@contentgrowth/content-auth 0.2.9 → 0.3.1

package/dist/backend/index.d.ts

@@ -6,6 +6,47 @@ import { Context, Hono } from 'hono';
 export { Hono } from 'hono';
 import * as drizzle_orm_sqlite_core from 'drizzle-orm/sqlite-core';
 
+/**
+ * Cloudflare Turnstile Verification Utility
+ *
+ * Verifies Turnstile tokens on the server-side using Cloudflare's Siteverify API.
+ * @see https://developers.cloudflare.com/turnstile/get-started/server-side-validation/
+ */
+interface VerifyResult {
+    success: boolean;
+    error?: string;
+    hostname?: string;
+}
+/**
+ * Verifies a Turnstile token with Cloudflare's Siteverify API.
+ *
+ * @param secretKey - Your Turnstile secret key
+ * @param token - The token from the client-side Turnstile widget (cf-turnstile-response)
+ * @param remoteIp - Optional: The visitor's IP address for additional validation
+ * @returns Verification result with success status and any error messages
+ */
+declare function verifyTurnstile(secretKey: string, token: string, remoteIp?: string): Promise<VerifyResult>;
+
+/**
+ * Email Normalization Utilities
+ *
+ * Normalizes email addresses to prevent duplicate accounts through
+ * the "Gmail dot trick" and plus-addressing.
+ */
+/**
+ * Normalizes an email address for duplicate detection.
+ * - Gmail addresses: strips dots and plus-addressing, normalizes googlemail.com
+ * - Other addresses: lowercases only
+ *
+ * @param email - The email address to normalize
+ * @returns The normalized email address
+ */
+declare function normalizeEmail(email: string): string;
+/**
+ * Checks if an email is a Gmail address (including googlemail.com)
+ */
+declare function isGmailAddress(email: string): boolean;
+
 declare const users: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
     name: "users";
     schema: undefined;
@@ -1084,6 +1125,16 @@ declare function getInvitationLink(data: any, baseUrl: string): {
  */
 declare function getSessionToken(req: Request): string | null;
 
+interface TurnstileConfig {
+    /** Cloudflare Turnstile secret key */
+    secretKey: string;
+}
+interface EmailNormalizationConfig {
+    /** Enable email normalization for duplicate detection. Default: false */
+    enabled: boolean;
+    /** Column name in users table. Default: 'normalized_email' */
+    columnName?: string;
+}
 interface AuthConfig {
     /**
      * The database instance or D1 binding.
@@ -1121,6 +1172,16 @@ interface AuthConfig {
             token: string;
         }, request: any) => Promise<void> | void;
     };
+    /**
+     * Cloudflare Turnstile configuration for bot protection on email signups.
+     * When configured, the AuthForm frontend will show a Turnstile challenge.
+     */
+    turnstile?: TurnstileConfig;
+    /**
+     * Email normalization for duplicate prevention (Gmail dot trick, plus-addressing).
+     * Requires a 'normalized_email' column in the users table.
+     */
+    emailNormalization?: EmailNormalizationConfig;
     [key: string]: any;
 }
 declare const createAuth: (config: AuthConfig) => better_auth.Auth<any>;
@@ -1130,4 +1191,4 @@ declare const createAuthApp: (config: AuthConfig) => {
     auth: better_auth.Auth<any>;
 };
 
-export { type AuthConfig, authMiddleware, createAuth, createAuthApp, getInvitationLink, getSessionToken, schema };
+export { type AuthConfig, type EmailNormalizationConfig, type TurnstileConfig, authMiddleware, createAuth, createAuthApp, getInvitationLink, getSessionToken, isGmailAddress, normalizeEmail, schema, verifyTurnstile };

package/dist/backend/index.js

@@ -5,8 +5,11 @@ import {
   createAuthApp,
   getInvitationLink,
   getSessionToken,
-  schema_exports
-} from "../chunk-N5OK3XPK.js";
+  isGmailAddress,
+  normalizeEmail,
+  schema_exports,
+  verifyTurnstile
+} from "../chunk-H37QRFRH.js";
 import "../chunk-R5U7XKVJ.js";
 export {
   Hono,
@@ -15,5 +18,8 @@ export {
   createAuthApp,
   getInvitationLink,
   getSessionToken,
-  schema_exports as schema
+  isGmailAddress,
+  normalizeEmail,
+  schema_exports as schema,
+  verifyTurnstile
 };

package/dist/{chunk-EU3UKKTM.js → chunk-6MYNRK2N.js}

@@ -3,7 +3,7 @@ import {
 } from "./chunk-NKDKDBM2.js";
 
 // src/frontend/components/AuthForm.tsx
-import React, { useState } from "react";
+import { useState, useRef, useEffect } from "react";
 import { Fragment, jsx, jsxs } from "react/jsx-runtime";
 var AuthForm = ({
   client = authClient,
@@ -19,7 +19,8 @@ var AuthForm = ({
   onSwitchMode,
   defaultEmail = "",
   lockEmail = false,
-  forgotPasswordUrl
+  forgotPasswordUrl,
+  turnstileSiteKey
 }) => {
   const [isLogin, setIsLogin] = useState(view !== "signup");
   const [email, setEmail] = useState(defaultEmail);
@@ -27,13 +28,37 @@ var AuthForm = ({
   const [name, setName] = useState("");
   const [loading, setLoading] = useState(false);
   const [error, setError] = useState(null);
+  const [turnstileToken, setTurnstileToken] = useState(null);
+  const turnstileRef = useRef(null);
+  const [TurnstileComponent, setTurnstileComponent] = useState(null);
   const [mounted, setMounted] = useState(false);
-  React.useEffect(() => {
+  useEffect(() => {
     setMounted(true);
     setIsLogin(view !== "signup");
-  }, [view]);
+    if (turnstileSiteKey) {
+      import("@marsidev/react-turnstile").then((module) => setTurnstileComponent(() => module.Turnstile)).catch(() => setTurnstileComponent(null));
+    }
+  }, [view, turnstileSiteKey]);
+  const turnstileEnabled = turnstileSiteKey && TurnstileComponent;
+  const turnstileRequired = turnstileEnabled && !isLogin;
+  const canSubmit = !turnstileRequired || !!turnstileToken;
+  const handleTurnstileSuccess = (token) => {
+    setTurnstileToken(token);
+  };
+  const handleTurnstileError = () => {
+    setTurnstileToken(null);
+    setError("Security verification failed. Please try again.");
+  };
+  const handleTurnstileExpire = () => {
+    setTurnstileToken(null);
+    turnstileRef.current?.reset();
+  };
   const handleSubmit = async (e) => {
     e.preventDefault();
+    if (turnstileRequired && !turnstileToken) {
+      setError("Please complete the security challenge");
+      return;
+    }
     setLoading(true);
     setError(null);
     try {
@@ -45,16 +70,24 @@ var AuthForm = ({
         });
         if (response.error) throw response.error;
       } else {
-        response = await client.signUp.email({
+        const signupData = {
           email,
           password,
           name
-        });
+        };
+        if (turnstileToken) {
+          signupData.turnstileToken = turnstileToken;
+        }
+        response = await client.signUp.email(signupData);
         if (response.error) throw response.error;
       }
       onSuccess?.(response.data);
     } catch (err) {
       setError(err.message || "An error occurred");
+      if (turnstileRef.current) {
+        turnstileRef.current.reset();
+        setTurnstileToken(null);
+      }
     } finally {
       setLoading(false);
     }
@@ -77,6 +110,26 @@ var AuthForm = ({
   else if (width === "wide") widthClass = "ca-width-wide";
   else widthClass = "ca-width-default";
   const containerClass = `ca-container ${layout === "split" ? "ca-layout-split" : ""} ${widthClass} ${className || ""}`;
+  const renderTurnstile = () => {
+    if (!turnstileEnabled || isLogin) return null;
+    return /* @__PURE__ */ jsxs("div", { className: "ca-turnstile", children: [
+      /* @__PURE__ */ jsx(
+        TurnstileComponent,
+        {
+          ref: turnstileRef,
+          siteKey: turnstileSiteKey,
+          onSuccess: handleTurnstileSuccess,
+          onError: handleTurnstileError,
+          onExpire: handleTurnstileExpire,
+          options: {
+            theme: "light",
+            size: "normal"
+          }
+        }
+      ),
+      !turnstileToken && /* @__PURE__ */ jsx("p", { className: "ca-turnstile-hint", children: "Please complete the security check above" })
+    ] });
+  };
   const renderSocials = () => (
     // Hide social logins when email is locked (e.g., invitation flow)
     !lockEmail && socialProviders.length > 0 && /* @__PURE__ */ jsx("div", { className: socialClass, children: socialProviders.map((provider) => /* @__PURE__ */ jsxs(
@@ -154,8 +207,17 @@ var AuthForm = ({
           }
         )
       ] }),
+      renderTurnstile(),
       error && /* @__PURE__ */ jsx("div", { className: "ca-error", children: error }),
-      /* @__PURE__ */ jsx("button", { type: "submit", className: "ca-button", disabled: loading, children: loading ? "Loading..." : isLogin ? "Sign In" : "Sign Up" })
+      /* @__PURE__ */ jsx(
+        "button",
+        {
+          type: "submit",
+          className: "ca-button",
+          disabled: loading || !canSubmit,
+          children: loading ? "Loading..." : isLogin ? "Sign In" : "Sign Up"
+        }
+      )
     ] });
   };
   const renderFooter = () => /* @__PURE__ */ jsxs("div", { className: "ca-footer", children: [
@@ -170,6 +232,10 @@ var AuthForm = ({
           } else {
             setIsLogin(!isLogin);
           }
+          if (turnstileRef.current) {
+            turnstileRef.current.reset();
+            setTurnstileToken(null);
+          }
         },
         type: "button",
         children: isLogin ? "Sign up" : "Sign in"
@@ -411,7 +477,7 @@ var ResetPasswordForm = ({
 };
 
 // src/frontend/components/Organization.tsx
-import { useState as useState4, useEffect } from "react";
+import { useState as useState4, useEffect as useEffect2 } from "react";
 import { jsx as jsx4, jsxs as jsxs4 } from "react/jsx-runtime";
 var CreateOrganizationForm = ({
   client = authClient,
@@ -484,7 +550,7 @@ var OrganizationSwitcher = ({
 }) => {
   const [orgs, setOrgs] = useState4([]);
   const [loading, setLoading] = useState4(true);
-  useEffect(() => {
+  useEffect2(() => {
     const fetchOrgs = async () => {
       const { data } = await client.organization.list({});
       if (data) setOrgs(data);
@@ -576,7 +642,7 @@ var InviteMemberForm = ({
 };
 
 // src/frontend/components/ProfileEditor.tsx
-import { useState as useState5, useEffect as useEffect2 } from "react";
+import { useState as useState5, useEffect as useEffect3 } from "react";
 import { jsx as jsx5, jsxs as jsxs5 } from "react/jsx-runtime";
 var ProfileEditor = ({
   client = authClient,
@@ -589,7 +655,7 @@ var ProfileEditor = ({
   const [name, setName] = useState5(defaultName);
   const [image, setImage] = useState5(defaultImage);
   const [loading, setLoading] = useState5(false);
-  useEffect2(() => {
+  useEffect3(() => {
     if (defaultName) setName(defaultName);
     if (defaultImage) setImage(defaultImage);
   }, [defaultName, defaultImage]);
@@ -661,7 +727,7 @@ var ProfileEditor = ({
 };
 
 // src/frontend/components/PasswordChanger.tsx
-import React6, { useState as useState6 } from "react";
+import { useState as useState6 } from "react";
 import { jsx as jsx6, jsxs as jsxs6 } from "react/jsx-runtime";
 var PasswordChanger = ({
   client = authClient,
@@ -674,26 +740,6 @@ var PasswordChanger = ({
   const [newPassword, setNewPassword] = useState6("");
   const [confirmPassword, setConfirmPassword] = useState6("");
   const [loading, setLoading] = useState6(false);
-  const [canChangePassword, setCanChangePassword] = useState6(true);
-  const [authMessage, setAuthMessage] = useState6(null);
-  React6.useEffect(() => {
-    const checkAccounts = async () => {
-      try {
-        const accounts = await client.listAccounts();
-        if (accounts?.data) {
-          const hasCredential = accounts.data.some((acc) => acc.providerId === "credential");
-          if (!hasCredential) {
-            setCanChangePassword(false);
-            const providers = accounts.data.map((acc) => acc.providerId).join(", ");
-            setAuthMessage(`You are signed in via ${providers}. You cannot change your password here because you don't have a password set.`);
-          }
-        }
-      } catch (e) {
-        console.warn("Failed to list accounts", e);
-      }
-    };
-    checkAccounts();
-  }, [client]);
   const handleSubmit = async (e) => {
     e.preventDefault();
     if (newPassword !== confirmPassword) {
@@ -715,9 +761,7 @@ var PasswordChanger = ({
       onSuccess?.(res?.data);
     } catch (err) {
       if (err?.code === "CREDENTIAL_ACCOUNT_NOT_FOUND" || err?.message?.includes("Credential account not found")) {
-        setCanChangePassword(false);
-        setAuthMessage("You are logged in via a social provider and do not have a password set.");
-        onError?.("Password change unavailable for social logins.");
+        onError?.("You are logged in via a social provider (e.g. GitHub, Google) and do not have a password set.");
       } else {
         onError?.(err.message || "Failed to change password");
       }
@@ -725,12 +769,6 @@ var PasswordChanger = ({
       setLoading(false);
     }
   };
-  if (!canChangePassword) {
-    return /* @__PURE__ */ jsx6("div", { className: `ca-form ${className || ""}`, children: /* @__PURE__ */ jsxs6("div", { className: "ca-info-message", style: { textAlign: "center", padding: "2rem", background: "#f9fafb", borderRadius: "8px", border: "1px solid #e5e7eb" }, children: [
-      /* @__PURE__ */ jsx6("p", { style: { color: "#6b7280", marginBottom: "0.5rem" }, children: "Password Change Unavailable" }),
-      /* @__PURE__ */ jsx6("p", { style: { color: "#374151", fontSize: "0.95rem" }, children: authMessage || "Your account is managed by a third-party provider." })
-    ] }) });
-  }
   return /* @__PURE__ */ jsxs6("form", { onSubmit: handleSubmit, className: `ca-form ${className || ""}`, children: [
     /* @__PURE__ */ jsxs6("div", { className: "ca-input-group", children: [
       /* @__PURE__ */ jsx6("label", { className: "ca-label", htmlFor: "current-password", children: "Current Password" }),

package/dist/{chunk-N5OK3XPK.js → chunk-H37QRFRH.js}

@@ -9,6 +9,87 @@ import { drizzle } from "drizzle-orm/d1";
 import { Hono } from "hono";
 export * from "better-auth";
 
+// src/backend/turnstile.ts
+async function verifyTurnstile(secretKey, token, remoteIp) {
+  if (!secretKey) {
+    console.warn("[Turnstile] No secret key configured, skipping verification");
+    return { success: true };
+  }
+  if (!token) {
+    return { success: false, error: "Missing Turnstile token" };
+  }
+  try {
+    const formData = new URLSearchParams();
+    formData.append("secret", secretKey);
+    formData.append("response", token);
+    if (remoteIp) {
+      formData.append("remoteip", remoteIp);
+    }
+    const response = await fetch("https://challenges.cloudflare.com/turnstile/v0/siteverify", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: formData.toString()
+    });
+    if (!response.ok) {
+      console.error(`[Turnstile] Siteverify API error: ${response.status}`);
+      return { success: false, error: `API error: ${response.status}` };
+    }
+    const result = await response.json();
+    if (result.success) {
+      return { success: true, hostname: result.hostname };
+    } else {
+      const errorCodes = result["error-codes"] || [];
+      console.warn(`[Turnstile] Verification failed: ${errorCodes.join(", ")}`);
+      return {
+        success: false,
+        error: mapTurnstileError(errorCodes)
+      };
+    }
+  } catch (error) {
+    console.error(`[Turnstile] Verification error: ${error.message}`);
+    return { success: false, error: "Verification service unavailable" };
+  }
+}
+function mapTurnstileError(codes) {
+  if (codes.includes("timeout-or-duplicate")) {
+    return "Challenge expired or already used. Please try again.";
+  }
+  if (codes.includes("invalid-input-response")) {
+    return "Invalid challenge response. Please try again.";
+  }
+  if (codes.includes("bad-request")) {
+    return "Invalid request. Please refresh and try again.";
+  }
+  if (codes.includes("internal-error")) {
+    return "Verification service error. Please try again later.";
+  }
+  return "Challenge verification failed. Please try again.";
+}
+
+// src/backend/email-normalize.ts
+function normalizeEmail(email) {
+  const lowerEmail = email.toLowerCase().trim();
+  const atIndex = lowerEmail.indexOf("@");
+  if (atIndex === -1) {
+    return lowerEmail;
+  }
+  const local = lowerEmail.substring(0, atIndex);
+  const domain = lowerEmail.substring(atIndex + 1);
+  const normalizedDomain = domain === "googlemail.com" ? "gmail.com" : domain;
+  if (normalizedDomain === "gmail.com") {
+    const localWithoutPlus = local.split("+")[0];
+    const normalizedLocal = localWithoutPlus.replace(/\./g, "");
+    return `${normalizedLocal}@gmail.com`;
+  }
+  return lowerEmail;
+}
+function isGmailAddress(email) {
+  const lowerEmail = email.toLowerCase();
+  return lowerEmail.endsWith("@gmail.com") || lowerEmail.endsWith("@googlemail.com");
+}
+
 // src/backend/schema.ts
 var schema_exports = {};
 __export(schema_exports, {
@@ -195,13 +276,24 @@ function getSessionToken(req) {
 // src/backend/index.ts
 var createAuth = (config) => {
   let db;
+  let rawDb = config.database;
   let provider = config.provider || "sqlite";
   if (config.database && typeof config.database.prepare === "function") {
     db = drizzle(config.database, { schema: schema_exports });
   } else {
     db = config.database;
   }
-  const { database, secret, baseUrl, provider: _, useCloudflareNativeHashing = true, emailVerification, ...rest } = config;
+  const {
+    database,
+    secret,
+    baseUrl,
+    provider: _,
+    useCloudflareNativeHashing = true,
+    emailVerification,
+    turnstile: turnstileConfig,
+    emailNormalization,
+    ...rest
+  } = config;
   let adapterOptions = {
     provider,
     schema: {
@@ -215,7 +307,7 @@ var createAuth = (config) => {
     }
   };
   const emailConfig = rest.emailAndPassword || { enabled: true };
-  const { emailAndPassword, ...otherOptions } = rest;
+  const { emailAndPassword, hooks: userHooks, ...otherOptions } = rest;
   const emailPasswordOptions = {
     ...emailConfig
   };
@@ -225,6 +317,99 @@ var createAuth = (config) => {
       verify: verifyPassword
     };
   }
+  const normalizedEmailColumn = emailNormalization?.columnName || "normalized_email";
+  const contentAuthHooks = {
+    before: async (context) => {
+      const path = context.path || "";
+      if (path.includes("/sign-up/email")) {
+        try {
+          let body;
+          if (context.body) {
+            body = context.body;
+          } else {
+            try {
+              body = await context.request.clone().json();
+            } catch (e) {
+            }
+          }
+          if (body) {
+            if (turnstileConfig?.secretKey) {
+              const turnstileToken = body.turnstileToken;
+              if (!turnstileToken) {
+                console.warn("[ContentAuth] Email signup missing Turnstile token");
+                return {
+                  status: 400,
+                  body: JSON.stringify({
+                    success: false,
+                    code: "TURNSTILE_REQUIRED",
+                    message: "Please complete the security challenge"
+                  }),
+                  headers: { "Content-Type": "application/json" }
+                };
+              }
+              const { success, error } = await verifyTurnstile(turnstileConfig.secretKey, turnstileToken);
+              if (!success) {
+                console.warn(`[ContentAuth] Turnstile verification failed: ${error}`);
+                return {
+                  status: 400,
+                  body: JSON.stringify({
+                    success: false,
+                    code: "TURNSTILE_FAILED",
+                    message: error || "Security challenge failed. Please try again."
+                  }),
+                  headers: { "Content-Type": "application/json" }
+                };
+              }
+            }
+            if (emailNormalization?.enabled && body.email && rawDb?.prepare) {
+              const normalized = normalizeEmail(body.email);
+              const existing = await rawDb.prepare(
+                `SELECT id FROM users WHERE ${normalizedEmailColumn} = ?`
+              ).bind(normalized).first();
+              if (existing) {
+                console.warn(`[ContentAuth] Duplicate normalized email detected: ${normalized}`);
+                return {
+                  status: 400,
+                  body: JSON.stringify({
+                    success: false,
+                    code: "EMAIL_EXISTS",
+                    message: "An account with this email already exists"
+                  }),
+                  headers: { "Content-Type": "application/json" }
+                };
+              }
+            }
+          }
+        } catch (e) {
+          console.error("[ContentAuth] Email signup hook error:", e.message);
+        }
+      }
+      if (userHooks?.before) {
+        return userHooks.before(context);
+      }
+      return;
+    },
+    after: async (context) => {
+      const path = context.path || "";
+      const user = context.user || context.response?.user || context.data?.user || context.context?.returned?.user || context.context?.newSession?.user;
+      if (emailNormalization?.enabled && rawDb?.prepare) {
+        if ((path.includes("/sign-up") || path.includes("/callback")) && user?.id && user?.email) {
+          try {
+            const normalized = normalizeEmail(user.email);
+            await rawDb.prepare(
+              `UPDATE users SET ${normalizedEmailColumn} = ? WHERE id = ? AND (${normalizedEmailColumn} IS NULL OR ${normalizedEmailColumn} != ?)`
+            ).bind(normalized, user.id, normalized).run();
+          } catch (e) {
+            console.error(`[ContentAuth] Failed to set normalized_email: ${e.message}`);
+          }
+        }
+      }
+      if (userHooks?.after) {
+        return userHooks.after(context);
+      }
+      return {};
+    }
+  };
   const auth = betterAuth({
     database: drizzleAdapter(db, adapterOptions),
     secret,
@@ -232,6 +417,8 @@ var createAuth = (config) => {
     emailAndPassword: emailPasswordOptions,
     // Pass emailVerification config if provided
     ...emailVerification ? { emailVerification } : {},
+    // Merge content-auth hooks with user hooks
+    hooks: contentAuthHooks,
     ...otherOptions
   });
   return auth;
@@ -251,6 +438,9 @@ var createAuthApp = (config) => {
 };
 
 export {
+  verifyTurnstile,
+  normalizeEmail,
+  isGmailAddress,
   schema_exports,
   getInvitationLink,
   getSessionToken,

package/dist/frontend/index.d.ts

@@ -24,6 +24,8 @@ interface AuthFormProps {
     lockEmail?: boolean;
     /** URL for the forgot password page (shows link on login form if provided) */
     forgotPasswordUrl?: string;
+    /** Cloudflare Turnstile site key. When set, shows Turnstile widget on signup. */
+    turnstileSiteKey?: string;
 }
 declare const AuthForm: React.FC<AuthFormProps>;
 

package/dist/frontend/index.js

@@ -7,7 +7,7 @@ import {
   PasswordChanger,
   ProfileEditor,
   ResetPasswordForm
-} from "../chunk-EU3UKKTM.js";
+} from "../chunk-6MYNRK2N.js";
 import {
   authClient,
   createClient

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-export { AuthConfig, authMiddleware, createAuth, createAuthApp, getInvitationLink, getSessionToken, schema } from './backend/index.js';
+export { AuthConfig, EmailNormalizationConfig, TurnstileConfig, authMiddleware, createAuth, createAuthApp, getInvitationLink, getSessionToken, isGmailAddress, normalizeEmail, schema, verifyTurnstile } from './backend/index.js';
 export { AuthForm, CreateOrganizationForm, ForgotPasswordForm, InviteMemberForm, OrganizationSwitcher, PasswordChanger, PasswordChangerProps, ProfileEditor, ProfileEditorProps, ResetPasswordForm } from './frontend/index.js';
 export { authClient, createClient } from './frontend/client.js';
 export * from 'better-auth';

package/dist/index.js

@@ -5,8 +5,11 @@ import {
   createAuthApp,
   getInvitationLink,
   getSessionToken,
-  schema_exports
-} from "./chunk-N5OK3XPK.js";
+  isGmailAddress,
+  normalizeEmail,
+  schema_exports,
+  verifyTurnstile
+} from "./chunk-H37QRFRH.js";
 import {
   AuthForm,
   CreateOrganizationForm,
@@ -16,7 +19,7 @@ import {
   PasswordChanger,
   ProfileEditor,
   ResetPasswordForm
-} from "./chunk-EU3UKKTM.js";
+} from "./chunk-6MYNRK2N.js";
 import {
   authClient,
   createClient
@@ -39,5 +42,8 @@ export {
   createClient,
   getInvitationLink,
   getSessionToken,
-  schema_exports as schema
+  isGmailAddress,
+  normalizeEmail,
+  schema_exports as schema,
+  verifyTurnstile
 };

package/dist/styles.css

@@ -346,4 +346,27 @@ button[type="submit"]:disabled {
     flex-direction: column;
     justify-content: center;
   }
+}
+
+/* Turnstile Widget */
+.ca-turnstile {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  gap: 0.5rem;
+  margin: 0.5rem 0;
+}
+
+.ca-turnstile-hint {
+  font-size: 0.8125rem;
+  color: #6b7280;
+  text-align: center;
+  margin: 0;
+}
+
+/* Locked Input */
+.ca-input-locked {
+  background-color: #f3f4f6;
+  color: #6b7280;
+  cursor: not-allowed;
 }

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@contentgrowth/content-auth",
-    "version": "0.2.9",
-    "description": "Better Auth wrapper with UI components for Cloudflare Workers & Pages",
+    "version": "0.3.1",
+    "description": "Better Auth wrapper with UI components for Cloudflare Workers & Pages. Includes Turnstile bot protection and email normalization.",
     "type": "module",
     "main": "./dist/index.js",
     "module": "./dist/index.js",
@@ -50,9 +50,15 @@
     "author": "Content Growth",
     "license": "MIT",
     "peerDependencies": {
+        "@marsidev/react-turnstile": ">=0.5.0",
         "react": ">=18.2.0",
         "react-dom": ">=18.2.0"
     },
+    "peerDependenciesMeta": {
+        "@marsidev/react-turnstile": {
+            "optional": true
+        }
+    },
     "dependencies": {
         "better-auth": "^1.4.9",
         "cac": "^6.7.14",
@@ -61,6 +67,7 @@
     },
     "devDependencies": {
         "@cloudflare/workers-types": "^4.20251231.0",
+        "@marsidev/react-turnstile": "^1.4.1",
         "@types/node": "^25.0.3",
         "@types/react": "^19.2.7",
         "@types/react-dom": "^19.2.3",

package/schema/auth.sql

@@ -27,6 +27,8 @@ CREATE TABLE IF NOT EXISTS users (
     image TEXT,
     createdAt TIMESTAMP NOT NULL,
     updatedAt TIMESTAMP NOT NULL
+    -- Optional: For Gmail duplicate prevention (see docs)
+    -- normalized_email TEXT
 );
 
 -- Sessions