@delmaredigital/payload-better-auth 0.7.5 → 0.7.7

package/README.md

@@ -178,7 +178,7 @@ export default async function Dashboard() {
 
 ---
 
-For MongoDB setup, API reference, customization, access control helpers, API key scopes, plugin compatibility, UI components (2FA, passkeys, password reset), recipes, and types — see the **[full documentation](https://delmaredigital.github.io/payload-better-auth/)**.
+For MongoDB setup, API reference, customization, access control helpers, API key scopes, plugin compatibility, UI components (2FA, passkeys, password reset, passwordless login via magic-link & email-OTP), recipes, and types — see the **[full documentation](https://delmaredigital.github.io/payload-better-auth/)**.
 
 ## License
 

package/dist/components/LoginView.js

@@ -25,7 +25,7 @@ import { useConfig } from '@payloadcms/ui';
 export function LoginView({ authClient: providedClient, logo, title = 'Login', afterLoginPath = '/admin', requiredRole = 'admin', requireAllRoles = false, enablePasskey = 'auto', enableSignUp = 'auto', defaultSignUpRole = 'user', enableForgotPassword = 'auto', resetPasswordUrl, enablePassword = 'auto', enableMagicLink = 'auto', enableEmailOtp = 'auto', magicLinkCallbackURL }) {
     const router = useRouter();
     // Payload Config
-    const { config: { routes: { admin: adminRoute, api: apiRoute } } } = useConfig();
+    const { config: { routes: { admin: adminRoute } } } = useConfig();
     // View state
     const [viewMode, setViewMode] = useState('login');
     // Form fields
@@ -40,16 +40,18 @@ export function LoginView({ authClient: providedClient, logo, title = 'Login', a
     const [passkeyLoading, setPasskeyLoading] = useState(false);
     const [checkingSession, setCheckingSession] = useState(true);
     const [accessDenied, setAccessDenied] = useState(false);
-    // Feature availability
-    const [passkeyAvailable, setPasskeyAvailable] = useState(enablePasskey === true);
-    const [signUpAvailable, setSignUpAvailable] = useState(enableSignUp === true);
-    const [forgotPasswordAvailable, setForgotPasswordAvailable] = useState(enableForgotPassword === true);
-    // Probe results for the new methods (null = not yet probed).
-    // Password is optimistic (shown until a 404 proves the strategy is disabled);
-    // magic-link and email-OTP stay hidden until a probe confirms availability.
-    const [passwordProbe, setPasswordProbe] = useState(true);
-    const [magicLinkProbe, setMagicLinkProbe] = useState(null);
-    const [emailOtpProbe, setEmailOtpProbe] = useState(null);
+    // Which methods to show. LoginViewWrapper resolves these server-side from the
+    // Better Auth instance's options and passes concrete booleans. For standalone
+    // <LoginView> use, an unresolved 'auto' falls back to safe defaults: password
+    // shown, optional methods hidden. We no longer probe endpoints — Better Auth
+    // answers every OPTIONS request with 200 (CORS preflight), so probing could
+    // never tell whether a method was actually enabled.
+    const passwordAvailable = resolveAvailability(enablePassword, true);
+    const passkeyAvailable = resolveAvailability(enablePasskey, false);
+    const signUpAvailable = resolveAvailability(enableSignUp, false);
+    const forgotPasswordAvailable = resolveAvailability(enableForgotPassword, false);
+    const magicLinkAvailable = resolveAvailability(enableMagicLink, false);
+    const emailOtpAvailable = resolveAvailability(enableEmailOtp, false);
     // Email-OTP code entry state
     const [otp, setOtp] = useState('');
     const [otpLoading, setOtpLoading] = useState(false);
@@ -101,97 +103,6 @@ export function LoginView({ authClient: providedClient, logo, title = 'Login', a
         requireAllRoles,
         router
     ]);
-    // Auto-detect passkey availability if set to 'auto'
-    useEffect(()=>{
-        if (enablePasskey === 'auto') {
-            // Check if passkey endpoint exists (GET request)
-            // Better Auth passkey routes are at /passkey/* (singular)
-            fetch(`${apiRoute}/auth/passkey/generate-authenticate-options`, {
-                method: 'GET',
-                credentials: 'include'
-            }).then((res)=>{
-                // If we get a response (even 400/401 for not authenticated), passkey is available
-                // 404 means passkey plugin is not installed
-                setPasskeyAvailable(res.status !== 404);
-            }).catch(()=>{
-                setPasskeyAvailable(false);
-            });
-        } else {
-            setPasskeyAvailable(enablePasskey === true);
-        }
-    }, [
-        enablePasskey
-    ]);
-    // Auto-detect sign up availability if set to 'auto'
-    useEffect(()=>{
-        if (enableSignUp === 'auto') {
-            // Check if sign-up endpoint exists
-            fetch(`${apiRoute}/auth/sign-up/email`, {
-                method: 'OPTIONS',
-                credentials: 'include'
-            }).then((res)=>{
-                // 404 means sign-up is not available
-                setSignUpAvailable(res.status !== 404);
-            }).catch(()=>{
-                // If OPTIONS fails, try a HEAD or just assume it's available since it's a core endpoint
-                setSignUpAvailable(true);
-            });
-        } else {
-            setSignUpAvailable(enableSignUp === true);
-        }
-    }, [
-        enableSignUp
-    ]);
-    // Auto-detect forgot password availability if set to 'auto'
-    useEffect(()=>{
-        if (enableForgotPassword === 'auto') {
-            // Check if request-password-reset endpoint exists
-            fetch(`${apiRoute}/auth/request-password-reset`, {
-                method: 'OPTIONS',
-                credentials: 'include'
-            }).then((res)=>{
-                // 404 means request-password-reset is not available
-                setForgotPasswordAvailable(res.status !== 404);
-            }).catch(()=>{
-                // If OPTIONS fails, assume it's available since it's a core endpoint
-                setForgotPasswordAvailable(true);
-            });
-        } else {
-            setForgotPasswordAvailable(enableForgotPassword === true);
-        }
-    }, [
-        enableForgotPassword
-    ]);
-    // Auto-detect password (email) sign-in availability if set to 'auto'
-    useEffect(()=>{
-        if (enablePassword !== 'auto') return;
-        fetch(`${apiRoute}/auth/sign-in/email`, {
-            method: 'OPTIONS',
-            credentials: 'include'
-        }).then((res)=>setPasswordProbe(res.status !== 404)).catch(()=>setPasswordProbe(true)); // core method: assume available on probe error
-    }, [
-        enablePassword
-    ]);
-    // Auto-detect magic-link availability if set to 'auto'
-    useEffect(()=>{
-        if (enableMagicLink !== 'auto') return;
-        fetch(`${apiRoute}/auth/sign-in/magic-link`, {
-            method: 'OPTIONS',
-            credentials: 'include'
-        }).then((res)=>setMagicLinkProbe(res.status !== 404)).catch(()=>setMagicLinkProbe(false)); // optional method: assume unavailable on error
-    }, [
-        enableMagicLink
-    ]);
-    // Auto-detect email-OTP availability if set to 'auto'
-    useEffect(()=>{
-        if (enableEmailOtp !== 'auto') return;
-        fetch(`${apiRoute}/auth/email-otp/send-verification-otp`, {
-            method: 'OPTIONS',
-            credentials: 'include'
-        }).then((res)=>setEmailOtpProbe(res.status !== 404)).catch(()=>setEmailOtpProbe(false));
-    }, [
-        enableEmailOtp
-    ]);
     /**
    * Shared post-authentication tail: re-fetch the session for complete user data
    * (e.g. roles applied by hooks), enforce the role gate, and redirect on success.
@@ -1430,10 +1341,7 @@ export function LoginView({ authClient: providedClient, logo, title = 'Login', a
             })
         });
     }
-    // Resolve which methods are available and which owns the primary action
-    const passwordAvailable = resolveAvailability(enablePassword, passwordProbe);
-    const magicLinkAvailable = resolveAvailability(enableMagicLink, magicLinkProbe);
-    const emailOtpAvailable = resolveAvailability(enableEmailOtp, emailOtpProbe);
+    // Which method owns the primary submit button (availability resolved above)
     const primaryMethod = pickPrimaryMethod({
         password: passwordAvailable,
         magicLink: magicLinkAvailable,

package/dist/components/LoginViewWrapper.d.ts

@@ -2,8 +2,15 @@ import type { AdminViewProps } from 'payload';
 type LoginViewWrapperProps = AdminViewProps;
 /**
  * Server component wrapper for LoginView.
- * Reads login configuration from payload.config.custom.betterAuth.login
- * and passes it as props to the client LoginView component.
+ *
+ * Reads login configuration from `payload.config.custom.betterAuth.login` and
+ * resolves each `'auto'` option against the Better Auth instance's resolved
+ * `options` (server-side), passing concrete booleans to the client LoginView.
+ *
+ * This replaces the old client-side `OPTIONS` endpoint probing: Better Auth
+ * answers every `OPTIONS` request with 200 (CORS preflight), so probing could
+ * never determine whether a method was actually enabled. The server `options`
+ * are authoritative.
  */
 export declare function LoginViewWrapper({ initPageResult }: LoginViewWrapperProps): Promise<import("react").JSX.Element>;
 export default LoginViewWrapper;

package/dist/components/LoginViewWrapper.js

@@ -1,26 +1,51 @@
 import { jsx as _jsx } from "react/jsx-runtime";
 import { LoginView } from './LoginView.js';
+import { detectEnabledMethods, resolveAvailability } from '../utils/loginMethods.js';
+/**
+ * Fallback used when the Better Auth instance isn't available on `payload` yet.
+ * Show password (so admins are never locked out) and hide the optional methods
+ * (so we never render a button for a plugin that may be absent).
+ */ const FALLBACK_DETECTED = {
+    password: true,
+    signup: false,
+    forgotPassword: false,
+    passkey: false,
+    magicLink: false,
+    emailOtp: false
+};
 /**
  * Server component wrapper for LoginView.
- * Reads login configuration from payload.config.custom.betterAuth.login
- * and passes it as props to the client LoginView component.
+ *
+ * Reads login configuration from `payload.config.custom.betterAuth.login` and
+ * resolves each `'auto'` option against the Better Auth instance's resolved
+ * `options` (server-side), passing concrete booleans to the client LoginView.
+ *
+ * This replaces the old client-side `OPTIONS` endpoint probing: Better Auth
+ * answers every `OPTIONS` request with 200 (CORS preflight), so probing could
+ * never determine whether a method was actually enabled. The server `options`
+ * are authoritative.
  */ export async function LoginViewWrapper({ initPageResult }) {
     const { req } = initPageResult;
     const { payload } = req;
     // Read login config from payload.config.custom.betterAuth.login
     const loginConfig = payload.config.custom?.betterAuth?.login ?? {};
+    // Detect which methods Better Auth actually has enabled, from its resolved options.
+    const authOptions = payload.betterAuth?.options;
+    const detected = authOptions ? detectEnabledMethods(authOptions) : FALLBACK_DETECTED;
+    // Resolve each option: explicit boolean wins; 'auto' (or unset) uses detection.
+    const resolve = (setting, detectedValue)=>resolveAvailability(setting ?? 'auto', detectedValue);
     return /*#__PURE__*/ _jsx(LoginView, {
         afterLoginPath: loginConfig.afterLoginPath,
         requiredRole: loginConfig.requiredRole,
         requireAllRoles: loginConfig.requireAllRoles,
-        enablePasskey: loginConfig.enablePasskey,
-        enableSignUp: loginConfig.enableSignUp,
+        enablePassword: resolve(loginConfig.enablePassword, detected.password),
+        enableSignUp: resolve(loginConfig.enableSignUp, detected.signup),
         defaultSignUpRole: loginConfig.defaultSignUpRole,
-        enableForgotPassword: loginConfig.enableForgotPassword,
+        enableForgotPassword: resolve(loginConfig.enableForgotPassword, detected.forgotPassword),
+        enablePasskey: resolve(loginConfig.enablePasskey, detected.passkey),
+        enableMagicLink: resolve(loginConfig.enableMagicLink, detected.magicLink),
+        enableEmailOtp: resolve(loginConfig.enableEmailOtp, detected.emailOtp),
         resetPasswordUrl: loginConfig.resetPasswordUrl,
-        enablePassword: loginConfig.enablePassword,
-        enableMagicLink: loginConfig.enableMagicLink,
-        enableEmailOtp: loginConfig.enableEmailOtp,
         magicLinkCallbackURL: loginConfig.magicLinkCallbackURL,
         title: loginConfig.title
     });

package/dist/exports/client.js

@@ -53,6 +53,10 @@ export { twoFactorClient } from 'better-auth/client/plugins';
  * })
  * ```
  */ export function createPayloadAuthClient(options) {
+    // `payloadAuthPlugins` is intentionally widened to `BetterAuthClientPlugin[]` for
+    // declaration-emit portability. That widening makes the inferred return type drop
+    // some base-client methods (e.g. `refreshToken`, present at runtime) relative to the
+    // zero-arg `ReturnType<typeof createAuthClient>`, so we cast back to the stable type.
     return createAuthClient({
         baseURL: options?.baseURL ?? (typeof window !== 'undefined' ? window.location.origin : ''),
         plugins: [

package/dist/utils/loginMethods.d.ts

@@ -24,3 +24,38 @@ export declare function pickPrimaryMethod(available: {
     magicLink: boolean;
     emailOtp: boolean;
 }): PrimaryMethod | null;
+/** Which sign-in methods a Better Auth instance actually has enabled. */
+export interface DetectedMethods {
+    password: boolean;
+    signup: boolean;
+    forgotPassword: boolean;
+    passkey: boolean;
+    magicLink: boolean;
+    emailOtp: boolean;
+}
+/**
+ * Minimal structural shape of the Better Auth resolved options we read.
+ * Declared locally (not imported from better-auth) so this stays dependency-free
+ * and unit-testable.
+ */
+export interface AuthOptionsLike {
+    emailAndPassword?: {
+        enabled?: boolean;
+        disableSignUp?: boolean;
+        sendResetPassword?: unknown;
+    };
+    plugins?: Array<{
+        id?: string;
+    } | null | undefined>;
+}
+/**
+ * Determine which sign-in methods are enabled from a Better Auth instance's
+ * resolved `options`. This is the authoritative, server-side replacement for the
+ * old client-side endpoint probing: Better Auth answers every `OPTIONS` request
+ * with 200 (CORS preflight), so probing `OPTIONS /sign-in/*` could never tell
+ * whether a method was actually enabled.
+ *
+ * `forgotPassword` requires a configured `sendResetPassword` callback, since the
+ * reset flow can't email a link without it.
+ */
+export declare function detectEnabledMethods(options: AuthOptionsLike | null | undefined): DetectedMethods;

package/dist/utils/loginMethods.js

@@ -22,3 +22,25 @@
     if (available.emailOtp) return 'emailOtp';
     return null;
 }
+/**
+ * Determine which sign-in methods are enabled from a Better Auth instance's
+ * resolved `options`. This is the authoritative, server-side replacement for the
+ * old client-side endpoint probing: Better Auth answers every `OPTIONS` request
+ * with 200 (CORS preflight), so probing `OPTIONS /sign-in/*` could never tell
+ * whether a method was actually enabled.
+ *
+ * `forgotPassword` requires a configured `sendResetPassword` callback, since the
+ * reset flow can't email a link without it.
+ */ export function detectEnabledMethods(options) {
+    const ep = options?.emailAndPassword;
+    const password = !!ep?.enabled;
+    const pluginIds = new Set((options?.plugins ?? []).map((p)=>p?.id).filter((id)=>typeof id === 'string'));
+    return {
+        password,
+        signup: password && !ep?.disableSignUp,
+        forgotPassword: password && !!ep?.sendResetPassword,
+        passkey: pluginIds.has('passkey'),
+        magicLink: pluginIds.has('magic-link'),
+        emailOtp: pluginIds.has('email-otp')
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delmaredigital/payload-better-auth",
-  "version": "0.7.5",
+  "version": "0.7.7",
   "description": "Better Auth adapter and plugins for Payload CMS",
   "type": "module",
   "license": "MIT",
@@ -113,9 +113,9 @@
     }
   },
   "devDependencies": {
-    "@better-auth/api-key": "^1.6.17",
-    "@better-auth/oauth-provider": "^1.6.17",
-    "@better-auth/passkey": "^1.6.17",
+    "@better-auth/api-key": "^1.6.18",
+    "@better-auth/oauth-provider": "^1.6.18",
+    "@better-auth/passkey": "^1.6.18",
     "@payloadcms/next": "^3.85.0",
     "@payloadcms/ui": "^3.85.0",
     "@swc/cli": "^0.6.0",
@@ -123,7 +123,7 @@
     "@types/node": "^24.12.2",
     "@types/react": "^19.2.14",
     "@vitest/coverage-v8": "^4.1.8",
-    "better-auth": "^1.6.17",
+    "better-auth": "^1.6.18",
     "next": "^16.2.5",
     "payload": "^3.85.0",
     "react": "^19.2.5",