@convex-dev/better-auth 0.9.10 → 0.10.0

package/package.json

@@ -6,7 +6,7 @@
   "bugs": {
     "url": "https://github.com/get-convex/better-auth/issues"
   },
-  "version": "0.9.10",
+  "version": "0.10.0",
   "license": "Apache-2.0",
   "keywords": [
     "convex",
@@ -20,7 +20,7 @@
   "scripts": {
     "dev": "cd examples/react && npm run dev",
     "clean": "rm -rf dist *.tsbuildinfo",
-    "build": "tsc --project ./tsconfig.build.json",
+    "build": "tsc --project tsconfig.build.json",
     "typecheck": "tsc --noEmit && tsc -p examples/next && tsc -p examples/next/convex && tsc -p examples/react && tsc -p examples/react/convex && tsc -p examples/tanstack && tsc -p examples/tanstack/convex",
     "lint": "eslint .",
     "all": "run-p -r 'dev' 'test:watch'",
@@ -59,6 +59,10 @@
       "types": "./dist/component/adapter.d.ts",
       "default": "./dist/component/adapter.js"
     },
+    "./auth-config": {
+      "types": "./dist/auth-config.d.ts",
+      "default": "./dist/auth-config.js"
+    },
     "./client/plugins": {
       "types": "./dist/client/plugins/index.d.ts",
       "default": "./dist/client/plugins/index.js"
@@ -67,6 +71,10 @@
       "types": "./dist/nextjs/index.d.ts",
       "default": "./dist/nextjs/index.js"
     },
+    "./nextjs/client": {
+      "types": "./dist/nextjs/client.d.ts",
+      "default": "./dist/nextjs/client.js"
+    },
     "./plugins": {
       "types": "./dist/plugins/index.d.ts",
       "default": "./dist/plugins/index.js"
@@ -93,26 +101,26 @@
     }
   },
   "peerDependencies": {
-    "better-auth": "1.3.34",
+    "better-auth": "1.4.7",
     "convex": "^1.25.0",
     "react": "^18.3.1 || ^19.0.0",
     "react-dom": "^18.3.1 || ^19.0.0"
   },
   "devDependencies": {
     "@better-fetch/fetch": "^1.1.18",
+    "@better-auth/passkey": "1.4.7",
     "@edge-runtime/vm": "5.0.0",
     "@eslint/eslintrc": "3.3.1",
     "@eslint/js": "9.39.1",
-    "@tanstack/react-start": "^1.132.37",
+    "@tanstack/react-start": "^1.140.1",
     "@types/common-tags": "^1.8.4",
     "@types/node": "20.19.24",
     "@types/react": "18.3.26",
     "@types/react-dom": "18.3.7",
     "@types/semver": "^7.7.0",
-    "@vitejs/plugin-react": "5.0.4",
-    "concurrently": "^9.2.0",
     "chokidar-cli": "3.0.0",
-    "convex": "^1.29.0",
+    "concurrently": "^9.2.0",
+    "convex": "^1.30.0",
     "convex-test": "0.0.41",
     "cpy-cli": "6.0.0",
     "eslint": "9.39.1",
@@ -120,16 +128,15 @@
     "eslint-plugin-react-hooks": "5.2.0",
     "eslint-plugin-react-refresh": "0.4.24",
     "globals": "15.14.0",
-    "next": "^15.1.8",
-    "npm-run-all2": "7.0.2",
+    "next": "^16.0.3",
+    "npm-run-all2": "8.0.4",
     "pkg-pr-new": "0.0.60",
     "prettier": "3.6.2",
     "react": "18.3.1",
     "react-dom": "18.3.1",
     "typescript": "5.9.3",
     "typescript-eslint": "8.46.4",
-    "vite": "^7.1.5",
-    "vitest": "3.2.4"
+    "vitest": "^4.0.15"
   },
   "types": "./dist/client/index.d.ts",
   "module": "./dist/client/index.js",
@@ -140,6 +147,6 @@
     "remeda": "^2.32.0",
     "semver": "^7.7.3",
     "type-fest": "^4.39.1",
-    "zod": "^3.24.4"
+    "zod": "^4.0.0"
   }
 }

package/src/auth-config.ts

@@ -0,0 +1,82 @@
+import type { JwtOptions } from "better-auth/plugins";
+import type { AuthProvider } from "convex/server";
+import type { JSONWebKeySet } from "jose";
+
+type JwksDoc = {
+  id: string;
+  publicKey: string;
+  privateKey: string;
+  createdAt: number;
+  expiresAt?: number;
+  alg?: string;
+  crv?: string;
+};
+
+export const createPublicJwks = (jwks: JwksDoc[], options?: JwtOptions) => {
+  /*
+  const now = Date.now();
+  const DEFAULT_GRACE_PERIOD = 60 * 60 * 24 * 30;
+  const gracePeriod =
+    (options?.jwks?.gracePeriod ?? DEFAULT_GRACE_PERIOD) * 1000;
+
+  const keys = jwks.filter((key) => {
+    if (!key.expiresAt) {
+      return true;
+    }
+    return new Date(key.expiresAt).getTime() + gracePeriod > now;
+  });
+  */
+  const keys = jwks;
+
+  const keyPairConfig = options?.jwks?.keyPairConfig;
+  const defaultCrv = keyPairConfig
+    ? "crv" in keyPairConfig
+      ? (keyPairConfig as { crv: string }).crv
+      : undefined
+    : undefined;
+  return {
+    keys: keys.map((keySet) => {
+      return {
+        alg: keySet.alg ?? options?.jwks?.keyPairConfig?.alg ?? "EdDSA",
+        crv: keySet.crv ?? defaultCrv,
+        ...JSON.parse(keySet.publicKey),
+        kid: keySet.id,
+      };
+    }),
+  } satisfies JSONWebKeySet as JSONWebKeySet;
+};
+
+export const getAuthConfigProvider = (opts?: {
+  basePath?: string;
+  /**
+   * @param jwks - Optional static JWKS to avoid fetching from the database.
+   *
+   * This should be a stringified document from the Better Auth JWKS table. You
+   * can create one in the console.
+   *
+   * Example:
+   * ```bash
+   * npx convex run auth:generateJwk | npx convex env set JWKS
+   * ```
+   *
+   * Then use it in your auth config:
+   * ```ts
+   * export default {
+   *   providers: [getAuthConfigProvider({ jwks: process.env.JWKS })],
+   * } satisfies AuthConfig;
+   * ```
+   *
+   */
+  jwks?: string;
+}) => {
+  const parsedJwks = opts?.jwks ? JSON.parse(opts.jwks) : undefined;
+  return {
+    type: "customJwt",
+    issuer: `${process.env.CONVEX_SITE_URL}`,
+    applicationID: "convex",
+    algorithm: "RS256",
+    jwks: parsedJwks
+      ? `data:text/plain;charset=utf-8;base64,${btoa(JSON.stringify(createPublicJwks(parsedJwks)))}`
+      : `${process.env.CONVEX_SITE_URL}${opts?.basePath ?? "/api/auth"}/convex/jwks`,
+  } satisfies AuthProvider;
+};

package/src/auth-options.ts

@@ -0,0 +1,54 @@
+import { type BetterAuthOptions } from "better-auth";
+import {
+  anonymous,
+  bearer,
+  emailOTP,
+  genericOAuth,
+  jwt,
+  magicLink,
+  oidcProvider,
+  oneTap,
+  oneTimeToken,
+  phoneNumber,
+  twoFactor,
+  username,
+} from "better-auth/plugins";
+import { passkey } from "@better-auth/passkey";
+import { convex } from "./plugins/convex/index.js";
+import { convexAdapter } from "./client/adapter.js";
+
+// This is the config used to generate the schema
+export const options = {
+  database: convexAdapter({} as any, {} as any),
+  rateLimit: {
+    storage: "database",
+  },
+  plugins: [
+    twoFactor(),
+    anonymous(),
+    username(),
+    phoneNumber(),
+    magicLink({ sendMagicLink: async () => {} }),
+    emailOTP({ sendVerificationOTP: async () => {} }),
+    passkey(),
+    genericOAuth({
+      config: [
+        {
+          clientId: "",
+          clientSecret: "",
+          providerId: "",
+        },
+      ],
+    }),
+    oneTap(),
+    oidcProvider({
+      loginPage: "/login",
+    }),
+    bearer(),
+    oneTimeToken(),
+    jwt(),
+    convex({
+      authConfig: { providers: [{ applicationID: "convex", domain: "" }] },
+    }),
+  ],
+} as BetterAuthOptions; // assert type to avoid overloading ts compiler

package/src/auth.ts

@@ -1,57 +1,4 @@
-import { betterAuth, type BetterAuthOptions } from "better-auth";
-import {
-  anonymous,
-  bearer,
-  emailOTP,
-  genericOAuth,
-  jwt,
-  magicLink,
-  oidcProvider,
-  oneTap,
-  oneTimeToken,
-  phoneNumber,
-  twoFactor,
-  username,
-} from "better-auth/plugins";
-import { convex } from "./plugins/convex/index.js";
-import { passkey } from "better-auth/plugins/passkey";
-import { convexAdapter } from "./client/adapter.js";
+import { betterAuth } from "better-auth";
+import { options } from "./auth-options.js";
 
-// This is the config used to generate the schema
-const options = {
-  logger: {
-    disabled: true,
-  },
-  database: convexAdapter({} as any, {} as any),
-  rateLimit: {
-    storage: "database",
-  },
-  plugins: [
-    twoFactor(),
-    anonymous(),
-    username(),
-    phoneNumber(),
-    magicLink({ sendMagicLink: async () => {} }),
-    emailOTP({ sendVerificationOTP: async () => {} }),
-    passkey(),
-    genericOAuth({
-      config: [
-        {
-          clientId: "",
-          clientSecret: "",
-          providerId: "",
-        },
-      ],
-    }),
-    oneTap(),
-    oidcProvider({
-      loginPage: "/login",
-    }),
-    bearer(),
-    oneTimeToken(),
-    jwt(),
-    convex(),
-  ],
-} as BetterAuthOptions; // assert type to avoid overloading ts compiler
-const config = betterAuth(options) as ReturnType<typeof betterAuth>;
-export { config as auth };
+export const auth = betterAuth(options);

package/src/client/adapter.ts

@@ -105,7 +105,7 @@ export const convexAdapter = <
 >(
   ctx: Ctx,
   api: {
-    adapter: SetOptional<ComponentApi["adapter"], "migrationRemoveUserId">;
+    adapter: ComponentApi["adapter"];
     adapterTest?: ComponentApi["adapterTest"];
   },
   config: {
@@ -130,10 +130,10 @@ export const convexAdapter = <
       mapKeysTransformOutput: {
         _id: "id",
       },
-      // With supportsDates: false, dates are stored as strings,
-      // we convert them to numbers here. This aligns with how
-      // Convex stores _creationTime, and avoids a breaking change.
+      // Dates provided as strings
       supportsDates: false,
+      // Convert dates to numbers. This aligns with how
+      // Convex stores _creationTime and avoids a breaking change.
       customTransformInput: ({ data, fieldAttributes }) => {
         if (data && fieldAttributes.type === "date") {
           return new Date(data).getTime();
@@ -156,7 +156,7 @@ export const convexAdapter = <
           isRunMutationCtx: isRunMutationCtx(ctx),
         },
         createSchema: async ({ file, tables }) => {
-          const { createSchema } = await import("./createSchema.js");
+          const { createSchema } = await import("./create-schema.js");
           return createSchema({ file, tables });
         },
         create: async ({ model, data, select }): Promise<any> => {

package/src/client/create-api.ts

@@ -0,0 +1,337 @@
+import {
+  type FunctionHandle,
+  type SchemaDefinition,
+  mutationGeneric,
+  paginationOptsValidator,
+  queryGeneric,
+} from "convex/server";
+import { type GenericId, v } from "convex/values";
+import { asyncMap } from "convex-helpers";
+import { partial } from "convex-helpers/validators";
+import {
+  adapterWhereValidator,
+  checkUniqueFields,
+  hasUniqueFields,
+  listOne,
+  paginate,
+  selectFields,
+} from "./adapter-utils.js";
+import { getAuthTables } from "better-auth/db";
+import { type TableNames } from "../component/_generated/dataModel.js";
+import type { BetterAuthOptions } from "better-auth";
+
+const whereValidator = (
+  schema: SchemaDefinition<any, any>,
+  tableName: TableNames
+) =>
+  v.object({
+    field: v.union(
+      ...Object.keys(schema.tables[tableName].validator.fields).map((field) =>
+        v.literal(field)
+      ),
+      v.literal("_id")
+    ),
+    operator: v.optional(
+      v.union(
+        v.literal("lt"),
+        v.literal("lte"),
+        v.literal("gt"),
+        v.literal("gte"),
+        v.literal("eq"),
+        v.literal("in"),
+        v.literal("not_in"),
+        v.literal("ne"),
+        v.literal("contains"),
+        v.literal("starts_with"),
+        v.literal("ends_with")
+      )
+    ),
+    value: v.union(
+      v.string(),
+      v.number(),
+      v.boolean(),
+      v.array(v.string()),
+      v.array(v.number()),
+      v.null()
+    ),
+    connector: v.optional(v.union(v.literal("AND"), v.literal("OR"))),
+  });
+
+export const createApi = <Schema extends SchemaDefinition<any, any>>(
+  schema: Schema,
+  createAuthOptions: (ctx: any) => BetterAuthOptions
+) => {
+  const betterAuthSchema = getAuthTables(createAuthOptions({} as any));
+  return {
+    create: mutationGeneric({
+      args: {
+        input: v.union(
+          ...Object.entries(schema.tables).map(([model, table]) =>
+            v.object({
+              model: v.literal(model),
+              data: v.object((table as any).validator.fields),
+            })
+          )
+        ),
+        select: v.optional(v.array(v.string())),
+        onCreateHandle: v.optional(v.string()),
+      },
+      handler: async (ctx, args) => {
+        await checkUniqueFields(
+          ctx,
+          schema,
+          betterAuthSchema,
+          args.input.model,
+          args.input.data
+        );
+        const id = await ctx.db.insert(
+          args.input.model as any,
+          args.input.data
+        );
+        const doc = await ctx.db.get(id);
+        if (!doc) {
+          throw new Error(`Failed to create ${args.input.model}`);
+        }
+        const result = selectFields(doc, args.select);
+        if (args.onCreateHandle) {
+          await ctx.runMutation(
+            args.onCreateHandle as FunctionHandle<"mutation">,
+            {
+              model: args.input.model,
+              doc,
+            }
+          );
+        }
+        return result;
+      },
+    }),
+    findOne: queryGeneric({
+      args: {
+        model: v.union(
+          ...Object.keys(schema.tables).map((model) => v.literal(model))
+        ),
+        where: v.optional(v.array(adapterWhereValidator)),
+        select: v.optional(v.array(v.string())),
+      },
+      handler: async (ctx, args) => {
+        return await listOne(ctx, schema, betterAuthSchema, args);
+      },
+    }),
+    findMany: queryGeneric({
+      args: {
+        model: v.union(
+          ...Object.keys(schema.tables).map((model) => v.literal(model))
+        ),
+        where: v.optional(v.array(adapterWhereValidator)),
+        limit: v.optional(v.number()),
+        sortBy: v.optional(
+          v.object({
+            direction: v.union(v.literal("asc"), v.literal("desc")),
+            field: v.string(),
+          })
+        ),
+        offset: v.optional(v.number()),
+        paginationOpts: paginationOptsValidator,
+      },
+      handler: async (ctx, args) => {
+        return await paginate(ctx, schema, betterAuthSchema, args);
+      },
+    }),
+    updateOne: mutationGeneric({
+      args: {
+        input: v.union(
+          ...Object.entries(schema.tables).map(
+            ([name, table]: [string, Schema["tables"][string]]) => {
+              const tableName = name as TableNames;
+              const fields = partial(table.validator.fields);
+              return v.object({
+                model: v.literal(tableName),
+                update: v.object(fields),
+                where: v.optional(v.array(whereValidator(schema, tableName))),
+              });
+            }
+          )
+        ),
+        onUpdateHandle: v.optional(v.string()),
+      },
+      handler: async (ctx, args) => {
+        const doc = await listOne(ctx, schema, betterAuthSchema, args.input);
+        if (!doc) {
+          throw new Error(`Failed to update ${args.input.model}`);
+        }
+        await checkUniqueFields(
+          ctx,
+          schema,
+          betterAuthSchema,
+          args.input.model,
+          args.input.update,
+          doc
+        );
+        await ctx.db.patch(
+          doc._id as GenericId<string>,
+          args.input.update as any
+        );
+        const updatedDoc = await ctx.db.get(doc._id as GenericId<string>);
+        if (!updatedDoc) {
+          throw new Error(`Failed to update ${args.input.model}`);
+        }
+        if (args.onUpdateHandle) {
+          await ctx.runMutation(
+            args.onUpdateHandle as FunctionHandle<"mutation">,
+            {
+              model: args.input.model,
+              newDoc: updatedDoc,
+              oldDoc: doc,
+            }
+          );
+        }
+        return updatedDoc;
+      },
+    }),
+    updateMany: mutationGeneric({
+      args: {
+        input: v.union(
+          ...Object.entries(schema.tables).map(
+            ([name, table]: [string, Schema["tables"][string]]) => {
+              const tableName = name as TableNames;
+              const fields = partial(table.validator.fields);
+              return v.object({
+                model: v.literal(tableName),
+                update: v.object(fields),
+                where: v.optional(v.array(whereValidator(schema, tableName))),
+              });
+            }
+          )
+        ),
+        paginationOpts: paginationOptsValidator,
+        onUpdateHandle: v.optional(v.string()),
+      },
+      handler: async (ctx, args) => {
+        const { page, ...result } = await paginate(
+          ctx,
+          schema,
+          betterAuthSchema,
+          {
+            ...args.input,
+            paginationOpts: args.paginationOpts,
+          }
+        );
+        if (args.input.update) {
+          if (
+            hasUniqueFields(
+              betterAuthSchema,
+              args.input.model,
+              args.input.update ?? {}
+            ) &&
+            page.length > 1
+          ) {
+            throw new Error(
+              `Attempted to set unique fields in multiple documents in ${args.input.model} with the same value. Fields: ${Object.keys(args.input.update ?? {}).join(", ")}`
+            );
+          }
+          await asyncMap(page, async (doc) => {
+            await checkUniqueFields(
+              ctx,
+              schema,
+              betterAuthSchema,
+              args.input.model,
+              args.input.update ?? {},
+              doc
+            );
+            await ctx.db.patch(
+              doc._id as GenericId<string>,
+              args.input.update as any
+            );
+
+            if (args.onUpdateHandle) {
+              await ctx.runMutation(
+                args.onUpdateHandle as FunctionHandle<"mutation">,
+                {
+                  model: args.input.model,
+                  newDoc: await ctx.db.get(doc._id as GenericId<string>),
+                  oldDoc: doc,
+                }
+              );
+            }
+          });
+        }
+        return {
+          ...result,
+          count: page.length,
+          ids: page.map((doc) => doc._id),
+        };
+      },
+    }),
+    deleteOne: mutationGeneric({
+      args: {
+        input: v.union(
+          ...Object.keys(schema.tables).map((name: string) => {
+            const tableName = name as TableNames;
+            return v.object({
+              model: v.literal(tableName),
+              where: v.optional(v.array(whereValidator(schema, tableName))),
+            });
+          })
+        ),
+        onDeleteHandle: v.optional(v.string()),
+      },
+      handler: async (ctx, args) => {
+        const doc = await listOne(ctx, schema, betterAuthSchema, args.input);
+        if (!doc) {
+          return;
+        }
+        await ctx.db.delete(doc._id as GenericId<string>);
+        if (args.onDeleteHandle) {
+          await ctx.runMutation(
+            args.onDeleteHandle as FunctionHandle<"mutation">,
+            { model: args.input.model, doc }
+          );
+        }
+        return doc;
+      },
+    }),
+    deleteMany: mutationGeneric({
+      args: {
+        input: v.union(
+          ...Object.keys(schema.tables).map((name: string) => {
+            const tableName = name as TableNames;
+            return v.object({
+              model: v.literal(tableName),
+              where: v.optional(v.array(whereValidator(schema, tableName))),
+            });
+          })
+        ),
+        paginationOpts: paginationOptsValidator,
+        onDeleteHandle: v.optional(v.string()),
+      },
+      handler: async (ctx, args) => {
+        const { page, ...result } = await paginate(
+          ctx,
+          schema,
+          betterAuthSchema,
+          {
+            ...args.input,
+            paginationOpts: args.paginationOpts,
+          }
+        );
+        await asyncMap(page, async (doc) => {
+          if (args.onDeleteHandle) {
+            await ctx.runMutation(
+              args.onDeleteHandle as FunctionHandle<"mutation">,
+              {
+                model: args.input.model,
+                doc,
+              }
+            );
+          }
+          await ctx.db.delete(doc._id as GenericId<string>);
+        });
+        return {
+          ...result,
+          count: page.length,
+          ids: page.map((doc) => doc._id),
+        };
+      },
+    }),
+  };
+};