@beignet/provider-auth-better-auth 0.0.25 → 0.0.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,17 @@
1
1
  # @beignet/provider-auth-better-auth
2
2
 
3
+ ## 0.0.27
4
+
5
+ ### Patch Changes
6
+
7
+ - f2461a9: Add lazy Next route server loaders and update generated route files and package docs to avoid booting providers during production build imports.
8
+
9
+ ## 0.0.26
10
+
11
+ ### Patch Changes
12
+
13
+ - 104302c: Refresh package-shipped TanStack Intent skills and add package skills for Drizzle database providers, Better Auth, React Hook Form, and React uploads.
14
+
3
15
  ## 0.0.25
4
16
 
5
17
  ## 0.0.24
package/README.md CHANGED
@@ -38,6 +38,14 @@ The provider supports Better Auth `>=1.3.26 <1.7.0`. The standard Beignet
38
38
  starter pins Better Auth to `1.6.20` so clean installs do not float into
39
39
  untested prerelease adapter versions.
40
40
 
41
+ ## Agent skills
42
+
43
+ This package ships a TanStack Intent skill for coding agents:
44
+ `@beignet/provider-auth-better-auth#auth-provider`. Load it when wiring
45
+ Better Auth configuration, auth routes, `AuthPort` typing, deferred auth port
46
+ registration, server context, `createAuthHooks`, user/session helpers,
47
+ policies, devtools auth instrumentation, tests, or auth doctor drift.
48
+
41
49
  ## Setup
42
50
 
43
51
  ### 1. Configure Better Auth in your app
@@ -171,17 +179,20 @@ export const appContext = defineServerContext<AppContext, AppRuntimePorts>()({
171
179
 
172
180
  ```ts
173
181
  // server/index.ts
174
- import { createNextServer } from "@beignet/next";
182
+ import { createNextServer, createNextServerLoader } from "@beignet/next";
175
183
  import { appPorts } from "@/infra/app-ports";
176
184
  import { appContext } from "@/server/context";
177
185
  import { routes } from "@/server/routes";
178
- import { providers } from "./providers";
179
186
 
180
- export const server = await createNextServer({
181
- ports: appPorts,
182
- providers,
183
- context: appContext,
184
- routes,
187
+ export const getServer = createNextServerLoader(async () => {
188
+ const { providers } = await import("./providers");
189
+
190
+ return createNextServer({
191
+ ports: appPorts,
192
+ providers,
193
+ context: appContext,
194
+ routes,
195
+ });
185
196
  });
186
197
  ```
187
198
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@beignet/provider-auth-better-auth",
3
- "version": "0.0.25",
3
+ "version": "0.0.27",
4
4
  "type": "module",
5
5
  "description": "Better Auth provider for Beignet - adds auth port for authentication and session management",
6
6
  "main": "./dist/index.js",
@@ -17,6 +17,7 @@
17
17
  "!src/**/*.test.ts",
18
18
  "!src/**/*.test.tsx",
19
19
  "!src/**/*.test-d.ts",
20
+ "skills",
20
21
  "README.md",
21
22
  "CHANGELOG.md"
22
23
  ],
@@ -35,7 +36,8 @@
35
36
  "provider",
36
37
  "authentication",
37
38
  "session",
38
- "ports"
39
+ "ports",
40
+ "tanstack-intent"
39
41
  ],
40
42
  "license": "MIT",
41
43
  "repository": {
@@ -0,0 +1,138 @@
1
+ ---
2
+ name: auth-provider
3
+ description: "Wire Beignet Better Auth integration with @beignet/provider-auth-better-auth: app-owned Better Auth config, auth routes, AuthPort typing, deferred auth port registration, server context, createAuthHooks, requireUser helpers, policies, devtools auth instrumentation, tests, and doctor drift. Use when adding, fixing, or reviewing Better Auth provider setup in a Beignet app."
4
+ ---
5
+
6
+ # Beignet Better Auth Provider
7
+
8
+ Use this skill when working in an app that depends on
9
+ `@beignet/provider-auth-better-auth`. Read local `AGENTS.md`,
10
+ `lib/better-auth.ts`, auth route files, `ports/`, `infra/app-ports.ts`,
11
+ `server/context.ts`, and `server/providers.ts` before changing auth code.
12
+
13
+ ## Ownership
14
+
15
+ The provider wraps an app-owned Better Auth server and contributes the shared
16
+ Beignet `AuthPort` at `ctx.ports.auth`.
17
+
18
+ The app still owns:
19
+
20
+ - Better Auth configuration, secrets, database adapter, and social providers
21
+ - Better Auth route handlers, usually `app/api/auth/[...all]/route.ts`
22
+ - public `AuthUser`, `AuthSession`, and app context shapes
23
+ - business authorization policies and use-case checks
24
+ - tests and production environment validation
25
+
26
+ Do not put provider-specific Better Auth details in contracts, domain code,
27
+ use cases, or feature route groups.
28
+
29
+ ## Provider Registration
30
+
31
+ Create Better Auth in an app-local module, then register the provider in
32
+ `server/providers.ts`.
33
+
34
+ ```ts
35
+ import { createAuthBetterAuthProvider } from "@beignet/provider-auth-better-auth";
36
+ import { auth } from "@/lib/better-auth";
37
+
38
+ export const providers = [createAuthBetterAuthProvider(auth)] as const;
39
+ ```
40
+
41
+ Add `auth` to `definePorts(...)` as a deferred port because the provider
42
+ contributes it at startup.
43
+
44
+ ```ts
45
+ export const appPorts = definePorts<AppPorts>()({
46
+ bound: { gate },
47
+ deferred: ["auth"],
48
+ });
49
+ ```
50
+
51
+ `beignet doctor --strict` checks that installed Better Auth providers are
52
+ registered. Better Auth env vars remain app-owned, so validate them in the
53
+ app's env module rather than expecting this provider to declare them.
54
+
55
+ ## Context
56
+
57
+ Read the session once in `server/context.ts`, then store the result on
58
+ `ctx.auth` and derive an audit actor.
59
+
60
+ ```ts
61
+ export const appContext = defineServerContext<AppContext, AppRuntimePorts>()({
62
+ gate: (ports) => ports.gate,
63
+ request: async ({ req, ports, requestId, trace }) => {
64
+ const auth = await ports.auth.getSession(req);
65
+
66
+ return {
67
+ actor: auth ? createUserActor(auth.user.id) : createAnonymousActor(),
68
+ auth,
69
+ requestId,
70
+ ...trace,
71
+ ports,
72
+ };
73
+ },
74
+ });
75
+ ```
76
+
77
+ Service contexts for schedules, tasks, outbox drains, jobs, and webhooks should
78
+ use a service or system actor and must not assume a browser session.
79
+
80
+ ## HTTP Auth Hooks
81
+
82
+ Use `createAuthHooks(...)` for authentication at the HTTP boundary:
83
+
84
+ ```ts
85
+ export const auth = createAuthHooks<AppContext>()({
86
+ resolve: ({ ctx }) => (ctx.auth ? { user: ctx.auth.user } : null),
87
+ });
88
+ ```
89
+
90
+ Attach `auth.required()` to route groups or route entries. Contract metadata
91
+ may document auth requirements, but use cases should still enforce business
92
+ rules that matter outside HTTP.
93
+
94
+ ## Use Cases And Policies
95
+
96
+ Use app-owned helpers such as `requireUser(ctx)` or Beignet's
97
+ `requireUser`, `requireUserId`, `requireTenant`, and `requireTenantId`
98
+ helpers from `@beignet/core/ports` inside use cases.
99
+
100
+ Put authorization in use cases or feature policies. The ability belongs to the
101
+ feature that owns the authorized resource, not the feature initiating the
102
+ action.
103
+
104
+ ## Gotchas
105
+
106
+ - Better Auth routes are mounted separately from Beignet contract routes. Do
107
+ not route sign-in/sign-up through `defineRouteGroup(...)`.
108
+ - The provider does not declare Better Auth env vars. Validate secrets,
109
+ trusted origins, adapter settings, and social credentials in app-owned env
110
+ code.
111
+ - HTTP auth hooks prove a request is authenticated; they do not replace
112
+ use-case authorization or feature policies.
113
+ - Service contexts for schedules, tasks, outbox drains, jobs, and webhooks
114
+ should use service/system actors, not `ctx.auth`.
115
+ - Keep session objects, cookies, bearer tokens, and provider-native auth data
116
+ out of devtools, audit metadata, and error reports.
117
+
118
+ ## Devtools
119
+
120
+ When `@beignet/devtools` is registered before this provider, auth checks are
121
+ recorded under the Auth watcher. User and session objects are not recorded.
122
+ Keep extra auth logging redacted and avoid placing raw tokens or cookies in
123
+ devtools, audit metadata, or error reports.
124
+
125
+ ## Testing
126
+
127
+ Use app-owned fake `AuthPort` implementations in use-case tests and route tests
128
+ that only need authenticated/anonymous branches. Test Better Auth route wiring
129
+ where the app mounts Better Auth handlers.
130
+
131
+ After auth provider changes, run from the app root:
132
+
133
+ ```bash
134
+ beignet lint
135
+ beignet doctor --strict
136
+ bun run test
137
+ bun run typecheck
138
+ ```