@beignet/provider-auth-better-auth 0.0.1

package/CHANGELOG.md

@@ -0,0 +1,5 @@
+# @beignet/provider-auth-better-auth
+
+## 0.0.1
+
+- Initial Beignet release under the `@beignet` npm scope.

package/README.md

@@ -0,0 +1,426 @@
+# @beignet/provider-auth-better-auth
+
+Better Auth provider for Beignet applications.
+
+The provider wraps an already-configured [Better Auth](https://better-auth.com)
+server instance and exposes the shared `AuthPort` from `@beignet/core/ports` on
+`ctx.ports.auth`. Your app still owns Better Auth configuration, database
+schema, and auth routes.
+
+## Overview
+
+**What this provider does:**
+
+- Wraps a Better Auth instance with a simple, stable API
+- Extends `ports.auth` with `getSession`, `getUser`, and `requireUser` methods
+- Maintains type safety for your custom User type
+- Records auth checks in devtools when devtools is installed
+
+**What this provider does NOT do:**
+
+- Define database schema (you own your user table)
+- Define the User type (you define it in your app)
+- Configure Better Auth (secrets, session strategy, etc. stay in your app)
+- Implement login/signup routes (use Better Auth's routes directly)
+- Manage RBAC/permissions (that's application logic)
+
+## Install
+
+```bash
+bun add @beignet/core @beignet/provider-auth-better-auth better-auth
+```
+
+## Setup
+
+### 1. Configure Better Auth in your app
+
+First, set up Better Auth with your database and configuration:
+
+```ts
+// lib/better-auth.ts
+import { betterAuth } from "better-auth";
+import { db } from "./db"; // Your Drizzle/Prisma/etc. client
+
+export const auth = betterAuth({
+  database: db,
+  emailAndPassword: {
+    enabled: true,
+  },
+  // ...other Better Auth configuration
+});
+```
+
+### 2. Define your ports type
+
+Own the public session shape in your app, then add the `auth` port to your
+application's ports type:
+
+```ts
+// ports/auth.ts
+import type { AuthPort as BeignetAuthPort } from "@beignet/core/ports";
+
+export type AuthUser = {
+  id: string;
+  name?: string | null;
+  email?: string | null;
+  image?: string | null;
+};
+
+export type AuthSessionMetadata = unknown;
+
+export type AuthPort = BeignetAuthPort<AuthUser, AuthSessionMetadata>;
+```
+
+```ts
+// ports/index.ts
+import type { AuthPort } from "./auth";
+
+export type AppPorts = {
+  auth: AuthPort;
+  // ...other ports (db, mailer, eventBus, etc.)
+};
+```
+
+### 3. Wire the provider into Beignet
+
+Register the provider when creating your server:
+
+```ts
+// server/providers.ts
+import { createAuthBetterAuthProvider } from "@beignet/provider-auth-better-auth";
+import { auth } from "@/lib/better-auth";
+
+export const providers = [
+  createAuthBetterAuthProvider(auth),
+  // ...other providers
+];
+```
+
+```ts
+// server/index.ts
+import { createNextServer } from "@beignet/next";
+import { definePorts } from "@beignet/core/ports";
+import { routes } from "@/server/routes";
+import { providers } from "./providers";
+
+const appPorts = definePorts({
+  // add your app's other ports here
+});
+
+export const server = await createNextServer({
+  ports: appPorts,
+  providers,
+  createContext: async ({ ports }) => ({ ports }),
+  routes,
+});
+```
+
+### 4. Use the auth port in auth hooks
+
+Use `createAuthHooks(...)` to protect routes that declare
+`.meta({ auth: "required" })`:
+
+```ts
+// server/auth-hooks.ts
+import { createAuthHooks } from "@beignet/core/server";
+
+export const authHooks = createAuthHooks<AppContext>({
+  assign: ({ ctx, session }) => ({
+    ...ctx,
+    auth: session,
+    user: session?.user ?? null,
+  }),
+});
+```
+
+Then register it on your server:
+
+```ts
+const server = await createNextServer({
+  ports: appPorts,
+  providers: [createAuthBetterAuthProvider(auth)],
+  hooks: [authHooks],
+  createContext: async ({ ports }) => ({
+    ports,
+    auth: null,
+    user: null,
+  }),
+  routes,
+});
+```
+
+### 5. Optional: check auth in use cases
+
+You can also check authentication in use cases:
+
+```ts
+// features/users/use-cases/get-profile.ts
+import { createUseCase } from "@beignet/core/application";
+import { z } from "zod";
+import { requireUser } from "@/lib/auth";
+
+const UserProfileSchema = z.object({
+  id: z.string(),
+  email: z.string().email(),
+});
+
+const useCase = createUseCase<AppCtx>();
+
+export const getUserProfile = useCase
+  .query("users.profile")
+  .input(z.object({ userId: z.string() }))
+  .output(UserProfileSchema)
+  .run(async ({ ctx, input }) => {
+    requireUser(ctx);
+
+    return ctx.ports.db.users.getProfile(input.userId);
+  });
+```
+
+In the standard app shape, `createContext` reads the request once with
+`ctx.ports.auth.getSession(req)` and stores the result on `ctx.auth`. Use cases
+then call an app-owned helper such as `requireUser(ctx)` instead of depending
+on the raw request.
+
+## Devtools
+
+When `@beignet/devtools` is installed before this provider, auth checks
+appear under the dashboard's Auth watcher.
+
+The provider records `auth.getSession`, `auth.getUser`, and
+`auth.requireUser` events with the operation, authenticated status, and
+duration. User and session objects are not recorded. Provider failures are
+recorded with `.failed` event names and the original error is rethrown.
+
+## API reference
+
+### `AuthPort<User, Session>`
+
+The provider implements the auth port interface exported by
+`@beignet/core/ports`:
+
+#### `getSession(req: Request): Promise<AuthSession<User, Session> | null>`
+
+Get the current session from a Request. Returns `null` if not authenticated.
+
+```ts
+const session = await ctx.ports.auth.getSession(req);
+if (session) {
+  console.log(session.user);
+}
+```
+
+#### `getUser(req: Request): Promise<User | null>`
+
+Get the current user from a Request. Returns `null` if not authenticated.
+
+This is a convenience method that extracts the user from the session.
+
+```ts
+const user = await ctx.ports.auth.getUser(req);
+if (user) {
+  console.log(user.email);
+}
+```
+
+#### `requireUser(req: Request): Promise<User>`
+
+Require an authenticated user. Throws an error if not authenticated.
+
+Use this in lifecycle hooks or use cases that require authentication.
+
+```ts
+const user = await ctx.ports.auth.requireUser(req);
+// user is guaranteed to exist here
+```
+
+**Throws:** `AuthUnauthorizedError` from `@beignet/core/ports` if not
+authenticated. When this error reaches Beignet's server runtime, it is
+returned as a framework-owned `401` response with the standard error envelope.
+
+### `AuthSession<User, Session>`
+
+Represents an authenticated session:
+
+```ts
+interface AuthSession<User = unknown, Session = unknown> {
+  user: User;
+  session?: Session;
+}
+```
+
+### `createAuthBetterAuthProvider(auth)`
+
+Factory function that creates the provider:
+
+```ts
+function createAuthBetterAuthProvider<User = unknown, Session = unknown>(
+  auth: BetterAuthServer<User, Session>
+): ServiceProvider
+```
+
+**Parameters:**
+- `auth`: A Better Auth server instance configured in your application
+
+**Returns:** A Beignet provider that can be registered with the server
+
+## Advanced usage
+
+### Metadata-driven authentication
+
+Use `createAuthHooks(...)` from `@beignet/core/server` to enforce
+contract authentication metadata through the shared auth port:
+
+```ts
+// Define a contract with auth metadata
+const users = createContractGroup();
+
+const getProfile = users
+  .get("/api/profile")
+  .responses({
+    200: z.object({ name: z.string() }),
+  })
+  .meta({ auth: "required" });
+
+const authHooks = createAuthHooks<AppContext>({
+  assign: ({ ctx, session }) => ({
+    ...ctx,
+    auth: session,
+    user: session?.user ?? null,
+  }),
+});
+```
+
+### Custom error types
+
+You can wrap `requireUser` to throw custom error types:
+
+```ts
+class UnauthorizedError extends Error {
+  constructor() {
+    super("Unauthorized");
+    this.name = "UnauthorizedError";
+  }
+}
+
+export const requireAuth = async (
+  req: Request,
+  auth: { requireUser: (req: Request) => Promise<unknown> },
+) => {
+  try {
+    return await auth.requireUser(req);
+  } catch (error) {
+    throw new UnauthorizedError();
+  }
+};
+```
+
+### Multiple authentication strategies
+
+If you need multiple auth strategies (e.g., JWT + session), you can:
+
+1. Configure Better Auth with multiple strategies
+2. Or create multiple providers (e.g., `createAuthBetterAuthProvider(sessionAuth)` + `createAuthJWTProvider(jwtAuth)`)
+
+Better Auth supports multiple strategies out of the box, so the first approach is recommended.
+
+## Type safety
+
+The provider maintains full type safety for your custom User type:
+
+```ts
+type MyUser = {
+  id: string;
+  email: string;
+  role: "admin" | "user";
+};
+
+const authProvider = createAuthBetterAuthProvider<MyUser>(auth);
+
+// Later, in your routes:
+const user = await ctx.ports.auth.requireUser(req);
+// user.role is typed as "admin" | "user"
+```
+
+## Integration with Better Auth routes
+
+Better Auth provides its own route handlers for login, signup, etc. You can mount these alongside your Beignet routes:
+
+```ts
+// Next.js App Router example
+import { auth } from "@/lib/better-auth";
+
+// Better Auth handles /api/auth/*
+export const { GET, POST } = auth.handler;
+
+// Your Beignet routes handle /api/app/*
+// (mounted separately)
+```
+
+See the [Better Auth documentation](https://better-auth.com) for details on route configuration.
+
+## Examples
+
+### Basic setup
+
+```ts
+import { betterAuth } from "better-auth";
+import { createNextServer } from "@beignet/next";
+import { definePorts } from "@beignet/core/ports";
+import { createAuthBetterAuthProvider } from "@beignet/provider-auth-better-auth";
+import { routes } from "@/server/routes";
+
+const auth = betterAuth({ database: db });
+const appPorts = definePorts({});
+
+const server = await createNextServer({
+  ports: appPorts,
+  providers: [createAuthBetterAuthProvider(auth)],
+  createContext: async ({ ports }) => ({ ports }),
+  routes,
+});
+```
+
+### Protecting routes
+
+```ts
+const authHook = {
+  name: "auth",
+  beforeHandle: async ({ req, ctx }) => {
+    const user = await ctx.ports.auth.requireUser(req);
+    return { ctx: { ...ctx, user } };
+  },
+};
+
+const server = await createNextServer({
+  ports: appPorts,
+  providers: [createAuthBetterAuthProvider(auth)],
+  hooks: [authHook],
+  createContext: async ({ ports }) => ({ ports }),
+  routes,
+});
+```
+
+### Optional authentication
+
+```ts
+const listData = async ({ req, ctx }) => {
+  const user = await ctx.ports.auth.getUser(req);
+
+  if (user) {
+    return {
+      status: 200,
+      body: { data: getPersonalizedData(user) },
+    };
+  }
+
+  return {
+    status: 200,
+    body: { data: getPublicData() },
+  };
+};
+```
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,130 @@
+/**
+ * @beignet/provider-auth-better-auth
+ *
+ * Better Auth provider that extends ports with authentication capabilities.
+ * This provider wraps an already-configured Better Auth server instance
+ * and exposes the shared Beignet AuthPort on ctx.ports.auth.
+ *
+ * The provider does NOT own:
+ * - Database schema
+ * - User type definition
+ * - Better Auth configuration (secrets, session strategy, etc.)
+ *
+ * Those stay in the application layer. This provider simply wires
+ * an existing Better Auth instance into the Beignet framework.
+ *
+ * @example
+ * ```ts
+ * // 1. Configure Better Auth in your app
+ * import { betterAuth } from "better-auth";
+ * import { db } from "./db";
+ *
+ * export const auth = betterAuth({
+ *   database: db,
+ *   // ...other Better Auth config
+ * });
+ *
+ * // Own this shape in your app instead of exporting provider-inferred types.
+ * export type AuthUser = {
+ *   id: string;
+ *   name?: string | null;
+ *   email?: string | null;
+ *   image?: string | null;
+ * };
+ *
+ * // 2. Define your ports type
+ * import type { AuthPort } from "@beignet/core/ports";
+ *
+ * export type AppPorts = {
+ *   auth: AuthPort<AuthUser>;
+ *   // ...other ports
+ * };
+ *
+ * // 3. Wire the provider into Beignet
+ * import { createNextServer } from "@beignet/next";
+ * import { createAuthBetterAuthProvider } from "@beignet/provider-auth-better-auth";
+ *
+ * const server = await createNextServer({
+ *   ports: basePorts,
+ *   providers: [
+ *     createAuthBetterAuthProvider(auth),
+ *     // ...other providers
+ *   ],
+ * });
+ *
+ * // 4. Use the auth port through createAuthHooks(...)
+ * import { createAuthHooks } from "@beignet/core/server";
+ *
+ * const authHooks = createAuthHooks<AppContext>({
+ *   assign: ({ ctx, session }) => ({
+ *     ...ctx,
+ *     auth: session,
+ *     user: session?.user ?? null,
+ *   }),
+ * });
+ *
+ * const server = await createNextServer({
+ *   ports: basePorts,
+ *   providers: [createAuthBetterAuthProvider(auth)],
+ *   hooks: [authHooks],
+ *   createContext: async ({ ports }) => ({ ports, auth: null, user: null }),
+ * });
+ * ```
+ */
+import { type AuthPort, type AuthRequestLike } from "@beignet/core/ports";
+/**
+ * Minimal type representing a Better Auth server instance.
+ * This is the interface we expect from the Better Auth library.
+ *
+ * Applications pass their configured Better Auth instance to
+ * createAuthBetterAuthProvider, which must have an api.getSession method.
+ */
+export type BetterAuthServer<User = unknown, Session = unknown> = {
+    /**
+     * Better Auth's session API.
+     * The exact shape depends on Better Auth's API version.
+     */
+    api: {
+        /**
+         * Get the current session from a request.
+         * Better Auth returns null if not authenticated, or a session object
+         * containing user and session data.
+         */
+        getSession(context: {
+            headers: Headers;
+        }): Promise<{
+            user: User;
+            session: Session;
+        } | null>;
+    };
+};
+/**
+ * Create a Beignet provider for Better Auth.
+ *
+ * This factory accepts an already-configured Better Auth server instance
+ * and returns a provider that can be registered with Beignet.
+ *
+ * The provider extends ports.auth with an AuthPort that wraps the
+ * Better Auth instance with a simple, stable API.
+ *
+ * @param auth - A Better Auth server instance configured in the application
+ * @returns A Beignet provider that extends ports.auth
+ *
+ * @example
+ * ```ts
+ * import { betterAuth } from "better-auth";
+ * import { createAuthBetterAuthProvider } from "@beignet/provider-auth-better-auth";
+ * import { createNextServer } from "@beignet/next";
+ *
+ * const auth = betterAuth({ database: db });
+ *
+ * const server = await createNextServer({
+ *   ports: basePorts,
+ *   providers: [createAuthBetterAuthProvider(auth)],
+ * });
+ * ```
+ */
+export declare function createAuthBetterAuthProvider<User = unknown, Session = unknown>(auth: BetterAuthServer<User, Session>): import("@beignet/core/providers").ServiceProvider<unknown, import("@standard-schema/spec").StandardSchemaV1<void, void>, {
+    auth: AuthPort<User, Session, AuthRequestLike>;
+}>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwEG;AAEH,OAAO,EACL,KAAK,QAAQ,EACb,KAAK,eAAe,EAErB,MAAM,qBAAqB,CAAC;AAM7B;;;;;;GAMG;AACH,MAAM,MAAM,gBAAgB,CAAC,IAAI,GAAG,OAAO,EAAE,OAAO,GAAG,OAAO,IAAI;IAChE;;;OAGG;IACH,GAAG,EAAE;QACH;;;;WAIG;QACH,UAAU,CAAC,OAAO,EAAE;YAClB,OAAO,EAAE,OAAO,CAAC;SAClB,GAAG,OAAO,CAAC;YAAE,IAAI,EAAE,IAAI,CAAC;YAAC,OAAO,EAAE,OAAO,CAAA;SAAE,GAAG,IAAI,CAAC,CAAC;KACtD,CAAC;CACH,CAAC;AAMF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,4BAA4B,CAAC,IAAI,GAAG,OAAO,EAAE,OAAO,GAAG,OAAO,EAC5E,IAAI,EAAE,gBAAgB,CAAC,IAAI,EAAE,OAAO,CAAC;;GAsItC"}

package/dist/index.js

@@ -0,0 +1,225 @@
+/**
+ * @beignet/provider-auth-better-auth
+ *
+ * Better Auth provider that extends ports with authentication capabilities.
+ * This provider wraps an already-configured Better Auth server instance
+ * and exposes the shared Beignet AuthPort on ctx.ports.auth.
+ *
+ * The provider does NOT own:
+ * - Database schema
+ * - User type definition
+ * - Better Auth configuration (secrets, session strategy, etc.)
+ *
+ * Those stay in the application layer. This provider simply wires
+ * an existing Better Auth instance into the Beignet framework.
+ *
+ * @example
+ * ```ts
+ * // 1. Configure Better Auth in your app
+ * import { betterAuth } from "better-auth";
+ * import { db } from "./db";
+ *
+ * export const auth = betterAuth({
+ *   database: db,
+ *   // ...other Better Auth config
+ * });
+ *
+ * // Own this shape in your app instead of exporting provider-inferred types.
+ * export type AuthUser = {
+ *   id: string;
+ *   name?: string | null;
+ *   email?: string | null;
+ *   image?: string | null;
+ * };
+ *
+ * // 2. Define your ports type
+ * import type { AuthPort } from "@beignet/core/ports";
+ *
+ * export type AppPorts = {
+ *   auth: AuthPort<AuthUser>;
+ *   // ...other ports
+ * };
+ *
+ * // 3. Wire the provider into Beignet
+ * import { createNextServer } from "@beignet/next";
+ * import { createAuthBetterAuthProvider } from "@beignet/provider-auth-better-auth";
+ *
+ * const server = await createNextServer({
+ *   ports: basePorts,
+ *   providers: [
+ *     createAuthBetterAuthProvider(auth),
+ *     // ...other providers
+ *   ],
+ * });
+ *
+ * // 4. Use the auth port through createAuthHooks(...)
+ * import { createAuthHooks } from "@beignet/core/server";
+ *
+ * const authHooks = createAuthHooks<AppContext>({
+ *   assign: ({ ctx, session }) => ({
+ *     ...ctx,
+ *     auth: session,
+ *     user: session?.user ?? null,
+ *   }),
+ * });
+ *
+ * const server = await createNextServer({
+ *   ports: basePorts,
+ *   providers: [createAuthBetterAuthProvider(auth)],
+ *   hooks: [authHooks],
+ *   createContext: async ({ ports }) => ({ ports, auth: null, user: null }),
+ * });
+ * ```
+ */
+import { AuthUnauthorizedError, } from "@beignet/core/ports";
+import { createProvider, createProviderInstrumentation, } from "@beignet/core/providers";
+function errorMessage(error) {
+    return error instanceof Error ? error.message : String(error);
+}
+/**
+ * Create a Beignet provider for Better Auth.
+ *
+ * This factory accepts an already-configured Better Auth server instance
+ * and returns a provider that can be registered with Beignet.
+ *
+ * The provider extends ports.auth with an AuthPort that wraps the
+ * Better Auth instance with a simple, stable API.
+ *
+ * @param auth - A Better Auth server instance configured in the application
+ * @returns A Beignet provider that extends ports.auth
+ *
+ * @example
+ * ```ts
+ * import { betterAuth } from "better-auth";
+ * import { createAuthBetterAuthProvider } from "@beignet/provider-auth-better-auth";
+ * import { createNextServer } from "@beignet/next";
+ *
+ * const auth = betterAuth({ database: db });
+ *
+ * const server = await createNextServer({
+ *   ports: basePorts,
+ *   providers: [createAuthBetterAuthProvider(auth)],
+ * });
+ * ```
+ */
+export function createAuthBetterAuthProvider(auth) {
+    return createProvider({
+        name: "auth-better-auth",
+        async setup({ ports }) {
+            const instrumentation = createProviderInstrumentation(ports, {
+                providerName: "auth-better-auth",
+                watcher: "auth",
+            });
+            async function resolveSession(req) {
+                const session = await auth.api.getSession({
+                    headers: req.headers,
+                });
+                if (!session) {
+                    return null;
+                }
+                return {
+                    user: session.user,
+                    session: session.session,
+                };
+            }
+            function recordAuthEvent(event) {
+                instrumentation.custom({
+                    name: `auth.${event.operation}`,
+                    label: `Auth ${event.operation}`,
+                    summary: event.summary,
+                    details: {
+                        operation: event.operation,
+                        authenticated: event.authenticated,
+                        durationMs: event.durationMs,
+                        ...(event.error ? { error: event.error } : {}),
+                    },
+                });
+            }
+            const authPort = {
+                async getSession(req) {
+                    const startedAt = Date.now();
+                    try {
+                        const session = await resolveSession(req);
+                        recordAuthEvent({
+                            operation: "getSession",
+                            authenticated: session != null,
+                            summary: session ? "Session found" : "No session",
+                            durationMs: Date.now() - startedAt,
+                        });
+                        return session;
+                    }
+                    catch (error) {
+                        recordAuthEvent({
+                            operation: "getSession.failed",
+                            authenticated: false,
+                            summary: "Session lookup failed",
+                            durationMs: Date.now() - startedAt,
+                            error: errorMessage(error),
+                        });
+                        throw error;
+                    }
+                },
+                async getUser(req) {
+                    const startedAt = Date.now();
+                    try {
+                        const session = await resolveSession(req);
+                        recordAuthEvent({
+                            operation: "getUser",
+                            authenticated: session != null,
+                            summary: session ? "User found" : "No user",
+                            durationMs: Date.now() - startedAt,
+                        });
+                        return session?.user ?? null;
+                    }
+                    catch (error) {
+                        recordAuthEvent({
+                            operation: "getUser.failed",
+                            authenticated: false,
+                            summary: "User lookup failed",
+                            durationMs: Date.now() - startedAt,
+                            error: errorMessage(error),
+                        });
+                        throw error;
+                    }
+                },
+                async requireUser(req) {
+                    const startedAt = Date.now();
+                    try {
+                        const session = await resolveSession(req);
+                        if (!session) {
+                            recordAuthEvent({
+                                operation: "requireUser",
+                                authenticated: false,
+                                summary: "Unauthorized",
+                                durationMs: Date.now() - startedAt,
+                            });
+                            throw new AuthUnauthorizedError();
+                        }
+                        recordAuthEvent({
+                            operation: "requireUser",
+                            authenticated: true,
+                            summary: "Authorized",
+                            durationMs: Date.now() - startedAt,
+                        });
+                        return session.user;
+                    }
+                    catch (error) {
+                        if (error instanceof AuthUnauthorizedError) {
+                            throw error;
+                        }
+                        recordAuthEvent({
+                            operation: "requireUser.failed",
+                            authenticated: false,
+                            summary: "Required user lookup failed",
+                            durationMs: Date.now() - startedAt,
+                            error: errorMessage(error),
+                        });
+                        throw error;
+                    }
+                },
+            };
+            return { ports: { auth: authPort } };
+        },
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwEG;AAEH,OAAO,EAGL,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,cAAc,EACd,6BAA6B,GAC9B,MAAM,yBAAyB,CAAC;AA0BjC,SAAS,YAAY,CAAC,KAAc;IAClC,OAAO,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAChE,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,4BAA4B,CAC1C,IAAqC;IAErC,OAAO,cAAc,CAAC;QACpB,IAAI,EAAE,kBAAkB;QAExB,KAAK,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE;YACnB,MAAM,eAAe,GAAG,6BAA6B,CAAC,KAAK,EAAE;gBAC3D,YAAY,EAAE,kBAAkB;gBAChC,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;YAEH,KAAK,UAAU,cAAc,CAAC,GAAoB;gBAChD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;oBACxC,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,OAAO;oBACL,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,OAAO,EAAE,OAAO,CAAC,OAAO;iBACzB,CAAC;YACJ,CAAC;YAED,SAAS,eAAe,CAAC,KAMxB;gBACC,eAAe,CAAC,MAAM,CAAC;oBACrB,IAAI,EAAE,QAAQ,KAAK,CAAC,SAAS,EAAE;oBAC/B,KAAK,EAAE,QAAQ,KAAK,CAAC,SAAS,EAAE;oBAChC,OAAO,EAAE,KAAK,CAAC,OAAO;oBACtB,OAAO,EAAE;wBACP,SAAS,EAAE,KAAK,CAAC,SAAS;wBAC1B,aAAa,EAAE,KAAK,CAAC,aAAa;wBAClC,UAAU,EAAE,KAAK,CAAC,UAAU;wBAC5B,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBAC/C;iBACF,CAAC,CAAC;YACL,CAAC;YAED,MAAM,QAAQ,GAA4B;gBACxC,KAAK,CAAC,UAAU,CAAC,GAAG;oBAClB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;oBAC7B,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;wBAC1C,eAAe,CAAC;4BACd,SAAS,EAAE,YAAY;4BACvB,aAAa,EAAE,OAAO,IAAI,IAAI;4BAC9B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;4BACjD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;yBACnC,CAAC,CAAC;wBAEH,OAAO,OAAO,CAAC;oBACjB,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,eAAe,CAAC;4BACd,SAAS,EAAE,mBAAmB;4BAC9B,aAAa,EAAE,KAAK;4BACpB,OAAO,EAAE,uBAAuB;4BAChC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;4BAClC,KAAK,EAAE,YAAY,CAAC,KAAK,CAAC;yBAC3B,CAAC,CAAC;wBACH,MAAM,KAAK,CAAC;oBACd,CAAC;gBACH,CAAC;gBAED,KAAK,CAAC,OAAO,CAAC,GAAG;oBACf,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;oBAC7B,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;wBAC1C,eAAe,CAAC;4BACd,SAAS,EAAE,SAAS;4BACpB,aAAa,EAAE,OAAO,IAAI,IAAI;4BAC9B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;4BAC3C,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;yBACnC,CAAC,CAAC;wBACH,OAAO,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC;oBAC/B,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,eAAe,CAAC;4BACd,SAAS,EAAE,gBAAgB;4BAC3B,aAAa,EAAE,KAAK;4BACpB,OAAO,EAAE,oBAAoB;4BAC7B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;4BAClC,KAAK,EAAE,YAAY,CAAC,KAAK,CAAC;yBAC3B,CAAC,CAAC;wBACH,MAAM,KAAK,CAAC;oBACd,CAAC;gBACH,CAAC;gBAED,KAAK,CAAC,WAAW,CAAC,GAAG;oBACnB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;oBAC7B,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;wBAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;4BACb,eAAe,CAAC;gCACd,SAAS,EAAE,aAAa;gCACxB,aAAa,EAAE,KAAK;gCACpB,OAAO,EAAE,cAAc;gCACvB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;6BACnC,CAAC,CAAC;4BACH,MAAM,IAAI,qBAAqB,EAAE,CAAC;wBACpC,CAAC;wBAED,eAAe,CAAC;4BACd,SAAS,EAAE,aAAa;4BACxB,aAAa,EAAE,IAAI;4BACnB,OAAO,EAAE,YAAY;4BACrB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;yBACnC,CAAC,CAAC;wBACH,OAAO,OAAO,CAAC,IAAI,CAAC;oBACtB,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;4BAC3C,MAAM,KAAK,CAAC;wBACd,CAAC;wBAED,eAAe,CAAC;4BACd,SAAS,EAAE,oBAAoB;4BAC/B,aAAa,EAAE,KAAK;4BACpB,OAAO,EAAE,6BAA6B;4BACtC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;4BAClC,KAAK,EAAE,YAAY,CAAC,KAAK,CAAC;yBAC3B,CAAC,CAAC;wBACH,MAAM,KAAK,CAAC;oBACd,CAAC;gBACH,CAAC;aACF,CAAC;YAEF,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC;QACvC,CAAC;KACF,CAAC,CAAC;AACL,CAAC"}

package/package.json

@@ -0,0 +1,69 @@
+{
+  "name": "@beignet/provider-auth-better-auth",
+  "version": "0.0.1",
+  "type": "module",
+  "description": "Better Auth provider for Beignet - adds auth port for authentication and session management",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "src",
+    "!src/**/*.test.ts",
+    "!src/**/*.test.tsx",
+    "!src/**/*.test-d.ts",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "clean": "rm -rf dist coverage .turbo",
+    "test": "bun test",
+    "test:coverage": "bun test --coverage",
+    "lint": "biome check ."
+  },
+  "keywords": [
+    "beignet",
+    "auth",
+    "better-auth",
+    "provider",
+    "authentication",
+    "session",
+    "ports"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/taylorbryant/beignet.git",
+    "directory": "packages/provider-auth-better-auth"
+  },
+  "author": "Taylor Bryant",
+  "homepage": "https://github.com/taylorbryant/beignet#readme",
+  "bugs": "https://github.com/taylorbryant/beignet/issues",
+  "sideEffects": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "peerDependencies": {
+    "better-auth": "^1.3.26"
+  },
+  "dependencies": {
+    "@beignet/core": "*"
+  },
+  "devDependencies": {
+    "@beignet/devtools": "*",
+    "@types/bun": "^1.3.13",
+    "@types/node": "^20.10.0",
+    "better-auth": "^1.4.6",
+    "typescript": "^5.3.0"
+  }
+}

package/src/index.ts

@@ -0,0 +1,274 @@
+/**
+ * @beignet/provider-auth-better-auth
+ *
+ * Better Auth provider that extends ports with authentication capabilities.
+ * This provider wraps an already-configured Better Auth server instance
+ * and exposes the shared Beignet AuthPort on ctx.ports.auth.
+ *
+ * The provider does NOT own:
+ * - Database schema
+ * - User type definition
+ * - Better Auth configuration (secrets, session strategy, etc.)
+ *
+ * Those stay in the application layer. This provider simply wires
+ * an existing Better Auth instance into the Beignet framework.
+ *
+ * @example
+ * ```ts
+ * // 1. Configure Better Auth in your app
+ * import { betterAuth } from "better-auth";
+ * import { db } from "./db";
+ *
+ * export const auth = betterAuth({
+ *   database: db,
+ *   // ...other Better Auth config
+ * });
+ *
+ * // Own this shape in your app instead of exporting provider-inferred types.
+ * export type AuthUser = {
+ *   id: string;
+ *   name?: string | null;
+ *   email?: string | null;
+ *   image?: string | null;
+ * };
+ *
+ * // 2. Define your ports type
+ * import type { AuthPort } from "@beignet/core/ports";
+ *
+ * export type AppPorts = {
+ *   auth: AuthPort<AuthUser>;
+ *   // ...other ports
+ * };
+ *
+ * // 3. Wire the provider into Beignet
+ * import { createNextServer } from "@beignet/next";
+ * import { createAuthBetterAuthProvider } from "@beignet/provider-auth-better-auth";
+ *
+ * const server = await createNextServer({
+ *   ports: basePorts,
+ *   providers: [
+ *     createAuthBetterAuthProvider(auth),
+ *     // ...other providers
+ *   ],
+ * });
+ *
+ * // 4. Use the auth port through createAuthHooks(...)
+ * import { createAuthHooks } from "@beignet/core/server";
+ *
+ * const authHooks = createAuthHooks<AppContext>({
+ *   assign: ({ ctx, session }) => ({
+ *     ...ctx,
+ *     auth: session,
+ *     user: session?.user ?? null,
+ *   }),
+ * });
+ *
+ * const server = await createNextServer({
+ *   ports: basePorts,
+ *   providers: [createAuthBetterAuthProvider(auth)],
+ *   hooks: [authHooks],
+ *   createContext: async ({ ports }) => ({ ports, auth: null, user: null }),
+ * });
+ * ```
+ */
+
+import {
+  type AuthPort,
+  type AuthRequestLike,
+  AuthUnauthorizedError,
+} from "@beignet/core/ports";
+import {
+  createProvider,
+  createProviderInstrumentation,
+} from "@beignet/core/providers";
+
+/**
+ * Minimal type representing a Better Auth server instance.
+ * This is the interface we expect from the Better Auth library.
+ *
+ * Applications pass their configured Better Auth instance to
+ * createAuthBetterAuthProvider, which must have an api.getSession method.
+ */
+export type BetterAuthServer<User = unknown, Session = unknown> = {
+  /**
+   * Better Auth's session API.
+   * The exact shape depends on Better Auth's API version.
+   */
+  api: {
+    /**
+     * Get the current session from a request.
+     * Better Auth returns null if not authenticated, or a session object
+     * containing user and session data.
+     */
+    getSession(context: {
+      headers: Headers;
+    }): Promise<{ user: User; session: Session } | null>;
+  };
+};
+
+function errorMessage(error: unknown): string {
+  return error instanceof Error ? error.message : String(error);
+}
+
+/**
+ * Create a Beignet provider for Better Auth.
+ *
+ * This factory accepts an already-configured Better Auth server instance
+ * and returns a provider that can be registered with Beignet.
+ *
+ * The provider extends ports.auth with an AuthPort that wraps the
+ * Better Auth instance with a simple, stable API.
+ *
+ * @param auth - A Better Auth server instance configured in the application
+ * @returns A Beignet provider that extends ports.auth
+ *
+ * @example
+ * ```ts
+ * import { betterAuth } from "better-auth";
+ * import { createAuthBetterAuthProvider } from "@beignet/provider-auth-better-auth";
+ * import { createNextServer } from "@beignet/next";
+ *
+ * const auth = betterAuth({ database: db });
+ *
+ * const server = await createNextServer({
+ *   ports: basePorts,
+ *   providers: [createAuthBetterAuthProvider(auth)],
+ * });
+ * ```
+ */
+export function createAuthBetterAuthProvider<User = unknown, Session = unknown>(
+  auth: BetterAuthServer<User, Session>,
+) {
+  return createProvider({
+    name: "auth-better-auth",
+
+    async setup({ ports }) {
+      const instrumentation = createProviderInstrumentation(ports, {
+        providerName: "auth-better-auth",
+        watcher: "auth",
+      });
+
+      async function resolveSession(req: AuthRequestLike) {
+        const session = await auth.api.getSession({
+          headers: req.headers,
+        });
+        if (!session) {
+          return null;
+        }
+
+        return {
+          user: session.user,
+          session: session.session,
+        };
+      }
+
+      function recordAuthEvent(event: {
+        operation: string;
+        authenticated: boolean;
+        summary: string;
+        durationMs: number;
+        error?: string;
+      }) {
+        instrumentation.custom({
+          name: `auth.${event.operation}`,
+          label: `Auth ${event.operation}`,
+          summary: event.summary,
+          details: {
+            operation: event.operation,
+            authenticated: event.authenticated,
+            durationMs: event.durationMs,
+            ...(event.error ? { error: event.error } : {}),
+          },
+        });
+      }
+
+      const authPort: AuthPort<User, Session> = {
+        async getSession(req) {
+          const startedAt = Date.now();
+          try {
+            const session = await resolveSession(req);
+            recordAuthEvent({
+              operation: "getSession",
+              authenticated: session != null,
+              summary: session ? "Session found" : "No session",
+              durationMs: Date.now() - startedAt,
+            });
+
+            return session;
+          } catch (error) {
+            recordAuthEvent({
+              operation: "getSession.failed",
+              authenticated: false,
+              summary: "Session lookup failed",
+              durationMs: Date.now() - startedAt,
+              error: errorMessage(error),
+            });
+            throw error;
+          }
+        },
+
+        async getUser(req) {
+          const startedAt = Date.now();
+          try {
+            const session = await resolveSession(req);
+            recordAuthEvent({
+              operation: "getUser",
+              authenticated: session != null,
+              summary: session ? "User found" : "No user",
+              durationMs: Date.now() - startedAt,
+            });
+            return session?.user ?? null;
+          } catch (error) {
+            recordAuthEvent({
+              operation: "getUser.failed",
+              authenticated: false,
+              summary: "User lookup failed",
+              durationMs: Date.now() - startedAt,
+              error: errorMessage(error),
+            });
+            throw error;
+          }
+        },
+
+        async requireUser(req) {
+          const startedAt = Date.now();
+          try {
+            const session = await resolveSession(req);
+            if (!session) {
+              recordAuthEvent({
+                operation: "requireUser",
+                authenticated: false,
+                summary: "Unauthorized",
+                durationMs: Date.now() - startedAt,
+              });
+              throw new AuthUnauthorizedError();
+            }
+
+            recordAuthEvent({
+              operation: "requireUser",
+              authenticated: true,
+              summary: "Authorized",
+              durationMs: Date.now() - startedAt,
+            });
+            return session.user;
+          } catch (error) {
+            if (error instanceof AuthUnauthorizedError) {
+              throw error;
+            }
+
+            recordAuthEvent({
+              operation: "requireUser.failed",
+              authenticated: false,
+              summary: "Required user lookup failed",
+              durationMs: Date.now() - startedAt,
+              error: errorMessage(error),
+            });
+            throw error;
+          }
+        },
+      };
+
+      return { ports: { auth: authPort } };
+    },
+  });
+}