npm - @spfn/auth - Versions diffs - 0.2.0-beta.62 → 0.2.0-beta.65 - Mend

@spfn/auth 0.2.0-beta.62 → 0.2.0-beta.65

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/{authenticate-DcOkuB7d.d.ts → authenticate-mfVRzeIK.d.ts} +121 -2
package/dist/index.d.ts +33 -3
package/dist/index.js +3 -0
package/dist/index.js.map +1 -1
package/dist/server.d.ts +209 -283
package/dist/server.js +218 -50
package/dist/server.js.map +1 -1
package/package.json +1 -1

package/dist/server.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { i as AuthInitOptions, d as VerificationPurpose, h as PermissionCategory, j as AuthContext } from './authenticate-DcOkuB7d.js';
-export { u as ChangePasswordParams, p as CheckAccountExistsParams, C as CheckAccountExistsResult, a1 as EmailSchema, I as IssueOneTimeTokenResult, s as LoginParams, L as LoginResult, t as LogoutParams, Z as OAuthCallbackParams, _ as OAuthCallbackResult, Y as OAuthStartParams, O as OAuthStartResult, a3 as PasswordSchema, a2 as PhoneSchema, q as RegisterParams, F as RegisterPublicKeyParams, a as RegisterResult, H as RevokeKeyParams, G as RotateKeyParams, b as RotateKeyResult, x as SendVerificationCodeParams, S as SendVerificationCodeResult, a4 as TargetTypeSchema, f as VERIFICATION_PURPOSES, e as VERIFICATION_TARGET_TYPES, a5 as VerificationPurposeSchema, V as VerificationTargetType, y as VerifyCodeParams, z as VerifyCodeResult, m as authRouter, $ as authenticate, Q as buildOAuthErrorUrl, o as changePasswordService, k as checkAccountExistsService, W as getEnabledOAuthProviders, X as getGoogleAccessToken, T as isOAuthProviderEnabled, J as issueOneTimeTokenService, l as loginService, n as logoutService, N as oauthCallbackService, M as oauthStartService, a0 as optionalAuth, B as registerPublicKeyService, r as registerService, E as revokeKeyService, D as rotateKeyService, v as sendVerificationCodeService, w as verifyCodeService, K as verifyOneTimeTokenService } from './authenticate-DcOkuB7d.js';
+import { i as AuthInitOptions, j as OAuthProvider, d as VerificationPurpose, h as PermissionCategory, k as AuthContext } from './authenticate-mfVRzeIK.js';
+export { v as ChangePasswordParams, q as CheckAccountExistsParams, C as CheckAccountExistsResult, a3 as EmailSchema, I as IssueOneTimeTokenResult, t as LoginParams, L as LoginResult, u as LogoutParams, a8 as NormalizedIdentity, $ as OAuthCallbackParams, a0 as OAuthCallbackResult, _ as OAuthStartParams, O as OAuthStartResult, a9 as OAuthTokens, a5 as PasswordSchema, a4 as PhoneSchema, s as RegisterParams, G as RegisterPublicKeyParams, a as RegisterResult, J as RevokeKeyParams, H as RotateKeyParams, b as RotateKeyResult, y as SendVerificationCodeParams, S as SendVerificationCodeResult, a6 as TargetTypeSchema, f as VERIFICATION_PURPOSES, e as VERIFICATION_TARGET_TYPES, a7 as VerificationPurposeSchema, V as VerificationTargetType, z as VerifyCodeParams, B as VerifyCodeResult, m as authRouter, a1 as authenticate, T as buildOAuthErrorUrl, p as changePasswordService, l as checkAccountExistsService, Y as getEnabledOAuthProviders, Z as getGoogleAccessToken, ab as getOAuthProvider, ac as getRegisteredProviders, W as isOAuthProviderEnabled, K as issueOneTimeTokenService, n as loginService, o as logoutService, Q as oauthCallbackService, N as oauthStartService, a2 as optionalAuth, aa as registerOAuthProvider, D as registerPublicKeyService, r as registerService, X as requireEnabledProvider, F as revokeKeyService, E as rotateKeyService, w as sendVerificationCodeService, x as verifyCodeService, M as verifyOneTimeTokenService } from './authenticate-mfVRzeIK.js';
 import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
 import { K as KeyAlgorithmType, b as InvitationStatus, d as SocialProvider } from './types-B4auHIax.js';
 export { I as INVITATION_STATUSES, a as KEY_ALGORITHM, S as SOCIAL_PROVIDERS, U as USER_STATUSES, c as UserStatus } from './types-B4auHIax.js';
@@ -1333,7 +1333,7 @@ declare function getAuthSessionService(userId: string | number | bigint): Promis
         id: number;
         name: string;
         displayName: string;
-        category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
+        category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
     }[];
     userId: number;
     publicId: string;
@@ -1416,6 +1416,127 @@ declare function updateLocaleService(userId: string | number | bigint, locale: s
  */
 declare function updateUserProfileService(userId: string | number | bigint, params: UpdateProfileParams): Promise<ProfileInfo>;
+/**
+ * Google OAuth 2.0 Client
+ *
+ * Authorization Code Flow 구현
+ * - getGoogleAuthUrl: Google 로그인 URL 생성
+ * - exchangeCodeForTokens: Code를 Token으로 교환
+ * - getGoogleUserInfo: 사용자 정보 조회
+ */
+interface GoogleTokenResponse {
+    access_token: string;
+    expires_in: number;
+    refresh_token?: string;
+    scope: string;
+    token_type: string;
+    id_token?: string;
+}
+interface GoogleUserInfo {
+    id: string;
+    email: string;
+    verified_email: boolean;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+    picture?: string;
+    locale?: string;
+}
+/**
+ * Google OAuth가 활성화되어 있는지 확인
+ */
+declare function isGoogleOAuthEnabled(): boolean;
+/**
+ * Google OAuth 설정 가져오기
+ */
+declare function getGoogleOAuthConfig(): {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+};
+/**
+ * Google 로그인 URL 생성
+ *
+ * @param state - CSRF 방지용 state 파라미터 (암호화된 returnUrl + nonce 포함)
+ * @param scopes - 요청할 OAuth scopes (기본: env 또는 email, profile)
+ */
+declare function getGoogleAuthUrl(state: string, scopes?: string[]): string;
+/**
+ * Authorization Code를 Token으로 교환
+ *
+ * @param code - Google에서 받은 authorization code
+ */
+declare function exchangeCodeForTokens(code: string): Promise<GoogleTokenResponse>;
+/**
+ * Access Token으로 Google 사용자 정보 조회
+ *
+ * @param accessToken - Google access token
+ */
+declare function getGoogleUserInfo(accessToken: string): Promise<GoogleUserInfo>;
+/**
+ * Refresh Token으로 새 Access Token 획득
+ *
+ * @param refreshToken - Google refresh token
+ */
+declare function refreshAccessToken(refreshToken: string): Promise<GoogleTokenResponse>;
+/**
+ * OAuth State Management
+ *
+ * CSRF 방지를 위한 state 파라미터 암호화/복호화
+ * - returnUrl: OAuth 성공 후 리다이렉트할 URL
+ * - nonce: CSRF 방지용 일회용 토큰
+ * - provider: OAuth provider (google, github 등)
+ * - publicKey, keyId, fingerprint, algorithm: 클라이언트 키 정보
+ * - expiresAt: state 만료 시간
+ */
+interface OAuthState {
+    returnUrl: string;
+    nonce: string;
+    provider: string;
+    publicKey: string;
+    keyId: string;
+    fingerprint: string;
+    algorithm: KeyAlgorithmType;
+    metadata?: Record<string, unknown>;
+}
+interface CreateOAuthStateParams {
+    provider: string;
+    returnUrl: string;
+    publicKey: string;
+    keyId: string;
+    fingerprint: string;
+    algorithm: KeyAlgorithmType;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * OAuth state 생성 및 암호화
+ *
+ * @param params - state 생성에 필요한 파라미터
+ * @returns 암호화된 state 문자열
+ */
+declare function createOAuthState(params: CreateOAuthStateParams): Promise<string>;
+/**
+ * OAuth state 복호화 및 검증
+ *
+ * @param encryptedState - 암호화된 state 문자열
+ * @returns 복호화된 state 객체
+ * @throws Error if state is invalid or expired (JWE exp claim으로 자동 검증)
+ */
+declare function verifyOAuthState(encryptedState: string): Promise<OAuthState>;
+/**
+ * Google OAuthProvider 구현
+ *
+ * 기존 google.ts의 함수를 OAuthProvider 인터페이스로 래핑한다.
+ * google.ts 자체는 그대로 유지(테스트·google 전용 route가 직접 의존).
+ *
+ * 이 모듈을 import 하는 것만으로 google provider가 registry에 자기 등록된다.
+ */
+declare const googleProvider: OAuthProvider;
 /**
  * @spfn/auth - Database Schema Definition
  *
@@ -2474,7 +2595,7 @@ declare const permissions: drizzle_orm_pg_core.PgTableWithColumns<{
             tableName: "permissions";
             dataType: "string";
             columnType: "PgText";
-            data: "auth" | "custom" | "user" | "rbac" | "system";
+            data: "custom" | "user" | "auth" | "rbac" | "system";
             driverParam: string;
             notNull: false;
             hasDefault: false;
@@ -3065,17 +3186,17 @@ declare class UsersRepository extends BaseRepository {
      * Write primary 사용
      */
     create(data: NewUser): Promise<{
+        username: string | null;
+        status: "active" | "inactive" | "suspended";
         email: string | null;
         phone: string | null;
         id: number;
+        createdAt: Date;
+        updatedAt: Date;
         publicId: string;
-        username: string | null;
         passwordHash: string | null;
         passwordChangeRequired: boolean;
         roleId: number;
-        createdAt: Date;
-        updatedAt: Date;
-        status: "active" | "inactive" | "suspended";
         emailVerifiedAt: Date | null;
         phoneVerifiedAt: Date | null;
         lastLoginAt: Date | null;
@@ -3145,17 +3266,17 @@ declare class UsersRepository extends BaseRepository {
      * Write primary 사용
      */
     deleteById(id: number): Promise<{
+        username: string | null;
+        status: "active" | "inactive" | "suspended";
         email: string | null;
         phone: string | null;
         id: number;
+        createdAt: Date;
+        updatedAt: Date;
         publicId: string;
-        username: string | null;
         passwordHash: string | null;
         passwordChangeRequired: boolean;
         roleId: number;
-        createdAt: Date;
-        updatedAt: Date;
-        status: "active" | "inactive" | "suspended";
         emailVerifiedAt: Date | null;
         phoneVerifiedAt: Date | null;
         lastLoginAt: Date | null;
@@ -3178,7 +3299,7 @@ declare class UsersRepository extends BaseRepository {
             id: number;
             name: string;
             displayName: string;
-            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
+            category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
         }[];
     }>;
     /**
@@ -3293,16 +3414,16 @@ declare class KeysRepository extends BaseRepository {
      * Write primary 사용
      */
     create(data: NewUserPublicKey): Promise<{
-        publicKey: string;
-        keyId: string;
-        fingerprint: string;
-        algorithm: "ES256" | "RS256";
         userId: number;
+        keyId: string;
         id: number;
         isActive: boolean;
         createdAt: Date;
-        expiresAt: Date | null;
+        publicKey: string;
+        algorithm: "ES256" | "RS256";
+        fingerprint: string;
         lastUsedAt: Date | null;
+        expiresAt: Date | null;
         revokedAt: Date | null;
         revokedReason: string | null;
     }>;
@@ -3329,16 +3450,16 @@ declare class KeysRepository extends BaseRepository {
      * Write primary 사용
      */
     deleteByKeyIdAndUserId(keyId: string, userId: number): Promise<{
-        publicKey: string;
-        keyId: string;
-        fingerprint: string;
-        algorithm: "ES256" | "RS256";
         userId: number;
+        keyId: string;
         id: number;
         isActive: boolean;
         createdAt: Date;
-        expiresAt: Date | null;
+        publicKey: string;
+        algorithm: "ES256" | "RS256";
+        fingerprint: string;
         lastUsedAt: Date | null;
+        expiresAt: Date | null;
         revokedAt: Date | null;
         revokedReason: string | null;
     }>;
@@ -3453,14 +3574,14 @@ declare class VerificationCodesRepository extends BaseRepository {
      * Write primary 사용
      */
     create(data: NewVerificationCode): Promise<{
-        target: string;
-        targetType: "email" | "phone";
-        purpose: "registration" | "login" | "password_reset" | "email_change" | "phone_change";
-        code: string;
         id: number;
         createdAt: Date;
         updatedAt: Date;
         expiresAt: Date;
+        target: string;
+        targetType: "email" | "phone";
+        code: string;
+        purpose: "registration" | "login" | "password_reset" | "email_change" | "phone_change";
         usedAt: Date | null;
         attempts: number;
     }>;
@@ -3649,7 +3770,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
+        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3665,7 +3786,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
+        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3705,7 +3826,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
+        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3716,7 +3837,6 @@ declare class PermissionsRepository extends BaseRepository {
      */
     deleteById(id: number): Promise<{
         description: string | null;
-        metadata: Record<string, any> | null;
         id: number;
         name: string;
         displayName: string;
@@ -3725,7 +3845,8 @@ declare class PermissionsRepository extends BaseRepository {
         isActive: boolean;
         createdAt: Date;
         updatedAt: Date;
-        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
+        metadata: Record<string, any> | null;
+        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
     }>;
 }
 declare const permissionsRepository: PermissionsRepository;
@@ -3770,9 +3891,9 @@ declare class RolePermissionsRepository extends BaseRepository {
      */
     createMany(data: NewRolePermission[]): Promise<{
         id: number;
-        roleId: number;
         createdAt: Date;
         updatedAt: Date;
+        roleId: number;
         permissionId: number;
     }[]>;
     /**
@@ -3788,9 +3909,9 @@ declare class RolePermissionsRepository extends BaseRepository {
      */
     setPermissionsForRole(roleId: number, permissionIds: number[]): Promise<{
         id: number;
-        roleId: number;
         createdAt: Date;
         updatedAt: Date;
+        roleId: number;
         permissionId: number;
     }[]>;
 }
@@ -3855,10 +3976,10 @@ declare class UserPermissionsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        permissionId: number;
         expiresAt: Date | null;
-        reason: string | null;
+        permissionId: number;
         granted: boolean;
+        reason: string | null;
     }>;
     /**
      * 사용자 권한 오버라이드 업데이트
@@ -3881,10 +4002,10 @@ declare class UserPermissionsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        permissionId: number;
         expiresAt: Date | null;
-        reason: string | null;
+        permissionId: number;
         granted: boolean;
+        reason: string | null;
     }>;
     /**
      * 사용자의 모든 권한 오버라이드 삭제
@@ -3962,7 +4083,6 @@ declare class UserProfilesRepository extends BaseRepository {
      * 프로필 생성
      */
     create(data: NewUserProfile): Promise<{
-        metadata: Record<string, any> | null;
         userId: number;
         id: number;
         displayName: string | null;
@@ -3980,6 +4100,7 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
+        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 업데이트 (by ID)
@@ -4031,7 +4152,6 @@ declare class UserProfilesRepository extends BaseRepository {
      * 프로필 삭제 (by ID)
      */
     deleteById(id: number): Promise<{
-        metadata: Record<string, any> | null;
         userId: number;
         id: number;
         displayName: string | null;
@@ -4049,12 +4169,12 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
+        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 삭제 (by User ID)
      */
     deleteByUserId(userId: number): Promise<{
-        metadata: Record<string, any> | null;
         userId: number;
         id: number;
         displayName: string | null;
@@ -4072,6 +4192,7 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
+        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 Upsert (by User ID)
@@ -4080,7 +4201,6 @@ declare class UserProfilesRepository extends BaseRepository {
      * 새로 생성 시 displayName은 필수 (없으면 'User'로 설정)
      */
     upsertByUserId(userId: number, data: Partial<Omit<NewUserProfile, 'userId'>>): Promise<{
-        metadata: Record<string, any> | null;
         userId: number;
         id: number;
         displayName: string | null;
@@ -4098,6 +4218,7 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
+        metadata: Record<string, any> | null;
     }>;
     /**
      * User ID로 프로필 데이터 조회 (formatted)
@@ -4224,16 +4345,16 @@ declare class InvitationsRepository extends BaseRepository {
      * 초대 생성
      */
     create(data: NewInvitation): Promise<{
+        status: "pending" | "accepted" | "expired" | "cancelled";
         email: string;
-        metadata: Record<string, any> | null;
         id: number;
-        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        status: "pending" | "accepted" | "expired" | "cancelled";
+        roleId: number;
+        metadata: Record<string, any> | null;
+        expiresAt: Date;
         token: string;
         invitedBy: number;
-        expiresAt: Date;
         acceptedAt: Date | null;
         cancelledAt: Date | null;
     }>;
@@ -4258,16 +4379,16 @@ declare class InvitationsRepository extends BaseRepository {
      * 초대 삭제
      */
     deleteById(id: number): Promise<{
+        status: "pending" | "accepted" | "expired" | "cancelled";
         email: string;
-        metadata: Record<string, any> | null;
         id: number;
-        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        status: "pending" | "accepted" | "expired" | "cancelled";
+        roleId: number;
+        metadata: Record<string, any> | null;
+        expiresAt: Date;
         token: string;
         invitedBy: number;
-        expiresAt: Date;
         acceptedAt: Date | null;
         cancelledAt: Date | null;
     }>;
@@ -4403,59 +4524,69 @@ declare const invitationsRepository: InvitationsRepository;
  * Social Accounts Repository 클래스
  */
 declare class SocialAccountsRepository extends BaseRepository {
+    /**
+     * 저장 row 의 토큰을 평문으로 복호화해 반환한다.
+     *
+     * 레거시 평문(마커 없음)이 감지되면 즉시 재암호화해 저장하는
+     * self-healing 마이그레이션을 수행한다. 호출자에게는 항상 평문이 반환되어
+     * 외부 API 계약(평문 토큰)이 유지된다.
+     */
+    private decryptAccount;
     /**
      * provider와 providerUserId로 소셜 계정 조회
      * Read replica 사용
      */
     findByProviderAndProviderId(provider: SocialProvider, providerUserId: string): Promise<{
+        accessToken: string | null;
+        refreshToken: string | null;
+        userId: number;
+        id: number;
         createdAt: Date;
         updatedAt: Date;
-        id: number;
-        userId: number;
         provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
-        accessToken: string | null;
-        refreshToken: string | null;
         tokenExpiresAt: Date | null;
-    }>;
+    } | null>;
     /**
      * userId로 모든 소셜 계정 조회
      * Read replica 사용
      */
-    findByUserId(userId: number): Promise<{
+    findByUserId(userId: number): Promise<({
+        accessToken: string | null;
+        refreshToken: string | null;
+        userId: number;
+        id: number;
         createdAt: Date;
         updatedAt: Date;
-        id: number;
-        userId: number;
         provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
-        accessToken: string | null;
-        refreshToken: string | null;
         tokenExpiresAt: Date | null;
-    }[]>;
+    } | null)[]>;
     /**
      * userId와 provider로 소셜 계정 조회
      * Read replica 사용
      */
     findByUserIdAndProvider(userId: number, provider: SocialProvider): Promise<{
+        accessToken: string | null;
+        refreshToken: string | null;
+        userId: number;
+        id: number;
         createdAt: Date;
         updatedAt: Date;
-        id: number;
-        userId: number;
         provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
-        accessToken: string | null;
-        refreshToken: string | null;
         tokenExpiresAt: Date | null;
-    }>;
+    } | null>;
     /**
      * 소셜 계정 생성
      * Write primary 사용
      */
     create(data: NewUserSocialAccount): Promise<{
+        accessToken: string | null;
+        refreshToken: string | null;
         userId: number;
         id: number;
         createdAt: Date;
@@ -4463,10 +4594,8 @@ declare class SocialAccountsRepository extends BaseRepository {
         provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
-        accessToken: string | null;
-        refreshToken: string | null;
         tokenExpiresAt: Date | null;
-    }>;
+    } | null>;
     /**
      * 토큰 정보 업데이트
      * Write primary 사용
@@ -4476,17 +4605,17 @@ declare class SocialAccountsRepository extends BaseRepository {
         refreshToken?: string | null;
         tokenExpiresAt?: Date | null;
     }): Promise<{
+        accessToken: string | null;
+        refreshToken: string | null;
+        userId: number;
+        id: number;
         createdAt: Date;
         updatedAt: Date;
-        id: number;
-        userId: number;
         provider: "google" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
-        accessToken: string | null;
-        refreshToken: string | null;
         tokenExpiresAt: Date | null;
-    }>;
+    } | null>;
     /**
      * 소셜 계정 삭제
      * Write primary 사용
@@ -4974,17 +5103,17 @@ declare function getOptionalAuth(c: Context | {
 declare function getUser(c: Context | {
     raw: Context;
 }): {
+    username: string | null;
+    status: "active" | "inactive" | "suspended";
     email: string | null;
     phone: string | null;
     id: number;
+    createdAt: Date;
+    updatedAt: Date;
     publicId: string;
-    username: string | null;
     passwordHash: string | null;
     passwordChangeRequired: boolean;
     roleId: number;
-    createdAt: Date;
-    updatedAt: Date;
-    status: "active" | "inactive" | "suspended";
     emailVerifiedAt: Date | null;
     phoneVerifiedAt: Date | null;
     lastLoginAt: Date | null;
@@ -5181,209 +5310,6 @@ declare function getAuthConfig(): AuthConfig;
  */
 declare function getSessionTtl(override?: string | number): number;
-/**
- * Google OAuth 2.0 Client
- *
- * Authorization Code Flow 구현
- * - getGoogleAuthUrl: Google 로그인 URL 생성
- * - exchangeCodeForTokens: Code를 Token으로 교환
- * - getGoogleUserInfo: 사용자 정보 조회
- */
-interface GoogleTokenResponse {
-    access_token: string;
-    expires_in: number;
-    refresh_token?: string;
-    scope: string;
-    token_type: string;
-    id_token?: string;
-}
-interface GoogleUserInfo {
-    id: string;
-    email: string;
-    verified_email: boolean;
-    name?: string;
-    given_name?: string;
-    family_name?: string;
-    picture?: string;
-    locale?: string;
-}
-/**
- * Google OAuth가 활성화되어 있는지 확인
- */
-declare function isGoogleOAuthEnabled(): boolean;
-/**
- * Google OAuth 설정 가져오기
- */
-declare function getGoogleOAuthConfig(): {
-    clientId: string;
-    clientSecret: string;
-    redirectUri: string;
-};
-/**
- * Google 로그인 URL 생성
- *
- * @param state - CSRF 방지용 state 파라미터 (암호화된 returnUrl + nonce 포함)
- * @param scopes - 요청할 OAuth scopes (기본: env 또는 email, profile)
- */
-declare function getGoogleAuthUrl(state: string, scopes?: string[]): string;
-/**
- * Authorization Code를 Token으로 교환
- *
- * @param code - Google에서 받은 authorization code
- */
-declare function exchangeCodeForTokens(code: string): Promise<GoogleTokenResponse>;
-/**
- * Access Token으로 Google 사용자 정보 조회
- *
- * @param accessToken - Google access token
- */
-declare function getGoogleUserInfo(accessToken: string): Promise<GoogleUserInfo>;
-/**
- * Refresh Token으로 새 Access Token 획득
- *
- * @param refreshToken - Google refresh token
- */
-declare function refreshAccessToken(refreshToken: string): Promise<GoogleTokenResponse>;
-/**
- * OAuth State Management
- *
- * CSRF 방지를 위한 state 파라미터 암호화/복호화
- * - returnUrl: OAuth 성공 후 리다이렉트할 URL
- * - nonce: CSRF 방지용 일회용 토큰
- * - provider: OAuth provider (google, github 등)
- * - publicKey, keyId, fingerprint, algorithm: 클라이언트 키 정보
- * - expiresAt: state 만료 시간
- */
-interface OAuthState {
-    returnUrl: string;
-    nonce: string;
-    provider: string;
-    publicKey: string;
-    keyId: string;
-    fingerprint: string;
-    algorithm: KeyAlgorithmType;
-    metadata?: Record<string, unknown>;
-}
-interface CreateOAuthStateParams {
-    provider: string;
-    returnUrl: string;
-    publicKey: string;
-    keyId: string;
-    fingerprint: string;
-    algorithm: KeyAlgorithmType;
-    metadata?: Record<string, unknown>;
-}
-/**
- * OAuth state 생성 및 암호화
- *
- * @param params - state 생성에 필요한 파라미터
- * @returns 암호화된 state 문자열
- */
-declare function createOAuthState(params: CreateOAuthStateParams): Promise<string>;
-/**
- * OAuth state 복호화 및 검증
- *
- * @param encryptedState - 암호화된 state 문자열
- * @returns 복호화된 state 객체
- * @throws Error if state is invalid or expired (JWE exp claim으로 자동 검증)
- */
-declare function verifyOAuthState(encryptedState: string): Promise<OAuthState>;
-/**
- * OAuth Provider 추상화
- *
- * Provider별로 하드코딩된 분기를 제거하기 위한 공통 인터페이스와 registry.
- * - 내장 provider(google)는 패키지 로드 시점에 자기 등록(dogfood)
- * - 외부 패키지(@superself/auth 등)는 registerOAuthProvider()로 런타임 등록
- *
- * @spfn/auth는 토큰 issuer가 아니라 소비(client) 측이므로,
- * 이 추상화는 "authorize URL 생성 → code 교환 → 사용자 정보 정규화"까지만 다룬다.
- */
-/**
- * Provider 사용자 정보를 공통 형태로 정규화한 신원
- *
- * provider별 응답 형태(snake_case 등)를 service에 노출하지 않기 위한 경계.
- */
-interface NormalizedIdentity {
-    providerUserId: string;
-    email: string | null;
-    emailVerified: boolean;
-    name?: string;
-    avatar?: string;
-}
-/**
- * 정규화된 OAuth 토큰 응답
- *
- * @property expiresIn - access token 만료까지 남은 초(seconds)
- */
-interface OAuthTokens {
-    accessToken: string;
-    refreshToken?: string;
-    expiresIn: number;
-}
-/**
- * OAuth provider 구현 인터페이스
- *
- * google, superself 등 모든 provider가 이 형태를 만족해야 registry에 등록된다.
- */
-interface OAuthProvider {
-    id: SocialProvider;
-    /**
-     * provider가 사용 가능한 상태인지(필수 env 등) 확인
-     */
-    isEnabled(): boolean;
-    /**
-     * provider 로그인 페이지로 보낼 authorization URL 생성
-     *
-     * @param state - CSRF 방지용 암호화 state
-     * @param scopes - 요청할 scope (미지정 시 provider 기본값)
-     */
-    getAuthUrl(state: string, scopes?: string[]): string;
-    /**
-     * authorization code를 토큰으로 교환
-     */
-    exchangeCodeForTokens(code: string): Promise<OAuthTokens>;
-    /**
-     * access token으로 사용자 정보를 조회하고 공통 형태로 정규화
-     */
-    getUserInfo(accessToken: string): Promise<NormalizedIdentity>;
-    /**
-     * refresh token으로 access token 갱신 (provider가 지원하는 경우)
-     *
-     * 저장된 provider 토큰을 이후 API 호출에 재사용할 때 사용한다.
-     * 미구현 provider는 갱신 불가로 간주한다.
-     */
-    refreshTokens?(refreshToken: string): Promise<OAuthTokens>;
-}
-/**
- * OAuth provider 등록 (public)
- *
- * 동일 id로 다시 등록하면 덮어쓴다(외부 패키지의 override 허용).
- */
-declare function registerOAuthProvider(provider: OAuthProvider): void;
-/**
- * 등록된 provider 조회. 미등록이면 undefined.
- */
-declare function getOAuthProvider(id: SocialProvider): OAuthProvider | undefined;
-/**
- * 등록된 모든 provider 목록
- */
-declare function getRegisteredProviders(): OAuthProvider[];
-/**
- * Google OAuthProvider 구현
- *
- * 기존 google.ts의 함수를 OAuthProvider 인터페이스로 래핑한다.
- * google.ts 자체는 그대로 유지(테스트·google 전용 route가 직접 의존).
- *
- * 이 모듈을 import 하는 것만으로 google provider가 registry에 자기 등록된다.
- */
-declare const googleProvider: OAuthProvider;
 /**
  * One-Time Token Manager
  *
@@ -5649,9 +5575,9 @@ declare const invitationCreatedEvent: _spfn_core_event.EventDef<{
     } | undefined;
     email: string;
     roleId: number;
+    expiresAt: string;
     token: string;
     invitedBy: string;
-    expiresAt: string;
     invitationId: string;
     isResend: boolean;
 }>;
@@ -5686,4 +5612,4 @@ type AuthRegisterPayload = typeof authRegisterEvent._payload;
 type InvitationCreatedPayload = typeof invitationCreatedEvent._payload;
 type InvitationAcceptedPayload = typeof invitationAcceptedEvent._payload;
-export { type AuthConfig, AuthContext, type AuthLifecycleConfig, type AuthLifecycleOptions, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type NormalizedIdentity, type OAuthProvider, type OAuthState, type OAuthTokens, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOAuthProvider, getOneTimeTokenManager, getOptionalAuth, getRegisteredProviders, getRole, getRoleByName, getRolePermissions, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, googleProvider, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initOneTimeTokenManager, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, oneTimeTokenAuth, parseDuration, permissions, permissionsRepository, refreshAccessToken, registerOAuthProvider, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, setRolePermissions, shouldRotateKey, socialAccountsRepository, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };
+export { type AuthConfig, AuthContext, type AuthLifecycleConfig, type AuthLifecycleOptions, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, OAuthProvider, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOneTimeTokenManager, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, googleProvider, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initOneTimeTokenManager, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, oneTimeTokenAuth, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, setRolePermissions, shouldRotateKey, socialAccountsRepository, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };