@checkstack/auth-common 0.5.7 → 0.6.1

package/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @checkstack/auth-common
 
+## 0.6.1
+
+### Patch Changes
+
+- Updated dependencies [d1a2796]
+  - @checkstack/common@0.6.5
+
+## 0.6.0
+
+### Minor Changes
+
+- c0c0ed2: Introduce generic "Login Flows" to allow authentication strategies to define their own interaction patterns (form, redirect, or oauth) during registration. This fixes an issue where LDAP login attempts were incorrectly routed through the standard social login flow by instead providing a dedicated credential collection form for LDAP.
+
+### Patch Changes
+
+- c0c0ed2: Refactor manual session creation to use a secure, bridged oRPC endpoint. This ensures that custom authentication strategies (LDAP, SAML) leverage Better-Auth's native session establishment utilities, including cryptographic signing and reliable cookie attribute management.
+
 ## 0.5.7
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-common",
-  "version": "0.5.7",
+  "version": "0.6.1",
   "type": "module",
   "exports": {
     ".": {
@@ -9,14 +9,14 @@
     }
   },
   "dependencies": {
-    "@checkstack/common": "0.6.3",
+    "@checkstack/common": "0.6.4",
     "@orpc/contract": "^1.13.14",
     "zod": "^4.0.0"
   },
   "devDependencies": {
-    "@checkstack/tsconfig": "0.0.3",
+    "@checkstack/tsconfig": "0.0.5",
     "typescript": "^5.7.2",
-    "@checkstack/scripts": "0.1.1"
+    "@checkstack/scripts": "0.1.2"
   },
   "scripts": {
     "typecheck": "tsc --noEmit",

package/src/rpc-contract.ts

@@ -45,9 +45,28 @@ const EnabledStrategyDtoSchema = z.object({
   id: z.string(),
   displayName: z.string(),
   description: z.string().optional(),
-  type: z.enum(["credential", "social"]),
+  type: z.enum(["credential", "social", "ldap", "saml"]), // Kept for backward compatibility, but we should use clientFlow
   icon: lucideIconSchema.optional(),
   requiresManualRegistration: z.boolean(),
+  clientFlow: z
+    .discriminatedUnion("type", [
+      z.object({ type: z.literal("oauth") }),
+      z.object({ type: z.literal("redirect"), target: z.string() }),
+      z.object({
+        type: z.literal("form"),
+        target: z.string(),
+        fields: z.array(
+          z.object({
+            name: z.string(),
+            label: z.string(),
+            type: z.enum(["text", "password"]),
+            placeholder: z.string().optional(),
+          }),
+        ),
+      }),
+      z.object({ type: z.literal("credential") }),
+    ])
+    .optional(),
 });
 
 const RegistrationStatusSchema = z.object({
@@ -81,8 +100,8 @@ const UpsertExternalUserOutputSchema = z.object({
 
 const CreateSessionInputSchema = z.object({
   userId: z.string(),
-  token: z.string(),
-  expiresAt: z.coerce.date(),
+  ipAddress: z.string().optional().nullable(),
+  userAgent: z.string().optional().nullable(),
 });
 
 const CreateCredentialUserInputSchema = z.object({
@@ -337,7 +356,7 @@ export const authContract = {
     access: [],
   })
     .input(CreateSessionInputSchema)
-    .output(z.object({ sessionId: z.string() })),
+    .output(z.object({ sessionId: z.string(), setCookie: z.string() })),
 
   getUserById: proc({
     operationType: "query",
@@ -669,6 +688,12 @@ export const authContract = {
   })
     .input(z.object({ resourceType: z.string(), resourceId: z.string() }))
     .output(z.void()),
+
+  getOwnStrategyConfig: proc({
+    operationType: "query",
+    userType: "service",
+    access: [],
+  }).output(z.object({ config: z.record(z.string(), z.unknown()) })),
 };
 
 // Export contract type