@better-auth/infra 0.1.13 → 0.2.0

package/README.md

@@ -6,6 +6,7 @@ Infra plugins for Better Auth:
 - `dashClient()` for dashboard client actions (including audit log queries).
 - `sentinel()` for security checks and abuse protection.
 - `sentinelClient()` for browser fingerprint headers + optional PoW auto-solving.
+- `sentinelNativeClient()` (from `@better-auth/infra/native`) for React Native / Expo.
 
 ## Installation
 
@@ -69,6 +70,45 @@ const auditLogs = await authClient.dash.getAuditLogs({
 });
 ```
 
+## Native client
+
+Use this plugin for your React Native / Expo app. This plugin is designed to work along with the server side sentinel and dash plugins and will ensure your app is protected from abuse and bot attacks.
+
+### Install peers
+
+```bash
+pnpm add react-native @react-native-async-storage/async-storage
+# Optional, for richer device metadata in the identify payload:
+pnpm add expo-constants expo-device
+```
+
+`@react-native-async-storage/async-storage` is optional; if it is not installed, a session-only in-memory visitor id is used. For production, install it or pass `storage` (for example secure storage).
+
+### Example
+
+```ts
+import { createAuthClient } from "better-auth/client";
+import { dashClient, sentinelNativeClient } from "@better-auth/infra/native";
+
+export const authClient = createAuthClient({
+  baseURL: "https://your-api.example.com",
+  plugins: [
+    dashClient(),
+    sentinelNativeClient({
+      identifyUrl: process.env.EXPO_PUBLIC_BETTER_AUTH_KV_URL,
+      autoSolveChallenge: true,
+    }),
+  ],
+});
+```
+
+### Options (`sentinelNativeClient`)
+
+- `identifyUrl?: string` — KV identify endpoint base (defaults to `BETTER_AUTH_KV_URL` from env, then `https://kv.better-auth.com`).
+- `autoSolveChallenge?: boolean` — When `true` (default), `423` responses that include `X-PoW-Challenge` are solved and the request is retried once with `X-PoW-Solution`.
+- `onChallengeReceived?` / `onChallengeSolved?` / `onChallengeFailed?` — PoW lifecycle hooks (reason string, solve time in ms, or error).
+- `storage?: { getItem, setItem }` — Async key/value storage for a stable per-install visitor id (recommended for production).
+
 ## Audit Log APIs
 
 ### `dashClient()` API
@@ -249,6 +289,10 @@ All security configuration now belongs in `sentinel()`.
 
 See `Audit Log APIs` above for full method details.
 
+### `SentinelNativeClientOptions`
+
+Exported from `@better-auth/infra/native`. See [React Native client](#native-client) for the full option list and usage.
+
 ## Migration
 
 If you previously passed security config to `dash()`, move it to `sentinel()`:

package/dist/client.d.mts

@@ -1,73 +1,7 @@
-import * as _better_fetch_fetch0 from "@better-fetch/fetch";
+import { a as dashClient, i as DashGetAuditLogsInput, n as DashAuditLogsResponse, r as DashClientOptions, t as DashAuditLog } from "./dash-client-hJHp7l_X.mjs";
+import * as _$_better_fetch_fetch0 from "@better-fetch/fetch";
 
-//#region src/client.d.ts
-interface DashAuditLog {
-  eventType: string;
-  eventData: Record<string, unknown>;
-  eventKey: string;
-  projectId: string;
-  createdAt: string;
-  updatedAt: string;
-  ageInMinutes?: number;
-  location?: {
-    ipAddress?: string | null;
-    city?: string | null;
-    country?: string | null;
-    countryCode?: string | null;
-  };
-}
-interface DashAuditLogsResponse {
-  events: DashAuditLog[];
-  total: number;
-  limit: number;
-  offset: number;
-}
-type SessionLike = {
-  user?: {
-    id?: string | null;
-  };
-};
-type UserLike = {
-  id?: string | null;
-};
-interface DashGetAuditLogsInput {
-  limit?: number;
-  offset?: number;
-  organizationId?: string;
-  identifier?: string;
-  eventType?: string;
-  userId?: string;
-  user?: UserLike | null;
-  session?: SessionLike | null;
-}
-interface DashClientOptions {
-  resolveUserId?: (input: {
-    userId?: string;
-    user?: UserLike | null;
-    session?: SessionLike | null;
-  }) => string | undefined;
-}
-declare const dashClient: (options?: DashClientOptions) => {
-  id: "dash";
-  getActions: ($fetch: _better_fetch_fetch0.BetterFetch) => {
-    dash: {
-      getAuditLogs: (input?: DashGetAuditLogsInput) => Promise<{
-        data: null;
-        error: {
-          message?: string | undefined;
-          status: number;
-          statusText: string;
-        };
-      } | {
-        data: DashAuditLogsResponse;
-        error: null;
-      }>;
-    };
-  };
-  pathMethods: {
-    "/events/audit-logs": "GET";
-  };
-};
+//#region src/sentinel/client.d.ts
 interface SentinelClientOptions {
   /**
    * The URL of the identification service
@@ -97,17 +31,17 @@ declare const sentinelClient: (options?: SentinelClientOptions) => {
     id: string;
     name: string;
     hooks: {
-      onRequest<T extends Record<string, any>>(context: _better_fetch_fetch0.RequestContext<T>): Promise<_better_fetch_fetch0.RequestContext<T>>;
+      onRequest<T extends Record<string, any>>(context: _$_better_fetch_fetch0.RequestContext<T>): Promise<_$_better_fetch_fetch0.RequestContext<T>>;
       onResponse?: undefined;
     };
   } | {
     id: string;
     name: string;
     hooks: {
-      onResponse(context: _better_fetch_fetch0.ResponseContext): Promise<_better_fetch_fetch0.ResponseContext>;
-      onRequest<T extends Record<string, any>>(context: _better_fetch_fetch0.RequestContext<T>): Promise<_better_fetch_fetch0.RequestContext<T>>;
+      onResponse(context: _$_better_fetch_fetch0.ResponseContext): Promise<_$_better_fetch_fetch0.ResponseContext>;
+      onRequest<T extends Record<string, any>>(context: _$_better_fetch_fetch0.RequestContext<T>): Promise<_$_better_fetch_fetch0.RequestContext<T>>;
     };
   })[];
 };
 //#endregion
-export { DashAuditLog, DashAuditLogsResponse, DashClientOptions, DashGetAuditLogsInput, SentinelClientOptions, dashClient, sentinelClient };
+export { type DashAuditLog, type DashAuditLogsResponse, type DashClientOptions, type DashGetAuditLogsInput, type SentinelClientOptions, dashClient, sentinelClient };

package/dist/client.mjs

@@ -1,18 +1,7 @@
 import { r as KV_TIMEOUT_MS } from "./constants-DdWGfvz1.mjs";
+import { a as identify, c as dashClient, i as generateRequestId, n as encodePoWSolution, r as solvePoWChallenge, s as hash, t as decodePoWChallenge } from "./pow-BUuN_EKw.mjs";
 import { env } from "@better-auth/core/env";
-//#region src/client.ts
-const DEFAULT_IDENTIFY_URL = "https://kv.better-auth.com";
-async function sha256(message) {
-	const msgBuffer = new TextEncoder().encode(message);
-	const hashBuffer = await crypto.subtle.digest("SHA-256", msgBuffer);
-	return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function generateRequestId() {
-	const array = new Uint8Array(16);
-	crypto.getRandomValues(array);
-	const hex = Array.from(array).map((b) => b.toString(16).padStart(2, "0")).join("");
-	return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`;
-}
+//#region src/sentinel/fingerprint.ts
 function murmurhash3(str, seed = 0) {
 	let h1 = seed;
 	const c1 = 3432918353;
@@ -336,7 +325,7 @@ async function generateVisitorId(components) {
 		fonts: components.fonts,
 		maxTouchPoints: components.maxTouchPoints
 	};
-	return (await sha256(JSON.stringify(stableData))).slice(0, 20);
+	return (await hash(JSON.stringify(stableData))).slice(0, 20);
 }
 function calculateConfidence(components) {
 	const weights = {
@@ -369,6 +358,8 @@ function calculateConfidence(components) {
 let cachedFingerprint = null;
 let fingerprintPromise = null;
 let identifySent = false;
+let identifyCompletePromise = null;
+let identifyCompleteResolve = null;
 async function getFingerprint() {
 	if (typeof window === "undefined") return null;
 	if (await cachedFingerprint) return cachedFingerprint;
@@ -393,8 +384,6 @@ async function getFingerprint() {
 		return null;
 	}
 }
-let identifyCompletePromise = null;
-let identifyCompleteResolve = null;
 async function sendIdentify(identifyUrl) {
 	if (identifySent || typeof window === "undefined") return;
 	const fingerprint = await getFingerprint();
@@ -412,12 +401,7 @@ async function sendIdentify(identifyUrl) {
 		incognito: detectIncognito()
 	};
 	try {
-		await fetch(`${identifyUrl}/identify`, {
-			method: "POST",
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify(payload),
-			signal: AbortSignal.timeout(KV_TIMEOUT_MS)
-		});
+		await identify(identifyUrl, payload, AbortSignal.timeout(KV_TIMEOUT_MS));
 	} catch (error) {
 		console.warn("[Dash] Identify request failed:", error);
 	} finally {
@@ -432,79 +416,9 @@ async function waitForIdentify(timeoutMs = 500) {
 	if (!identifyCompletePromise) return;
 	await Promise.race([identifyCompletePromise, new Promise((resolve) => setTimeout(resolve, timeoutMs))]);
 }
-/**
-* Check if a hash has the required number of leading zero bits
-*/
-function hasLeadingZeroBits(hash, bits) {
-	const fullHexChars = Math.floor(bits / 4);
-	const remainingBits = bits % 4;
-	for (let i = 0; i < fullHexChars; i++) if (hash[i] !== "0") return false;
-	if (remainingBits > 0 && fullHexChars < hash.length) {
-		if (parseInt(hash[fullHexChars], 16) > (1 << 4 - remainingBits) - 1) return false;
-	}
-	return true;
-}
-/**
-* Solve a PoW challenge
-* @returns solution or null if challenge couldn't be solved
-*/
-async function solvePoWChallenge(challenge) {
-	const { nonce, difficulty } = challenge;
-	let counter = 0;
-	while (true) {
-		if (hasLeadingZeroBits(await sha256(`${nonce}:${counter}`), difficulty)) return {
-			nonce,
-			counter
-		};
-		counter++;
-		if (counter % 1e3 === 0) await new Promise((resolve) => setTimeout(resolve, 0));
-		if (counter > 1e8) throw new Error("PoW challenge took too long to solve");
-	}
-}
-/**
-* Decode a base64-encoded challenge string
-*/
-function decodePoWChallenge(encoded) {
-	try {
-		const decoded = atob(encoded);
-		return JSON.parse(decoded);
-	} catch {
-		return null;
-	}
-}
-/**
-* Encode a solution to base64
-*/
-function encodePoWSolution(solution) {
-	return btoa(JSON.stringify(solution));
-}
-function resolveDashUserId(input, options) {
-	return input.userId || options?.resolveUserId?.({
-		userId: input.userId,
-		user: input.user,
-		session: input.session
-	}) || input.user?.id || input.session?.user?.id || void 0;
-}
-const dashClient = (options) => {
-	return {
-		id: "dash",
-		getActions: ($fetch) => ({ dash: { getAuditLogs: async (input = {}) => {
-			const userId = resolveDashUserId(input, options);
-			return $fetch("/events/audit-logs", {
-				method: "GET",
-				query: {
-					limit: input.limit,
-					offset: input.offset,
-					organizationId: input.organizationId,
-					identifier: input.identifier,
-					eventType: input.eventType,
-					userId
-				}
-			});
-		} } }),
-		pathMethods: { "/events/audit-logs": "GET" }
-	};
-};
+//#endregion
+//#region src/sentinel/client.ts
+const DEFAULT_IDENTIFY_URL = "https://kv.better-auth.com";
 const sentinelClient = (options) => {
 	const autoSolve = options?.autoSolveChallenge !== false;
 	const identifyUrl = options?.identifyUrl ?? env.BETTER_AUTH_KV_URL ?? DEFAULT_IDENTIFY_URL;

package/dist/dash-client-hJHp7l_X.d.mts

@@ -0,0 +1,72 @@
+import * as _$_better_fetch_fetch0 from "@better-fetch/fetch";
+
+//#region src/dash-client.d.ts
+interface DashAuditLog {
+  eventType: string;
+  eventData: Record<string, unknown>;
+  eventKey: string;
+  projectId: string;
+  createdAt: string;
+  updatedAt: string;
+  ageInMinutes?: number;
+  location?: {
+    ipAddress?: string | null;
+    city?: string | null;
+    country?: string | null;
+    countryCode?: string | null;
+  };
+}
+interface DashAuditLogsResponse {
+  events: DashAuditLog[];
+  total: number;
+  limit: number;
+  offset: number;
+}
+type SessionLike = {
+  user?: {
+    id?: string | null;
+  };
+};
+type UserLike = {
+  id?: string | null;
+};
+interface DashGetAuditLogsInput {
+  limit?: number;
+  offset?: number;
+  organizationId?: string;
+  identifier?: string;
+  eventType?: string;
+  userId?: string;
+  user?: UserLike | null;
+  session?: SessionLike | null;
+}
+interface DashClientOptions {
+  resolveUserId?: (input: {
+    userId?: string;
+    user?: UserLike | null;
+    session?: SessionLike | null;
+  }) => string | undefined;
+}
+declare const dashClient: (options?: DashClientOptions) => {
+  id: "dash";
+  getActions: ($fetch: _$_better_fetch_fetch0.BetterFetch) => {
+    dash: {
+      getAuditLogs: (input?: DashGetAuditLogsInput) => Promise<{
+        data: null;
+        error: {
+          message?: string | undefined;
+          status: number;
+          statusText: string;
+        };
+      } | {
+        data: DashAuditLogsResponse;
+        error: null;
+      }>;
+    };
+  };
+  pathMethods: {
+    "/events/audit-logs": "GET";
+  };
+};
+//#endregion
+export { dashClient as a, DashGetAuditLogsInput as i, DashAuditLogsResponse as n, DashClientOptions as r, DashAuditLog as t };