npm - @spfn/auth - Versions diffs - 0.2.0-beta.60 → 0.2.0-beta.62 - Mend

@spfn/auth 0.2.0-beta.60 → 0.2.0-beta.62

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +59 -1
package/dist/{authenticate-B_HkYBzq.d.ts → authenticate-DcOkuB7d.d.ts} +5 -5
package/dist/index.d.ts +5 -5
package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/dist/nextjs/api.js +13 -8
package/dist/nextjs/api.js.map +1 -1
package/dist/nextjs/server.d.ts +2 -2
package/dist/server.d.ts +113 -18
package/dist/server.js +110 -67
package/dist/server.js.map +1 -1
package/dist/{session-Dbvz9Sdp.d.ts → session-2CyIVxMY.d.ts} +1 -1
package/dist/{types-B1CzVZkU.d.ts → types-B4auHIax.d.ts} +1 -1
package/package.json +3 -3

package/dist/server.d.ts CHANGED Viewed

@@ -1,14 +1,14 @@
-import { i as AuthInitOptions, d as VerificationPurpose, h as PermissionCategory, j as AuthContext } from './authenticate-B_HkYBzq.js';
-export { u as ChangePasswordParams, p as CheckAccountExistsParams, C as CheckAccountExistsResult, a1 as EmailSchema, I as IssueOneTimeTokenResult, s as LoginParams, L as LoginResult, t as LogoutParams, Z as OAuthCallbackParams, _ as OAuthCallbackResult, Y as OAuthStartParams, O as OAuthStartResult, a3 as PasswordSchema, a2 as PhoneSchema, q as RegisterParams, F as RegisterPublicKeyParams, a as RegisterResult, H as RevokeKeyParams, G as RotateKeyParams, b as RotateKeyResult, x as SendVerificationCodeParams, S as SendVerificationCodeResult, a4 as TargetTypeSchema, f as VERIFICATION_PURPOSES, e as VERIFICATION_TARGET_TYPES, a5 as VerificationPurposeSchema, V as VerificationTargetType, y as VerifyCodeParams, z as VerifyCodeResult, m as authRouter, $ as authenticate, Q as buildOAuthErrorUrl, o as changePasswordService, k as checkAccountExistsService, W as getEnabledOAuthProviders, X as getGoogleAccessToken, T as isOAuthProviderEnabled, J as issueOneTimeTokenService, l as loginService, n as logoutService, N as oauthCallbackService, M as oauthStartService, a0 as optionalAuth, B as registerPublicKeyService, r as registerService, E as revokeKeyService, D as rotateKeyService, v as sendVerificationCodeService, w as verifyCodeService, K as verifyOneTimeTokenService } from './authenticate-B_HkYBzq.js';
+import { i as AuthInitOptions, d as VerificationPurpose, h as PermissionCategory, j as AuthContext } from './authenticate-DcOkuB7d.js';
+export { u as ChangePasswordParams, p as CheckAccountExistsParams, C as CheckAccountExistsResult, a1 as EmailSchema, I as IssueOneTimeTokenResult, s as LoginParams, L as LoginResult, t as LogoutParams, Z as OAuthCallbackParams, _ as OAuthCallbackResult, Y as OAuthStartParams, O as OAuthStartResult, a3 as PasswordSchema, a2 as PhoneSchema, q as RegisterParams, F as RegisterPublicKeyParams, a as RegisterResult, H as RevokeKeyParams, G as RotateKeyParams, b as RotateKeyResult, x as SendVerificationCodeParams, S as SendVerificationCodeResult, a4 as TargetTypeSchema, f as VERIFICATION_PURPOSES, e as VERIFICATION_TARGET_TYPES, a5 as VerificationPurposeSchema, V as VerificationTargetType, y as VerifyCodeParams, z as VerifyCodeResult, m as authRouter, $ as authenticate, Q as buildOAuthErrorUrl, o as changePasswordService, k as checkAccountExistsService, W as getEnabledOAuthProviders, X as getGoogleAccessToken, T as isOAuthProviderEnabled, J as issueOneTimeTokenService, l as loginService, n as logoutService, N as oauthCallbackService, M as oauthStartService, a0 as optionalAuth, B as registerPublicKeyService, r as registerService, E as revokeKeyService, D as rotateKeyService, v as sendVerificationCodeService, w as verifyCodeService, K as verifyOneTimeTokenService } from './authenticate-DcOkuB7d.js';
 import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
-import { K as KeyAlgorithmType, b as InvitationStatus, d as SocialProvider } from './types-B1CzVZkU.js';
-export { I as INVITATION_STATUSES, a as KEY_ALGORITHM, S as SOCIAL_PROVIDERS, U as USER_STATUSES, c as UserStatus } from './types-B1CzVZkU.js';
+import { K as KeyAlgorithmType, b as InvitationStatus, d as SocialProvider } from './types-B4auHIax.js';
+export { I as INVITATION_STATUSES, a as KEY_ALGORITHM, S as SOCIAL_PROVIDERS, U as USER_STATUSES, c as UserStatus } from './types-B4auHIax.js';
 import { UserProfile as UserProfile$1, ProfileInfo } from '@spfn/auth';
 import { BaseRepository } from '@spfn/core/db';
 import { Context } from 'hono';
 import * as _spfn_core_route from '@spfn/core/route';
 import { Algorithm } from 'jsonwebtoken';
-export { S as SessionData, g as getSessionInfo, s as sealSession, a as shouldRefreshSession, u as unsealSession } from './session-Dbvz9Sdp.js';
+export { S as SessionData, g as getSessionInfo, s as sealSession, a as shouldRefreshSession, u as unsealSession } from './session-2CyIVxMY.js';
 import { SSETokenStore, SSETokenManager } from '@spfn/core/event/sse';
 import * as _spfn_core_logger from '@spfn/core/logger';
 import * as _spfn_core_event from '@spfn/core/event';
@@ -2063,14 +2063,14 @@ declare const userSocialAccounts: drizzle_orm_pg_core.PgTableWithColumns<{
             tableName: "user_social_accounts";
             dataType: "string";
             columnType: "PgText";
-            data: "google" | "github" | "kakao" | "naver";
+            data: "google" | "github" | "kakao" | "naver" | "superself";
             driverParam: string;
             notNull: true;
             hasDefault: false;
             isPrimaryKey: false;
             isAutoincrement: false;
             hasRuntimeDefault: false;
-            enumValues: ["google", "github", "kakao", "naver"] & [string, ...string[]];
+            enumValues: ["google", "github", "kakao", "naver", "superself"] & [string, ...string[]];
             baseColumn: never;
             identity: undefined;
             generated: undefined;
@@ -4412,7 +4412,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         updatedAt: Date;
         id: number;
         userId: number;
-        provider: "google" | "github" | "kakao" | "naver";
+        provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         accessToken: string | null;
@@ -4428,7 +4428,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         updatedAt: Date;
         id: number;
         userId: number;
-        provider: "google" | "github" | "kakao" | "naver";
+        provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         accessToken: string | null;
@@ -4444,7 +4444,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         updatedAt: Date;
         id: number;
         userId: number;
-        provider: "google" | "github" | "kakao" | "naver";
+        provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         accessToken: string | null;
@@ -4460,7 +4460,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        provider: "google" | "github" | "kakao" | "naver";
+        provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         accessToken: string | null;
@@ -4480,7 +4480,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         updatedAt: Date;
         id: number;
         userId: number;
-        provider: "google" | "github" | "kakao" | "naver";
+        provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         accessToken: string | null;
@@ -4496,7 +4496,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        provider: "google" | "github" | "kakao" | "naver";
+        provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         accessToken: string | null;
@@ -4512,7 +4512,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        provider: "google" | "github" | "kakao" | "naver";
+        provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         accessToken: string | null;
@@ -5291,6 +5291,99 @@ declare function createOAuthState(params: CreateOAuthStateParams): Promise<strin
  */
 declare function verifyOAuthState(encryptedState: string): Promise<OAuthState>;
+/**
+ * OAuth Provider 추상화
+ *
+ * Provider별로 하드코딩된 분기를 제거하기 위한 공통 인터페이스와 registry.
+ * - 내장 provider(google)는 패키지 로드 시점에 자기 등록(dogfood)
+ * - 외부 패키지(@superself/auth 등)는 registerOAuthProvider()로 런타임 등록
+ *
+ * @spfn/auth는 토큰 issuer가 아니라 소비(client) 측이므로,
+ * 이 추상화는 "authorize URL 생성 → code 교환 → 사용자 정보 정규화"까지만 다룬다.
+ */
+/**
+ * Provider 사용자 정보를 공통 형태로 정규화한 신원
+ *
+ * provider별 응답 형태(snake_case 등)를 service에 노출하지 않기 위한 경계.
+ */
+interface NormalizedIdentity {
+    providerUserId: string;
+    email: string | null;
+    emailVerified: boolean;
+    name?: string;
+    avatar?: string;
+}
+/**
+ * 정규화된 OAuth 토큰 응답
+ *
+ * @property expiresIn - access token 만료까지 남은 초(seconds)
+ */
+interface OAuthTokens {
+    accessToken: string;
+    refreshToken?: string;
+    expiresIn: number;
+}
+/**
+ * OAuth provider 구현 인터페이스
+ *
+ * google, superself 등 모든 provider가 이 형태를 만족해야 registry에 등록된다.
+ */
+interface OAuthProvider {
+    id: SocialProvider;
+    /**
+     * provider가 사용 가능한 상태인지(필수 env 등) 확인
+     */
+    isEnabled(): boolean;
+    /**
+     * provider 로그인 페이지로 보낼 authorization URL 생성
+     *
+     * @param state - CSRF 방지용 암호화 state
+     * @param scopes - 요청할 scope (미지정 시 provider 기본값)
+     */
+    getAuthUrl(state: string, scopes?: string[]): string;
+    /**
+     * authorization code를 토큰으로 교환
+     */
+    exchangeCodeForTokens(code: string): Promise<OAuthTokens>;
+    /**
+     * access token으로 사용자 정보를 조회하고 공통 형태로 정규화
+     */
+    getUserInfo(accessToken: string): Promise<NormalizedIdentity>;
+    /**
+     * refresh token으로 access token 갱신 (provider가 지원하는 경우)
+     *
+     * 저장된 provider 토큰을 이후 API 호출에 재사용할 때 사용한다.
+     * 미구현 provider는 갱신 불가로 간주한다.
+     */
+    refreshTokens?(refreshToken: string): Promise<OAuthTokens>;
+}
+/**
+ * OAuth provider 등록 (public)
+ *
+ * 동일 id로 다시 등록하면 덮어쓴다(외부 패키지의 override 허용).
+ */
+declare function registerOAuthProvider(provider: OAuthProvider): void;
+/**
+ * 등록된 provider 조회. 미등록이면 undefined.
+ */
+declare function getOAuthProvider(id: SocialProvider): OAuthProvider | undefined;
+/**
+ * 등록된 모든 provider 목록
+ */
+declare function getRegisteredProviders(): OAuthProvider[];
+/**
+ * Google OAuthProvider 구현
+ *
+ * 기존 google.ts의 함수를 OAuthProvider 인터페이스로 래핑한다.
+ * google.ts 자체는 그대로 유지(테스트·google 전용 route가 직접 의존).
+ *
+ * 이 모듈을 import 하는 것만으로 google provider가 registry에 자기 등록된다.
+ */
+declare const googleProvider: OAuthProvider;
 /**
  * One-Time Token Manager
  *
@@ -5483,8 +5576,10 @@ declare function createAuthLifecycle(options?: AuthLifecycleOptions): AuthLifecy
  */
 /**
  * Auth provider type
+ *
+ * 직접 인증(email/phone) + 등록 가능한 모든 소셜 provider(SOCIAL_PROVIDERS).
  */
-declare const AuthProviderSchema: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">, _sinclair_typebox.TLiteral<"google">]>;
+declare const AuthProviderSchema: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">, ..._sinclair_typebox.TLiteral<"google" | "github" | "kakao" | "naver" | "superself">[]]>;
 /**
  * auth.login - 로그인 성공 이벤트
  *
@@ -5503,7 +5598,7 @@ declare const authLoginEvent: _spfn_core_event.EventDef<{
     email?: string | undefined;
     phone?: string | undefined;
     userId: string;
-    provider: "email" | "phone" | "google";
+    provider: "email" | "phone" | "google" | "github" | "kakao" | "naver" | "superself";
 }>;
 /**
  * auth.register - 회원가입 성공 이벤트
@@ -5526,7 +5621,7 @@ declare const authRegisterEvent: _spfn_core_event.EventDef<{
         [x: string]: unknown;
     } | undefined;
     userId: string;
-    provider: "email" | "phone" | "google";
+    provider: "email" | "phone" | "google" | "github" | "kakao" | "naver" | "superself";
 }>;
 /**
  * auth.invitation.created - 초대 생성 이벤트
@@ -5591,4 +5686,4 @@ type AuthRegisterPayload = typeof authRegisterEvent._payload;
 type InvitationCreatedPayload = typeof invitationCreatedEvent._payload;
 type InvitationAcceptedPayload = typeof invitationAcceptedEvent._payload;
-export { type AuthConfig, AuthContext, type AuthLifecycleConfig, type AuthLifecycleOptions, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOneTimeTokenManager, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initOneTimeTokenManager, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, oneTimeTokenAuth, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, setRolePermissions, shouldRotateKey, socialAccountsRepository, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };
+export { type AuthConfig, AuthContext, type AuthLifecycleConfig, type AuthLifecycleOptions, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type NormalizedIdentity, type OAuthProvider, type OAuthState, type OAuthTokens, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOAuthProvider, getOneTimeTokenManager, getOptionalAuth, getRegisteredProviders, getRole, getRoleByName, getRolePermissions, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, googleProvider, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initOneTimeTokenManager, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, oneTimeTokenAuth, parseDuration, permissions, permissionsRepository, refreshAccessToken, registerOAuthProvider, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, setRolePermissions, shouldRotateKey, socialAccountsRepository, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };

package/dist/server.js CHANGED Viewed

@@ -4501,7 +4501,7 @@ var init_types = __esm({
     KEY_ALGORITHM = ["ES256", "RS256"];
     INVITATION_STATUSES = ["pending", "accepted", "expired", "cancelled"];
     USER_STATUSES = ["active", "inactive", "suspended"];
-    SOCIAL_PROVIDERS = ["google", "github", "kakao", "naver"];
+    SOCIAL_PROVIDERS = ["google", "github", "kakao", "naver", "superself"];
   }
 });
@@ -7211,11 +7211,12 @@ async function updateUsernameService(userId, username) {
 // src/server/events/index.ts
 init_esm();
+init_types();
 import { defineEvent } from "@spfn/core/event";
 var AuthProviderSchema = Type.Union([
   Type.Literal("email"),
   Type.Literal("phone"),
-  Type.Literal("google")
+  ...SOCIAL_PROVIDERS.map((p) => Type.Literal(p))
 ]);
 var authLoginEvent = defineEvent(
   "auth.login",
@@ -8161,30 +8162,88 @@ async function verifyOAuthState(encryptedState) {
   return payload.state;
 }
+// src/server/lib/oauth/provider.ts
+var registry = /* @__PURE__ */ new Map();
+function registerOAuthProvider(provider) {
+  registry.set(provider.id, provider);
+}
+function getOAuthProvider(id11) {
+  return registry.get(id11);
+}
+function getRegisteredProviders() {
+  return [...registry.values()];
+}
+// src/server/lib/oauth/google-provider.ts
+var googleProvider = {
+  id: "google",
+  isEnabled: isGoogleOAuthEnabled,
+  getAuthUrl: getGoogleAuthUrl,
+  async exchangeCodeForTokens(code) {
+    const tokens = await exchangeCodeForTokens(code);
+    return {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token,
+      expiresIn: tokens.expires_in
+    };
+  },
+  async getUserInfo(accessToken) {
+    const user = await getGoogleUserInfo(accessToken);
+    return {
+      providerUserId: user.id,
+      email: user.email ?? null,
+      emailVerified: user.verified_email,
+      name: user.name,
+      avatar: user.picture
+    };
+  },
+  async refreshTokens(refreshToken) {
+    const tokens = await refreshAccessToken(refreshToken);
+    return {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token,
+      expiresIn: tokens.expires_in
+    };
+  }
+};
+registerOAuthProvider(googleProvider);
 // src/server/services/oauth.service.ts
-async function oauthStartService(params) {
-  const { provider, returnUrl, publicKey, keyId, fingerprint, algorithm, metadata } = params;
-  if (provider === "google") {
-    if (!isGoogleOAuthEnabled()) {
-      throw new ValidationError3({
-        message: "Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET."
-      });
-    }
-    const state = await createOAuthState({
-      provider: "google",
-      returnUrl,
-      publicKey,
-      keyId,
-      fingerprint,
-      algorithm,
-      metadata
+function requireEnabledProvider(provider) {
+  const oauthProvider = getOAuthProvider(provider);
+  if (!oauthProvider) {
+    throw new ValidationError3({
+      message: `Unsupported OAuth provider: ${provider}. No provider is registered for this id.`
+    });
+  }
+  if (!oauthProvider.isEnabled()) {
+    throw new ValidationError3({
+      message: `OAuth provider '${provider}' is registered but not configured. Check its required environment variables.`
     });
-    const authUrl = getGoogleAuthUrl(state);
-    return { authUrl };
   }
-  throw new ValidationError3({
-    message: `Unsupported OAuth provider: ${provider}`
+  return oauthProvider;
+}
+function tokenExpiryDate(expiresIn) {
+  if (!Number.isFinite(expiresIn)) {
+    throw new ValidationError3({
+      message: `Invalid token expiry returned from OAuth provider: ${expiresIn}`
+    });
+  }
+  return new Date(Date.now() + expiresIn * 1e3);
+}
+async function oauthStartService(params) {
+  const { provider, returnUrl, publicKey, keyId, fingerprint, algorithm, metadata } = params;
+  const oauthProvider = requireEnabledProvider(provider);
+  const state = await createOAuthState({
+    provider,
+    returnUrl,
+    publicKey,
+    keyId,
+    fingerprint,
+    algorithm,
+    metadata
   });
+  return { authUrl: oauthProvider.getAuthUrl(state) };
 }
 async function oauthCallbackService(params) {
   const { provider, code, state } = params;
@@ -8194,31 +8253,24 @@ async function oauthCallbackService(params) {
       message: "OAuth state provider mismatch"
     });
   }
-  if (provider === "google") {
-    return handleGoogleCallback(code, stateData);
-  }
-  throw new ValidationError3({
-    message: `Unsupported OAuth provider: ${provider}`
-  });
-}
-async function handleGoogleCallback(code, stateData) {
-  const tokens = await exchangeCodeForTokens(code);
-  const googleUser = await getGoogleUserInfo(tokens.access_token);
+  const oauthProvider = requireEnabledProvider(provider);
+  const tokens = await oauthProvider.exchangeCodeForTokens(code);
+  const identity = await oauthProvider.getUserInfo(tokens.accessToken);
   const existingSocialAccount = await socialAccountsRepository.findByProviderAndProviderId(
-    "google",
-    googleUser.id
+    provider,
+    identity.providerUserId
   );
   let userId;
   let isNewUser = false;
   if (existingSocialAccount) {
     userId = existingSocialAccount.userId;
     await socialAccountsRepository.updateTokens(existingSocialAccount.id, {
-      accessToken: tokens.access_token,
-      refreshToken: tokens.refresh_token ?? existingSocialAccount.refreshToken,
-      tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken ?? existingSocialAccount.refreshToken,
+      tokenExpiresAt: tokenExpiryDate(tokens.expiresIn)
     });
   } else {
-    const result = await createOrLinkUser(googleUser, tokens);
+    const result = await createOrLinkUser(provider, identity, tokens);
     userId = result.userId;
     isNewUser = result.isNewUser;
   }
@@ -8242,7 +8294,7 @@ async function handleGoogleCallback(code, stateData) {
   const user = await usersRepository.findById(userId);
   const eventPayload = {
     userId: String(userId),
-    provider: "google",
+    provider,
     email: user?.email || void 0,
     phone: user?.phone || void 0,
     metadata: stateData.metadata
@@ -8259,14 +8311,14 @@ async function handleGoogleCallback(code, stateData) {
     isNewUser
   };
 }
-async function createOrLinkUser(googleUser, tokens) {
-  const existingUser = googleUser.email ? await usersRepository.findByEmail(googleUser.email) : null;
+async function createOrLinkUser(provider, identity, tokens) {
+  const existingUser = identity.email ? await usersRepository.findByEmail(identity.email) : null;
   let userId;
   let isNewUser = false;
   if (existingUser) {
-    if (!googleUser.verified_email) {
+    if (!identity.emailVerified) {
       throw new ValidationError3({
-        message: "Cannot link to existing account with unverified email. Please verify your email with Google first."
+        message: "Cannot link to existing account with unverified email. Please verify your email with the provider first."
       });
     }
     userId = existingUser.id;
@@ -8282,26 +8334,26 @@ async function createOrLinkUser(googleUser, tokens) {
       throw new Error("Default user role not found. Run initializeAuth() first.");
     }
     const newUser = await usersRepository.create({
-      email: googleUser.verified_email ? googleUser.email : null,
+      email: identity.emailVerified ? identity.email : null,
       phone: null,
       passwordHash: null,
       // OAuth 사용자는 비밀번호 없음
       passwordChangeRequired: false,
       roleId: userRole.id,
       status: "active",
-      emailVerifiedAt: googleUser.verified_email ? /* @__PURE__ */ new Date() : null
+      emailVerifiedAt: identity.emailVerified ? /* @__PURE__ */ new Date() : null
     });
     userId = newUser.id;
     isNewUser = true;
   }
   await socialAccountsRepository.create({
     userId,
-    provider: "google",
-    providerUserId: googleUser.id,
-    providerEmail: googleUser.email,
-    accessToken: tokens.access_token,
-    refreshToken: tokens.refresh_token ?? null,
-    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+    provider,
+    providerUserId: identity.providerUserId,
+    providerEmail: identity.email,
+    accessToken: tokens.accessToken,
+    refreshToken: tokens.refreshToken ?? null,
+    tokenExpiresAt: tokenExpiryDate(tokens.expiresIn)
   });
   return { userId, isNewUser };
 }
@@ -8320,23 +8372,10 @@ function buildOAuthErrorUrl(error) {
   return errorUrl.replace("{error}", encodeURIComponent(error));
 }
 function isOAuthProviderEnabled(provider) {
-  switch (provider) {
-    case "google":
-      return isGoogleOAuthEnabled();
-    case "github":
-    case "kakao":
-    case "naver":
-      return false;
-    default:
-      return false;
-  }
+  return getOAuthProvider(provider)?.isEnabled() ?? false;
 }
 function getEnabledOAuthProviders() {
-  const providers = [];
-  if (isGoogleOAuthEnabled()) {
-    providers.push("google");
-  }
-  return providers;
+  return getRegisteredProviders().filter((p) => p.isEnabled()).map((p) => p.id);
 }
 var TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1e3;
 async function getGoogleAccessToken(userId) {
@@ -8359,7 +8398,7 @@ async function getGoogleAccessToken(userId) {
   await socialAccountsRepository.updateTokens(account.id, {
     accessToken: tokens.access_token,
     refreshToken: tokens.refresh_token ?? account.refreshToken,
-    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+    tokenExpiresAt: tokenExpiryDate(tokens.expires_in)
   });
   return tokens.access_token;
 }
@@ -9788,8 +9827,10 @@ export {
   getKeyId,
   getKeySize,
   getLocale,
+  getOAuthProvider,
   getOneTimeTokenManager,
   getOptionalAuth,
+  getRegisteredProviders,
   getRole,
   getRoleByName,
   getRolePermissions,
@@ -9803,6 +9844,7 @@ export {
   getUserPermissions,
   getUserProfileService,
   getUserRole,
+  googleProvider,
   hasAllPermissions,
   hasAnyPermission,
   hasAnyRole,
@@ -9829,6 +9871,7 @@ export {
   permissions,
   permissionsRepository,
   refreshAccessToken,
+  registerOAuthProvider,
   registerPublicKeyService,
   registerService,
   removePermissionFromRole,