@convex-dev/better-auth 0.11.3 → 0.11.5

package/src/client/adapter.test.ts

@@ -1,11 +1,26 @@
 /// <reference types="vite/client" />
 
-import { describe } from "vitest";
+import { describe, it } from "vitest";
 import { convexTest } from "convex-test";
 import { api } from "../component/_generated/api.js";
 import schema from "../component/testProfiles/schema.profile-plugin-table.js";
 
-describe("Better Auth Adapter Tests", async () => {
-  const t = convexTest(schema, import.meta.glob("../component/**/*.*s"));
-  await t.action(api.adapterTest.runTests, {});
-});
+const MIN_NODE_MAJOR = 24;
+const currentNodeMajor = Number.parseInt(
+  process.versions.node.split(".")[0] ?? "0",
+  10
+);
+
+if (currentNodeMajor < MIN_NODE_MAJOR) {
+  describe("Better Auth Adapter Tests", () => {
+    it.skip(
+      `requires Node ${MIN_NODE_MAJOR}+ (adapter test-utils uses explicit resource management syntax)`,
+      () => {}
+    );
+  });
+} else {
+  describe("Better Auth Adapter Tests", async () => {
+    const t = convexTest(schema, import.meta.glob("../component/**/*.*s"));
+    await t.action(api.adapterTest.runTests, {});
+  });
+}

package/src/client/create-client.test.ts

@@ -109,6 +109,46 @@ describe("createClient route registration", () => {
     expect(createAuth).toHaveBeenCalledTimes(2);
   });
 
+  it("restores preserved forwarded host headers before calling auth.handler", async () => {
+    const client = createClient(component);
+    const http = httpRouter();
+    const handler = vi.fn(async (_request: Request) => new Response("ok"));
+    const createAuth = vi.fn(() => ({
+      handler,
+      options: {
+        trustedOrigins: ["https://app.example.com"],
+      },
+      $context: Promise.resolve({
+        options: {
+          trustedOrigins: ["https://app.example.com"],
+        },
+      }),
+    }));
+
+    client.registerRoutes(http, createAuth);
+
+    const getHandler = getRouteHandler(http, "/api/auth/test", "GET");
+    expect(getHandler).toBeTruthy();
+    await getHandler!._handler(
+      {},
+      new Request("https://adjective-animal-123.convex.site/api/auth/test", {
+        method: "GET",
+        headers: {
+          host: "deployment.convex.site",
+          "x-forwarded-host": "deployment.convex.site",
+          "x-forwarded-proto": "https",
+          "x-better-auth-forwarded-host": "app.example.com",
+          "x-better-auth-forwarded-proto": "https",
+        },
+      })
+    );
+
+    const forwardedRequest = handler.mock.calls[0]?.[0];
+    expect(forwardedRequest).toBeInstanceOf(Request);
+    expect(forwardedRequest.headers.get("x-forwarded-host")).toBe("app.example.com");
+    expect(forwardedRequest.headers.get("x-forwarded-proto")).toBe("https");
+  });
+
   it("registerRoutesLazy resolves trustedOrigins lazily when needed", async () => {
     const client = createClient(component);
     const http = httpRouter();

package/src/client/create-client.ts

@@ -87,6 +87,27 @@ type RegisterRoutesLazyOptions = {
   cors?: RouteCorsOptions;
 };
 
+const restoreOriginalForwardedHeaders = (request: Request) => {
+  const originalHost = request.headers.get("x-better-auth-forwarded-host");
+  const originalProto = request.headers.get("x-better-auth-forwarded-proto");
+
+  if (!originalHost && !originalProto) {
+    return request;
+  }
+
+  const headers = new Headers(request.headers);
+
+  if (originalHost) {
+    headers.set("x-forwarded-host", originalHost);
+  }
+
+  if (originalProto) {
+    headers.set("x-forwarded-proto", originalProto);
+  }
+
+  return new Request(request, { headers });
+};
+
 /**
  * Backend API for the Better Auth component.
  * Responsible for exposing the `client` and `triggers` APIs to the client, http
@@ -375,7 +396,8 @@ export const createClient = <
           console.log("request headers", request.headers);
         }
         const auth = createAuth(ctx as any);
-        const response = await auth.handler(request);
+        const normalizedRequest = restoreOriginalForwardedHeaders(request);
+        const response = await auth.handler(normalizedRequest);
         if (config?.verbose) {
           // eslint-disable-next-line no-console
           console.log("response headers", response.headers);
@@ -494,7 +516,8 @@ export const createClient = <
           console.log("request headers", request.headers);
         }
         const auth = createAuth(ctx as any);
-        const response = await auth.handler(request);
+        const normalizedRequest = restoreOriginalForwardedHeaders(request);
+        const response = await auth.handler(normalizedRequest);
         if (config?.verbose) {
           // eslint-disable-next-line no-console
           console.log("response headers", response.headers);

package/src/component/_generated/component.ts

@@ -1825,7 +1825,6 @@ export type ComponentApi<Name extends string | undefined = string | undefined> =
       >;
     };
     adapterTest: {
-      runCustomTests: FunctionReference<"action", "internal", any, any, Name>;
       runTests: FunctionReference<"action", "internal", any, any, Name>;
     };
     testProfiles: {

package/src/component/_generated/server.ts

@@ -107,11 +107,6 @@ export const internalAction: ActionBuilder<DataModel, "internal"> =
  */
 export const httpAction: HttpActionBuilder = httpActionGeneric;
 
-type GenericCtx =
-  | GenericActionCtx<DataModel>
-  | GenericMutationCtx<DataModel>
-  | GenericQueryCtx<DataModel>;
-
 /**
  * A set of services for use within Convex query functions.
  *

package/src/component/adapterTest.ts

@@ -13,11 +13,18 @@ import type { ComponentApi } from "./_generated/component.js";
 // globals are available through dynamic imports.
 
 const NORMAL_DISABLED_TESTS = [
+  // dynamic-schema-plugin-table/dynamic-schema-additional-fields:
+  // Convex validators are static in this harness, so runtime schema mutation
+  // tests are validated in dedicated profiles instead.
   "create - should apply default values to fields",
   "create - should return null for nullable foreign keys",
   "create - should support arrays",
   "create - should support json",
+  // convex-id-generation:
+  // Convex controls generated IDs at write time.
   "create - should use generateId if provided",
+  // offset-unsupported:
+  // Convex adapter rejects offset pagination.
   "findMany - should be able to perform a complex limited join",
   "findMany - should find many models with limit and offset",
   "findMany - should find many models with offset",
@@ -32,6 +39,8 @@ const NORMAL_DISABLED_TESTS = [
   "findMany - should return empty array when base records don't exist with joins",
   "findMany - should return null for one-to-one join when joined records don't exist",
   "findMany - should select fields with one-to-one join",
+  // profile-specific coverage:
+  // These are intentionally exercised in dedicated profile suites.
   "findOne - backwards join with modified field name (session base, users-table join)",
   "findOne - multiple joins should return result even when some joined tables have no matching rows",
   "findOne - should find a model with modified field name",
@@ -102,7 +111,9 @@ const organizationJoinsProfileApi = profileApi("adapterOrganizationJoins");
 export const runTests = action(
   async (ctx: GenericActionCtx<DataModel>, _args: EmptyObject) => {
     const testUtilsImport = "@better-auth/test-utils/adapter";
-    const { testAdapter } = await import(testUtilsImport);
+    const { testAdapter, transactionsTestSuite, uuidTestSuite } = await import(
+      testUtilsImport
+    );
     const adapterFactoryImport = "../test/adapter-factory/index.js";
     const {
       coreNormalTestSuite,
@@ -114,8 +125,6 @@ export const runTests = action(
       renameModelUserCustomTestSuite,
       renameModelUserTableTestSuite,
       multiJoinsMissingRowsTestSuite,
-      transactionsTestSuite,
-      uuidTestSuite,
       convexCustomTestSuite,
     } = await import(adapterFactoryImport);
 
@@ -264,26 +273,3 @@ export const runTests = action(
     await executeOrganizationJoinsProfile();
   }
 );
-
-// Keep this export during migration to avoid breaking generated component types.
-export const runCustomTests = action(
-  async (ctx: GenericActionCtx<DataModel>, _args: EmptyObject) => {
-    const testUtilsImport = "@better-auth/test-utils/adapter";
-    const { testAdapter } = await import(testUtilsImport);
-    const adapterFactoryImport = "../test/adapter-factory/index.js";
-    const { convexCustomTestSuite } = await import(adapterFactoryImport);
-    const authComponent = createClient<DataModel>(baseProfileApi, {
-      verbose: false,
-    });
-
-    const { execute } = await testAdapter({
-      adapter: () => {
-        return authComponent.adapter(ctx);
-      },
-      runMigrations: () => {},
-      overrideBetterAuthOptions: getOverrideBetterAuthOptions,
-      tests: [convexCustomTestSuite()],
-    });
-    await execute();
-  }
-);

package/src/nextjs/index.ts

@@ -46,6 +46,10 @@ const handler = (request: Request, siteUrl: string) => {
   const newRequest = new Request(nextUrl, request);
   newRequest.headers.set("accept-encoding", "application/json");
   newRequest.headers.set("host", new URL(siteUrl).host);
+  newRequest.headers.set("x-forwarded-host", requestUrl.host);
+  newRequest.headers.set("x-forwarded-proto", requestUrl.protocol.replace(/:$/, ""));
+  newRequest.headers.set("x-better-auth-forwarded-host", requestUrl.host);
+  newRequest.headers.set("x-better-auth-forwarded-proto", requestUrl.protocol.replace(/:$/, ""));
   return fetch(newRequest, { method: request.method, redirect: "manual" });
 };
 

package/src/react-start/index.ts

@@ -65,6 +65,10 @@ const handler = (request: Request, opts: { convexSiteUrl: string }) => {
   const headers = new Headers(request.headers);
   headers.set("accept-encoding", "application/json");
   headers.set("host", new URL(opts.convexSiteUrl).host);
+  headers.set("x-forwarded-host", requestUrl.host);
+  headers.set("x-forwarded-proto", requestUrl.protocol.replace(/:$/, ""));
+  headers.set("x-better-auth-forwarded-host", requestUrl.host);
+  headers.set("x-better-auth-forwarded-proto", requestUrl.protocol.replace(/:$/, ""));
   return fetch(nextUrl, {
     method: request.method,
     headers,

package/src/test/adapter-factory/auth-flow.ts

@@ -1,170 +1,156 @@
 import type { Session, User } from "@better-auth/core/db";
-import { createTestSuite } from "@better-auth/test-utils/adapter";
+import type { createTestSuite } from "@better-auth/test-utils/adapter";
 import { setCookieToHeader } from "better-auth/cookies";
 import { expect } from "vitest";
 
 export const AUTH_FLOW_DEFAULT_BETTER_AUTH_OPTIONS = {
-	emailAndPassword: {
-		enabled: true,
-		password: {
-			hash: async (password: string) => password,
-			async verify(data: { hash: string; password: string }) {
-				return data.hash === data.password;
-			},
-		},
-	},
+  emailAndPassword: {
+    enabled: true,
+    password: {
+      hash: async (password: string) => password,
+      async verify(data: { hash: string; password: string }) {
+        return data.hash === data.password;
+      },
+    },
+  },
 };
 
 export const getAuthFlowSuiteTests = (
-	{
-		generate,
-		getAuth,
-		modifyBetterAuthOptions,
-		tryCatch,
-	}: Parameters<Parameters<typeof createTestSuite>[2]>[0],
+  {
+    generate,
+    getAuth,
+    modifyBetterAuthOptions,
+    tryCatch,
+  }: Parameters<Parameters<typeof createTestSuite>[2]>[0],
 ) => ({
-	"should successfully sign up": async () => {
-		const auth = await getAuth();
-		const user = await generate("user");
-		const result = await auth.api.signUpEmail({
-			body: {
-				email: user.email,
-				password: crypto.randomUUID(),
-				name: user.name,
-				image: user.image || "",
-			},
-		});
-		expect(result.user).toBeDefined();
-		expect(result.user.email).toBe(user.email);
-		expect(result.user.name).toBe(user.name);
-		expect(result.user.image).toBe(user.image || "");
-		expect(result.user.emailVerified).toBe(false);
-		expect(result.user.createdAt).toBeDefined();
-		expect(result.user.updatedAt).toBeDefined();
-	},
-	"should successfully sign in": async () => {
-		const auth = await getAuth();
-		const user = await generate("user");
-		const password = crypto.randomUUID();
-		const signUpResult = await auth.api.signUpEmail({
-			body: {
-				email: user.email,
-				password: password,
-				name: user.name,
-				image: user.image || "",
-			},
-		});
-		const result = await auth.api.signInEmail({
-			body: { email: user.email, password: password },
-		});
-		expect(result.user).toBeDefined();
-		expect(result.user.id).toBe(signUpResult.user.id);
-	},
-	"should successfully get session": async () => {
-		const auth = await getAuth();
-		const user = await generate("user");
-		const password = crypto.randomUUID();
-		const response = await auth.api.signUpEmail({
-			body: {
-				email: user.email,
-				password: password,
-				name: user.name,
-				image: user.image || "",
-			},
-			asResponse: true,
-		});
-		const headers = new Headers();
-		setCookieToHeader(headers)({ response });
-		const result = await auth.api.getSession({
-			headers,
-		});
-		const signUpResult = (await response.json()) as {
-			user: User;
-			session: Session;
-		};
-		signUpResult.user.createdAt = new Date(signUpResult.user.createdAt).getTime() as unknown as Date;
-		signUpResult.user.updatedAt = new Date(signUpResult.user.updatedAt).getTime() as unknown as Date;
-		expect(result?.user).toBeDefined();
-		expect(result?.user).toStrictEqual(signUpResult.user);
-		expect(result?.session).toBeDefined();
-	},
-	"should not sign in with invalid email": async () => {
-		const auth = await getAuth();
-		const user = await generate("user");
-		const { data, error } = await tryCatch(
-			auth.api.signInEmail({
-				body: { email: user.email, password: crypto.randomUUID() },
-			}),
-		);
-		expect(data).toBeNull();
-		expect(error).toBeDefined();
-	},
-	"should store and retrieve timestamps correctly across timezones": async () => {
-		using _ = recoverProcessTZ();
-		const auth = await getAuth();
-		const user = await generate("user");
-		const password = crypto.randomUUID();
-		const userSignUp = await auth.api.signUpEmail({
-			body: {
-				email: user.email,
-				password: password,
-				name: user.name,
-				image: user.image || "",
-			},
-		});
-		process.env.TZ = "Europe/London";
-		const userSignIn = await auth.api.signInEmail({
-			body: { email: user.email, password: password },
-		});
-		process.env.TZ = "America/Los_Angeles";
-		expect(userSignUp.user.createdAt).toStrictEqual(
-			userSignIn.user.createdAt,
-		);
-	},
-	"should sign up with additional fields": async () => {
-		await modifyBetterAuthOptions(
-			{ user: { additionalFields: { dateField: { type: "date" } } } },
-			true,
-		);
-		const auth = await getAuth();
-		const user = await generate("user");
-		const dateField = new Date();
-		const response = await auth.api.signUpEmail({
-			body: {
-				email: user.email,
-				name: user.name,
-				password: crypto.randomUUID(),
-				//@ts-expect-error - we are testing with additional fields
-				dateField: dateField.toISOString(), // using iso string to simulate client to server communication
-			},
-			asResponse: true,
-		});
-		const headers = new Headers();
-		setCookieToHeader(headers)({ response });
-		const result = await auth.api.getSession({
-			headers,
-		});
-		//@ts-expect-error - we are testing with additional fields
-		expect(result?.user.dateField).toStrictEqual(dateField.getTime());
-	},
+  "should successfully sign up": async () => {
+    const auth = await getAuth();
+    const user = await generate("user");
+    const result = await auth.api.signUpEmail({
+      body: {
+        email: user.email,
+        password: crypto.randomUUID(),
+        name: user.name,
+        image: user.image || "",
+      },
+    });
+    expect(result.user).toBeDefined();
+    expect(result.user.email).toBe(user.email);
+    expect(result.user.name).toBe(user.name);
+    expect(result.user.image).toBe(user.image || "");
+    expect(result.user.emailVerified).toBe(false);
+    expect(result.user.createdAt).toBeDefined();
+    expect(result.user.updatedAt).toBeDefined();
+  },
+  "should successfully sign in": async () => {
+    const auth = await getAuth();
+    const user = await generate("user");
+    const password = crypto.randomUUID();
+    const signUpResult = await auth.api.signUpEmail({
+      body: {
+        email: user.email,
+        password,
+        name: user.name,
+        image: user.image || "",
+      },
+    });
+    const result = await auth.api.signInEmail({
+      body: { email: user.email, password },
+    });
+    expect(result.user).toBeDefined();
+    expect(result.user.id).toBe(signUpResult.user.id);
+  },
+  "should successfully get session": async () => {
+    const auth = await getAuth();
+    const user = await generate("user");
+    const password = crypto.randomUUID();
+    const response = await auth.api.signUpEmail({
+      body: {
+        email: user.email,
+        password,
+        name: user.name,
+        image: user.image || "",
+      },
+      asResponse: true,
+    });
+    const headers = new Headers();
+    setCookieToHeader(headers)({ response });
+    const result = await auth.api.getSession({
+      headers,
+    });
+    const signUpResult = (await response.json()) as {
+      user: User;
+      session: Session;
+    };
+    signUpResult.user.createdAt = new Date(signUpResult.user.createdAt).getTime() as unknown as Date;
+    signUpResult.user.updatedAt = new Date(signUpResult.user.updatedAt).getTime() as unknown as Date;
+    expect(result?.user).toBeDefined();
+    expect(result?.user).toStrictEqual(signUpResult.user);
+    expect(result?.session).toBeDefined();
+  },
+  "should not sign in with invalid email": async () => {
+    const auth = await getAuth();
+    const user = await generate("user");
+    const { data, error } = await tryCatch(
+      auth.api.signInEmail({
+        body: { email: user.email, password: crypto.randomUUID() },
+      }),
+    );
+    expect(data).toBeNull();
+    expect(error).toBeDefined();
+  },
+  "should store and retrieve timestamps correctly across timezones": async () => {
+    const originalTZ = process.env.TZ;
+    try {
+      const auth = await getAuth();
+      const user = await generate("user");
+      const password = crypto.randomUUID();
+      const userSignUp = await auth.api.signUpEmail({
+        body: {
+          email: user.email,
+          password,
+          name: user.name,
+          image: user.image || "",
+        },
+      });
+      process.env.TZ = "Europe/London";
+      const userSignIn = await auth.api.signInEmail({
+        body: { email: user.email, password },
+      });
+      process.env.TZ = "America/Los_Angeles";
+      expect(userSignUp.user.createdAt).toStrictEqual(userSignIn.user.createdAt);
+    } finally {
+      if (originalTZ === undefined) {
+        delete process.env.TZ;
+      } else {
+        process.env.TZ = originalTZ;
+      }
+    }
+  },
+  "should sign up with additional fields": async () => {
+    await modifyBetterAuthOptions(
+      { user: { additionalFields: { dateField: { type: "date" } } } },
+      true,
+    );
+    const auth = await getAuth();
+    const user = await generate("user");
+    const dateField = new Date();
+    const response = await auth.api.signUpEmail({
+      body: {
+        email: user.email,
+        name: user.name,
+        password: crypto.randomUUID(),
+        //@ts-expect-error - we are testing with additional fields
+        dateField: dateField.toISOString(),
+      },
+      asResponse: true,
+    });
+    const headers = new Headers();
+    setCookieToHeader(headers)({ response });
+    const result = await auth.api.getSession({
+      headers,
+    });
+    //@ts-expect-error - we are testing with additional fields
+    expect(result?.user.dateField).toStrictEqual(dateField.getTime());
+  },
 });
-
-/**
- * This test suite tests basic authentication flow using the adapter.
- */
-export const authFlowTestSuite = createTestSuite(
-	"auth-flow",
-	{
-		defaultBetterAuthOptions: AUTH_FLOW_DEFAULT_BETTER_AUTH_OPTIONS,
-	},
-	(helpers) => getAuthFlowSuiteTests(helpers),
-);
-
-function recoverProcessTZ() {
-	const originalTZ = process.env.TZ;
-	return {
-		[Symbol.dispose]: () => {
-			process.env.TZ = originalTZ;
-		},
-	};
-}