@spfn/auth 0.2.0-beta.6 → 0.2.0-beta.60

package/dist/{dto-Bb2qFUO6.d.ts → authenticate-B_HkYBzq.d.ts}

@@ -1,51 +1,89 @@
+import * as _spfn_core_route from '@spfn/core/route';
+import { K as KeyAlgorithmType, d as SocialProvider } from './types-B1CzVZkU.js';
 import * as _sinclair_typebox from '@sinclair/typebox';
 import { Static } from '@sinclair/typebox';
-import * as _spfn_core_route from '@spfn/core/route';
 import { User } from '@spfn/auth/server';
 
 /**
- * @spfn/auth - Shared Types
- *
- * Common types and constants used across the auth package
- */
-/**
- * Supported JWT signature algorithms
- *
- * - ES256: ECDSA with P-256 and SHA-256 (recommended, smaller keys)
- * - RS256: RSA with SHA-256 (fallback, larger keys)
- */
-declare const KEY_ALGORITHM: readonly ["ES256", "RS256"];
-/**
- * Key algorithm type derived from the const array
- */
-type KeyAlgorithmType = typeof KEY_ALGORITHM[number];
-/**
- * Invitation status enum values
- * Single source of truth for all invitation statuses
- */
-declare const INVITATION_STATUSES: readonly ["pending", "accepted", "expired", "cancelled"];
-/**
- * Invitation status type derived from the const array
- */
-type InvitationStatus = typeof INVITATION_STATUSES[number];
-/**
- * User status enum values
- * Single source of truth for all user statuses
- */
-declare const USER_STATUSES: readonly ["active", "inactive", "suspended"];
-/**
- * User status type derived from the const array
+ * Role information for client/API responses
  */
-type UserStatus = typeof USER_STATUSES[number];
+interface Role {
+    id: number;
+    name: string;
+    displayName: string;
+    description: string | null;
+    isBuiltin: boolean;
+    isSystem: boolean;
+    isActive: boolean;
+    priority: number;
+    createdAt: Date;
+    updatedAt: Date;
+}
 /**
- * Social provider enum values
- * Single source of truth for supported OAuth providers
+ * Permission information for client/API responses
  */
-declare const SOCIAL_PROVIDERS: readonly ["google", "github", "kakao", "naver"];
+interface Permission {
+    id: number;
+    name: string;
+    displayName: string;
+    description: string | null;
+    category: string | null;
+    isBuiltin: boolean;
+    isSystem: boolean;
+    isActive: boolean;
+    metadata: Record<string, any> | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface AuthSession {
+    userId: number;
+    publicId: string;
+    email: string | null;
+    emailVerified: boolean;
+    phoneVerified: boolean;
+    hasPassword: boolean;
+    role: Role;
+    permissions: Permission[];
+}
+interface ProfileInfo {
+    profileId: number;
+    displayName: string | null;
+    firstName: string | null;
+    lastName: string | null;
+    avatarUrl: string | null;
+    bio: string | null;
+    locale: string;
+    timezone: string;
+    website: string | null;
+    location: string | null;
+    company: string | null;
+    jobTitle: string | null;
+    metadata: Record<string, any> | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
 /**
- * Social provider type derived from the const array
+ * User Profile Response
+ *
+ * Complete user data including:
+ * - User fields at top level (userId, email, etc.)
+ * - Profile data as nested field (optional)
+ *
+ * Excludes:
+ * - Role and permissions (use auth session API)
  */
-type SocialProvider = typeof SOCIAL_PROVIDERS[number];
+interface UserProfile {
+    userId: number;
+    publicId: string;
+    email: string | null;
+    username: string | null;
+    emailVerified: boolean;
+    phoneVerified: boolean;
+    lastLoginAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date;
+    profile: ProfileInfo | null;
+}
 
 /**
  * @spfn/auth - Auth Service
@@ -71,9 +109,11 @@ interface RegisterParams {
     keyId: string;
     fingerprint: string;
     algorithm?: KeyAlgorithmType;
+    metadata?: Record<string, unknown>;
 }
 interface RegisterResult {
     userId: string;
+    publicId: string;
     email?: string;
     phone?: string;
 }
@@ -89,6 +129,7 @@ interface LoginParams {
 }
 interface LoginResult {
     userId: string;
+    publicId: string;
     email?: string;
     phone?: string;
     passwordChangeRequired: boolean;
@@ -99,7 +140,7 @@ interface LogoutParams {
 }
 interface ChangePasswordParams {
     userId: number;
-    currentPassword: string;
+    currentPassword?: string;
     newPassword: string;
     passwordHash?: string;
 }
@@ -299,6 +340,98 @@ interface AuthInitOptions {
     sessionTtl?: string | number;
 }
 
+/**
+ * One-Time Token Service
+ *
+ * Issues and verifies one-time tokens for direct API access.
+ */
+interface IssueOneTimeTokenResult {
+    token: string;
+    expiresAt: string;
+}
+/**
+ * Issue a one-time token for the authenticated user
+ *
+ * @param userId - Authenticated user's ID
+ * @returns Token string and ISO expiration timestamp
+ */
+declare function issueOneTimeTokenService(userId: string): Promise<IssueOneTimeTokenResult>;
+/**
+ * Verify and consume a one-time token
+ *
+ * @param token - The one-time token to verify
+ * @returns userId if valid, null if invalid/expired/consumed
+ */
+declare function verifyOneTimeTokenService(token: string): Promise<string | null>;
+
+/**
+ * @spfn/auth - OAuth Service
+ *
+ * OAuth 인증 비즈니스 로직
+ * - Google OAuth Authorization Code Flow
+ * - 소셜 계정 연결/생성
+ * - publicKey는 state에서 추출하여 등록
+ */
+
+interface OAuthStartParams {
+    provider: SocialProvider;
+    returnUrl: string;
+    publicKey: string;
+    keyId: string;
+    fingerprint: string;
+    algorithm: KeyAlgorithmType;
+    metadata?: Record<string, unknown>;
+}
+interface OAuthStartResult {
+    authUrl: string;
+}
+interface OAuthCallbackParams {
+    provider: SocialProvider;
+    code: string;
+    state: string;
+}
+interface OAuthCallbackResult {
+    redirectUrl: string;
+    userId: string;
+    keyId: string;
+    isNewUser: boolean;
+}
+/**
+ * OAuth 로그인 시작 - Provider 로그인 페이지로 리다이렉트할 URL 생성
+ *
+ * Next.js에서 키쌍을 생성한 후, publicKey를 state에 포함하여 호출
+ */
+declare function oauthStartService(params: OAuthStartParams): Promise<OAuthStartResult>;
+/**
+ * OAuth 콜백 처리 - Code를 Token으로 교환하고 사용자 생성/연결
+ *
+ * state에서 publicKey를 추출하여 서버에 등록
+ * Next.js는 반환된 userId, keyId로 세션을 구성
+ */
+declare function oauthCallbackService(params: OAuthCallbackParams): Promise<OAuthCallbackResult>;
+/**
+ * OAuth 에러 리다이렉트 URL 생성
+ */
+declare function buildOAuthErrorUrl(error: string): string;
+/**
+ * OAuth provider가 활성화되어 있는지 확인
+ */
+declare function isOAuthProviderEnabled(provider: SocialProvider): boolean;
+/**
+ * 활성화된 모든 OAuth provider 목록
+ */
+declare function getEnabledOAuthProviders(): SocialProvider[];
+/**
+ * Google access token 조회 (만료 시 자동 리프레시)
+ *
+ * 저장된 토큰이 만료 임박(5분 이내) 또는 만료 상태이면
+ * refresh token으로 자동 갱신 후 DB 업데이트하여 유효한 토큰 반환.
+ *
+ * @param userId - 사용자 ID
+ * @returns 유효한 Google access token
+ */
+declare function getGoogleAccessToken(userId: number): Promise<string>;
+
 /**
  * @spfn/auth - Main Router
  *
@@ -310,29 +443,151 @@ interface AuthInitOptions {
  *
  * Routes:
  * - Auth: /_auth/exists, /_auth/codes, /_auth/login, /_auth/logout, etc.
+ * - OAuth: /_auth/oauth/google, /_auth/oauth/google/callback, etc.
  * - Invitations: /_auth/invitations/*
  * - Users: /_auth/users/*
+ * - Admin: /_auth/admin/* (superadmin only)
  */
 declare const mainAuthRouter: _spfn_core_route.Router<{
-    getUserProfile: _spfn_core_route.RouteDef<{}, {}, UserProfile>;
-    updateUserProfile: _spfn_core_route.RouteDef<{
+    checkAccountExists: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TString;
+        }>, _sinclair_typebox.TObject<{
+            phone: _sinclair_typebox.TString;
+        }>]>;
+    }, {}, CheckAccountExistsResult>;
+    sendVerificationCode: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            displayName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            firstName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            lastName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            avatarUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            bio: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            locale: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            timezone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            dateOfBirth: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            gender: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            website: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            location: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            company: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            jobTitle: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TAny>>;
+            target: _sinclair_typebox.TString;
+            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
+            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
         }>;
-    }, {}, ProfileInfo>;
+    }, {}, SendVerificationCodeResult>;
+    verifyCode: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            target: _sinclair_typebox.TString;
+            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
+            code: _sinclair_typebox.TString;
+            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+        }>;
+    }, {}, {
+        valid: boolean;
+        verificationToken: string;
+    }>;
+    register: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            verificationToken: _sinclair_typebox.TString;
+            password: _sinclair_typebox.TString;
+            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TUnknown>>;
+        }>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+        }>;
+    }, RegisterResult>;
+    login: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            password: _sinclair_typebox.TString;
+        }>;
+    }, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+            oldKeyId: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, LoginResult>;
+    logout: _spfn_core_route.RouteDef<{}, {}, void>;
+    rotateKey: _spfn_core_route.RouteDef<{}, {
+        body: _sinclair_typebox.TObject<{
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+        }>;
+    }, RotateKeyResult>;
+    changePassword: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            currentPassword: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            newPassword: _sinclair_typebox.TString;
+        }>;
+    }, {}, void>;
+    getAuthSession: _spfn_core_route.RouteDef<{}, {}, {
+        role: {
+            id: number;
+            name: string;
+            displayName: string;
+            priority: number;
+        };
+        permissions: {
+            id: number;
+            name: string;
+            displayName: string;
+            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
+        }[];
+        userId: number;
+        publicId: string;
+        email: string | null;
+        emailVerified: boolean;
+        phoneVerified: boolean;
+        hasPassword: boolean;
+    }>;
+    issueOneTimeToken: _spfn_core_route.RouteDef<{}, {}, IssueOneTimeTokenResult>;
+    oauthGoogleStart: _spfn_core_route.RouteDef<{
+        query: _sinclair_typebox.TObject<{
+            state: _sinclair_typebox.TString;
+        }>;
+    }, {}, Response>;
+    oauthGoogleCallback: _spfn_core_route.RouteDef<{
+        query: _sinclair_typebox.TObject<{
+            code: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            state: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            error: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            error_description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, {}, Response>;
+    oauthStart: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "github" | "kakao" | "naver">[]>;
+            returnUrl: _sinclair_typebox.TString;
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TUnknown>>;
+        }>;
+    }, {}, OAuthStartResult>;
+    oauthProviders: _spfn_core_route.RouteDef<{}, {}, {
+        providers: ("google" | "github" | "kakao" | "naver")[];
+    }>;
+    getGoogleOAuthUrl: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            returnUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            state: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, {}, {
+        authUrl: string;
+    }>;
+    oauthFinalize: _spfn_core_route.RouteDef<{
+        body: _sinclair_typebox.TObject<{
+            userId: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            returnUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>;
+    }, {}, {
+        success: boolean;
+        userId: string;
+        keyId: string;
+        returnUrl: string;
+    }>;
     getInvitation: _spfn_core_route.RouteDef<{
         params: _sinclair_typebox.TObject<{
             token: _sinclair_typebox.TString;
@@ -367,6 +622,7 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
             email: _sinclair_typebox.TString;
             roleId: _sinclair_typebox.TNumber;
             expiresInDays: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            expiresAt: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
             metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TAny>;
         }>;
     }, {}, {
@@ -433,97 +689,138 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
             id: _sinclair_typebox.TNumber;
         }>;
     }, {}, void>;
-    checkAccountExists: _spfn_core_route.RouteDef<{
-        body: _sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
-            email: _sinclair_typebox.TString;
-        }>, _sinclair_typebox.TObject<{
-            phone: _sinclair_typebox.TString;
-        }>]>;
-    }, {}, CheckAccountExistsResult>;
-    sendVerificationCode: _spfn_core_route.RouteDef<{
+    getUserProfile: _spfn_core_route.RouteDef<{}, {}, UserProfile>;
+    updateUserProfile: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            target: _sinclair_typebox.TString;
-            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
-            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+            displayName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            firstName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            lastName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            avatarUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            bio: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            locale: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            timezone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            dateOfBirth: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            gender: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            website: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            location: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            company: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            jobTitle: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TAny>>;
         }>;
-    }, {}, SendVerificationCodeResult>;
-    verifyCode: _spfn_core_route.RouteDef<{
-        body: _sinclair_typebox.TObject<{
-            target: _sinclair_typebox.TString;
-            targetType: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">]>;
-            code: _sinclair_typebox.TString;
-            purpose: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"registration">, _sinclair_typebox.TLiteral<"login">, _sinclair_typebox.TLiteral<"password_reset">, _sinclair_typebox.TLiteral<"email_change">, _sinclair_typebox.TLiteral<"phone_change">]>;
+    }, {}, ProfileInfo>;
+    checkUsername: _spfn_core_route.RouteDef<{
+        query: _sinclair_typebox.TObject<{
+            username: _sinclair_typebox.TString;
         }>;
     }, {}, {
-        valid: boolean;
-        verificationToken: string;
+        available: boolean;
     }>;
-    register: _spfn_core_route.RouteDef<{
+    updateUsername: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            verificationToken: _sinclair_typebox.TString;
-            password: _sinclair_typebox.TString;
+            username: _sinclair_typebox.TUnion<[_sinclair_typebox.TString, _sinclair_typebox.TNull]>;
         }>;
-    }, {
-        body: _sinclair_typebox.TObject<{
-            publicKey: _sinclair_typebox.TString;
-            keyId: _sinclair_typebox.TString;
-            fingerprint: _sinclair_typebox.TString;
-            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
-        }>;
-    }, RegisterResult>;
-    login: _spfn_core_route.RouteDef<{
+    }, {}, {
+        createdAt: Date;
+        updatedAt: Date;
+        id: number;
+        publicId: string;
+        email: string | null;
+        phone: string | null;
+        username: string | null;
+        passwordHash: string | null;
+        passwordChangeRequired: boolean;
+        roleId: number;
+        status: "active" | "inactive" | "suspended";
+        emailVerifiedAt: Date | null;
+        phoneVerifiedAt: Date | null;
+        lastLoginAt: Date | null;
+    }>;
+    updateLocale: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            email: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            phone: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-            password: _sinclair_typebox.TString;
+            locale: _sinclair_typebox.TString;
         }>;
-    }, {
-        body: _sinclair_typebox.TObject<{
-            publicKey: _sinclair_typebox.TString;
-            keyId: _sinclair_typebox.TString;
-            fingerprint: _sinclair_typebox.TString;
-            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
-            oldKeyId: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
-        }>;
-    }, LoginResult>;
-    logout: _spfn_core_route.RouteDef<{
-        body: _sinclair_typebox.TObject<{}>;
-    }, {}, void>;
-    rotateKey: _spfn_core_route.RouteDef<{
-        body: _sinclair_typebox.TObject<{}>;
-    }, {
-        body: _sinclair_typebox.TObject<{
-            publicKey: _sinclair_typebox.TString;
-            keyId: _sinclair_typebox.TString;
-            fingerprint: _sinclair_typebox.TString;
-            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+    }, {}, {
+        locale: string;
+    }>;
+    listRoles: _spfn_core_route.RouteDef<{
+        query: _sinclair_typebox.TObject<{
+            includeInactive: _sinclair_typebox.TOptional<_sinclair_typebox.TBoolean>;
         }>;
-    }, RotateKeyResult>;
-    changePassword: _spfn_core_route.RouteDef<{
+    }, {}, {
+        roles: {
+            description: string | null;
+            id: number;
+            name: string;
+            displayName: string;
+            isBuiltin: boolean;
+            isSystem: boolean;
+            isActive: boolean;
+            priority: number;
+            createdAt: Date;
+            updatedAt: Date;
+        }[];
+    }>;
+    createAdminRole: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            currentPassword: _sinclair_typebox.TString;
-            newPassword: _sinclair_typebox.TString;
+            name: _sinclair_typebox.TString;
+            displayName: _sinclair_typebox.TString;
+            description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            priority: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            permissionIds: _sinclair_typebox.TOptional<_sinclair_typebox.TArray<_sinclair_typebox.TNumber>>;
         }>;
-    }, {}, void>;
-    getAuthSession: _spfn_core_route.RouteDef<{}, {}, {
+    }, {}, {
         role: {
+            description: string | null;
             id: number;
             name: string;
             displayName: string;
+            isBuiltin: boolean;
+            isSystem: boolean;
+            isActive: boolean;
             priority: number;
+            createdAt: Date;
+            updatedAt: Date;
         };
-        permissions: {
+    }>;
+    updateAdminRole: _spfn_core_route.RouteDef<{
+        params: _sinclair_typebox.TObject<{
+            id: _sinclair_typebox.TNumber;
+        }>;
+        body: _sinclair_typebox.TObject<{
+            displayName: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            description: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            priority: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            isActive: _sinclair_typebox.TOptional<_sinclair_typebox.TBoolean>;
+        }>;
+    }, {}, {
+        role: {
+            description: string | null;
             id: number;
             name: string;
             displayName: string;
-            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
-        }[];
+            isBuiltin: boolean;
+            isSystem: boolean;
+            isActive: boolean;
+            priority: number;
+            createdAt: Date;
+            updatedAt: Date;
+        };
+    }>;
+    deleteAdminRole: _spfn_core_route.RouteDef<{
+        params: _sinclair_typebox.TObject<{
+            id: _sinclair_typebox.TNumber;
+        }>;
+    }, {}, void>;
+    updateUserRole: _spfn_core_route.RouteDef<{
+        params: _sinclair_typebox.TObject<{
+            userId: _sinclair_typebox.TNumber;
+        }>;
+        body: _sinclair_typebox.TObject<{
+            roleId: _sinclair_typebox.TNumber;
+        }>;
+    }, {}, {
         userId: number;
-        email: string | null;
-        emailVerified: boolean;
-        phoneVerified: boolean;
+        roleId: number;
     }>;
 }>;
 
@@ -531,6 +828,8 @@ interface AuthContext {
     user: User;
     userId: string;
     keyId: string;
+    role: string | null;
+    locale: string;
 }
 declare module 'hono' {
     interface ContextVariableMap {
@@ -568,82 +867,33 @@ declare module 'hono' {
  * ```
  */
 declare const authenticate: _spfn_core_route.NamedMiddleware<"auth">;
-
-/**
- * Role information for client/API responses
- */
-interface Role {
-    id: number;
-    name: string;
-    displayName: string;
-    description: string | null;
-    isBuiltin: boolean;
-    isSystem: boolean;
-    isActive: boolean;
-    priority: number;
-    createdAt: Date;
-    updatedAt: Date;
-}
-/**
- * Permission information for client/API responses
- */
-interface Permission {
-    id: number;
-    name: string;
-    displayName: string;
-    description: string | null;
-    category: string | null;
-    isBuiltin: boolean;
-    isSystem: boolean;
-    isActive: boolean;
-    metadata: Record<string, any> | null;
-    createdAt: Date;
-    updatedAt: Date;
-}
-interface AuthSession {
-    userId: number;
-    email: string | null;
-    emailVerified: boolean;
-    phoneVerified: boolean;
-    role: Role;
-    permissions: Permission[];
-}
-interface ProfileInfo {
-    profileId: number;
-    displayName: string;
-    firstName: string | null;
-    lastName: string | null;
-    avatarUrl: string | null;
-    bio: string | null;
-    locale: string;
-    timezone: string;
-    website: string | null;
-    location: string | null;
-    company: string | null;
-    jobTitle: string | null;
-    metadata: Record<string, any> | null;
-    createdAt: Date;
-    updatedAt: Date;
-}
 /**
- * User Profile Response
+ * Optional authentication middleware
  *
- * Complete user data including:
- * - User fields at top level (userId, email, etc.)
- * - Profile data as nested field (optional)
+ * Same as `authenticate` but does NOT reject unauthenticated requests.
+ * - No token → continues without auth context
+ * - Invalid token → continues without auth context
+ * - Valid token → sets auth context normally
  *
- * Excludes:
- * - Role and permissions (use auth session API)
+ * Auto-skips the global 'auth' middleware when used at route level.
+ *
+ * @example
+ * ```typescript
+ * // No need for .skip(['auth']) — handled automatically
+ * export const getProducts = route.get('/products')
+ *   .use([optionalAuth])
+ *   .handler(async (c) => {
+ *     const auth = getOptionalAuth(c);  // AuthContext | undefined
+ *
+ *     if (auth)
+ *     {
+ *       return getPersonalizedProducts(auth.userId);
+ *     }
+ *
+ *     return getPublicProducts();
+ *   });
+ * ```
  */
-interface UserProfile {
-    userId: number;
-    email: string | null;
-    emailVerified: boolean;
-    phoneVerified: boolean;
-    lastLoginAt: Date | null;
-    createdAt: Date;
-    updatedAt: Date;
-    profile: ProfileInfo | null;
-}
+declare const optionalAuth: _spfn_core_route.NamedMiddleware<"optionalAuth">;
 
-export { VerificationPurposeSchema as $, type AuthSession as A, type ChangePasswordParams as B, type CheckAccountExistsResult as C, sendVerificationCodeService as D, verifyCodeService as E, type SendVerificationCodeParams as F, type VerifyCodeParams as G, type VerifyCodeResult as H, INVITATION_STATUSES as I, registerPublicKeyService as J, KEY_ALGORITHM as K, type LoginResult as L, rotateKeyService as M, revokeKeyService as N, type RegisterPublicKeyParams as O, type PermissionConfig as P, type RotateKeyParams as Q, type RoleConfig as R, type SendVerificationCodeResult as S, type RevokeKeyParams as T, type UserProfile as U, type VerificationTargetType as V, authenticate as W, EmailSchema as X, PhoneSchema as Y, PasswordSchema as Z, TargetTypeSchema as _, type ProfileInfo as a, type RegisterResult as b, type RotateKeyResult as c, USER_STATUSES as d, SOCIAL_PROVIDERS as e, type VerificationPurpose as f, VERIFICATION_TARGET_TYPES as g, VERIFICATION_PURPOSES as h, PERMISSION_CATEGORIES as i, type PermissionCategory as j, type AuthInitOptions as k, type KeyAlgorithmType as l, mainAuthRouter as m, type InvitationStatus as n, type UserStatus as o, type SocialProvider as p, type AuthContext as q, checkAccountExistsService as r, registerService as s, loginService as t, logoutService as u, changePasswordService as v, type CheckAccountExistsParams as w, type RegisterParams as x, type LoginParams as y, type LogoutParams as z };
+export { authenticate as $, type AuthSession as A, registerPublicKeyService as B, type CheckAccountExistsResult as C, rotateKeyService as D, revokeKeyService as E, type RegisterPublicKeyParams as F, type RotateKeyParams as G, type RevokeKeyParams as H, type IssueOneTimeTokenResult as I, issueOneTimeTokenService as J, verifyOneTimeTokenService as K, type LoginResult as L, oauthStartService as M, oauthCallbackService as N, type OAuthStartResult as O, type PermissionConfig as P, buildOAuthErrorUrl as Q, type RoleConfig as R, type SendVerificationCodeResult as S, isOAuthProviderEnabled as T, type UserProfile as U, type VerificationTargetType as V, getEnabledOAuthProviders as W, getGoogleAccessToken as X, type OAuthStartParams as Y, type OAuthCallbackParams as Z, type OAuthCallbackResult as _, type RegisterResult as a, optionalAuth as a0, EmailSchema as a1, PhoneSchema as a2, PasswordSchema as a3, TargetTypeSchema as a4, VerificationPurposeSchema as a5, type RotateKeyResult as b, type ProfileInfo as c, type VerificationPurpose as d, VERIFICATION_TARGET_TYPES as e, VERIFICATION_PURPOSES as f, PERMISSION_CATEGORIES as g, type PermissionCategory as h, type AuthInitOptions as i, type AuthContext as j, checkAccountExistsService as k, loginService as l, mainAuthRouter as m, logoutService as n, changePasswordService as o, type CheckAccountExistsParams as p, type RegisterParams as q, registerService as r, type LoginParams as s, type LogoutParams as t, type ChangePasswordParams as u, sendVerificationCodeService as v, verifyCodeService as w, type SendVerificationCodeParams as x, type VerifyCodeParams as y, type VerifyCodeResult as z };