null;
+    company: string | null;
+    jobTitle: string | null;
+    metadata: Record<string, any> | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+/**
+ * User Profile Response
+ *
+ * Complete user data including:
+ * - User fields at top level (userId, email, etc.)
+ * - Profile data as nested field (optional)
+ *
+ * Excludes:
+ * - Role and permissions (use auth session API)
+ */
+interface UserProfile {
+    userId: number;
+    publicId: string;
+    email: string | null;
+    username: string | null;
+    emailVerified: boolean;
+    phoneVerified: boolean;
+    lastLoginAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date;
+    profile: ProfileInfo | null;
+}
+
 /**
  * @spfn/auth - Shared Types
  *
@@ -71,9 +151,11 @@ interface RegisterParams {
     keyId: string;
     fingerprint: string;
     algorithm?: KeyAlgorithmType;
+    metadata?: Record<string, unknown>;
 }
 interface RegisterResult {
     userId: string;
+    publicId: string;
     email?: string;
     phone?: string;
 }
@@ -89,6 +171,7 @@ interface LoginParams {
 }
 interface LoginResult {
     userId: string;
+    publicId: string;
     email?: string;
     phone?: string;
     passwordChangeRequired: boolean;
@@ -299,6 +382,98 @@ interface AuthInitOptions {
     sessionTtl?: string | number;
 }
 
+/**
+ * One-Time Token Service
+ *
+ * Issues and verifies one-time tokens for direct API access.
+ */
+interface IssueOneTimeTokenResult {
+    token: string;
+    expiresAt: string;
+}
+/**
+ * Issue a one-time token for the authenticated user
+ *
+ * @param userId - Authenticated user's ID
+ * @returns Token string and ISO expiration timestamp
+ */
+declare function issueOneTimeTokenService(userId: string): Promise<IssueOneTimeTokenResult>;
+/**
+ * Verify and consume a one-time token
+ *
+ * @param token - The one-time token to verify
+ * @returns userId if valid, null if invalid/expired/consumed
+ */
+declare function verifyOneTimeTokenService(token: string): Promise<string | null>;
+
+/**
+ * @spfn/auth - OAuth Service
+ *
+ * OAuth 인증 비즈니스 로직
+ * - Google OAuth Authorization Code Flow
+ * - 소셜 계정 연결/생성
+ * - publicKey는 state에서 추출하여 등록
+ */
+
+interface OAuthStartParams {
+    provider: SocialProvider;
+    returnUrl: string;
+    publicKey: string;
+    keyId: string;
+    fingerprint: string;
+    algorithm: KeyAlgorithmType;
+    metadata?: Record<string, unknown>;
+}
+interface OAuthStartResult {
+    authUrl: string;
+}
+interface OAuthCallbackParams {
+    provider: SocialProvider;
+    code: string;
+    state: string;
+}
+interface OAuthCallbackResult {
+    redirectUrl: string;
+    userId: string;
+    keyId: string;
+    isNewUser: boolean;
+}
+/**
+ * OAuth 로그인 시작 - Provider 로그인 페이지로 리다이렉트할 URL 생성
+ *
+ * Next.js에서 키쌍을 생성한 후, publicKey를 state에 포함하여 호출
+ */
+declare function oauthStartService(params: OAuthStartParams): Promise<OAuthStartResult>;
+/**
+ * OAuth 콜백 처리 - Code를 Token으로 교환하고 사용자 생성/연결
+ *
+ * state에서 publicKey를 추출하여 서버에 등록
+ * Next.js는 반환된 userId, keyId로 세션을 구성
+ */
+declare function oauthCallbackService(params: OAuthCallbackParams): Promise<OAuthCallbackResult>;
+/**
+ * OAuth 에러 리다이렉트 URL 생성
+ */
+declare function buildOAuthErrorUrl(error: string): string;
+/**
+ * OAuth provider가 활성화되어 있는지 확인
+ */
+declare function isOAuthProviderEnabled(provider: SocialProvider): boolean;
+/**
+ * 활성화된 모든 OAuth provider 목록
+ */
+declare function getEnabledOAuthProviders(): SocialProvider[];
+/**
+ * Google access token 조회 (만료 시 자동 리프레시)
+ *
+ * 저장된 토큰이 만료 임박(5분 이내) 또는 만료 상태이면
+ * refresh token으로 자동 갱신 후 DB 업데이트하여 유효한 토큰 반환.
+ *
+ * @param userId - 사용자 ID
+ * @returns 유효한 Google access token
+ */
+declare function getGoogleAccessToken(userId: number): Promise<string>;
+
 /**
  * @spfn/auth - Main Router
  *
@@ -310,29 +485,150 @@ interface AuthInitOptions {
  *
  * Routes:
  * - Auth: /_auth/exists, /_auth/codes, /_auth/login, /_auth/logout, etc.
+ * - OAuth: /_auth/oauth/google, /_auth/oauth/google/callback, etc.
  * - Invitations: /_auth/invitations/*
  * - Users: /_auth/users/*
+ * - Admin: /_auth/admin/* (superadmin only)
  */
 declare const mainAuthRouter: _spfn_core_route.Router<{
-    getUserProfile: _spfn_core_route.RouteDef<{}, {}, UserProfile>;
-    updateUserProfile: _spfn_core_route.RouteDef<{
+    checkAccountExists: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TString;
+        }>, _sinclair_typebox.TObject<{
+            phone: _sinclair_typebox.TString;
+        }>]>;
+    }, {}, CheckAccountExistsResult>;
+    sendVerificationCode: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            displayName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            firstName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            lastName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            avatarUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            bio: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            locale: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            timezone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            dateOfBirth: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            gender: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            website: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            location: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            company: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            jobTitle: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TAny>>;
+            target: _sinclair_typebox.TString;
+            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
+            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
         }>;
-    }, {}, ProfileInfo>;
+    }, {}, SendVerificationCodeResult>;
+    verifyCode: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            target: _sinclair_typebox.TString;
+            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
+            code: _sinclair_typebox.TString;
+            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+        }>;
+    }, {}, {
+        valid: boolean;
+        verificationToken: string;
+    }>;
+    register: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            verificationToken: _sinclair_typebox.TString;
+            password: _sinclair_typebox.TString;
+            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TUnknown>>;
+        }>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+        }>;
+    }, RegisterResult>;
+    login: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            password: _sinclair_typebox.TString;
+        }>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+            oldKeyId: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, LoginResult>;
+    logout: _spfn_core_route.RouteDef<{}, {}, void>;
+    rotateKey: _spfn_core_route.RouteDef<{}, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+        }>;
+    }, RotateKeyResult>;
+    changePassword: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            currentPassword: _sinclair_typebox.TString;
+            newPassword: _sinclair_typebox.TString;
+        }>;
+    }, {}, void>;
+    getAuthSession: _spfn_core_route.RouteDef<{}, {}, {
+        role: {
+            id: number;
+            name: string;
+            displayName: string;
+            priority: number;
+        };
+        permissions: {
+            id: number;
+            name: string;
+            displayName: string;
+            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
+        }[];
+        userId: number;
+        publicId: string;
+        email: string | null;
+        emailVerified: boolean;
+        phoneVerified: boolean;
+    }>;
+    issueOneTimeToken: _spfn_core_route.RouteDef<{}, {}, IssueOneTimeTokenResult>;
+    oauthGoogleStart: _spfn_core_route.RouteDef<{
+        query: _sinclair_typebox.TObject<{
+            state: _sinclair_typebox.TString;
+        }>;
+    }, {}, Response>;
+    oauthGoogleCallback: _spfn_core_route.RouteDef<{
+        query: _sinclair_typebox.TObject<{
+            code: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            state: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            error: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            error_description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, {}, Response>;
+    oauthStart: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "github" | "kakao" | "naver">[]>;
+            returnUrl: _sinclair_typebox.TString;
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TUnknown>>;
+        }>;
+    }, {}, OAuthStartResult>;
+    oauthProviders: _spfn_core_route.RouteDef<{}, {}, {
+        providers: ("google" | "github" | "kakao" | "naver")[];
+    }>;
+    getGoogleOAuthUrl: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            returnUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            state: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, {}, {
+        authUrl: string;
+    }>;
+    oauthFinalize: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            userId: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            returnUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, {}, {
+        success: boolean;
+        userId: string;
+        keyId: string;
+        returnUrl: string;
+    }>;
     getInvitation: _spfn_core_route.RouteDef<{
         params: _sinclair_typebox.TObject<{
             token: _sinclair_typebox.TString;
@@ -367,6 +663,7 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
             email: _sinclair_typebox.TString;
             roleId: _sinclair_typebox.TNumber;
             expiresInDays: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            expiresAt: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
             metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TAny>;
         }>;
     }, {}, {
@@ -433,97 +730,138 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
             id: _sinclair_typebox.TNumber;
         }>;
     }, {}, void>;
-    checkAccountExists: _spfn_core_route.RouteDef<{
-        body: _sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
-            email: _sinclair_typebox.TString;
-        }>, _sinclair_typebox.TObject<{
-            phone: _sinclair_typebox.TString;
-        }>]>;
-    }, {}, CheckAccountExistsResult>;
-    sendVerificationCode: _spfn_core_route.RouteDef<{
+    getUserProfile: _spfn_core_route.RouteDef<{}, {}, UserProfile>;
+    updateUserProfile: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            target: _sinclair_typebox.TString;
-            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
-            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+            displayName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            firstName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            lastName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            avatarUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            bio: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            locale: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            timezone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            dateOfBirth: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            gender: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            website: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            location: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            company: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            jobTitle: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TAny>>;
         }>;
-    }, {}, SendVerificationCodeResult>;
-    verifyCode: _spfn_core_route.RouteDef<{
-        body: _sinclair_typebox.TObject<{
-            target: _sinclair_typebox.TString;
-            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
-            code: _sinclair_typebox.TString;
-            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+    }, {}, ProfileInfo>;
+    checkUsername: _spfn_core_route.RouteDef<{
+        query: _sinclair_typebox.TObject<{
+            username: _sinclair_typebox.TString;
         }>;
     }, {}, {
-        valid: boolean;
-        verificationToken: string;
+        available: boolean;
     }>;
-    register: _spfn_core_route.RouteDef<{
+    updateUsername: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            verificationToken: _sinclair_typebox.TString;
-            password: _sinclair_typebox.TString;
-        }>;
-    }, {
-        body: _sinclair_typebox.TObject<{
-            publicKey: _sinclair_typebox.TString;
-            keyId: _sinclair_typebox.TString;
-            fingerprint: _sinclair_typebox.TString;
-            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
-        }>;
-    }, RegisterResult>;
-    login: _spfn_core_route.RouteDef<{
-        body: _sinclair_typebox.TObject<{
-            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            password: _sinclair_typebox.TString;
+            username: _sinclair_typebox.TUnion<[_sinclair_typebox.TString, _sinclair_typebox.TNull]>;
         }>;
-    }, {
+    }, {}, {
+        createdAt: Date;
+        updatedAt: Date;
+        id: number;
+        publicId: string;
+        email: string | null;
+        phone: string | null;
+        username: string | null;
+        passwordHash: string | null;
+        passwordChangeRequired: boolean;
+        roleId: number;
+        status: "active" | "inactive" | "suspended";
+        emailVerifiedAt: Date | null;
+        phoneVerifiedAt: Date | null;
+        lastLoginAt: Date | null;
+    }>;
+    updateLocale: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            publicKey: _sinclair_typebox.TString;
-            keyId: _sinclair_typebox.TString;
-            fingerprint: _sinclair_typebox.TString;
-            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
-            oldKeyId: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            locale: _sinclair_typebox.TString;
         }>;
-    }, LoginResult>;
-    logout: _spfn_core_route.RouteDef<{
-        body: _sinclair_typebox.TObject<{}>;
-    }, {}, void>;
-    rotateKey: _spfn_core_route.RouteDef<{
-        body: _sinclair_typebox.TObject<{}>;
-    }, {
-        body: _sinclair_typebox.TObject<{
-            publicKey: _sinclair_typebox.TString;
-            keyId: _sinclair_typebox.TString;
-            fingerprint: _sinclair_typebox.TString;
-            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+    }, {}, {
+        locale: string;
+    }>;
+    listRoles: _spfn_core_route.RouteDef<{
+        query: _sinclair_typebox.TObject<{
+            includeInactive: _sinclair_typebox.TOptional<_sinclair_typebox.TBoolean>;
         }>;
-    }, RotateKeyResult>;
-    changePassword: _spfn_core_route.RouteDef<{
+    }, {}, {
+        roles: {
+            description: string | null;
+            id: number;
+            name: string;
+            displayName: string;
+            isBuiltin: boolean;
+            isSystem: boolean;
+            isActive: boolean;
+            priority: number;
+            createdAt: Date;
+            updatedAt: Date;
+        }[];
+    }>;
+    createAdminRole: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            currentPassword: _sinclair_typebox.TString;
-            newPassword: _sinclair_typebox.TString;
+            name: _sinclair_typebox.TString;
+            displayName: _sinclair_typebox.TString;
+            description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            priority: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            permissionIds: _sinclair_typebox.TOptional<_sinclair_typebox.TArray<_sinclair_typebox.TNumber>>;
         }>;
-    }, {}, void>;
-    getAuthSession: _spfn_core_route.RouteDef<{}, {}, {
+    }, {}, {
         role: {
+            description: string | null;
             id: number;
             name: string;
             displayName: string;
+            isBuiltin: boolean;
+            isSystem: boolean;
+            isActive: boolean;
             priority: number;
+            createdAt: Date;
+            updatedAt: Date;
         };
-        permissions: {
+    }>;
+    updateAdminRole: _spfn_core_route.RouteDef<{
+        params: _sinclair_typebox.TObject<{
+            id: _sinclair_typebox.TNumber;
+        }>;
+        body: _sinclair_typebox.TObject<{
+            displayName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            priority: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            isActive: _sinclair_typebox.TOptional<_sinclair_typebox.TBoolean>;
+        }>;
+    }, {}, {
+        role: {
+            description: string | null;
             id: number;
             name: string;
             displayName: string;
-            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
-        }[];
+            isBuiltin: boolean;
+            isSystem: boolean;
+            isActive: boolean;
+            priority: number;
+            createdAt: Date;
+            updatedAt: Date;
+        };
+    }>;
+    deleteAdminRole: _spfn_core_route.RouteDef<{
+        params: _sinclair_typebox.TObject<{
+            id: _sinclair_typebox.TNumber;
+        }>;
+    }, {}, void>;
+    updateUserRole: _spfn_core_route.RouteDef<{
+        params: _sinclair_typebox.TObject<{
+            userId: _sinclair_typebox.TNumber;
+        }>;
+        body: _sinclair_typebox.TObject<{
+            roleId: _sinclair_typebox.TNumber;
+        }>;
+    }, {}, {
         userId: number;
-        email: string | null;
-        emailVerified: boolean;
-        phoneVerified: boolean;
+        roleId: number;
     }>;
 }>;
 
@@ -531,6 +869,8 @@ interface AuthContext {
     user: User;
     userId: string;
     keyId: string;
+    role: string | null;
+    locale: string;
 }
 declare module 'hono' {
     interface ContextVariableMap {
@@ -568,82 +908,33 @@ declare module 'hono' {
  * ```
  */
 declare const authenticate: _spfn_core_route.NamedMiddleware<"auth">;
-
-/**
- * Role information for client/API responses
- */
-interface Role {
-    id: number;
-    name: string;
-    displayName: string;
-    description: string | null;
-    isBuiltin: boolean;
-    isSystem: boolean;
-    isActive: boolean;
-    priority: number;
-    createdAt: Date;
-    updatedAt: Date;
-}
 /**
- * Permission information for client/API responses
- */
-interface Permission {
-    id: number;
-    name: string;
-    displayName: string;
-    description: string | null;
-    category: string | null;
-    isBuiltin: boolean;
-    isSystem: boolean;
-    isActive: boolean;
-    metadata: Record<string, any> | null;
-    createdAt: Date;
-    updatedAt: Date;
-}
-interface AuthSession {
-    userId: number;
-    email: string | null;
-    emailVerified: boolean;
-    phoneVerified: boolean;
-    role: Role;
-    permissions: Permission[];
-}
-interface ProfileInfo {
-    profileId: number;
-    displayName: string;
-    firstName: string | null;
-    lastName: string | null;
-    avatarUrl: string | null;
-    bio: string | null;
-    locale: string;
-    timezone: string;
-    website: string | null;
-    location: string | null;
-    company: string | null;
-    jobTitle: string | null;
-    metadata: Record<string, any> | null;
-    createdAt: Date;
-    updatedAt: Date;
-}
-/**
- * User Profile Response
+ * Optional authentication middleware
  *
- * Complete user data including:
- * - User fields at top level (userId, email, etc.)
- * - Profile data as nested field (optional)
+ * Same as `authenticate` but does NOT reject unauthenticated requests.
+ * - No token → continues without auth context
+ * - Invalid token → continues without auth context
+ * - Valid token → sets auth context normally
  *
- * Excludes:
- * - Role and permissions (use auth session API)
+ * Auto-skips the global 'auth' middleware when used at route level.
+ *
+ * @example
+ * ```typescript
+ * // No need for .skip(['auth']) — handled automatically
+ * export const getProducts = route.get('/products')
+ *   .use([optionalAuth])
+ *   .handler(async (c) => {
+ *     const auth = getOptionalAuth(c);  // AuthContext | undefined
+ *
+ *     if (auth)
+ *     {
+ *       return getPersonalizedProducts(auth.userId);
+ *     }
+ *
+ *     return getPublicProducts();
+ *   });
+ * ```
  */
-interface UserProfile {
-    userId: number;
-    email: string | null;
-    emailVerified: boolean;
-    phoneVerified: boolean;
-    lastLoginAt: Date | null;
-    createdAt: Date;
-    updatedAt: Date;
-    profile: ProfileInfo | null;
-}
+declare const optionalAuth: _spfn_core_route.NamedMiddleware<"optionalAuth">;
 
-export { VerificationPurposeSchema as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type RegisterPublicKeyParams as O, type PermissionConfig as P, type RotateKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RevokeKeyParams as T, type UserProfile as U, type VerificationTargetType as V, authenticate as W, EmailSchema as X, PhoneSchema as Y, PasswordSchema as Z, TargetTypeSchema as _, type ProfileInfo as a, type RegisterResult as b, type RotateKeyResult as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };
+export { oauthCallbackService as $, type AuthSession as A, type LogoutParams as B, type CheckAccountExistsResult as C, type ChangePasswordParams as D, sendVerificationCodeService as E, verifyCodeService as F, type SendVerificationCodeParams as G, type VerifyCodeParams as H, type IssueOneTimeTokenResult as I, type VerifyCodeResult as J, KEY_ALGORITHM as K, type LoginResult as L, registerPublicKeyService as M, rotateKeyService as N, type OAuthStartResult as O, type PermissionConfig as P, revokeKeyService as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RegisterPublicKeyParams as T, type UserProfile as U, type VerificationTargetType as V, type RotateKeyParams as W, type RevokeKeyParams as X, issueOneTimeTokenService as Y, verifyOneTimeTokenService as Z, oauthStartService as _, type RegisterResult as a, buildOAuthErrorUrl as a0, isOAuthProviderEnabled as a1, getEnabledOAuthProviders as a2, getGoogleAccessToken as a3, type OAuthStartParams as a4, type OAuthCallbackParams as a5, type OAuthCallbackResult as a6, authenticate as a7, optionalAuth as a8, EmailSchema as a9, PhoneSchema as aa, PasswordSchema as ab, TargetTypeSchema as ac, VerificationPurposeSchema as ad, type RotateKeyResult as b, type ProfileInfo as c, INVITATION_STATUSES as d, USER_STATUSES as e, SOCIAL_PROVIDERS as f, type VerificationPurpose as g, VERIFICATION_TARGET_TYPES as h, VERIFICATION_PURPOSES as i, PERMISSION_CATEGORIES as j, type PermissionCategory as k, type AuthInitOptions as l, mainAuthRouter as m, type KeyAlgorithmType as n, type InvitationStatus as o, type UserStatus as p, type SocialProvider as q, type AuthContext as r, checkAccountExistsService as s, registerService as t, loginService as u, logoutService as v, changePasswordService as w, type CheckAccountExistsParams as x, type RegisterParams as y, type LoginParams as z };