@checkstack/auth-backend 0.4.9 → 0.4.11

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @checkstack/auth-backend
 
+## 0.4.11
+
+### Patch Changes
+
+- 67158e2: Standardize package metadata, unify AJV versions to 8.18.0, and enforce monorepo architecture rules via updated ESLint configuration. This ensures consistent package discovery and runtime dependency safety across the platform.
+- b839ccb: Security: Hardened production Docker image by upgrading Alpine system libraries, migrating to Drizzle beta (v1.0.0-beta.21), and implementing aggressive binary pruning to eliminate vulnerable build-time tools (esbuild/drizzle-kit).
+- Updated dependencies [67158e2]
+  - @checkstack/auth-common@0.5.7
+  - @checkstack/backend-api@0.8.2
+  - @checkstack/command-backend@0.1.13
+  - @checkstack/common@0.6.4
+  - @checkstack/notification-common@0.2.7
+
+## 0.4.10
+
+### Patch Changes
+
+- eb353a4: Fix TypeError in better-auth initialization when LDAP or SAML strategies are enabled. Non-social strategies are now correctly filtered out from the socialProviders configuration, and standard social providers (GitHub) are correctly initialized using their respective factory functions.
+
 ## 0.4.9
 
 ### Patch Changes

package/package.json

@@ -1,8 +1,11 @@
 {
   "name": "@checkstack/auth-backend",
-  "version": "0.4.9",
+  "version": "0.4.11",
   "type": "module",
   "main": "src/index.ts",
+  "checkstack": {
+    "type": "backend"
+  },
   "scripts": {
     "typecheck": "tsc --noEmit",
     "generate": "drizzle-kit generate",
@@ -11,24 +14,23 @@
     "test": "bun test"
   },
   "dependencies": {
-    "@checkstack/auth-common": "0.5.5",
-    "@checkstack/backend-api": "0.8.0",
-    "@checkstack/notification-common": "0.2.5",
-    "@checkstack/command-backend": "0.1.11",
+    "@checkstack/auth-common": "0.5.6",
+    "@checkstack/backend-api": "0.8.1",
+    "@checkstack/notification-common": "0.2.6",
+    "@checkstack/command-backend": "0.1.12",
     "better-auth": "^1.4.7",
-    "drizzle-orm": "^0.45.1",
-    "hono": "^4.0.0",
+    "drizzle-orm": "^0.45.0",
+    "hono": "^4.12.14",
     "jose": "^6.1.3",
     "zod": "^4.2.1",
-    "@checkstack/common": "0.6.2"
+    "@checkstack/common": "0.6.3",
+    "@orpc/server": "^1.13.2"
   },
   "devDependencies": {
     "@checkstack/drizzle-helper": "0.0.3",
     "@checkstack/scripts": "0.1.1",
     "@checkstack/tsconfig": "0.0.3",
-    "@orpc/server": "^1.13.2",
     "@types/node": "^20.0.0",
-    "drizzle-kit": "^0.31.8",
     "typescript": "^5.0.0"
   }
 }

package/src/index.ts

@@ -1,4 +1,5 @@
 import { betterAuth } from "better-auth";
+import * as socialProviderFactories from "better-auth/social-providers";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { APIError } from "better-auth/api";
 import {
@@ -19,7 +20,7 @@ import { NotificationApi } from "@checkstack/notification-common";
 import * as schema from "./schema";
 import { eq, inArray } from "drizzle-orm";
 import { SafeDatabase } from "@checkstack/backend-api";
-import { User } from "better-auth/types";
+import { BetterAuthOptions, User } from "better-auth/types";
 import { verifyPassword } from "better-auth/crypto";
 import { createExtensionPoint } from "@checkstack/backend-api";
 import { enrichUser } from "./utils/user";
@@ -515,10 +516,23 @@ export default createBackendPlugin({
                 strategy.id
               }: ${Object.keys(strategyConfig || {}).join(", ")}`,
             );
-            socialProviders[strategy.id] = strategyConfig;
-            logger.debug(
-              `[auth-backend]    -> ✅ Added ${strategy.id} to socialProviders`,
-            );
+
+            const providerFactory = (
+              socialProviderFactories as Record<string, unknown>
+            )[strategy.id];
+
+            if (typeof providerFactory === "function") {
+              socialProviders[strategy.id] = (
+                providerFactory as (options: unknown) => unknown
+              )(strategyConfig);
+              logger.debug(
+                `[auth-backend]    -> ✅ Added ${strategy.id} to socialProviders`,
+              );
+            } else {
+              logger.debug(
+                `[auth-backend]    -> Strategy ${strategy.id} is not a standard social provider, skipping better-auth registration`,
+              );
+            }
           }
 
           // Check if credential strategy is enabled from meta config
@@ -550,7 +564,7 @@ export default createBackendPlugin({
             } social providers: ${Object.keys(socialProviders).join(", ")}`,
           );
 
-          return betterAuth({
+          const authOptions: BetterAuthOptions = {
             database: drizzleAdapter(database, {
               provider: "pg",
               schema: { ...schema },
@@ -572,10 +586,13 @@ export default createBackendPlugin({
                 const resetToken = parsedUrl.searchParams.get("token");
                 if (!resetToken) {
                   throw new APIError("BAD_REQUEST", {
-                    message: "Malformed password reset URL: missing token parameter",
+                    message:
+                      "Malformed password reset URL: missing token parameter",
                   });
                 }
-                const resetUrl = `${frontendUrl}/auth/reset-password?token=${encodeURIComponent(resetToken)}`;
+                const resetUrl = `${frontendUrl}/auth/reset-password?token=${encodeURIComponent(
+                  resetToken,
+                )}`;
 
                 void notificationClient.sendTransactional({
                   userId: user.id,
@@ -634,7 +651,9 @@ export default createBackendPlugin({
                 },
               },
             },
-          });
+          };
+
+          return betterAuth(authOptions);
         };
 
         // Initialize better-auth