@spfn/auth 0.2.0-beta.68 → 0.2.0-beta.70
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/dist/{authenticate-Cn5krz5U.d.ts → authenticate-tmmbh1ux.d.ts} +3 -23
- package/dist/config.js +1 -1
- package/dist/config.js.map +1 -1
- package/dist/index.d.ts +3 -10
- package/dist/index.js +2 -2
- package/dist/index.js.map +1 -1
- package/dist/nextjs/api.js.map +1 -1
- package/dist/server.d.ts +94 -77
- package/dist/server.js +159 -114
- package/dist/server.js.map +1 -1
- package/package.json +9 -10
package/dist/server.d.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { j as AuthInitOptions, k as OAuthProvider, e as VerificationPurpose, i as PermissionCategory, l as AuthContext } from './authenticate-
|
|
2
|
-
export {
|
|
1
|
+
import { j as AuthInitOptions, k as OAuthProvider, e as VerificationPurpose, i as PermissionCategory, l as AuthContext } from './authenticate-tmmbh1ux.js';
|
|
2
|
+
export { C as ChangePasswordParams, a3 as EmailSchema, I as IssueOneTimeTokenResult, s as LoginParams, L as LoginResult, t as LogoutParams, aa as NativeVerifyOptions, a8 as NormalizedIdentity, Z as OAuthCallbackParams, _ as OAuthCallbackResult, a0 as OAuthNativeParams, c as OAuthNativeResult, Y as OAuthStartParams, O as OAuthStartResult, a9 as OAuthTokens, a5 as PasswordSchema, a4 as PhoneSchema, q as RegisterParams, E as RegisterPublicKeyParams, a as RegisterResult, G as RevokeKeyParams, F as RotateKeyParams, b as RotateKeyResult, w as SendVerificationCodeParams, S as SendVerificationCodeResult, a6 as TargetTypeSchema, g as VERIFICATION_PURPOSES, f as VERIFICATION_TARGET_TYPES, a7 as VerificationPurposeSchema, V as VerificationTargetType, x as VerifyCodeParams, y as VerifyCodeResult, m as authRouter, a1 as authenticate, N as buildOAuthErrorUrl, p as changePasswordService, W as getEnabledOAuthProviders, X as getGoogleAccessToken, ac as getOAuthProvider, ad as getRegisteredProviders, Q as isOAuthProviderEnabled, H as issueOneTimeTokenService, n as loginService, o as logoutService, M as oauthCallbackService, $ as oauthNativeService, K as oauthStartService, a2 as optionalAuth, ab as registerOAuthProvider, z as registerPublicKeyService, r as registerService, T as requireEnabledProvider, D as revokeKeyService, B as rotateKeyService, u as sendVerificationCodeService, v as verifyCodeService, J as verifyOneTimeTokenService } from './authenticate-tmmbh1ux.js';
|
|
3
3
|
import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
|
|
4
4
|
import { K as KeyAlgorithmType, b as InvitationStatus, d as SocialProvider } from './types-BtksCI9X.js';
|
|
5
5
|
export { I as INVITATION_STATUSES, a as KEY_ALGORITHM, S as SOCIAL_PROVIDERS, U as USER_STATUSES, c as UserStatus } from './types-BtksCI9X.js';
|
|
@@ -520,6 +520,24 @@ declare function hasRole(userId: string | number | bigint, roleName: string): Pr
|
|
|
520
520
|
* @returns true if user has at least one role
|
|
521
521
|
*/
|
|
522
522
|
declare function hasAnyRole(userId: string | number | bigint, roleNames: string[]): Promise<boolean>;
|
|
523
|
+
/**
|
|
524
|
+
* Assert that the caller is allowed to assign the given role.
|
|
525
|
+
*
|
|
526
|
+
* Centralizes the privilege rule shared by direct role assignment and invitation:
|
|
527
|
+
* a non-superadmin caller may never grant the superadmin role, and may grant the
|
|
528
|
+
* admin role only when they hold the `admin:promote` permission. Assigning any
|
|
529
|
+
* lower role is unrestricted (the route's own permission guard still applies).
|
|
530
|
+
*
|
|
531
|
+
* @param callerUserId - User performing the assignment
|
|
532
|
+
* @param targetRoleId - Role being assigned
|
|
533
|
+
* @throws ForbiddenError when the caller lacks the authority for the target role
|
|
534
|
+
*
|
|
535
|
+
* @example
|
|
536
|
+
* ```typescript
|
|
537
|
+
* await assertCanAssignRole(auth.userId, body.roleId);
|
|
538
|
+
* ```
|
|
539
|
+
*/
|
|
540
|
+
declare function assertCanAssignRole(callerUserId: string | number | bigint, targetRoleId: number): Promise<void>;
|
|
523
541
|
|
|
524
542
|
/**
|
|
525
543
|
* @spfn/auth - Roles Entity
|
|
@@ -1334,7 +1352,7 @@ declare function getAuthSessionService(userId: string | number | bigint): Promis
|
|
|
1334
1352
|
id: number;
|
|
1335
1353
|
name: string;
|
|
1336
1354
|
displayName: string;
|
|
1337
|
-
category: "
|
|
1355
|
+
category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
|
|
1338
1356
|
}[];
|
|
1339
1357
|
userId: number;
|
|
1340
1358
|
publicId: string;
|
|
@@ -2635,7 +2653,7 @@ declare const permissions: drizzle_orm_pg_core.PgTableWithColumns<{
|
|
|
2635
2653
|
tableName: "permissions";
|
|
2636
2654
|
dataType: "string";
|
|
2637
2655
|
columnType: "PgText";
|
|
2638
|
-
data: "
|
|
2656
|
+
data: "custom" | "user" | "auth" | "rbac" | "system";
|
|
2639
2657
|
driverParam: string;
|
|
2640
2658
|
notNull: false;
|
|
2641
2659
|
hasDefault: false;
|
|
@@ -3228,15 +3246,15 @@ declare class UsersRepository extends BaseRepository {
|
|
|
3228
3246
|
create(data: NewUser): Promise<{
|
|
3229
3247
|
email: string | null;
|
|
3230
3248
|
phone: string | null;
|
|
3249
|
+
status: "active" | "inactive" | "suspended";
|
|
3250
|
+
username: string | null;
|
|
3231
3251
|
id: number;
|
|
3252
|
+
createdAt: Date;
|
|
3253
|
+
updatedAt: Date;
|
|
3232
3254
|
publicId: string;
|
|
3233
|
-
username: string | null;
|
|
3234
3255
|
passwordHash: string | null;
|
|
3235
3256
|
passwordChangeRequired: boolean;
|
|
3236
3257
|
roleId: number;
|
|
3237
|
-
createdAt: Date;
|
|
3238
|
-
updatedAt: Date;
|
|
3239
|
-
status: "active" | "inactive" | "suspended";
|
|
3240
3258
|
emailVerifiedAt: Date | null;
|
|
3241
3259
|
phoneVerifiedAt: Date | null;
|
|
3242
3260
|
lastLoginAt: Date | null;
|
|
@@ -3308,15 +3326,15 @@ declare class UsersRepository extends BaseRepository {
|
|
|
3308
3326
|
deleteById(id: number): Promise<{
|
|
3309
3327
|
email: string | null;
|
|
3310
3328
|
phone: string | null;
|
|
3329
|
+
status: "active" | "inactive" | "suspended";
|
|
3330
|
+
username: string | null;
|
|
3311
3331
|
id: number;
|
|
3332
|
+
createdAt: Date;
|
|
3333
|
+
updatedAt: Date;
|
|
3312
3334
|
publicId: string;
|
|
3313
|
-
username: string | null;
|
|
3314
3335
|
passwordHash: string | null;
|
|
3315
3336
|
passwordChangeRequired: boolean;
|
|
3316
3337
|
roleId: number;
|
|
3317
|
-
createdAt: Date;
|
|
3318
|
-
updatedAt: Date;
|
|
3319
|
-
status: "active" | "inactive" | "suspended";
|
|
3320
3338
|
emailVerifiedAt: Date | null;
|
|
3321
3339
|
phoneVerifiedAt: Date | null;
|
|
3322
3340
|
lastLoginAt: Date | null;
|
|
@@ -3339,7 +3357,7 @@ declare class UsersRepository extends BaseRepository {
|
|
|
3339
3357
|
id: number;
|
|
3340
3358
|
name: string;
|
|
3341
3359
|
displayName: string;
|
|
3342
|
-
category: "
|
|
3360
|
+
category: "custom" | "user" | "auth" | "rbac" | "system" | undefined;
|
|
3343
3361
|
}[];
|
|
3344
3362
|
}>;
|
|
3345
3363
|
/**
|
|
@@ -3454,16 +3472,16 @@ declare class KeysRepository extends BaseRepository {
|
|
|
3454
3472
|
* Write primary 사용
|
|
3455
3473
|
*/
|
|
3456
3474
|
create(data: NewUserPublicKey): Promise<{
|
|
3457
|
-
publicKey: string;
|
|
3458
|
-
keyId: string;
|
|
3459
|
-
fingerprint: string;
|
|
3460
|
-
algorithm: "ES256" | "RS256";
|
|
3461
3475
|
userId: number;
|
|
3476
|
+
keyId: string;
|
|
3462
3477
|
id: number;
|
|
3463
3478
|
isActive: boolean;
|
|
3464
3479
|
createdAt: Date;
|
|
3465
|
-
|
|
3480
|
+
publicKey: string;
|
|
3481
|
+
algorithm: "ES256" | "RS256";
|
|
3482
|
+
fingerprint: string;
|
|
3466
3483
|
lastUsedAt: Date | null;
|
|
3484
|
+
expiresAt: Date | null;
|
|
3467
3485
|
revokedAt: Date | null;
|
|
3468
3486
|
revokedReason: string | null;
|
|
3469
3487
|
}>;
|
|
@@ -3490,16 +3508,16 @@ declare class KeysRepository extends BaseRepository {
|
|
|
3490
3508
|
* Write primary 사용
|
|
3491
3509
|
*/
|
|
3492
3510
|
deleteByKeyIdAndUserId(keyId: string, userId: number): Promise<{
|
|
3493
|
-
publicKey: string;
|
|
3494
|
-
keyId: string;
|
|
3495
|
-
fingerprint: string;
|
|
3496
|
-
algorithm: "ES256" | "RS256";
|
|
3497
3511
|
userId: number;
|
|
3512
|
+
keyId: string;
|
|
3498
3513
|
id: number;
|
|
3499
3514
|
isActive: boolean;
|
|
3500
3515
|
createdAt: Date;
|
|
3501
|
-
|
|
3516
|
+
publicKey: string;
|
|
3517
|
+
algorithm: "ES256" | "RS256";
|
|
3518
|
+
fingerprint: string;
|
|
3502
3519
|
lastUsedAt: Date | null;
|
|
3520
|
+
expiresAt: Date | null;
|
|
3503
3521
|
revokedAt: Date | null;
|
|
3504
3522
|
revokedReason: string | null;
|
|
3505
3523
|
}>;
|
|
@@ -3541,22 +3559,14 @@ declare class KeysRepository extends BaseRepository {
|
|
|
3541
3559
|
}>;
|
|
3542
3560
|
/**
|
|
3543
3561
|
* Primary key로 마지막 사용 시간 업데이트 (authenticate용)
|
|
3544
|
-
* Write primary
|
|
3562
|
+
* Write primary 사용.
|
|
3563
|
+
*
|
|
3564
|
+
* Throttled: only writes when lastUsedAt is stale (older than
|
|
3565
|
+
* LAST_USED_THROTTLE_MS), so a busy key isn't UPDATEd on every request. The
|
|
3566
|
+
* throttle lives in the WHERE clause — atomic, no read-then-write race. No
|
|
3567
|
+
* RETURNING (callers fire-and-forget and discard the row).
|
|
3545
3568
|
*/
|
|
3546
|
-
updateLastUsedById(id: number): Promise<
|
|
3547
|
-
id: number;
|
|
3548
|
-
userId: number;
|
|
3549
|
-
keyId: string;
|
|
3550
|
-
publicKey: string;
|
|
3551
|
-
algorithm: "ES256" | "RS256";
|
|
3552
|
-
fingerprint: string;
|
|
3553
|
-
isActive: boolean;
|
|
3554
|
-
createdAt: Date;
|
|
3555
|
-
lastUsedAt: Date | null;
|
|
3556
|
-
expiresAt: Date | null;
|
|
3557
|
-
revokedAt: Date | null;
|
|
3558
|
-
revokedReason: string | null;
|
|
3559
|
-
}>;
|
|
3569
|
+
updateLastUsedById(id: number): Promise<void>;
|
|
3560
3570
|
}
|
|
3561
3571
|
declare const keysRepository: KeysRepository;
|
|
3562
3572
|
|
|
@@ -3614,14 +3624,14 @@ declare class VerificationCodesRepository extends BaseRepository {
|
|
|
3614
3624
|
* Write primary 사용
|
|
3615
3625
|
*/
|
|
3616
3626
|
create(data: NewVerificationCode): Promise<{
|
|
3617
|
-
target: string;
|
|
3618
|
-
targetType: "email" | "phone";
|
|
3619
|
-
purpose: "registration" | "login" | "password_reset" | "email_change" | "phone_change";
|
|
3620
|
-
code: string;
|
|
3621
3627
|
id: number;
|
|
3622
3628
|
createdAt: Date;
|
|
3623
3629
|
updatedAt: Date;
|
|
3624
3630
|
expiresAt: Date;
|
|
3631
|
+
target: string;
|
|
3632
|
+
targetType: "email" | "phone";
|
|
3633
|
+
code: string;
|
|
3634
|
+
purpose: "registration" | "login" | "password_reset" | "email_change" | "phone_change";
|
|
3625
3635
|
usedAt: Date | null;
|
|
3626
3636
|
attempts: number;
|
|
3627
3637
|
}>;
|
|
@@ -3810,7 +3820,7 @@ declare class PermissionsRepository extends BaseRepository {
|
|
|
3810
3820
|
name: string;
|
|
3811
3821
|
displayName: string;
|
|
3812
3822
|
description: string | null;
|
|
3813
|
-
category: "
|
|
3823
|
+
category: "custom" | "user" | "auth" | "rbac" | "system" | null;
|
|
3814
3824
|
isBuiltin: boolean;
|
|
3815
3825
|
isSystem: boolean;
|
|
3816
3826
|
isActive: boolean;
|
|
@@ -3826,7 +3836,7 @@ declare class PermissionsRepository extends BaseRepository {
|
|
|
3826
3836
|
name: string;
|
|
3827
3837
|
displayName: string;
|
|
3828
3838
|
description: string | null;
|
|
3829
|
-
category: "
|
|
3839
|
+
category: "custom" | "user" | "auth" | "rbac" | "system" | null;
|
|
3830
3840
|
isBuiltin: boolean;
|
|
3831
3841
|
isSystem: boolean;
|
|
3832
3842
|
isActive: boolean;
|
|
@@ -3866,7 +3876,7 @@ declare class PermissionsRepository extends BaseRepository {
|
|
|
3866
3876
|
name: string;
|
|
3867
3877
|
displayName: string;
|
|
3868
3878
|
description: string | null;
|
|
3869
|
-
category: "
|
|
3879
|
+
category: "custom" | "user" | "auth" | "rbac" | "system" | null;
|
|
3870
3880
|
isBuiltin: boolean;
|
|
3871
3881
|
isSystem: boolean;
|
|
3872
3882
|
isActive: boolean;
|
|
@@ -3877,7 +3887,6 @@ declare class PermissionsRepository extends BaseRepository {
|
|
|
3877
3887
|
*/
|
|
3878
3888
|
deleteById(id: number): Promise<{
|
|
3879
3889
|
description: string | null;
|
|
3880
|
-
metadata: Record<string, any> | null;
|
|
3881
3890
|
id: number;
|
|
3882
3891
|
name: string;
|
|
3883
3892
|
displayName: string;
|
|
@@ -3886,7 +3895,8 @@ declare class PermissionsRepository extends BaseRepository {
|
|
|
3886
3895
|
isActive: boolean;
|
|
3887
3896
|
createdAt: Date;
|
|
3888
3897
|
updatedAt: Date;
|
|
3889
|
-
|
|
3898
|
+
metadata: Record<string, any> | null;
|
|
3899
|
+
category: "custom" | "user" | "auth" | "rbac" | "system" | null;
|
|
3890
3900
|
}>;
|
|
3891
3901
|
}
|
|
3892
3902
|
declare const permissionsRepository: PermissionsRepository;
|
|
@@ -3931,9 +3941,9 @@ declare class RolePermissionsRepository extends BaseRepository {
|
|
|
3931
3941
|
*/
|
|
3932
3942
|
createMany(data: NewRolePermission[]): Promise<{
|
|
3933
3943
|
id: number;
|
|
3934
|
-
roleId: number;
|
|
3935
3944
|
createdAt: Date;
|
|
3936
3945
|
updatedAt: Date;
|
|
3946
|
+
roleId: number;
|
|
3937
3947
|
permissionId: number;
|
|
3938
3948
|
}[]>;
|
|
3939
3949
|
/**
|
|
@@ -3949,9 +3959,9 @@ declare class RolePermissionsRepository extends BaseRepository {
|
|
|
3949
3959
|
*/
|
|
3950
3960
|
setPermissionsForRole(roleId: number, permissionIds: number[]): Promise<{
|
|
3951
3961
|
id: number;
|
|
3952
|
-
roleId: number;
|
|
3953
3962
|
createdAt: Date;
|
|
3954
3963
|
updatedAt: Date;
|
|
3964
|
+
roleId: number;
|
|
3955
3965
|
permissionId: number;
|
|
3956
3966
|
}[]>;
|
|
3957
3967
|
}
|
|
@@ -4016,10 +4026,10 @@ declare class UserPermissionsRepository extends BaseRepository {
|
|
|
4016
4026
|
id: number;
|
|
4017
4027
|
createdAt: Date;
|
|
4018
4028
|
updatedAt: Date;
|
|
4019
|
-
permissionId: number;
|
|
4020
4029
|
expiresAt: Date | null;
|
|
4021
|
-
|
|
4030
|
+
permissionId: number;
|
|
4022
4031
|
granted: boolean;
|
|
4032
|
+
reason: string | null;
|
|
4023
4033
|
}>;
|
|
4024
4034
|
/**
|
|
4025
4035
|
* 사용자 권한 오버라이드 업데이트
|
|
@@ -4042,10 +4052,10 @@ declare class UserPermissionsRepository extends BaseRepository {
|
|
|
4042
4052
|
id: number;
|
|
4043
4053
|
createdAt: Date;
|
|
4044
4054
|
updatedAt: Date;
|
|
4045
|
-
permissionId: number;
|
|
4046
4055
|
expiresAt: Date | null;
|
|
4047
|
-
|
|
4056
|
+
permissionId: number;
|
|
4048
4057
|
granted: boolean;
|
|
4058
|
+
reason: string | null;
|
|
4049
4059
|
}>;
|
|
4050
4060
|
/**
|
|
4051
4061
|
* 사용자의 모든 권한 오버라이드 삭제
|
|
@@ -4123,7 +4133,6 @@ declare class UserProfilesRepository extends BaseRepository {
|
|
|
4123
4133
|
* 프로필 생성
|
|
4124
4134
|
*/
|
|
4125
4135
|
create(data: NewUserProfile): Promise<{
|
|
4126
|
-
metadata: Record<string, any> | null;
|
|
4127
4136
|
userId: number;
|
|
4128
4137
|
id: number;
|
|
4129
4138
|
displayName: string | null;
|
|
@@ -4141,6 +4150,7 @@ declare class UserProfilesRepository extends BaseRepository {
|
|
|
4141
4150
|
location: string | null;
|
|
4142
4151
|
company: string | null;
|
|
4143
4152
|
jobTitle: string | null;
|
|
4153
|
+
metadata: Record<string, any> | null;
|
|
4144
4154
|
}>;
|
|
4145
4155
|
/**
|
|
4146
4156
|
* 프로필 업데이트 (by ID)
|
|
@@ -4192,7 +4202,6 @@ declare class UserProfilesRepository extends BaseRepository {
|
|
|
4192
4202
|
* 프로필 삭제 (by ID)
|
|
4193
4203
|
*/
|
|
4194
4204
|
deleteById(id: number): Promise<{
|
|
4195
|
-
metadata: Record<string, any> | null;
|
|
4196
4205
|
userId: number;
|
|
4197
4206
|
id: number;
|
|
4198
4207
|
displayName: string | null;
|
|
@@ -4210,12 +4219,12 @@ declare class UserProfilesRepository extends BaseRepository {
|
|
|
4210
4219
|
location: string | null;
|
|
4211
4220
|
company: string | null;
|
|
4212
4221
|
jobTitle: string | null;
|
|
4222
|
+
metadata: Record<string, any> | null;
|
|
4213
4223
|
}>;
|
|
4214
4224
|
/**
|
|
4215
4225
|
* 프로필 삭제 (by User ID)
|
|
4216
4226
|
*/
|
|
4217
4227
|
deleteByUserId(userId: number): Promise<{
|
|
4218
|
-
metadata: Record<string, any> | null;
|
|
4219
4228
|
userId: number;
|
|
4220
4229
|
id: number;
|
|
4221
4230
|
displayName: string | null;
|
|
@@ -4233,6 +4242,7 @@ declare class UserProfilesRepository extends BaseRepository {
|
|
|
4233
4242
|
location: string | null;
|
|
4234
4243
|
company: string | null;
|
|
4235
4244
|
jobTitle: string | null;
|
|
4245
|
+
metadata: Record<string, any> | null;
|
|
4236
4246
|
}>;
|
|
4237
4247
|
/**
|
|
4238
4248
|
* 프로필 Upsert (by User ID)
|
|
@@ -4241,7 +4251,6 @@ declare class UserProfilesRepository extends BaseRepository {
|
|
|
4241
4251
|
* 새로 생성 시 displayName은 필수 (없으면 'User'로 설정)
|
|
4242
4252
|
*/
|
|
4243
4253
|
upsertByUserId(userId: number, data: Partial<Omit<NewUserProfile, 'userId'>>): Promise<{
|
|
4244
|
-
metadata: Record<string, any> | null;
|
|
4245
4254
|
userId: number;
|
|
4246
4255
|
id: number;
|
|
4247
4256
|
displayName: string | null;
|
|
@@ -4259,6 +4268,7 @@ declare class UserProfilesRepository extends BaseRepository {
|
|
|
4259
4268
|
location: string | null;
|
|
4260
4269
|
company: string | null;
|
|
4261
4270
|
jobTitle: string | null;
|
|
4271
|
+
metadata: Record<string, any> | null;
|
|
4262
4272
|
}>;
|
|
4263
4273
|
/**
|
|
4264
4274
|
* User ID로 프로필 데이터 조회 (formatted)
|
|
@@ -4386,15 +4396,15 @@ declare class InvitationsRepository extends BaseRepository {
|
|
|
4386
4396
|
*/
|
|
4387
4397
|
create(data: NewInvitation): Promise<{
|
|
4388
4398
|
email: string;
|
|
4389
|
-
|
|
4399
|
+
status: "pending" | "accepted" | "expired" | "cancelled";
|
|
4390
4400
|
id: number;
|
|
4391
|
-
roleId: number;
|
|
4392
4401
|
createdAt: Date;
|
|
4393
4402
|
updatedAt: Date;
|
|
4394
|
-
|
|
4403
|
+
roleId: number;
|
|
4404
|
+
metadata: Record<string, any> | null;
|
|
4405
|
+
expiresAt: Date;
|
|
4395
4406
|
token: string;
|
|
4396
4407
|
invitedBy: number;
|
|
4397
|
-
expiresAt: Date;
|
|
4398
4408
|
acceptedAt: Date | null;
|
|
4399
4409
|
cancelledAt: Date | null;
|
|
4400
4410
|
}>;
|
|
@@ -4420,15 +4430,15 @@ declare class InvitationsRepository extends BaseRepository {
|
|
|
4420
4430
|
*/
|
|
4421
4431
|
deleteById(id: number): Promise<{
|
|
4422
4432
|
email: string;
|
|
4423
|
-
|
|
4433
|
+
status: "pending" | "accepted" | "expired" | "cancelled";
|
|
4424
4434
|
id: number;
|
|
4425
|
-
roleId: number;
|
|
4426
4435
|
createdAt: Date;
|
|
4427
4436
|
updatedAt: Date;
|
|
4428
|
-
|
|
4437
|
+
roleId: number;
|
|
4438
|
+
metadata: Record<string, any> | null;
|
|
4439
|
+
expiresAt: Date;
|
|
4429
4440
|
token: string;
|
|
4430
4441
|
invitedBy: number;
|
|
4431
|
-
expiresAt: Date;
|
|
4432
4442
|
acceptedAt: Date | null;
|
|
4433
4443
|
cancelledAt: Date | null;
|
|
4434
4444
|
}>;
|
|
@@ -4713,10 +4723,17 @@ declare const authMetadataRepository: AuthMetadataRepository;
|
|
|
4713
4723
|
/**
|
|
4714
4724
|
* @spfn/auth - Password Helpers
|
|
4715
4725
|
*
|
|
4716
|
-
* Password hashing and verification using bcrypt
|
|
4726
|
+
* Password hashing and verification using bcrypt (@node-rs/bcrypt).
|
|
4727
|
+
*
|
|
4728
|
+
* Uses the native (Rust/napi) implementation, which runs the CPU-bound key
|
|
4729
|
+
* derivation on the libuv threadpool instead of the main event loop — so
|
|
4730
|
+
* concurrent logins run in parallel and don't head-of-line-block other requests.
|
|
4731
|
+
* Hashes are standard bcrypt ($2*$) and verify against existing bcryptjs hashes.
|
|
4732
|
+
* For very high concurrent-login load, raise UV_THREADPOOL_SIZE toward the core
|
|
4733
|
+
* count (default pool is 4).
|
|
4717
4734
|
*
|
|
4718
4735
|
* Security:
|
|
4719
|
-
* - Adaptive hashing (configurable rounds)
|
|
4736
|
+
* - Adaptive hashing (configurable rounds, default 12)
|
|
4720
4737
|
* - Automatic salt generation (per-password)
|
|
4721
4738
|
* - Constant-time comparison (timing attack protection)
|
|
4722
4739
|
* - Rainbow table protection
|
|
@@ -4729,10 +4746,10 @@ declare const authMetadataRepository: AuthMetadataRepository;
|
|
|
4729
4746
|
* 2. Apply bcrypt key derivation (2^rounds iterations)
|
|
4730
4747
|
* 3. Return $2b$rounds$[salt][hash] (60 chars)
|
|
4731
4748
|
*
|
|
4732
|
-
* Salt rounds are configured via SPFN_AUTH_BCRYPT_SALT_ROUNDS:
|
|
4733
|
-
* -
|
|
4734
|
-
* -
|
|
4735
|
-
* - 14 rounds: ~
|
|
4749
|
+
* Salt rounds are configured via SPFN_AUTH_BCRYPT_SALT_ROUNDS (native timings):
|
|
4750
|
+
* - 12 rounds: ~200ms (default — OWASP-aligned, off the event loop)
|
|
4751
|
+
* - 10 rounds: ~55ms (faster, lower work factor)
|
|
4752
|
+
* - 14 rounds: ~800ms (very secure, heavy)
|
|
4736
4753
|
*
|
|
4737
4754
|
* @param password - Plain text password to hash
|
|
4738
4755
|
* @returns Bcrypt hash string (includes salt)
|
|
@@ -5145,15 +5162,15 @@ declare function getUser(c: Context | {
|
|
|
5145
5162
|
}): {
|
|
5146
5163
|
email: string | null;
|
|
5147
5164
|
phone: string | null;
|
|
5165
|
+
status: "active" | "inactive" | "suspended";
|
|
5166
|
+
username: string | null;
|
|
5148
5167
|
id: number;
|
|
5168
|
+
createdAt: Date;
|
|
5169
|
+
updatedAt: Date;
|
|
5149
5170
|
publicId: string;
|
|
5150
|
-
username: string | null;
|
|
5151
5171
|
passwordHash: string | null;
|
|
5152
5172
|
passwordChangeRequired: boolean;
|
|
5153
5173
|
roleId: number;
|
|
5154
|
-
createdAt: Date;
|
|
5155
|
-
updatedAt: Date;
|
|
5156
|
-
status: "active" | "inactive" | "suspended";
|
|
5157
5174
|
emailVerifiedAt: Date | null;
|
|
5158
5175
|
phoneVerifiedAt: Date | null;
|
|
5159
5176
|
lastLoginAt: Date | null;
|
|
@@ -5615,9 +5632,9 @@ declare const invitationCreatedEvent: _spfn_core_event.EventDef<{
|
|
|
5615
5632
|
} | undefined;
|
|
5616
5633
|
email: string;
|
|
5617
5634
|
roleId: number;
|
|
5635
|
+
expiresAt: string;
|
|
5618
5636
|
token: string;
|
|
5619
5637
|
invitedBy: string;
|
|
5620
|
-
expiresAt: string;
|
|
5621
5638
|
invitationId: string;
|
|
5622
5639
|
isResend: boolean;
|
|
5623
5640
|
}>;
|
|
@@ -5652,4 +5669,4 @@ type AuthRegisterPayload = typeof authRegisterEvent._payload;
|
|
|
5652
5669
|
type InvitationCreatedPayload = typeof invitationCreatedEvent._payload;
|
|
5653
5670
|
type InvitationAcceptedPayload = typeof invitationAcceptedEvent._payload;
|
|
5654
5671
|
|
|
5655
|
-
export { type AuthConfig, AuthContext, type AuthLifecycleConfig, type AuthLifecycleOptions, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, OAuthProvider, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, type VerifyIdTokenParams, acceptInvitation, addPermissionToRole, appleProvider, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOneTimeTokenManager, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, googleProvider, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initOneTimeTokenManager, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, oneTimeTokenAuth, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, setRolePermissions, shouldRotateKey, socialAccountsRepository, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyIdToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };
|
|
5672
|
+
export { type AuthConfig, AuthContext, type AuthLifecycleConfig, type AuthLifecycleOptions, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, OAuthProvider, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, type VerifyIdTokenParams, acceptInvitation, addPermissionToRole, appleProvider, assertCanAssignRole, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOneTimeTokenManager, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, googleProvider, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initOneTimeTokenManager, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, oneTimeTokenAuth, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, setRolePermissions, shouldRotateKey, socialAccountsRepository, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyIdToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };
|