@better-auth/infra 0.1.14 → 0.2.1

package/dist/native.mjs

@@ -0,0 +1,292 @@
+import { a as identify, c as dashClient, n as encodePoWSolution, o as bytesToHex, r as solvePoWChallenge, t as decodePoWChallenge } from "./pow-BUuN_EKw.mjs";
+import { env } from "@better-auth/core/env";
+import { Dimensions, InteractionManager, PixelRatio, Platform } from "react-native";
+//#region src/sentinel/native/components.ts
+/**
+* Default first-party component payload for React Native / Expo.
+* Avoids browser-style entropy; sets `clientRuntime` for durable-kv bot scoring.
+*/
+async function defaultCollectNativeComponents() {
+	const windowDims = Dimensions.get("window");
+	const scale = PixelRatio.get();
+	let locale = "en";
+	let locales = ["en"];
+	try {
+		locale = Intl.DateTimeFormat().resolvedOptions().locale || locale;
+		locales = [locale];
+	} catch {}
+	const nav = globalThis.navigator;
+	if (nav?.languages?.length) locales = [...nav.languages];
+	let timezone = "";
+	let timezoneOffset = 0;
+	try {
+		timezone = Intl.DateTimeFormat().resolvedOptions().timeZone || "";
+		timezoneOffset = (/* @__PURE__ */ new Date()).getTimezoneOffset();
+	} catch {
+		timezone = "unknown";
+	}
+	const components = {
+		clientRuntime: "react-native",
+		platform: Platform.OS,
+		screenResolution: `${Math.round(windowDims.width)}x${Math.round(windowDims.height)}`,
+		pixelRatio: scale,
+		fontScale: windowDims.fontScale,
+		language: locales[0] ?? locale,
+		languages: locales,
+		locale,
+		timezone,
+		timezoneOffset,
+		touchSupport: true,
+		maxTouchPoints: Platform.OS === "ios" ? 5 : 10
+	};
+	if (nav?.userAgent) components.userAgent = nav.userAgent;
+	await applyOptionalExpoMetadata(components);
+	return components;
+}
+async function applyOptionalExpoMetadata(components) {
+	try {
+		const c = (await import("expo-constants")).default;
+		if (c?.expoConfig?.version) components.appVersion = c.expoConfig.version;
+		else if (c?.nativeAppVersion) components.appVersion = c.nativeAppVersion;
+		if (c?.expoConfig?.slug) components.expoSlug = c.expoConfig.slug;
+	} catch {}
+	try {
+		const d = (await import("expo-device")).default;
+		if (d?.modelName) components.deviceModel = d.modelName;
+		if (d?.osVersion) components.osVersion = d.osVersion;
+	} catch {}
+}
+//#endregion
+//#region src/sentinel/native/crypto.ts
+/**
+* Cryptographically secure random bytes for React Native, Node (e.g. Expo API routes),
+* and other runtimes
+*/
+async function randomBytesAsync(length) {
+	const c = globalThis.crypto;
+	if (c && typeof c.getRandomValues === "function") {
+		const bytes = new Uint8Array(length);
+		c.getRandomValues(bytes);
+		return bytes;
+	}
+	try {
+		const { getRandomBytesAsync } = await import("expo-crypto");
+		return await getRandomBytesAsync(length);
+	} catch {
+		throw new Error("[@better-auth/infra] No secure RNG available: use Web Crypto / Node, add `import \"react-native-get-random-values\"` at app entry (before other imports), or install `expo-crypto` with a native dev build.");
+	}
+}
+//#endregion
+//#region src/sentinel/native/fingerprint.ts
+async function randomVisitorId() {
+	return bytesToHex(await randomBytesAsync(10)).slice(0, 20);
+}
+async function generateRequestId() {
+	const h = bytesToHex(await randomBytesAsync(16));
+	return [
+		h.slice(0, 8),
+		h.slice(8, 12),
+		h.slice(12, 16),
+		h.slice(16, 20),
+		h.slice(20, 32)
+	].join("-");
+}
+/** Conservative confidence for first-party native payloads (not web-grade signals). */
+const NATIVE_IDENTIFY_CONFIDENCE = .52;
+/** Logical URL recorded with native identify payloads. */
+const NATIVE_IDENTIFY_CONTEXT_URL = "react-native://identify";
+function createNativeFingerprintRuntime(deps) {
+	let cached = null;
+	let pending = null;
+	let identifySent = false;
+	let identifyComplete = null;
+	let identifyCompleteResolve = null;
+	async function getFingerprint() {
+		if (cached != null) return cached;
+		if (pending != null) return pending;
+		pending = (async () => {
+			try {
+				const visitorId = await deps.getOrCreateVisitorId();
+				const components = await defaultCollectNativeComponents();
+				const result = {
+					visitorId,
+					requestId: await generateRequestId(),
+					confidence: NATIVE_IDENTIFY_CONFIDENCE,
+					components
+				};
+				cached = result;
+				return result;
+			} catch (error) {
+				console.warn("[Sentinel native] Fingerprint generation failed:", error);
+				pending = null;
+				return null;
+			}
+		})();
+		return pending;
+	}
+	async function sendIdentify() {
+		if (identifySent) return;
+		const fingerprint = await getFingerprint();
+		if (!fingerprint) return;
+		identifySent = true;
+		identifyComplete = new Promise((resolve) => {
+			identifyCompleteResolve = resolve;
+		});
+		const payload = {
+			visitorId: fingerprint.visitorId,
+			requestId: fingerprint.requestId,
+			confidence: fingerprint.confidence,
+			components: fingerprint.components,
+			url: NATIVE_IDENTIFY_CONTEXT_URL,
+			incognito: false
+		};
+		try {
+			await identify(deps.identifyUrl, payload);
+		} catch (error) {
+			console.warn("[Sentinel native] Identify request failed:", error);
+		} finally {
+			identifyCompleteResolve?.();
+			identifyCompleteResolve = null;
+		}
+	}
+	async function waitForIdentify(timeoutMs = 500) {
+		if (!identifyComplete) return;
+		await Promise.race([identifyComplete, new Promise((resolve) => setTimeout(resolve, timeoutMs))]);
+	}
+	return {
+		getFingerprint,
+		sendIdentify,
+		waitForIdentify
+	};
+}
+const VISITOR_STORAGE_KEY = "better-auth.infra.sentinel.visitorId";
+let memoryVisitorId = null;
+/**
+* Stable per-install visitor id. Prefer passing `storage` (e.g. secure storage).
+* Otherwise tries `@react-native-async-storage/async-storage`, then falls back to an in-memory id (session only).
+*/
+async function getOrCreateVisitorId(storage) {
+	if (storage) {
+		const existing = await storage.getItem(VISITOR_STORAGE_KEY);
+		if (existing) return existing;
+		const id = await randomVisitorId();
+		await storage.setItem(VISITOR_STORAGE_KEY, id);
+		return id;
+	}
+	try {
+		const { default: AsyncStorage } = await import("@react-native-async-storage/async-storage");
+		const existing = await AsyncStorage.getItem(VISITOR_STORAGE_KEY);
+		if (existing) return existing;
+		const id = await randomVisitorId();
+		await AsyncStorage.setItem(VISITOR_STORAGE_KEY, id);
+		return id;
+	} catch {
+		memoryVisitorId ??= await randomVisitorId();
+		return memoryVisitorId;
+	}
+}
+//#endregion
+//#region src/sentinel/native/client.ts
+const DEFAULT_IDENTIFY_URL = "https://kv.better-auth.com";
+function scheduleIdentify(send) {
+	const run = () => {
+		try {
+			send();
+		} catch (e) {
+			console.warn("[Sentinel native] identify schedule error:", e);
+		}
+	};
+	try {
+		const im = InteractionManager;
+		if (im && typeof im.runAfterInteractions === "function") {
+			im.runAfterInteractions(run);
+			return;
+		}
+	} catch {}
+	if (typeof queueMicrotask === "function") queueMicrotask(run);
+	else setTimeout(run, 0);
+}
+const sentinelNativeClient = (options) => {
+	const autoSolve = options?.autoSolveChallenge !== false;
+	const runtime = createNativeFingerprintRuntime({
+		identifyUrl: options?.identifyUrl ?? env.BETTER_AUTH_KV_URL ?? DEFAULT_IDENTIFY_URL,
+		getOrCreateVisitorId: () => getOrCreateVisitorId(options?.storage)
+	});
+	scheduleIdentify(() => {
+		runtime.sendIdentify();
+	});
+	return {
+		id: "sentinel",
+		fetchPlugins: [{
+			id: "sentinel-fingerprint",
+			name: "sentinel-fingerprint",
+			hooks: { async onRequest(context) {
+				await runtime.waitForIdentify(500);
+				const fingerprint = await runtime.getFingerprint();
+				if (!fingerprint) return context;
+				const headers = context.headers || new Headers();
+				if (headers instanceof Headers) {
+					headers.set("X-Visitor-Id", fingerprint.visitorId);
+					headers.set("X-Request-Id", fingerprint.requestId);
+				}
+				return {
+					...context,
+					headers
+				};
+			} }
+		}, {
+			id: "sentinel-pow-solver",
+			name: "sentinel-pow-solver",
+			hooks: {
+				async onResponse(context) {
+					if (context.response.status !== 423 || !autoSolve) return context;
+					const challengeHeader = context.response.headers.get("X-PoW-Challenge");
+					const reason = context.response.headers.get("X-PoW-Reason") || "";
+					if (!challengeHeader) return context;
+					options?.onChallengeReceived?.(reason);
+					const challenge = decodePoWChallenge(challengeHeader);
+					if (!challenge) return context;
+					try {
+						const startTime = Date.now();
+						const solution = await solvePoWChallenge(challenge);
+						const solveTime = Date.now() - startTime;
+						options?.onChallengeSolved?.(solveTime);
+						const originalUrl = context.response.url;
+						const fingerprint = await runtime.getFingerprint();
+						const retryHeaders = new Headers();
+						retryHeaders.set("X-PoW-Solution", encodePoWSolution(solution));
+						if (fingerprint) {
+							retryHeaders.set("X-Visitor-Id", fingerprint.visitorId);
+							retryHeaders.set("X-Request-Id", fingerprint.requestId);
+						}
+						retryHeaders.set("Content-Type", "application/json");
+						let body;
+						if (context.request?.body) body = context.request._originalBody;
+						const retryResponse = await fetch(originalUrl, {
+							method: context.request?.method || "POST",
+							headers: retryHeaders,
+							body
+						});
+						return {
+							...context,
+							response: retryResponse
+						};
+					} catch (err) {
+						console.error("[Sentinel native] Failed to solve PoW challenge:", err);
+						options?.onChallengeFailed?.(err instanceof Error ? err : new Error(String(err)));
+						return context;
+					}
+				},
+				async onRequest(context) {
+					if (context.body) {
+						const ctx = context;
+						ctx._originalBody = context.body;
+					}
+					return context;
+				}
+			}
+		}]
+	};
+};
+//#endregion
+export { dashClient, sentinelNativeClient };

package/dist/pow-BUuN_EKw.mjs

@@ -0,0 +1,131 @@
+import "./constants-DdWGfvz1.mjs";
+//#region src/dash-client.ts
+function resolveDashUserId(input, options) {
+	return input.userId || options?.resolveUserId?.({
+		userId: input.userId,
+		user: input.user,
+		session: input.session
+	}) || input.user?.id || input.session?.user?.id || void 0;
+}
+const dashClient = (options) => {
+	return {
+		id: "dash",
+		getActions: ($fetch) => ({ dash: { getAuditLogs: async (input = {}) => {
+			const userId = resolveDashUserId(input, options);
+			return $fetch("/events/audit-logs", {
+				method: "GET",
+				query: {
+					limit: input.limit,
+					offset: input.offset,
+					organizationId: input.organizationId,
+					identifier: input.identifier,
+					eventType: input.eventType,
+					userId
+				}
+			});
+		} } }),
+		pathMethods: { "/events/audit-logs": "GET" }
+	};
+};
+//#endregion
+//#region src/crypto.ts
+function randomBytes(length) {
+	const bytes = new Uint8Array(length);
+	crypto.getRandomValues(bytes);
+	return bytes;
+}
+function bytesToHex(bytes) {
+	return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function hash(message) {
+	const msgBuffer = new TextEncoder().encode(message);
+	const hashBuffer = await crypto.subtle.digest("SHA-256", msgBuffer);
+	return bytesToHex(new Uint8Array(hashBuffer));
+}
+//#endregion
+//#region src/abort-signal.ts
+/**
+* Returns an AbortSignal that aborts after `ms`.
+* Uses `AbortSignal.timeout` when present; otherwise `AbortController` + `setTimeout`
+* for React Native / older runtimes where `.timeout` is missing.
+*/
+function timeout(ms) {
+	if (typeof AbortSignal.timeout === "function") return AbortSignal.timeout(ms);
+	const controller = new AbortController();
+	setTimeout(() => controller.abort(), ms);
+	return controller.signal;
+}
+//#endregion
+//#region src/identification-client.ts
+function generateRequestId() {
+	const hex = bytesToHex(randomBytes(16));
+	return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`;
+}
+async function identify(baseURL, payload, signal) {
+	const base = baseURL.replace(/\/$/, "");
+	await fetch(`${base}/identify`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(payload),
+		signal: signal ?? timeout(5e3)
+	});
+}
+//#endregion
+//#region src/sentinel/pow.ts
+function hasLeadingZeroBits(hash, bits) {
+	const fullHexChars = Math.floor(bits / 4);
+	const remainingBits = bits % 4;
+	for (let i = 0; i < fullHexChars; i++) if (hash[i] !== "0") return false;
+	if (remainingBits > 0 && fullHexChars < hash.length) {
+		if (parseInt(hash[fullHexChars], 16) > (1 << 4 - remainingBits) - 1) return false;
+	}
+	return true;
+}
+async function solvePoWChallenge(challenge) {
+	const { nonce, difficulty } = challenge;
+	let counter = 0;
+	while (true) {
+		if (hasLeadingZeroBits(await hash(`${nonce}:${counter}`), difficulty)) return {
+			nonce,
+			counter
+		};
+		counter++;
+		if (counter % 1e3 === 0) await new Promise((resolve) => setTimeout(resolve, 0));
+		if (counter > 1e8) throw new Error("PoW challenge took too long to solve");
+	}
+}
+function decodeBase64ToUtf8(encoded) {
+	if (typeof globalThis.atob === "function") return globalThis.atob(encoded);
+	throw new Error("[Sentinel] Base64 decode requires atob (browser, Hermes, or Bun)");
+}
+function encodeUtf8ToBase64(str) {
+	if (typeof globalThis.btoa === "function") return globalThis.btoa(str);
+	const bytes = new TextEncoder().encode(str);
+	const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+	let out = "";
+	for (let i = 0; i < bytes.length; i += 3) {
+		const b0 = bytes[i];
+		const b1 = bytes[i + 1] ?? 0;
+		const b2 = bytes[i + 2] ?? 0;
+		const triple = b0 << 16 | b1 << 8 | b2;
+		const pad = i + 2 >= bytes.length ? i + 1 >= bytes.length ? 2 : 1 : 0;
+		out += chars[triple >> 18 & 63];
+		out += chars[triple >> 12 & 63];
+		out += pad < 2 ? chars[triple >> 6 & 63] : "=";
+		out += pad < 1 ? chars[triple & 63] : "=";
+	}
+	return out;
+}
+function decodePoWChallenge(encoded) {
+	try {
+		const decoded = decodeBase64ToUtf8(encoded);
+		return JSON.parse(decoded);
+	} catch {
+		return null;
+	}
+}
+function encodePoWSolution(solution) {
+	return encodeUtf8ToBase64(JSON.stringify(solution));
+}
+//#endregion
+export { identify as a, dashClient as c, generateRequestId as i, encodePoWSolution as n, bytesToHex as o, solvePoWChallenge as r, hash as s, decodePoWChallenge as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/infra",
-  "version": "0.1.14",
+  "version": "0.2.1",
   "description": "Dashboard and analytics plugin for Better Auth",
   "type": "module",
   "main": "dist/index.mjs",
@@ -30,6 +30,11 @@
       "types": "./dist/email.d.mts",
       "import": "./dist/email.mjs",
       "default": "./dist/email.mjs"
+    },
+    "./native": {
+      "types": "./dist/native.d.mts",
+      "import": "./dist/native.mjs",
+      "default": "./dist/native.mjs"
     }
   },
   "files": [
@@ -62,8 +67,9 @@
     "@types/bun": "latest",
     "@types/node": "catalog:",
     "better-auth": "catalog:",
+    "expo-crypto": "^14.0.2",
     "happy-dom": "^20.8.9",
-    "msw": "^2.12.14",
+    "msw": "^2.13.0",
     "tsdown": "^0.21.1",
     "typescript": "catalog:",
     "zod": "catalog:"
@@ -78,6 +84,25 @@
     "better-auth": ">=1.4.0",
     "zod": ">=4.1.12",
     "@better-auth/core": ">=1.4.0",
-    "@better-auth/sso": ">=1.4.0"
+    "@better-auth/sso": ">=1.4.0",
+    "react-native": ">=0.74.0",
+    "@react-native-async-storage/async-storage": ">=1.21.0",
+    "expo-constants": ">=16.0.0",
+    "expo-crypto": ">=13.0.0",
+    "expo-device": ">=6.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@react-native-async-storage/async-storage": {
+      "optional": true
+    },
+    "expo-constants": {
+      "optional": true
+    },
+    "expo-crypto": {
+      "optional": true
+    },
+    "expo-device": {
+      "optional": true
+    }
   }
 }

package/dist/identification-DF2nvmng.mjs

@@ -1,178 +0,0 @@
-import { n as INFRA_KV_URL, r as KV_TIMEOUT_MS } from "./constants-DdWGfvz1.mjs";
-import { logger } from "better-auth";
-import { createAuthMiddleware } from "better-auth/api";
-//#region src/crypto.ts
-function randomBytes(length) {
-	const bytes = new Uint8Array(length);
-	crypto.getRandomValues(bytes);
-	return bytes;
-}
-function bytesToHex(bytes) {
-	return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-async function hash(message) {
-	const msgBuffer = new TextEncoder().encode(message);
-	const hashBuffer = await crypto.subtle.digest("SHA-256", msgBuffer);
-	return bytesToHex(new Uint8Array(hashBuffer));
-}
-//#endregion
-//#region src/identification.ts
-/**
-* Identification Service
-*
-* Fetches identification data from the durable-kv service
-* when a request includes an X-Request-Id header.
-*/
-const IDENTIFICATION_COOKIE_NAME = "__infra-rid";
-const identificationCache = /* @__PURE__ */ new Map();
-const CACHE_TTL_MS = 6e4;
-const CACHE_MAX_SIZE = 1e3;
-let lastCleanup = Date.now();
-function cleanupCache() {
-	const now = Date.now();
-	for (const [key, value] of identificationCache.entries()) if (now - value.timestamp > CACHE_TTL_MS) identificationCache.delete(key);
-	lastCleanup = now;
-}
-function maybeCleanup() {
-	if (Date.now() - lastCleanup > CACHE_TTL_MS || identificationCache.size > CACHE_MAX_SIZE) cleanupCache();
-}
-/**
-* Fetch identification data from durable-kv by requestId
-*/
-async function getIdentification(requestId, apiKey, kvUrl) {
-	maybeCleanup();
-	const cached = identificationCache.get(requestId);
-	if (cached && Date.now() - cached.timestamp < CACHE_TTL_MS) return cached.data;
-	const baseUrl = kvUrl || INFRA_KV_URL;
-	const maxRetries = 3;
-	const retryDelays = [
-		50,
-		100,
-		200
-	];
-	for (let attempt = 0; attempt <= maxRetries; attempt++) try {
-		const response = await fetch(`${baseUrl}/identify/${requestId}`, {
-			method: "GET",
-			headers: { "x-api-key": apiKey },
-			signal: AbortSignal.timeout(KV_TIMEOUT_MS)
-		});
-		if (response.ok) {
-			const data = await response.json();
-			identificationCache.set(requestId, {
-				data,
-				timestamp: Date.now()
-			});
-			return data;
-		}
-		if (response.status === 404 && attempt < maxRetries) {
-			await new Promise((resolve) => setTimeout(resolve, retryDelays[attempt]));
-			continue;
-		}
-		if (response.status !== 404) identificationCache.set(requestId, {
-			data: null,
-			timestamp: Date.now()
-		});
-		return null;
-	} catch (error) {
-		if (attempt === maxRetries) {
-			logger.error("[Dash] Failed to fetch identification:", error);
-			return null;
-		}
-		await new Promise((resolve) => setTimeout(resolve, retryDelays[attempt] || 50));
-	}
-	return null;
-}
-function generateRequestId() {
-	const hex = bytesToHex(randomBytes(16));
-	return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`;
-}
-async function identify(baseURL, payload, signal) {
-	const base = baseURL.replace(/\/$/, "");
-	await fetch(`${base}/identify`, {
-		method: "POST",
-		headers: { "Content-Type": "application/json" },
-		body: JSON.stringify(payload),
-		signal: signal ?? AbortSignal.timeout(5e3)
-	});
-}
-/**
-* Extract identification headers from a request
-*/
-function extractIdentificationHeaders(request) {
-	if (!request) return {
-		visitorId: null,
-		requestId: null
-	};
-	return {
-		visitorId: request.headers.get("X-Visitor-Id"),
-		requestId: request.headers.get("X-Request-Id")
-	};
-}
-/**
-* Early middleware that loads identification data
-*/
-function createIdentificationMiddleware(options) {
-	return createAuthMiddleware(async (ctx) => {
-		const { visitorId, requestId: headerRequestId } = extractIdentificationHeaders(ctx.request);
-		const requestId = headerRequestId ?? ctx.getCookie("__infra-rid") ?? null;
-		ctx.context.visitorId = visitorId;
-		ctx.context.requestId = requestId;
-		if (requestId) ctx.context.identification = ctx.context.identification ?? await getIdentification(requestId, options.apiKey, options.kvUrl) ?? null;
-		else ctx.context.identification = null;
-		const ipConfig = ctx.context.options?.advanced?.ipAddress;
-		if (ipConfig?.disableIpTracking === true) {
-			ctx.context.location = void 0;
-			return;
-		}
-		const identification = ctx.context.identification;
-		if (requestId && identification) {
-			const loc = getLocation(identification);
-			ctx.context.location = {
-				ipAddress: identification.ip || void 0,
-				city: loc?.city || void 0,
-				country: loc?.country?.name || void 0,
-				countryCode: loc?.country?.code || void 0
-			};
-			return;
-		}
-		const ipAddress = getClientIpFromRequest(ctx.request, ipConfig?.ipAddressHeaders || null);
-		const countryCode = getCountryCodeFromRequest(ctx.request);
-		if (ipAddress || countryCode) {
-			ctx.context.location = {
-				ipAddress,
-				countryCode
-			};
-			return;
-		}
-		ctx.context.location = void 0;
-	});
-}
-/**
-* Get the visitor's location
-*/
-function getLocation(identification) {
-	if (!identification) return null;
-	return identification.location;
-}
-function getClientIpFromRequest(request, ipAddressHeaders) {
-	if (!request) return void 0;
-	const headers = ipAddressHeaders?.length ? ipAddressHeaders : [
-		"cf-connecting-ip",
-		"x-forwarded-for",
-		"x-real-ip",
-		"x-vercel-forwarded-for"
-	];
-	for (const headerName of headers) {
-		const value = request.headers.get(headerName);
-		if (!value) continue;
-		const ip = value.split(",")[0]?.trim();
-		if (ip) return ip;
-	}
-}
-function getCountryCodeFromRequest(request) {
-	if (!request) return void 0;
-	const cc = request.headers.get("cf-ipcountry") ?? request.headers.get("x-vercel-ip-country");
-	return cc ? cc.toUpperCase() : void 0;
-}
-//#endregion
-export { hash as a, identify as i, createIdentificationMiddleware as n, generateRequestId as r, IDENTIFICATION_COOKIE_NAME as t };