@better-auth/infra 0.1.12 → 0.1.14

package/dist/client.d.mts

@@ -1,5 +1,48 @@
-import * as _better_fetch_fetch0 from "@better-fetch/fetch";
+import * as _$_better_fetch_fetch0 from "@better-fetch/fetch";
 
+//#region src/sentinel/client.d.ts
+interface SentinelClientOptions {
+  /**
+   * The URL of the identification service
+   * @default "https://kv.better-auth.com"
+   */
+  identifyUrl?: string;
+  /**
+   * Whether to automatically solve PoW challenges (default: true)
+   */
+  autoSolveChallenge?: boolean;
+  /**
+   * Callback when a PoW challenge is received
+   */
+  onChallengeReceived?: (reason: string) => void;
+  /**
+   * Callback when a PoW challenge is solved
+   */
+  onChallengeSolved?: (solveTimeMs: number) => void;
+  /**
+   * Callback when a PoW challenge fails to solve
+   */
+  onChallengeFailed?: (error: Error) => void;
+}
+declare const sentinelClient: (options?: SentinelClientOptions) => {
+  id: "sentinel";
+  fetchPlugins: ({
+    id: string;
+    name: string;
+    hooks: {
+      onRequest<T extends Record<string, any>>(context: _$_better_fetch_fetch0.RequestContext<T>): Promise<_$_better_fetch_fetch0.RequestContext<T>>;
+      onResponse?: undefined;
+    };
+  } | {
+    id: string;
+    name: string;
+    hooks: {
+      onResponse(context: _$_better_fetch_fetch0.ResponseContext): Promise<_$_better_fetch_fetch0.ResponseContext>;
+      onRequest<T extends Record<string, any>>(context: _$_better_fetch_fetch0.RequestContext<T>): Promise<_$_better_fetch_fetch0.RequestContext<T>>;
+    };
+  })[];
+};
+//#endregion
 //#region src/client.d.ts
 interface DashAuditLog {
   eventType: string;
@@ -10,10 +53,10 @@ interface DashAuditLog {
   updatedAt: string;
   ageInMinutes?: number;
   location?: {
-    ipAddress?: string;
-    city?: string;
-    country?: string;
-    countryCode?: string;
+    ipAddress?: string | null;
+    city?: string | null;
+    country?: string | null;
+    countryCode?: string | null;
   };
 }
 interface DashAuditLogsResponse {
@@ -49,7 +92,7 @@ interface DashClientOptions {
 }
 declare const dashClient: (options?: DashClientOptions) => {
   id: "dash";
-  getActions: ($fetch: _better_fetch_fetch0.BetterFetch) => {
+  getActions: ($fetch: _$_better_fetch_fetch0.BetterFetch) => {
     dash: {
       getAuditLogs: (input?: DashGetAuditLogsInput) => Promise<{
         data: DashAuditLogsResponse;
@@ -68,46 +111,5 @@ declare const dashClient: (options?: DashClientOptions) => {
     "/events/audit-logs": "GET";
   };
 };
-interface SentinelClientOptions {
-  /**
-   * The URL of the identification service
-   * @default "https://kv.better-auth.com"
-   */
-  identifyUrl?: string;
-  /**
-   * Whether to automatically solve PoW challenges (default: true)
-   */
-  autoSolveChallenge?: boolean;
-  /**
-   * Callback when a PoW challenge is received
-   */
-  onChallengeReceived?: (reason: string) => void;
-  /**
-   * Callback when a PoW challenge is solved
-   */
-  onChallengeSolved?: (solveTimeMs: number) => void;
-  /**
-   * Callback when a PoW challenge fails to solve
-   */
-  onChallengeFailed?: (error: Error) => void;
-}
-declare const sentinelClient: (options?: SentinelClientOptions) => {
-  id: "sentinel";
-  fetchPlugins: ({
-    id: string;
-    name: string;
-    hooks: {
-      onRequest<T extends Record<string, any>>(context: _better_fetch_fetch0.RequestContext<T>): Promise<_better_fetch_fetch0.RequestContext<T>>;
-      onResponse?: undefined;
-    };
-  } | {
-    id: string;
-    name: string;
-    hooks: {
-      onResponse(context: _better_fetch_fetch0.ResponseContext): Promise<_better_fetch_fetch0.ResponseContext>;
-      onRequest<T extends Record<string, any>>(context: _better_fetch_fetch0.RequestContext<T>): Promise<_better_fetch_fetch0.RequestContext<T>>;
-    };
-  })[];
-};
 //#endregion
-export { DashAuditLog, DashAuditLogsResponse, DashClientOptions, DashGetAuditLogsInput, SentinelClientOptions, dashClient, sentinelClient };
+export { DashAuditLog, DashAuditLogsResponse, DashClientOptions, DashGetAuditLogsInput, type SentinelClientOptions, dashClient, sentinelClient };

package/dist/client.mjs

@@ -1,19 +1,7 @@
-import { r as KV_TIMEOUT_MS } from "./constants-B-e0_Nsv.mjs";
+import { r as KV_TIMEOUT_MS } from "./constants-DdWGfvz1.mjs";
+import { a as hash, i as identify, r as generateRequestId } from "./identification-DF2nvmng.mjs";
 import { env } from "@better-auth/core/env";
-
-//#region src/client.ts
-const DEFAULT_IDENTIFY_URL = "https://kv.better-auth.com";
-async function sha256(message) {
-	const msgBuffer = new TextEncoder().encode(message);
-	const hashBuffer = await crypto.subtle.digest("SHA-256", msgBuffer);
-	return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function generateRequestId() {
-	const array = new Uint8Array(16);
-	crypto.getRandomValues(array);
-	const hex = Array.from(array).map((b) => b.toString(16).padStart(2, "0")).join("");
-	return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`;
-}
+//#region src/sentinel/fingerprint.ts
 function murmurhash3(str, seed = 0) {
 	let h1 = seed;
 	const c1 = 3432918353;
@@ -337,7 +325,7 @@ async function generateVisitorId(components) {
 		fonts: components.fonts,
 		maxTouchPoints: components.maxTouchPoints
 	};
-	return (await sha256(JSON.stringify(stableData))).slice(0, 20);
+	return (await hash(JSON.stringify(stableData))).slice(0, 20);
 }
 function calculateConfidence(components) {
 	const weights = {
@@ -370,6 +358,8 @@ function calculateConfidence(components) {
 let cachedFingerprint = null;
 let fingerprintPromise = null;
 let identifySent = false;
+let identifyCompletePromise = null;
+let identifyCompleteResolve = null;
 async function getFingerprint() {
 	if (typeof window === "undefined") return null;
 	if (await cachedFingerprint) return cachedFingerprint;
@@ -394,8 +384,6 @@ async function getFingerprint() {
 		return null;
 	}
 }
-let identifyCompletePromise = null;
-let identifyCompleteResolve = null;
 async function sendIdentify(identifyUrl) {
 	if (identifySent || typeof window === "undefined") return;
 	const fingerprint = await getFingerprint();
@@ -413,12 +401,7 @@ async function sendIdentify(identifyUrl) {
 		incognito: detectIncognito()
 	};
 	try {
-		await fetch(`${identifyUrl}/identify`, {
-			method: "POST",
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify(payload),
-			signal: AbortSignal.timeout(KV_TIMEOUT_MS)
-		});
+		await identify(identifyUrl, payload, AbortSignal.timeout(KV_TIMEOUT_MS));
 	} catch (error) {
 		console.warn("[Dash] Identify request failed:", error);
 	} finally {
@@ -433,9 +416,8 @@ async function waitForIdentify(timeoutMs = 500) {
 	if (!identifyCompletePromise) return;
 	await Promise.race([identifyCompletePromise, new Promise((resolve) => setTimeout(resolve, timeoutMs))]);
 }
-/**
-* Check if a hash has the required number of leading zero bits
-*/
+//#endregion
+//#region src/sentinel/pow.ts
 function hasLeadingZeroBits(hash, bits) {
 	const fullHexChars = Math.floor(bits / 4);
 	const remainingBits = bits % 4;
@@ -445,15 +427,11 @@ function hasLeadingZeroBits(hash, bits) {
 	}
 	return true;
 }
-/**
-* Solve a PoW challenge
-* @returns solution or null if challenge couldn't be solved
-*/
 async function solvePoWChallenge(challenge) {
 	const { nonce, difficulty } = challenge;
 	let counter = 0;
 	while (true) {
-		if (hasLeadingZeroBits(await sha256(`${nonce}:${counter}`), difficulty)) return {
+		if (hasLeadingZeroBits(await hash(`${nonce}:${counter}`), difficulty)) return {
 			nonce,
 			counter
 		};
@@ -462,50 +440,42 @@ async function solvePoWChallenge(challenge) {
 		if (counter > 1e8) throw new Error("PoW challenge took too long to solve");
 	}
 }
-/**
-* Decode a base64-encoded challenge string
-*/
+function decodeBase64ToUtf8(encoded) {
+	if (typeof globalThis.atob === "function") return globalThis.atob(encoded);
+	throw new Error("[Sentinel] Base64 decode requires atob (browser, Hermes, or Bun)");
+}
+function encodeUtf8ToBase64(str) {
+	if (typeof globalThis.btoa === "function") return globalThis.btoa(str);
+	const bytes = new TextEncoder().encode(str);
+	const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+	let out = "";
+	for (let i = 0; i < bytes.length; i += 3) {
+		const b0 = bytes[i];
+		const b1 = bytes[i + 1] ?? 0;
+		const b2 = bytes[i + 2] ?? 0;
+		const triple = b0 << 16 | b1 << 8 | b2;
+		const pad = i + 2 >= bytes.length ? i + 1 >= bytes.length ? 2 : 1 : 0;
+		out += chars[triple >> 18 & 63];
+		out += chars[triple >> 12 & 63];
+		out += pad < 2 ? chars[triple >> 6 & 63] : "=";
+		out += pad < 1 ? chars[triple & 63] : "=";
+	}
+	return out;
+}
 function decodePoWChallenge(encoded) {
 	try {
-		const decoded = atob(encoded);
+		const decoded = decodeBase64ToUtf8(encoded);
 		return JSON.parse(decoded);
 	} catch {
 		return null;
 	}
 }
-/**
-* Encode a solution to base64
-*/
 function encodePoWSolution(solution) {
-	return btoa(JSON.stringify(solution));
-}
-function resolveDashUserId(input, options) {
-	return input.userId || options?.resolveUserId?.({
-		userId: input.userId,
-		user: input.user,
-		session: input.session
-	}) || input.user?.id || input.session?.user?.id || void 0;
+	return encodeUtf8ToBase64(JSON.stringify(solution));
 }
-const dashClient = (options) => {
-	return {
-		id: "dash",
-		getActions: ($fetch) => ({ dash: { getAuditLogs: async (input = {}) => {
-			const userId = resolveDashUserId(input, options);
-			return $fetch("/events/audit-logs", {
-				method: "GET",
-				query: {
-					limit: input.limit,
-					offset: input.offset,
-					organizationId: input.organizationId,
-					identifier: input.identifier,
-					eventType: input.eventType,
-					userId
-				}
-			});
-		} } }),
-		pathMethods: { "/events/audit-logs": "GET" }
-	};
-};
+//#endregion
+//#region src/sentinel/client.ts
+const DEFAULT_IDENTIFY_URL = "https://kv.better-auth.com";
 const sentinelClient = (options) => {
 	const autoSolve = options?.autoSolveChallenge !== false;
 	const identifyUrl = options?.identifyUrl ?? env.BETTER_AUTH_KV_URL ?? DEFAULT_IDENTIFY_URL;
@@ -594,6 +564,34 @@ const sentinelClient = (options) => {
 		}]
 	};
 };
-
 //#endregion
-export { dashClient, sentinelClient };
+//#region src/client.ts
+function resolveDashUserId(input, options) {
+	return input.userId || options?.resolveUserId?.({
+		userId: input.userId,
+		user: input.user,
+		session: input.session
+	}) || input.user?.id || input.session?.user?.id || void 0;
+}
+const dashClient = (options) => {
+	return {
+		id: "dash",
+		getActions: ($fetch) => ({ dash: { getAuditLogs: async (input = {}) => {
+			const userId = resolveDashUserId(input, options);
+			return $fetch("/events/audit-logs", {
+				method: "GET",
+				query: {
+					limit: input.limit,
+					offset: input.offset,
+					organizationId: input.organizationId,
+					identifier: input.identifier,
+					eventType: input.eventType,
+					userId
+				}
+			});
+		} } }),
+		pathMethods: { "/events/audit-logs": "GET" }
+	};
+};
+//#endregion
+export { dashClient, sentinelClient };

package/dist/{constants-B-e0_Nsv.mjs → constants-DdWGfvz1.mjs}

@@ -1,5 +1,4 @@
 import { env } from "@better-auth/core/env";
-
 //#region src/constants.ts
 /**
 * Infrastructure API URL
@@ -13,6 +12,5 @@ const INFRA_API_URL = env.BETTER_AUTH_API_URL || "https://dash.better-auth.com";
 const INFRA_KV_URL = env.BETTER_AUTH_KV_URL || "https://kv.better-auth.com";
 /** Timeout for KV HTTP operations (ms) */
 const KV_TIMEOUT_MS = 5e3;
-
 //#endregion
-export { INFRA_KV_URL as n, KV_TIMEOUT_MS as r, INFRA_API_URL as t };
+export { INFRA_KV_URL as n, KV_TIMEOUT_MS as r, INFRA_API_URL as t };

package/dist/email.mjs

@@ -1,7 +1,6 @@
-import { t as INFRA_API_URL } from "./constants-B-e0_Nsv.mjs";
+import { t as INFRA_API_URL } from "./constants-DdWGfvz1.mjs";
 import { logger } from "better-auth";
 import { env } from "@better-auth/core/env";
-
 //#region src/email.ts
 /**
 * Email sending module for @better-auth/infra
@@ -178,6 +177,5 @@ async function sendEmail(options, config) {
 async function sendBulkEmails(options, config) {
 	return createEmailSender(config).sendBulk(options);
 }
-
 //#endregion
-export { EMAIL_TEMPLATES, createEmailSender, sendBulkEmails, sendEmail };
+export { EMAIL_TEMPLATES, createEmailSender, sendBulkEmails, sendEmail };

package/dist/identification-DF2nvmng.mjs

@@ -0,0 +1,178 @@
+import { n as INFRA_KV_URL, r as KV_TIMEOUT_MS } from "./constants-DdWGfvz1.mjs";
+import { logger } from "better-auth";
+import { createAuthMiddleware } from "better-auth/api";
+//#region src/crypto.ts
+function randomBytes(length) {
+	const bytes = new Uint8Array(length);
+	crypto.getRandomValues(bytes);
+	return bytes;
+}
+function bytesToHex(bytes) {
+	return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function hash(message) {
+	const msgBuffer = new TextEncoder().encode(message);
+	const hashBuffer = await crypto.subtle.digest("SHA-256", msgBuffer);
+	return bytesToHex(new Uint8Array(hashBuffer));
+}
+//#endregion
+//#region src/identification.ts
+/**
+* Identification Service
+*
+* Fetches identification data from the durable-kv service
+* when a request includes an X-Request-Id header.
+*/
+const IDENTIFICATION_COOKIE_NAME = "__infra-rid";
+const identificationCache = /* @__PURE__ */ new Map();
+const CACHE_TTL_MS = 6e4;
+const CACHE_MAX_SIZE = 1e3;
+let lastCleanup = Date.now();
+function cleanupCache() {
+	const now = Date.now();
+	for (const [key, value] of identificationCache.entries()) if (now - value.timestamp > CACHE_TTL_MS) identificationCache.delete(key);
+	lastCleanup = now;
+}
+function maybeCleanup() {
+	if (Date.now() - lastCleanup > CACHE_TTL_MS || identificationCache.size > CACHE_MAX_SIZE) cleanupCache();
+}
+/**
+* Fetch identification data from durable-kv by requestId
+*/
+async function getIdentification(requestId, apiKey, kvUrl) {
+	maybeCleanup();
+	const cached = identificationCache.get(requestId);
+	if (cached && Date.now() - cached.timestamp < CACHE_TTL_MS) return cached.data;
+	const baseUrl = kvUrl || INFRA_KV_URL;
+	const maxRetries = 3;
+	const retryDelays = [
+		50,
+		100,
+		200
+	];
+	for (let attempt = 0; attempt <= maxRetries; attempt++) try {
+		const response = await fetch(`${baseUrl}/identify/${requestId}`, {
+			method: "GET",
+			headers: { "x-api-key": apiKey },
+			signal: AbortSignal.timeout(KV_TIMEOUT_MS)
+		});
+		if (response.ok) {
+			const data = await response.json();
+			identificationCache.set(requestId, {
+				data,
+				timestamp: Date.now()
+			});
+			return data;
+		}
+		if (response.status === 404 && attempt < maxRetries) {
+			await new Promise((resolve) => setTimeout(resolve, retryDelays[attempt]));
+			continue;
+		}
+		if (response.status !== 404) identificationCache.set(requestId, {
+			data: null,
+			timestamp: Date.now()
+		});
+		return null;
+	} catch (error) {
+		if (attempt === maxRetries) {
+			logger.error("[Dash] Failed to fetch identification:", error);
+			return null;
+		}
+		await new Promise((resolve) => setTimeout(resolve, retryDelays[attempt] || 50));
+	}
+	return null;
+}
+function generateRequestId() {
+	const hex = bytesToHex(randomBytes(16));
+	return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`;
+}
+async function identify(baseURL, payload, signal) {
+	const base = baseURL.replace(/\/$/, "");
+	await fetch(`${base}/identify`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(payload),
+		signal: signal ?? AbortSignal.timeout(5e3)
+	});
+}
+/**
+* Extract identification headers from a request
+*/
+function extractIdentificationHeaders(request) {
+	if (!request) return {
+		visitorId: null,
+		requestId: null
+	};
+	return {
+		visitorId: request.headers.get("X-Visitor-Id"),
+		requestId: request.headers.get("X-Request-Id")
+	};
+}
+/**
+* Early middleware that loads identification data
+*/
+function createIdentificationMiddleware(options) {
+	return createAuthMiddleware(async (ctx) => {
+		const { visitorId, requestId: headerRequestId } = extractIdentificationHeaders(ctx.request);
+		const requestId = headerRequestId ?? ctx.getCookie("__infra-rid") ?? null;
+		ctx.context.visitorId = visitorId;
+		ctx.context.requestId = requestId;
+		if (requestId) ctx.context.identification = ctx.context.identification ?? await getIdentification(requestId, options.apiKey, options.kvUrl) ?? null;
+		else ctx.context.identification = null;
+		const ipConfig = ctx.context.options?.advanced?.ipAddress;
+		if (ipConfig?.disableIpTracking === true) {
+			ctx.context.location = void 0;
+			return;
+		}
+		const identification = ctx.context.identification;
+		if (requestId && identification) {
+			const loc = getLocation(identification);
+			ctx.context.location = {
+				ipAddress: identification.ip || void 0,
+				city: loc?.city || void 0,
+				country: loc?.country?.name || void 0,
+				countryCode: loc?.country?.code || void 0
+			};
+			return;
+		}
+		const ipAddress = getClientIpFromRequest(ctx.request, ipConfig?.ipAddressHeaders || null);
+		const countryCode = getCountryCodeFromRequest(ctx.request);
+		if (ipAddress || countryCode) {
+			ctx.context.location = {
+				ipAddress,
+				countryCode
+			};
+			return;
+		}
+		ctx.context.location = void 0;
+	});
+}
+/**
+* Get the visitor's location
+*/
+function getLocation(identification) {
+	if (!identification) return null;
+	return identification.location;
+}
+function getClientIpFromRequest(request, ipAddressHeaders) {
+	if (!request) return void 0;
+	const headers = ipAddressHeaders?.length ? ipAddressHeaders : [
+		"cf-connecting-ip",
+		"x-forwarded-for",
+		"x-real-ip",
+		"x-vercel-forwarded-for"
+	];
+	for (const headerName of headers) {
+		const value = request.headers.get(headerName);
+		if (!value) continue;
+		const ip = value.split(",")[0]?.trim();
+		if (ip) return ip;
+	}
+}
+function getCountryCodeFromRequest(request) {
+	if (!request) return void 0;
+	const cc = request.headers.get("cf-ipcountry") ?? request.headers.get("x-vercel-ip-country");
+	return cc ? cc.toUpperCase() : void 0;
+}
+//#endregion
+export { hash as a, identify as i, createIdentificationMiddleware as n, generateRequestId as r, IDENTIFICATION_COOKIE_NAME as t };