npm - @spfn/auth - Versions diffs - 0.2.0-beta.61 → 0.2.0-beta.64 - Mend

@spfn/auth 0.2.0-beta.61 → 0.2.0-beta.64

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +59 -1
package/dist/{authenticate-B_HkYBzq.d.ts → authenticate-mfVRzeIK.d.ts} +126 -7
package/dist/index.d.ts +36 -6
package/dist/index.js +4 -1
package/dist/index.js.map +1 -1
package/dist/nextjs/server.d.ts +2 -2
package/dist/server.d.ts +194 -181
package/dist/server.js +200 -70
package/dist/server.js.map +1 -1
package/dist/{session-Dbvz9Sdp.d.ts → session-2CyIVxMY.d.ts} +1 -1
package/dist/{types-B1CzVZkU.d.ts → types-B4auHIax.d.ts} +1 -1
package/package.json +3 -3

package/dist/server.js CHANGED Viewed

@@ -4501,7 +4501,7 @@ var init_types = __esm({
     KEY_ALGORITHM = ["ES256", "RS256"];
     INVITATION_STATUSES = ["pending", "accepted", "expired", "cancelled"];
     USER_STATUSES = ["active", "inactive", "suspended"];
-    SOCIAL_PROVIDERS = ["google", "github", "kakao", "naver"];
+    SOCIAL_PROVIDERS = ["google", "github", "kakao", "naver", "superself"];
   }
 });
@@ -7211,11 +7211,12 @@ async function updateUsernameService(userId, username) {
 // src/server/events/index.ts
 init_esm();
+init_types();
 import { defineEvent } from "@spfn/core/event";
 var AuthProviderSchema = Type.Union([
   Type.Literal("email"),
   Type.Literal("phone"),
-  Type.Literal("google")
+  ...SOCIAL_PROVIDERS.map((p) => Type.Literal(p))
 ]);
 var authLoginEvent = defineEvent(
   "auth.login",
@@ -8161,30 +8162,88 @@ async function verifyOAuthState(encryptedState) {
   return payload.state;
 }
+// src/server/lib/oauth/provider.ts
+var registry = /* @__PURE__ */ new Map();
+function registerOAuthProvider(provider) {
+  registry.set(provider.id, provider);
+}
+function getOAuthProvider(id11) {
+  return registry.get(id11);
+}
+function getRegisteredProviders() {
+  return [...registry.values()];
+}
+// src/server/lib/oauth/google-provider.ts
+var googleProvider = {
+  id: "google",
+  isEnabled: isGoogleOAuthEnabled,
+  getAuthUrl: getGoogleAuthUrl,
+  async exchangeCodeForTokens(code) {
+    const tokens = await exchangeCodeForTokens(code);
+    return {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token,
+      expiresIn: tokens.expires_in
+    };
+  },
+  async getUserInfo(accessToken) {
+    const user = await getGoogleUserInfo(accessToken);
+    return {
+      providerUserId: user.id,
+      email: user.email ?? null,
+      emailVerified: user.verified_email,
+      name: user.name,
+      avatar: user.picture
+    };
+  },
+  async refreshTokens(refreshToken) {
+    const tokens = await refreshAccessToken(refreshToken);
+    return {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token,
+      expiresIn: tokens.expires_in
+    };
+  }
+};
+registerOAuthProvider(googleProvider);
 // src/server/services/oauth.service.ts
-async function oauthStartService(params) {
-  const { provider, returnUrl, publicKey, keyId, fingerprint, algorithm, metadata } = params;
-  if (provider === "google") {
-    if (!isGoogleOAuthEnabled()) {
-      throw new ValidationError3({
-        message: "Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET."
-      });
-    }
-    const state = await createOAuthState({
-      provider: "google",
-      returnUrl,
-      publicKey,
-      keyId,
-      fingerprint,
-      algorithm,
-      metadata
+function requireEnabledProvider(provider) {
+  const oauthProvider = getOAuthProvider(provider);
+  if (!oauthProvider) {
+    throw new ValidationError3({
+      message: `Unsupported OAuth provider: ${provider}. No provider is registered for this id.`
     });
-    const authUrl = getGoogleAuthUrl(state);
-    return { authUrl };
   }
-  throw new ValidationError3({
-    message: `Unsupported OAuth provider: ${provider}`
+  if (!oauthProvider.isEnabled()) {
+    throw new ValidationError3({
+      message: `OAuth provider '${provider}' is registered but not configured. Check its required environment variables.`
+    });
+  }
+  return oauthProvider;
+}
+function tokenExpiryDate(expiresIn) {
+  if (!Number.isFinite(expiresIn)) {
+    throw new ValidationError3({
+      message: `Invalid token expiry returned from OAuth provider: ${expiresIn}`
+    });
+  }
+  return new Date(Date.now() + expiresIn * 1e3);
+}
+async function oauthStartService(params) {
+  const { provider, returnUrl, publicKey, keyId, fingerprint, algorithm, metadata } = params;
+  const oauthProvider = requireEnabledProvider(provider);
+  const state = await createOAuthState({
+    provider,
+    returnUrl,
+    publicKey,
+    keyId,
+    fingerprint,
+    algorithm,
+    metadata
   });
+  return { authUrl: oauthProvider.getAuthUrl(state) };
 }
 async function oauthCallbackService(params) {
   const { provider, code, state } = params;
@@ -8194,31 +8253,24 @@ async function oauthCallbackService(params) {
       message: "OAuth state provider mismatch"
     });
   }
-  if (provider === "google") {
-    return handleGoogleCallback(code, stateData);
-  }
-  throw new ValidationError3({
-    message: `Unsupported OAuth provider: ${provider}`
-  });
-}
-async function handleGoogleCallback(code, stateData) {
-  const tokens = await exchangeCodeForTokens(code);
-  const googleUser = await getGoogleUserInfo(tokens.access_token);
+  const oauthProvider = requireEnabledProvider(provider);
+  const tokens = await oauthProvider.exchangeCodeForTokens(code);
+  const identity = await oauthProvider.getUserInfo(tokens.accessToken);
   const existingSocialAccount = await socialAccountsRepository.findByProviderAndProviderId(
-    "google",
-    googleUser.id
+    provider,
+    identity.providerUserId
   );
   let userId;
   let isNewUser = false;
   if (existingSocialAccount) {
     userId = existingSocialAccount.userId;
     await socialAccountsRepository.updateTokens(existingSocialAccount.id, {
-      accessToken: tokens.access_token,
-      refreshToken: tokens.refresh_token ?? existingSocialAccount.refreshToken,
-      tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken ?? existingSocialAccount.refreshToken,
+      tokenExpiresAt: tokenExpiryDate(tokens.expiresIn)
     });
   } else {
-    const result = await createOrLinkUser(googleUser, tokens);
+    const result = await createOrLinkUser(provider, identity, tokens);
     userId = result.userId;
     isNewUser = result.isNewUser;
   }
@@ -8242,7 +8294,7 @@ async function handleGoogleCallback(code, stateData) {
   const user = await usersRepository.findById(userId);
   const eventPayload = {
     userId: String(userId),
-    provider: "google",
+    provider,
     email: user?.email || void 0,
     phone: user?.phone || void 0,
     metadata: stateData.metadata
@@ -8259,14 +8311,14 @@ async function handleGoogleCallback(code, stateData) {
     isNewUser
   };
 }
-async function createOrLinkUser(googleUser, tokens) {
-  const existingUser = googleUser.email ? await usersRepository.findByEmail(googleUser.email) : null;
+async function createOrLinkUser(provider, identity, tokens) {
+  const existingUser = identity.email ? await usersRepository.findByEmail(identity.email) : null;
   let userId;
   let isNewUser = false;
   if (existingUser) {
-    if (!googleUser.verified_email) {
+    if (!identity.emailVerified) {
       throw new ValidationError3({
-        message: "Cannot link to existing account with unverified email. Please verify your email with Google first."
+        message: "Cannot link to existing account with unverified email. Please verify your email with the provider first."
       });
     }
     userId = existingUser.id;
@@ -8282,26 +8334,26 @@ async function createOrLinkUser(googleUser, tokens) {
       throw new Error("Default user role not found. Run initializeAuth() first.");
     }
     const newUser = await usersRepository.create({
-      email: googleUser.verified_email ? googleUser.email : null,
+      email: identity.emailVerified ? identity.email : null,
       phone: null,
       passwordHash: null,
       // OAuth 사용자는 비밀번호 없음
       passwordChangeRequired: false,
       roleId: userRole.id,
       status: "active",
-      emailVerifiedAt: googleUser.verified_email ? /* @__PURE__ */ new Date() : null
+      emailVerifiedAt: identity.emailVerified ? /* @__PURE__ */ new Date() : null
     });
     userId = newUser.id;
     isNewUser = true;
   }
   await socialAccountsRepository.create({
     userId,
-    provider: "google",
-    providerUserId: googleUser.id,
-    providerEmail: googleUser.email,
-    accessToken: tokens.access_token,
-    refreshToken: tokens.refresh_token ?? null,
-    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+    provider,
+    providerUserId: identity.providerUserId,
+    providerEmail: identity.email,
+    accessToken: tokens.accessToken,
+    refreshToken: tokens.refreshToken ?? null,
+    tokenExpiresAt: tokenExpiryDate(tokens.expiresIn)
   });
   return { userId, isNewUser };
 }
@@ -8320,23 +8372,10 @@ function buildOAuthErrorUrl(error) {
   return errorUrl.replace("{error}", encodeURIComponent(error));
 }
 function isOAuthProviderEnabled(provider) {
-  switch (provider) {
-    case "google":
-      return isGoogleOAuthEnabled();
-    case "github":
-    case "kakao":
-    case "naver":
-      return false;
-    default:
-      return false;
-  }
+  return getOAuthProvider(provider)?.isEnabled() ?? false;
 }
 function getEnabledOAuthProviders() {
-  const providers = [];
-  if (isGoogleOAuthEnabled()) {
-    providers.push("google");
-  }
-  return providers;
+  return getRegisteredProviders().filter((p) => p.isEnabled()).map((p) => p.id);
 }
 var TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1e3;
 async function getGoogleAccessToken(userId) {
@@ -8359,7 +8398,7 @@ async function getGoogleAccessToken(userId) {
   await socialAccountsRepository.updateTokens(account.id, {
     accessToken: tokens.access_token,
     refreshToken: tokens.refresh_token ?? account.refreshToken,
-    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+    tokenExpiresAt: tokenExpiryDate(tokens.expires_in)
   });
   return tokens.access_token;
 }
@@ -9119,7 +9158,13 @@ var userRouter = defineRouter3({
 init_esm();
 init_types();
 import { Transactional as Transactional2 } from "@spfn/core/db";
+import { ValidationError as ValidationError4 } from "@spfn/core/errors";
 import { defineRouter as defineRouter4, route as route4 } from "@spfn/core/route";
+var providerParams = Type.Object({
+  provider: Type.Union(SOCIAL_PROVIDERS.map((p) => Type.Literal(p)), {
+    description: "OAuth provider id (google, github, kakao, naver, superself)"
+  })
+});
 var oauthGoogleStart = route4.get("/_auth/oauth/google").input({
   query: Type.Object({
     state: Type.String({
@@ -9216,10 +9261,12 @@ var getGoogleOAuthUrl = route4.post("/_auth/oauth/google/url").input({
 }).skip(["auth"]).handler(async (c) => {
   const { body } = await c.data();
   if (!isGoogleOAuthEnabled()) {
-    throw new Error("Google OAuth is not configured");
+    throw new ValidationError4({ message: "Google OAuth is not configured" });
   }
   if (!body.state) {
-    throw new Error("OAuth state is required. Ensure the OAuth interceptor is configured.");
+    throw new ValidationError4({
+      message: "OAuth state is required. Ensure the OAuth interceptor is configured."
+    });
   }
   return { authUrl: getGoogleAuthUrl(body.state) };
 });
@@ -9238,13 +9285,88 @@ var oauthFinalize = route4.post("/_auth/oauth/finalize").input({
     returnUrl: body.returnUrl || "/"
   };
 });
+var oauthProviderStart = route4.get("/_auth/oauth/:provider").input({
+  params: providerParams,
+  query: Type.Object({
+    state: Type.String({
+      description: "Encrypted OAuth state (returnUrl, publicKey, keyId, fingerprint, algorithm)"
+    })
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { params, query } = await c.data();
+  const provider = getOAuthProvider(params.provider);
+  if (!provider?.isEnabled()) {
+    return c.redirect(buildOAuthErrorUrl(`OAuth provider '${params.provider}' is not configured`));
+  }
+  return c.redirect(provider.getAuthUrl(query.state));
+});
+var oauthProviderCallback = route4.get("/_auth/oauth/:provider/callback").input({
+  params: providerParams,
+  query: Type.Object({
+    code: Type.Optional(Type.String({
+      description: "Authorization code from provider"
+    })),
+    state: Type.Optional(Type.String({
+      description: "OAuth state parameter"
+    })),
+    error: Type.Optional(Type.String({
+      description: "Error code from provider"
+    })),
+    error_description: Type.Optional(Type.String({
+      description: "Error description from provider"
+    }))
+  })
+}).use([Transactional2()]).skip(["auth"]).handler(async (c) => {
+  const { params, query } = await c.data();
+  if (query.error) {
+    const errorMessage = query.error_description || query.error;
+    return c.redirect(buildOAuthErrorUrl(errorMessage));
+  }
+  if (!query.code || !query.state) {
+    return c.redirect(buildOAuthErrorUrl("Missing authorization code or state"));
+  }
+  try {
+    const result = await oauthCallbackService({
+      provider: params.provider,
+      code: query.code,
+      state: query.state
+    });
+    return c.redirect(result.redirectUrl);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "OAuth callback failed";
+    return c.redirect(buildOAuthErrorUrl(message));
+  }
+});
+var getProviderOAuthUrl = route4.post("/_auth/oauth/:provider/url").input({
+  params: providerParams,
+  body: Type.Object({
+    returnUrl: Type.Optional(Type.String({
+      description: "URL to redirect after OAuth success"
+    })),
+    state: Type.Optional(Type.String({
+      description: "Encrypted OAuth state (injected by interceptor)"
+    }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { params, body } = await c.data();
+  const provider = requireEnabledProvider(params.provider);
+  if (!body.state) {
+    throw new ValidationError4({
+      message: "OAuth state is required. Ensure the OAuth interceptor is configured."
+    });
+  }
+  return { authUrl: provider.getAuthUrl(body.state) };
+});
 var oauthRouter = defineRouter4({
   oauthGoogleStart,
   oauthGoogleCallback,
   oauthStart,
   oauthProviders,
   getGoogleOAuthUrl,
-  oauthFinalize
+  oauthFinalize,
+  oauthProviderStart,
+  oauthProviderCallback,
+  getProviderOAuthUrl
 });
 // src/server/routes/admin/index.ts
@@ -9364,6 +9486,9 @@ var mainAuthRouter = defineRouter5({
   oauthProviders,
   getGoogleOAuthUrl,
   oauthFinalize,
+  oauthProviderStart,
+  oauthProviderCallback,
+  getProviderOAuthUrl,
   // Invitation routes
   getInvitation,
   acceptInvitation: acceptInvitation2,
@@ -9788,8 +9913,10 @@ export {
   getKeyId,
   getKeySize,
   getLocale,
+  getOAuthProvider,
   getOneTimeTokenManager,
   getOptionalAuth,
+  getRegisteredProviders,
   getRole,
   getRoleByName,
   getRolePermissions,
@@ -9803,6 +9930,7 @@ export {
   getUserPermissions,
   getUserProfileService,
   getUserRole,
+  googleProvider,
   hasAllPermissions,
   hasAnyPermission,
   hasAnyRole,
@@ -9829,10 +9957,12 @@ export {
   permissions,
   permissionsRepository,
   refreshAccessToken,
+  registerOAuthProvider,
   registerPublicKeyService,
   registerService,
   removePermissionFromRole,
   requireAnyPermission,
+  requireEnabledProvider,
   requirePermissions,
   requireRole,
   resendInvitation,