@ascendkit/nextjs 0.1.0

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,aAAa,EACb,0BAA0B,EAC1B,sBAAsB,EACtB,wBAAwB,EACxB,SAAS,GACV,MAAM,UAAU,CAAC;AAClB,YAAY,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAG5G,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAG/J,OAAO,EACL,KAAK,EACL,MAAM,EACN,iBAAiB,EACjB,cAAc,EACd,aAAa,EACb,YAAY,EACZ,iBAAiB,EACjB,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,mBAAmB,EACnB,aAAa,GACd,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC"}

package/dist/index.js

@@ -0,0 +1,8 @@
+// Server
+export { AscendKitAuth, createAscendKitAuthRuntime, createAscendKitAdapter, createAccessTokenHandler, Analytics, } from "./server";
+// Client
+export { AscendKitProvider, useAscendKitContext, useAscendKit, useAuthModal, useAccessToken, useSessions, useUser, useAnalytics, verifyEmail } from "./client";
+// Components
+export { Login, SignUp, EmailVerification, ForgotPassword, ResetPassword, SocialButton, AscendKitAuthCard, AuthModal, SignInButton, SignUpButton, AscendKitUserButton, BrandingBadge, } from "./components";
+// Re-exports from Better Auth UI (convenience)
+export { SignedIn, SignedOut, AuthLoading } from "@daveyplate/better-auth-ui";

package/dist/server/access-token.d.ts

@@ -0,0 +1,39 @@
+import type { AscendKitAuthRuntime } from "./auth-runtime";
+interface AccessTokenHandlerOptions {
+    /** Dynamic auth runtime returned by createAscendKitAuthRuntime(). */
+    authRuntime: AscendKitAuthRuntime;
+    /** AscendKit environment public key (default: ASCENDKIT_ENV_KEY env var). */
+    publicKey?: string;
+    /** AscendKit API URL (default: ASCENDKIT_API_URL env var, then https://api.ascendkit.com). */
+    apiUrl?: string;
+}
+/**
+ * Create a Next.js route handler that exchanges a Better Auth session
+ * for a short-lived RS256 access token.
+ *
+ * The access token can be verified by any backend using AscendKit's JWKS
+ * endpoint — no shared secrets needed.
+ *
+ * Usage:
+ * ```ts
+ * // lib/auth.ts
+ * import { createAscendKitAuthRuntime } from "@ascendkit/nextjs/server";
+ * export const authRuntime = createAscendKitAuthRuntime();
+ *
+ * // app/api/access-token/route.ts
+ * import { authRuntime } from "@/lib/auth";
+ * import { createAccessTokenHandler } from "@ascendkit/nextjs/server";
+ *
+ * export const GET = createAccessTokenHandler({ authRuntime });
+ * ```
+ *
+ * Frontend usage:
+ * ```ts
+ * const { getAccessToken } = useAccessToken();
+ * const token = await getAccessToken();
+ * fetch("/api/data", { headers: { Authorization: `Bearer ${token}` } });
+ * ```
+ */
+export declare function createAccessTokenHandler(options: AccessTokenHandlerOptions): (req: Request) => Promise<Response>;
+export {};
+//# sourceMappingURL=access-token.d.ts.map

package/dist/server/access-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-token.d.ts","sourceRoot":"","sources":["../../src/server/access-token.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAE3D,UAAU,yBAAyB;IACjC,qEAAqE;IACrE,WAAW,EAAE,oBAAoB,CAAC;IAClC,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8FAA8F;IAC9F,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAQD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,yBAAyB,IAO/C,KAAK,OAAO,KAAG,OAAO,CAAC,QAAQ,CAAC,CA+D3D"}

package/dist/server/access-token.js

@@ -0,0 +1,74 @@
+/**
+ * Create a Next.js route handler that exchanges a Better Auth session
+ * for a short-lived RS256 access token.
+ *
+ * The access token can be verified by any backend using AscendKit's JWKS
+ * endpoint — no shared secrets needed.
+ *
+ * Usage:
+ * ```ts
+ * // lib/auth.ts
+ * import { createAscendKitAuthRuntime } from "@ascendkit/nextjs/server";
+ * export const authRuntime = createAscendKitAuthRuntime();
+ *
+ * // app/api/access-token/route.ts
+ * import { authRuntime } from "@/lib/auth";
+ * import { createAccessTokenHandler } from "@ascendkit/nextjs/server";
+ *
+ * export const GET = createAccessTokenHandler({ authRuntime });
+ * ```
+ *
+ * Frontend usage:
+ * ```ts
+ * const { getAccessToken } = useAccessToken();
+ * const token = await getAccessToken();
+ * fetch("/api/data", { headers: { Authorization: `Bearer ${token}` } });
+ * ```
+ */
+export function createAccessTokenHandler(options) {
+    const { authRuntime, publicKey = process.env.ASCENDKIT_ENV_KEY ?? "", apiUrl = process.env.ASCENDKIT_API_URL || "https://api.ascendkit.com", } = options;
+    return async function GET(req) {
+        try {
+            if (!publicKey || publicKey === "undefined" || publicKey === "null") {
+                return Response.json({
+                    data: null,
+                    error: "Server misconfiguration: missing AscendKit public key in createAccessTokenHandler",
+                }, { status: 500 });
+            }
+            // Read session via Better Auth (handles cookies internally)
+            let session;
+            try {
+                session = await authRuntime.getSession(req.headers);
+            }
+            catch (err) {
+                console.error("[AscendKit] getSession() failed:", err instanceof Error ? err.message : err);
+                return Response.json({ data: null, error: "Failed to read session" }, { status: 401 });
+            }
+            if (!session?.session?.token) {
+                return Response.json({ data: null, error: "Unauthorized" }, { status: 401 });
+            }
+            // Exchange session token for RS256 access token
+            const res = await fetch(`${apiUrl}/api/auth/access-token`, {
+                method: "POST",
+                headers: {
+                    "X-AscendKit-Public-Key": publicKey,
+                    Authorization: `Bearer ${session.session.token}`,
+                    "Content-Type": "application/json",
+                },
+            });
+            if (!res.ok) {
+                const body = await res.json().catch(() => ({}));
+                return Response.json({
+                    data: null,
+                    error: body.error || body.detail || body.message || "Failed to get access token",
+                }, { status: res.status });
+            }
+            const json = (await res.json());
+            return Response.json({ data: json.data });
+        }
+        catch (err) {
+            console.error("[AscendKit] Access token handler error:", err);
+            return Response.json({ data: null, error: "Internal error in access token handler" }, { status: 500 });
+        }
+    };
+}

package/dist/server/adapter.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Creates a Better Auth database adapter that routes all CRUD operations
+ * through the AscendKit backend API, scoped by public key.
+ */
+export declare function createAscendKitAdapter(publicKey: string, apiUrl: string): import("better-auth/adapters").AdapterFactory;
+//# sourceMappingURL=adapter.d.ts.map

package/dist/server/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../../src/server/adapter.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,iDA+DvE"}

package/dist/server/adapter.js

@@ -0,0 +1,57 @@
+import { createAdapterFactory } from "better-auth/adapters";
+import { createHttpClient } from "../shared/http-client";
+/**
+ * Creates a Better Auth database adapter that routes all CRUD operations
+ * through the AscendKit backend API, scoped by public key.
+ */
+export function createAscendKitAdapter(publicKey, apiUrl) {
+    return createAdapterFactory({
+        config: {
+            adapterId: "ascendkit",
+            disableIdGeneration: true,
+            supportsJSON: true,
+            supportsDates: false,
+            supportsBooleans: true,
+        },
+        adapter: () => {
+            const http = createHttpClient({ publicKey, apiUrl });
+            return {
+                async create({ model, data, select }) {
+                    return await http.post("/api/auth/db/create", { model, data, select });
+                },
+                async findOne({ model, where, select }) {
+                    return await http.post("/api/auth/db/find-one", { model, where, select });
+                },
+                async findMany({ model, where, limit, select, sortBy, offset, }) {
+                    return await http.post("/api/auth/db/find-many", {
+                        model, where, select, limit, offset, sortBy,
+                    });
+                },
+                async update({ model, where, update }) {
+                    return await http.post("/api/auth/db/update", { model, where, update });
+                },
+                async updateMany({ model, where, update }) {
+                    const result = await http.post("/api/auth/db/update-many", {
+                        model, where, update,
+                    });
+                    return result?.count ?? 0;
+                },
+                async delete({ model, where }) {
+                    await http.post("/api/auth/db/delete", { model, where });
+                },
+                async deleteMany({ model, where }) {
+                    const result = await http.post("/api/auth/db/delete-many", {
+                        model, where,
+                    });
+                    return result?.count ?? 0;
+                },
+                async count({ model, where }) {
+                    const result = await http.post("/api/auth/db/count", {
+                        model, where,
+                    });
+                    return result?.count ?? 0;
+                },
+            };
+        },
+    });
+}

package/dist/server/analytics.d.ts

@@ -0,0 +1,61 @@
+interface AnalyticsOptions {
+    /** Your project's secret key (sk_prod_...). */
+    secretKey: string;
+    /** Your project's public key. */
+    publicKey: string;
+    /** AscendKit API base URL. Defaults to https://api.ascendkit.com. */
+    apiUrl?: string;
+    /** Milliseconds between automatic flushes. Defaults to 30000. */
+    flushIntervalMs?: number;
+    /** Max events before auto-flush. Defaults to 10. */
+    batchSize?: number;
+}
+/**
+ * Server-side analytics client for AscendKit.
+ *
+ * Tracks events from your backend with trusted identity (secret key auth).
+ * Events are queued in-memory and flushed in batches via a background timer.
+ *
+ * @example
+ * ```ts
+ * import { Analytics } from "@ascendkit/nextjs/server";
+ *
+ * const analytics = new Analytics({
+ *   secretKey: process.env.ASCENDKIT_SECRET_KEY!,
+ *   publicKey: process.env.ASCENDKIT_ENV_KEY!,
+ * });
+ *
+ * analytics.track("usr_456", "checkout.completed", { orderId: "ord_789" });
+ *
+ * // Events flush automatically every 30s or when batch size (10) is reached.
+ * // Call shutdown() for graceful cleanup (e.g. in process.on("beforeExit")).
+ * ```
+ */
+export declare class Analytics {
+    private queue;
+    private http;
+    private batchSize;
+    private flushTimer;
+    private flushing;
+    constructor(options: AnalyticsOptions);
+    /**
+     * Queue a server-side event for a user.
+     *
+     * @param userId - The user ID (usr_ prefixed).
+     * @param event - Event name (e.g. "checkout.completed").
+     * @param properties - Optional event properties.
+     *
+     * @example
+     * ```ts
+     * analytics.track("usr_456", "checkout.completed", { total: 99.99 });
+     * ```
+     */
+    track(userId: string, event: string, properties?: Record<string, unknown>): void;
+    /** Manually flush the event queue. */
+    flush(): Promise<void>;
+    /** Gracefully shut down: stop the flush timer and flush remaining events. */
+    shutdown(): Promise<void>;
+    private sendBatch;
+}
+export {};
+//# sourceMappingURL=analytics.d.ts.map

package/dist/server/analytics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analytics.d.ts","sourceRoot":"","sources":["../../src/server/analytics.ts"],"names":[],"mappings":"AAcA,UAAU,gBAAgB;IACxB,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,qEAAqE;IACrE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iEAAiE;IACjE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oDAAoD;IACpD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,KAAK,CAAwB;IACrC,OAAO,CAAC,IAAI,CAAsC;IAClD,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,UAAU,CAAiC;IACnD,OAAO,CAAC,QAAQ,CAAS;gBAEb,OAAO,EAAE,gBAAgB;IAqBrC;;;;;;;;;;;OAWG;IACH,KAAK,CACH,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC,IAAI;IAcP,sCAAsC;IAChC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAgB5B,6EAA6E;IACvE,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;YASjB,SAAS;CAuBxB"}

package/dist/server/analytics.js

@@ -0,0 +1,117 @@
+import { createHttpClient } from "../shared/http-client";
+const SDK_VERSION = "0.1.0";
+const DEFAULT_FLUSH_INTERVAL_MS = 30_000;
+const DEFAULT_BATCH_SIZE = 10;
+const MAX_RETRY_ATTEMPTS = 3;
+/**
+ * Server-side analytics client for AscendKit.
+ *
+ * Tracks events from your backend with trusted identity (secret key auth).
+ * Events are queued in-memory and flushed in batches via a background timer.
+ *
+ * @example
+ * ```ts
+ * import { Analytics } from "@ascendkit/nextjs/server";
+ *
+ * const analytics = new Analytics({
+ *   secretKey: process.env.ASCENDKIT_SECRET_KEY!,
+ *   publicKey: process.env.ASCENDKIT_ENV_KEY!,
+ * });
+ *
+ * analytics.track("usr_456", "checkout.completed", { orderId: "ord_789" });
+ *
+ * // Events flush automatically every 30s or when batch size (10) is reached.
+ * // Call shutdown() for graceful cleanup (e.g. in process.on("beforeExit")).
+ * ```
+ */
+export class Analytics {
+    queue = [];
+    http;
+    batchSize;
+    flushTimer;
+    flushing = false;
+    constructor(options) {
+        const apiUrl = options.apiUrl ?? "https://api.ascendkit.com";
+        this.batchSize = options.batchSize ?? DEFAULT_BATCH_SIZE;
+        this.http = createHttpClient({
+            publicKey: options.publicKey,
+            apiUrl,
+            secretKey: options.secretKey,
+        });
+        this.flushTimer = setInterval(() => void this.flush(), options.flushIntervalMs ?? DEFAULT_FLUSH_INTERVAL_MS);
+        // Unref so the timer doesn't keep the process alive
+        if (typeof this.flushTimer === "object" && "unref" in this.flushTimer) {
+            this.flushTimer.unref();
+        }
+    }
+    /**
+     * Queue a server-side event for a user.
+     *
+     * @param userId - The user ID (usr_ prefixed).
+     * @param event - Event name (e.g. "checkout.completed").
+     * @param properties - Optional event properties.
+     *
+     * @example
+     * ```ts
+     * analytics.track("usr_456", "checkout.completed", { total: 99.99 });
+     * ```
+     */
+    track(userId, event, properties) {
+        const prefixedEvent = event.startsWith("app.") ? event : `app.${event}`;
+        this.queue.push({
+            event: prefixedEvent,
+            userId,
+            properties,
+            timestamp: new Date().toISOString(),
+        });
+        if (this.queue.length >= this.batchSize) {
+            void this.flush();
+        }
+    }
+    /** Manually flush the event queue. */
+    async flush() {
+        if (this.flushing || this.queue.length === 0)
+            return;
+        this.flushing = true;
+        const batch = this.queue.splice(0);
+        try {
+            await this.sendBatch(batch, 0);
+        }
+        catch {
+            // Put events back at the front of the queue
+            this.queue.unshift(...batch);
+        }
+        finally {
+            this.flushing = false;
+        }
+    }
+    /** Gracefully shut down: stop the flush timer and flush remaining events. */
+    async shutdown() {
+        clearInterval(this.flushTimer);
+        await this.flush();
+    }
+    // ---------------------------------------------------------------------------
+    // Internal
+    // ---------------------------------------------------------------------------
+    async sendBatch(batch, attempt) {
+        try {
+            await this.http.post("/api/v1/events", {
+                batch: batch.map((e) => ({
+                    event: e.event,
+                    userId: e.userId,
+                    properties: e.properties,
+                    timestamp: e.timestamp,
+                    context: { sdk: "js", sdkVersion: SDK_VERSION },
+                })),
+            });
+        }
+        catch (err) {
+            if (attempt < MAX_RETRY_ATTEMPTS) {
+                const delay = 2 ** attempt * 1000; // 1s, 2s, 4s
+                await new Promise((r) => setTimeout(r, delay));
+                return this.sendBatch(batch, attempt + 1);
+            }
+            throw err;
+        }
+    }
+}

package/dist/server/ascendkit-auth.d.ts

@@ -0,0 +1,122 @@
+import type { AscendKitAuthOptions, AuthConfig } from "../shared/types";
+import type { BetterAuthPlugin } from "better-auth";
+/**
+ * Pre-configured Better Auth setup for AscendKit.
+ *
+ * NOTE: This helper builds a static auth instance. For runtime hot-reload
+ * behavior (no server restarts when auth settings change), use
+ * createAscendKitAuthRuntime() instead.
+ *
+ * Fetches auth config (enabled providers, OAuth credentials, features)
+ * from the AscendKit backend and returns a fully configured Better Auth instance.
+ * Email callbacks route through AscendKit's content service + SES for delivery.
+ *
+ * Usage:
+ * ```ts
+ * // lib/auth.ts — zero-config (reads from env vars automatically)
+ * import { AscendKitAuth } from "@ascendkit/nextjs/server";
+ * export const auth = await AscendKitAuth();
+ * ```
+ *
+ * Environment variables (set by `ascendkit init` + `ascendkit set-env`):
+ * - ASCENDKIT_ENV_KEY — public key (server-side)
+ * - ASCENDKIT_SECRET_KEY — secret key (server-side)
+ * - ASCENDKIT_API_URL — backend URL (default: https://api.ascendkit.com)
+ *
+ * ```ts
+ * // app/api/auth/[...all]/route.ts
+ * import { auth } from "@/lib/auth";
+ * import { toNextJsHandler } from "@ascendkit/nextjs/server";
+ * export const { GET, POST } = toNextJsHandler(auth.handler);
+ * ```
+ */
+export declare function AscendKitAuth(options?: AscendKitAuthOptions): Promise<import("better-auth").Auth<{
+    database: import("better-auth/adapters").AdapterFactory;
+    emailAndPassword: {
+        enabled: false;
+    };
+}> | import("better-auth").Auth<{
+    plugins?: BetterAuthPlugin[] | undefined;
+    socialProviders: Record<string, {
+        clientId: string;
+        clientSecret: string;
+    }>;
+    session: {
+        expiresIn: number;
+        cookieCache: {
+            enabled: true;
+            maxAge: number;
+        };
+    };
+    emailVerification?: {
+        sendVerificationEmail: (data: {
+            user: {
+                name: string;
+                email: string;
+            };
+            url: string;
+        }) => Promise<void>;
+        sendOnSignUp: boolean;
+    } | undefined;
+    database: import("better-auth/adapters").AdapterFactory;
+    emailAndPassword: {
+        sendResetPassword?: ((data: {
+            user: {
+                name: string;
+                email: string;
+            };
+            url: string;
+        }) => Promise<void>) | undefined;
+        requireEmailVerification?: boolean | undefined;
+        enabled: boolean;
+    };
+}>>;
+export declare function createDisabledAuth(publicKey: string, apiUrl: string): import("better-auth").Auth<{
+    database: import("better-auth/adapters").AdapterFactory;
+    emailAndPassword: {
+        enabled: false;
+    };
+}>;
+export declare function buildAscendKitAuthFromConfig(args: {
+    publicKey: string;
+    apiUrl: string;
+    config: AuthConfig;
+    waitlistRedirectPath?: string;
+    rejectedRedirectPath?: string;
+}): Promise<import("better-auth").Auth<{
+    plugins?: BetterAuthPlugin[] | undefined;
+    socialProviders: Record<string, {
+        clientId: string;
+        clientSecret: string;
+    }>;
+    session: {
+        expiresIn: number;
+        cookieCache: {
+            enabled: true;
+            maxAge: number;
+        };
+    };
+    emailVerification?: {
+        sendVerificationEmail: (data: {
+            user: {
+                name: string;
+                email: string;
+            };
+            url: string;
+        }) => Promise<void>;
+        sendOnSignUp: boolean;
+    } | undefined;
+    database: import("better-auth/adapters").AdapterFactory;
+    emailAndPassword: {
+        sendResetPassword?: ((data: {
+            user: {
+                name: string;
+                email: string;
+            };
+            url: string;
+        }) => Promise<void>) | undefined;
+        requireEmailVerification?: boolean | undefined;
+        enabled: boolean;
+    };
+}>>;
+//# sourceMappingURL=ascendkit-auth.d.ts.map

package/dist/server/ascendkit-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ascendkit-auth.d.ts","sourceRoot":"","sources":["../../src/server/ascendkit-auth.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACxE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,aAAa,CAAC,OAAO,GAAE,oBAAyB;;;;;;;;;;;;;;;;;;;sCAuG1B;YAAE,IAAI,EAAE;gBAAE,IAAI,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAA;aAAE,CAAC;YAAC,GAAG,EAAE,MAAM,CAAA;SAAE;;;;;oCARxD;YAAE,IAAI,EAAE;gBAAE,IAAI,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAA;aAAE,CAAC;YAAC,GAAG,EAAE,MAAM,CAAA;SAAE;;;;IA1E/F;AAED,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;;;;;GAMnE;AAED,wBAAsB,4BAA4B,CAAC,IAAI,EAAE;IACvD,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,UAAU,CAAC;IACnB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;;;;;;;;;;;;;;sCAkE2C;YAAE,IAAI,EAAE;gBAAE,IAAI,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAA;aAAE,CAAC;YAAC,GAAG,EAAE,MAAM,CAAA;SAAE;;;;;oCARxD;YAAE,IAAI,EAAE;gBAAE,IAAI,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAA;aAAE,CAAC;YAAC,GAAG,EAAE,MAAM,CAAA;SAAE;;;;IAwB/F"}

package/dist/server/ascendkit-auth.js

@@ -0,0 +1,146 @@
+import { betterAuth } from "better-auth";
+import { createAscendKitAdapter } from "./adapter";
+import { fetchAuthConfig } from "./config-fetcher";
+import { buildSocialProviders } from "./social-providers";
+import { createEmailSender } from "./email-sender";
+import { ascendkitOAuthProxyPlugin } from "./oauth-proxy-plugin";
+/**
+ * Pre-configured Better Auth setup for AscendKit.
+ *
+ * NOTE: This helper builds a static auth instance. For runtime hot-reload
+ * behavior (no server restarts when auth settings change), use
+ * createAscendKitAuthRuntime() instead.
+ *
+ * Fetches auth config (enabled providers, OAuth credentials, features)
+ * from the AscendKit backend and returns a fully configured Better Auth instance.
+ * Email callbacks route through AscendKit's content service + SES for delivery.
+ *
+ * Usage:
+ * ```ts
+ * // lib/auth.ts — zero-config (reads from env vars automatically)
+ * import { AscendKitAuth } from "@ascendkit/nextjs/server";
+ * export const auth = await AscendKitAuth();
+ * ```
+ *
+ * Environment variables (set by `ascendkit init` + `ascendkit set-env`):
+ * - ASCENDKIT_ENV_KEY — public key (server-side)
+ * - ASCENDKIT_SECRET_KEY — secret key (server-side)
+ * - ASCENDKIT_API_URL — backend URL (default: https://api.ascendkit.com)
+ *
+ * ```ts
+ * // app/api/auth/[...all]/route.ts
+ * import { auth } from "@/lib/auth";
+ * import { toNextJsHandler } from "@ascendkit/nextjs/server";
+ * export const { GET, POST } = toNextJsHandler(auth.handler);
+ * ```
+ */
+export async function AscendKitAuth(options = {}) {
+    const publicKey = options.publicKey || process.env.ASCENDKIT_ENV_KEY || "";
+    const secretKey = options.secretKey || process.env.ASCENDKIT_SECRET_KEY || "";
+    const apiUrl = options.apiUrl || process.env.ASCENDKIT_API_URL || "https://api.ascendkit.com";
+    let config;
+    try {
+        config = await fetchAuthConfig(publicKey, secretKey, apiUrl);
+    }
+    catch (err) {
+        console.error("[AscendKit] Failed to fetch auth config:", err instanceof Error ? err.message : err);
+        console.error("[AscendKit] Auth routes will operate with no providers until config is available.");
+        return createDisabledAuth(publicKey, apiUrl);
+    }
+    return buildAscendKitAuthFromConfig({
+        publicKey,
+        apiUrl,
+        config,
+        waitlistRedirectPath: options.waitlistRedirectPath,
+        rejectedRedirectPath: options.rejectedRedirectPath,
+    });
+}
+export function createDisabledAuth(publicKey, apiUrl) {
+    const adapter = createAscendKitAdapter(publicKey, apiUrl);
+    return betterAuth({
+        database: adapter,
+        emailAndPassword: { enabled: false },
+    });
+}
+export async function buildAscendKitAuthFromConfig(args) {
+    const { publicKey, apiUrl, config, waitlistRedirectPath, rejectedRedirectPath, } = args;
+    const adapter = createAscendKitAdapter(publicKey, apiUrl);
+    const proxyProviders = Object.entries(config.oauth)
+        .filter(([, creds]) => creds.flowType === "proxy")
+        .map(([provider]) => provider);
+    const socialProviders = buildSocialProviders(config);
+    const email = createEmailSender(publicKey, apiUrl, {
+        waitlistEnabled: config.features.waitlist,
+    });
+    // Build plugins array based on feature flags
+    const plugins = [];
+    if (proxyProviders.length > 0) {
+        plugins.push(ascendkitOAuthProxyPlugin({
+            publicKey,
+            apiUrl,
+            proxyProviders,
+            waitlistRedirectPath: config.features.waitlist ? waitlistRedirectPath : undefined,
+            rejectedRedirectPath: config.features.waitlist ? rejectedRedirectPath : undefined,
+        }));
+    }
+    const magicLinkEnabled = config.providers.includes("magic-link");
+    if (magicLinkEnabled) {
+        const { magicLink } = await import("better-auth/plugins/magic-link");
+        plugins.push(magicLink({
+            sendMagicLink: async (data) => {
+                await email.sendMagicLinkEmail(data);
+            },
+        }));
+    }
+    if (config.features.requireUsername) {
+        const { username } = await import("better-auth/plugins/username");
+        plugins.push(username());
+    }
+    // Parse session duration (e.g. "7d", "24h") to seconds
+    const sessionMaxAge = parseSessionDuration(config.sessionDuration);
+    const credentialsEnabled = config.providers.includes("credentials") && !magicLinkEnabled;
+    return betterAuth({
+        database: adapter,
+        emailAndPassword: {
+            enabled: credentialsEnabled,
+            ...(credentialsEnabled && {
+                requireEmailVerification: config.features.emailVerification,
+                ...(config.features.passwordReset && {
+                    sendResetPassword: async (data) => {
+                        await email.sendResetPasswordEmail(data);
+                    },
+                }),
+            }),
+        },
+        ...(credentialsEnabled && {
+            emailVerification: {
+                sendVerificationEmail: async (data) => {
+                    await email.sendVerificationEmail(data);
+                },
+                sendOnSignUp: config.features.emailVerification,
+            },
+        }),
+        socialProviders,
+        session: {
+            expiresIn: sessionMaxAge,
+            cookieCache: {
+                enabled: true,
+                maxAge: 5 * 60, // 5 minutes — auth'd requests skip the adapter
+            },
+        },
+        ...(plugins.length > 0 && { plugins }),
+    });
+}
+function parseSessionDuration(duration) {
+    const match = duration.match(/^(\d+)([dhms])$/);
+    if (!match)
+        return 7 * 24 * 60 * 60; // default 7 days
+    const value = parseInt(match[1], 10);
+    switch (match[2]) {
+        case "d": return value * 24 * 60 * 60;
+        case "h": return value * 60 * 60;
+        case "m": return value * 60;
+        case "s": return value;
+        default: return 7 * 24 * 60 * 60;
+    }
+}

package/dist/server/auth-runtime.d.ts

@@ -0,0 +1,12 @@
+import { betterAuth } from "better-auth";
+import type { AscendKitAuthOptions } from "../shared/types";
+type BetterAuthInstance = ReturnType<typeof betterAuth>;
+type SessionResult = Awaited<ReturnType<BetterAuthInstance["api"]["getSession"]>>;
+export interface AscendKitAuthRuntime {
+    handler: (request: Request) => Promise<Response>;
+    getSession: (headers: HeadersInit) => Promise<SessionResult>;
+    getAuth: () => Promise<BetterAuthInstance>;
+}
+export declare function createAscendKitAuthRuntime(options?: AscendKitAuthOptions): AscendKitAuthRuntime;
+export {};
+//# sourceMappingURL=auth-runtime.d.ts.map

package/dist/server/auth-runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-runtime.d.ts","sourceRoot":"","sources":["../../src/server/auth-runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAI5D,KAAK,kBAAkB,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC;AACxD,KAAK,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;AAOlF,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjD,UAAU,EAAE,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,aAAa,CAAC,CAAC;IAC7D,OAAO,EAAE,MAAM,OAAO,CAAC,kBAAkB,CAAC,CAAC;CAC5C;AA8BD,wBAAgB,0BAA0B,CAAC,OAAO,GAAE,oBAAyB,GAAG,oBAAoB,CA0HnG"}