@beignet/provider-auth-better-auth 0.0.25 → 0.0.26
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/README.md +8 -0
- package/package.json +4 -2
- package/skills/auth-provider/SKILL.md +138 -0
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,11 @@
|
|
|
1
1
|
# @beignet/provider-auth-better-auth
|
|
2
2
|
|
|
3
|
+
## 0.0.26
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- 104302c: Refresh package-shipped TanStack Intent skills and add package skills for Drizzle database providers, Better Auth, React Hook Form, and React uploads.
|
|
8
|
+
|
|
3
9
|
## 0.0.25
|
|
4
10
|
|
|
5
11
|
## 0.0.24
|
package/README.md
CHANGED
|
@@ -38,6 +38,14 @@ The provider supports Better Auth `>=1.3.26 <1.7.0`. The standard Beignet
|
|
|
38
38
|
starter pins Better Auth to `1.6.20` so clean installs do not float into
|
|
39
39
|
untested prerelease adapter versions.
|
|
40
40
|
|
|
41
|
+
## Agent skills
|
|
42
|
+
|
|
43
|
+
This package ships a TanStack Intent skill for coding agents:
|
|
44
|
+
`@beignet/provider-auth-better-auth#auth-provider`. Load it when wiring
|
|
45
|
+
Better Auth configuration, auth routes, `AuthPort` typing, deferred auth port
|
|
46
|
+
registration, server context, `createAuthHooks`, user/session helpers,
|
|
47
|
+
policies, devtools auth instrumentation, tests, or auth doctor drift.
|
|
48
|
+
|
|
41
49
|
## Setup
|
|
42
50
|
|
|
43
51
|
### 1. Configure Better Auth in your app
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@beignet/provider-auth-better-auth",
|
|
3
|
-
"version": "0.0.
|
|
3
|
+
"version": "0.0.26",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "Better Auth provider for Beignet - adds auth port for authentication and session management",
|
|
6
6
|
"main": "./dist/index.js",
|
|
@@ -17,6 +17,7 @@
|
|
|
17
17
|
"!src/**/*.test.ts",
|
|
18
18
|
"!src/**/*.test.tsx",
|
|
19
19
|
"!src/**/*.test-d.ts",
|
|
20
|
+
"skills",
|
|
20
21
|
"README.md",
|
|
21
22
|
"CHANGELOG.md"
|
|
22
23
|
],
|
|
@@ -35,7 +36,8 @@
|
|
|
35
36
|
"provider",
|
|
36
37
|
"authentication",
|
|
37
38
|
"session",
|
|
38
|
-
"ports"
|
|
39
|
+
"ports",
|
|
40
|
+
"tanstack-intent"
|
|
39
41
|
],
|
|
40
42
|
"license": "MIT",
|
|
41
43
|
"repository": {
|
|
@@ -0,0 +1,138 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: auth-provider
|
|
3
|
+
description: "Wire Beignet Better Auth integration with @beignet/provider-auth-better-auth: app-owned Better Auth config, auth routes, AuthPort typing, deferred auth port registration, server context, createAuthHooks, requireUser helpers, policies, devtools auth instrumentation, tests, and doctor drift. Use when adding, fixing, or reviewing Better Auth provider setup in a Beignet app."
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Beignet Better Auth Provider
|
|
7
|
+
|
|
8
|
+
Use this skill when working in an app that depends on
|
|
9
|
+
`@beignet/provider-auth-better-auth`. Read local `AGENTS.md`,
|
|
10
|
+
`lib/better-auth.ts`, auth route files, `ports/`, `infra/app-ports.ts`,
|
|
11
|
+
`server/context.ts`, and `server/providers.ts` before changing auth code.
|
|
12
|
+
|
|
13
|
+
## Ownership
|
|
14
|
+
|
|
15
|
+
The provider wraps an app-owned Better Auth server and contributes the shared
|
|
16
|
+
Beignet `AuthPort` at `ctx.ports.auth`.
|
|
17
|
+
|
|
18
|
+
The app still owns:
|
|
19
|
+
|
|
20
|
+
- Better Auth configuration, secrets, database adapter, and social providers
|
|
21
|
+
- Better Auth route handlers, usually `app/api/auth/[...all]/route.ts`
|
|
22
|
+
- public `AuthUser`, `AuthSession`, and app context shapes
|
|
23
|
+
- business authorization policies and use-case checks
|
|
24
|
+
- tests and production environment validation
|
|
25
|
+
|
|
26
|
+
Do not put provider-specific Better Auth details in contracts, domain code,
|
|
27
|
+
use cases, or feature route groups.
|
|
28
|
+
|
|
29
|
+
## Provider Registration
|
|
30
|
+
|
|
31
|
+
Create Better Auth in an app-local module, then register the provider in
|
|
32
|
+
`server/providers.ts`.
|
|
33
|
+
|
|
34
|
+
```ts
|
|
35
|
+
import { createAuthBetterAuthProvider } from "@beignet/provider-auth-better-auth";
|
|
36
|
+
import { auth } from "@/lib/better-auth";
|
|
37
|
+
|
|
38
|
+
export const providers = [createAuthBetterAuthProvider(auth)] as const;
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
Add `auth` to `definePorts(...)` as a deferred port because the provider
|
|
42
|
+
contributes it at startup.
|
|
43
|
+
|
|
44
|
+
```ts
|
|
45
|
+
export const appPorts = definePorts<AppPorts>()({
|
|
46
|
+
bound: { gate },
|
|
47
|
+
deferred: ["auth"],
|
|
48
|
+
});
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
`beignet doctor --strict` checks that installed Better Auth providers are
|
|
52
|
+
registered. Better Auth env vars remain app-owned, so validate them in the
|
|
53
|
+
app's env module rather than expecting this provider to declare them.
|
|
54
|
+
|
|
55
|
+
## Context
|
|
56
|
+
|
|
57
|
+
Read the session once in `server/context.ts`, then store the result on
|
|
58
|
+
`ctx.auth` and derive an audit actor.
|
|
59
|
+
|
|
60
|
+
```ts
|
|
61
|
+
export const appContext = defineServerContext<AppContext, AppRuntimePorts>()({
|
|
62
|
+
gate: (ports) => ports.gate,
|
|
63
|
+
request: async ({ req, ports, requestId, trace }) => {
|
|
64
|
+
const auth = await ports.auth.getSession(req);
|
|
65
|
+
|
|
66
|
+
return {
|
|
67
|
+
actor: auth ? createUserActor(auth.user.id) : createAnonymousActor(),
|
|
68
|
+
auth,
|
|
69
|
+
requestId,
|
|
70
|
+
...trace,
|
|
71
|
+
ports,
|
|
72
|
+
};
|
|
73
|
+
},
|
|
74
|
+
});
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
Service contexts for schedules, tasks, outbox drains, jobs, and webhooks should
|
|
78
|
+
use a service or system actor and must not assume a browser session.
|
|
79
|
+
|
|
80
|
+
## HTTP Auth Hooks
|
|
81
|
+
|
|
82
|
+
Use `createAuthHooks(...)` for authentication at the HTTP boundary:
|
|
83
|
+
|
|
84
|
+
```ts
|
|
85
|
+
export const auth = createAuthHooks<AppContext>()({
|
|
86
|
+
resolve: ({ ctx }) => (ctx.auth ? { user: ctx.auth.user } : null),
|
|
87
|
+
});
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
Attach `auth.required()` to route groups or route entries. Contract metadata
|
|
91
|
+
may document auth requirements, but use cases should still enforce business
|
|
92
|
+
rules that matter outside HTTP.
|
|
93
|
+
|
|
94
|
+
## Use Cases And Policies
|
|
95
|
+
|
|
96
|
+
Use app-owned helpers such as `requireUser(ctx)` or Beignet's
|
|
97
|
+
`requireUser`, `requireUserId`, `requireTenant`, and `requireTenantId`
|
|
98
|
+
helpers from `@beignet/core/ports` inside use cases.
|
|
99
|
+
|
|
100
|
+
Put authorization in use cases or feature policies. The ability belongs to the
|
|
101
|
+
feature that owns the authorized resource, not the feature initiating the
|
|
102
|
+
action.
|
|
103
|
+
|
|
104
|
+
## Gotchas
|
|
105
|
+
|
|
106
|
+
- Better Auth routes are mounted separately from Beignet contract routes. Do
|
|
107
|
+
not route sign-in/sign-up through `defineRouteGroup(...)`.
|
|
108
|
+
- The provider does not declare Better Auth env vars. Validate secrets,
|
|
109
|
+
trusted origins, adapter settings, and social credentials in app-owned env
|
|
110
|
+
code.
|
|
111
|
+
- HTTP auth hooks prove a request is authenticated; they do not replace
|
|
112
|
+
use-case authorization or feature policies.
|
|
113
|
+
- Service contexts for schedules, tasks, outbox drains, jobs, and webhooks
|
|
114
|
+
should use service/system actors, not `ctx.auth`.
|
|
115
|
+
- Keep session objects, cookies, bearer tokens, and provider-native auth data
|
|
116
|
+
out of devtools, audit metadata, and error reports.
|
|
117
|
+
|
|
118
|
+
## Devtools
|
|
119
|
+
|
|
120
|
+
When `@beignet/devtools` is registered before this provider, auth checks are
|
|
121
|
+
recorded under the Auth watcher. User and session objects are not recorded.
|
|
122
|
+
Keep extra auth logging redacted and avoid placing raw tokens or cookies in
|
|
123
|
+
devtools, audit metadata, or error reports.
|
|
124
|
+
|
|
125
|
+
## Testing
|
|
126
|
+
|
|
127
|
+
Use app-owned fake `AuthPort` implementations in use-case tests and route tests
|
|
128
|
+
that only need authenticated/anonymous branches. Test Better Auth route wiring
|
|
129
|
+
where the app mounts Better Auth handlers.
|
|
130
|
+
|
|
131
|
+
After auth provider changes, run from the app root:
|
|
132
|
+
|
|
133
|
+
```bash
|
|
134
|
+
beignet lint
|
|
135
|
+
beignet doctor --strict
|
|
136
|
+
bun run test
|
|
137
|
+
bun run typecheck
|
|
138
|
+
```
|