@spfn/auth 0.2.0-beta.66 → 0.2.0-beta.68

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 INFLIKE Inc.
+Copyright (c) 2025 FXY Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -79,10 +79,11 @@ Import it for its side-effect (it self-registers); it must run before the proxy
 ```typescript
 // app/api/rpc/[routeName]/route.ts
 import '@spfn/auth/nextjs/api';        // side-effect: registers auth interceptors
-import { appRouter } from '@/server/router';
 import { createRpcProxy } from '@spfn/core/nextjs/server';
+import { authRouteMap } from '@spfn/auth';
+import { routeMap } from '@/generated/route-map';
 
-export const { GET, POST } = createRpcProxy({ router: appRouter });
+export const { GET, POST } = createRpcProxy({ routeMap: { ...routeMap, ...authRouteMap } });
 ```
 
 ### 4. Run migrations
@@ -119,13 +120,15 @@ real secret values out of band, never commit them.
 | `SPFN_AUTH_GOOGLE_CLIENT_ID` / `_CLIENT_SECRET` | `.env.server` | — | enables Google OAuth when both set |
 | `SPFN_AUTH_GOOGLE_SCOPES` | `.env.server` | — | comma-separated; default `email,profile` |
 | `SPFN_AUTH_GOOGLE_REDIRECT_URI` | `.env.server` | — | default `{NEXT_PUBLIC_SPFN_API_URL\|\|SPFN_API_URL}/_auth/oauth/google/callback` |
+| `SPFN_AUTH_GOOGLE_NATIVE_CLIENT_IDS` | `.env.server` | — | comma-separated client IDs accepted as native id_token audience (iOS/Android/web); enables Google native sign-in |
+| `SPFN_AUTH_APPLE_CLIENT_IDS` | `.env.server` | — | comma-separated Apple client IDs (bundle ID / Services ID); enables Apple native sign-in |
 | `SPFN_AUTH_OAUTH_SUCCESS_URL` | `.env.server` | — | default `/auth/callback` |
 | `SPFN_AUTH_OAUTH_ERROR_URL` | `.env.server` | — | default `/auth/error?error={error}` |
 | `SPFN_AUTH_RESERVED_USERNAMES` / `_USERNAME_MIN_LENGTH` / `_USERNAME_MAX_LENGTH` | `.env.server` | — | username rules |
 | `NEXT_PUBLIC_SPFN_API_URL` / `NEXT_PUBLIC_SPFN_APP_URL` | `.env.local` | — | browser-facing URLs for OAuth redirects |
 
 Read validated values via `import { env } from '@spfn/auth/config'` (a proxy validated at
-startup). `envSchema` (also exported as `authEnvSchema`) carries descriptions/defaults.
+startup). `envSchema` carries descriptions/defaults.
 
 ### Admin seeding
 
@@ -229,9 +232,36 @@ plus the provider-generic `POST /_auth/oauth/start`. `getGoogleAccessToken(userI
 valid Google access token (auto-refreshing via stored refresh token when near expiry; throws if
 no Google account is linked or no refresh token is available).
 
+### Native social sign-in (mobile / web id_token)
+
+For native apps — and for Apple on Android/web, which has no native SDK — the client obtains an
+`id_token` from the platform SDK and posts it to **`POST /_auth/oauth/:provider/native`**. No
+authorization code, no client secret: the server verifies the id_token against the provider's
+JWKS (signature, issuer, audience, expiry, nonce), links/creates the user, and **registers the
+client's public key**. It returns `{ userId, keyId, isNewUser }` — *not* a token. The client mints
+its own Bearer client token by signing with the on-device private key (the same client-signs /
+server-verifies model as the rest of auth).
+
+Enable per provider by declaring the accepted audiences: `SPFN_AUTH_GOOGLE_NATIVE_CLIENT_IDS` for
+Google (the web `SPFN_AUTH_GOOGLE_CLIENT_ID` is also accepted) and `SPFN_AUTH_APPLE_CLIENT_IDS` for
+Apple. Apple is native-only here — its web OAuth (code-exchange) methods throw.
+
+```typescript
+await authApi.oauthNative.call({
+    params: { provider: 'apple' },                 // or 'google'
+    body: { idToken, nonce, publicKey, keyId, fingerprint, algorithm: 'ES256', profile: { name } },
+});
+// → { userId, keyId, isNewUser }; client then signs its own ES256 Bearer token with keyId
+```
+
+The `nonce` is the **raw** nonce the client used; Apple hashes it (SHA-256) into the token, so send
+the raw value for either provider. `profile.name` captures the name Apple returns only on first
+sign-in. Trade-off: skipping code exchange means no Apple refresh token / server-side revoke —
+revoke SPFN access by revoking the registered key instead.
+
 ### Custom providers
 
-Implement `OAuthProvider` and register it. `SOCIAL_PROVIDERS` is `['google','github','kakao','naver','superself']`.
+Implement `OAuthProvider` and register it. `SOCIAL_PROVIDERS` is `['google','apple','github','kakao','naver','superself']`. Implement the optional `verifyNativeIdToken(idToken, { nonce })` to support native id_token sign-in.
 
 ```typescript
 import {
@@ -392,9 +422,10 @@ export type AppRouter = typeof appRouter;
 
 // app/api/rpc/[routeName]/route.ts
 import '@spfn/auth/nextjs/api';
-import { appRouter } from '@/server/router';
 import { createRpcProxy } from '@spfn/core/nextjs/server';
-export const { GET, POST } = createRpcProxy({ router: appRouter });
+import { authRouteMap } from '@spfn/auth';
+import { routeMap } from '@/generated/route-map';
+export const { GET, POST } = createRpcProxy({ routeMap: { ...routeMap, ...authRouteMap } });
 
 // any client component
 import { authApi } from '@spfn/auth';

package/dist/{authenticate-DKGNvSsH.d.ts → authenticate-Cn5krz5U.d.ts}

@@ -1,5 +1,5 @@
 import * as _spfn_core_route from '@spfn/core/route';
-import { K as KeyAlgorithmType, d as SocialProvider } from './types-B4auHIax.js';
+import { K as KeyAlgorithmType, d as SocialProvider } from './types-BtksCI9X.js';
 import * as _sinclair_typebox from '@sinclair/typebox';
 import { Static } from '@sinclair/typebox';
 import { User } from '@spfn/auth/server';
@@ -371,8 +371,9 @@ declare function verifyOneTimeTokenService(token: string): Promise<string | null
  * - 내장 provider(google)는 패키지 로드 시점에 자기 등록(dogfood)
  * - 외부 패키지(@superself/auth 등)는 registerOAuthProvider()로 런타임 등록
  *
- * @spfn/auth는 토큰 issuer가 아니라 소비(client) 측이므로,
- * 이 추상화는 "authorize URL 생성 → code 교환 → 사용자 정보 정규화"까지만 다룬다.
+ * @spfn/auth는 토큰 issuer가 아니라 소비(client) 측이므로, 이 추상화는
+ * web 흐름("authorize URL 생성 → code 교환 → 사용자 정보 정규화")과
+ * native 흐름(네이티브/웹 SDK가 받은 id_token 직접 검증)을 다룬다.
  */
 
 /**
@@ -397,6 +398,13 @@ interface OAuthTokens {
     refreshToken?: string;
     expiresIn: number;
 }
+/**
+ * 네이티브 id_token 검증 옵션
+ */
+interface NativeVerifyOptions {
+    /** 클라이언트가 생성한 raw nonce. provider별 규약(raw 또는 SHA-256 해시)으로 대조된다. */
+    nonce: string;
+}
 /**
  * OAuth provider 구현 인터페이스
  *
@@ -430,6 +438,14 @@ interface OAuthProvider {
      * 미구현 provider는 갱신 불가로 간주한다.
      */
     refreshTokens?(refreshToken: string): Promise<OAuthTokens>;
+    /**
+     * 네이티브/웹 SDK가 받은 id_token을 직접 검증하고 신원을 정규화한다.
+     *
+     * authorization code 교환 없이 provider JWKS로 서명을 검증하므로 client secret이
+     * 필요 없다. native sign-in을 지원하는 provider만 구현한다(Apple은 web SDK 부재로
+     * Android·웹도 이 경로를 쓴다).
+     */
+    verifyNativeIdToken?(idToken: string, options: NativeVerifyOptions): Promise<NormalizedIdentity>;
 }
 /**
  * OAuth provider 등록 (public)
@@ -521,6 +537,45 @@ declare function getEnabledOAuthProviders(): SocialProvider[];
  */
 declare function getGoogleAccessToken(userId: number): Promise<string>;
 
+/**
+ * @spfn/auth - Native Social Login Service
+ *
+ * 네이티브/웹 SDK가 받은 id_token을 JWKS로 검증하고, 검증된 신원에 클라이언트가 만든
+ * 공개키를 등록한다. 토큰은 발급하지 않는다 — 클라이언트가 등록한 키로 client token을
+ * 직접 서명해 Bearer로 사용한다(client-signs / server-verifies 모델).
+ *
+ * 흐름은 두 단계로 분리한다:
+ *   1) id_token 검증 — 외부 JWKS 네트워크 조회. DB 트랜잭션 밖에서 수행한다.
+ *   2) persist — 사용자 link/create + 공개키 등록을 한 트랜잭션으로. 이벤트는 커밋 후 발행.
+ */
+
+interface OAuthNativeParams {
+    provider: SocialProvider;
+    idToken: string;
+    nonce: string;
+    publicKey: string;
+    keyId: string;
+    fingerprint: string;
+    algorithm: KeyAlgorithmType;
+    /** Apple은 첫 로그인에만 이름을 별도로 주므로 클라이언트가 전달할 수 있다. */
+    profile?: {
+        name?: string;
+    };
+    metadata?: Record<string, unknown>;
+}
+interface OAuthNativeResult {
+    userId: string;
+    keyId: string;
+    isNewUser: boolean;
+}
+/**
+ * native id_token 로그인 처리
+ *
+ * @throws ValidationError provider가 native sign-in을 지원하지 않을 때
+ * @throws InvalidSocialTokenError id_token 검증 실패 시
+ */
+declare function oauthNativeService(params: OAuthNativeParams): Promise<OAuthNativeResult>;
+
 /**
  * @spfn/auth - Main Router
  *
@@ -645,7 +700,7 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
     }, {}, Response>;
     oauthStart: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
-            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "github" | "kakao" | "naver" | "superself">[]>;
+            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "apple" | "github" | "kakao" | "naver" | "superself">[]>;
             returnUrl: _sinclair_typebox.TString;
             publicKey: _sinclair_typebox.TString;
             keyId: _sinclair_typebox.TString;
@@ -655,7 +710,7 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
         }>;
     }, {}, OAuthStartResult>;
     oauthProviders: _spfn_core_route.RouteDef<{}, {}, {
-        providers: ("google" | "github" | "kakao" | "naver" | "superself")[];
+        providers: ("google" | "apple" | "github" | "kakao" | "naver" | "superself")[];
     }>;
     getGoogleOAuthUrl: _spfn_core_route.RouteDef<{
         body: _sinclair_typebox.TObject<{
@@ -679,7 +734,7 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
     }>;
     oauthProviderStart: _spfn_core_route.RouteDef<{
         params: _sinclair_typebox.TObject<{
-            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "github" | "kakao" | "naver" | "superself">[]>;
+            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "apple" | "github" | "kakao" | "naver" | "superself">[]>;
         }>;
         query: _sinclair_typebox.TObject<{
             state: _sinclair_typebox.TString;
@@ -687,7 +742,7 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
     }, {}, Response>;
     oauthProviderCallback: _spfn_core_route.RouteDef<{
         params: _sinclair_typebox.TObject<{
-            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "github" | "kakao" | "naver" | "superself">[]>;
+            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "apple" | "github" | "kakao" | "naver" | "superself">[]>;
         }>;
         query: _sinclair_typebox.TObject<{
             code: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
@@ -698,7 +753,7 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
     }, {}, Response>;
     getProviderOAuthUrl: _spfn_core_route.RouteDef<{
         params: _sinclair_typebox.TObject<{
-            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "github" | "kakao" | "naver" | "superself">[]>;
+            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "apple" | "github" | "kakao" | "naver" | "superself">[]>;
         }>;
         body: _sinclair_typebox.TObject<{
             returnUrl: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
@@ -707,6 +762,23 @@ declare const mainAuthRouter: _spfn_core_route.Router<{
     }, {}, {
         authUrl: string;
     }>;
+    oauthNative: _spfn_core_route.RouteDef<{
+        params: _sinclair_typebox.TObject<{
+            provider: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"google" | "apple" | "github" | "kakao" | "naver" | "superself">[]>;
+        }>;
+        body: _sinclair_typebox.TObject<{
+            idToken: _sinclair_typebox.TString;
+            nonce: _sinclair_typebox.TString;
+            publicKey: _sinclair_typebox.TString;
+            keyId: _sinclair_typebox.TString;
+            fingerprint: _sinclair_typebox.TString;
+            algorithm: _sinclair_typebox.TUnion<_sinclair_typebox.TLiteral<"ES256" | "RS256">[]>;
+            profile: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+                name: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            }>>;
+            metadata: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TUnknown>>;
+        }>;
+    }, {}, OAuthNativeResult>;
     getInvitation: _spfn_core_route.RouteDef<{
         params: _sinclair_typebox.TObject<{
             token: _sinclair_typebox.TString;
@@ -1015,4 +1087,4 @@ declare const authenticate: _spfn_core_route.NamedMiddleware<"auth">;
  */
 declare const optionalAuth: _spfn_core_route.NamedMiddleware<"optionalAuth">;
 
-export { type OAuthCallbackParams as $, type AuthSession as A, type VerifyCodeResult as B, type CheckAccountExistsResult as C, registerPublicKeyService as D, rotateKeyService as E, revokeKeyService as F, type RegisterPublicKeyParams as G, type RotateKeyParams as H, type IssueOneTimeTokenResult as I, type RevokeKeyParams as J, issueOneTimeTokenService as K, type LoginResult as L, verifyOneTimeTokenService as M, oauthStartService as N, type OAuthStartResult as O, type PermissionConfig as P, oauthCallbackService as Q, type RoleConfig as R, type SendVerificationCodeResult as S, buildOAuthErrorUrl as T, type UserProfile as U, type VerificationTargetType as V, isOAuthProviderEnabled as W, requireEnabledProvider as X, getEnabledOAuthProviders as Y, getGoogleAccessToken as Z, type OAuthStartParams as _, type RegisterResult as a, type OAuthCallbackResult as a0, authenticate as a1, optionalAuth as a2, EmailSchema as a3, PhoneSchema as a4, PasswordSchema as a5, TargetTypeSchema as a6, VerificationPurposeSchema as a7, type NormalizedIdentity as a8, type OAuthTokens as a9, registerOAuthProvider as aa, getOAuthProvider as ab, getRegisteredProviders as ac, type RotateKeyResult as b, type ProfileInfo as c, type VerificationPurpose as d, VERIFICATION_TARGET_TYPES as e, VERIFICATION_PURPOSES as f, PERMISSION_CATEGORIES as g, type PermissionCategory as h, type AuthInitOptions as i, type OAuthProvider as j, type AuthContext as k, checkAccountExistsService as l, mainAuthRouter as m, loginService as n, logoutService as o, changePasswordService as p, type CheckAccountExistsParams as q, registerService as r, type RegisterParams as s, type LoginParams as t, type LogoutParams as u, type ChangePasswordParams as v, sendVerificationCodeService as w, verifyCodeService as x, type SendVerificationCodeParams as y, type VerifyCodeParams as z };
+export { type OAuthStartParams as $, type AuthSession as A, type VerifyCodeParams as B, type CheckAccountExistsResult as C, type VerifyCodeResult as D, registerPublicKeyService as E, rotateKeyService as F, revokeKeyService as G, type RegisterPublicKeyParams as H, type IssueOneTimeTokenResult as I, type RotateKeyParams as J, type RevokeKeyParams as K, type LoginResult as L, issueOneTimeTokenService as M, verifyOneTimeTokenService as N, type OAuthStartResult as O, type PermissionConfig as P, oauthStartService as Q, type RoleConfig as R, type SendVerificationCodeResult as S, oauthCallbackService as T, type UserProfile as U, type VerificationTargetType as V, buildOAuthErrorUrl as W, isOAuthProviderEnabled as X, requireEnabledProvider as Y, getEnabledOAuthProviders as Z, getGoogleAccessToken as _, type RegisterResult as a, type OAuthCallbackParams as a0, type OAuthCallbackResult as a1, oauthNativeService as a2, type OAuthNativeParams as a3, authenticate as a4, optionalAuth as a5, EmailSchema as a6, PhoneSchema as a7, PasswordSchema as a8, TargetTypeSchema as a9, VerificationPurposeSchema as aa, type NormalizedIdentity as ab, type OAuthTokens as ac, type NativeVerifyOptions as ad, registerOAuthProvider as ae, getOAuthProvider as af, getRegisteredProviders as ag, type RotateKeyResult as b, type OAuthNativeResult as c, type ProfileInfo as d, type VerificationPurpose as e, VERIFICATION_TARGET_TYPES as f, VERIFICATION_PURPOSES as g, PERMISSION_CATEGORIES as h, type PermissionCategory as i, type AuthInitOptions as j, type OAuthProvider as k, type AuthContext as l, mainAuthRouter as m, checkAccountExistsService as n, loginService as o, logoutService as p, changePasswordService as q, registerService as r, type CheckAccountExistsParams as s, type RegisterParams as t, type LoginParams as u, type LogoutParams as v, type ChangePasswordParams as w, sendVerificationCodeService as x, verifyCodeService as y, type SendVerificationCodeParams as z };

package/dist/config.d.ts

@@ -19,11 +19,11 @@ import * as _spfn_core_env from '@spfn/core/env';
  *
  * @example
  * ```typescript
- * import { authEnvSchema } from '@spfn/auth/config';
+ * import { envSchema } from '@spfn/auth/config';
  *
  * // Access schema information
- * console.log(authEnvSchema.SPFN_AUTH_SESSION_SECRET.description);
- * console.log(authEnvSchema.SPFN_AUTH_JWT_EXPIRES_IN.default);
+ * console.log(envSchema.SPFN_AUTH_SESSION_SECRET.description);
+ * console.log(envSchema.SPFN_AUTH_JWT_EXPIRES_IN.default);
  * ```
  */
 declare const authEnvSchema: {
@@ -260,6 +260,24 @@ declare const authEnvSchema: {
     } & {
         key: "SPFN_AUTH_GOOGLE_REDIRECT_URI";
     };
+    SPFN_AUTH_GOOGLE_NATIVE_CLIENT_IDS: {
+        description: string;
+        required: boolean;
+        examples: string[];
+        type: "string";
+        validator: (value: string) => string;
+    } & {
+        key: "SPFN_AUTH_GOOGLE_NATIVE_CLIENT_IDS";
+    };
+    SPFN_AUTH_APPLE_CLIENT_IDS: {
+        description: string;
+        required: boolean;
+        examples: string[];
+        type: "string";
+        validator: (value: string) => string;
+    } & {
+        key: "SPFN_AUTH_APPLE_CLIENT_IDS";
+    };
     SPFN_AUTH_OAUTH_SUCCESS_URL: {
         description: string;
         required: boolean;
@@ -516,6 +534,24 @@ declare const env: _spfn_core_env.InferEnvType<{
     } & {
         key: "SPFN_AUTH_GOOGLE_REDIRECT_URI";
     };
+    SPFN_AUTH_GOOGLE_NATIVE_CLIENT_IDS: {
+        description: string;
+        required: boolean;
+        examples: string[];
+        type: "string";
+        validator: (value: string) => string;
+    } & {
+        key: "SPFN_AUTH_GOOGLE_NATIVE_CLIENT_IDS";
+    };
+    SPFN_AUTH_APPLE_CLIENT_IDS: {
+        description: string;
+        required: boolean;
+        examples: string[];
+        type: "string";
+        validator: (value: string) => string;
+    } & {
+        key: "SPFN_AUTH_APPLE_CLIENT_IDS";
+    };
     SPFN_AUTH_OAUTH_SUCCESS_URL: {
         description: string;
         required: boolean;

package/dist/config.js

@@ -274,6 +274,31 @@ var authEnvSchema = defineEnvSchema({
       ]
     })
   },
+  // ============================================================================
+  // Native Social Login (mobile/web id_token verification)
+  //
+  // 네이티브 SDK가 받은 id_token을 서버가 JWKS로 검증하는 경로 전용 설정.
+  // authorization code 교환을 하지 않으므로 client secret이 필요 없다.
+  // audience(aud)로 허용할 client id 목록만 지정한다.
+  // ============================================================================
+  SPFN_AUTH_GOOGLE_NATIVE_CLIENT_IDS: {
+    ...envString({
+      description: "Comma-separated Google client IDs accepted as id_token audience for native sign-in (iOS, Android, web). When set, Google native sign-in is enabled. SPFN_AUTH_GOOGLE_CLIENT_ID is also accepted automatically.",
+      required: false,
+      examples: [
+        "123-ios.apps.googleusercontent.com,123-android.apps.googleusercontent.com"
+      ]
+    })
+  },
+  SPFN_AUTH_APPLE_CLIENT_IDS: {
+    ...envString({
+      description: "Comma-separated Apple client IDs accepted as id_token audience for native sign-in (iOS bundle ID, web/Android Services ID). When set, Apple native sign-in is enabled.",
+      required: false,
+      examples: [
+        "com.example.app,com.example.app.service"
+      ]
+    })
+  },
   SPFN_AUTH_OAUTH_SUCCESS_URL: {
     ...envString({
       description: "OAuth callback page URL. This page should use OAuthCallback component to finalize session.",

package/dist/config.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/config/index.ts","../src/config/schema.ts"],"sourcesContent":["/**\n * Core Package Configuration\n *\n * @example\n * ```typescript\n * import { registry } from '@spfn/core/config';\n *\n * const env = registry.validate();\n * console.log(env.DB_POOL_MAX);\n * ```\n *\n * @module config\n */\n\nimport { createEnvRegistry } from '@spfn/core/env';\nimport { authEnvSchema } from './schema';\n\nexport { authEnvSchema as envSchema } from './schema';\n\n/**\n * Environment registry\n */\nconst registry = createEnvRegistry(authEnvSchema);\nexport const env = registry.validate();","/**\n * Auth Environment Variable Schema\n *\n * Centralized schema definition for all environment variables used in @spfn/auth.\n * This provides type safety, validation, and documentation for Auth configuration.\n *\n * @module config/schema\n */\n\nimport {\n    defineEnvSchema,\n    envString,\n    envNumber,\n    envBoolean,\n    createSecureSecretParser,\n    createPasswordParser,\n} from '@spfn/core/env';\n\n/**\n * Auth environment variable schema\n *\n * Defines all Auth environment variables with:\n * - Type information\n * - Default values\n * - Validation rules\n * - Documentation\n *\n * @example\n * ```typescript\n * import { authEnvSchema } from '@spfn/auth/config';\n *\n * // Access schema information\n * console.log(authEnvSchema.SPFN_AUTH_SESSION_SECRET.description);\n * console.log(authEnvSchema.SPFN_AUTH_JWT_EXPIRES_IN.default);\n * ```\n */\nexport const authEnvSchema = defineEnvSchema({\n    // ============================================================================\n    // Session Configuration\n    // ============================================================================\n    SPFN_AUTH_SESSION_SECRET: {\n        ...envString({\n            description: 'Session encryption secret (minimum 32 characters for AES-256)',\n            required: true,\n            fallbackKeys: ['SESSION_SECRET'],\n            validator: createSecureSecretParser({\n                minLength: 32,\n                minUniqueChars: 16,\n                minEntropy: 3.5,\n            }),\n            sensitive: true,\n            nextjs: true, // Required for Next.js RSC session validation\n            examples: [\n                'my-super-secret-session-key-at-least-32-chars-long',\n                'use-a-cryptographically-secure-random-string-here',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_SESSION_TTL: {\n        ...envString({\n            description: 'Session TTL (time to live) - supports duration strings like \\'7d\\', \\'12h\\', \\'45m\\'',\n            default: '7d',\n            required: false,\n            nextjs: true, // May be needed for session validation in Next.js RSC\n            examples: ['7d', '30d', '12h', '45m', '3600'],\n        }),\n    },\n\n    // ============================================================================\n    // JWT Configuration\n    // ============================================================================\n    SPFN_AUTH_JWT_SECRET: {\n        ...envString({\n            description: 'JWT signing secret for server-signed tokens (legacy mode)',\n            default: 'dev-secret-key-change-in-production',\n            required: false,\n            examples: [\n                'your-jwt-secret-key-here',\n                'use-different-from-session-secret',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_JWT_EXPIRES_IN: {\n        ...envString({\n            description: 'JWT token expiration time (e.g., \\'7d\\', \\'24h\\', \\'1h\\')',\n            default: '7d',\n            required: false,\n            examples: ['7d', '24h', '1h', '30m'],\n        }),\n    },\n\n    // ============================================================================\n    // Security Configuration\n    // ============================================================================\n    SPFN_AUTH_COOKIE_SECURE: {\n        ...envBoolean({\n            description: 'Override cookie Secure flag. Defaults to NODE_ENV === \"production\". Set to false for HTTP-only environments (e.g. bastion over plain HTTP).',\n            required: false,\n            nextjs: true,\n            examples: [true, false],\n        }),\n    },\n\n    SPFN_AUTH_BCRYPT_SALT_ROUNDS: {\n        ...envNumber({\n            description: 'Bcrypt salt rounds (cost factor, higher = more secure but slower)',\n            default: 10,\n            required: false,\n            examples: [10, 12, 14],\n        }),\n        key: 'SPFN_AUTH_BCRYPT_SALT_ROUNDS',\n    },\n\n    SPFN_AUTH_VERIFICATION_TOKEN_SECRET: {\n        ...envString({\n            description: 'Verification token secret for email verification, password reset, etc.',\n            required: true,\n            examples: [\n                'your-verification-token-secret',\n                'can-be-different-from-jwt-secret',\n            ],\n        }),\n    },\n\n    // ============================================================================\n    // Admin Account Configuration\n    // ============================================================================\n    SPFN_AUTH_ADMIN_ACCOUNTS: {\n        ...envString({\n            description: 'JSON array of admin accounts (recommended for multiple admins)',\n            required: false,\n            examples: [\n                '[{\"email\":\"admin@example.com\",\"password\":\"secure-pass\",\"role\":\"admin\"}]',\n                '[{\"email\":\"super@example.com\",\"password\":\"pass1\",\"role\":\"superadmin\"},{\"email\":\"admin@example.com\",\"password\":\"pass2\",\"role\":\"admin\"}]',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_EMAILS: {\n        ...envString({\n            description: 'Comma-separated list of admin emails (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin@example.com,user@example.com',\n                'super@example.com,admin@example.com,user@example.com',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_PASSWORDS: {\n        ...envString({\n            description: 'Comma-separated list of admin passwords (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin-pass,user-pass',\n                'super-pass,admin-pass,user-pass',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_ROLES: {\n        ...envString({\n            description: 'Comma-separated list of admin roles (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin,user',\n                'superadmin,admin,user',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_EMAIL: {\n        ...envString({\n            description: 'Single admin email (simplest format)',\n            required: false,\n            examples: ['admin@example.com'],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_PASSWORD: {\n        ...envString({\n            description: 'Single admin password (simplest format)',\n            required: false,\n            validator: createPasswordParser({\n                minLength: 8,\n                requireUppercase: true,\n                requireLowercase: true,\n                requireNumber: true,\n                requireSpecial: true,\n            }),\n            sensitive: true,\n            examples: ['SecureAdmin123!'],\n        }),\n    },\n\n    // ============================================================================\n    // Username Configuration\n    // ============================================================================\n    SPFN_AUTH_RESERVED_USERNAMES: {\n        ...envString({\n            description: 'Comma-separated list of reserved usernames that cannot be registered',\n            required: false,\n            default: 'admin,root,system,support,help,moderator,superadmin',\n            examples: [\n                'admin,root,system,support,help',\n                'admin,root,system,support,help,moderator,superadmin,operator',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_USERNAME_MIN_LENGTH: {\n        ...envNumber({\n            description: 'Minimum username length',\n            default: 3,\n            required: false,\n            examples: [2, 3, 4],\n        }),\n    },\n\n    SPFN_AUTH_USERNAME_MAX_LENGTH: {\n        ...envNumber({\n            description: 'Maximum username length',\n            default: 30,\n            required: false,\n            examples: [20, 30, 50],\n        }),\n    },\n\n    // ============================================================================\n    // API Configuration\n    // ============================================================================\n    SPFN_API_URL: {\n        ...envString({\n            description: 'Internal API URL for server-to-server communication',\n            default: 'http://localhost:8790',\n            required: false,\n            examples: [\n                'https://api.example.com',\n                'http://localhost:8790',\n            ],\n        }),\n    },\n\n    NEXT_PUBLIC_SPFN_API_URL: {\n        ...envString({\n            description: 'Public-facing API URL used for browser-facing redirects (e.g. OAuth callback). Falls back to SPFN_API_URL if not set.',\n            required: false,\n            examples: [\n                'https://api.example.com',\n                'http://localhost:8790',\n            ],\n        }),\n    },\n\n    SPFN_APP_URL: {\n        ...envString({\n            description: 'Next.js application URL (internal). Used for server-to-server communication.',\n            default: 'http://localhost:3000',\n            required: false,\n            examples: [\n                'https://app.example.com',\n                'http://localhost:3000',\n            ],\n        }),\n    },\n\n    NEXT_PUBLIC_SPFN_APP_URL: {\n        ...envString({\n            description: 'Public-facing Next.js app URL for browser redirects (e.g. OAuth redirect). Falls back to SPFN_APP_URL if not set.',\n            required: false,\n            examples: [\n                'https://app.example.com',\n                'http://localhost:3000',\n            ],\n        }),\n    },\n\n    // ============================================================================\n    // OAuth Configuration - Google\n    // ============================================================================\n    SPFN_AUTH_GOOGLE_CLIENT_ID: {\n        ...envString({\n            description: 'Google OAuth 2.0 Client ID. When set, Google OAuth routes are automatically enabled.',\n            required: false,\n            examples: ['123456789-abc123.apps.googleusercontent.com'],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_CLIENT_SECRET: {\n        ...envString({\n            description: 'Google OAuth 2.0 Client Secret',\n            required: false,\n            sensitive: true,\n            examples: ['GOCSPX-abcdefghijklmnop'],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_SCOPES: {\n        ...envString({\n            description: 'Comma-separated Google OAuth scopes. Defaults to \"email,profile\" if not set.',\n            required: false,\n            examples: [\n                'email,profile',\n                'email,profile,https://www.googleapis.com/auth/gmail.readonly',\n                'email,profile,https://www.googleapis.com/auth/calendar.readonly',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_REDIRECT_URI: {\n        ...envString({\n            description: 'Google OAuth callback URL. Defaults to {NEXT_PUBLIC_SPFN_API_URL || SPFN_API_URL}/_auth/oauth/google/callback',\n            required: false,\n            examples: [\n                'https://api.example.com/_auth/oauth/google/callback',\n                'http://localhost:8790/_auth/oauth/google/callback',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_OAUTH_SUCCESS_URL: {\n        ...envString({\n            description: 'OAuth callback page URL. This page should use OAuthCallback component to finalize session.',\n            required: false,\n            default: '/auth/callback',\n            examples: [\n                '/auth/callback',\n                'https://app.example.com/auth/callback',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_OAUTH_ERROR_URL: {\n        ...envString({\n            description: 'URL to redirect after OAuth error. Use {error} placeholder for error message.',\n            required: false,\n            default: '/auth/error?error={error}',\n            examples: [\n                'https://app.example.com/auth/error?error={error}',\n                'http://localhost:3000/auth/error?error={error}',\n            ],\n        }),\n    },\n});"],"mappings":";AAcA,SAAS,yBAAyB;;;ACLlC;AAAA,EACI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACG;AAoBA,IAAM,gBAAgB,gBAAgB;AAAA;AAAA;AAAA;AAAA,EAIzC,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,cAAc,CAAC,gBAAgB;AAAA,MAC/B,WAAW,yBAAyB;AAAA,QAChC,WAAW;AAAA,QACX,gBAAgB;AAAA,QAChB,YAAY;AAAA,MAChB,CAAC;AAAA,MACD,WAAW;AAAA,MACX,QAAQ;AAAA;AAAA,MACR,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,QAAQ;AAAA;AAAA,MACR,UAAU,CAAC,MAAM,OAAO,OAAO,OAAO,MAAM;AAAA,IAChD,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAsB;AAAA,IAClB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,MAAM,OAAO,MAAM,KAAK;AAAA,IACvC,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,yBAAyB;AAAA,IACrB,GAAG,WAAW;AAAA,MACV,aAAa;AAAA,MACb,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,UAAU,CAAC,MAAM,KAAK;AAAA,IAC1B,CAAC;AAAA,EACL;AAAA,EAEA,8BAA8B;AAAA,IAC1B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,IAAI,IAAI,EAAE;AAAA,IACzB,CAAC;AAAA,IACD,KAAK;AAAA,EACT;AAAA,EAEA,qCAAqC;AAAA,IACjC,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,wBAAwB;AAAA,IACpB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,2BAA2B;AAAA,IACvB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU,CAAC,mBAAmB;AAAA,IAClC,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,WAAW,qBAAqB;AAAA,QAC5B,WAAW;AAAA,QACX,kBAAkB;AAAA,QAClB,kBAAkB;AAAA,QAClB,eAAe;AAAA,QACf,gBAAgB;AAAA,MACpB,CAAC;AAAA,MACD,WAAW;AAAA,MACX,UAAU,CAAC,iBAAiB;AAAA,IAChC,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,8BAA8B;AAAA,IAC1B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,GAAG,GAAG,CAAC;AAAA,IACtB,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,IAAI,IAAI,EAAE;AAAA,IACzB,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc;AAAA,IACV,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,cAAc;AAAA,IACV,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,4BAA4B;AAAA,IACxB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU,CAAC,6CAA6C;AAAA,IAC5D,CAAC;AAAA,EACL;AAAA,EAEA,gCAAgC;AAAA,IAC5B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,WAAW;AAAA,MACX,UAAU,CAAC,yBAAyB;AAAA,IACxC,CAAC;AAAA,EACL;AAAA,EAEA,yBAAyB;AAAA,IACrB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,6BAA6B;AAAA,IACzB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,2BAA2B;AAAA,IACvB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AACJ,CAAC;;;ADnUD,IAAM,WAAW,kBAAkB,aAAa;AACzC,IAAM,MAAM,SAAS,SAAS;","names":[]}
+{"version":3,"sources":["../src/config/index.ts","../src/config/schema.ts"],"sourcesContent":["/**\n * Core Package Configuration\n *\n * @example\n * ```typescript\n * import { registry } from '@spfn/core/config';\n *\n * const env = registry.validate();\n * console.log(env.DB_POOL_MAX);\n * ```\n *\n * @module config\n */\n\nimport { createEnvRegistry } from '@spfn/core/env';\nimport { authEnvSchema } from './schema';\n\nexport { authEnvSchema as envSchema } from './schema';\n\n/**\n * Environment registry\n */\nconst registry = createEnvRegistry(authEnvSchema);\nexport const env = registry.validate();\n","/**\n * Auth Environment Variable Schema\n *\n * Centralized schema definition for all environment variables used in @spfn/auth.\n * This provides type safety, validation, and documentation for Auth configuration.\n *\n * @module config/schema\n */\n\nimport {\n    defineEnvSchema,\n    envString,\n    envNumber,\n    envBoolean,\n    createSecureSecretParser,\n    createPasswordParser,\n} from '@spfn/core/env';\n\n/**\n * Auth environment variable schema\n *\n * Defines all Auth environment variables with:\n * - Type information\n * - Default values\n * - Validation rules\n * - Documentation\n *\n * @example\n * ```typescript\n * import { envSchema } from '@spfn/auth/config';\n *\n * // Access schema information\n * console.log(envSchema.SPFN_AUTH_SESSION_SECRET.description);\n * console.log(envSchema.SPFN_AUTH_JWT_EXPIRES_IN.default);\n * ```\n */\nexport const authEnvSchema = defineEnvSchema({\n    // ============================================================================\n    // Session Configuration\n    // ============================================================================\n    SPFN_AUTH_SESSION_SECRET: {\n        ...envString({\n            description: 'Session encryption secret (minimum 32 characters for AES-256)',\n            required: true,\n            fallbackKeys: ['SESSION_SECRET'],\n            validator: createSecureSecretParser({\n                minLength: 32,\n                minUniqueChars: 16,\n                minEntropy: 3.5,\n            }),\n            sensitive: true,\n            nextjs: true, // Required for Next.js RSC session validation\n            examples: [\n                'my-super-secret-session-key-at-least-32-chars-long',\n                'use-a-cryptographically-secure-random-string-here',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_SESSION_TTL: {\n        ...envString({\n            description: 'Session TTL (time to live) - supports duration strings like \\'7d\\', \\'12h\\', \\'45m\\'',\n            default: '7d',\n            required: false,\n            nextjs: true, // May be needed for session validation in Next.js RSC\n            examples: ['7d', '30d', '12h', '45m', '3600'],\n        }),\n    },\n\n    // ============================================================================\n    // JWT Configuration\n    // ============================================================================\n    SPFN_AUTH_JWT_SECRET: {\n        ...envString({\n            description: 'JWT signing secret for server-signed tokens (legacy mode)',\n            default: 'dev-secret-key-change-in-production',\n            required: false,\n            examples: [\n                'your-jwt-secret-key-here',\n                'use-different-from-session-secret',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_JWT_EXPIRES_IN: {\n        ...envString({\n            description: 'JWT token expiration time (e.g., \\'7d\\', \\'24h\\', \\'1h\\')',\n            default: '7d',\n            required: false,\n            examples: ['7d', '24h', '1h', '30m'],\n        }),\n    },\n\n    // ============================================================================\n    // Security Configuration\n    // ============================================================================\n    SPFN_AUTH_COOKIE_SECURE: {\n        ...envBoolean({\n            description: 'Override cookie Secure flag. Defaults to NODE_ENV === \"production\". Set to false for HTTP-only environments (e.g. bastion over plain HTTP).',\n            required: false,\n            nextjs: true,\n            examples: [true, false],\n        }),\n    },\n\n    SPFN_AUTH_BCRYPT_SALT_ROUNDS: {\n        ...envNumber({\n            description: 'Bcrypt salt rounds (cost factor, higher = more secure but slower)',\n            default: 10,\n            required: false,\n            examples: [10, 12, 14],\n        }),\n        key: 'SPFN_AUTH_BCRYPT_SALT_ROUNDS',\n    },\n\n    SPFN_AUTH_VERIFICATION_TOKEN_SECRET: {\n        ...envString({\n            description: 'Verification token secret for email verification, password reset, etc.',\n            required: true,\n            examples: [\n                'your-verification-token-secret',\n                'can-be-different-from-jwt-secret',\n            ],\n        }),\n    },\n\n    // ============================================================================\n    // Admin Account Configuration\n    // ============================================================================\n    SPFN_AUTH_ADMIN_ACCOUNTS: {\n        ...envString({\n            description: 'JSON array of admin accounts (recommended for multiple admins)',\n            required: false,\n            examples: [\n                '[{\"email\":\"admin@example.com\",\"password\":\"secure-pass\",\"role\":\"admin\"}]',\n                '[{\"email\":\"super@example.com\",\"password\":\"pass1\",\"role\":\"superadmin\"},{\"email\":\"admin@example.com\",\"password\":\"pass2\",\"role\":\"admin\"}]',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_EMAILS: {\n        ...envString({\n            description: 'Comma-separated list of admin emails (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin@example.com,user@example.com',\n                'super@example.com,admin@example.com,user@example.com',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_PASSWORDS: {\n        ...envString({\n            description: 'Comma-separated list of admin passwords (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin-pass,user-pass',\n                'super-pass,admin-pass,user-pass',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_ROLES: {\n        ...envString({\n            description: 'Comma-separated list of admin roles (legacy CSV format)',\n            required: false,\n            examples: [\n                'admin,user',\n                'superadmin,admin,user',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_EMAIL: {\n        ...envString({\n            description: 'Single admin email (simplest format)',\n            required: false,\n            examples: ['admin@example.com'],\n        }),\n    },\n\n    SPFN_AUTH_ADMIN_PASSWORD: {\n        ...envString({\n            description: 'Single admin password (simplest format)',\n            required: false,\n            validator: createPasswordParser({\n                minLength: 8,\n                requireUppercase: true,\n                requireLowercase: true,\n                requireNumber: true,\n                requireSpecial: true,\n            }),\n            sensitive: true,\n            examples: ['SecureAdmin123!'],\n        }),\n    },\n\n    // ============================================================================\n    // Username Configuration\n    // ============================================================================\n    SPFN_AUTH_RESERVED_USERNAMES: {\n        ...envString({\n            description: 'Comma-separated list of reserved usernames that cannot be registered',\n            required: false,\n            default: 'admin,root,system,support,help,moderator,superadmin',\n            examples: [\n                'admin,root,system,support,help',\n                'admin,root,system,support,help,moderator,superadmin,operator',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_USERNAME_MIN_LENGTH: {\n        ...envNumber({\n            description: 'Minimum username length',\n            default: 3,\n            required: false,\n            examples: [2, 3, 4],\n        }),\n    },\n\n    SPFN_AUTH_USERNAME_MAX_LENGTH: {\n        ...envNumber({\n            description: 'Maximum username length',\n            default: 30,\n            required: false,\n            examples: [20, 30, 50],\n        }),\n    },\n\n    // ============================================================================\n    // API Configuration\n    // ============================================================================\n    SPFN_API_URL: {\n        ...envString({\n            description: 'Internal API URL for server-to-server communication',\n            default: 'http://localhost:8790',\n            required: false,\n            examples: [\n                'https://api.example.com',\n                'http://localhost:8790',\n            ],\n        }),\n    },\n\n    NEXT_PUBLIC_SPFN_API_URL: {\n        ...envString({\n            description: 'Public-facing API URL used for browser-facing redirects (e.g. OAuth callback). Falls back to SPFN_API_URL if not set.',\n            required: false,\n            examples: [\n                'https://api.example.com',\n                'http://localhost:8790',\n            ],\n        }),\n    },\n\n    SPFN_APP_URL: {\n        ...envString({\n            description: 'Next.js application URL (internal). Used for server-to-server communication.',\n            default: 'http://localhost:3000',\n            required: false,\n            examples: [\n                'https://app.example.com',\n                'http://localhost:3000',\n            ],\n        }),\n    },\n\n    NEXT_PUBLIC_SPFN_APP_URL: {\n        ...envString({\n            description: 'Public-facing Next.js app URL for browser redirects (e.g. OAuth redirect). Falls back to SPFN_APP_URL if not set.',\n            required: false,\n            examples: [\n                'https://app.example.com',\n                'http://localhost:3000',\n            ],\n        }),\n    },\n\n    // ============================================================================\n    // OAuth Configuration - Google\n    // ============================================================================\n    SPFN_AUTH_GOOGLE_CLIENT_ID: {\n        ...envString({\n            description: 'Google OAuth 2.0 Client ID. When set, Google OAuth routes are automatically enabled.',\n            required: false,\n            examples: ['123456789-abc123.apps.googleusercontent.com'],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_CLIENT_SECRET: {\n        ...envString({\n            description: 'Google OAuth 2.0 Client Secret',\n            required: false,\n            sensitive: true,\n            examples: ['GOCSPX-abcdefghijklmnop'],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_SCOPES: {\n        ...envString({\n            description: 'Comma-separated Google OAuth scopes. Defaults to \"email,profile\" if not set.',\n            required: false,\n            examples: [\n                'email,profile',\n                'email,profile,https://www.googleapis.com/auth/gmail.readonly',\n                'email,profile,https://www.googleapis.com/auth/calendar.readonly',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_GOOGLE_REDIRECT_URI: {\n        ...envString({\n            description: 'Google OAuth callback URL. Defaults to {NEXT_PUBLIC_SPFN_API_URL || SPFN_API_URL}/_auth/oauth/google/callback',\n            required: false,\n            examples: [\n                'https://api.example.com/_auth/oauth/google/callback',\n                'http://localhost:8790/_auth/oauth/google/callback',\n            ],\n        }),\n    },\n\n    // ============================================================================\n    // Native Social Login (mobile/web id_token verification)\n    //\n    // 네이티브 SDK가 받은 id_token을 서버가 JWKS로 검증하는 경로 전용 설정.\n    // authorization code 교환을 하지 않으므로 client secret이 필요 없다.\n    // audience(aud)로 허용할 client id 목록만 지정한다.\n    // ============================================================================\n    SPFN_AUTH_GOOGLE_NATIVE_CLIENT_IDS: {\n        ...envString({\n            description: 'Comma-separated Google client IDs accepted as id_token audience for native sign-in (iOS, Android, web). When set, Google native sign-in is enabled. SPFN_AUTH_GOOGLE_CLIENT_ID is also accepted automatically.',\n            required: false,\n            examples: [\n                '123-ios.apps.googleusercontent.com,123-android.apps.googleusercontent.com',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_APPLE_CLIENT_IDS: {\n        ...envString({\n            description: 'Comma-separated Apple client IDs accepted as id_token audience for native sign-in (iOS bundle ID, web/Android Services ID). When set, Apple native sign-in is enabled.',\n            required: false,\n            examples: [\n                'com.example.app,com.example.app.service',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_OAUTH_SUCCESS_URL: {\n        ...envString({\n            description: 'OAuth callback page URL. This page should use OAuthCallback component to finalize session.',\n            required: false,\n            default: '/auth/callback',\n            examples: [\n                '/auth/callback',\n                'https://app.example.com/auth/callback',\n            ],\n        }),\n    },\n\n    SPFN_AUTH_OAUTH_ERROR_URL: {\n        ...envString({\n            description: 'URL to redirect after OAuth error. Use {error} placeholder for error message.',\n            required: false,\n            default: '/auth/error?error={error}',\n            examples: [\n                'https://app.example.com/auth/error?error={error}',\n                'http://localhost:3000/auth/error?error={error}',\n            ],\n        }),\n    },\n});\n"],"mappings":";AAcA,SAAS,yBAAyB;;;ACLlC;AAAA,EACI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACG;AAoBA,IAAM,gBAAgB,gBAAgB;AAAA;AAAA;AAAA;AAAA,EAIzC,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,cAAc,CAAC,gBAAgB;AAAA,MAC/B,WAAW,yBAAyB;AAAA,QAChC,WAAW;AAAA,QACX,gBAAgB;AAAA,QAChB,YAAY;AAAA,MAChB,CAAC;AAAA,MACD,WAAW;AAAA,MACX,QAAQ;AAAA;AAAA,MACR,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,QAAQ;AAAA;AAAA,MACR,UAAU,CAAC,MAAM,OAAO,OAAO,OAAO,MAAM;AAAA,IAChD,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAsB;AAAA,IAClB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,MAAM,OAAO,MAAM,KAAK;AAAA,IACvC,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,yBAAyB;AAAA,IACrB,GAAG,WAAW;AAAA,MACV,aAAa;AAAA,MACb,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,UAAU,CAAC,MAAM,KAAK;AAAA,IAC1B,CAAC;AAAA,EACL;AAAA,EAEA,8BAA8B;AAAA,IAC1B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,IAAI,IAAI,EAAE;AAAA,IACzB,CAAC;AAAA,IACD,KAAK;AAAA,EACT;AAAA,EAEA,qCAAqC;AAAA,IACjC,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,wBAAwB;AAAA,IACpB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,2BAA2B;AAAA,IACvB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,uBAAuB;AAAA,IACnB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU,CAAC,mBAAmB;AAAA,IAClC,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,WAAW,qBAAqB;AAAA,QAC5B,WAAW;AAAA,QACX,kBAAkB;AAAA,QAClB,kBAAkB;AAAA,QAClB,eAAe;AAAA,QACf,gBAAgB;AAAA,MACpB,CAAC;AAAA,MACD,WAAW;AAAA,MACX,UAAU,CAAC,iBAAiB;AAAA,IAChC,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,8BAA8B;AAAA,IAC1B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,GAAG,GAAG,CAAC;AAAA,IACtB,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU,CAAC,IAAI,IAAI,EAAE;AAAA,IACzB,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc;AAAA,IACV,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,cAAc;AAAA,IACV,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,MACT,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,0BAA0B;AAAA,IACtB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKA,4BAA4B;AAAA,IACxB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU,CAAC,6CAA6C;AAAA,IAC5D,CAAC;AAAA,EACL;AAAA,EAEA,gCAAgC;AAAA,IAC5B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,WAAW;AAAA,MACX,UAAU,CAAC,yBAAyB;AAAA,IACxC,CAAC;AAAA,EACL;AAAA,EAEA,yBAAyB;AAAA,IACrB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,+BAA+B;AAAA,IAC3B,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,oCAAoC;AAAA,IAChC,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,4BAA4B;AAAA,IACxB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,UAAU;AAAA,QACN;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,6BAA6B;AAAA,IACzB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,2BAA2B;AAAA,IACvB,GAAG,UAAU;AAAA,MACT,aAAa;AAAA,MACb,UAAU;AAAA,MACV,SAAS;AAAA,MACT,UAAU;AAAA,QACN;AAAA,QACA;AAAA,MACJ;AAAA,IACJ,CAAC;AAAA,EACL;AACJ,CAAC;;;AD9VD,IAAM,WAAW,kBAAkB,aAAa;AACzC,IAAM,MAAM,SAAS,SAAS;","names":[]}

package/dist/errors.d.ts

@@ -28,6 +28,18 @@ declare class InvalidTokenError extends UnauthorizedError {
         details?: Record<string, any>;
     });
 }
+/**
+ * Invalid Social Token Error (401)
+ *
+ * Thrown when a social provider id_token fails verification
+ * (bad signature, wrong issuer/audience, expired, or nonce mismatch).
+ */
+declare class InvalidSocialTokenError extends UnauthorizedError {
+    constructor(data?: {
+        message?: string;
+        details?: Record<string, any>;
+    });
+}
 /**
  * Token Expired Error (401)
  *
@@ -193,6 +205,8 @@ type authErrors_InvalidCredentialsError = InvalidCredentialsError;
 declare const authErrors_InvalidCredentialsError: typeof InvalidCredentialsError;
 type authErrors_InvalidKeyFingerprintError = InvalidKeyFingerprintError;
 declare const authErrors_InvalidKeyFingerprintError: typeof InvalidKeyFingerprintError;
+type authErrors_InvalidSocialTokenError = InvalidSocialTokenError;
+declare const authErrors_InvalidSocialTokenError: typeof InvalidSocialTokenError;
 type authErrors_InvalidTokenError = InvalidTokenError;
 declare const authErrors_InvalidTokenError: typeof InvalidTokenError;
 type authErrors_InvalidVerificationCodeError = InvalidVerificationCodeError;
@@ -212,7 +226,7 @@ declare const authErrors_VerificationTokenPurposeMismatchError: typeof Verificat
 type authErrors_VerificationTokenTargetMismatchError = VerificationTokenTargetMismatchError;
 declare const authErrors_VerificationTokenTargetMismatchError: typeof VerificationTokenTargetMismatchError;
 declare namespace authErrors {
-  export { authErrors_AccountAlreadyExistsError as AccountAlreadyExistsError, authErrors_AccountDisabledError as AccountDisabledError, authErrors_InsufficientPermissionsError as InsufficientPermissionsError, authErrors_InsufficientRoleError as InsufficientRoleError, authErrors_InvalidCredentialsError as InvalidCredentialsError, authErrors_InvalidKeyFingerprintError as InvalidKeyFingerprintError, authErrors_InvalidTokenError as InvalidTokenError, authErrors_InvalidVerificationCodeError as InvalidVerificationCodeError, authErrors_InvalidVerificationTokenError as InvalidVerificationTokenError, authErrors_KeyExpiredError as KeyExpiredError, authErrors_ReservedUsernameError as ReservedUsernameError, authErrors_TokenExpiredError as TokenExpiredError, authErrors_UsernameAlreadyTakenError as UsernameAlreadyTakenError, authErrors_VerificationTokenPurposeMismatchError as VerificationTokenPurposeMismatchError, authErrors_VerificationTokenTargetMismatchError as VerificationTokenTargetMismatchError };
+  export { authErrors_AccountAlreadyExistsError as AccountAlreadyExistsError, authErrors_AccountDisabledError as AccountDisabledError, authErrors_InsufficientPermissionsError as InsufficientPermissionsError, authErrors_InsufficientRoleError as InsufficientRoleError, authErrors_InvalidCredentialsError as InvalidCredentialsError, authErrors_InvalidKeyFingerprintError as InvalidKeyFingerprintError, authErrors_InvalidSocialTokenError as InvalidSocialTokenError, authErrors_InvalidTokenError as InvalidTokenError, authErrors_InvalidVerificationCodeError as InvalidVerificationCodeError, authErrors_InvalidVerificationTokenError as InvalidVerificationTokenError, authErrors_KeyExpiredError as KeyExpiredError, authErrors_ReservedUsernameError as ReservedUsernameError, authErrors_TokenExpiredError as TokenExpiredError, authErrors_UsernameAlreadyTakenError as UsernameAlreadyTakenError, authErrors_VerificationTokenPurposeMismatchError as VerificationTokenPurposeMismatchError, authErrors_VerificationTokenTargetMismatchError as VerificationTokenTargetMismatchError };
 }
 
 /**
@@ -221,4 +235,4 @@ declare namespace authErrors {
 
 declare const authErrorRegistry: ErrorRegistry;
 
-export { AccountAlreadyExistsError, AccountDisabledError, authErrors as AuthError, InsufficientPermissionsError, InsufficientRoleError, InvalidCredentialsError, InvalidKeyFingerprintError, InvalidTokenError, InvalidVerificationCodeError, InvalidVerificationTokenError, KeyExpiredError, ReservedUsernameError, TokenExpiredError, UsernameAlreadyTakenError, VerificationTokenPurposeMismatchError, VerificationTokenTargetMismatchError, authErrorRegistry };
+export { AccountAlreadyExistsError, AccountDisabledError, authErrors as AuthError, InsufficientPermissionsError, InsufficientRoleError, InvalidCredentialsError, InvalidKeyFingerprintError, InvalidSocialTokenError, InvalidTokenError, InvalidVerificationCodeError, InvalidVerificationTokenError, KeyExpiredError, ReservedUsernameError, TokenExpiredError, UsernameAlreadyTakenError, VerificationTokenPurposeMismatchError, VerificationTokenTargetMismatchError, authErrorRegistry };

package/dist/errors.js

@@ -16,6 +16,7 @@ __export(auth_errors_exports, {
   InsufficientRoleError: () => InsufficientRoleError,
   InvalidCredentialsError: () => InvalidCredentialsError,
   InvalidKeyFingerprintError: () => InvalidKeyFingerprintError,
+  InvalidSocialTokenError: () => InvalidSocialTokenError,
   InvalidTokenError: () => InvalidTokenError,
   InvalidVerificationCodeError: () => InvalidVerificationCodeError,
   InvalidVerificationTokenError: () => InvalidVerificationTokenError,
@@ -44,6 +45,12 @@ var InvalidTokenError = class extends UnauthorizedError {
     this.name = "InvalidTokenError";
   }
 };
+var InvalidSocialTokenError = class extends UnauthorizedError {
+  constructor(data = {}) {
+    super({ message: data.message || "Invalid social id_token", details: data.details });
+    this.name = "InvalidSocialTokenError";
+  }
+};
 var TokenExpiredError = class extends UnauthorizedError {
   constructor(data = {}) {
     super({ message: data.message || "Authentication token has expired", details: data.details });
@@ -161,6 +168,7 @@ var authErrorRegistry = new ErrorRegistry();
 authErrorRegistry.append([
   InvalidCredentialsError,
   InvalidTokenError,
+  InvalidSocialTokenError,
   TokenExpiredError,
   KeyExpiredError,
   AccountDisabledError,
@@ -183,6 +191,7 @@ export {
   InsufficientRoleError,
   InvalidCredentialsError,
   InvalidKeyFingerprintError,
+  InvalidSocialTokenError,
   InvalidTokenError,
   InvalidVerificationCodeError,
   InvalidVerificationTokenError,

package/dist/errors.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/errors/index.ts","../src/errors/auth-errors.ts"],"sourcesContent":["/**\n * Auth Error Exports\n */\n\nimport { ErrorRegistry } from \"@spfn/core/errors\";\n\nimport {\n    InvalidCredentialsError,\n    InvalidTokenError,\n    TokenExpiredError,\n    KeyExpiredError,\n    AccountDisabledError,\n    AccountAlreadyExistsError,\n    ReservedUsernameError,\n    UsernameAlreadyTakenError,\n    InvalidVerificationCodeError,\n    InvalidVerificationTokenError,\n    InvalidKeyFingerprintError,\n    VerificationTokenPurposeMismatchError,\n    VerificationTokenTargetMismatchError,\n    InsufficientPermissionsError,\n    InsufficientRoleError,\n} from './auth-errors';\n\nexport {\n    InvalidCredentialsError,\n    InvalidTokenError,\n    TokenExpiredError,\n    KeyExpiredError,\n    AccountDisabledError,\n    AccountAlreadyExistsError,\n    ReservedUsernameError,\n    UsernameAlreadyTakenError,\n    InvalidVerificationCodeError,\n    InvalidVerificationTokenError,\n    InvalidKeyFingerprintError,\n    VerificationTokenPurposeMismatchError,\n    VerificationTokenTargetMismatchError,\n    InsufficientPermissionsError,\n    InsufficientRoleError,\n} from './auth-errors';\n\nexport const authErrorRegistry = new ErrorRegistry();\nauthErrorRegistry.append([\n    InvalidCredentialsError,\n    InvalidTokenError,\n    TokenExpiredError,\n    KeyExpiredError,\n    AccountDisabledError,\n    AccountAlreadyExistsError,\n    ReservedUsernameError,\n    UsernameAlreadyTakenError,\n    InvalidVerificationCodeError,\n    InvalidVerificationTokenError,\n    InvalidKeyFingerprintError,\n    VerificationTokenPurposeMismatchError,\n    VerificationTokenTargetMismatchError,\n    InsufficientPermissionsError,\n    InsufficientRoleError,\n]);\n\nexport * as AuthError from './auth-errors';","/**\n * Authentication & Authorization Error Classes\n *\n * Custom error classes for auth-specific scenarios\n */\n\nimport {\n    ValidationError,\n    UnauthorizedError,\n    ForbiddenError,\n    ConflictError\n} from '@spfn/core/errors';\n\n/**\n * Invalid Credentials Error (401)\n *\n * Thrown when login credentials are incorrect\n */\nexport class InvalidCredentialsError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid credentials', details: data.details });\n        this.name = 'InvalidCredentialsError';\n    }\n}\n\n/**\n * Invalid Token Error (401)\n *\n * Thrown when authentication token is invalid or malformed\n */\nexport class InvalidTokenError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid authentication token', details: data.details });\n        this.name = 'InvalidTokenError';\n    }\n}\n\n/**\n * Token Expired Error (401)\n *\n * Thrown when authentication token has expired\n */\nexport class TokenExpiredError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Authentication token has expired', details: data.details });\n        this.name = 'TokenExpiredError';\n    }\n}\n\n/**\n * Key Expired Error (401)\n *\n * Thrown when public key has expired\n */\nexport class KeyExpiredError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Public key has expired', details: data.details });\n        this.name = 'KeyExpiredError';\n    }\n}\n\n/**\n * Account Disabled Error (403)\n *\n * Thrown when user account is disabled or inactive\n */\nexport class AccountDisabledError extends ForbiddenError\n{\n    constructor(data: { status?: string; message?: string; details?: Record<string, any> } = {})\n    {\n        const status = data.status || 'disabled';\n        super({\n            message: data.message || `Account is ${status}`,\n            details: { status, ...data.details }\n        });\n        this.name = 'AccountDisabledError';\n    }\n}\n\n/**\n * Account Already Exists Error (409)\n *\n * Thrown when trying to register with existing email/phone\n */\nexport class AccountAlreadyExistsError extends ConflictError\n{\n    constructor(data: { identifier?: string; identifierType?: 'email' | 'phone'; message?: string; details?: Record<string, any> } = {})\n    {\n        super({\n            message: data.message || 'Account already exists',\n            details: {\n                identifier: data.identifier,\n                identifierType: data.identifierType,\n                ...data.details\n            }\n        });\n        this.name = 'AccountAlreadyExistsError';\n    }\n}\n\n/**\n * Invalid Verification Code Error (400)\n *\n * Thrown when verification code is invalid, expired, or already used\n */\nexport class InvalidVerificationCodeError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid verification code', details: data.details });\n        this.name = 'InvalidVerificationCodeError';\n    }\n}\n\n/**\n * Invalid Verification Token Error (400)\n *\n * Thrown when verification token is invalid or expired\n */\nexport class InvalidVerificationTokenError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid or expired verification token', details: data.details });\n        this.name = 'InvalidVerificationTokenError';\n    }\n}\n\n/**\n * Invalid Key Fingerprint Error (400)\n *\n * Thrown when public key fingerprint doesn't match the public key\n */\nexport class InvalidKeyFingerprintError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid key fingerprint', details: data.details });\n        this.name = 'InvalidKeyFingerprintError';\n    }\n}\n\n/**\n * Verification Token Purpose Mismatch Error (400)\n *\n * Thrown when verification token purpose doesn't match expected purpose\n */\nexport class VerificationTokenPurposeMismatchError extends ValidationError\n{\n    constructor(data: { expected?: string; actual?: string; message?: string; details?: Record<string, any> } = {})\n    {\n        const expected = data.expected || 'unknown';\n        const actual = data.actual || 'unknown';\n        super({\n            message: data.message || `Verification token is for ${actual}, but ${expected} was expected`,\n            details: { expected, actual, ...data.details }\n        });\n        this.name = 'VerificationTokenPurposeMismatchError';\n    }\n}\n\n/**\n * Verification Token Target Mismatch Error (400)\n *\n * Thrown when verification token target doesn't match provided email/phone\n */\nexport class VerificationTokenTargetMismatchError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({\n            message: data.message || 'Verification token does not match provided email/phone',\n            details: data.details\n        });\n        this.name = 'VerificationTokenTargetMismatchError';\n    }\n}\n\n/**\n * Reserved Username Error (400)\n *\n * Thrown when trying to use a reserved/prohibited username\n */\nexport class ReservedUsernameError extends ValidationError\n{\n    constructor(data: { username?: string; message?: string; details?: Record<string, any> } = {})\n    {\n        super({\n            message: data.message || 'This username is reserved',\n            details: { username: data.username, ...data.details }\n        });\n        this.name = 'ReservedUsernameError';\n    }\n}\n\n/**\n * Username Already Taken Error (409)\n *\n * Thrown when trying to set a username that is already in use\n */\nexport class UsernameAlreadyTakenError extends ConflictError\n{\n    constructor(data: { username?: string; message?: string; details?: Record<string, any> } = {})\n    {\n        super({\n            message: data.message || 'Username is already taken',\n            details: { username: data.username, ...data.details }\n        });\n        this.name = 'UsernameAlreadyTakenError';\n    }\n}\n\n/**\n * Insufficient Permissions Error (403)\n *\n * Thrown when user lacks required permissions for the operation\n */\nexport class InsufficientPermissionsError extends ForbiddenError\n{\n    constructor(data: { requiredPermissions?: string[]; message?: string; details?: Record<string, any> } = {})\n    {\n        const requiredPermissions = data.requiredPermissions || [];\n        super({\n            message: data.message || `Missing required permissions: ${requiredPermissions.join(', ')}`,\n            details: { requiredPermissions, ...data.details }\n        });\n        this.name = 'InsufficientPermissionsError';\n    }\n}\n\n/**\n * Insufficient Role Error (403)\n *\n * Thrown when user lacks required role for the operation\n */\nexport class InsufficientRoleError extends ForbiddenError\n{\n    constructor(data: { requiredRoles?: string[]; message?: string; details?: Record<string, any> } = {})\n    {\n        const requiredRoles = data.requiredRoles || [];\n        super({\n            message: data.message || `Required roles: ${requiredRoles.join(', ')}`,\n            details: { requiredRoles, ...data.details }\n        });\n        this.name = 'InsufficientRoleError';\n    }\n}"],"mappings":";;;;;;;AAIA,SAAS,qBAAqB;;;ACJ9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAMA;AAAA,EACI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACG;AAOA,IAAM,0BAAN,cAAsC,kBAC7C;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,uBAAuB,SAAS,KAAK,QAAQ,CAAC;AAC/E,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,oBAAN,cAAgC,kBACvC;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,gCAAgC,SAAS,KAAK,QAAQ,CAAC;AACxF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,oBAAN,cAAgC,kBACvC;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,oCAAoC,SAAS,KAAK,QAAQ,CAAC;AAC5F,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,kBAAN,cAA8B,kBACrC;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,0BAA0B,SAAS,KAAK,QAAQ,CAAC;AAClF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,uBAAN,cAAmC,eAC1C;AAAA,EACI,YAAY,OAA6E,CAAC,GAC1F;AACI,UAAM,SAAS,KAAK,UAAU;AAC9B,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,cAAc,MAAM;AAAA,MAC7C,SAAS,EAAE,QAAQ,GAAG,KAAK,QAAQ;AAAA,IACvC,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,4BAAN,cAAwC,cAC/C;AAAA,EACI,YAAY,OAAqH,CAAC,GAClI;AACI,UAAM;AAAA,MACF,SAAS,KAAK,WAAW;AAAA,MACzB,SAAS;AAAA,QACL,YAAY,KAAK;AAAA,QACjB,gBAAgB,KAAK;AAAA,QACrB,GAAG,KAAK;AAAA,MACZ;AAAA,IACJ,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,+BAAN,cAA2C,gBAClD;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,6BAA6B,SAAS,KAAK,QAAQ,CAAC;AACrF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,gCAAN,cAA4C,gBACnD;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,yCAAyC,SAAS,KAAK,QAAQ,CAAC;AACjG,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,6BAAN,cAAyC,gBAChD;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,2BAA2B,SAAS,KAAK,QAAQ,CAAC;AACnF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,wCAAN,cAAoD,gBAC3D;AAAA,EACI,YAAY,OAAgG,CAAC,GAC7G;AACI,UAAM,WAAW,KAAK,YAAY;AAClC,UAAM,SAAS,KAAK,UAAU;AAC9B,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,6BAA6B,MAAM,SAAS,QAAQ;AAAA,MAC7E,SAAS,EAAE,UAAU,QAAQ,GAAG,KAAK,QAAQ;AAAA,IACjD,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,uCAAN,cAAmD,gBAC1D;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM;AAAA,MACF,SAAS,KAAK,WAAW;AAAA,MACzB,SAAS,KAAK;AAAA,IAClB,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,wBAAN,cAAoC,gBAC3C;AAAA,EACI,YAAY,OAA+E,CAAC,GAC5F;AACI,UAAM;AAAA,MACF,SAAS,KAAK,WAAW;AAAA,MACzB,SAAS,EAAE,UAAU,KAAK,UAAU,GAAG,KAAK,QAAQ;AAAA,IACxD,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,4BAAN,cAAwC,cAC/C;AAAA,EACI,YAAY,OAA+E,CAAC,GAC5F;AACI,UAAM;AAAA,MACF,SAAS,KAAK,WAAW;AAAA,MACzB,SAAS,EAAE,UAAU,KAAK,UAAU,GAAG,KAAK,QAAQ;AAAA,IACxD,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,+BAAN,cAA2C,eAClD;AAAA,EACI,YAAY,OAA4F,CAAC,GACzG;AACI,UAAM,sBAAsB,KAAK,uBAAuB,CAAC;AACzD,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,iCAAiC,oBAAoB,KAAK,IAAI,CAAC;AAAA,MACxF,SAAS,EAAE,qBAAqB,GAAG,KAAK,QAAQ;AAAA,IACpD,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,wBAAN,cAAoC,eAC3C;AAAA,EACI,YAAY,OAAsF,CAAC,GACnG;AACI,UAAM,gBAAgB,KAAK,iBAAiB,CAAC;AAC7C,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,mBAAmB,cAAc,KAAK,IAAI,CAAC;AAAA,MACpE,SAAS,EAAE,eAAe,GAAG,KAAK,QAAQ;AAAA,IAC9C,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;;;ADpNO,IAAM,oBAAoB,IAAI,cAAc;AACnD,kBAAkB,OAAO;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACJ,CAAC;","names":[]}
+{"version":3,"sources":["../src/errors/index.ts","../src/errors/auth-errors.ts"],"sourcesContent":["/**\n * Auth Error Exports\n */\n\nimport { ErrorRegistry } from '@spfn/core/errors';\n\nimport {\n    InvalidCredentialsError,\n    InvalidTokenError,\n    InvalidSocialTokenError,\n    TokenExpiredError,\n    KeyExpiredError,\n    AccountDisabledError,\n    AccountAlreadyExistsError,\n    ReservedUsernameError,\n    UsernameAlreadyTakenError,\n    InvalidVerificationCodeError,\n    InvalidVerificationTokenError,\n    InvalidKeyFingerprintError,\n    VerificationTokenPurposeMismatchError,\n    VerificationTokenTargetMismatchError,\n    InsufficientPermissionsError,\n    InsufficientRoleError,\n} from './auth-errors';\n\nexport {\n    InvalidCredentialsError,\n    InvalidTokenError,\n    InvalidSocialTokenError,\n    TokenExpiredError,\n    KeyExpiredError,\n    AccountDisabledError,\n    AccountAlreadyExistsError,\n    ReservedUsernameError,\n    UsernameAlreadyTakenError,\n    InvalidVerificationCodeError,\n    InvalidVerificationTokenError,\n    InvalidKeyFingerprintError,\n    VerificationTokenPurposeMismatchError,\n    VerificationTokenTargetMismatchError,\n    InsufficientPermissionsError,\n    InsufficientRoleError,\n} from './auth-errors';\n\nexport const authErrorRegistry = new ErrorRegistry();\nauthErrorRegistry.append([\n    InvalidCredentialsError,\n    InvalidTokenError,\n    InvalidSocialTokenError,\n    TokenExpiredError,\n    KeyExpiredError,\n    AccountDisabledError,\n    AccountAlreadyExistsError,\n    ReservedUsernameError,\n    UsernameAlreadyTakenError,\n    InvalidVerificationCodeError,\n    InvalidVerificationTokenError,\n    InvalidKeyFingerprintError,\n    VerificationTokenPurposeMismatchError,\n    VerificationTokenTargetMismatchError,\n    InsufficientPermissionsError,\n    InsufficientRoleError,\n]);\n\nexport * as AuthError from './auth-errors';\n","/**\n * Authentication & Authorization Error Classes\n *\n * Custom error classes for auth-specific scenarios\n */\n\nimport {\n    ValidationError,\n    UnauthorizedError,\n    ForbiddenError,\n    ConflictError,\n} from '@spfn/core/errors';\n\n/**\n * Invalid Credentials Error (401)\n *\n * Thrown when login credentials are incorrect\n */\nexport class InvalidCredentialsError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid credentials', details: data.details });\n        this.name = 'InvalidCredentialsError';\n    }\n}\n\n/**\n * Invalid Token Error (401)\n *\n * Thrown when authentication token is invalid or malformed\n */\nexport class InvalidTokenError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid authentication token', details: data.details });\n        this.name = 'InvalidTokenError';\n    }\n}\n\n/**\n * Invalid Social Token Error (401)\n *\n * Thrown when a social provider id_token fails verification\n * (bad signature, wrong issuer/audience, expired, or nonce mismatch).\n */\nexport class InvalidSocialTokenError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid social id_token', details: data.details });\n        this.name = 'InvalidSocialTokenError';\n    }\n}\n\n/**\n * Token Expired Error (401)\n *\n * Thrown when authentication token has expired\n */\nexport class TokenExpiredError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Authentication token has expired', details: data.details });\n        this.name = 'TokenExpiredError';\n    }\n}\n\n/**\n * Key Expired Error (401)\n *\n * Thrown when public key has expired\n */\nexport class KeyExpiredError extends UnauthorizedError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Public key has expired', details: data.details });\n        this.name = 'KeyExpiredError';\n    }\n}\n\n/**\n * Account Disabled Error (403)\n *\n * Thrown when user account is disabled or inactive\n */\nexport class AccountDisabledError extends ForbiddenError\n{\n    constructor(data: { status?: string; message?: string; details?: Record<string, any> } = {})\n    {\n        const status = data.status || 'disabled';\n        super({\n            message: data.message || `Account is ${status}`,\n            details: { status, ...data.details },\n        });\n        this.name = 'AccountDisabledError';\n    }\n}\n\n/**\n * Account Already Exists Error (409)\n *\n * Thrown when trying to register with existing email/phone\n */\nexport class AccountAlreadyExistsError extends ConflictError\n{\n    constructor(data: { identifier?: string; identifierType?: 'email' | 'phone'; message?: string; details?: Record<string, any> } = {})\n    {\n        super({\n            message: data.message || 'Account already exists',\n            details: {\n                identifier: data.identifier,\n                identifierType: data.identifierType,\n                ...data.details,\n            },\n        });\n        this.name = 'AccountAlreadyExistsError';\n    }\n}\n\n/**\n * Invalid Verification Code Error (400)\n *\n * Thrown when verification code is invalid, expired, or already used\n */\nexport class InvalidVerificationCodeError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid verification code', details: data.details });\n        this.name = 'InvalidVerificationCodeError';\n    }\n}\n\n/**\n * Invalid Verification Token Error (400)\n *\n * Thrown when verification token is invalid or expired\n */\nexport class InvalidVerificationTokenError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid or expired verification token', details: data.details });\n        this.name = 'InvalidVerificationTokenError';\n    }\n}\n\n/**\n * Invalid Key Fingerprint Error (400)\n *\n * Thrown when public key fingerprint doesn't match the public key\n */\nexport class InvalidKeyFingerprintError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({ message: data.message || 'Invalid key fingerprint', details: data.details });\n        this.name = 'InvalidKeyFingerprintError';\n    }\n}\n\n/**\n * Verification Token Purpose Mismatch Error (400)\n *\n * Thrown when verification token purpose doesn't match expected purpose\n */\nexport class VerificationTokenPurposeMismatchError extends ValidationError\n{\n    constructor(data: { expected?: string; actual?: string; message?: string; details?: Record<string, any> } = {})\n    {\n        const expected = data.expected || 'unknown';\n        const actual = data.actual || 'unknown';\n        super({\n            message: data.message || `Verification token is for ${actual}, but ${expected} was expected`,\n            details: { expected, actual, ...data.details },\n        });\n        this.name = 'VerificationTokenPurposeMismatchError';\n    }\n}\n\n/**\n * Verification Token Target Mismatch Error (400)\n *\n * Thrown when verification token target doesn't match provided email/phone\n */\nexport class VerificationTokenTargetMismatchError extends ValidationError\n{\n    constructor(data: { message?: string; details?: Record<string, any> } = {})\n    {\n        super({\n            message: data.message || 'Verification token does not match provided email/phone',\n            details: data.details,\n        });\n        this.name = 'VerificationTokenTargetMismatchError';\n    }\n}\n\n/**\n * Reserved Username Error (400)\n *\n * Thrown when trying to use a reserved/prohibited username\n */\nexport class ReservedUsernameError extends ValidationError\n{\n    constructor(data: { username?: string; message?: string; details?: Record<string, any> } = {})\n    {\n        super({\n            message: data.message || 'This username is reserved',\n            details: { username: data.username, ...data.details },\n        });\n        this.name = 'ReservedUsernameError';\n    }\n}\n\n/**\n * Username Already Taken Error (409)\n *\n * Thrown when trying to set a username that is already in use\n */\nexport class UsernameAlreadyTakenError extends ConflictError\n{\n    constructor(data: { username?: string; message?: string; details?: Record<string, any> } = {})\n    {\n        super({\n            message: data.message || 'Username is already taken',\n            details: { username: data.username, ...data.details },\n        });\n        this.name = 'UsernameAlreadyTakenError';\n    }\n}\n\n/**\n * Insufficient Permissions Error (403)\n *\n * Thrown when user lacks required permissions for the operation\n */\nexport class InsufficientPermissionsError extends ForbiddenError\n{\n    constructor(data: { requiredPermissions?: string[]; message?: string; details?: Record<string, any> } = {})\n    {\n        const requiredPermissions = data.requiredPermissions || [];\n        super({\n            message: data.message || `Missing required permissions: ${requiredPermissions.join(', ')}`,\n            details: { requiredPermissions, ...data.details },\n        });\n        this.name = 'InsufficientPermissionsError';\n    }\n}\n\n/**\n * Insufficient Role Error (403)\n *\n * Thrown when user lacks required role for the operation\n */\nexport class InsufficientRoleError extends ForbiddenError\n{\n    constructor(data: { requiredRoles?: string[]; message?: string; details?: Record<string, any> } = {})\n    {\n        const requiredRoles = data.requiredRoles || [];\n        super({\n            message: data.message || `Required roles: ${requiredRoles.join(', ')}`,\n            details: { requiredRoles, ...data.details },\n        });\n        this.name = 'InsufficientRoleError';\n    }\n}\n"],"mappings":";;;;;;;AAIA,SAAS,qBAAqB;;;ACJ9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAMA;AAAA,EACI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACG;AAOA,IAAM,0BAAN,cAAsC,kBAC7C;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,uBAAuB,SAAS,KAAK,QAAQ,CAAC;AAC/E,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,oBAAN,cAAgC,kBACvC;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,gCAAgC,SAAS,KAAK,QAAQ,CAAC;AACxF,SAAK,OAAO;AAAA,EAChB;AACJ;AAQO,IAAM,0BAAN,cAAsC,kBAC7C;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,2BAA2B,SAAS,KAAK,QAAQ,CAAC;AACnF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,oBAAN,cAAgC,kBACvC;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,oCAAoC,SAAS,KAAK,QAAQ,CAAC;AAC5F,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,kBAAN,cAA8B,kBACrC;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,0BAA0B,SAAS,KAAK,QAAQ,CAAC;AAClF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,uBAAN,cAAmC,eAC1C;AAAA,EACI,YAAY,OAA6E,CAAC,GAC1F;AACI,UAAM,SAAS,KAAK,UAAU;AAC9B,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,cAAc,MAAM;AAAA,MAC7C,SAAS,EAAE,QAAQ,GAAG,KAAK,QAAQ;AAAA,IACvC,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,4BAAN,cAAwC,cAC/C;AAAA,EACI,YAAY,OAAqH,CAAC,GAClI;AACI,UAAM;AAAA,MACF,SAAS,KAAK,WAAW;AAAA,MACzB,SAAS;AAAA,QACL,YAAY,KAAK;AAAA,QACjB,gBAAgB,KAAK;AAAA,QACrB,GAAG,KAAK;AAAA,MACZ;AAAA,IACJ,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,+BAAN,cAA2C,gBAClD;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,6BAA6B,SAAS,KAAK,QAAQ,CAAC;AACrF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,gCAAN,cAA4C,gBACnD;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,yCAAyC,SAAS,KAAK,QAAQ,CAAC;AACjG,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,6BAAN,cAAyC,gBAChD;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM,EAAE,SAAS,KAAK,WAAW,2BAA2B,SAAS,KAAK,QAAQ,CAAC;AACnF,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,wCAAN,cAAoD,gBAC3D;AAAA,EACI,YAAY,OAAgG,CAAC,GAC7G;AACI,UAAM,WAAW,KAAK,YAAY;AAClC,UAAM,SAAS,KAAK,UAAU;AAC9B,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,6BAA6B,MAAM,SAAS,QAAQ;AAAA,MAC7E,SAAS,EAAE,UAAU,QAAQ,GAAG,KAAK,QAAQ;AAAA,IACjD,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,uCAAN,cAAmD,gBAC1D;AAAA,EACI,YAAY,OAA4D,CAAC,GACzE;AACI,UAAM;AAAA,MACF,SAAS,KAAK,WAAW;AAAA,MACzB,SAAS,KAAK;AAAA,IAClB,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,wBAAN,cAAoC,gBAC3C;AAAA,EACI,YAAY,OAA+E,CAAC,GAC5F;AACI,UAAM;AAAA,MACF,SAAS,KAAK,WAAW;AAAA,MACzB,SAAS,EAAE,UAAU,KAAK,UAAU,GAAG,KAAK,QAAQ;AAAA,IACxD,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,4BAAN,cAAwC,cAC/C;AAAA,EACI,YAAY,OAA+E,CAAC,GAC5F;AACI,UAAM;AAAA,MACF,SAAS,KAAK,WAAW;AAAA,MACzB,SAAS,EAAE,UAAU,KAAK,UAAU,GAAG,KAAK,QAAQ;AAAA,IACxD,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,+BAAN,cAA2C,eAClD;AAAA,EACI,YAAY,OAA4F,CAAC,GACzG;AACI,UAAM,sBAAsB,KAAK,uBAAuB,CAAC;AACzD,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,iCAAiC,oBAAoB,KAAK,IAAI,CAAC;AAAA,MACxF,SAAS,EAAE,qBAAqB,GAAG,KAAK,QAAQ;AAAA,IACpD,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;AAOO,IAAM,wBAAN,cAAoC,eAC3C;AAAA,EACI,YAAY,OAAsF,CAAC,GACnG;AACI,UAAM,gBAAgB,KAAK,iBAAiB,CAAC;AAC7C,UAAM;AAAA,MACF,SAAS,KAAK,WAAW,mBAAmB,cAAc,KAAK,IAAI,CAAC;AAAA,MACpE,SAAS,EAAE,eAAe,GAAG,KAAK,QAAQ;AAAA,IAC9C,CAAC;AACD,SAAK,OAAO;AAAA,EAChB;AACJ;;;ADjOO,IAAM,oBAAoB,IAAI,cAAc;AACnD,kBAAkB,OAAO;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACJ,CAAC;","names":[]}