npm - @spfn/auth - Versions diffs - 0.2.0-beta.65 → 0.2.0-beta.67 - Mend

@spfn/auth 0.2.0-beta.65 → 0.2.0-beta.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/LICENSE +1 -1
package/README.md +321 -2534
package/dist/{authenticate-mfVRzeIK.d.ts → authenticate-Cn5krz5U.d.ts} +82 -10
package/dist/config.d.ts +39 -3
package/dist/config.js +25 -0
package/dist/config.js.map +1 -1
package/dist/errors.d.ts +16 -2
package/dist/errors.js +9 -0
package/dist/errors.js.map +1 -1
package/dist/index.d.ts +26 -9
package/dist/index.js +9 -1
package/dist/index.js.map +1 -1
package/dist/nextjs/api.js.map +1 -1
package/dist/nextjs/server.d.ts +2 -2
package/dist/nextjs/server.js.map +1 -1
package/dist/server.d.ts +112 -72
package/dist/server.js +241 -31
package/dist/server.js.map +1 -1
package/dist/{session-2CyIVxMY.d.ts → session-s_hiXmXC.d.ts} +1 -1
package/dist/{types-B4auHIax.d.ts → types-BtksCI9X.d.ts} +1 -1
package/package.json +8 -5

package/dist/server.d.ts CHANGED Viewed

@@ -1,14 +1,15 @@
-import { i as AuthInitOptions, j as OAuthProvider, d as VerificationPurpose, h as PermissionCategory, k as AuthContext } from './authenticate-mfVRzeIK.js';
-export { v as ChangePasswordParams, q as CheckAccountExistsParams, C as CheckAccountExistsResult, a3 as EmailSchema, I as IssueOneTimeTokenResult, t as LoginParams, L as LoginResult, u as LogoutParams, a8 as NormalizedIdentity, $ as OAuthCallbackParams, a0 as OAuthCallbackResult, _ as OAuthStartParams, O as OAuthStartResult, a9 as OAuthTokens, a5 as PasswordSchema, a4 as PhoneSchema, s as RegisterParams, G as RegisterPublicKeyParams, a as RegisterResult, J as RevokeKeyParams, H as RotateKeyParams, b as RotateKeyResult, y as SendVerificationCodeParams, S as SendVerificationCodeResult, a6 as TargetTypeSchema, f as VERIFICATION_PURPOSES, e as VERIFICATION_TARGET_TYPES, a7 as VerificationPurposeSchema, V as VerificationTargetType, z as VerifyCodeParams, B as VerifyCodeResult, m as authRouter, a1 as authenticate, T as buildOAuthErrorUrl, p as changePasswordService, l as checkAccountExistsService, Y as getEnabledOAuthProviders, Z as getGoogleAccessToken, ab as getOAuthProvider, ac as getRegisteredProviders, W as isOAuthProviderEnabled, K as issueOneTimeTokenService, n as loginService, o as logoutService, Q as oauthCallbackService, N as oauthStartService, a2 as optionalAuth, aa as registerOAuthProvider, D as registerPublicKeyService, r as registerService, X as requireEnabledProvider, F as revokeKeyService, E as rotateKeyService, w as sendVerificationCodeService, x as verifyCodeService, M as verifyOneTimeTokenService } from './authenticate-mfVRzeIK.js';
+import { j as AuthInitOptions, k as OAuthProvider, e as VerificationPurpose, i as PermissionCategory, l as AuthContext } from './authenticate-Cn5krz5U.js';
+export { w as ChangePasswordParams, s as CheckAccountExistsParams, C as CheckAccountExistsResult, a6 as EmailSchema, I as IssueOneTimeTokenResult, u as LoginParams, L as LoginResult, v as LogoutParams, ad as NativeVerifyOptions, ab as NormalizedIdentity, a0 as OAuthCallbackParams, a1 as OAuthCallbackResult, a3 as OAuthNativeParams, c as OAuthNativeResult, $ as OAuthStartParams, O as OAuthStartResult, ac as OAuthTokens, a8 as PasswordSchema, a7 as PhoneSchema, t as RegisterParams, H as RegisterPublicKeyParams, a as RegisterResult, K as RevokeKeyParams, J as RotateKeyParams, b as RotateKeyResult, z as SendVerificationCodeParams, S as SendVerificationCodeResult, a9 as TargetTypeSchema, g as VERIFICATION_PURPOSES, f as VERIFICATION_TARGET_TYPES, aa as VerificationPurposeSchema, V as VerificationTargetType, B as VerifyCodeParams, D as VerifyCodeResult, m as authRouter, a4 as authenticate, W as buildOAuthErrorUrl, q as changePasswordService, n as checkAccountExistsService, Z as getEnabledOAuthProviders, _ as getGoogleAccessToken, af as getOAuthProvider, ag as getRegisteredProviders, X as isOAuthProviderEnabled, M as issueOneTimeTokenService, o as loginService, p as logoutService, T as oauthCallbackService, a2 as oauthNativeService, Q as oauthStartService, a5 as optionalAuth, ae as registerOAuthProvider, E as registerPublicKeyService, r as registerService, Y as requireEnabledProvider, G as revokeKeyService, F as rotateKeyService, x as sendVerificationCodeService, y as verifyCodeService, N as verifyOneTimeTokenService } from './authenticate-Cn5krz5U.js';
 import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
-import { K as KeyAlgorithmType, b as InvitationStatus, d as SocialProvider } from './types-B4auHIax.js';
-export { I as INVITATION_STATUSES, a as KEY_ALGORITHM, S as SOCIAL_PROVIDERS, U as USER_STATUSES, c as UserStatus } from './types-B4auHIax.js';
+import { K as KeyAlgorithmType, b as InvitationStatus, d as SocialProvider } from './types-BtksCI9X.js';
+export { I as INVITATION_STATUSES, a as KEY_ALGORITHM, S as SOCIAL_PROVIDERS, U as USER_STATUSES, c as UserStatus } from './types-BtksCI9X.js';
 import { UserProfile as UserProfile$1, ProfileInfo } from '@spfn/auth';
 import { BaseRepository } from '@spfn/core/db';
 import { Context } from 'hono';
 import * as _spfn_core_route from '@spfn/core/route';
 import { Algorithm } from 'jsonwebtoken';
-export { S as SessionData, g as getSessionInfo, s as sealSession, a as shouldRefreshSession, u as unsealSession } from './session-2CyIVxMY.js';
+export { S as SessionData, g as getSessionInfo, s as sealSession, a as shouldRefreshSession, u as unsealSession } from './session-s_hiXmXC.js';
+import { JWTPayload } from 'jose';
 import { SSETokenStore, SSETokenManager } from '@spfn/core/event/sse';
 import * as _spfn_core_logger from '@spfn/core/logger';
 import * as _spfn_core_event from '@spfn/core/event';
@@ -1333,7 +1334,7 @@ declare function getAuthSessionService(userId: string | number | bigint): Promis
         id: number;
         name: string;
         displayName: string;
-        category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
+        category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
     }[];
     userId: number;
     publicId: string;
@@ -1526,6 +1527,31 @@ declare function createOAuthState(params: CreateOAuthStateParams): Promise<strin
  */
 declare function verifyOAuthState(encryptedState: string): Promise<OAuthState>;
+/**
+ * 소셜 provider id_token JWKS 검증
+ *
+ * 네이티브/웹 SDK가 받은 id_token을 provider의 공개키(JWKS)로 검증한다.
+ * authorization code 교환이 없으므로 client secret을 쓰지 않는다.
+ * 서명·issuer·audience·만료는 jose가, nonce는 여기서 직접 대조한다.
+ */
+interface VerifyIdTokenParams {
+    idToken: string;
+    jwksUri: string;
+    issuer: string | string[];
+    audiences: string[];
+    /** 허용 서명 알고리즘 화이트리스트(alg confusion 방어). Google/Apple은 'RS256'. */
+    algorithms: string[];
+    /** id_token의 nonce claim과 정확히 일치해야 하는 값(provider별로 raw 또는 SHA-256 해시). */
+    expectedNonce: string;
+}
+/**
+ * id_token을 검증하고 claims(payload)를 반환한다.
+ *
+ * @throws InvalidSocialTokenError 서명/issuer/audience/만료/알고리즘/nonce/sub 검증 실패 시
+ */
+declare function verifyIdToken(params: VerifyIdTokenParams): Promise<JWTPayload>;
 /**
  * Google OAuthProvider 구현
  *
@@ -1537,6 +1563,20 @@ declare function verifyOAuthState(encryptedState: string): Promise<OAuthState>;
 declare const googleProvider: OAuthProvider;
+/**
+ * Apple OAuthProvider 구현 (native id_token 검증 전용)
+ *
+ * Apple은 Android·웹에 네이티브 SDK를 제공하지 않으므로, web 흐름(Sign in with Apple JS,
+ * Android Custom Tab)도 결국 id_token을 클라이언트가 받아 서버로 보낸다. 서버는 그 id_token을
+ * Apple JWKS로 검증만 한다(authorization code 교환·client secret 없음).
+ *
+ * 따라서 web 메서드(getAuthUrl/exchangeCodeForTokens/getUserInfo)는 지원하지 않는다.
+ *
+ * 이 모듈을 import 하는 것만으로 apple provider가 registry에 자기 등록된다.
+ */
+declare const appleProvider: OAuthProvider;
 /**
  * @spfn/auth - Database Schema Definition
  *
@@ -2184,14 +2224,14 @@ declare const userSocialAccounts: drizzle_orm_pg_core.PgTableWithColumns<{
             tableName: "user_social_accounts";
             dataType: "string";
             columnType: "PgText";
-            data: "google" | "github" | "kakao" | "naver" | "superself";
+            data: "google" | "apple" | "github" | "kakao" | "naver" | "superself";
             driverParam: string;
             notNull: true;
             hasDefault: false;
             isPrimaryKey: false;
             isAutoincrement: false;
             hasRuntimeDefault: false;
-            enumValues: ["google", "github", "kakao", "naver", "superself"] & [string, ...string[]];
+            enumValues: ["google", "apple", "github", "kakao", "naver", "superself"] & [string, ...string[]];
             baseColumn: never;
             identity: undefined;
             generated: undefined;
@@ -2595,7 +2635,7 @@ declare const permissions: drizzle_orm_pg_core.PgTableWithColumns<{
             tableName: "permissions";
             dataType: "string";
             columnType: "PgText";
-            data: "custom" | "user" | "auth" | "rbac" | "system";
+            data: "auth" | "custom" | "user" | "rbac" | "system";
             driverParam: string;
             notNull: false;
             hasDefault: false;
@@ -3186,17 +3226,17 @@ declare class UsersRepository extends BaseRepository {
      * Write primary 사용
      */
     create(data: NewUser): Promise<{
-        username: string | null;
-        status: "active" | "inactive" | "suspended";
         email: string | null;
         phone: string | null;
         id: number;
-        createdAt: Date;
-        updatedAt: Date;
         publicId: string;
+        username: string | null;
         passwordHash: string | null;
         passwordChangeRequired: boolean;
         roleId: number;
+        createdAt: Date;
+        updatedAt: Date;
+        status: "active" | "inactive" | "suspended";
         emailVerifiedAt: Date | null;
         phoneVerifiedAt: Date | null;
         lastLoginAt: Date | null;
@@ -3266,17 +3306,17 @@ declare class UsersRepository extends BaseRepository {
      * Write primary 사용
      */
     deleteById(id: number): Promise<{
-        username: string | null;
-        status: "active" | "inactive" | "suspended";
         email: string | null;
         phone: string | null;
         id: number;
-        createdAt: Date;
-        updatedAt: Date;
         publicId: string;
+        username: string | null;
         passwordHash: string | null;
         passwordChangeRequired: boolean;
         roleId: number;
+        createdAt: Date;
+        updatedAt: Date;
+        status: "active" | "inactive" | "suspended";
         emailVerifiedAt: Date | null;
         phoneVerifiedAt: Date | null;
         lastLoginAt: Date | null;
@@ -3299,7 +3339,7 @@ declare class UsersRepository extends BaseRepository {
             id: number;
             name: string;
             displayName: string;
-            category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
+            category: "auth" | "custom" | "user" | "rbac" | "system" | undefined;
         }[];
     }>;
     /**
@@ -3414,16 +3454,16 @@ declare class KeysRepository extends BaseRepository {
      * Write primary 사용
      */
     create(data: NewUserPublicKey): Promise<{
-        userId: number;
+        publicKey: string;
         keyId: string;
+        fingerprint: string;
+        algorithm: "ES256" | "RS256";
+        userId: number;
         id: number;
         isActive: boolean;
         createdAt: Date;
-        publicKey: string;
-        algorithm: "ES256" | "RS256";
-        fingerprint: string;
-        lastUsedAt: Date | null;
         expiresAt: Date | null;
+        lastUsedAt: Date | null;
         revokedAt: Date | null;
         revokedReason: string | null;
     }>;
@@ -3450,16 +3490,16 @@ declare class KeysRepository extends BaseRepository {
      * Write primary 사용
      */
     deleteByKeyIdAndUserId(keyId: string, userId: number): Promise<{
-        userId: number;
+        publicKey: string;
         keyId: string;
+        fingerprint: string;
+        algorithm: "ES256" | "RS256";
+        userId: number;
         id: number;
         isActive: boolean;
         createdAt: Date;
-        publicKey: string;
-        algorithm: "ES256" | "RS256";
-        fingerprint: string;
-        lastUsedAt: Date | null;
         expiresAt: Date | null;
+        lastUsedAt: Date | null;
         revokedAt: Date | null;
         revokedReason: string | null;
     }>;
@@ -3574,14 +3614,14 @@ declare class VerificationCodesRepository extends BaseRepository {
      * Write primary 사용
      */
     create(data: NewVerificationCode): Promise<{
+        target: string;
+        targetType: "email" | "phone";
+        purpose: "registration" | "login" | "password_reset" | "email_change" | "phone_change";
+        code: string;
         id: number;
         createdAt: Date;
         updatedAt: Date;
         expiresAt: Date;
-        target: string;
-        targetType: "email" | "phone";
-        code: string;
-        purpose: "registration" | "login" | "password_reset" | "email_change" | "phone_change";
         usedAt: Date | null;
         attempts: number;
     }>;
@@ -3770,7 +3810,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
+        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3786,7 +3826,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
+        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3826,7 +3866,7 @@ declare class PermissionsRepository extends BaseRepository {
         name: string;
         displayName: string;
         description: string | null;
-        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
+        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
         isBuiltin: boolean;
         isSystem: boolean;
         isActive: boolean;
@@ -3837,6 +3877,7 @@ declare class PermissionsRepository extends BaseRepository {
      */
     deleteById(id: number): Promise<{
         description: string | null;
+        metadata: Record<string, any> | null;
         id: number;
         name: string;
         displayName: string;
@@ -3845,8 +3886,7 @@ declare class PermissionsRepository extends BaseRepository {
         isActive: boolean;
         createdAt: Date;
         updatedAt: Date;
-        metadata: Record<string, any> | null;
-        category: "custom" | "user" | "auth" | "rbac" | "system" | null;
+        category: "auth" | "custom" | "user" | "rbac" | "system" | null;
     }>;
 }
 declare const permissionsRepository: PermissionsRepository;
@@ -3891,9 +3931,9 @@ declare class RolePermissionsRepository extends BaseRepository {
      */
     createMany(data: NewRolePermission[]): Promise<{
         id: number;
+        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        roleId: number;
         permissionId: number;
     }[]>;
     /**
@@ -3909,9 +3949,9 @@ declare class RolePermissionsRepository extends BaseRepository {
      */
     setPermissionsForRole(roleId: number, permissionIds: number[]): Promise<{
         id: number;
+        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        roleId: number;
         permissionId: number;
     }[]>;
 }
@@ -3976,10 +4016,10 @@ declare class UserPermissionsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        expiresAt: Date | null;
         permissionId: number;
-        granted: boolean;
+        expiresAt: Date | null;
         reason: string | null;
+        granted: boolean;
     }>;
     /**
      * 사용자 권한 오버라이드 업데이트
@@ -4002,10 +4042,10 @@ declare class UserPermissionsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        expiresAt: Date | null;
         permissionId: number;
-        granted: boolean;
+        expiresAt: Date | null;
         reason: string | null;
+        granted: boolean;
     }>;
     /**
      * 사용자의 모든 권한 오버라이드 삭제
@@ -4083,6 +4123,7 @@ declare class UserProfilesRepository extends BaseRepository {
      * 프로필 생성
      */
     create(data: NewUserProfile): Promise<{
+        metadata: Record<string, any> | null;
         userId: number;
         id: number;
         displayName: string | null;
@@ -4100,7 +4141,6 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
-        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 업데이트 (by ID)
@@ -4152,6 +4192,7 @@ declare class UserProfilesRepository extends BaseRepository {
      * 프로필 삭제 (by ID)
      */
     deleteById(id: number): Promise<{
+        metadata: Record<string, any> | null;
         userId: number;
         id: number;
         displayName: string | null;
@@ -4169,12 +4210,12 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
-        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 삭제 (by User ID)
      */
     deleteByUserId(userId: number): Promise<{
+        metadata: Record<string, any> | null;
         userId: number;
         id: number;
         displayName: string | null;
@@ -4192,7 +4233,6 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
-        metadata: Record<string, any> | null;
     }>;
     /**
      * 프로필 Upsert (by User ID)
@@ -4201,6 +4241,7 @@ declare class UserProfilesRepository extends BaseRepository {
      * 새로 생성 시 displayName은 필수 (없으면 'User'로 설정)
      */
     upsertByUserId(userId: number, data: Partial<Omit<NewUserProfile, 'userId'>>): Promise<{
+        metadata: Record<string, any> | null;
         userId: number;
         id: number;
         displayName: string | null;
@@ -4218,7 +4259,6 @@ declare class UserProfilesRepository extends BaseRepository {
         location: string | null;
         company: string | null;
         jobTitle: string | null;
-        metadata: Record<string, any> | null;
     }>;
     /**
      * User ID로 프로필 데이터 조회 (formatted)
@@ -4345,16 +4385,16 @@ declare class InvitationsRepository extends BaseRepository {
      * 초대 생성
      */
     create(data: NewInvitation): Promise<{
-        status: "pending" | "accepted" | "expired" | "cancelled";
         email: string;
+        metadata: Record<string, any> | null;
         id: number;
+        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        roleId: number;
-        metadata: Record<string, any> | null;
-        expiresAt: Date;
+        status: "pending" | "accepted" | "expired" | "cancelled";
         token: string;
         invitedBy: number;
+        expiresAt: Date;
         acceptedAt: Date | null;
         cancelledAt: Date | null;
     }>;
@@ -4379,16 +4419,16 @@ declare class InvitationsRepository extends BaseRepository {
      * 초대 삭제
      */
     deleteById(id: number): Promise<{
-        status: "pending" | "accepted" | "expired" | "cancelled";
         email: string;
+        metadata: Record<string, any> | null;
         id: number;
+        roleId: number;
         createdAt: Date;
         updatedAt: Date;
-        roleId: number;
-        metadata: Record<string, any> | null;
-        expiresAt: Date;
+        status: "pending" | "accepted" | "expired" | "cancelled";
         token: string;
         invitedBy: number;
+        expiresAt: Date;
         acceptedAt: Date | null;
         cancelledAt: Date | null;
     }>;
@@ -4543,7 +4583,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        provider: "google" | "github" | "kakao" | "naver" | "superself";
+        provider: "google" | "apple" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         tokenExpiresAt: Date | null;
@@ -4559,7 +4599,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        provider: "google" | "github" | "kakao" | "naver" | "superself";
+        provider: "google" | "apple" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         tokenExpiresAt: Date | null;
@@ -4575,7 +4615,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        provider: "google" | "github" | "kakao" | "naver" | "superself";
+        provider: "google" | "apple" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         tokenExpiresAt: Date | null;
@@ -4591,7 +4631,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        provider: "google" | "github" | "kakao" | "naver" | "superself";
+        provider: "google" | "apple" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         tokenExpiresAt: Date | null;
@@ -4611,7 +4651,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        provider: "google" | "github" | "kakao" | "naver" | "superself";
+        provider: "google" | "apple" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         tokenExpiresAt: Date | null;
@@ -4625,7 +4665,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        provider: "google" | "github" | "kakao" | "naver" | "superself";
+        provider: "google" | "apple" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         accessToken: string | null;
@@ -4641,7 +4681,7 @@ declare class SocialAccountsRepository extends BaseRepository {
         id: number;
         createdAt: Date;
         updatedAt: Date;
-        provider: "google" | "github" | "kakao" | "naver" | "superself";
+        provider: "google" | "apple" | "github" | "kakao" | "naver" | "superself";
         providerUserId: string;
         providerEmail: string | null;
         accessToken: string | null;
@@ -5103,17 +5143,17 @@ declare function getOptionalAuth(c: Context | {
 declare function getUser(c: Context | {
     raw: Context;
 }): {
-    username: string | null;
-    status: "active" | "inactive" | "suspended";
     email: string | null;
     phone: string | null;
     id: number;
-    createdAt: Date;
-    updatedAt: Date;
     publicId: string;
+    username: string | null;
     passwordHash: string | null;
     passwordChangeRequired: boolean;
     roleId: number;
+    createdAt: Date;
+    updatedAt: Date;
+    status: "active" | "inactive" | "suspended";
     emailVerifiedAt: Date | null;
     phoneVerifiedAt: Date | null;
     lastLoginAt: Date | null;
@@ -5190,7 +5230,7 @@ declare function getKeyId(c: Context | {
  * - RS256 (RSA 2048):   ~294 bytes (Base64: ~392 chars)
  */
-type Unit = "Years" | "Year" | "Yrs" | "Yr" | "Y" | "Weeks" | "Week" | "W" | "Days" | "Day" | "D" | "Hours" | "Hour" | "Hrs" | "Hr" | "H" | "Minutes" | "Minute" | "Mins" | "Min" | "M" | "Seconds" | "Second" | "Secs" | "Sec" | "s" | "Milliseconds" | "Millisecond" | "Msecs" | "Msec" | "Ms";
+type Unit = 'Years' | 'Year' | 'Yrs' | 'Yr' | 'Y' | 'Weeks' | 'Week' | 'W' | 'Days' | 'Day' | 'D' | 'Hours' | 'Hour' | 'Hrs' | 'Hr' | 'H' | 'Minutes' | 'Minute' | 'Mins' | 'Min' | 'M' | 'Seconds' | 'Second' | 'Secs' | 'Sec' | 's' | 'Milliseconds' | 'Millisecond' | 'Msecs' | 'Msec' | 'Ms';
 type UnitAnyCase = Unit | Uppercase<Unit> | Lowercase<Unit>;
 type StringValue = `${number}` | `${number}${UnitAnyCase}` | `${number} ${UnitAnyCase}`;
 interface KeyPair {
@@ -5505,7 +5545,7 @@ declare function createAuthLifecycle(options?: AuthLifecycleOptions): AuthLifecy
  *
  * 직접 인증(email/phone) + 등록 가능한 모든 소셜 provider(SOCIAL_PROVIDERS).
  */
-declare const AuthProviderSchema: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">, ..._sinclair_typebox.TLiteral<"google" | "github" | "kakao" | "naver" | "superself">[]]>;
+declare const AuthProviderSchema: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"email">, _sinclair_typebox.TLiteral<"phone">, ..._sinclair_typebox.TLiteral<"google" | "apple" | "github" | "kakao" | "naver" | "superself">[]]>;
 /**
  * auth.login - 로그인 성공 이벤트
  *
@@ -5524,7 +5564,7 @@ declare const authLoginEvent: _spfn_core_event.EventDef<{
     email?: string | undefined;
     phone?: string | undefined;
     userId: string;
-    provider: "email" | "phone" | "google" | "github" | "kakao" | "naver" | "superself";
+    provider: "email" | "phone" | "google" | "apple" | "github" | "kakao" | "naver" | "superself";
 }>;
 /**
  * auth.register - 회원가입 성공 이벤트
@@ -5547,7 +5587,7 @@ declare const authRegisterEvent: _spfn_core_event.EventDef<{
         [x: string]: unknown;
     } | undefined;
     userId: string;
-    provider: "email" | "phone" | "google" | "github" | "kakao" | "naver" | "superself";
+    provider: "email" | "phone" | "google" | "apple" | "github" | "kakao" | "naver" | "superself";
 }>;
 /**
  * auth.invitation.created - 초대 생성 이벤트
@@ -5575,9 +5615,9 @@ declare const invitationCreatedEvent: _spfn_core_event.EventDef<{
     } | undefined;
     email: string;
     roleId: number;
-    expiresAt: string;
     token: string;
     invitedBy: string;
+    expiresAt: string;
     invitationId: string;
     isResend: boolean;
 }>;
@@ -5612,4 +5652,4 @@ type AuthRegisterPayload = typeof authRegisterEvent._payload;
 type InvitationCreatedPayload = typeof invitationCreatedEvent._payload;
 type InvitationAcceptedPayload = typeof invitationAcceptedEvent._payload;
-export { type AuthConfig, AuthContext, type AuthLifecycleConfig, type AuthLifecycleOptions, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, OAuthProvider, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOneTimeTokenManager, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, googleProvider, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initOneTimeTokenManager, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, oneTimeTokenAuth, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, setRolePermissions, shouldRotateKey, socialAccountsRepository, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };
+export { type AuthConfig, AuthContext, type AuthLifecycleConfig, type AuthLifecycleOptions, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, OAuthProvider, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, type VerifyIdTokenParams, acceptInvitation, addPermissionToRole, appleProvider, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOneTimeTokenManager, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, googleProvider, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initOneTimeTokenManager, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, oneTimeTokenAuth, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, setRolePermissions, shouldRotateKey, socialAccountsRepository, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyIdToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };