npm - @cfast/auth - Versions diffs - 0.0.1 → 0.1.0 - Mend

@cfast/auth 0.0.1 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
-import { a as AuthConfig, b as AuthEnvConfig, c as AuthInstance } from './types-ghXti5CW.js';
-export { d as AuthContext, A as AuthUser, e as AuthenticatedContext } from './types-ghXti5CW.js';
-import '@cfast/permissions';
+import { a as AuthConfig, b as AuthEnvConfig, c as AuthInstance, A as AuthUser } from './types-ghXti5CW.js';
+export { d as AuthContext, e as AuthenticatedContext } from './types-ghXti5CW.js';
+import { Grant } from '@cfast/permissions';
 /**
  * Creates a pre-configured auth factory for Cloudflare Workers.
@@ -164,4 +164,43 @@ declare function createAuthRouteHandlers(getAuth: () => AuthInstance): {
     }) => Promise<Response>;
 };
-export { AuthConfig, AuthEnvConfig, AuthInstance, createAuth, createAuthRouteHandlers, createImpersonationManager, createRoleManager };
+/**
+ * Adapter type matching @cfast/admin's AdminAuthConfig interface.
+ * Duplicated here to avoid a circular dependency on @cfast/admin.
+ */
+type AdminAuthBridge = {
+    requireUser(request: Request): Promise<{
+        user: AuthUser;
+        grants: Grant[];
+    }>;
+    hasRole(user: {
+        roles: string[];
+    }, role: string): boolean;
+    getRoles(userId: string): Promise<string[]>;
+    setRole(userId: string, role: string): Promise<void>;
+    removeRole(userId: string, role: string): Promise<void>;
+    setRoles(userId: string, roles: string[]): Promise<void>;
+};
+/**
+ * Creates an admin auth adapter from a cfast auth instance factory.
+ *
+ * Replaces ~150 lines of manual adapter boilerplate with a single call.
+ * The factory is called per-operation to ensure fresh env bindings on Workers.
+ *
+ * @param getAuth - Factory that returns an initialized AuthInstance.
+ * @returns An object satisfying `@cfast/admin`'s `AdminAuthConfig` interface.
+ *
+ * @example
+ * ```ts
+ * import { createAdminAuth } from "@cfast/auth";
+ *
+ * const auth = createAdminAuth(() =>
+ *   initAuth({ d1: env.get().DB, appUrl: env.get().APP_URL })
+ * );
+ *
+ * const admin = createAdmin({ auth, db: createDbForAdmin, schema });
+ * ```
+ */
+declare function createAdminAuth(getAuth: () => AuthInstance): AdminAuthBridge;
+export { AuthConfig, AuthEnvConfig, AuthInstance, AuthUser, createAdminAuth, createAuth, createAuthRouteHandlers, createImpersonationManager, createRoleManager };

package/dist/index.js CHANGED Viewed

@@ -252,7 +252,33 @@ function createAuthRouteHandlers(getAuth) {
   }
   return { loader: handleRequest, action: handleRequest };
 }
+// src/admin-auth.ts
+function createAdminAuth(getAuth) {
+  return {
+    async requireUser(request) {
+      const ctx = await getAuth().requireUser(request);
+      return { user: ctx.user, grants: ctx.grants };
+    },
+    hasRole(user, role) {
+      return user.roles.includes(role);
+    },
+    async getRoles(userId) {
+      return getAuth().getRoles(userId);
+    },
+    async setRole(userId, role) {
+      await getAuth().setRole(userId, role);
+    },
+    async removeRole(userId, role) {
+      await getAuth().removeRole(userId, role);
+    },
+    async setRoles(userId, roles) {
+      await getAuth().setRoles(userId, roles);
+    }
+  };
+}
 export {
+  createAdminAuth,
   createAuth,
   createAuthRouteHandlers,
   createImpersonationManager,

package/llms.txt ADDED Viewed

@@ -0,0 +1,188 @@
+# @cfast/auth
+> Authentication for Cloudflare Workers: magic email links, passkeys, roles, impersonation. Built on Better Auth.
+## When to use
+Use `@cfast/auth` to add authentication to a cfast app. It handles login (magic link + passkeys), session management, role assignment, and user impersonation. It produces the `user` and `grants` objects that `@cfast/db` needs for permission-aware queries.
+## Key concepts
+- **Two-phase initialization.** `createAuth(config)` returns an `initAuth` factory. Call `initAuth({ d1, appUrl })` per-request to get an `AuthInstance`.
+- **Roles bridge auth and permissions.** Auth assigns roles to users. `@cfast/permissions` defines what roles can do. The `grants` from auth feed directly into `createDb()`.
+- **Cookie-based redirect-back.** Unauthenticated users get a `cfast_redirect_to` cookie before redirecting to `/login`. After login, the cookie restores their intended destination.
+## API Reference
+### Server: createAuth(config) => initAuth
+```typescript
+import { createAuth } from "@cfast/auth";
+export const initAuth = createAuth({
+  permissions: Permissions,            // from definePermissions()
+  magicLink?: {
+    sendMagicLink: (params: { email: string; url: string }) => Promise<void>,
+  },
+  passkeys?: { rpName: string; rpId: string },
+  session?: { expiresIn?: string },    // e.g. "30d"
+  redirects?: { afterLogin?: string; loginPath?: string },
+  anonymousRoles?: string[],
+  defaultRoles?: string[],             // default: ["reader"]
+  roleGrants?: Record<string, string[]>,  // who can assign which roles
+  impersonation?: { allowedRoles?: string[] },
+  templates?: { magicLink?: (props: { url: string; email: string }) => string },
+});
+```
+### initAuth(env) => AuthInstance
+```typescript
+const auth: AuthInstance = initAuth({ d1: env.DB, appUrl: "https://myapp.com" });
+```
+### AuthInstance methods
+```typescript
+auth.createContext(request): Promise<AuthContext>
+// { user: AuthUser | null, grants: Grant[] }
+auth.requireUser(request): Promise<AuthenticatedContext>
+// { user: AuthUser, grants: Grant[] }  -- throws 302 redirect if not authenticated
+auth.getRoles(userId): Promise<string[]>
+auth.setRole(userId, role, caller?): Promise<void>
+auth.setRoles(userId, roles, caller?): Promise<void>
+auth.removeRole(userId, role): Promise<void>
+auth.impersonate(adminUserId, targetUserId): Promise<void>
+auth.stopImpersonating(adminUserId): Promise<void>
+auth.sendMagicLink({ email, callbackURL? }): Promise<void>
+auth.handler(request): Promise<Response>   // forwards to Better Auth
+```
+### AuthUser type
+```typescript
+type AuthUser = {
+  id: string;
+  email: string;
+  name: string;
+  avatarUrl: string | null;
+  roles: string[];
+  isImpersonating?: boolean;
+  realUser?: { id: string; name: string };
+};
+```
+### createAdminAuth(getAuth): AdminAuthBridge
+```typescript
+import { createAdminAuth } from "@cfast/auth";
+function createAdminAuth(getAuth: () => AuthInstance): AdminAuthBridge
+```
+Creates an admin auth adapter from a cfast auth instance factory. Replaces ~150 lines of manual adapter boilerplate with a single call. The factory is called per-operation to ensure fresh env bindings on Workers.
+Returns an object satisfying `@cfast/admin`'s `AdminAuthConfig` interface with: `requireUser`, `hasRole`, `getRoles`, `setRole`, `removeRole`, `setRoles`.
+```typescript
+const auth = createAdminAuth(() =>
+  initAuth({ d1: env.get().DB, appUrl: env.get().APP_URL })
+);
+const admin = createAdmin({ auth, db: createDbForAdmin, schema });
+```
+### Client exports (`@cfast/auth/client`)
+```typescript
+// Providers
+<AuthClientProvider authClient={authClient}>   // wraps app root
+<AuthProvider user={user}>                      // wraps layout routes
+<AuthGuard user={user}>                         // layout component, provides user to children
+// Hooks
+useCurrentUser(): AuthUser | null              // user from nearest AuthGuard/AuthProvider
+useAuth(): UseAuthReturn                       // { signOut, registerPasskey, deletePasskey, stopImpersonating, authClient }
+// Login
+<LoginPage authClient={authClient} components? title? subtitle? />
+createAuthClient(): AuthClientInstance
+```
+### LoginComponents slots
+```typescript
+type LoginComponents = {
+  Layout?, EmailInput?, PasskeyButton?, MagicLinkButton?,
+  SuccessMessage?, ErrorMessage?,
+};
+```
+### Route plugin (`@cfast/auth/plugin`)
+```typescript
+import { authRoutes } from "@cfast/auth/plugin";
+// In routes.ts:
+export default [...authRoutes({ handlerFile: "routes/auth.$.tsx" }), ...otherRoutes];
+```
+### Schema (`@cfast/auth/schema`)
+Drizzle tables: `user`, `session`, `passkey`, `role`, `impersonation_log`.
+## Usage Examples
+### Protect a layout route
+```typescript
+// routes/_protected.tsx
+import { AuthGuard } from "@cfast/auth/client";
+export async function loader({ request, context }) {
+  const auth = initAuth({ d1: context.env.DB, appUrl: context.env.APP_URL });
+  const { user, grants } = await auth.requireUser(request);
+  return { user };
+}
+export default function ProtectedLayout() {
+  const { user } = useLoaderData<typeof loader>();
+  return <AuthGuard user={user}><Outlet /></AuthGuard>;
+}
+```
+### Auth -> Db flow in a loader
+```typescript
+export async function loader({ request, context }) {
+  const auth = initAuth({ d1: context.env.DB, appUrl: context.env.APP_URL });
+  const { user, grants } = await auth.requireUser(request);
+  const db = createDb({ d1: context.env.DB, schema, grants, user });
+  const posts = await db.query(postsTable).findMany().run({});
+  return { user, posts };
+}
+```
+### Role management
+```typescript
+await auth.setRole(userId, "editor");
+await auth.setRoles(userId, ["editor", "moderator"]);
+await auth.removeRole(userId, "editor");
+```
+## Integration
+- **@cfast/permissions** -- `createAuth({ permissions })` takes the permissions config. Roles defined in permissions are the same roles assigned to users. `auth.requireUser()` returns `grants` resolved from the user's roles.
+- **@cfast/db** -- Pass `{ user, grants }` from `auth.requireUser()` directly to `createDb()`. Role changes via `auth.setRole()` take effect on the next request.
+- **@cfast/ui/joy** -- Provides `joyLoginComponents` for Joy UI styled login page slots.
+## Common Mistakes
+- **Calling `createAuth()` per-request** -- `createAuth()` is called once at module level. Only `initAuth()` is called per-request with the D1 binding.
+- **Forgetting to add auth routes** -- The magic link callback and passkey endpoints need `authRoutes()` in your `routes.ts`.
+- **Using `unsafe()` instead of roles for admin** -- Admins should have a proper role with grants, not bypass permissions entirely.
+- **Not wrapping the app with `AuthClientProvider`** -- `useAuth()` and `LoginPage` require the provider at the app root.

package/package.json CHANGED Viewed

@@ -1,7 +1,14 @@
 {
   "name": "@cfast/auth",
-  "version": "0.0.1",
+  "version": "0.1.0",
   "description": "Authentication for Cloudflare Workers: magic email, passkeys, roles, and impersonation",
+  "keywords": [
+    "cfast",
+    "cloudflare-workers",
+    "authentication",
+    "passkeys",
+    "magic-link"
+  ],
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -30,19 +37,27 @@
     }
   },
   "files": [
-    "dist"
+    "dist",
+    "llms.txt"
   ],
   "sideEffects": false,
   "publishConfig": {
     "access": "public"
   },
+  "scripts": {
+    "build": "tsup src/index.ts src/client.ts src/plugin.ts src/schema.ts --format esm --dts",
+    "dev": "tsup src/index.ts src/client.ts src/plugin.ts src/schema.ts --format esm --dts --watch",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint src/"
+  },
   "peerDependencies": {
     "better-auth": ">=1",
     "drizzle-orm": ">=0.35",
     "react": ">=18"
   },
   "dependencies": {
-    "@cfast/permissions": "0.0.1"
+    "@cfast/permissions": "workspace:*"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20260305.1",
@@ -55,12 +70,5 @@
     "tsup": "^8",
     "typescript": "^5.7",
     "vitest": "^4.1.0"
-  },
-  "scripts": {
-    "build": "tsup src/index.ts src/client.ts src/plugin.ts src/schema.ts --format esm --dts",
-    "dev": "tsup src/index.ts src/client.ts src/plugin.ts src/schema.ts --format esm --dts --watch",
-    "test": "vitest run",
-    "typecheck": "tsc --noEmit",
-    "lint": "eslint src/"
   }
-}
+}

package/LICENSE DELETED Viewed

@@ -1,21 +0,0 @@
-MIT License
-Copyright (c) 2026 Daniel Schmidt
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

package/dist/types-19GeiMs4.d.ts DELETED Viewed

@@ -1,64 +0,0 @@
-import { Permissions, Grant } from '@cfast/permissions';
-type AuthUser = {
-    id: string;
-    email: string;
-    name: string;
-    avatarUrl: string | null;
-    roles: string[];
-    isImpersonating?: boolean;
-    realUser?: {
-        id: string;
-        name: string;
-    };
-};
-type AuthContext = {
-    user: AuthUser | null;
-    grants: Grant[];
-};
-type AuthenticatedContext = {
-    user: AuthUser;
-    grants: Grant[];
-};
-type AuthConfig = {
-    permissions: Permissions;
-    schema?: Record<string, unknown>;
-    passkeys?: {
-        rpName: string;
-        rpId: string;
-    };
-    magicLink?: {
-        sendMagicLink: (params: {
-            email: string;
-            url: string;
-        }) => Promise<void>;
-    };
-    session?: {
-        expiresIn?: string;
-    };
-    redirects?: {
-        afterLogin?: string;
-        loginPath?: string;
-    };
-    anonymousRoles?: string[];
-    defaultRoles?: string[];
-    roleTableName?: string;
-};
-type AuthEnvConfig = {
-    d1: D1Database;
-    appUrl: string;
-};
-type AuthInstance = {
-    createContext: (request: Request) => Promise<AuthContext>;
-    requireUser: (request: Request) => Promise<AuthenticatedContext>;
-    getRoles: (userId: string) => Promise<string[]>;
-    setRole: (userId: string, role: string) => Promise<void>;
-    setRoles: (userId: string, roles: string[]) => Promise<void>;
-    removeRole: (userId: string, role: string) => Promise<void>;
-    /** Handle auth API requests (forwards to Better Auth) */
-    handler: (request: Request) => Promise<Response>;
-    /** The underlying Better Auth instance */
-    api: unknown;
-};
-export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-8eZilolN.d.ts DELETED Viewed

@@ -1,63 +0,0 @@
-import { Permissions, Grant } from '@cfast/permissions';
-type AuthUser = {
-    id: string;
-    email: string;
-    name: string;
-    avatarUrl: string | null;
-    roles: string[];
-    isImpersonating?: boolean;
-    realUser?: {
-        id: string;
-        name: string;
-    };
-};
-type AuthContext = {
-    user: AuthUser | null;
-    grants: Grant[];
-};
-type AuthenticatedContext = {
-    user: AuthUser;
-    grants: Grant[];
-};
-type AuthConfig = {
-    permissions: Permissions;
-    schema?: Record<string, unknown>;
-    passkeys?: {
-        rpName: string;
-        rpId: string;
-    };
-    magicLink?: {
-        sendMagicLink: (params: {
-            email: string;
-            url: string;
-        }) => Promise<void>;
-    };
-    session?: {
-        expiresIn?: string;
-    };
-    redirects?: {
-        afterLogin?: string;
-        loginPath?: string;
-    };
-    anonymousRoles?: string[];
-    defaultRoles?: string[];
-};
-type AuthEnvConfig = {
-    d1: D1Database;
-    appUrl: string;
-};
-type AuthInstance = {
-    createContext: (request: Request) => Promise<AuthContext>;
-    requireUser: (request: Request) => Promise<AuthenticatedContext>;
-    getRoles: (userId: string) => Promise<string[]>;
-    setRole: (userId: string, role: string) => Promise<void>;
-    setRoles: (userId: string, roles: string[]) => Promise<void>;
-    removeRole: (userId: string, role: string) => Promise<void>;
-    /** Handle auth API requests (forwards to Better Auth) */
-    handler: (request: Request) => Promise<Response>;
-    /** The underlying Better Auth instance */
-    api: unknown;
-};
-export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-DZ7AeznW.d.ts DELETED Viewed

@@ -1,74 +0,0 @@
-import { Permissions, Grant } from '@cfast/permissions';
-type AuthUser = {
-    id: string;
-    email: string;
-    name: string;
-    avatarUrl: string | null;
-    roles: string[];
-    isImpersonating?: boolean;
-    realUser?: {
-        id: string;
-        name: string;
-    };
-};
-type AuthContext = {
-    user: AuthUser | null;
-    grants: Grant[];
-};
-type AuthenticatedContext = {
-    user: AuthUser;
-    grants: Grant[];
-};
-type AuthConfig = {
-    permissions: Permissions;
-    schema?: Record<string, unknown>;
-    passkeys?: {
-        rpName: string;
-        rpId: string;
-    };
-    magicLink?: {
-        sendMagicLink: (params: {
-            email: string;
-            url: string;
-        }) => Promise<void>;
-    };
-    session?: {
-        expiresIn?: string;
-    };
-    redirects?: {
-        afterLogin?: string;
-        loginPath?: string;
-    };
-    anonymousRoles?: string[];
-    defaultRoles?: string[];
-    roleTableName?: string;
-    roleGrants?: Record<string, string[]>;
-    impersonation?: {
-        allowedRoles?: string[];
-    };
-};
-type AuthEnvConfig = {
-    d1: D1Database;
-    appUrl: string;
-};
-type AuthInstance = {
-    createContext: (request: Request) => Promise<AuthContext>;
-    requireUser: (request: Request) => Promise<AuthenticatedContext>;
-    getRoles: (userId: string) => Promise<string[]>;
-    setRole: (userId: string, role: string, caller?: {
-        callerRoles?: string[];
-    }) => Promise<void>;
-    setRoles: (userId: string, roles: string[], caller?: {
-        callerRoles?: string[];
-    }) => Promise<void>;
-    removeRole: (userId: string, role: string) => Promise<void>;
-    impersonate: (adminUserId: string, targetUserId: string) => Promise<void>;
-    stopImpersonating: (adminUserId: string) => Promise<void>;
-    /** Handle auth API requests (forwards to Better Auth) */
-    handler: (request: Request) => Promise<Response>;
-    /** The underlying Better Auth instance */
-    api: unknown;
-};
-export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-DdbPIOVK.d.ts DELETED Viewed

@@ -1,85 +0,0 @@
-import { Permissions, Grant } from '@cfast/permissions';
-type AuthUser = {
-    id: string;
-    email: string;
-    name: string;
-    avatarUrl: string | null;
-    roles: string[];
-    isImpersonating?: boolean;
-    realUser?: {
-        id: string;
-        name: string;
-    };
-};
-type AuthContext = {
-    user: AuthUser | null;
-    grants: Grant[];
-};
-type AuthenticatedContext = {
-    user: AuthUser;
-    grants: Grant[];
-};
-type AuthConfig = {
-    permissions: Permissions;
-    schema?: Record<string, unknown>;
-    passkeys?: {
-        rpName: string;
-        rpId: string;
-    };
-    magicLink?: {
-        sendMagicLink: (params: {
-            email: string;
-            url: string;
-        }) => Promise<void>;
-    };
-    session?: {
-        expiresIn?: string;
-    };
-    redirects?: {
-        afterLogin?: string;
-        loginPath?: string;
-    };
-    anonymousRoles?: string[];
-    defaultRoles?: string[];
-    roleTableName?: string;
-    roleGrants?: Record<string, string[]>;
-    impersonation?: {
-        allowedRoles?: string[];
-    };
-    templates?: {
-        magicLink?: (props: {
-            url: string;
-            email: string;
-        }) => string;
-    };
-};
-type AuthEnvConfig = {
-    d1: D1Database;
-    appUrl: string;
-};
-type AuthInstance = {
-    createContext: (request: Request) => Promise<AuthContext>;
-    requireUser: (request: Request) => Promise<AuthenticatedContext>;
-    getRoles: (userId: string) => Promise<string[]>;
-    setRole: (userId: string, role: string, caller?: {
-        callerRoles?: string[];
-    }) => Promise<void>;
-    setRoles: (userId: string, roles: string[], caller?: {
-        callerRoles?: string[];
-    }) => Promise<void>;
-    removeRole: (userId: string, role: string) => Promise<void>;
-    impersonate: (adminUserId: string, targetUserId: string) => Promise<void>;
-    stopImpersonating: (adminUserId: string) => Promise<void>;
-    /** Send a magic link email to the given address */
-    sendMagicLink: (params: {
-        email: string;
-        callbackURL?: string;
-    }) => Promise<void>;
-    /** Handle auth API requests (forwards to Better Auth) */
-    handler: (request: Request) => Promise<Response>;
-    /** The underlying Better Auth instance */
-    api: unknown;
-};
-export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-DrnTPiku.d.ts DELETED Viewed

@@ -1,62 +0,0 @@
-import { Permissions, Grant } from '@cfast/permissions';
-type AuthUser = {
-    id: string;
-    email: string;
-    name: string;
-    avatarUrl: string | null;
-    roles: string[];
-    isImpersonating?: boolean;
-    realUser?: {
-        id: string;
-        name: string;
-    };
-};
-type AuthContext = {
-    user: AuthUser | null;
-    grants: Grant[];
-};
-type AuthenticatedContext = {
-    user: AuthUser;
-    grants: Grant[];
-};
-type AuthConfig = {
-    permissions: Permissions;
-    passkeys?: {
-        rpName: string;
-        rpId: string;
-    };
-    magicLink?: {
-        sendMagicLink: (params: {
-            email: string;
-            url: string;
-        }) => Promise<void>;
-    };
-    session?: {
-        expiresIn?: string;
-    };
-    redirects?: {
-        afterLogin?: string;
-        loginPath?: string;
-    };
-    anonymousRoles?: string[];
-    defaultRoles?: string[];
-};
-type AuthEnvConfig = {
-    d1: D1Database;
-    appUrl: string;
-};
-type AuthInstance = {
-    createContext: (request: Request) => Promise<AuthContext>;
-    requireUser: (request: Request) => Promise<AuthenticatedContext>;
-    getRoles: (userId: string) => Promise<string[]>;
-    setRole: (userId: string, role: string) => Promise<void>;
-    setRoles: (userId: string, roles: string[]) => Promise<void>;
-    removeRole: (userId: string, role: string) => Promise<void>;
-    /** Handle auth API requests (forwards to Better Auth) */
-    handler: (request: Request) => Promise<Response>;
-    /** The underlying Better Auth instance */
-    api: unknown;
-};
-export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };