@spfn/auth 0.2.0-beta.66 → 0.2.0-beta.68

package/dist/server.js

@@ -4501,7 +4501,7 @@ var init_types = __esm({
     KEY_ALGORITHM = ["ES256", "RS256"];
     INVITATION_STATUSES = ["pending", "accepted", "expired", "cancelled"];
     USER_STATUSES = ["active", "inactive", "suspended"];
-    SOCIAL_PROVIDERS = ["google", "github", "kakao", "naver", "superself"];
+    SOCIAL_PROVIDERS = ["google", "apple", "github", "kakao", "naver", "superself"];
   }
 });
 
@@ -8104,8 +8104,8 @@ async function updateUserProfileService(userId, params) {
 
 // src/server/services/oauth.service.ts
 init_repositories();
-import { env as env9 } from "@spfn/auth/config";
-import { ValidationError as ValidationError3 } from "@spfn/core/errors";
+import { env as env11 } from "@spfn/auth/config";
+import { ValidationError as ValidationError5 } from "@spfn/core/errors";
 
 // src/server/lib/oauth/google.ts
 import { env as env7 } from "@spfn/auth/config";
@@ -8255,7 +8255,59 @@ function getRegisteredProviders() {
   return [...registry.values()];
 }
 
+// src/server/lib/oauth/jwks-verify.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import { InvalidSocialTokenError } from "@spfn/auth/errors";
+var CLOCK_TOLERANCE_SECONDS = 30;
+var jwksByUri = /* @__PURE__ */ new Map();
+function getRemoteJwks(jwksUri) {
+  const cached = jwksByUri.get(jwksUri);
+  if (cached) {
+    return cached;
+  }
+  const jwks = createRemoteJWKSet(new URL(jwksUri));
+  jwksByUri.set(jwksUri, jwks);
+  return jwks;
+}
+async function verifyIdToken(params) {
+  const payload = await verifySignature(params);
+  if (payload.nonce !== params.expectedNonce) {
+    throw new InvalidSocialTokenError({ message: "id_token nonce mismatch" });
+  }
+  if (typeof payload.sub !== "string" || payload.sub.length === 0) {
+    throw new InvalidSocialTokenError({ message: "id_token is missing the subject (sub) claim" });
+  }
+  return payload;
+}
+async function verifySignature(params) {
+  try {
+    const { payload } = await jwtVerify(params.idToken, getRemoteJwks(params.jwksUri), {
+      issuer: params.issuer,
+      audience: params.audiences,
+      algorithms: params.algorithms,
+      clockTolerance: CLOCK_TOLERANCE_SECONDS
+    });
+    return payload;
+  } catch (err) {
+    authLogger.service.warn("id_token signature/claims verification failed", {
+      reason: err instanceof Error ? err.message : "unknown"
+    });
+    throw new InvalidSocialTokenError();
+  }
+}
+
 // src/server/lib/oauth/google-provider.ts
+import { env as env9 } from "@spfn/auth/config";
+import { ValidationError as ValidationError3 } from "@spfn/core/errors";
+var GOOGLE_JWKS_URI = "https://www.googleapis.com/oauth2/v3/certs";
+var GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];
+function getGoogleNativeAudiences() {
+  const ids = (env9.SPFN_AUTH_GOOGLE_NATIVE_CLIENT_IDS || "").split(",").map((s) => s.trim()).filter(Boolean);
+  if (env9.SPFN_AUTH_GOOGLE_CLIENT_ID) {
+    ids.push(env9.SPFN_AUTH_GOOGLE_CLIENT_ID);
+  }
+  return ids;
+}
 var googleProvider = {
   id: "google",
   isEnabled: isGoogleOAuthEnabled,
@@ -8285,20 +8337,98 @@ var googleProvider = {
       refreshToken: tokens.refresh_token,
       expiresIn: tokens.expires_in
     };
+  },
+  async verifyNativeIdToken(idToken, options) {
+    const audiences = getGoogleNativeAudiences();
+    if (audiences.length === 0) {
+      throw new ValidationError3({
+        message: "Google native sign-in is not configured. Set SPFN_AUTH_GOOGLE_NATIVE_CLIENT_IDS."
+      });
+    }
+    const payload = await verifyIdToken({
+      idToken,
+      jwksUri: GOOGLE_JWKS_URI,
+      issuer: GOOGLE_ISSUERS,
+      audiences,
+      algorithms: ["RS256"],
+      expectedNonce: options.nonce
+    });
+    return {
+      providerUserId: payload.sub,
+      email: payload.email ?? null,
+      emailVerified: payload.email_verified === true || payload.email_verified === "true",
+      name: payload.name,
+      avatar: payload.picture
+    };
   }
 };
 registerOAuthProvider(googleProvider);
 
+// src/server/lib/oauth/apple-provider.ts
+import { createHash as createHash2 } from "crypto";
+import { env as env10 } from "@spfn/auth/config";
+import { ValidationError as ValidationError4 } from "@spfn/core/errors";
+var APPLE_JWKS_URI = "https://appleid.apple.com/auth/keys";
+var APPLE_ISSUER = "https://appleid.apple.com";
+function getAppleClientIds() {
+  return (env10.SPFN_AUTH_APPLE_CLIENT_IDS || "").split(",").map((s) => s.trim()).filter(Boolean);
+}
+function hashNonce(rawNonce) {
+  return createHash2("sha256").update(rawNonce).digest("hex");
+}
+function unsupportedWebFlow() {
+  throw new ValidationError4({
+    message: "Apple provider supports native id_token sign-in only. Use POST /_auth/oauth/apple/native."
+  });
+}
+var appleProvider = {
+  id: "apple",
+  isEnabled() {
+    return getAppleClientIds().length > 0;
+  },
+  getAuthUrl() {
+    unsupportedWebFlow();
+  },
+  async exchangeCodeForTokens() {
+    unsupportedWebFlow();
+  },
+  async getUserInfo() {
+    unsupportedWebFlow();
+  },
+  async verifyNativeIdToken(idToken, options) {
+    const audiences = getAppleClientIds();
+    if (audiences.length === 0) {
+      throw new ValidationError4({
+        message: "Apple native sign-in is not configured. Set SPFN_AUTH_APPLE_CLIENT_IDS."
+      });
+    }
+    const payload = await verifyIdToken({
+      idToken,
+      jwksUri: APPLE_JWKS_URI,
+      issuer: APPLE_ISSUER,
+      audiences,
+      algorithms: ["RS256"],
+      expectedNonce: hashNonce(options.nonce)
+    });
+    return {
+      providerUserId: payload.sub,
+      email: payload.email ?? null,
+      emailVerified: payload.email_verified === true || payload.email_verified === "true"
+    };
+  }
+};
+registerOAuthProvider(appleProvider);
+
 // src/server/services/oauth.service.ts
 function requireEnabledProvider(provider) {
   const oauthProvider = getOAuthProvider(provider);
   if (!oauthProvider) {
-    throw new ValidationError3({
+    throw new ValidationError5({
       message: `Unsupported OAuth provider: ${provider}. No provider is registered for this id.`
     });
   }
   if (!oauthProvider.isEnabled()) {
-    throw new ValidationError3({
+    throw new ValidationError5({
       message: `OAuth provider '${provider}' is registered but not configured. Check its required environment variables.`
     });
   }
@@ -8306,7 +8436,7 @@ function requireEnabledProvider(provider) {
 }
 function tokenExpiryDate(expiresIn) {
   if (!Number.isFinite(expiresIn)) {
-    throw new ValidationError3({
+    throw new ValidationError5({
       message: `Invalid token expiry returned from OAuth provider: ${expiresIn}`
     });
   }
@@ -8330,7 +8460,7 @@ async function oauthCallbackService(params) {
   const { provider, code, state } = params;
   const stateData = await verifyOAuthState(state);
   if (stateData.provider !== provider) {
-    throw new ValidationError3({
+    throw new ValidationError5({
       message: "OAuth state provider mismatch"
     });
   }
@@ -8363,8 +8493,8 @@ async function oauthCallbackService(params) {
     algorithm: stateData.algorithm
   });
   await updateLastLoginService(userId);
-  const appUrl = env9.NEXT_PUBLIC_SPFN_APP_URL || env9.SPFN_APP_URL;
-  const callbackPath = env9.SPFN_AUTH_OAUTH_SUCCESS_URL || "/auth/callback";
+  const appUrl = env11.NEXT_PUBLIC_SPFN_APP_URL || env11.SPFN_APP_URL;
+  const callbackPath = env11.SPFN_AUTH_OAUTH_SUCCESS_URL || "/auth/callback";
   const callbackUrl = callbackPath.startsWith("http") ? callbackPath : `${appUrl}${callbackPath}`;
   const redirectUrl = buildRedirectUrl(callbackUrl, {
     userId: String(userId),
@@ -8398,7 +8528,7 @@ async function createOrLinkUser(provider, identity, tokens) {
   let isNewUser = false;
   if (existingUser) {
     if (!identity.emailVerified) {
-      throw new ValidationError3({
+      throw new ValidationError5({
         message: "Cannot link to existing account with unverified email. Please verify your email with the provider first."
       });
     }
@@ -8432,9 +8562,9 @@ async function createOrLinkUser(provider, identity, tokens) {
     provider,
     providerUserId: identity.providerUserId,
     providerEmail: identity.email,
-    accessToken: tokens.accessToken,
-    refreshToken: tokens.refreshToken ?? null,
-    tokenExpiresAt: tokenExpiryDate(tokens.expiresIn)
+    accessToken: tokens?.accessToken ?? null,
+    refreshToken: tokens?.refreshToken ?? null,
+    tokenExpiresAt: tokens ? tokenExpiryDate(tokens.expiresIn) : null
   });
   return { userId, isNewUser };
 }
@@ -8449,7 +8579,7 @@ function buildRedirectUrl(baseUrl, params) {
   return `${url.pathname}${url.search}`;
 }
 function buildOAuthErrorUrl(error) {
-  const errorUrl = env9.SPFN_AUTH_OAUTH_ERROR_URL || "/auth/error?error={error}";
+  const errorUrl = env11.SPFN_AUTH_OAUTH_ERROR_URL || "/auth/error?error={error}";
   return errorUrl.replace("{error}", encodeURIComponent(error));
 }
 function isOAuthProviderEnabled(provider) {
@@ -8462,7 +8592,7 @@ var TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1e3;
 async function getGoogleAccessToken(userId) {
   const account = await socialAccountsRepository.findByUserIdAndProvider(userId, "google");
   if (!account) {
-    throw new ValidationError3({
+    throw new ValidationError5({
       message: "No Google account linked. User must sign in with Google first."
     });
   }
@@ -8471,7 +8601,7 @@ async function getGoogleAccessToken(userId) {
     return account.accessToken;
   }
   if (!account.refreshToken) {
-    throw new ValidationError3({
+    throw new ValidationError5({
       message: "Google refresh token not available. User must re-authenticate with Google."
     });
   }
@@ -8484,6 +8614,57 @@ async function getGoogleAccessToken(userId) {
   return tokens.access_token;
 }
 
+// src/server/services/oauth-native.service.ts
+init_repositories();
+import { ValidationError as ValidationError6 } from "@spfn/core/errors";
+import { runInTransaction, onAfterCommit } from "@spfn/core/db";
+async function oauthNativeService(params) {
+  const oauthProvider = getOAuthProvider(params.provider);
+  if (!oauthProvider?.verifyNativeIdToken) {
+    throw new ValidationError6({
+      message: `Provider '${params.provider}' does not support native id_token sign-in.`
+    });
+  }
+  const identity = await oauthProvider.verifyNativeIdToken(params.idToken, { nonce: params.nonce });
+  if (params.profile?.name && !identity.name) {
+    identity.name = params.profile.name;
+  }
+  return persistNativeLogin(identity, params);
+}
+async function persistNativeLogin(identity, params) {
+  return runInTransaction(async () => {
+    const existing = await socialAccountsRepository.findByProviderAndProviderId(
+      params.provider,
+      identity.providerUserId
+    );
+    let userId;
+    let isNewUser = false;
+    if (existing) {
+      userId = existing.userId;
+    } else {
+      const result = await createOrLinkUser(params.provider, identity);
+      userId = result.userId;
+      isNewUser = result.isNewUser;
+    }
+    await registerPublicKeyService({
+      userId,
+      keyId: params.keyId,
+      publicKey: params.publicKey,
+      fingerprint: params.fingerprint,
+      algorithm: params.algorithm
+    });
+    await updateLastLoginService(userId);
+    const eventPayload = {
+      userId: String(userId),
+      provider: params.provider,
+      email: identity.email || void 0,
+      metadata: params.metadata
+    };
+    onAfterCommit(() => (isNewUser ? authRegisterEvent : authLoginEvent).emit(eventPayload));
+    return { userId: String(userId), keyId: params.keyId, isNewUser };
+  }, { context: "auth:oauth-native" });
+}
+
 // src/server/routes/auth/index.ts
 init_esm();
 import { Transactional } from "@spfn/core/db";
@@ -8975,6 +9156,7 @@ function extractOTTHeader(header) {
 // src/server/routes/invitations/index.ts
 init_types();
 init_esm();
+import { Transactional as Transactional2 } from "@spfn/core/db";
 import { defineRouter as defineRouter2, route as route2 } from "@spfn/core/route";
 var INVITATION_STATUSES2 = ["pending", "accepted", "expired", "cancelled"];
 var getInvitation = route2.get("/_auth/invitations/:token").input({
@@ -9022,7 +9204,7 @@ var acceptInvitation2 = route2.post("/_auth/invitations/accept").input({
     fingerprint: Type.String({ description: "Key fingerprint" }),
     algorithm: Type.Union(KEY_ALGORITHM.map((algo) => Type.Literal(algo)), { description: "Signature algorithm" })
   })
-}).skip(["auth"]).handler(async (c) => {
+}).use([Transactional2()]).skip(["auth"]).handler(async (c) => {
   const { body } = await c.data();
   return await acceptInvitation({
     token: body.token,
@@ -9238,8 +9420,8 @@ var userRouter = defineRouter3({
 // src/server/routes/oauth/index.ts
 init_esm();
 init_types();
-import { Transactional as Transactional2 } from "@spfn/core/db";
-import { ValidationError as ValidationError4 } from "@spfn/core/errors";
+import { Transactional as Transactional3 } from "@spfn/core/db";
+import { ValidationError as ValidationError7 } from "@spfn/core/errors";
 import { defineRouter as defineRouter4, route as route4 } from "@spfn/core/route";
 var providerParams = Type.Object({
   provider: Type.Union(SOCIAL_PROVIDERS.map((p) => Type.Literal(p)), {
@@ -9275,7 +9457,7 @@ var oauthGoogleCallback = route4.get("/_auth/oauth/google/callback").input({
       description: "Error description from Google"
     }))
   })
-}).use([Transactional2()]).skip(["auth"]).handler(async (c) => {
+}).use([Transactional3()]).skip(["auth"]).handler(async (c) => {
   const { query } = await c.data();
   if (query.error) {
     const errorMessage = query.error_description || query.error;
@@ -9342,10 +9524,10 @@ var getGoogleOAuthUrl = route4.post("/_auth/oauth/google/url").input({
 }).skip(["auth"]).handler(async (c) => {
   const { body } = await c.data();
   if (!isGoogleOAuthEnabled()) {
-    throw new ValidationError4({ message: "Google OAuth is not configured" });
+    throw new ValidationError7({ message: "Google OAuth is not configured" });
   }
   if (!body.state) {
-    throw new ValidationError4({
+    throw new ValidationError7({
       message: "OAuth state is required. Ensure the OAuth interceptor is configured."
     });
   }
@@ -9397,7 +9579,7 @@ var oauthProviderCallback = route4.get("/_auth/oauth/:provider/callback").input(
       description: "Error description from provider"
     }))
   })
-}).use([Transactional2()]).skip(["auth"]).handler(async (c) => {
+}).use([Transactional3()]).skip(["auth"]).handler(async (c) => {
   const { params, query } = await c.data();
   if (query.error) {
     const errorMessage = query.error_description || query.error;
@@ -9432,12 +9614,36 @@ var getProviderOAuthUrl = route4.post("/_auth/oauth/:provider/url").input({
   const { params, body } = await c.data();
   const provider = requireEnabledProvider(params.provider);
   if (!body.state) {
-    throw new ValidationError4({
+    throw new ValidationError7({
       message: "OAuth state is required. Ensure the OAuth interceptor is configured."
     });
   }
   return { authUrl: provider.getAuthUrl(body.state) };
 });
+var oauthNative = route4.post("/_auth/oauth/:provider/native").input({
+  params: providerParams,
+  body: Type.Object({
+    idToken: Type.String({ description: "id_token from native/web social SDK" }),
+    nonce: Type.String({ description: "Raw nonce used when requesting the id_token" }),
+    publicKey: Type.String({ description: "Client public key (Base64 DER)" }),
+    keyId: Type.String({ description: "Key identifier (UUID)" }),
+    fingerprint: Type.String({ description: "Key fingerprint (SHA-256 hex)" }),
+    algorithm: Type.Union(KEY_ALGORITHM.map((a) => Type.Literal(a)), {
+      description: "Key algorithm (ES256 or RS256)"
+    }),
+    profile: Type.Optional(Type.Object({
+      name: Type.Optional(Type.String())
+    }, {
+      description: "Optional profile. Apple provides name only on first sign-in."
+    })),
+    metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown(), {
+      description: "Custom metadata passed to auth events (e.g. referral code, UTM params)"
+    }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { params, body } = await c.data();
+  return await oauthNativeService({ provider: params.provider, ...body });
+});
 var oauthRouter = defineRouter4({
   oauthGoogleStart,
   oauthGoogleCallback,
@@ -9447,7 +9653,8 @@ var oauthRouter = defineRouter4({
   oauthFinalize,
   oauthProviderStart,
   oauthProviderCallback,
-  getProviderOAuthUrl
+  getProviderOAuthUrl,
+  oauthNative
 });
 
 // src/server/routes/admin/index.ts
@@ -9570,6 +9777,7 @@ var mainAuthRouter = defineRouter5({
   oauthProviderStart,
   oauthProviderCallback,
   getProviderOAuthUrl,
+  oauthNative,
   // Invitation routes
   getInvitation,
   acceptInvitation: acceptInvitation2,
@@ -9700,10 +9908,10 @@ function shouldRotateKey(createdAt, rotationDays = 90) {
 
 // src/server/lib/session.ts
 import * as jose2 from "jose";
-import { env as env10 } from "@spfn/auth/config";
+import { env as env12 } from "@spfn/auth/config";
 import { env as coreEnv } from "@spfn/core/config";
 async function getSessionSecretKey() {
-  const secret = env10.SPFN_AUTH_SESSION_SECRET;
+  const secret = env12.SPFN_AUTH_SESSION_SECRET;
   const encoder = new TextEncoder();
   const data = encoder.encode(secret);
   const hashBuffer = await crypto.subtle.digest("SHA-256", data);
@@ -9785,14 +9993,14 @@ async function shouldRefreshSession(jwt4, thresholdHours = 24) {
 }
 
 // src/server/setup.ts
-import { env as env11 } from "@spfn/auth/config";
+import { env as env13 } from "@spfn/auth/config";
 import { getRoleByName as getRoleByName2 } from "@spfn/auth/server";
 init_repositories();
 function parseAdminAccounts() {
   const accounts = [];
-  if (env11.SPFN_AUTH_ADMIN_ACCOUNTS) {
+  if (env13.SPFN_AUTH_ADMIN_ACCOUNTS) {
     try {
-      const accountsJson = env11.SPFN_AUTH_ADMIN_ACCOUNTS;
+      const accountsJson = env13.SPFN_AUTH_ADMIN_ACCOUNTS;
       const parsed = JSON.parse(accountsJson);
       if (!Array.isArray(parsed)) {
         authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_ACCOUNTS must be an array");
@@ -9819,11 +10027,11 @@ function parseAdminAccounts() {
       return accounts;
     }
   }
-  const adminEmails = env11.SPFN_AUTH_ADMIN_EMAILS;
+  const adminEmails = env13.SPFN_AUTH_ADMIN_EMAILS;
   if (adminEmails) {
     const emails = adminEmails.split(",").map((s) => s.trim());
-    const passwords = (env11.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
-    const roles2 = (env11.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
+    const passwords = (env13.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
+    const roles2 = (env13.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
     if (passwords.length !== emails.length) {
       authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_EMAILS and SPFN_AUTH_ADMIN_PASSWORDS length mismatch");
       return accounts;
@@ -9845,8 +10053,8 @@ function parseAdminAccounts() {
     }
     return accounts;
   }
-  const adminEmail = env11.SPFN_AUTH_ADMIN_EMAIL;
-  const adminPassword = env11.SPFN_AUTH_ADMIN_PASSWORD;
+  const adminEmail = env13.SPFN_AUTH_ADMIN_EMAIL;
+  const adminPassword = env13.SPFN_AUTH_ADMIN_PASSWORD;
   if (adminEmail && adminPassword) {
     accounts.push({
       email: adminEmail,
@@ -9952,6 +10160,7 @@ export {
   VerificationPurposeSchema,
   acceptInvitation,
   addPermissionToRole,
+  appleProvider,
   authLogger,
   authLoginEvent,
   authMetadata,
@@ -10031,6 +10240,7 @@ export {
   loginService,
   logoutService,
   oauthCallbackService,
+  oauthNativeService,
   oauthStartService,
   oneTimeTokenAuth,
   optionalAuth,
@@ -10082,6 +10292,7 @@ export {
   verificationCodesRepository,
   verifyClientToken,
   verifyCodeService,
+  verifyIdToken,
   verifyKeyFingerprint,
   verifyOAuthState,
   verifyOneTimeTokenService,