@spfn/auth 0.2.0-beta.62 → 0.2.0-beta.65

package/dist/server.js

@@ -6492,6 +6492,50 @@ var init_invitations_repository = __esm({
   }
 });
 
+// src/server/lib/oauth/token-cipher.ts
+import crypto3 from "crypto";
+import { env as env3 } from "@spfn/auth/config";
+function getTokenKey() {
+  return crypto3.createHash("sha256").update(`social-token:${env3.SPFN_AUTH_SESSION_SECRET}`).digest();
+}
+function isEncrypted(value) {
+  return value.startsWith(ENC_PREFIX);
+}
+function encryptToken(plain) {
+  if (isEncrypted(plain)) {
+    return plain;
+  }
+  const iv = crypto3.randomBytes(IV_BYTES);
+  const cipher = crypto3.createCipheriv("aes-256-gcm", getTokenKey(), iv);
+  const ciphertext = Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return ENC_PREFIX + Buffer.concat([iv, tag, ciphertext]).toString("base64");
+}
+function decryptToken(stored) {
+  if (!isEncrypted(stored)) {
+    return stored;
+  }
+  const packed = Buffer.from(stored.slice(ENC_PREFIX.length), "base64");
+  if (packed.length < IV_BYTES + TAG_BYTES) {
+    throw new Error("Malformed encrypted token: payload too short");
+  }
+  const iv = packed.subarray(0, IV_BYTES);
+  const tag = packed.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
+  const ciphertext = packed.subarray(IV_BYTES + TAG_BYTES);
+  const decipher = crypto3.createDecipheriv("aes-256-gcm", getTokenKey(), iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+}
+var ENC_PREFIX, IV_BYTES, TAG_BYTES;
+var init_token_cipher = __esm({
+  "src/server/lib/oauth/token-cipher.ts"() {
+    "use strict";
+    ENC_PREFIX = "enc:v1:";
+    IV_BYTES = 12;
+    TAG_BYTES = 16;
+  }
+});
+
 // src/server/repositories/social-accounts.repository.ts
 import { eq as eq10, and as and7 } from "drizzle-orm";
 import { BaseRepository as BaseRepository10 } from "@spfn/core/db";
@@ -6500,7 +6544,38 @@ var init_social_accounts_repository = __esm({
   "src/server/repositories/social-accounts.repository.ts"() {
     "use strict";
     init_entities();
+    init_token_cipher();
     SocialAccountsRepository = class extends BaseRepository10 {
+      /**
+       * 저장 row 의 토큰을 평문으로 복호화해 반환한다.
+       *
+       * 레거시 평문(마커 없음)이 감지되면 즉시 재암호화해 저장하는
+       * self-healing 마이그레이션을 수행한다. 호출자에게는 항상 평문이 반환되어
+       * 외부 API 계약(평문 토큰)이 유지된다.
+       */
+      async decryptAccount(account) {
+        if (!account) {
+          return account;
+        }
+        const heal = {};
+        if (account.accessToken && !isEncrypted(account.accessToken)) {
+          heal.accessToken = encryptToken(account.accessToken);
+        }
+        if (account.refreshToken && !isEncrypted(account.refreshToken)) {
+          heal.refreshToken = encryptToken(account.refreshToken);
+        }
+        if (heal.accessToken || heal.refreshToken) {
+          try {
+            await this.db.update(userSocialAccounts).set(heal).where(eq10(userSocialAccounts.id, account.id));
+          } catch {
+          }
+        }
+        return {
+          ...account,
+          accessToken: account.accessToken ? decryptToken(account.accessToken) : account.accessToken,
+          refreshToken: account.refreshToken ? decryptToken(account.refreshToken) : account.refreshToken
+        };
+      }
       /**
        * provider와 providerUserId로 소셜 계정 조회
        * Read replica 사용
@@ -6512,14 +6587,15 @@ var init_social_accounts_repository = __esm({
             eq10(userSocialAccounts.providerUserId, providerUserId)
           )
         ).limit(1);
-        return result[0] ?? null;
+        return this.decryptAccount(result[0] ?? null);
       }
       /**
        * userId로 모든 소셜 계정 조회
        * Read replica 사용
        */
       async findByUserId(userId) {
-        return await this.readDb.select().from(userSocialAccounts).where(eq10(userSocialAccounts.userId, userId));
+        const result = await this.readDb.select().from(userSocialAccounts).where(eq10(userSocialAccounts.userId, userId));
+        return Promise.all(result.map((account) => this.decryptAccount(account)));
       }
       /**
        * userId와 provider로 소셜 계정 조회
@@ -6532,18 +6608,21 @@ var init_social_accounts_repository = __esm({
             eq10(userSocialAccounts.provider, provider)
           )
         ).limit(1);
-        return result[0] ?? null;
+        return this.decryptAccount(result[0] ?? null);
       }
       /**
        * 소셜 계정 생성
        * Write primary 사용
        */
       async create(data) {
-        return await this._create(userSocialAccounts, {
+        const created = await this._create(userSocialAccounts, {
           ...data,
+          accessToken: data.accessToken ? encryptToken(data.accessToken) : data.accessToken,
+          refreshToken: data.refreshToken ? encryptToken(data.refreshToken) : data.refreshToken,
           createdAt: /* @__PURE__ */ new Date(),
           updatedAt: /* @__PURE__ */ new Date()
         });
+        return this.decryptAccount(created);
       }
       /**
        * 토큰 정보 업데이트
@@ -6552,9 +6631,11 @@ var init_social_accounts_repository = __esm({
       async updateTokens(id11, data) {
         const result = await this.db.update(userSocialAccounts).set({
           ...data,
+          accessToken: data.accessToken ? encryptToken(data.accessToken) : data.accessToken,
+          refreshToken: data.refreshToken ? encryptToken(data.refreshToken) : data.refreshToken,
           updatedAt: /* @__PURE__ */ new Date()
         }).where(eq10(userSocialAccounts.id, id11)).returning();
-        return result[0] ?? null;
+        return this.decryptAccount(result[0] ?? null);
       }
       /**
        * 소셜 계정 삭제
@@ -6921,7 +7002,7 @@ import {
 } from "@spfn/auth/errors";
 
 // src/server/services/verification.service.ts
-import { env as env3 } from "@spfn/auth/config";
+import { env as env4 } from "@spfn/auth/config";
 import { InvalidVerificationCodeError } from "@spfn/auth/errors";
 import jwt2 from "jsonwebtoken";
 import { sendEmail, sendSMS } from "@spfn/notification/server";
@@ -6989,7 +7070,7 @@ async function markCodeAsUsed(codeId) {
   await verificationCodesRepository.markAsUsed(codeId);
 }
 function createVerificationToken(payload) {
-  return jwt2.sign(payload, env3.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
+  return jwt2.sign(payload, env4.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
     expiresIn: VERIFICATION_TOKEN_EXPIRY,
     issuer: "spfn-auth",
     audience: "spfn-client"
@@ -6997,7 +7078,7 @@ function createVerificationToken(payload) {
 }
 function validateVerificationToken(token) {
   try {
-    const decoded = jwt2.verify(token, env3.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
+    const decoded = jwt2.verify(token, env4.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
       issuer: "spfn-auth",
       audience: "spfn-client"
     });
@@ -7142,7 +7223,7 @@ async function revokeKeyService(params) {
 init_repositories();
 import { ValidationError } from "@spfn/core/errors";
 import { ReservedUsernameError, UsernameAlreadyTakenError } from "@spfn/auth/errors";
-import { env as env4 } from "@spfn/auth/config";
+import { env as env5 } from "@spfn/auth/config";
 async function getUserByIdService(userId) {
   return await usersRepository.findById(userId);
 }
@@ -7159,7 +7240,7 @@ async function updateUserService(userId, updates) {
   await usersRepository.updateById(userId, updates);
 }
 function getReservedUsernames() {
-  const raw = env4.SPFN_AUTH_RESERVED_USERNAMES ?? "";
+  const raw = env5.SPFN_AUTH_RESERVED_USERNAMES ?? "";
   if (!raw) {
     return /* @__PURE__ */ new Set();
   }
@@ -7171,8 +7252,8 @@ function isReservedUsername(username) {
   return getReservedUsernames().has(username.toLowerCase());
 }
 function validateUsernameLength(username) {
-  const min = env4.SPFN_AUTH_USERNAME_MIN_LENGTH ?? 3;
-  const max = env4.SPFN_AUTH_USERNAME_MAX_LENGTH ?? 30;
+  const min = env5.SPFN_AUTH_USERNAME_MIN_LENGTH ?? 3;
+  const max = env5.SPFN_AUTH_USERNAME_MAX_LENGTH ?? 30;
   if (username.length < min) {
     throw new ValidationError({
       message: `Username must be at least ${min} characters`,
@@ -7428,7 +7509,7 @@ init_rbac();
 import { createHash } from "crypto";
 
 // src/server/lib/config.ts
-import { env as env5 } from "@spfn/auth/config";
+import { env as env6 } from "@spfn/auth/config";
 function getCookieSuffix() {
   const port = process.env.PORT;
   return port ? `_${port}` : "";
@@ -7490,7 +7571,7 @@ function getSessionTtl(override) {
   if (globalConfig.sessionTtl !== void 0) {
     return parseDuration(globalConfig.sessionTtl);
   }
-  const envTtl = env5.SPFN_AUTH_SESSION_TTL;
+  const envTtl = env6.SPFN_AUTH_SESSION_TTL;
   if (envTtl) {
     return parseDuration(envTtl);
   }
@@ -7706,9 +7787,9 @@ init_role_service();
 
 // src/server/services/invitation.service.ts
 init_repositories();
-import crypto3 from "crypto";
+import crypto4 from "crypto";
 function generateInvitationToken() {
-  return crypto3.randomUUID();
+  return crypto4.randomUUID();
 }
 function calculateExpiresAt(days = 7) {
   const expiresAt = /* @__PURE__ */ new Date();
@@ -8023,25 +8104,25 @@ async function updateUserProfileService(userId, params) {
 
 // src/server/services/oauth.service.ts
 init_repositories();
-import { env as env8 } from "@spfn/auth/config";
+import { env as env9 } from "@spfn/auth/config";
 import { ValidationError as ValidationError3 } from "@spfn/core/errors";
 
 // src/server/lib/oauth/google.ts
-import { env as env6 } from "@spfn/auth/config";
+import { env as env7 } from "@spfn/auth/config";
 var GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
 var GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";
 var GOOGLE_USERINFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo";
 function isGoogleOAuthEnabled() {
-  return !!(env6.SPFN_AUTH_GOOGLE_CLIENT_ID && env6.SPFN_AUTH_GOOGLE_CLIENT_SECRET);
+  return !!(env7.SPFN_AUTH_GOOGLE_CLIENT_ID && env7.SPFN_AUTH_GOOGLE_CLIENT_SECRET);
 }
 function getGoogleOAuthConfig() {
-  const clientId = env6.SPFN_AUTH_GOOGLE_CLIENT_ID;
-  const clientSecret = env6.SPFN_AUTH_GOOGLE_CLIENT_SECRET;
+  const clientId = env7.SPFN_AUTH_GOOGLE_CLIENT_ID;
+  const clientSecret = env7.SPFN_AUTH_GOOGLE_CLIENT_SECRET;
   if (!clientId || !clientSecret) {
     throw new Error("Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET.");
   }
-  const baseUrl = env6.NEXT_PUBLIC_SPFN_API_URL || env6.SPFN_API_URL;
-  const redirectUri = env6.SPFN_AUTH_GOOGLE_REDIRECT_URI || `${baseUrl}/_auth/oauth/google/callback`;
+  const baseUrl = env7.NEXT_PUBLIC_SPFN_API_URL || env7.SPFN_API_URL;
+  const redirectUri = env7.SPFN_AUTH_GOOGLE_REDIRECT_URI || `${baseUrl}/_auth/oauth/google/callback`;
   return {
     clientId,
     clientSecret,
@@ -8049,7 +8130,7 @@ function getGoogleOAuthConfig() {
   };
 }
 function getDefaultScopes() {
-  const envScopes = env6.SPFN_AUTH_GOOGLE_SCOPES;
+  const envScopes = env7.SPFN_AUTH_GOOGLE_SCOPES;
   if (envScopes) {
     return envScopes.split(",").map((s) => s.trim()).filter(Boolean);
   }
@@ -8127,9 +8208,9 @@ async function refreshAccessToken(refreshToken) {
 
 // src/server/lib/oauth/state.ts
 import * as jose from "jose";
-import { env as env7 } from "@spfn/auth/config";
+import { env as env8 } from "@spfn/auth/config";
 async function getStateKey() {
-  const secret = env7.SPFN_AUTH_SESSION_SECRET;
+  const secret = env8.SPFN_AUTH_SESSION_SECRET;
   const encoder = new TextEncoder();
   const data = encoder.encode(`oauth-state:${secret}`);
   const hashBuffer = await crypto.subtle.digest("SHA-256", data);
@@ -8282,8 +8363,8 @@ async function oauthCallbackService(params) {
     algorithm: stateData.algorithm
   });
   await updateLastLoginService(userId);
-  const appUrl = env8.NEXT_PUBLIC_SPFN_APP_URL || env8.SPFN_APP_URL;
-  const callbackPath = env8.SPFN_AUTH_OAUTH_SUCCESS_URL || "/auth/callback";
+  const appUrl = env9.NEXT_PUBLIC_SPFN_APP_URL || env9.SPFN_APP_URL;
+  const callbackPath = env9.SPFN_AUTH_OAUTH_SUCCESS_URL || "/auth/callback";
   const callbackUrl = callbackPath.startsWith("http") ? callbackPath : `${appUrl}${callbackPath}`;
   const redirectUrl = buildRedirectUrl(callbackUrl, {
     userId: String(userId),
@@ -8368,7 +8449,7 @@ function buildRedirectUrl(baseUrl, params) {
   return `${url.pathname}${url.search}`;
 }
 function buildOAuthErrorUrl(error) {
-  const errorUrl = env8.SPFN_AUTH_OAUTH_ERROR_URL || "/auth/error?error={error}";
+  const errorUrl = env9.SPFN_AUTH_OAUTH_ERROR_URL || "/auth/error?error={error}";
   return errorUrl.replace("{error}", encodeURIComponent(error));
 }
 function isOAuthProviderEnabled(provider) {
@@ -9158,7 +9239,13 @@ var userRouter = defineRouter3({
 init_esm();
 init_types();
 import { Transactional as Transactional2 } from "@spfn/core/db";
+import { ValidationError as ValidationError4 } from "@spfn/core/errors";
 import { defineRouter as defineRouter4, route as route4 } from "@spfn/core/route";
+var providerParams = Type.Object({
+  provider: Type.Union(SOCIAL_PROVIDERS.map((p) => Type.Literal(p)), {
+    description: "OAuth provider id (google, github, kakao, naver, superself)"
+  })
+});
 var oauthGoogleStart = route4.get("/_auth/oauth/google").input({
   query: Type.Object({
     state: Type.String({
@@ -9255,10 +9342,12 @@ var getGoogleOAuthUrl = route4.post("/_auth/oauth/google/url").input({
 }).skip(["auth"]).handler(async (c) => {
   const { body } = await c.data();
   if (!isGoogleOAuthEnabled()) {
-    throw new Error("Google OAuth is not configured");
+    throw new ValidationError4({ message: "Google OAuth is not configured" });
   }
   if (!body.state) {
-    throw new Error("OAuth state is required. Ensure the OAuth interceptor is configured.");
+    throw new ValidationError4({
+      message: "OAuth state is required. Ensure the OAuth interceptor is configured."
+    });
   }
   return { authUrl: getGoogleAuthUrl(body.state) };
 });
@@ -9277,13 +9366,88 @@ var oauthFinalize = route4.post("/_auth/oauth/finalize").input({
     returnUrl: body.returnUrl || "/"
   };
 });
+var oauthProviderStart = route4.get("/_auth/oauth/:provider").input({
+  params: providerParams,
+  query: Type.Object({
+    state: Type.String({
+      description: "Encrypted OAuth state (returnUrl, publicKey, keyId, fingerprint, algorithm)"
+    })
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { params, query } = await c.data();
+  const provider = getOAuthProvider(params.provider);
+  if (!provider?.isEnabled()) {
+    return c.redirect(buildOAuthErrorUrl(`OAuth provider '${params.provider}' is not configured`));
+  }
+  return c.redirect(provider.getAuthUrl(query.state));
+});
+var oauthProviderCallback = route4.get("/_auth/oauth/:provider/callback").input({
+  params: providerParams,
+  query: Type.Object({
+    code: Type.Optional(Type.String({
+      description: "Authorization code from provider"
+    })),
+    state: Type.Optional(Type.String({
+      description: "OAuth state parameter"
+    })),
+    error: Type.Optional(Type.String({
+      description: "Error code from provider"
+    })),
+    error_description: Type.Optional(Type.String({
+      description: "Error description from provider"
+    }))
+  })
+}).use([Transactional2()]).skip(["auth"]).handler(async (c) => {
+  const { params, query } = await c.data();
+  if (query.error) {
+    const errorMessage = query.error_description || query.error;
+    return c.redirect(buildOAuthErrorUrl(errorMessage));
+  }
+  if (!query.code || !query.state) {
+    return c.redirect(buildOAuthErrorUrl("Missing authorization code or state"));
+  }
+  try {
+    const result = await oauthCallbackService({
+      provider: params.provider,
+      code: query.code,
+      state: query.state
+    });
+    return c.redirect(result.redirectUrl);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "OAuth callback failed";
+    return c.redirect(buildOAuthErrorUrl(message));
+  }
+});
+var getProviderOAuthUrl = route4.post("/_auth/oauth/:provider/url").input({
+  params: providerParams,
+  body: Type.Object({
+    returnUrl: Type.Optional(Type.String({
+      description: "URL to redirect after OAuth success"
+    })),
+    state: Type.Optional(Type.String({
+      description: "Encrypted OAuth state (injected by interceptor)"
+    }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { params, body } = await c.data();
+  const provider = requireEnabledProvider(params.provider);
+  if (!body.state) {
+    throw new ValidationError4({
+      message: "OAuth state is required. Ensure the OAuth interceptor is configured."
+    });
+  }
+  return { authUrl: provider.getAuthUrl(body.state) };
+});
 var oauthRouter = defineRouter4({
   oauthGoogleStart,
   oauthGoogleCallback,
   oauthStart,
   oauthProviders,
   getGoogleOAuthUrl,
-  oauthFinalize
+  oauthFinalize,
+  oauthProviderStart,
+  oauthProviderCallback,
+  getProviderOAuthUrl
 });
 
 // src/server/routes/admin/index.ts
@@ -9403,6 +9567,9 @@ var mainAuthRouter = defineRouter5({
   oauthProviders,
   getGoogleOAuthUrl,
   oauthFinalize,
+  oauthProviderStart,
+  oauthProviderCallback,
+  getProviderOAuthUrl,
   // Invitation routes
   getInvitation,
   acceptInvitation: acceptInvitation2,
@@ -9432,11 +9599,11 @@ init_types();
 init_schema3();
 
 // src/server/lib/crypto.ts
-import crypto4 from "crypto";
+import crypto5 from "crypto";
 import jwt3 from "jsonwebtoken";
 function generateKeyPairES256() {
-  const keyId = crypto4.randomUUID();
-  const { privateKey, publicKey } = crypto4.generateKeyPairSync("ec", {
+  const keyId = crypto5.randomUUID();
+  const { privateKey, publicKey } = crypto5.generateKeyPairSync("ec", {
     namedCurve: "P-256",
     // ES256
     publicKeyEncoding: {
@@ -9450,7 +9617,7 @@ function generateKeyPairES256() {
   });
   const privateKeyB64 = privateKey.toString("base64");
   const publicKeyB64 = publicKey.toString("base64");
-  const fingerprint = crypto4.createHash("sha256").update(publicKey).digest("hex");
+  const fingerprint = crypto5.createHash("sha256").update(publicKey).digest("hex");
   return {
     privateKey: privateKeyB64,
     publicKey: publicKeyB64,
@@ -9460,8 +9627,8 @@ function generateKeyPairES256() {
   };
 }
 function generateKeyPairRS256() {
-  const keyId = crypto4.randomUUID();
-  const { privateKey, publicKey } = crypto4.generateKeyPairSync("rsa", {
+  const keyId = crypto5.randomUUID();
+  const { privateKey, publicKey } = crypto5.generateKeyPairSync("rsa", {
     modulusLength: 2048,
     publicKeyEncoding: {
       type: "spki",
@@ -9474,7 +9641,7 @@ function generateKeyPairRS256() {
   });
   const privateKeyB64 = privateKey.toString("base64");
   const publicKeyB64 = publicKey.toString("base64");
-  const fingerprint = crypto4.createHash("sha256").update(publicKey).digest("hex");
+  const fingerprint = crypto5.createHash("sha256").update(publicKey).digest("hex");
   return {
     privateKey: privateKeyB64,
     publicKey: publicKeyB64,
@@ -9489,7 +9656,7 @@ function generateKeyPair(algorithm = "ES256") {
 function generateClientToken(payload, privateKeyB64, algorithm, options) {
   try {
     const privateKeyDER = Buffer.from(privateKeyB64, "base64");
-    const privateKeyObject = crypto4.createPrivateKey({
+    const privateKeyObject = crypto5.createPrivateKey({
       key: privateKeyDER,
       format: "der",
       type: "pkcs8"
@@ -9533,10 +9700,10 @@ function shouldRotateKey(createdAt, rotationDays = 90) {
 
 // src/server/lib/session.ts
 import * as jose2 from "jose";
-import { env as env9 } from "@spfn/auth/config";
+import { env as env10 } from "@spfn/auth/config";
 import { env as coreEnv } from "@spfn/core/config";
 async function getSessionSecretKey() {
-  const secret = env9.SPFN_AUTH_SESSION_SECRET;
+  const secret = env10.SPFN_AUTH_SESSION_SECRET;
   const encoder = new TextEncoder();
   const data = encoder.encode(secret);
   const hashBuffer = await crypto.subtle.digest("SHA-256", data);
@@ -9618,14 +9785,14 @@ async function shouldRefreshSession(jwt4, thresholdHours = 24) {
 }
 
 // src/server/setup.ts
-import { env as env10 } from "@spfn/auth/config";
+import { env as env11 } from "@spfn/auth/config";
 import { getRoleByName as getRoleByName2 } from "@spfn/auth/server";
 init_repositories();
 function parseAdminAccounts() {
   const accounts = [];
-  if (env10.SPFN_AUTH_ADMIN_ACCOUNTS) {
+  if (env11.SPFN_AUTH_ADMIN_ACCOUNTS) {
     try {
-      const accountsJson = env10.SPFN_AUTH_ADMIN_ACCOUNTS;
+      const accountsJson = env11.SPFN_AUTH_ADMIN_ACCOUNTS;
       const parsed = JSON.parse(accountsJson);
       if (!Array.isArray(parsed)) {
         authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_ACCOUNTS must be an array");
@@ -9652,11 +9819,11 @@ function parseAdminAccounts() {
       return accounts;
     }
   }
-  const adminEmails = env10.SPFN_AUTH_ADMIN_EMAILS;
+  const adminEmails = env11.SPFN_AUTH_ADMIN_EMAILS;
   if (adminEmails) {
     const emails = adminEmails.split(",").map((s) => s.trim());
-    const passwords = (env10.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
-    const roles2 = (env10.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
+    const passwords = (env11.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
+    const roles2 = (env11.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
     if (passwords.length !== emails.length) {
       authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_EMAILS and SPFN_AUTH_ADMIN_PASSWORDS length mismatch");
       return accounts;
@@ -9678,8 +9845,8 @@ function parseAdminAccounts() {
     }
     return accounts;
   }
-  const adminEmail = env10.SPFN_AUTH_ADMIN_EMAIL;
-  const adminPassword = env10.SPFN_AUTH_ADMIN_PASSWORD;
+  const adminEmail = env11.SPFN_AUTH_ADMIN_EMAIL;
+  const adminPassword = env11.SPFN_AUTH_ADMIN_PASSWORD;
   if (adminEmail && adminPassword) {
     accounts.push({
       email: adminEmail,
@@ -9876,6 +10043,7 @@ export {
   registerService,
   removePermissionFromRole,
   requireAnyPermission,
+  requireEnabledProvider,
   requirePermissions,
   requireRole,
   resendInvitation,