@anarchitects/auth-nest 0.5.0 → 0.6.0

package/README.md

@@ -1,6 +1,8 @@
 # @anarchitects/auth-nest
 
-NestJS services, controllers, and infrastructure for the Anarchitecture authentication domain. This package wires contract-driven DTOs from `@anarchitects/auth-ts`, orchestrates user lifecycle flows (registration, activation, login/logout, password management, email verification), and persists auth state through pluggable repositories.
+NestJS services, controllers, and infrastructure for the Anarchitecture authentication domain. This package wires contract-driven DTOs from `@anarchitects/auth-ts`, uses Better Auth as the canonical internal auth engine, keeps email/password always enabled, and layers repo-owned RBAC on top of Better Auth-backed user/session state.
+
+Migration guidance for the Better Auth realignment lives in the [auth migration guide](../../../docs/guides/auth-migration.md).
 
 ## Developer + AI Agent Start Here
 
@@ -11,55 +13,82 @@ NestJS services, controllers, and infrastructure for the Anarchitecture authenti
 
 ## Features
 
-- **Application layer** – `JwtAuthService`, `BcryptHashService`, JWT Passport strategy, CASL-based `PoliciesService` and `AbilityFactory` encapsulating business rules for tokens, passwords, and fine-grained access control.
-- **Presentation layer** – `AuthController` exposing REST handlers for the full auth lifecycle, `PoliciesGuard` and `@Policies()` decorator for route-level authorization.
-- **Infrastructure persistence** – `PersistenceModule` with TypeORM entities and repositories (users, roles, permissions, invalidated tokens). Configurable adapters to swap implementations while preserving the application contract.
+- **Application layer** – Better Auth-backed `AuthService`, `BcryptHashService`, CASL-based `PoliciesService`, and `AbilityFactory` encapsulating business rules for sessions, passwords, and fine-grained access control.
+- **Presentation layer** – `AuthController` exposing the package-owned core session-oriented auth lifecycle, `PoliciesGuard` and `@Policies()` decorator for route-level authorization, plus internal plugin controllers such as JWT when enabled.
+- **Infrastructure persistence** – TypeORM entities and repositories for users, roles, permissions, and core Better Auth tables in the `auth` schema. Better Auth database operations are bridged internally through the published `@anarchitects/better-auth-typeorm-adapter`, while this repo keeps the Nest wrapper, entity registration, and migrations local. Plugin-specific tables and plugin-owned persistence such as JWT invalidation stay with their plugin modules.
 - **Infrastructure mailer** – `AuthMailerModule` wrapper over shared `CommonMailerModule.forRoot(...)` provider wiring; `NodeMailerAdapter` is re-exported for compatibility.
-- **Config** – Typed `authConfig` namespace using `@nestjs/config` with an `InjectAuthConfig()` helper decorator.
+- **Config** – Typed `authConfig` namespace using `@nestjs/config` with a Better Auth core config branch and typed plugin configuration.
 
 ## Installation
 
 ```bash
-npm install @anarchitects/auth-nest @nestjs/common @nestjs/config @nestjs/core @nestjs/jwt @nestjs/passport @nestjs/platform-fastify @nestjs/typeorm typeorm
+npm install @anarchitects/auth-nest @nestjs/common @nestjs/config @nestjs/core @nestjs/jwt @nestjs/platform-fastify @nestjs/typeorm typeorm
 # or
-yarn add @anarchitects/auth-nest @nestjs/common @nestjs/config @nestjs/core @nestjs/jwt @nestjs/passport @nestjs/platform-fastify @nestjs/typeorm typeorm
+yarn add @anarchitects/auth-nest @nestjs/common @nestjs/config @nestjs/core @nestjs/jwt @nestjs/platform-fastify @nestjs/typeorm typeorm
 ```
 
 Peer requirements:
 
-- `@nestjs/common`, `@nestjs/core`, `@nestjs/jwt`, `@nestjs/typeorm`, `@nestjs/config`, `@nestjs/passport`
+- `@nestjs/common`, `@nestjs/core`, `@nestjs/jwt`, `@nestjs/typeorm`, `@nestjs/config`
 - `@nestjs/platform-fastify`, `typeorm`
 
-The internal `@anarchitects/auth-ts` and `@anarchitects/common-nest-mailer` packages are installed transitively. Runtime utilities such as `@casl/ability`, `bcrypt`, and `passport-jwt` are direct dependencies of this package. Add `@nestjs-modules/mailer` only when your host app enables the shared/common mailer integration.
+The internal `@anarchitects/auth-ts` and `@anarchitects/common-nest-mailer` packages are installed transitively. The published community package `@anarchitects/better-auth-typeorm-adapter` is also installed transitively and used internally by `@anarchitects/auth-nest`; consumers do not need to wire it directly when using this package facade. Runtime utilities such as `@casl/ability`, `bcrypt`, `better-auth`, and `@better-auth/passkey` are direct dependencies of this package. Add `@nestjs-modules/mailer` only when your host app enables the shared/common mailer integration.
+
+## Better Auth Adapter Boundary
+
+`@anarchitects/auth-nest` now consumes the published `@anarchitects/better-auth-typeorm-adapter` package internally for Better Auth database composition.
+
+- The community package provides only the framework-neutral Better Auth `database` adapter.
+- This repo still owns the Nest wrapper, dependency injection, TypeORM entities, migrations, and plugin model registration.
+- This internal swap does not add a new public Nest API or change the existing `AuthModule` / `AuthApplicationModule` integration surface.
+
+Maintainers can validate the published npm artifact integration path with:
+
+```bash
+yarn nx run auth-nest:test-published-adapter
+```
+
+That target boots `auth-nest` against ephemeral PostgreSQL and exercises the real published adapter package through the host repo's Nest integration path. It requires Docker or another supported local container runtime because the suite provisions PostgreSQL through `testcontainers`.
 
 ## Exports
 
-| Import path                                          | Contents                                                                                                                                         |
-| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `@anarchitects/auth-nest`                            | `AuthModule.forRoot(...)`, `AuthModule.forRootFromConfig(...)`, plus re-exports of layered entry points for convenience                          |
-| `@anarchitects/auth-nest/application`                | `AuthApplicationModule`, `AuthService`, `JwtAuthService`, `HashService`, `BcryptHashService`, `PoliciesService`, `AbilityFactory`, `JwtStrategy`, resource-authorization helpers/types |
+| Import path                                          | Contents                                                                                                                                                                 |
+| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `@anarchitects/auth-nest`                            | `AuthModule.forRoot(...)`, `AuthModule.forRootFromConfig(...)`, plus re-exports of layered entry points for convenience                                                  |
+| `@anarchitects/auth-nest/application`                | `AuthApplicationModule`, `AuthService`, `HashService`, `BcryptHashService`, `PoliciesService`, `AbilityFactory`, resource-authorization helpers/types                    |
 | `@anarchitects/auth-nest/presentation`               | `AuthPresentationModule`, `AuthController`, `PoliciesGuard`, `ResourceAuthorizationGuard`, `@Policies()`, `@AuthorizeResource()`, `@AuthorizedResource()`, `RoutePolicy` |
-| `@anarchitects/auth-nest/infrastructure-persistence` | `AuthPersistenceModule`, `AuthUserRepository`, `TypeormAuthUserRepository`, migration                                                            |
-| `@anarchitects/auth-nest/infrastructure-mailer`      | `AuthMailerModule`, `NodeMailerAdapter`                                                                                                          |
-| `@anarchitects/auth-nest/config`                     | `authConfig`, `AuthConfig` type, `InjectAuthConfig()`                                                                                            |
+| `@anarchitects/auth-nest/infrastructure-persistence` | `AuthPersistenceModule`, compatibility export for `AuthUserRepository`, and persistence module option types                                                              |
+| `@anarchitects/auth-nest/infrastructure-mailer`      | `AuthMailerModule`, `NodeMailerAdapter`                                                                                                                                  |
+| `@anarchitects/auth-nest/config`                     | `authConfig`, `AuthConfig` type, `InjectAuthConfig()`                                                                                                                    |
 
 ## Configuration
 
 The library reads configuration through `@nestjs/config` using a namespaced `authConfig` registered under the key `auth`. Set the following environment variables to customise behaviour:
 
-| Variable                    | Description                                                                          | Default                  |
-| --------------------------- | ------------------------------------------------------------------------------------ | ------------------------ |
-| `AUTH_JWT_SECRET`           | Secret key used to sign and verify JWTs. **Must** be overridden in production.       | `default_jwt_secret`     |
-| `AUTH_JWT_EXPIRATION`       | Token lifetime (e.g. `3600s`, `15m`, `1d`).                                          | `3600s`                  |
-| `AUTH_JWT_AUDIENCE`         | Expected `aud` claim in the JWT.                                                     | `your_audience`          |
-| `AUTH_JWT_ISSUER`           | Expected `iss` claim in the JWT.                                                     | `your_issuer`            |
-| `AUTH_ENCRYPTION_ALGORITHM` | Password hashing algorithm (`bcrypt`).                                               | `bcrypt`                 |
-| `AUTH_ENCRYPTION_KEY`       | Symmetric key for additional encryption needs. **Must** be overridden in production. | `default_encryption_key` |
-| `AUTH_PERSISTENCE`          | Persistence adapter key used by `forRootFromConfig(...)`.                            | `typeorm`                |
-| `AUTH_MAILER_PROVIDER`      | Domain mailer provider for `forRootFromConfig(...)` (`node` or `noop`).              | `node`                   |
-| `AUTH_STRATEGIES`           | Comma-separated auth strategies for config-driven module composition.                | `jwt`                    |
-
-> **Security note:** The defaults for `AUTH_JWT_SECRET` and `AUTH_ENCRYPTION_KEY` are intentionally insecure placeholders. Always provide strong, unique values in any deployed environment.
+| Variable                                       | Description                                                             | Default                               |
+| ---------------------------------------------- | ----------------------------------------------------------------------- | ------------------------------------- |
+| `AUTH_BETTER_AUTH_BASE_URL`                    | Better Auth base URL used for internal route generation.                | `http://localhost:3000/api/auth`      |
+| `AUTH_BETTER_AUTH_SECRET`                      | Better Auth secret. **Must** be overridden in production.               | `better-auth-secret-32-chars-minimum` |
+| `AUTH_BETTER_AUTH_VERIFY_EMAIL_CALLBACK_URL`   | App-facing callback URL embedded in verification emails.                | `<base-url origin>/verify-email`      |
+| `AUTH_BETTER_AUTH_RESET_PASSWORD_CALLBACK_URL` | App-facing callback URL embedded in password reset emails.              | `<base-url origin>/reset-password`    |
+| `AUTH_PLUGIN_JWT_ENABLED`                      | Enables the internal JWT plugin routes.                                 | `false`                               |
+| `AUTH_PLUGIN_JWT_SECRET`                       | Secret key used by the JWT plugin. **Must** be overridden when enabled. | `default_jwt_secret`                  |
+| `AUTH_PLUGIN_JWT_EXPIRATION`                   | JWT plugin token lifetime (e.g. `3600s`, `15m`, `1d`).                  | `3600s`                               |
+| `AUTH_PLUGIN_JWT_AUDIENCE`                     | Expected `aud` claim for JWT plugin tokens.                             | `your_audience`                       |
+| `AUTH_PLUGIN_JWT_ISSUER`                       | Expected `iss` claim for JWT plugin tokens.                             | `your_issuer`                         |
+| `AUTH_PLUGIN_PASSKEYS_ENABLED`                 | Enables the passkeys plugin.                                            | `false`                               |
+| `AUTH_PLUGIN_PASSKEY_RP_ID`                    | Passkey relying-party ID.                                               | `localhost`                           |
+| `AUTH_PLUGIN_PASSKEY_RP_NAME`                  | Passkey relying-party display name.                                     | `Anarchitecture Auth`                 |
+| `AUTH_PLUGIN_PASSKEY_ORIGIN`                   | Explicit passkey origin when needed.                                    | unset                                 |
+| `AUTH_PLUGIN_SOCIAL_ENABLED`                   | Enables social auth plugins.                                            | `false`                               |
+| `AUTH_PLUGIN_SOCIAL_GITHUB_CLIENT_ID`          | GitHub social sign-in client ID.                                        | unset                                 |
+| `AUTH_PLUGIN_SOCIAL_GITHUB_CLIENT_SECRET`      | GitHub social sign-in client secret.                                    | unset                                 |
+| `AUTH_PLUGIN_OIDC_ENABLED`                     | Enables future OIDC plugin wiring.                                      | `false`                               |
+| `AUTH_ENCRYPTION_ALGORITHM`                    | Password hashing algorithm (`bcrypt`).                                  | `bcrypt`                              |
+| `AUTH_ENCRYPTION_KEY`                          | Symmetric key for additional encryption needs. **Must** be overridden.  | `default_encryption_key`              |
+| `AUTH_MAILER_PROVIDER`                         | Domain mailer provider for `forRootFromConfig(...)` (`node` or `noop`). | `node`                                |
+
+> **Security note:** The defaults for `AUTH_BETTER_AUTH_SECRET`, `AUTH_PLUGIN_JWT_SECRET`, and `AUTH_ENCRYPTION_KEY` are intentionally insecure placeholders. Always provide strong, unique values in any deployed environment.
 
 ### Injecting the config
 
@@ -71,7 +100,7 @@ export class MyService {
   constructor(@InjectAuthConfig() private readonly config: AuthConfig) {}
 
   someMethod() {
-    const secret = this.config.jwtSecret;
+    const secret = this.config.betterAuth.secret;
   }
 }
 ```
@@ -109,14 +138,10 @@ import { authConfig } from '@anarchitects/auth-nest/config';
     AuthModule.forRoot({
       presentation: {
         application: {
-          authStrategies: ['jwt'],
           encryption: {
             algorithm: 'bcrypt',
             key: process.env.AUTH_ENCRYPTION_KEY!,
           },
-          persistence: {
-            persistence: 'typeorm',
-          },
         },
       },
       mailer: {
@@ -161,21 +186,17 @@ import { AuthMailerModule } from '@anarchitects/auth-nest/infrastructure-mailer'
     }),
     CommonMailerModule.forRootFromConfig(),
     AuthApplicationModule.forRoot({
-      authStrategies: ['jwt'],
       encryption: {
         algorithm: 'bcrypt',
         key: process.env.AUTH_ENCRYPTION_KEY!,
       },
-      persistence: { persistence: 'typeorm' },
     }),
     AuthPresentationModule.forRoot({
       application: {
-        authStrategies: ['jwt'],
         encryption: {
           algorithm: 'bcrypt',
           key: process.env.AUTH_ENCRYPTION_KEY!,
         },
-        persistence: { persistence: 'typeorm' },
       },
     }),
     AuthMailerModule.forRoot({
@@ -188,6 +209,27 @@ export class AuthApiModule {}
 
 Use layered composition when you need to replace or selectively compose infrastructure/application concerns.
 
+### Optional JWT plugin
+
+Core auth remains session-first. Only enable the JWT plugin when the host app explicitly needs token-based routes:
+
+```ts
+AuthModule.forRoot({
+  presentation: {
+    application: {
+      plugins: {
+        jwt: {
+          enabled: true,
+          secret: process.env.AUTH_PLUGIN_JWT_SECRET!,
+        },
+      },
+    },
+  },
+});
+```
+
+That mounts the plugin-owned `/auth/jwt/login`, `/auth/jwt/logout`, and `/auth/jwt/refresh` routes alongside the package-owned core session routes.
+
 ## Mailer Migration Note
 
 `AuthMailerModule` is now adapter-only. It wraps shared `CommonMailerModule.forRoot(...)`
@@ -202,12 +244,12 @@ The shared mailer DI contract (`MailerPort`) and concrete `NodeMailerAdapter` no
 
 ```ts
 import { Controller, Post, Body } from '@nestjs/common';
-import { JwtAuthService } from '@anarchitects/auth-nest/application';
+import { AuthService } from '@anarchitects/auth-nest/application';
 import { LoginRequestDTO } from '@anarchitects/auth-ts/dtos';
 
 @Controller('auth')
 export class AuthController {
-  constructor(private readonly authService: JwtAuthService) {}
+  constructor(private readonly authService: AuthService) {}
 
   @Post('login')
   login(@Body() dto: LoginRequestDTO) {
@@ -216,14 +258,6 @@ export class AuthController {
 }
 ```
 
-### Token invalidation
-
-```ts
-import { TypeormAuthUserRepository } from '@anarchitects/auth-nest/infrastructure-persistence';
-
-await authUserRepository.invalidateTokens([hashedAccessToken, hashedRefreshToken], userId);
-```
-
 ### Route-level authorization with policies
 
 ```ts
@@ -292,19 +326,26 @@ The library owns authorization orchestration. The host app still owns how domain
 
 The `AuthController` exposes the following routes (all prefixed with `/auth`):
 
-| Method  | Path                            | Description                            |
-| ------- | ------------------------------- | -------------------------------------- |
-| `POST`  | `/auth/register`                | Register a new user                    |
-| `PATCH` | `/auth/activate`                | Activate a user account                |
-| `POST`  | `/auth/login`                   | Log in and receive JWT tokens          |
-| `POST`  | `/auth/logout`                  | Log out and invalidate tokens          |
-| `PATCH` | `/auth/change-password/:userId` | Change password for a user             |
-| `POST`  | `/auth/forgot-password`         | Request a password-reset email         |
-| `POST`  | `/auth/reset-password`          | Reset password with token              |
-| `POST`  | `/auth/verify-email`            | Verify an email address                |
-| `PATCH` | `/auth/update-email/:userId`    | Update email for a user                |
-| `POST`  | `/auth/refresh-tokens/:userId`  | Refresh access/refresh tokens          |
-| `GET`   | `/auth/me`                      | Get logged-in user info and RBAC rules |
+| Method  | Path                            | Description                                |
+| ------- | ------------------------------- | ------------------------------------------ |
+| `POST`  | `/auth/register`                | Register a new user                        |
+| `PATCH` | `/auth/activate`                | Activate a user account                    |
+| `POST`  | `/auth/login`                   | Log in and establish a Better Auth session |
+| `POST`  | `/auth/logout`                  | Log out and clear the Better Auth session  |
+| `PATCH` | `/auth/change-password/:userId` | Change password for a user                 |
+| `POST`  | `/auth/forgot-password`         | Request a password-reset email             |
+| `POST`  | `/auth/reset-password`          | Reset password with token                  |
+| `POST`  | `/auth/verify-email`            | Verify an email address                    |
+| `PATCH` | `/auth/update-email/:userId`    | Update email for a user                    |
+| `GET`   | `/auth/me`                      | Get logged-in user info and RBAC rules     |
+
+When the JWT plugin is enabled, these plugin-owned routes are also mounted:
+
+| Method | Path                | Description                    |
+| ------ | ------------------- | ------------------------------ |
+| `POST` | `/auth/jwt/login`   | Log in and receive JWT tokens  |
+| `POST` | `/auth/jwt/logout`  | Invalidate JWT plugin tokens   |
+| `POST` | `/auth/jwt/refresh` | Refresh JWT plugin token pairs |
 
 ## Nx scripts
 

package/package.json

@@ -1,17 +1,18 @@
 {
   "name": "@anarchitects/auth-nest",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "type": "commonjs",
   "main": "./src/index.js",
   "types": "./src/index.d.ts",
   "dependencies": {
+    "@anarchitects/better-auth-typeorm-adapter": "0.1.0",
     "@better-auth/passkey": "^1.5.6",
-    "@anarchitects/auth-ts": "^0.5.0",
-    "@anarchitects/common-nest-mailer": "^0.3.0",
+    "@anarchitects/auth-ts": "^0.6.0",
+    "@anarchitects/common-nest-mailer": "^0.3.1",
     "@casl/ability": "^6.7.3",
+    "@opentelemetry/api": "^1.9.0",
     "bcrypt": "^6.0.0",
     "better-auth": "^1.5.6",
-    "passport-jwt": "^4.0.1",
     "tslib": "^2.3.0",
     "uuidv7": "^1.0.2"
   },
@@ -20,7 +21,6 @@
     "@nestjs/config": "^4.0.2",
     "@nestjs/core": "^11.0.0",
     "@nestjs/jwt": "^11.0.1",
-    "@nestjs/passport": "^11.0.5",
     "@nestjs/platform-fastify": "^11.1.6",
     "@nestjs/typeorm": "^11.0.0",
     "typeorm": "^0.3.27"
@@ -56,6 +56,26 @@
   "bugs": {
     "url": "https://github.com/anarchitects/anarchitecture-bricks-3tier/issues"
   },
+  "nx": {
+    "targets": {
+      "test-published-adapter": {
+        "executor": "nx:run-commands",
+        "dependsOn": [
+          "build"
+        ],
+        "options": {
+          "command": "yarn node tools/testing/run-auth-nest-published-adapter-smoke.mjs"
+        },
+        "parallelism": false,
+        "cache": true,
+        "inputs": [
+          "default",
+          "^production",
+          "{workspaceRoot}/jest.preset.js"
+        ]
+      }
+    }
+  },
   "exports": {
     "./package.json": "./package.json",
     ".": {

package/src/application/application.module.js

@@ -7,26 +7,28 @@ const config_1 = require("@nestjs/config");
 const jwt_1 = require("@nestjs/jwt");
 const config_2 = require("../config");
 const better_auth_auth_engine_adapter_1 = require("../infrastructure-engine/better-auth/better-auth-auth-engine.adapter");
-const legacy_jwt_auth_engine_adapter_1 = require("../infrastructure-engine/legacy-jwt-auth-engine.adapter");
+const better_auth_jwt_plugin_service_1 = require("../infrastructure-engine/better-auth/plugins/jwt/better-auth-jwt-plugin.service");
+const better_auth_jwt_typeorm_support_module_1 = require("../infrastructure-engine/better-auth/plugins/jwt/better-auth-jwt-typeorm-support.module");
+const better_auth_passkeys_typeorm_support_module_1 = require("../infrastructure-engine/better-auth/plugins/passkeys/better-auth-passkeys-typeorm-support.module");
+const better_auth_typeorm_adapter_persistence_adapter_1 = require("../infrastructure-engine/better-auth/better-auth-typeorm-adapter-persistence.adapter");
 const infrastructure_persistence_1 = require("../infrastructure-persistence");
 const application_module_definition_1 = require("./application.module-definition");
 const ability_factory_1 = require("./factories/ability.factory");
 const resource_authorization_tokens_1 = require("./resource-authorization.tokens");
 const auth_engine_port_1 = require("./services/auth-engine.port");
+const better_auth_database_port_1 = require("./services/better-auth-database.port");
 const auth_orchestration_service_1 = require("./services/auth-orchestration.service");
 const auth_service_1 = require("./services/auth.service");
 const bcrypt_hash_service_1 = require("./services/bcrypt-hash.service");
 const hash_service_1 = require("./services/hash.service");
-const jwt_auth_service_1 = require("./services/jwt-auth.service");
 const policies_service_1 = require("./services/policies.service");
-const jwt_strategy_1 = require("./strategies/jwt-strategy");
 let AuthApplicationModule = class AuthApplicationModule extends application_module_definition_1.ConfigurableModuleClass {
     static forRoot(options = {}) {
         const resolvedOptions = (0, config_2.resolveAuthApplicationModuleOptions)(options);
-        const { authStrategies, engine, encryption, persistence, resourceAuthorization, } = resolvedOptions;
+        const { encryption, resourceAuthorization } = resolvedOptions;
         const imports = [
             config_1.ConfigModule.forFeature(config_2.authConfig),
-            infrastructure_persistence_1.AuthPersistenceModule.forRoot(persistence),
+            infrastructure_persistence_1.AuthPersistenceModule.forRoot(),
         ];
         const providers = [];
         const exports = [];
@@ -49,45 +51,44 @@ let AuthApplicationModule = class AuthApplicationModule extends application_modu
             default:
                 throw new Error(`Unsupported encryption algorithm: ${encryption.algorithm}`);
         }
-        if (authStrategies.includes('jwt')) {
+        if (resolvedOptions.plugins.jwt.enabled) {
+            imports.push(better_auth_jwt_typeorm_support_module_1.BetterAuthJwtTypeormSupportModule);
             imports.push(jwt_1.JwtModule.registerAsync({
                 imports: [config_1.ConfigModule.forFeature(config_2.authConfig)],
                 inject: [config_2.authConfig.KEY],
-                useFactory: (authConfig) => ({
-                    secret: authConfig.jwtSecret,
+                useFactory: (config) => ({
+                    secret: config.plugins.jwt.secret,
                     signOptions: {
-                        expiresIn: parseInt(authConfig.jwtExpiration, 10),
-                        audience: authConfig.jwtAudience,
-                        issuer: authConfig.jwtIssuer,
+                        expiresIn: config.plugins.jwt.expiration,
+                        audience: config.plugins.jwt.audience,
+                        issuer: config.plugins.jwt.issuer,
                     },
                 }),
             }));
-            providers.push(auth_orchestration_service_1.AuthOrchestrationService, jwt_strategy_1.JwtStrategy, {
-                provide: auth_service_1.AuthService,
-                useExisting: auth_orchestration_service_1.AuthOrchestrationService,
-            }, {
-                provide: jwt_auth_service_1.JwtAuthService,
-                useExisting: auth_orchestration_service_1.AuthOrchestrationService,
-            });
-            exports.push(auth_service_1.AuthService);
         }
-        if (engine === 'better-auth') {
-            providers.push(better_auth_auth_engine_adapter_1.BetterAuthAuthEngineAdapter, {
-                provide: auth_engine_port_1.AuthEnginePort,
-                useExisting: better_auth_auth_engine_adapter_1.BetterAuthAuthEngineAdapter,
-            });
+        if (resolvedOptions.plugins.passkeys.enabled) {
+            imports.push(better_auth_passkeys_typeorm_support_module_1.BetterAuthPasskeysTypeormSupportModule);
         }
-        else {
-            providers.push(legacy_jwt_auth_engine_adapter_1.LegacyJwtAuthEngineAdapter, {
-                provide: auth_engine_port_1.AuthEnginePort,
-                useExisting: legacy_jwt_auth_engine_adapter_1.LegacyJwtAuthEngineAdapter,
-            });
+        providers.push(auth_orchestration_service_1.AuthOrchestrationService, {
+            provide: auth_service_1.AuthService,
+            useExisting: auth_orchestration_service_1.AuthOrchestrationService,
+        }, better_auth_typeorm_adapter_persistence_adapter_1.BetterAuthTypeormDatabaseAdapter, {
+            provide: better_auth_database_port_1.BetterAuthDatabasePort,
+            useExisting: better_auth_typeorm_adapter_persistence_adapter_1.BetterAuthTypeormDatabaseAdapter,
+        }, better_auth_auth_engine_adapter_1.BetterAuthAuthEngineAdapter, {
+            provide: auth_engine_port_1.AuthEnginePort,
+            useExisting: better_auth_auth_engine_adapter_1.BetterAuthAuthEngineAdapter,
+        });
+        exports.push(auth_service_1.AuthService);
+        if (resolvedOptions.plugins.jwt.enabled) {
+            providers.push(better_auth_jwt_plugin_service_1.BetterAuthJwtPluginService);
         }
+        const baseModule = super.forRoot(resolvedOptions);
         return {
-            ...super.forRoot(resolvedOptions),
-            imports,
-            providers,
-            exports,
+            ...baseModule,
+            imports: [...(baseModule.imports ?? []), ...imports],
+            providers: [...(baseModule.providers ?? []), ...providers],
+            exports: [...(baseModule.exports ?? []), ...exports],
         };
     }
     static forRootFromConfig(overrides = {}) {
@@ -95,13 +96,37 @@ let AuthApplicationModule = class AuthApplicationModule extends application_modu
         const moduleDefinition = this.forRoot({
             ...configOptions,
             ...overrides,
+            betterAuth: {
+                ...configOptions.betterAuth,
+                ...overrides.betterAuth,
+                callbackUrls: {
+                    ...configOptions.betterAuth?.callbackUrls,
+                    ...overrides.betterAuth?.callbackUrls,
+                },
+            },
             encryption: {
                 ...configOptions.encryption,
                 ...overrides.encryption,
             },
-            persistence: {
-                ...configOptions.persistence,
-                ...overrides.persistence,
+            plugins: {
+                ...configOptions.plugins,
+                ...overrides.plugins,
+                jwt: {
+                    ...configOptions.plugins?.jwt,
+                    ...overrides.plugins?.jwt,
+                },
+                passkeys: {
+                    ...configOptions.plugins?.passkeys,
+                    ...overrides.plugins?.passkeys,
+                },
+                social: {
+                    ...configOptions.plugins?.social,
+                    ...overrides.plugins?.social,
+                },
+                oidc: {
+                    ...configOptions.plugins?.oidc,
+                    ...overrides.plugins?.oidc,
+                },
             },
         });
         return {

package/src/application/application.module.js.map

@@ -1 +1 @@
-{"version":3,"file":"application.module.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/application.module.ts"],"names":[],"mappings":";;;;AAAA,2CAAuD;AACvD,2CAA8C;AAC9C,qCAAwC;AAExC,sCAKmB;AACnB,0HAAmH;AACnH,4GAAqG;AACrG,8EAAsE;AACtE,mFAGyC;AACzC,iEAA6D;AAC7D,mFAAsF;AACtF,kEAA6D;AAC7D,sFAAiF;AACjF,0DAAsD;AACtD,wEAAmE;AACnE,0DAAsD;AACtD,kEAA6D;AAC7D,kEAA8D;AAC9D,4DAAwD;AAGjD,IAAM,qBAAqB,GAA3B,MAAM,qBAAsB,SAAQ,uDAAuB;IAChE,MAAM,CAAC,OAAO,CAAC,UAAwC,EAAE;QACvD,MAAM,eAAe,GACnB,IAAA,4CAAmC,EAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,EACJ,cAAc,EACd,MAAM,EACN,UAAU,EACV,WAAW,EACX,qBAAqB,GACtB,GAAG,eAAe,CAAC;QACpB,MAAM,OAAO,GAAG;YACd,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC;YACnC,kDAAqB,CAAC,OAAO,CAAC,WAAW,CAAC;SAC3C,CAAC;QACF,MAAM,SAAS,GAAG,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,EAAE,CAAC;QAEnB,SAAS,CAAC,IAAI,CAAC,gCAAc,EAAE,kCAAe,EAAE;YAC9C,OAAO,EAAE,mEAAmC;YAC5C,QAAQ,EAAE,qBAAqB,CAAC,OAAO;SACxC,CAAC,CAAC;QACH,OAAO,CAAC,IAAI,CAAC,mEAAmC,EAAE,kCAAe,CAAC,CAAC;QAEnE,QAAQ,UAAU,CAAC,SAAS,EAAE,CAAC;YAC7B,KAAK,QAAQ;gBACX,SAAS,CAAC,IAAI,CAAC,uCAAiB,EAAE;oBAChC,OAAO,EAAE,0BAAW;oBACpB,WAAW,EAAE,uCAAiB;iBAC/B,CAAC,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,0BAAW,CAAC,CAAC;gBAC1B,MAAM;YACR,KAAK,QAAQ;gBACX,gEAAgE;gBAChE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D;gBACE,MAAM,IAAI,KAAK,CACb,qCAAqC,UAAU,CAAC,SAAS,EAAE,CAC5D,CAAC;QACN,CAAC;QAED,IAAI,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CACV,eAAS,CAAC,aAAa,CAAC;gBACtB,OAAO,EAAE,CAAC,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC,CAAC;gBAC9C,MAAM,EAAE,CAAC,mBAAU,CAAC,GAAG,CAAC;gBACxB,UAAU,EAAE,CAAC,UAAsB,EAAE,EAAE,CAAC,CAAC;oBACvC,MAAM,EAAE,UAAU,CAAC,SAAS;oBAC5B,WAAW,EAAE;wBACX,SAAS,EAAE,QAAQ,CAAC,UAAU,CAAC,aAAa,EAAE,EAAE,CAAC;wBACjD,QAAQ,EAAE,UAAU,CAAC,WAAW;wBAChC,MAAM,EAAE,UAAU,CAAC,SAAS;qBAC7B;iBACF,CAAC;aACH,CAAC,CACH,CAAC;YAEF,SAAS,CAAC,IAAI,CACZ,qDAAwB,EACxB,0BAAW,EACX;gBACE,OAAO,EAAE,0BAAW;gBACpB,WAAW,EAAE,qDAAwB;aACtC,EACD;gBACE,OAAO,EAAE,iCAAc;gBACvB,WAAW,EAAE,qDAAwB;aACtC,CACF,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,0BAAW,CAAC,CAAC;QAC5B,CAAC;QAED,IAAI,MAAM,KAAK,aAAa,EAAE,CAAC;YAC7B,SAAS,CAAC,IAAI,CAAC,6DAA2B,EAAE;gBAC1C,OAAO,EAAE,iCAAc;gBACvB,WAAW,EAAE,6DAA2B;aACzC,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,IAAI,CAAC,2DAA0B,EAAE;gBACzC,OAAO,EAAE,iCAAc;gBACvB,WAAW,EAAE,2DAA0B;aACxC,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC;YACjC,OAAO;YACP,SAAS;YACT,OAAO;SACR,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,iBAAiB,CACtB,YAA0C,EAAE;QAE5C,MAAM,aAAa,GAAG,IAAA,gDAAuC,EAAC,IAAA,mBAAU,GAAE,CAAC,CAAC;QAC5E,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC;YACpC,GAAG,aAAa;YAChB,GAAG,SAAS;YACZ,UAAU,EAAE;gBACV,GAAG,aAAa,CAAC,UAAU;gBAC3B,GAAG,SAAS,CAAC,UAAU;aACxB;YACD,WAAW,EAAE;gBACX,GAAG,aAAa,CAAC,WAAW;gBAC5B,GAAG,SAAS,CAAC,WAAW;aACzB;SACF,CAAC,CAAC;QAEH,OAAO;YACL,GAAG,gBAAgB;YACnB,OAAO,EAAE;gBACP,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC;gBACnC,GAAG,CAAC,gBAAgB,CAAC,OAAO,IAAI,EAAE,CAAC;aACpC;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AArHY,sDAAqB;gCAArB,qBAAqB;IADjC,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,qBAAqB,CAqHjC"}
+{"version":3,"file":"application.module.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/application.module.ts"],"names":[],"mappings":";;;;AAAA,2CAA6D;AAC7D,2CAA8C;AAC9C,qCAAwC;AAExC,sCAKmB;AACnB,0HAAmH;AACnH,oIAA6H;AAC7H,oJAA4I;AAC5I,mKAA2J;AAC3J,0JAAwI;AACxI,8EAAsE;AACtE,mFAGyC;AACzC,iEAA6D;AAC7D,mFAAsF;AACtF,kEAA6D;AAC7D,oFAA8E;AAC9E,sFAAiF;AACjF,0DAAsD;AACtD,wEAAmE;AACnE,0DAAsD;AACtD,kEAA8D;AAGvD,IAAM,qBAAqB,GAA3B,MAAM,qBAAsB,SAAQ,uDAAuB;IAChE,MAAM,CAAC,OAAO,CAAC,UAAwC,EAAE;QACvD,MAAM,eAAe,GACnB,IAAA,4CAAmC,EAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,EAAE,UAAU,EAAE,qBAAqB,EAAE,GAAG,eAAe,CAAC;QAC9D,MAAM,OAAO,GAAyC;YACpD,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC;YACnC,kDAAqB,CAAC,OAAO,EAAE;SAChC,CAAC;QACF,MAAM,SAAS,GAAG,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,EAAE,CAAC;QAEnB,SAAS,CAAC,IAAI,CAAC,gCAAc,EAAE,kCAAe,EAAE;YAC9C,OAAO,EAAE,mEAAmC;YAC5C,QAAQ,EAAE,qBAAqB,CAAC,OAAO;SACxC,CAAC,CAAC;QACH,OAAO,CAAC,IAAI,CAAC,mEAAmC,EAAE,kCAAe,CAAC,CAAC;QAEnE,QAAQ,UAAU,CAAC,SAAS,EAAE,CAAC;YAC7B,KAAK,QAAQ;gBACX,SAAS,CAAC,IAAI,CAAC,uCAAiB,EAAE;oBAChC,OAAO,EAAE,0BAAW;oBACpB,WAAW,EAAE,uCAAiB;iBAC/B,CAAC,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,0BAAW,CAAC,CAAC;gBAC1B,MAAM;YACR,KAAK,QAAQ;gBACX,gEAAgE;gBAChE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D;gBACE,MAAM,IAAI,KAAK,CACb,qCAAqC,UAAU,CAAC,SAAS,EAAE,CAC5D,CAAC;QACN,CAAC;QAED,IAAI,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC,0EAAiC,CAAC,CAAC;YAChD,OAAO,CAAC,IAAI,CACV,eAAS,CAAC,aAAa,CAAC;gBACtB,OAAO,EAAE,CAAC,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC,CAAC;gBAC9C,MAAM,EAAE,CAAC,mBAAU,CAAC,GAAG,CAAC;gBACxB,UAAU,EAAE,CAAC,MAAkB,EAAE,EAAE,CAAC,CAAC;oBACnC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM;oBACjC,WAAW,EAAE;wBACX,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,UAAmB;wBACjD,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ;wBACrC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM;qBAClC;iBACF,CAAC;aACH,CAAC,CACH,CAAC;QACJ,CAAC;QAED,IAAI,eAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC7C,OAAO,CAAC,IAAI,CAAC,oFAAsC,CAAC,CAAC;QACvD,CAAC;QAED,SAAS,CAAC,IAAI,CACZ,qDAAwB,EACxB;YACE,OAAO,EAAE,0BAAW;YACpB,WAAW,EAAE,qDAAwB;SACtC,EACD,kFAAgC,EAChC;YACE,OAAO,EAAE,kDAAsB;YAC/B,WAAW,EAAE,kFAAgC;SAC9C,EACD,6DAA2B,EAC3B;YACE,OAAO,EAAE,iCAAc;YACvB,WAAW,EAAE,6DAA2B;SACzC,CACF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,0BAAW,CAAC,CAAC;QAE1B,IAAI,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACxC,SAAS,CAAC,IAAI,CAAC,2DAA0B,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAElD,OAAO;YACL,GAAG,UAAU;YACb,OAAO,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,GAAG,OAAO,CAAC;YACpD,SAAS,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,IAAI,EAAE,CAAC,EAAE,GAAG,SAAS,CAAC;YAC1D,OAAO,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,GAAG,OAAO,CAAC;SACrD,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,iBAAiB,CACtB,YAA0C,EAAE;QAE5C,MAAM,aAAa,GAAG,IAAA,gDAAuC,EAAC,IAAA,mBAAU,GAAE,CAAC,CAAC;QAC5E,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC;YACpC,GAAG,aAAa;YAChB,GAAG,SAAS;YACZ,UAAU,EAAE;gBACV,GAAG,aAAa,CAAC,UAAU;gBAC3B,GAAG,SAAS,CAAC,UAAU;gBACvB,YAAY,EAAE;oBACZ,GAAG,aAAa,CAAC,UAAU,EAAE,YAAY;oBACzC,GAAG,SAAS,CAAC,UAAU,EAAE,YAAY;iBACtC;aACF;YACD,UAAU,EAAE;gBACV,GAAG,aAAa,CAAC,UAAU;gBAC3B,GAAG,SAAS,CAAC,UAAU;aACxB;YACD,OAAO,EAAE;gBACP,GAAG,aAAa,CAAC,OAAO;gBACxB,GAAG,SAAS,CAAC,OAAO;gBACpB,GAAG,EAAE;oBACH,GAAG,aAAa,CAAC,OAAO,EAAE,GAAG;oBAC7B,GAAG,SAAS,CAAC,OAAO,EAAE,GAAG;iBAC1B;gBACD,QAAQ,EAAE;oBACR,GAAG,aAAa,CAAC,OAAO,EAAE,QAAQ;oBAClC,GAAG,SAAS,CAAC,OAAO,EAAE,QAAQ;iBAC/B;gBACD,MAAM,EAAE;oBACN,GAAG,aAAa,CAAC,OAAO,EAAE,MAAM;oBAChC,GAAG,SAAS,CAAC,OAAO,EAAE,MAAM;iBAC7B;gBACD,IAAI,EAAE;oBACJ,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI;oBAC9B,GAAG,SAAS,CAAC,OAAO,EAAE,IAAI;iBAC3B;aACF;SACF,CAAC,CAAC;QAEH,OAAO;YACL,GAAG,gBAAgB;YACnB,OAAO,EAAE;gBACP,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC;gBACnC,GAAG,CAAC,gBAAgB,CAAC,OAAO,IAAI,EAAE,CAAC;aACpC;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AA3IY,sDAAqB;gCAArB,qBAAqB;IADjC,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,qBAAqB,CA2IjC"}

package/src/application/index.d.ts

@@ -6,7 +6,5 @@ export * from './resource-authorization.types';
 export * from './services/auth.service';
 export * from './services/bcrypt-hash.service';
 export * from './services/hash.service';
-export * from './services/jwt-auth.service';
 export * from './services/policies.service';
 export * from './services/resource-authorization';
-export * from './strategies/jwt-strategy';

package/src/application/index.js

@@ -8,8 +8,6 @@ tslib_1.__exportStar(require("./resource-authorization.types"), exports);
 tslib_1.__exportStar(require("./services/auth.service"), exports);
 tslib_1.__exportStar(require("./services/bcrypt-hash.service"), exports);
 tslib_1.__exportStar(require("./services/hash.service"), exports);
-tslib_1.__exportStar(require("./services/jwt-auth.service"), exports);
 tslib_1.__exportStar(require("./services/policies.service"), exports);
 tslib_1.__exportStar(require("./services/resource-authorization"), exports);
-tslib_1.__exportStar(require("./strategies/jwt-strategy"), exports);
 //# sourceMappingURL=index.js.map

package/src/application/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/index.ts"],"names":[],"mappings":";;;AACA,+DAAqC;AACrC,sEAA4C;AAC5C,0EAAgD;AAChD,yEAA+C;AAC/C,kEAAwC;AACxC,yEAA+C;AAC/C,kEAAwC;AACxC,sEAA4C;AAC5C,sEAA4C;AAC5C,4EAAkD;AAClD,oEAA0C"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/index.ts"],"names":[],"mappings":";;;AACA,+DAAqC;AACrC,sEAA4C;AAC5C,0EAAgD;AAChD,yEAA+C;AAC/C,kEAAwC;AACxC,yEAA+C;AAC/C,kEAAwC;AACxC,sEAA4C;AAC5C,4EAAkD"}

package/src/application/ports/auth-account.repository.d.ts

@@ -0,0 +1,18 @@
+export type CredentialAccount = {
+    id: string;
+    userId: string;
+    accountId: string;
+    providerId: 'credential';
+    password: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+};
+export declare abstract class AuthAccountRepository {
+    abstract findCredentialAccountByUserId(userId: string): Promise<CredentialAccount | null>;
+    abstract upsertCredentialAccount(input: {
+        userId: string;
+        passwordHash: string;
+        createdAt?: Date;
+        updatedAt?: Date;
+    }): Promise<CredentialAccount>;
+}

package/src/application/ports/auth-account.repository.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthAccountRepository = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+let AuthAccountRepository = class AuthAccountRepository {
+};
+exports.AuthAccountRepository = AuthAccountRepository;
+exports.AuthAccountRepository = AuthAccountRepository = tslib_1.__decorate([
+    (0, common_1.Injectable)()
+], AuthAccountRepository);
+//# sourceMappingURL=auth-account.repository.js.map

package/src/application/ports/auth-account.repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-account.repository.js","sourceRoot":"","sources":["../../../../../../../libs/auth/nest/src/application/ports/auth-account.repository.ts"],"names":[],"mappings":";;;;AAAA,2CAA4C;AAarC,IAAe,qBAAqB,GAApC,MAAe,qBAAqB;CAW1C,CAAA;AAXqB,sDAAqB;gCAArB,qBAAqB;IAD1C,IAAA,mBAAU,GAAE;GACS,qBAAqB,CAW1C"}

package/src/{infrastructure-persistence/repositories → application/ports}/auth-user.repository.d.ts

@@ -2,9 +2,8 @@ import { User } from '@anarchitects/auth-ts/models';
 export declare abstract class AuthUserRepository {
     abstract find(conditions: unknown): Promise<User[]>;
     abstract findOne(conditions: unknown): Promise<User>;
+    abstract ensureRole(userId: string, roleName: string): Promise<void>;
     abstract create(user: Partial<User>): Promise<User>;
     abstract update(user: Partial<User>): Promise<User>;
     abstract delete(userId: string): Promise<User>;
-    abstract invalidateTokens(tokens: string[], userId: string | null): Promise<void>;
-    abstract isTokenInvalidated(tokenId: string): Promise<boolean>;
 }

package/src/application/ports/auth-user.repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-user.repository.js","sourceRoot":"","sources":["../../../../../../../libs/auth/nest/src/application/ports/auth-user.repository.ts"],"names":[],"mappings":";;;;AAAA,2CAA4C;AAIrC,IAAe,kBAAkB,GAAjC,MAAe,kBAAkB;CAOvC,CAAA;AAPqB,gDAAkB;6BAAlB,kBAAkB;IADvC,IAAA,mBAAU,GAAE;GACS,kBAAkB,CAOvC"}

package/src/application/resource-authorization.types.d.ts

@@ -1,16 +1 @@
-import { Action, Subject, User } from '@anarchitects/auth-ts/models';
-export type AuthorizableResource = Record<string, unknown>;
-export type ResourceAuthorizationLoaderInput = {
-    user: User;
-    resourceId: string;
-};
-export type ResourceAuthorizationLoader<TResource extends AuthorizableResource = AuthorizableResource> = (input: ResourceAuthorizationLoaderInput) => Promise<TResource | null> | TResource | null;
-export type ResourceAuthorizationLoaders = Record<string, ResourceAuthorizationLoader>;
-export type ResourceAuthorizationOptions = {
-    loaders?: ResourceAuthorizationLoaders;
-};
-export type ResourceAuthorizationRoute = {
-    action: Action;
-    subject: Subject;
-    idParam: string;
-};
+export type { AuthorizableResource, ResourceAuthorizationLoader, ResourceAuthorizationLoaderInput, ResourceAuthorizationLoaders, ResourceAuthorizationOptions, ResourceAuthorizationRoute, } from '../config/resource-authorization.types';