@convex-dev/better-auth 0.11.2 → 0.11.4

package/src/client/adapter.test.ts

@@ -1,11 +1,26 @@
 /// <reference types="vite/client" />
 
-import { describe } from "vitest";
+import { describe, it } from "vitest";
 import { convexTest } from "convex-test";
 import { api } from "../component/_generated/api.js";
 import schema from "../component/testProfiles/schema.profile-plugin-table.js";
 
-describe("Better Auth Adapter Tests", async () => {
-  const t = convexTest(schema, import.meta.glob("../component/**/*.*s"));
-  await t.action(api.adapterTest.runTests, {});
-});
+const MIN_NODE_MAJOR = 24;
+const currentNodeMajor = Number.parseInt(
+  process.versions.node.split(".")[0] ?? "0",
+  10
+);
+
+if (currentNodeMajor < MIN_NODE_MAJOR) {
+  describe("Better Auth Adapter Tests", () => {
+    it.skip(
+      `requires Node ${MIN_NODE_MAJOR}+ (adapter test-utils uses explicit resource management syntax)`,
+      () => {}
+    );
+  });
+} else {
+  describe("Better Auth Adapter Tests", async () => {
+    const t = convexTest(schema, import.meta.glob("../component/**/*.*s"));
+    await t.action(api.adapterTest.runTests, {});
+  });
+}

package/src/client/create-client.test.ts

@@ -0,0 +1,149 @@
+import { describe, expect, it, vi } from "vitest";
+import { httpRouter } from "convex/server";
+import { createClient } from "./create-client.js";
+
+const component = {
+  adapter: {
+    create: "create",
+    findOne: "findOne",
+    findMany: "findMany",
+    updateOne: "updateOne",
+    updateMany: "updateMany",
+    deleteOne: "deleteOne",
+    deleteMany: "deleteMany",
+  },
+} as any;
+
+const getRouteHandler = (
+  http: ReturnType<typeof httpRouter>,
+  path: string,
+  method: "GET" | "POST" | "OPTIONS"
+) => {
+  const route = http.lookup(path, method);
+  if (!route) {
+    return null;
+  }
+  return route[0] as unknown as {
+    _handler: (ctx: unknown, request: Request) => Promise<Response>;
+  };
+};
+
+describe("createClient route registration", () => {
+  it("registerRoutes eagerly initializes auth and infers basePath", () => {
+    const client = createClient(component);
+    const http = httpRouter();
+    const createAuth = vi.fn(() => ({
+      handler: async () => new Response("ok"),
+      options: {
+        basePath: "/custom/auth",
+        trustedOrigins: ["https://app.example.com"],
+      },
+      $context: Promise.resolve({
+        options: {
+          trustedOrigins: ["https://app.example.com"],
+        },
+      }),
+    }));
+
+    client.registerRoutes(http, createAuth);
+
+    expect(createAuth).toHaveBeenCalledTimes(1);
+    expect(getRouteHandler(http, "/custom/auth/test", "GET")).toBeTruthy();
+    expect(
+      getRouteHandler(http, "/.well-known/openid-configuration", "GET")
+    ).toBeTruthy();
+  });
+
+  it("registerRoutes uses auth options for CORS and basePath", async () => {
+    const client = createClient(component);
+    const http = httpRouter();
+    const createAuth = vi.fn(() => ({
+      handler: async () => new Response("ok"),
+      options: {
+        basePath: "/custom/auth",
+        trustedOrigins: ["https://app.example.com"],
+      },
+      $context: Promise.resolve({
+        options: {
+          trustedOrigins: ["https://app.example.com"],
+        },
+      }),
+    }));
+
+    client.registerRoutes(http, createAuth, { cors: true });
+
+    expect(createAuth).toHaveBeenCalledTimes(1);
+    expect(getRouteHandler(http, "/custom/auth/test", "GET")).toBeTruthy();
+    expect(getRouteHandler(http, "/custom/auth/test", "OPTIONS")).toBeTruthy();
+
+    const optionsHandler = getRouteHandler(
+      http,
+      "/custom/auth/test",
+      "OPTIONS"
+    );
+    expect(optionsHandler).toBeTruthy();
+    const response = await optionsHandler!._handler(
+      {},
+      new Request("https://deployment.convex.site/custom/auth/test", {
+        method: "OPTIONS",
+        headers: {
+          origin: "https://app.example.com",
+          "access-control-request-method": "GET",
+        },
+      })
+    );
+
+    expect(response.headers.get("access-control-allow-origin")).toBe(
+      "https://app.example.com"
+    );
+    expect(createAuth).toHaveBeenCalledTimes(1);
+
+    const getHandler = getRouteHandler(http, "/custom/auth/test", "GET");
+    expect(getHandler).toBeTruthy();
+    await getHandler!._handler(
+      {},
+      new Request("https://deployment.convex.site/custom/auth/test", {
+        method: "GET",
+      })
+    );
+    expect(createAuth).toHaveBeenCalledTimes(2);
+  });
+
+  it("registerRoutesLazy resolves trustedOrigins lazily when needed", async () => {
+    const client = createClient(component);
+    const http = httpRouter();
+    const createAuth = vi.fn(() => ({
+      handler: async () => new Response("ok"),
+      options: {
+        trustedOrigins: ["https://fallback.example.com"],
+      },
+      $context: Promise.resolve({
+        options: {
+          trustedOrigins: ["https://fallback.example.com"],
+        },
+      }),
+    }));
+
+    client.registerRoutesLazy(http, createAuth, { cors: true });
+    expect(createAuth).not.toHaveBeenCalled();
+    expect(getRouteHandler(http, "/api/auth/test", "GET")).toBeTruthy();
+
+    const optionsHandler = getRouteHandler(http, "/api/auth/test", "OPTIONS");
+    expect(optionsHandler).toBeTruthy();
+    const response = await optionsHandler!._handler(
+      {},
+      new Request("https://deployment.convex.site/api/auth/test", {
+        method: "OPTIONS",
+        headers: {
+          origin: "https://fallback.example.com",
+          "access-control-request-method": "GET",
+        },
+      })
+    );
+
+    expect(response.headers.get("access-control-allow-origin")).toBe(
+      "https://fallback.example.com"
+    );
+    expect(createAuth).toHaveBeenCalledTimes(1);
+  });
+});

package/src/client/create-client.ts

@@ -19,6 +19,7 @@ import { corsRouter } from "convex-helpers/server/cors";
 import type defaultSchema from "../component/schema.js";
 import type { ComponentApi } from "../component/_generated/component.js";
 import type { CreateAuth, GenericCtx } from "./index.js";
+import type { TrustedOriginsOption } from "../utils/index.js";
 
 export type AuthFunctions = {
   onCreate?: FunctionReference<"mutation", "internal", { [key: string]: any }>;
@@ -72,6 +73,20 @@ type SlimComponentApi = {
   adapterTest?: ComponentApi["adapterTest"];
 };
 
+type RouteCorsOptions =
+  | boolean
+  | {
+      allowedOrigins?: string[];
+      allowedHeaders?: string[];
+      exposedHeaders?: string[];
+    };
+
+type RegisterRoutesLazyOptions = {
+  basePath?: string;
+  trustedOrigins?: TrustedOriginsOption;
+  cors?: RouteCorsOptions;
+};
+
 /**
  * Backend API for the Better Auth component.
  * Responsible for exposing the `client` and `triggers` APIs to the client, http
@@ -456,5 +471,117 @@ export const createClient = <
         handler: authRequestHandler,
       });
     },
+
+    registerRoutesLazy: <T extends CreateAuth<DataModel>>(
+      http: HttpRouter,
+      createAuth: T,
+      opts: RegisterRoutesLazyOptions = {}
+    ) => {
+      let registrationAuth: ReturnType<T> | undefined;
+      const getRegistrationAuth = (): ReturnType<T> => {
+        registrationAuth =
+          registrationAuth ?? (createAuth({} as any) as ReturnType<T>);
+        return registrationAuth;
+      };
+
+      const path = opts.basePath ?? "/api/auth";
+      let trustedOriginsOption = opts.trustedOrigins;
+      const authRequestHandler = httpActionGeneric(async (ctx, request) => {
+        if (config?.verbose) {
+          // eslint-disable-next-line no-console
+          console.log("options.baseURL", getRegistrationAuth().options.baseURL);
+          // eslint-disable-next-line no-console
+          console.log("request headers", request.headers);
+        }
+        const auth = createAuth(ctx as any);
+        const response = await auth.handler(request);
+        if (config?.verbose) {
+          // eslint-disable-next-line no-console
+          console.log("response headers", response.headers);
+        }
+        return response;
+      });
+      const wellKnown = http.lookup("/.well-known/openid-configuration", "GET");
+
+      // If registerRoutes is used multiple times, this may already be defined
+      if (!wellKnown) {
+        // Redirect root well-known to api well-known
+        http.route({
+          path: "/.well-known/openid-configuration",
+          method: "GET",
+          handler: httpActionGeneric(async () => {
+            const url = `${process.env.CONVEX_SITE_URL}${path}/convex/.well-known/openid-configuration`;
+            return Response.redirect(url);
+          }),
+        });
+      }
+
+      if (!opts.cors) {
+        http.route({
+          pathPrefix: `${path}/`,
+          method: "GET",
+          handler: authRequestHandler,
+        });
+
+        http.route({
+          pathPrefix: `${path}/`,
+          method: "POST",
+          handler: authRequestHandler,
+        });
+
+        return;
+      }
+
+      const corsOpts =
+        typeof opts.cors === "boolean"
+          ? { allowedOrigins: [], allowedHeaders: [], exposedHeaders: [] }
+          : opts.cors;
+      const cors = corsRouter(http, {
+        allowedOrigins: async (request) => {
+          const resolvedTrustedOrigins =
+            trustedOriginsOption ??
+            (await getRegistrationAuth().$context).options.trustedOrigins ??
+            [];
+          trustedOriginsOption = resolvedTrustedOrigins;
+          const rawOrigins = Array.isArray(resolvedTrustedOrigins)
+            ? resolvedTrustedOrigins
+            : await resolvedTrustedOrigins(request);
+          const trustedOrigins = rawOrigins.filter(
+            (origin): origin is string => typeof origin === "string"
+          );
+          return trustedOrigins
+            .map((origin) =>
+              // Strip trailing wildcards, unsupported for allowedOrigins
+              origin.endsWith("*") && origin.length > 1
+                ? origin.slice(0, -1)
+                : origin
+            )
+            .concat(corsOpts.allowedOrigins ?? []);
+        },
+        allowCredentials: true,
+        allowedHeaders: [
+          "Content-Type",
+          "Better-Auth-Cookie",
+          "Authorization",
+        ].concat(corsOpts.allowedHeaders ?? []),
+        exposedHeaders: ["Set-Better-Auth-Cookie"].concat(
+          corsOpts.exposedHeaders ?? []
+        ),
+        debug: config?.verbose,
+        enforceAllowOrigins: false,
+      });
+
+      cors.route({
+        pathPrefix: `${path}/`,
+        method: "GET",
+        handler: authRequestHandler,
+      });
+
+      cors.route({
+        pathPrefix: `${path}/`,
+        method: "POST",
+        handler: authRequestHandler,
+      });
+    },
   };
 };

package/src/component/_generated/component.ts

@@ -1825,7 +1825,6 @@ export type ComponentApi<Name extends string | undefined = string | undefined> =
       >;
     };
     adapterTest: {
-      runCustomTests: FunctionReference<"action", "internal", any, any, Name>;
       runTests: FunctionReference<"action", "internal", any, any, Name>;
     };
     testProfiles: {

package/src/component/adapterTest.ts

@@ -13,11 +13,18 @@ import type { ComponentApi } from "./_generated/component.js";
 // globals are available through dynamic imports.
 
 const NORMAL_DISABLED_TESTS = [
+  // dynamic-schema-plugin-table/dynamic-schema-additional-fields:
+  // Convex validators are static in this harness, so runtime schema mutation
+  // tests are validated in dedicated profiles instead.
   "create - should apply default values to fields",
   "create - should return null for nullable foreign keys",
   "create - should support arrays",
   "create - should support json",
+  // convex-id-generation:
+  // Convex controls generated IDs at write time.
   "create - should use generateId if provided",
+  // offset-unsupported:
+  // Convex adapter rejects offset pagination.
   "findMany - should be able to perform a complex limited join",
   "findMany - should find many models with limit and offset",
   "findMany - should find many models with offset",
@@ -32,6 +39,8 @@ const NORMAL_DISABLED_TESTS = [
   "findMany - should return empty array when base records don't exist with joins",
   "findMany - should return null for one-to-one join when joined records don't exist",
   "findMany - should select fields with one-to-one join",
+  // profile-specific coverage:
+  // These are intentionally exercised in dedicated profile suites.
   "findOne - backwards join with modified field name (session base, users-table join)",
   "findOne - multiple joins should return result even when some joined tables have no matching rows",
   "findOne - should find a model with modified field name",
@@ -102,7 +111,9 @@ const organizationJoinsProfileApi = profileApi("adapterOrganizationJoins");
 export const runTests = action(
   async (ctx: GenericActionCtx<DataModel>, _args: EmptyObject) => {
     const testUtilsImport = "@better-auth/test-utils/adapter";
-    const { testAdapter } = await import(testUtilsImport);
+    const { testAdapter, transactionsTestSuite, uuidTestSuite } = await import(
+      testUtilsImport
+    );
     const adapterFactoryImport = "../test/adapter-factory/index.js";
     const {
       coreNormalTestSuite,
@@ -114,8 +125,6 @@ export const runTests = action(
       renameModelUserCustomTestSuite,
       renameModelUserTableTestSuite,
       multiJoinsMissingRowsTestSuite,
-      transactionsTestSuite,
-      uuidTestSuite,
       convexCustomTestSuite,
     } = await import(adapterFactoryImport);
 
@@ -264,26 +273,3 @@ export const runTests = action(
     await executeOrganizationJoinsProfile();
   }
 );
-
-// Keep this export during migration to avoid breaking generated component types.
-export const runCustomTests = action(
-  async (ctx: GenericActionCtx<DataModel>, _args: EmptyObject) => {
-    const testUtilsImport = "@better-auth/test-utils/adapter";
-    const { testAdapter } = await import(testUtilsImport);
-    const adapterFactoryImport = "../test/adapter-factory/index.js";
-    const { convexCustomTestSuite } = await import(adapterFactoryImport);
-    const authComponent = createClient<DataModel>(baseProfileApi, {
-      verbose: false,
-    });
-
-    const { execute } = await testAdapter({
-      adapter: () => {
-        return authComponent.adapter(ctx);
-      },
-      runMigrations: () => {},
-      overrideBetterAuthOptions: getOverrideBetterAuthOptions,
-      tests: [convexCustomTestSuite()],
-    });
-    await execute();
-  }
-);

package/src/component/testProfiles/auth-options.profile-rename-joins.ts

@@ -1,5 +1,5 @@
 import type { BetterAuthOptions } from "better-auth/minimal";
-import { organization } from "better-auth/plugins";
+import { organization } from "better-auth/plugins/organization";
 import { options } from "../../auth-options.js";
 
 const renamedOneToOnePlugin = {

package/src/plugins/convex/index.ts

@@ -5,12 +5,10 @@ import {
   createAuthMiddleware,
   sessionMiddleware,
 } from "better-auth/api";
-import {
-  jwt as jwtPlugin,
-  bearer as bearerPlugin,
-  oidcProvider as oidcProviderPlugin,
-} from "better-auth/plugins";
-import type { JwtOptions, Jwk } from "better-auth/plugins";
+import { bearer as bearerPlugin } from "better-auth/plugins/bearer";
+import { jwt as jwtPlugin } from "better-auth/plugins/jwt";
+import type { JwtOptions, Jwk } from "better-auth/plugins/jwt";
+import { oidcProvider as oidcProviderPlugin } from "better-auth/plugins/oidc-provider";
 import { omit } from "convex-helpers";
 import type { AuthConfig, AuthProvider } from "convex/server";
 

package/src/plugins/cross-domain/index.ts

@@ -2,7 +2,7 @@ import type { BetterAuthPlugin } from "better-auth";
 import { setSessionCookie } from "better-auth/cookies";
 import { generateRandomString } from "better-auth/crypto";
 import { createAuthEndpoint, createAuthMiddleware } from "better-auth/api";
-import { oneTimeToken as oneTimeTokenPlugin } from "better-auth/plugins";
+import { oneTimeToken as oneTimeTokenPlugin } from "better-auth/plugins/one-time-token";
 import { z } from "zod";
 
 export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {