@delmaredigital/payload-better-auth 0.4.0 → 0.4.2

package/dist/plugin/index.js

@@ -5,6 +5,7 @@
  */ import { detectAuthConfig } from '../utils/detectAuthConfig.js';
 import { detectEnabledPlugins } from '../utils/detectEnabledPlugins.js';
 import { buildAvailableScopes, scopesToPermissions } from '../utils/generateScopes.js';
+import { hasAnyRole, normalizeRoles } from '../utils/access.js';
 // Track auth instance for HMR
 let authInstance = null;
 // Store API key scopes config for access by management views
@@ -115,7 +116,7 @@ let apiKeyScopesConfig = undefined;
 }
 /**
  * Creates the auth endpoint handler that proxies requests to Better Auth.
- */ function createAuthEndpointHandler() {
+ */ function createAuthEndpointHandler(adminOptions) {
     return async (req)=>{
         const payloadWithAuth = req.payload;
         const auth = payloadWithAuth.betterAuth;
@@ -170,6 +171,45 @@ let apiKeyScopesConfig = undefined;
                     }
                 }
             }
+            // Guard API key mutation endpoints — require admin role
+            const isApiKeyMutation = req.method === 'POST' && (pathname.endsWith('/api-key/create') || pathname.endsWith('/api-key/update') || pathname.endsWith('/api-key/delete'));
+            if (isApiKeyMutation) {
+                const session = await auth.api.getSession({
+                    headers: req.headers
+                });
+                if (!session?.user?.id) {
+                    return new Response(JSON.stringify({
+                        error: 'Unauthorized'
+                    }), {
+                        status: 401,
+                        headers: {
+                            'Content-Type': 'application/json'
+                        }
+                    });
+                }
+                // Resolve required role: apiKey config > login config > default 'admin'
+                const requiredRole = apiKeyScopesConfig?.requiredRole ?? adminOptions?.login?.requiredRole ?? 'admin';
+                if (requiredRole !== null) {
+                    // Find the auth collection slug from Payload's config
+                    const authSlug = req.payload.config.collections.find((c)=>typeof c.auth === 'object' || c.auth === true)?.slug ?? 'users';
+                    const user = await req.payload.findByID({
+                        collection: authSlug,
+                        id: session.user.id,
+                        depth: 0,
+                        overrideAccess: true
+                    });
+                    if (!hasAnyRole(user, normalizeRoles(requiredRole))) {
+                        return new Response(JSON.stringify({
+                            error: 'Forbidden: insufficient permissions to manage API keys'
+                        }), {
+                            status: 403,
+                            headers: {
+                                'Content-Type': 'application/json'
+                            }
+                        });
+                    }
+                }
+            }
             // Intercept API key creation requests with scopes
             // Better Auth's API key create endpoint is POST /api-key/create
             const isApiKeyCreate = req.method === 'POST' && pathname.endsWith('/api-key/create') && parsedBody?.scopes && Array.isArray(parsedBody.scopes);
@@ -199,8 +239,8 @@ let apiKeyScopesConfig = undefined;
 }
 /**
  * Generates Payload endpoints for Better Auth.
- */ function generateAuthEndpoints(basePath) {
-    const handler = createAuthEndpointHandler();
+ */ function generateAuthEndpoints(basePath, adminOptions) {
+    const handler = createAuthEndpointHandler(adminOptions);
     const methods = [
         'get',
         'post',
@@ -274,6 +314,9 @@ let apiKeyScopesConfig = undefined;
 }
 /**
  * Injects management UI components into the Payload config based on enabled plugins.
+ *
+ * - 2FA and Passkeys are injected as `ui` fields on the auth collection (per-user settings)
+ * - API Keys remain as a sidebar admin view (admin-level feature)
  */ function injectManagementComponents(config, options) {
     const adminOptions = options.admin ?? {};
     // Skip if management UI is disabled
@@ -284,55 +327,72 @@ let apiKeyScopesConfig = undefined;
     const enabledPlugins = detectEnabledPlugins(adminOptions.betterAuthOptions);
     // Get custom paths or use defaults
     const paths = {
-        twoFactor: adminOptions.managementPaths?.twoFactor ?? '/security/two-factor',
-        apiKeys: adminOptions.managementPaths?.apiKeys ?? '/security/api-keys',
-        passkeys: adminOptions.managementPaths?.passkeys ?? '/security/passkeys'
+        apiKeys: adminOptions.managementPaths?.apiKeys ?? '/security/api-keys'
     };
     const existingComponents = config.admin?.components ?? {};
     const existingViews = existingComponents.views ?? {};
     const existingAfterNavLinks = existingComponents.afterNavLinks ?? [];
-    // Build management views based on enabled plugins
-    // Note: Sessions and passkeys use Payload's default collection views
+    // Build management views — only API Keys stays as a sidebar view
     const managementViews = {};
-    // Two-factor (if enabled)
-    if (enabledPlugins.hasTwoFactor) {
-        managementViews.securityTwoFactor = {
-            Component: '@delmaredigital/payload-better-auth/rsc#TwoFactorView',
-            path: paths.twoFactor
-        };
-    }
-    // API keys (if enabled)
     if (enabledPlugins.hasApiKey) {
         managementViews.securityApiKeys = {
             Component: '@delmaredigital/payload-better-auth/rsc#ApiKeysView',
             path: paths.apiKeys
         };
     }
-    // Passkeys (if enabled)
-    if (enabledPlugins.hasPasskey) {
-        managementViews.securityPasskeys = {
-            Component: '@delmaredigital/payload-better-auth/rsc#PasskeysView',
-            path: paths.passkeys
-        };
-    }
-    // Only add nav links if at least one plugin is enabled
-    const hasAnyPlugin = enabledPlugins.hasTwoFactor || enabledPlugins.hasApiKey || enabledPlugins.hasPasskey;
-    // Add SecurityNavLinks to afterNavLinks with clientProps for enabled plugins
-    const afterNavLinks = hasAnyPlugin ? [
+    // Only add nav links if API Keys is enabled
+    const afterNavLinks = enabledPlugins.hasApiKey ? [
         ...Array.isArray(existingAfterNavLinks) ? existingAfterNavLinks : [
             existingAfterNavLinks
         ],
         {
             path: '@delmaredigital/payload-better-auth/components/management#SecurityNavLinks',
             clientProps: {
-                showTwoFactor: enabledPlugins.hasTwoFactor,
-                showApiKeys: enabledPlugins.hasApiKey,
-                showPasskeys: enabledPlugins.hasPasskey
+                showApiKeys: enabledPlugins.hasApiKey
             }
         }
     ] : existingAfterNavLinks;
+    // Inject 2FA and Passkeys as ui fields on the auth collection
+    const securityFields = [];
+    if (enabledPlugins.hasTwoFactor) {
+        securityFields.push({
+            type: 'ui',
+            name: 'twoFactorManagement',
+            label: 'Two-Factor Authentication',
+            admin: {
+                components: {
+                    Field: '@delmaredigital/payload-better-auth/components#TwoFactorField'
+                }
+            }
+        });
+    }
+    if (enabledPlugins.hasPasskey) {
+        securityFields.push({
+            type: 'ui',
+            name: 'passkeysManagement',
+            label: 'Passkeys',
+            admin: {
+                components: {
+                    Field: '@delmaredigital/payload-better-auth/components#PasskeysField'
+                }
+            }
+        });
+    }
+    // Add ui fields to the auth collection
+    const collections = (config.collections ?? []).map((collection)=>{
+        const isAuthCollection = collection.auth === true || typeof collection.auth === 'object' && collection.auth.disableLocalStrategy;
+        if (!isAuthCollection || securityFields.length === 0) return collection;
+        return {
+            ...collection,
+            fields: [
+                ...collection.fields ?? [],
+                ...securityFields
+            ]
+        };
+    });
     return {
         ...config,
+        collections,
         admin: {
             ...config.admin,
             components: {
@@ -384,7 +444,7 @@ let apiKeyScopesConfig = undefined;
         // Inject management UI components
         config = injectManagementComponents(config, options);
         // Generate auth endpoints if enabled
-        const authEndpoints = autoRegisterEndpoints ? generateAuthEndpoints(authBasePath) : [];
+        const authEndpoints = autoRegisterEndpoints ? generateAuthEndpoints(authBasePath, options.admin) : [];
         // Merge endpoints
         const existingEndpoints = config.endpoints ?? [];
         // Get existing onInit

package/dist/types/apiKey.d.ts

@@ -50,6 +50,14 @@ export type ApiKeyScopesConfig = {
      * If not provided, keys without scopes will have no permissions.
      */
     defaultScopes?: string[];
+    /**
+     * Role(s) required to create, update, and delete API keys.
+     * - string: Single role required (e.g., 'admin')
+     * - string[]: Any matching role grants access
+     * - null: Allow any authenticated user (not recommended)
+     * @default Inherits from admin.login.requiredRole, or 'admin' if unset
+     */
+    requiredRole?: string | string[] | null;
 };
 /**
  * Scope data passed to the API keys management client component.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delmaredigital/payload-better-auth",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "description": "Better Auth adapter and plugins for Payload CMS",
   "type": "module",
   "license": "MIT",