@thinkingcat/auth-utils 1.0.49 → 2.0.0

package/dist/core/auth-response.d.ts

@@ -0,0 +1,15 @@
+import type { NextResponse, NextRequest } from 'next/server';
+/**
+ * access token과 refresh token을 사용하여 완전한 인증 세션 생성
+ */
+export declare function createAuthResponse(accessToken: string, secret: string, options: {
+    req: NextRequest;
+    refreshToken?: string;
+    redirectPath?: string;
+    text?: string;
+    cookiePrefix?: string;
+    isProduction?: boolean;
+    cookieDomain?: string;
+    serviceId: string;
+    licenseKey: string;
+}): Promise<NextResponse>;

package/dist/core/auth-response.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthResponse = createAuthResponse;
+const license_1 = require("../utils/license");
+const jwt_1 = require("./jwt");
+const server_1 = require("../utils/server");
+const cookies_1 = require("./cookies");
+const logger_1 = require("../utils/logger");
+/**
+ * access token과 refresh token을 사용하여 완전한 인증 세션 생성
+ */
+async function createAuthResponse(accessToken, secret, options) {
+    await (0, license_1.checkLicenseKey)(options.licenseKey);
+    const { req, refreshToken, redirectPath, text, cookiePrefix, isProduction = false, cookieDomain, serviceId, } = options;
+    const tokenResult = await (0, jwt_1.verifyToken)(accessToken, secret);
+    if (!tokenResult) {
+        throw new Error('Invalid token');
+    }
+    const { payload } = tokenResult;
+    const jwt = (0, jwt_1.createNextAuthJWT)(payload, serviceId);
+    if (refreshToken) {
+        jwt.refreshToken = refreshToken;
+    }
+    jwt.accessTokenExpires = Date.now() + (15 * 60 * 1000);
+    (0, logger_1.debugLog)('createAuthResponse', 'JWT prepared', { jwtId: jwt?.id });
+    const { NextResponse: NextResponseClass } = await (0, server_1.getNextServer)();
+    const response = redirectPath
+        ? NextResponseClass.redirect(new URL(redirectPath, req.url), { status: 302 })
+        : NextResponseClass.json({ success: true, message: text || 'Authentication successful' }, { status: 200 });
+    if (refreshToken) {
+        (0, cookies_1.setCustomTokens)(response, accessToken, refreshToken, {
+            cookiePrefix,
+            isProduction,
+            cookieDomain,
+        });
+    }
+    else {
+        (0, cookies_1.setCustomTokens)(response, accessToken, {
+            cookiePrefix,
+            isProduction,
+            cookieDomain,
+        });
+    }
+    return response;
+}

package/dist/core/cookies.d.ts

@@ -0,0 +1,33 @@
+import type { ResponseLike } from '../types';
+/**
+ * NextAuth 세션 토큰 쿠키를 삭제하는 헬퍼 함수
+ */
+export declare function deleteNextAuthSessionCookie(response: ResponseLike, isProduction: boolean): void;
+/**
+ * 인증 쿠키를 삭제하는 헬퍼 함수
+ */
+export declare function clearAuthCookies(response: ResponseLike, cookiePrefix: string): void;
+/**
+ * 모든 인증 관련 쿠키를 삭제하는 헬퍼 함수
+ */
+export declare function clearAllAuthCookies(response: ResponseLike, cookiePrefix: string, isProduction: boolean): void;
+/**
+ * 자체 토큰만 설정 (access token, refresh token)
+ */
+export declare function setCustomTokens(response: ResponseLike, accessToken: string, optionsOrRefreshToken?: string | {
+    refreshToken?: string;
+    cookiePrefix?: string;
+    isProduction?: boolean;
+    cookieDomain?: string;
+}, options?: {
+    cookiePrefix?: string;
+    isProduction?: boolean;
+    cookieDomain?: string;
+}): void;
+/**
+ * NextAuth 세션 토큰만 설정
+ */
+export declare function setNextAuthToken(response: ResponseLike, sessionToken: string, options?: {
+    isProduction?: boolean;
+    cookieDomain?: string;
+}): void;

package/dist/core/cookies.js

@@ -0,0 +1,102 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deleteNextAuthSessionCookie = deleteNextAuthSessionCookie;
+exports.clearAuthCookies = clearAuthCookies;
+exports.clearAllAuthCookies = clearAllAuthCookies;
+exports.setCustomTokens = setCustomTokens;
+exports.setNextAuthToken = setNextAuthToken;
+const logger_1 = require("../utils/logger");
+/**
+ * NextAuth 세션 토큰 쿠키를 삭제하는 헬퍼 함수
+ */
+function deleteNextAuthSessionCookie(response, isProduction) {
+    const cookieName = isProduction
+        ? '__Secure-next-auth.session-token'
+        : 'next-auth.session-token';
+    response.cookies.delete(cookieName);
+}
+/**
+ * 인증 쿠키를 삭제하는 헬퍼 함수
+ */
+function clearAuthCookies(response, cookiePrefix) {
+    response.cookies.delete(`${cookiePrefix}_access_token`);
+    response.cookies.delete(`${cookiePrefix}_refresh_token`);
+}
+/**
+ * 모든 인증 관련 쿠키를 삭제하는 헬퍼 함수
+ */
+function clearAllAuthCookies(response, cookiePrefix, isProduction) {
+    clearAuthCookies(response, cookiePrefix);
+    deleteNextAuthSessionCookie(response, isProduction);
+}
+/**
+ * 자체 토큰만 설정 (access token, refresh token)
+ */
+function setCustomTokens(response, accessToken, optionsOrRefreshToken, options) {
+    let refreshTokenValue;
+    let cookiePrefix;
+    let isProduction;
+    let cookieDomain;
+    if (typeof optionsOrRefreshToken === 'string') {
+        refreshTokenValue = optionsOrRefreshToken;
+        const { cookiePrefix: prefix, isProduction: prod = false, cookieDomain: domain, } = options || {};
+        if (!prefix) {
+            throw new Error('cookiePrefix is required');
+        }
+        cookiePrefix = prefix;
+        isProduction = prod;
+        cookieDomain = domain;
+    }
+    else {
+        const opts = optionsOrRefreshToken || {};
+        refreshTokenValue = opts.refreshToken;
+        if (!opts.cookiePrefix) {
+            throw new Error('cookiePrefix is required');
+        }
+        cookiePrefix = opts.cookiePrefix;
+        isProduction = opts.isProduction || false;
+        cookieDomain = opts.cookieDomain;
+    }
+    const cookieOptions = {
+        httpOnly: true,
+        secure: isProduction,
+        sameSite: isProduction ? 'none' : 'lax',
+        path: '/',
+        maxAge: 15 * 60,
+    };
+    if (cookieDomain) {
+        cookieOptions.domain = cookieDomain;
+    }
+    const accessTokenName = `${cookiePrefix}_access_token`;
+    response.cookies.delete(accessTokenName);
+    response.cookies.set(accessTokenName, accessToken, cookieOptions);
+    (0, logger_1.debugLog)('setCustomTokens', `Set ${accessTokenName} cookie`, { domain: cookieOptions.domain });
+    if (refreshTokenValue) {
+        const refreshTokenName = `${cookiePrefix}_refresh_token`;
+        const refreshCookieOptions = {
+            ...cookieOptions,
+            maxAge: 30 * 24 * 60 * 60,
+        };
+        response.cookies.set(refreshTokenName, refreshTokenValue, refreshCookieOptions);
+    }
+}
+/**
+ * NextAuth 세션 토큰만 설정
+ */
+function setNextAuthToken(response, sessionToken, options = {}) {
+    const { isProduction = false, cookieDomain, } = options;
+    // Circular dependency avoidance: use dynamic require or move createNextAuthCookies to a shared file
+    // For now, we'll implement the logic directly to avoid complexity
+    const isSecure = isProduction;
+    const sameSiteValue = cookieDomain ? 'lax' : (isSecure ? 'none' : 'lax');
+    const cookieName = isSecure ? `__Secure-next-auth.session-token` : `next-auth.session-token`;
+    response.cookies.delete(cookieName);
+    response.cookies.set(cookieName, sessionToken, {
+        httpOnly: true,
+        sameSite: sameSiteValue,
+        path: '/',
+        secure: isSecure,
+        maxAge: 30 * 24 * 60 * 60,
+        ...(cookieDomain && { domain: cookieDomain }),
+    });
+}

package/dist/core/jwt.d.ts

@@ -0,0 +1,28 @@
+import type { JWT } from "next-auth/jwt";
+import type { JWTPayload } from '../types';
+/**
+ * 토큰 검증 및 디코딩
+ */
+export declare function verifyToken(accessToken: string, secret: string): Promise<{
+    payload: JWTPayload;
+} | null>;
+/**
+ * payload에서 역할 추출 (서비스별)
+ */
+export declare function extractRoleFromPayload(payload: JWTPayload, serviceId: string, defaultRole?: string): string;
+/**
+ * payload에서 NextAuth JWT 객체 생성
+ */
+export declare function createNextAuthJWT(payload: JWTPayload, serviceId: string): JWT;
+/**
+ * NextAuth JWT를 인코딩된 세션 토큰으로 변환
+ */
+export declare function encodeNextAuthToken(jwt: JWT, secret: string, maxAge?: number): Promise<string>;
+/**
+ * 토큰이 만료되었는지 확인하는 함수
+ */
+export declare function isTokenExpired(token: JWT | null): boolean;
+/**
+ * 토큰이 유효한지 확인하는 함수 (만료 및 필수 필드 체크)
+ */
+export declare function isValidToken(token: JWT | null): boolean;

package/dist/core/jwt.js

@@ -0,0 +1,180 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyToken = verifyToken;
+exports.extractRoleFromPayload = extractRoleFromPayload;
+exports.createNextAuthJWT = createNextAuthJWT;
+exports.encodeNextAuthToken = encodeNextAuthToken;
+exports.isTokenExpired = isTokenExpired;
+exports.isValidToken = isValidToken;
+const jose_1 = require("jose");
+const logger_1 = require("../utils/logger");
+const crypto_1 = require("../utils/crypto");
+/**
+ * 토큰 검증 및 디코딩
+ */
+async function verifyToken(accessToken, secret) {
+    try {
+        const secretBytes = new TextEncoder().encode(secret);
+        const { payload } = await (0, jose_1.jwtVerify)(accessToken, secretBytes);
+        if (payload && typeof payload === 'object' && payload.email) {
+            return { payload: payload };
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * payload에서 역할 추출 (서비스별)
+ */
+function extractRoleFromPayload(payload, serviceId, defaultRole = 'ADMIN') {
+    const services = payload.services || [];
+    const service = services.find((s) => s.serviceId === serviceId);
+    return service?.role || payload.role || defaultRole;
+}
+/**
+ * payload에서 NextAuth JWT 객체 생성
+ */
+function createNextAuthJWT(payload, serviceId) {
+    const services = payload.services || [];
+    const service = services.find((s) => s.serviceId === serviceId);
+    const effectiveRole = service?.role || payload.role || 'ADMIN';
+    const displayName = payload.name
+        || payload.decryptedEmail
+        || payload.maskedEmail
+        || 'User';
+    const jwt = {
+        id: (payload.id || payload.sub),
+        email: payload.email,
+        name: displayName,
+        role: effectiveRole,
+        services: payload.services,
+        phoneVerified: payload.phoneVerified ?? false,
+        emailVerified: payload.emailVerified ?? false,
+        smsVerified: payload.smsVerified ?? false,
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + (30 * 24 * 60 * 60), // 30일
+    };
+    if (payload.phone)
+        jwt.phone = payload.phone;
+    if (payload.isPasswordReset)
+        jwt.isPasswordReset = payload.isPasswordReset;
+    if (payload.decryptedEmail)
+        jwt.decryptedEmail = payload.decryptedEmail;
+    if (payload.decryptedPhone)
+        jwt.decryptedPhone = payload.decryptedPhone;
+    if (payload.emailHash)
+        jwt.emailHash = payload.emailHash;
+    if (payload.maskedEmail)
+        jwt.maskedEmail = payload.maskedEmail;
+    if (payload.phoneHash)
+        jwt.phoneHash = payload.phoneHash;
+    if (payload.maskedPhone)
+        jwt.maskedPhone = payload.maskedPhone;
+    if (payload.refreshToken)
+        jwt.refreshToken = payload.refreshToken;
+    if (payload.accessToken)
+        jwt.accessToken = payload.accessToken;
+    if (payload.accessTokenExpires)
+        jwt.accessTokenExpires = payload.accessTokenExpires;
+    if (payload.serviceId)
+        jwt.serviceId = payload.serviceId;
+    return jwt;
+}
+/**
+ * NextAuth JWT를 인코딩된 세션 토큰으로 변환
+ */
+async function encodeNextAuthToken(jwt, secret, maxAge = 30 * 24 * 60 * 60) {
+    try {
+        const { encode } = await Promise.resolve().then(() => __importStar(require('next-auth/jwt')));
+        (0, logger_1.debugLog)('encodeNextAuthToken', 'Using next-auth/jwt encode');
+        const encoded = await encode({
+            token: jwt,
+            secret: secret,
+            maxAge: maxAge,
+        });
+        return encoded;
+    }
+    catch (error) {
+        (0, logger_1.debugLog)('encodeNextAuthToken', 'NextAuth encode failed, using jose EncryptJWT fallback', error);
+        const secretHash = await (0, crypto_1.createHashSHA256)(secret);
+        const keyBytes = new Uint8Array(32);
+        for (let i = 0; i < 32; i++) {
+            keyBytes[i] = parseInt(secretHash.slice(i * 2, i * 2 + 2), 16);
+        }
+        const now = Math.floor(Date.now() / 1000);
+        try {
+            const token = await new jose_1.EncryptJWT(jwt)
+                .setProtectedHeader({
+                alg: 'dir',
+                enc: 'A256GCM'
+            })
+                .setIssuedAt(now)
+                .setExpirationTime(now + maxAge)
+                .setJti(crypto.randomUUID())
+                .encrypt(keyBytes);
+            return token;
+        }
+        catch (encryptError) {
+            (0, logger_1.debugError)('encodeNextAuthToken', 'EncryptJWT also failed:', encryptError);
+            throw new Error(`Failed to encode NextAuth token: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+}
+/**
+ * 토큰이 만료되었는지 확인하는 함수
+ */
+function isTokenExpired(token) {
+    if (!token)
+        return true;
+    if (token.exp && typeof token.exp === 'number' && token.exp < Math.floor(Date.now() / 1000)) {
+        return true;
+    }
+    return false;
+}
+/**
+ * 토큰이 유효한지 확인하는 함수 (만료 및 필수 필드 체크)
+ */
+function isValidToken(token) {
+    if (!token)
+        return false;
+    if (isTokenExpired(token))
+        return false;
+    if (!token.email || !token.id)
+        return false;
+    return true;
+}

package/dist/core/roles.d.ts

@@ -0,0 +1,25 @@
+import type { JWT } from "next-auth/jwt";
+import type { RoleAccessConfig } from '../types';
+/**
+ * JWT에서 서비스별 역할을 추출하는 헬퍼 함수
+ */
+export declare function getEffectiveRole(token: JWT | null, serviceId: string): string | undefined;
+/**
+ * 구독이 필요한 경로인지 확인하는 헬퍼 함수
+ */
+export declare function requiresSubscription(pathname: string, role: string, subscriptionRequiredPaths: string[], systemAdminRole?: string): boolean;
+/**
+ * 역할 기반 접근 제어 확인
+ */
+export declare function checkRoleAccess(pathname: string, role: string, roleConfig: RoleAccessConfig): {
+    allowed: boolean;
+    message?: string;
+};
+/**
+ * 특정 역할을 가지고 있는지 확인하는 함수
+ */
+export declare function hasRole(token: JWT | null, role: string, serviceId: string): boolean;
+/**
+ * 여러 역할 중 하나라도 가지고 있는지 확인하는 함수
+ */
+export declare function hasAnyRole(token: JWT | null, roles: string[], serviceId: string): boolean;

package/dist/core/roles.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getEffectiveRole = getEffectiveRole;
+exports.requiresSubscription = requiresSubscription;
+exports.checkRoleAccess = checkRoleAccess;
+exports.hasRole = hasRole;
+exports.hasAnyRole = hasAnyRole;
+/**
+ * JWT에서 서비스별 역할을 추출하는 헬퍼 함수
+ */
+function getEffectiveRole(token, serviceId) {
+    if (!token)
+        return undefined;
+    if (token.role) {
+        return token.role;
+    }
+    const services = token.services || [];
+    const service = services.find((s) => s.serviceId === serviceId);
+    return service?.role;
+}
+/**
+ * 구독이 필요한 경로인지 확인하는 헬퍼 함수
+ */
+function requiresSubscription(pathname, role, subscriptionRequiredPaths, systemAdminRole = 'SYSTEM_ADMIN') {
+    if (role === systemAdminRole)
+        return false;
+    return subscriptionRequiredPaths.some(path => pathname.startsWith(path));
+}
+/**
+ * 역할 기반 접근 제어 확인
+ */
+function checkRoleAccess(pathname, role, roleConfig) {
+    for (const [configRole, config] of Object.entries(roleConfig)) {
+        const isPathMatch = config.paths.some(path => pathname.startsWith(path));
+        if (isPathMatch) {
+            if (role === configRole || config.allowedRoles?.includes(role)) {
+                return { allowed: true };
+            }
+            return { allowed: false, message: config.message };
+        }
+    }
+    return { allowed: true };
+}
+/**
+ * 특정 역할을 가지고 있는지 확인하는 함수
+ */
+function hasRole(token, role, serviceId) {
+    if (!token)
+        return false;
+    const effectiveRole = getEffectiveRole(token, serviceId);
+    return effectiveRole === role;
+}
+/**
+ * 여러 역할 중 하나라도 가지고 있는지 확인하는 함수
+ */
+function hasAnyRole(token, roles, serviceId) {
+    if (!token)
+        return false;
+    const effectiveRole = getEffectiveRole(token, serviceId);
+    return roles.includes(effectiveRole || '');
+}

package/dist/core/verify.d.ts

@@ -0,0 +1,40 @@
+import type { NextRequest, NextResponse } from 'next/server';
+import type { JWTPayload } from '../types';
+/**
+ * 토큰 검증 및 갱신 시도
+ */
+export declare function verifyAndRefreshToken(req: NextRequest, secret: string, options: {
+    cookiePrefix: string;
+    serviceId: string;
+    isProduction: boolean;
+    cookieDomain?: string;
+    text?: string;
+    ssoBaseURL?: string;
+    authServiceKey?: string;
+    licenseKey: string;
+    forceRefresh?: boolean;
+}): Promise<{
+    isValid: boolean;
+    response?: NextResponse;
+    payload?: JWTPayload;
+    error?: string;
+}>;
+/**
+ * NextAuth 토큰과 자체 토큰을 모두 확인하는 미들웨어용 함수
+ */
+export declare function verifyAndRefreshTokenWithNextAuth(req: NextRequest, nextAuthToken: any, secret: string, options: {
+    cookiePrefix: string;
+    serviceId: string;
+    isProduction: boolean;
+    cookieDomain?: string;
+    text?: string;
+    ssoBaseURL?: string;
+    authServiceKey?: string;
+    licenseKey: string;
+}): Promise<{
+    isValid: boolean;
+    response?: NextResponse;
+    error?: string;
+    payload?: JWTPayload;
+    token?: any;
+}>;