@spfn/auth 0.2.0-beta.6 → 0.2.0-beta.60

package/dist/nextjs/api.js

@@ -1,9 +1,265 @@
 // src/nextjs/api.ts
 import { registerInterceptors } from "@spfn/core/nextjs/server";
 
+// src/server/lib/crypto.ts
+import crypto2 from "crypto";
+import jwt from "jsonwebtoken";
+function generateKeyPairES256() {
+  const keyId = crypto2.randomUUID();
+  const { privateKey, publicKey } = crypto2.generateKeyPairSync("ec", {
+    namedCurve: "P-256",
+    // ES256
+    publicKeyEncoding: {
+      type: "spki",
+      format: "der"
+    },
+    privateKeyEncoding: {
+      type: "pkcs8",
+      format: "der"
+    }
+  });
+  const privateKeyB64 = privateKey.toString("base64");
+  const publicKeyB64 = publicKey.toString("base64");
+  const fingerprint = crypto2.createHash("sha256").update(publicKey).digest("hex");
+  return {
+    privateKey: privateKeyB64,
+    publicKey: publicKeyB64,
+    keyId,
+    fingerprint,
+    algorithm: "ES256"
+  };
+}
+function generateKeyPairRS256() {
+  const keyId = crypto2.randomUUID();
+  const { privateKey, publicKey } = crypto2.generateKeyPairSync("rsa", {
+    modulusLength: 2048,
+    publicKeyEncoding: {
+      type: "spki",
+      format: "der"
+    },
+    privateKeyEncoding: {
+      type: "pkcs8",
+      format: "der"
+    }
+  });
+  const privateKeyB64 = privateKey.toString("base64");
+  const publicKeyB64 = publicKey.toString("base64");
+  const fingerprint = crypto2.createHash("sha256").update(publicKey).digest("hex");
+  return {
+    privateKey: privateKeyB64,
+    publicKey: publicKeyB64,
+    keyId,
+    fingerprint,
+    algorithm: "RS256"
+  };
+}
+function generateKeyPair(algorithm = "ES256") {
+  return algorithm === "ES256" ? generateKeyPairES256() : generateKeyPairRS256();
+}
+function generateClientToken(payload, privateKeyB64, algorithm, options) {
+  try {
+    const privateKeyDER = Buffer.from(privateKeyB64, "base64");
+    const privateKeyObject = crypto2.createPrivateKey({
+      key: privateKeyDER,
+      format: "der",
+      type: "pkcs8"
+    });
+    const privateKeyPEM = privateKeyObject.export({
+      type: "pkcs8",
+      format: "pem"
+    });
+    const signOptions = {
+      algorithm,
+      issuer: options?.issuer || "spfn-client",
+      expiresIn: options?.expiresIn ?? "15m"
+      // Default to 15 minutes
+    };
+    return jwt.sign(payload, privateKeyPEM, signOptions);
+  } catch (error) {
+    throw new Error(
+      `Failed to generate client token: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
+
+// src/server/lib/session.ts
+import * as jose from "jose";
+import { env } from "@spfn/auth/config";
+import { env as coreEnv } from "@spfn/core/config";
+
+// src/server/logger.ts
+import { logger as rootLogger } from "@spfn/core/logger";
+var authLogger = {
+  plugin: rootLogger.child("@spfn/auth:plugin"),
+  middleware: rootLogger.child("@spfn/auth:middleware"),
+  interceptor: {
+    general: rootLogger.child("@spfn/auth:interceptor:general"),
+    login: rootLogger.child("@spfn/auth:interceptor:login"),
+    keyRotation: rootLogger.child("@spfn/auth:interceptor:key-rotation"),
+    oauth: rootLogger.child("@spfn/auth:interceptor:oauth")
+  },
+  session: rootLogger.child("@spfn/auth:session"),
+  service: rootLogger.child("@spfn/auth:service"),
+  setup: rootLogger.child("@spfn/auth:setup"),
+  email: rootLogger.child("@spfn/auth:email"),
+  sms: rootLogger.child("@spfn/auth:sms")
+};
+
+// src/server/lib/session.ts
+async function getSessionSecretKey() {
+  const secret = env.SPFN_AUTH_SESSION_SECRET;
+  const encoder = new TextEncoder();
+  const data = encoder.encode(secret);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(hashBuffer);
+}
+async function getSecretFingerprint() {
+  const key = await getSessionSecretKey();
+  const hash = await crypto.subtle.digest("SHA-256", key.buffer);
+  const hex = Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return hex.slice(0, 8);
+}
+async function sealSession(data, ttl = 60 * 60 * 24 * 7) {
+  const secret = await getSessionSecretKey();
+  const result = await new jose.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
+  if (coreEnv.NODE_ENV !== "production") {
+    const fingerprint = await getSecretFingerprint();
+    authLogger.session.debug(`Sealed session`, {
+      secretFingerprint: fingerprint,
+      resultLength: result.length,
+      resultPrefix: result.slice(0, 20)
+    });
+  }
+  return result;
+}
+async function unsealSession(jwt2) {
+  try {
+    const secret = await getSessionSecretKey();
+    const { payload } = await jose.jwtDecrypt(jwt2, secret, {
+      issuer: "spfn-auth",
+      audience: "spfn-client"
+    });
+    return payload.data;
+  } catch (err) {
+    if (err instanceof jose.errors.JWTExpired) {
+      throw new Error("Session expired");
+    }
+    if (err instanceof jose.errors.JWEDecryptionFailed) {
+      if (coreEnv.NODE_ENV !== "production") {
+        const fingerprint = await getSecretFingerprint();
+        authLogger.session.warn(`JWE decryption failed`, {
+          secretFingerprint: fingerprint,
+          jwtLength: jwt2.length,
+          jwtPrefix: jwt2.slice(0, 20),
+          jwtSuffix: jwt2.slice(-10)
+        });
+      }
+      throw new Error("Invalid session");
+    }
+    if (err instanceof jose.errors.JWTClaimValidationFailed) {
+      throw new Error("Session validation failed");
+    }
+    throw new Error("Failed to unseal session");
+  }
+}
+async function getSessionInfo(jwt2) {
+  const secret = await getSessionSecretKey();
+  try {
+    const { payload } = await jose.jwtDecrypt(jwt2, secret);
+    return {
+      issuedAt: new Date(payload.iat * 1e3),
+      expiresAt: new Date(payload.exp * 1e3),
+      issuer: payload.iss || "",
+      audience: Array.isArray(payload.aud) ? payload.aud[0] : payload.aud || ""
+    };
+  } catch (err) {
+    if (coreEnv.NODE_ENV !== "production") {
+      authLogger.session.warn("Failed to get session info:", err instanceof Error ? err.message : "Unknown error");
+    }
+    return null;
+  }
+}
+async function shouldRefreshSession(jwt2, thresholdHours = 24) {
+  const info = await getSessionInfo(jwt2);
+  if (!info) {
+    return true;
+  }
+  const hoursRemaining = (info.expiresAt.getTime() - Date.now()) / (1e3 * 60 * 60);
+  return hoursRemaining < thresholdHours;
+}
+
+// src/server/lib/config.ts
+import { env as env2 } from "@spfn/auth/config";
+function getCookieSuffix() {
+  const port = process.env.PORT;
+  return port ? `_${port}` : "";
+}
+var COOKIE_NAMES = {
+  /** Encrypted session data (userId, privateKey, keyId, algorithm) */
+  get SESSION() {
+    return `spfn_session${getCookieSuffix()}`;
+  },
+  /** Current key ID (for key rotation) */
+  get SESSION_KEY_ID() {
+    return `spfn_session_key_id${getCookieSuffix()}`;
+  },
+  /** Pending OAuth session (privateKey, keyId, algorithm) - temporary during OAuth flow */
+  get OAUTH_PENDING() {
+    return `spfn_oauth_pending${getCookieSuffix()}`;
+  }
+};
+function parseDuration(duration) {
+  if (typeof duration === "number") {
+    return duration;
+  }
+  const match = duration.match(/^(\d+)([dhms]?)$/);
+  if (!match) {
+    throw new Error(`Invalid duration format: ${duration}. Use format like '30d', '12h', '45m', '3600s', or plain number.`);
+  }
+  const value = parseInt(match[1], 10);
+  const unit = match[2] || "s";
+  switch (unit) {
+    case "d":
+      return value * 24 * 60 * 60;
+    case "h":
+      return value * 60 * 60;
+    case "m":
+      return value * 60;
+    case "s":
+      return value;
+    default:
+      throw new Error(`Unknown duration unit: ${unit}`);
+  }
+}
+var globalConfig = {
+  sessionTtl: "7d"
+  // Default: 7 days
+};
+function getSessionTtl(override) {
+  if (override !== void 0) {
+    return parseDuration(override);
+  }
+  if (globalConfig.sessionTtl !== void 0) {
+    return parseDuration(globalConfig.sessionTtl);
+  }
+  const envTtl = env2.SPFN_AUTH_SESSION_TTL;
+  if (envTtl) {
+    return parseDuration(envTtl);
+  }
+  return 7 * 24 * 60 * 60;
+}
+
+// src/nextjs/interceptors/cookie-options.ts
+function resolveSecure() {
+  const override = process.env.SPFN_AUTH_COOKIE_SECURE;
+  if (override !== void 0) {
+    return override === "true";
+  }
+  return process.env.NODE_ENV === "production";
+}
+var cookieSecure = resolveSecure();
+
 // src/nextjs/interceptors/login-register.ts
-import { generateKeyPair, sealSession, getSessionTtl, COOKIE_NAMES, authLogger } from "@spfn/auth/server";
-import { env } from "@spfn/core/config";
 var loginRegisterInterceptor = {
   pathPattern: /^\/_auth\/(login|register)$/,
   method: "POST",
@@ -54,7 +310,7 @@ var loginRegisterInterceptor = {
         value: sealed,
         options: {
           httpOnly: true,
-          secure: env.NODE_ENV === "production",
+          secure: cookieSecure,
           sameSite: "strict",
           maxAge: ttl,
           path: "/"
@@ -65,7 +321,7 @@ var loginRegisterInterceptor = {
         value: ctx.metadata.keyId,
         options: {
           httpOnly: true,
-          secure: env.NODE_ENV === "production",
+          secure: cookieSecure,
           sameSite: "strict",
           maxAge: ttl,
           path: "/"
@@ -80,8 +336,6 @@ var loginRegisterInterceptor = {
 };
 
 // src/nextjs/interceptors/general-auth.ts
-import { unsealSession, sealSession as sealSession2, shouldRefreshSession, generateClientToken, getSessionTtl as getSessionTtl2, COOKIE_NAMES as COOKIE_NAMES2, authLogger as authLogger2 } from "@spfn/auth/server";
-import { env as env2 } from "@spfn/core/config";
 function requiresAuth(path) {
   const publicPaths = [
     /^\/_auth\/login$/,
@@ -101,37 +355,39 @@ var generalAuthInterceptor = {
   method: ["GET", "POST", "PUT", "PATCH", "DELETE"],
   request: async (ctx, next) => {
     if (!requiresAuth(ctx.path)) {
-      authLogger2.interceptor.general.debug(`Public path, skipping auth: ${ctx.path}`);
+      authLogger.interceptor.general.debug(`Public path, skipping auth: ${ctx.path}`);
       await next();
       return;
     }
     const cookieNames = Array.from(ctx.cookies.keys());
-    authLogger2.interceptor.general.debug("Available cookies:", {
+    authLogger.interceptor.general.debug("Available cookies:", {
       cookieNames,
       totalCount: cookieNames.length,
-      lookingFor: COOKIE_NAMES2.SESSION
+      lookingFor: COOKIE_NAMES.SESSION
     });
-    const sessionCookie = ctx.cookies.get(COOKIE_NAMES2.SESSION);
-    authLogger2.interceptor.general.debug("Request", {
+    const sessionCookie = ctx.cookies.get(COOKIE_NAMES.SESSION);
+    authLogger.interceptor.general.debug("Request", {
       method: ctx.method,
       path: ctx.path,
       hasSession: !!sessionCookie,
-      sessionCookieValue: sessionCookie ? "***EXISTS***" : "NOT_FOUND"
+      sessionLength: sessionCookie?.length ?? 0,
+      sessionPrefix: sessionCookie?.slice(0, 20) ?? "",
+      sessionSuffix: sessionCookie?.slice(-10) ?? ""
     });
     if (!sessionCookie) {
-      authLogger2.interceptor.general.debug("No session cookie, proceeding without auth");
+      authLogger.interceptor.general.debug("No session cookie, proceeding without auth");
       await next();
       return;
     }
     try {
       const session = await unsealSession(sessionCookie);
-      authLogger2.interceptor.general.debug("Session valid", {
+      authLogger.interceptor.general.debug("Session valid", {
         userId: session.userId,
         keyId: session.keyId
       });
       const needsRefresh = await shouldRefreshSession(sessionCookie, 24);
       if (needsRefresh) {
-        authLogger2.interceptor.general.debug("Session needs refresh (within 24h of expiry)");
+        authLogger.interceptor.general.debug("Session needs refresh (within 24h of expiry)");
         ctx.metadata.refreshSession = true;
         ctx.metadata.sessionData = session;
       }
@@ -145,28 +401,49 @@ var generalAuthInterceptor = {
         session.algorithm,
         { expiresIn: "15m" }
       );
-      authLogger2.interceptor.general.debug("Generated JWT token (expires in 15m)");
+      authLogger.interceptor.general.debug("Generated JWT token (expires in 15m)");
       ctx.headers["Authorization"] = `Bearer ${token}`;
       ctx.headers["X-Key-Id"] = session.keyId;
       ctx.metadata.userId = session.userId;
       ctx.metadata.sessionValid = true;
     } catch (error) {
       const err = error;
-      if (err.message.includes("expired") || err.message.includes("invalid")) {
-        authLogger2.interceptor.general.warn("Session expired or invalid", { message: err.message });
-        authLogger2.interceptor.general.debug("Marking session for cleanup");
+      const msg = err.message.toLowerCase();
+      if (msg.includes("expired") || msg.includes("invalid")) {
+        authLogger.interceptor.general.warn("Session expired or invalid", {
+          message: err.message,
+          cookieLength: sessionCookie.length,
+          cookiePrefix: sessionCookie.slice(0, 20),
+          cookieSuffix: sessionCookie.slice(-10)
+        });
+        authLogger.interceptor.general.debug("Marking session for cleanup");
         ctx.metadata.clearSession = true;
         ctx.metadata.sessionValid = false;
       } else {
-        authLogger2.interceptor.general.error("Failed to process session", err);
+        authLogger.interceptor.general.error("Failed to process session", err);
       }
     }
     await next();
   },
   response: async (ctx, next) => {
+    if (ctx.response.status === 401 && ctx.metadata.sessionValid) {
+      authLogger.interceptor.general.warn("Backend returned 401, clearing session");
+      ctx.setCookies.push({
+        name: COOKIE_NAMES.SESSION,
+        value: "",
+        options: { maxAge: 0, path: "/" }
+      });
+      ctx.setCookies.push({
+        name: COOKIE_NAMES.SESSION_KEY_ID,
+        value: "",
+        options: { maxAge: 0, path: "/" }
+      });
+      await next();
+      return;
+    }
     if (ctx.metadata.clearSession) {
       ctx.setCookies.push({
-        name: COOKIE_NAMES2.SESSION,
+        name: COOKIE_NAMES.SESSION,
         value: "",
         options: {
           maxAge: 0,
@@ -174,7 +451,7 @@ var generalAuthInterceptor = {
         }
       });
       ctx.setCookies.push({
-        name: COOKIE_NAMES2.SESSION_KEY_ID,
+        name: COOKIE_NAMES.SESSION_KEY_ID,
         value: "",
         options: {
           maxAge: 0,
@@ -184,38 +461,42 @@ var generalAuthInterceptor = {
     } else if (ctx.metadata.refreshSession && ctx.response.status === 200) {
       try {
         const sessionData = ctx.metadata.sessionData;
-        const ttl = getSessionTtl2();
-        const sealed = await sealSession2(sessionData, ttl);
+        const ttl = getSessionTtl();
+        const sealed = await sealSession(sessionData, ttl);
         ctx.setCookies.push({
-          name: COOKIE_NAMES2.SESSION,
+          name: COOKIE_NAMES.SESSION,
           value: sealed,
           options: {
             httpOnly: true,
-            secure: env2.NODE_ENV === "production",
+            secure: cookieSecure,
             sameSite: "strict",
             maxAge: ttl,
             path: "/"
           }
         });
         ctx.setCookies.push({
-          name: COOKIE_NAMES2.SESSION_KEY_ID,
+          name: COOKIE_NAMES.SESSION_KEY_ID,
           value: sessionData.keyId,
           options: {
             httpOnly: true,
-            secure: process.env.NODE_ENV === "production",
+            secure: cookieSecure,
             sameSite: "strict",
             maxAge: ttl,
             path: "/"
           }
         });
-        authLogger2.interceptor.general.info("Session refreshed", { userId: sessionData.userId });
+        authLogger.interceptor.general.info("Session refreshed", {
+          userId: sessionData.userId,
+          sealedLength: sealed.length,
+          sealedPrefix: sealed.slice(0, 20)
+        });
       } catch (error) {
         const err = error;
-        authLogger2.interceptor.general.error("Failed to refresh session", err);
+        authLogger.interceptor.general.error("Failed to refresh session", err);
       }
-    } else if (ctx.path === "/_auth/logout" && ctx.response.status === 200) {
+    } else if (ctx.path === "/_auth/logout" && ctx.response.ok) {
       ctx.setCookies.push({
-        name: COOKIE_NAMES2.SESSION,
+        name: COOKIE_NAMES.SESSION,
         value: "",
         options: {
           maxAge: 0,
@@ -223,7 +504,7 @@ var generalAuthInterceptor = {
         }
       });
       ctx.setCookies.push({
-        name: COOKIE_NAMES2.SESSION_KEY_ID,
+        name: COOKIE_NAMES.SESSION_KEY_ID,
         value: "",
         options: {
           maxAge: 0,
@@ -236,19 +517,18 @@ var generalAuthInterceptor = {
 };
 
 // src/nextjs/interceptors/key-rotation.ts
-import { generateKeyPair as generateKeyPair2, unsealSession as unsealSession2, sealSession as sealSession3, generateClientToken as generateClientToken2, getSessionTtl as getSessionTtl3, COOKIE_NAMES as COOKIE_NAMES3, authLogger as authLogger3 } from "@spfn/auth/server";
 var keyRotationInterceptor = {
   pathPattern: "/_auth/keys/rotate",
   method: "POST",
   request: async (ctx, next) => {
-    const sessionCookie = ctx.cookies.get(COOKIE_NAMES3.SESSION);
+    const sessionCookie = ctx.cookies.get(COOKIE_NAMES.SESSION);
     if (!sessionCookie) {
       await next();
       return;
     }
     try {
-      const currentSession = await unsealSession2(sessionCookie);
-      const newKeyPair = generateKeyPair2("ES256");
+      const currentSession = await unsealSession(sessionCookie);
+      const newKeyPair = generateKeyPair("ES256");
       if (!ctx.body) {
         ctx.body = {};
       }
@@ -261,7 +541,7 @@ var keyRotationInterceptor = {
       console.log("publicKey:", newKeyPair.publicKey);
       console.log("keyId:", newKeyPair.keyId);
       console.log("fingerprint:", newKeyPair.fingerprint);
-      const token = generateClientToken2(
+      const token = generateClientToken(
         {
           userId: currentSession.userId,
           keyId: currentSession.keyId,
@@ -280,7 +560,7 @@ var keyRotationInterceptor = {
       ctx.metadata.userId = currentSession.userId;
     } catch (error) {
       const err = error;
-      authLogger3.interceptor.keyRotation.error("Failed to prepare key rotation", err);
+      authLogger.interceptor.keyRotation.error("Failed to prepare key rotation", err);
     }
     await next();
   },
@@ -290,44 +570,262 @@ var keyRotationInterceptor = {
       return;
     }
     if (!ctx.metadata.newPrivateKey || !ctx.metadata.userId) {
-      authLogger3.interceptor.keyRotation.error("Missing key rotation metadata");
+      authLogger.interceptor.keyRotation.error("Missing key rotation metadata");
       await next();
       return;
     }
     try {
-      const ttl = getSessionTtl3();
+      const ttl = getSessionTtl();
       const newSessionData = {
         userId: ctx.metadata.userId,
         privateKey: ctx.metadata.newPrivateKey,
         keyId: ctx.metadata.newKeyId,
         algorithm: ctx.metadata.newAlgorithm
       };
-      const sealed = await sealSession3(newSessionData, ttl);
+      const sealed = await sealSession(newSessionData, ttl);
       ctx.setCookies.push({
-        name: COOKIE_NAMES3.SESSION,
+        name: COOKIE_NAMES.SESSION,
         value: sealed,
         options: {
           httpOnly: true,
-          secure: process.env.NODE_ENV === "production",
+          secure: cookieSecure,
           sameSite: "strict",
           maxAge: ttl,
           path: "/"
         }
       });
       ctx.setCookies.push({
-        name: COOKIE_NAMES3.SESSION_KEY_ID,
+        name: COOKIE_NAMES.SESSION_KEY_ID,
         value: ctx.metadata.newKeyId,
         options: {
           httpOnly: true,
-          secure: process.env.NODE_ENV === "production",
+          secure: cookieSecure,
+          sameSite: "strict",
+          maxAge: ttl,
+          path: "/"
+        }
+      });
+    } catch (error) {
+      const err = error;
+      authLogger.interceptor.keyRotation.error("Failed to update session after rotation", err);
+    }
+    await next();
+  }
+};
+
+// src/server/lib/oauth/state.ts
+import * as jose2 from "jose";
+import { env as env3 } from "@spfn/auth/config";
+async function getStateKey() {
+  const secret = env3.SPFN_AUTH_SESSION_SECRET;
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`oauth-state:${secret}`);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(hashBuffer);
+}
+function generateNonce() {
+  const array = new Uint8Array(16);
+  crypto.getRandomValues(array);
+  return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createOAuthState(params) {
+  const key = await getStateKey();
+  const state = {
+    returnUrl: params.returnUrl,
+    nonce: generateNonce(),
+    provider: params.provider,
+    publicKey: params.publicKey,
+    keyId: params.keyId,
+    fingerprint: params.fingerprint,
+    algorithm: params.algorithm,
+    metadata: params.metadata
+  };
+  const jwe = await new jose2.EncryptJWT({ state }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime("10m").encrypt(key);
+  return encodeURIComponent(jwe);
+}
+
+// src/nextjs/session-helpers.ts
+import * as jose3 from "jose";
+import { cookies } from "next/headers.js";
+import { env as env4 } from "@spfn/auth/config";
+import { logger } from "@spfn/core/logger";
+async function getPendingSessionKey() {
+  const secret = env4.SPFN_AUTH_SESSION_SECRET;
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`oauth-pending:${secret}`);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(hashBuffer);
+}
+async function sealPendingSession(data, ttl = 600) {
+  const key = await getPendingSessionKey();
+  return await new jose3.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-oauth").encrypt(key);
+}
+async function unsealPendingSession(jwt2) {
+  const key = await getPendingSessionKey();
+  const { payload } = await jose3.jwtDecrypt(jwt2, key, {
+    issuer: "spfn-auth",
+    audience: "spfn-oauth"
+  });
+  return payload.data;
+}
+
+// src/nextjs/interceptors/oauth.ts
+var oauthUrlInterceptor = {
+  pathPattern: /^\/_auth\/oauth\/\w+\/url$/,
+  method: "POST",
+  request: async (ctx, next) => {
+    const provider = ctx.path.split("/")[3];
+    const returnUrl = ctx.body?.returnUrl || "/";
+    const keyPair = generateKeyPair("ES256");
+    const state = await createOAuthState({
+      provider,
+      returnUrl,
+      publicKey: keyPair.publicKey,
+      keyId: keyPair.keyId,
+      fingerprint: keyPair.fingerprint,
+      algorithm: keyPair.algorithm
+    });
+    if (!ctx.body) {
+      ctx.body = {};
+    }
+    ctx.body.state = state;
+    ctx.metadata.pendingSession = {
+      privateKey: keyPair.privateKey,
+      keyId: keyPair.keyId,
+      algorithm: keyPair.algorithm
+    };
+    authLogger.interceptor.oauth?.debug?.("OAuth state created", {
+      provider,
+      keyId: keyPair.keyId
+    });
+    await next();
+  },
+  response: async (ctx, next) => {
+    if (ctx.response.ok && ctx.metadata.pendingSession) {
+      try {
+        const sealed = await sealPendingSession(ctx.metadata.pendingSession);
+        ctx.setCookies.push({
+          name: COOKIE_NAMES.OAUTH_PENDING,
+          value: sealed,
+          options: {
+            httpOnly: true,
+            secure: cookieSecure,
+            sameSite: "lax",
+            // OAuth 리다이렉트 허용
+            maxAge: 600,
+            // 10분
+            path: "/"
+          }
+        });
+        authLogger.interceptor.oauth?.debug?.("Pending session cookie set", {
+          keyId: ctx.metadata.pendingSession.keyId
+        });
+      } catch (error) {
+        const err = error;
+        authLogger.interceptor.oauth?.error?.("Failed to set pending session", err);
+      }
+    }
+    await next();
+  }
+};
+function setFinalizeError(ctx, message) {
+  ctx.response.ok = false;
+  ctx.response.status = 401;
+  ctx.response.statusText = "Unauthorized";
+  ctx.response.body = { success: false, message };
+  ctx.setCookies.push({
+    name: COOKIE_NAMES.OAUTH_PENDING,
+    value: "",
+    options: {
+      httpOnly: true,
+      secure: cookieSecure,
+      sameSite: "lax",
+      maxAge: 0,
+      path: "/"
+    }
+  });
+}
+var oauthFinalizeInterceptor = {
+  pathPattern: /^\/_auth\/oauth\/finalize$/,
+  method: "POST",
+  response: async (ctx, next) => {
+    if (!ctx.response.ok) {
+      await next();
+      return;
+    }
+    const pendingCookie = ctx.cookies.get(COOKIE_NAMES.OAUTH_PENDING);
+    if (!pendingCookie) {
+      authLogger.interceptor.oauth?.warn?.("No pending session cookie found");
+      setFinalizeError(ctx, "OAuth session expired. Please try again.");
+      await next();
+      return;
+    }
+    try {
+      const pendingSession = await unsealPendingSession(pendingCookie);
+      const { userId, keyId } = ctx.response.body || {};
+      if (!userId || !keyId) {
+        authLogger.interceptor.oauth?.error?.("Missing userId or keyId in response");
+        setFinalizeError(ctx, "OAuth finalize failed: missing credentials");
+        await next();
+        return;
+      }
+      if (pendingSession.keyId !== keyId) {
+        authLogger.interceptor.oauth?.error?.("KeyId mismatch", {
+          expected: pendingSession.keyId,
+          received: keyId
+        });
+        setFinalizeError(ctx, "OAuth session mismatch. Please try again.");
+        await next();
+        return;
+      }
+      const ttl = getSessionTtl();
+      const sessionToken = await sealSession({
+        userId,
+        privateKey: pendingSession.privateKey,
+        keyId: pendingSession.keyId,
+        algorithm: pendingSession.algorithm
+      }, ttl);
+      ctx.setCookies.push({
+        name: COOKIE_NAMES.SESSION,
+        value: sessionToken,
+        options: {
+          httpOnly: true,
+          secure: cookieSecure,
+          sameSite: "strict",
+          maxAge: ttl,
+          path: "/"
+        }
+      });
+      ctx.setCookies.push({
+        name: COOKIE_NAMES.SESSION_KEY_ID,
+        value: keyId,
+        options: {
+          httpOnly: true,
+          secure: cookieSecure,
           sameSite: "strict",
           maxAge: ttl,
           path: "/"
         }
       });
+      ctx.setCookies.push({
+        name: COOKIE_NAMES.OAUTH_PENDING,
+        value: "",
+        options: {
+          httpOnly: true,
+          secure: cookieSecure,
+          sameSite: "lax",
+          maxAge: 0,
+          path: "/"
+        }
+      });
+      authLogger.interceptor.oauth?.debug?.("OAuth session finalized", {
+        userId,
+        keyId
+      });
     } catch (error) {
       const err = error;
-      authLogger3.interceptor.keyRotation.error("Failed to update session after rotation", err);
+      authLogger.interceptor.oauth?.error?.("Failed to finalize OAuth session", err);
+      setFinalizeError(ctx, err.message);
     }
     await next();
   }
@@ -337,6 +835,8 @@ var keyRotationInterceptor = {
 var authInterceptors = [
   loginRegisterInterceptor,
   keyRotationInterceptor,
+  oauthUrlInterceptor,
+  oauthFinalizeInterceptor,
   generalAuthInterceptor
 ];