@classytic/arc 2.11.3 → 2.13.1

package/dist/auth/index.mjs

@@ -1,7 +1,7 @@
-import { _ as requireTeamMembership, m as requireOrgRole, p as requireOrgMembership } from "../permissions-gd_aUWrR.mjs";
-import { n as normalizeRoles, t as getUserRoles } from "../types-DV9WDfeg.mjs";
-import { t as ArcError } from "../errors-D5c-5BJL.mjs";
-import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-DwxtK3uG.mjs";
+import { d as createDomainError, l as UnauthorizedError, p as isArcError, t as ArcError } from "../errors-j4aJm1Wg.mjs";
+import { _ as requireOrgMembership, v as requireOrgRole, x as requireTeamMembership } from "../permissions-ohQyv50e.mjs";
+import { n as normalizeRoles, t as getUserRoles } from "../types-D57iXYb8.mjs";
+import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi--M_i87dQ.mjs";
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/auth/authPlugin.ts
@@ -88,17 +88,17 @@ const authPlugin = async (fastify, opts = {}) => {
 				const token = resolveToken(request);
 				if (token) {
 					const decoded = jwtContext.verify(token);
-					if (decoded.type === "refresh") throw new Error("Refresh tokens cannot be used for authentication");
-					if (strictTokenType && decoded.type !== "access") throw new Error("Invalid token type: expected access token");
+					if (decoded.type === "refresh") throw createDomainError("arc.auth.invalid_token_type", "Refresh tokens cannot be used for authentication", 401);
+					if (strictTokenType && decoded.type !== "access") throw createDomainError("arc.auth.invalid_token_type", "Invalid token type: expected access token", 401);
 					user = decoded;
 				}
-			} else throw new Error("No authenticator configured. Provide auth.authenticate function or auth.jwt.secret.");
-			if (!user) throw new Error("Authentication required");
+			} else throw createDomainError("arc.auth.misconfigured", "No authenticator configured. Provide auth.authenticate function or auth.jwt.secret.", 500);
+			if (!user) throw new UnauthorizedError("Authentication required");
 			if (isRevoked) try {
-				if (await isRevoked(user)) throw new Error("Token has been revoked");
+				if (await isRevoked(user)) throw createDomainError("arc.auth.token_revoked", "Token has been revoked", 401);
 			} catch (revokeErr) {
-				if (revokeErr instanceof Error && revokeErr.message === "Token has been revoked") throw revokeErr;
-				throw new Error("Token revocation check failed");
+				if (isArcError(revokeErr) && revokeErr.code === "arc.auth.token_revoked") throw revokeErr;
+				throw createDomainError("arc.auth.revocation_check_failed", "Token revocation check failed", 401);
 			}
 			const reqRecord = request;
 			reqRecord.user = user;
@@ -126,11 +126,20 @@ const authPlugin = async (fastify, opts = {}) => {
 				await onFailure(request, reply, error);
 				return;
 			}
+			if (isArcError(error)) {
+				const message = exposeAuthErrors ? error.message : "Authentication required";
+				reply.code(error.statusCode).send({
+					code: error.code,
+					message,
+					status: error.statusCode
+				});
+				return;
+			}
 			const message = exposeAuthErrors ? error.message : "Authentication required";
 			reply.code(401).send({
-				success: false,
-				error: "Unauthorized",
-				message
+				code: "arc.unauthorized",
+				message,
+				status: 401
 			});
 		}
 	};
@@ -193,7 +202,7 @@ const authPlugin = async (fastify, opts = {}) => {
 	* App calls this after validating credentials (login, OAuth, etc.)
 	*/
 	const issueTokens = (payload, options) => {
-		if (!jwtContext) throw new Error("JWT not configured. Provide auth.jwt.secret to use issueTokens.");
+		if (!jwtContext) throw createDomainError("arc.auth.misconfigured", "JWT not configured. Provide auth.jwt.secret to use issueTokens.", 500);
 		const accessTtl = options?.expiresIn ?? accessExpiresIn;
 		const refreshTtl = options?.refreshExpiresIn ?? refreshExpiresIn;
 		const accessToken = jwtContext.sign({
@@ -228,9 +237,9 @@ const authPlugin = async (fastify, opts = {}) => {
 	* App calls this in refresh endpoint
 	*/
 	const verifyRefreshToken = (token) => {
-		if (!jwtContext) throw new Error("JWT not configured. Provide auth.jwt.secret to use verifyRefreshToken.");
+		if (!jwtContext) throw createDomainError("arc.auth.misconfigured", "JWT not configured. Provide auth.jwt.secret to use verifyRefreshToken.", 500);
 		const decoded = fastify.jwt.verify(token, { ...refreshSecret !== jwtConfig?.secret ? { key: refreshSecret } : {} });
-		if (decoded.type !== "refresh") throw new Error("Invalid token type: expected refresh token");
+		if (decoded.type !== "refresh") throw createDomainError("arc.auth.invalid_token_type", "Invalid token type: expected refresh token", 401);
 		return decoded;
 	};
 	/**
@@ -246,9 +255,9 @@ const authPlugin = async (fastify, opts = {}) => {
 			const user = reqRecord[userProperty] ?? reqRecord.user;
 			if (!user) {
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "No user context"
+					code: "arc.unauthorized",
+					message: "No user context",
+					status: 401
 				});
 				return;
 			}
@@ -256,9 +265,9 @@ const authPlugin = async (fastify, opts = {}) => {
 			if (allowedRoles.length === 1 && allowedRoles[0] === "*") return;
 			if (!allowedRoles.some((role) => userRoles.includes(role))) {
 				reply.code(403).send({
-					success: false,
-					error: "Forbidden",
-					message: `Requires one of: ${allowedRoles.join(", ")}`
+					code: "arc.forbidden",
+					message: `Requires one of: ${allowedRoles.join(", ")}`,
+					status: 403
 				});
 				return;
 			}
@@ -334,65 +343,84 @@ async function sendFetchResponse(response, reply) {
 	}
 }
 /**
-* Try to get session via Better Auth's direct JS API.
-* Returns null if the API method is not available (older Better Auth versions).
+* Resolve the current session via Better Auth's direct JS API.
+*
+* Throws `ArcError(BETTER_AUTH_API_MISSING)` when `auth.api.getSession` is
+* absent — this surfaces immediately and clearly when an integrator passes a
+* stub handler instead of a real `betterAuth()` instance.
 */
-async function tryDirectGetSession(auth, headers) {
+async function getSessionDirect(auth, headers) {
 	const api = auth.api;
-	if (!api || typeof api.getSession !== "function") return null;
-	try {
-		const result = await api.getSession({ headers });
-		if (result?.user) return result;
-		return null;
-	} catch {
-		return null;
-	}
+	if (!api || typeof api.getSession !== "function") throw new ArcError("Better Auth instance is missing `api.getSession` — arc 2.13+ requires the in-process API map. Pass a real `betterAuth()` instance or supply an `api: { getSession }` stub.", {
+		code: "BETTER_AUTH_API_MISSING",
+		statusCode: 500
+	});
+	const result = await api.getSession({ headers });
+	return result?.user ? result : null;
 }
 /**
-* Try to get active org member via direct JS API.
-* Returns roles array or null if not available.
+* Read a method from `auth.api` — supports both the flat shape that real
+* `betterAuth()` instances expose (`api.getActiveMember`) and the nested
+* shape some test mocks / older builds use (`api.organization.getActiveMember`).
+*
+* Real Better Auth 1.6.x flattens every plugin endpoint onto the top-level
+* `api` object. The nested form is kept as a fallback for hand-rolled stubs.
 */
-async function tryDirectGetActiveMember(auth, headers) {
-	const getActiveMember = auth.api?.organization?.getActiveMember;
-	if (typeof getActiveMember !== "function") return null;
+function pickApiMethod(auth, name, group) {
+	const api = auth.api;
+	if (!api) return void 0;
+	const flat = api[name];
+	if (typeof flat === "function") return flat;
+	if (group) {
+		const nested = api[group]?.[name];
+		if (typeof nested === "function") return nested;
+	}
+}
+/** Resolve org roles for the active member (session.activeOrganizationId path). */
+async function getActiveMemberRoles(auth, headers) {
+	const fn = pickApiMethod(auth, "getActiveMember", "organization");
+	if (!fn) return null;
 	try {
-		const memberData = await getActiveMember({ headers });
-		if (memberData) return extractRolesFromMembership(memberData);
-		return null;
+		const memberData = await fn({ headers });
+		return memberData ? extractRolesFromMembership(memberData) : null;
 	} catch {
 		return null;
 	}
 }
 /**
-* Look up member role by explicit organizationId (query param).
+* Resolve org roles for an explicit organizationId.
 *
-* Better Auth's `getActiveMemberRole` endpoint accepts an `organizationId`
-* query parameter, bypassing the session's `activeOrganizationId`.
-* This is essential for API key auth where the synthetic session has no
-* active organization set — callers pass org context via `x-organization-id` header.
+* Required for API key auth where the synthetic session lacks
+* `activeOrganizationId` — callers pass org context via the
+* `x-organization-id` header.
 */
-async function tryDirectGetMemberRole(auth, headers, organizationId) {
-	const getActiveMemberRole = auth.api?.organization?.getActiveMemberRole;
-	if (typeof getActiveMemberRole !== "function") return null;
+async function getMemberRolesByOrg(auth, headers, organizationId) {
+	const fn = pickApiMethod(auth, "getActiveMemberRole", "organization");
+	if (!fn) return null;
 	try {
-		const result = await getActiveMemberRole({
+		const result = await fn({
 			headers,
 			query: { organizationId }
 		});
-		if (result?.role) return normalizeRoles(result.role);
-		return null;
+		return result?.role ? normalizeRoles(result.role) : null;
 	} catch {
 		return null;
 	}
 }
 /**
-* Try to list teams via direct JS API.
+* List teams the current user is a member of. Used to validate
+* `activeTeamId` against the membership set before binding it to scope.
+*
+* Better Auth 1.6+ exposes this as `auth.api.listUserTeams` (path:
+* `/organization/list-user-teams`). Older 1.5.x exposed
+* `auth.api.listTeams` — kept as a fallback so stubs/older versions still
+* work.
 */
-async function tryDirectListTeams(auth, headers) {
-	const listTeams = auth.api?.organization?.listTeams;
-	if (typeof listTeams !== "function") return null;
+async function listTeamsDirect(auth, headers) {
+	const fn = pickApiMethod(auth, "listUserTeams", "organization") ?? pickApiMethod(auth, "listTeams", "organization");
+	if (!fn) return null;
 	try {
-		const result = await listTeams({ headers });
+		const result = await fn({ headers });
 		const teams = Array.isArray(result) ? result : result?.teams;
 		return Array.isArray(teams) ? teams : null;
 	} catch {
@@ -432,61 +460,6 @@ function extractRolesFromMembership(membership) {
 	}
 	return [];
 }
-/** Match an organization membership entry against the active org id */
-function membershipMatchesOrg(membership, activeOrgId) {
-	return [
-		normalizeId(membership.organizationId),
-		normalizeId(membership.orgId),
-		normalizeId(membership.id),
-		normalizeId(membership.organization?._id),
-		normalizeId(membership.organization?.id),
-		normalizeId(membership.organization?.organizationId)
-	].filter(Boolean).includes(activeOrgId);
-}
-/**
-* Resolve org roles with fallback chain:
-* 1) GET /organization/get-active-member (requires activeOrganizationId in session)
-* 2) GET /organization/get-active-member-role?organizationId=... (explicit org — works for API key auth)
-* 3) GET /organization/list (fallback for type mismatch/legacy ID storage)
-*/
-async function resolveOrgRoles(auth, protocol, host, normalizedBase, headers, activeOrgId) {
-	const memberUrl = `${protocol}://${host}${normalizedBase}/organization/get-active-member`;
-	const memberRequest = new Request(memberUrl, {
-		method: "GET",
-		headers
-	});
-	const memberResponse = await auth.handler(memberRequest);
-	if (memberResponse.ok) {
-		const memberData = await memberResponse.json();
-		if (memberData) return extractRolesFromMembership(memberData);
-	}
-	const roleUrl = `${protocol}://${host}${normalizedBase}/organization/get-active-member-role?organizationId=${encodeURIComponent(activeOrgId)}`;
-	const roleRequest = new Request(roleUrl, {
-		method: "GET",
-		headers
-	});
-	const roleResponse = await auth.handler(roleRequest);
-	if (roleResponse.ok) {
-		const roleData = await roleResponse.json();
-		if (roleData?.role) return normalizeRoles(roleData.role);
-	}
-	const listUrl = `${protocol}://${host}${normalizedBase}/organization/list`;
-	const listRequest = new Request(listUrl, {
-		method: "GET",
-		headers
-	});
-	const listResponse = await auth.handler(listRequest);
-	if (!listResponse.ok) return null;
-	const listData = await listResponse.json();
-	const memberships = Array.isArray(listData) ? listData : listData?.organizations ?? listData?.data ?? [];
-	if (!Array.isArray(memberships)) return null;
-	const target = memberships.find((entry) => {
-		if (!entry || typeof entry !== "object") return false;
-		return membershipMatchesOrg(entry, activeOrgId);
-	});
-	if (!target) return null;
-	return extractRolesFromMembership(target);
-}
 /**
 * Create a Better Auth adapter for Arc/Fastify.
 *
@@ -527,33 +500,13 @@ function createBetterAuthAdapter(options) {
 	*/
 	const authenticate = async (request, reply) => {
 		try {
-			const protocol = request.protocol ?? "http";
-			const host = request.hostname ?? "localhost";
 			const headers = buildHeaders(request);
-			let sessionData = null;
-			sessionData = await tryDirectGetSession(auth, headers);
-			if (!sessionData) {
-				const sessionUrl = `${protocol}://${host}${normalizedBase}/get-session`;
-				const sessionRequest = new Request(sessionUrl, {
-					method: "GET",
-					headers
-				});
-				const sessionResponse = await auth.handler(sessionRequest);
-				if (!sessionResponse.ok) {
-					reply.code(401).send({
-						success: false,
-						error: "Unauthorized",
-						message: "Invalid or expired session"
-					});
-					return;
-				}
-				sessionData = await sessionResponse.json();
-			}
+			const sessionData = await getSessionDirect(auth, headers);
 			if (!sessionData?.user) {
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "No active session"
+					code: "arc.unauthorized",
+					message: "Invalid or expired session",
+					status: 401
 				});
 				return;
 			}
@@ -572,9 +525,8 @@ function createBetterAuthAdapter(options) {
 				const session = sessionData.session;
 				const activeOrgId = session?.activeOrganizationId || request.headers["x-organization-id"];
 				if (activeOrgId) {
-					let orgRoles = await tryDirectGetActiveMember(auth, headers);
-					if (!orgRoles) orgRoles = await tryDirectGetMemberRole(auth, headers, activeOrgId);
-					if (!orgRoles) orgRoles = await resolveOrgRoles(auth, protocol, host, normalizedBase, headers, activeOrgId);
+					let orgRoles = await getActiveMemberRoles(auth, headers);
+					if (!orgRoles) orgRoles = await getMemberRolesByOrg(auth, headers, activeOrgId);
 					if (orgRoles) {
 						const scope = {
 							kind: "member",
@@ -585,21 +537,7 @@ function createBetterAuthAdapter(options) {
 						};
 						const activeTeamId = session?.activeTeamId;
 						if (activeTeamId) {
-							let teams = await tryDirectListTeams(auth, headers);
-							if (!teams) {
-								const teamsUrl = `${protocol}://${host}${normalizedBase}/organization/list-teams`;
-								const teamsRequest = new Request(teamsUrl, {
-									method: "GET",
-									headers
-								});
-								const teamsResponse = await auth.handler(teamsRequest);
-								if (teamsResponse.ok) {
-									const teamsData = await teamsResponse.json();
-									const teamsList = Array.isArray(teamsData) ? teamsData : teamsData?.teams;
-									teams = Array.isArray(teamsList) ? teamsList : [];
-								}
-							}
-							if (teams?.some((t) => normalizeId(t.id) === activeTeamId)) scope.teamId = activeTeamId;
+							if ((await listTeamsDirect(auth, headers))?.some((t) => normalizeId(t.id) === activeTeamId)) scope.teamId = activeTeamId;
 						}
 						req.scope = scope;
 					}
@@ -608,9 +546,9 @@ function createBetterAuthAdapter(options) {
 		} catch (err) {
 			const message = exposeAuthErrors ? err instanceof Error ? err.message : String(err) : "Authentication required";
 			reply.code(401).send({
-				success: false,
-				error: "Unauthorized",
-				message
+				code: "arc.unauthorized",
+				message,
+				status: 401
 			});
 		}
 	};
@@ -625,17 +563,7 @@ function createBetterAuthAdapter(options) {
 	const optionalAuthenticate = async (request, _reply) => {
 		try {
 			const headers = buildHeaders(request);
-			let sessionData = null;
-			sessionData = await tryDirectGetSession(auth, headers);
-			if (!sessionData) {
-				const sessionUrl = `${request.protocol ?? "http"}://${request.hostname ?? "localhost"}${normalizedBase}/get-session`;
-				const sessionRequest = new Request(sessionUrl, {
-					method: "GET",
-					headers
-				});
-				const sessionResponse = await auth.handler(sessionRequest);
-				if (sessionResponse.ok) sessionData = await sessionResponse.json();
-			}
+			const sessionData = await getSessionDirect(auth, headers);
 			if (!sessionData?.user) return;
 			const req = request;
 			req.user = sessionData.user;
@@ -651,9 +579,8 @@ function createBetterAuthAdapter(options) {
 			if (orgEnabled) {
 				const activeOrgId = sessionData.session?.activeOrganizationId || request.headers["x-organization-id"];
 				if (activeOrgId) {
-					let orgRoles = await tryDirectGetActiveMember(auth, headers);
-					if (!orgRoles) orgRoles = await tryDirectGetMemberRole(auth, headers, activeOrgId);
-					if (!orgRoles) orgRoles = await resolveOrgRoles(auth, request.protocol ?? "http", request.hostname ?? "localhost", normalizedBase, headers, activeOrgId);
+					let orgRoles = await getActiveMemberRoles(auth, headers);
+					if (!orgRoles) orgRoles = await getMemberRolesByOrg(auth, headers, activeOrgId);
 					if (orgRoles) req.scope = {
 						kind: "member",
 						userId: optUserId,
@@ -684,7 +611,7 @@ function createBetterAuthAdapter(options) {
 		if (!fastify.hasDecorator("authenticate")) fastify.decorate("authenticate", authenticate);
 		if (!fastify.hasDecorator("optionalAuthenticate")) fastify.decorate("optionalAuthenticate", optionalAuthenticate);
 		if (!extractedOpenApi && openapiOpt !== false && auth.api && typeof auth.api === "object") {
-			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-DwxtK3uG.mjs").then((n) => n.t);
+			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi--M_i87dQ.mjs").then((n) => n.t);
 			extractedOpenApi = extractBetterAuthOpenApi(auth.api, {
 				basePath,
 				userFields
@@ -1006,18 +933,17 @@ function createSessionManager(options) {
 		const session = request.session;
 		if (!session) {
 			reply.code(401).send({
-				success: false,
-				error: "Unauthorized",
-				message: "Authentication required"
+				code: "arc.unauthorized",
+				message: "Authentication required",
+				status: 401
 			});
 			return;
 		}
 		if (Date.now() - session.updatedAt > freshAgeMs) {
 			reply.code(403).send({
-				success: false,
-				error: "SessionNotFresh",
+				code: "arc.forbidden",
 				message: "Session is not fresh. Please re-authenticate to perform this action.",
-				code: "SESSION_NOT_FRESH"
+				status: 403
 			});
 			return;
 		}
@@ -1028,9 +954,9 @@ function createSessionManager(options) {
 			const signedValue = parseCookies(typeof cookieHeader === "string" ? cookieHeader : void 0).get(cookieName);
 			if (!signedValue) {
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "No session cookie"
+					code: "arc.unauthorized",
+					message: "No session cookie",
+					status: 401
 				});
 				return;
 			}
@@ -1038,9 +964,9 @@ function createSessionManager(options) {
 			if (!sessionId) {
 				reply.header("Set-Cookie", buildClearCookieHeader(cookieName, cookieOptions));
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "Invalid session"
+					code: "arc.unauthorized",
+					message: "Invalid session",
+					status: 401
 				});
 				return;
 			}
@@ -1048,9 +974,9 @@ function createSessionManager(options) {
 			if (!session) {
 				reply.header("Set-Cookie", buildClearCookieHeader(cookieName, cookieOptions));
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "Session expired or revoked"
+					code: "arc.unauthorized",
+					message: "Session expired or revoked",
+					status: 401
 				});
 				return;
 			}
@@ -1058,9 +984,9 @@ function createSessionManager(options) {
 				await store.delete(sessionId);
 				reply.header("Set-Cookie", buildClearCookieHeader(cookieName, cookieOptions));
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "Session expired"
+					code: "arc.unauthorized",
+					message: "Session expired",
+					status: 401
 				});
 				return;
 			}

package/dist/auth/redis-session.d.mts

@@ -1,4 +1,4 @@
-import { i as SessionData, s as SessionStore } from "../sessionManager-D-oNWHz3.mjs";
+import { i as SessionData, s as SessionStore } from "../sessionManager-C4Le_UB3.mjs";
 
 //#region src/auth/redis-session.d.ts
 /** Minimal Redis client interface — compatible with ioredis */

package/dist/{betterAuthOpenApi-DwxtK3uG.mjs → betterAuthOpenApi--M_i87dQ.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { a as toJsonSchema } from "./schemaConverter-B0oKLuqI.mjs";
+import { a as toJsonSchema } from "./schemaConverter-De34B1ZG.mjs";
 //#region src/auth/betterAuthOpenApi.ts
 var betterAuthOpenApi_exports = /* @__PURE__ */ __exportAll({ extractBetterAuthOpenApi: () => extractBetterAuthOpenApi });
 /**