@hammadj/better-auth 1.5.0-beta.9

package/dist/plugins/admin/access/statement.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"statement.mjs","names":[],"sources":["../../../../src/plugins/admin/access/statement.ts"],"sourcesContent":["import { createAccessControl } from \"../../access\";\n\nexport const defaultStatements = {\n\tuser: [\n\t\t\"create\",\n\t\t\"list\",\n\t\t\"set-role\",\n\t\t\"ban\",\n\t\t\"impersonate\",\n\t\t\"delete\",\n\t\t\"set-password\",\n\t\t\"get\",\n\t\t\"update\",\n\t],\n\tsession: [\"list\", \"revoke\", \"delete\"],\n} as const;\n\nexport const defaultAc = createAccessControl(defaultStatements);\n\nexport const adminAc = defaultAc.newRole({\n\tuser: [\n\t\t\"create\",\n\t\t\"list\",\n\t\t\"set-role\",\n\t\t\"ban\",\n\t\t\"impersonate\",\n\t\t\"delete\",\n\t\t\"set-password\",\n\t\t\"get\",\n\t\t\"update\",\n\t],\n\tsession: [\"list\", \"revoke\", \"delete\"],\n});\n\nexport const userAc = defaultAc.newRole({\n\tuser: [],\n\tsession: [],\n});\n\nexport const defaultRoles = {\n\tadmin: adminAc,\n\tuser: userAc,\n};\n"],"mappings":";;;;AAEA,MAAa,oBAAoB;CAChC,MAAM;EACL;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;CACD,SAAS;EAAC;EAAQ;EAAU;EAAS;CACrC;AAED,MAAa,YAAY,oBAAoB,kBAAkB;AAE/D,MAAa,UAAU,UAAU,QAAQ;CACxC,MAAM;EACL;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;CACD,SAAS;EAAC;EAAQ;EAAU;EAAS;CACrC,CAAC;AAEF,MAAa,SAAS,UAAU,QAAQ;CACvC,MAAM,EAAE;CACR,SAAS,EAAE;CACX,CAAC;AAEF,MAAa,eAAe;CAC3B,OAAO;CACP,MAAM;CACN"}

package/dist/plugins/admin/admin.d.mts

@@ -0,0 +1,14 @@
+import { AdminOptions } from "./types.mjs";
+
+//#region src/plugins/admin/admin.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    admin: {
+      creator: typeof admin;
+    };
+  }
+}
+declare const admin: <O extends AdminOptions>(options?: O | undefined) => BetterAuthPlugin;
+//#endregion
+export { admin };
+//# sourceMappingURL=admin.d.mts.map

package/dist/plugins/admin/admin.mjs

@@ -0,0 +1,95 @@
+import { mergeSchema } from "../../db/schema.mjs";
+import { defaultRoles } from "./access/statement.mjs";
+import "./access/index.mjs";
+import { ADMIN_ERROR_CODES } from "./error-codes.mjs";
+import { getEndpointResponse } from "../../utils/plugin-helper.mjs";
+import { adminUpdateUser, banUser, createUser, getUser, impersonateUser, listUserSessions, listUsers, removeUser, revokeUserSession, revokeUserSessions, setRole, setUserPassword, stopImpersonating, unbanUser, userHasPermission } from "./routes.mjs";
+import { schema } from "./schema.mjs";
+import { APIError, BetterAuthError } from "@better-auth/core/error";
+import { createAuthMiddleware } from "@better-auth/core/api";
+
+//#region src/plugins/admin/admin.ts
+const admin = (options) => {
+	const opts = {
+		...options || {},
+		defaultRole: options?.defaultRole ?? "user",
+		adminRoles: options?.adminRoles ?? ["admin"],
+		bannedUserMessage: options?.bannedUserMessage ?? "You have been banned from this application. Please contact support if you believe this is an error."
+	};
+	if (options?.adminRoles) {
+		const invalidRoles = (Array.isArray(options.adminRoles) ? options.adminRoles : [...options.adminRoles.split(",")]).filter((role) => !Object.keys(options?.roles || defaultRoles).map((r) => r.toLowerCase()).includes(role.toLowerCase()));
+		if (invalidRoles.length > 0) throw new BetterAuthError(`Invalid admin roles: ${invalidRoles.join(", ")}. Admin roles must be defined in the 'roles' configuration.`);
+	}
+	return {
+		id: "admin",
+		init() {
+			return { options: { databaseHooks: {
+				user: { create: { async before(user) {
+					return { data: {
+						role: options?.defaultRole ?? "user",
+						...user
+					} };
+				} } },
+				session: { create: { async before(session, ctx) {
+					if (!ctx) return;
+					const user = await ctx.context.internalAdapter.findUserById(session.userId);
+					if (user.banned) {
+						if (user.banExpires && new Date(user.banExpires).getTime() < Date.now()) {
+							await ctx.context.internalAdapter.updateUser(session.userId, {
+								banned: false,
+								banReason: null,
+								banExpires: null
+							});
+							return;
+						}
+						if (ctx && (ctx.path.startsWith("/callback") || ctx.path.startsWith("/oauth2/callback"))) {
+							const redirectURI = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
+							throw ctx.redirect(`${redirectURI}?error=banned&error_description=${opts.bannedUserMessage}`);
+						}
+						throw APIError.from("FORBIDDEN", {
+							message: opts.bannedUserMessage,
+							code: "BANNED_USER"
+						});
+					}
+				} } }
+			} } };
+		},
+		hooks: { after: [{
+			matcher(context) {
+				return context.path === "/list-sessions";
+			},
+			handler: createAuthMiddleware(async (ctx) => {
+				const response = await getEndpointResponse(ctx);
+				if (!response) return;
+				const newJson = response.filter((session) => {
+					return !session.impersonatedBy;
+				});
+				return ctx.json(newJson);
+			})
+		}] },
+		endpoints: {
+			setRole: setRole(opts),
+			getUser: getUser(opts),
+			createUser: createUser(opts),
+			adminUpdateUser: adminUpdateUser(opts),
+			listUsers: listUsers(opts),
+			listUserSessions: listUserSessions(opts),
+			unbanUser: unbanUser(opts),
+			banUser: banUser(opts),
+			impersonateUser: impersonateUser(opts),
+			stopImpersonating: stopImpersonating(),
+			revokeUserSession: revokeUserSession(opts),
+			revokeUserSessions: revokeUserSessions(opts),
+			removeUser: removeUser(opts),
+			setUserPassword: setUserPassword(opts),
+			userHasPermission: userHasPermission(opts)
+		},
+		$ERROR_CODES: ADMIN_ERROR_CODES,
+		schema: mergeSchema(schema, opts.schema),
+		options
+	};
+};
+
+//#endregion
+export { admin };
+//# sourceMappingURL=admin.mjs.map

package/dist/plugins/admin/admin.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.mjs","names":[],"sources":["../../../src/plugins/admin/admin.ts"],"sourcesContent":["import type { BetterAuthPlugin } from \"@better-auth/core\";\nimport { createAuthMiddleware } from \"@better-auth/core/api\";\nimport { APIError, BetterAuthError } from \"@better-auth/core/error\";\nimport { mergeSchema } from \"../../db/schema\";\nimport { getEndpointResponse } from \"../../utils/plugin-helper\";\nimport { defaultRoles } from \"./access\";\nimport { ADMIN_ERROR_CODES } from \"./error-codes\";\nimport {\n\tadminUpdateUser,\n\tbanUser,\n\tcreateUser,\n\tgetUser,\n\timpersonateUser,\n\tlistUserSessions,\n\tlistUsers,\n\tremoveUser,\n\trevokeUserSession,\n\trevokeUserSessions,\n\tsetRole,\n\tsetUserPassword,\n\tstopImpersonating,\n\tunbanUser,\n\tuserHasPermission,\n} from \"./routes\";\nimport { schema } from \"./schema\";\nimport type {\n\tAdminOptions,\n\tSessionWithImpersonatedBy,\n\tUserWithRole,\n} from \"./types\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\tadmin: {\n\t\t\tcreator: typeof admin;\n\t\t};\n\t}\n}\n\nexport const admin = <O extends AdminOptions>(options?: O | undefined) => {\n\tconst opts = {\n\t\t...(options || {}),\n\t\tdefaultRole: options?.defaultRole ?? \"user\",\n\t\tadminRoles: options?.adminRoles ?? [\"admin\"],\n\t\tbannedUserMessage:\n\t\t\toptions?.bannedUserMessage ??\n\t\t\t\"You have been banned from this application. Please contact support if you believe this is an error.\",\n\t} as O &\n\t\tRequired<\n\t\t\tPick<AdminOptions, \"defaultRole\" | \"adminRoles\" | \"bannedUserMessage\">\n\t\t>;\n\n\tif (options?.adminRoles) {\n\t\tconst adminRoles = Array.isArray(options.adminRoles)\n\t\t\t? options.adminRoles\n\t\t\t: [...options.adminRoles.split(\",\")];\n\t\tconst invalidRoles = adminRoles.filter(\n\t\t\t(role) =>\n\t\t\t\t!Object.keys(options?.roles || defaultRoles)\n\t\t\t\t\t.map((r) => r.toLowerCase())\n\t\t\t\t\t.includes(role.toLowerCase()),\n\t\t);\n\t\tif (invalidRoles.length > 0) {\n\t\t\tthrow new BetterAuthError(\n\t\t\t\t`Invalid admin roles: ${invalidRoles.join(\", \")}. Admin roles must be defined in the 'roles' configuration.`,\n\t\t\t);\n\t\t}\n\t}\n\n\treturn {\n\t\tid: \"admin\",\n\t\tinit() {\n\t\t\treturn {\n\t\t\t\toptions: {\n\t\t\t\t\tdatabaseHooks: {\n\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\tcreate: {\n\t\t\t\t\t\t\t\tasync before(user) {\n\t\t\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\t\t\t\t\trole: options?.defaultRole ?? \"user\",\n\t\t\t\t\t\t\t\t\t\t\t...user,\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\tcreate: {\n\t\t\t\t\t\t\t\tasync before(session, ctx) {\n\t\t\t\t\t\t\t\t\tif (!ctx) {\n\t\t\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\tconst user = (await ctx.context.internalAdapter.findUserById(\n\t\t\t\t\t\t\t\t\t\tsession.userId,\n\t\t\t\t\t\t\t\t\t)) as UserWithRole;\n\n\t\t\t\t\t\t\t\t\tif (user.banned) {\n\t\t\t\t\t\t\t\t\t\tif (\n\t\t\t\t\t\t\t\t\t\t\tuser.banExpires &&\n\t\t\t\t\t\t\t\t\t\t\tnew Date(user.banExpires).getTime() < Date.now()\n\t\t\t\t\t\t\t\t\t\t) {\n\t\t\t\t\t\t\t\t\t\t\tawait ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\t\t\t\t\t\t\tsession.userId,\n\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\tbanned: false,\n\t\t\t\t\t\t\t\t\t\t\t\t\tbanReason: null,\n\t\t\t\t\t\t\t\t\t\t\t\t\tbanExpires: null,\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\tif (\n\t\t\t\t\t\t\t\t\t\t\tctx &&\n\t\t\t\t\t\t\t\t\t\t\t(ctx.path.startsWith(\"/callback\") ||\n\t\t\t\t\t\t\t\t\t\t\t\tctx.path.startsWith(\"/oauth2/callback\"))\n\t\t\t\t\t\t\t\t\t\t) {\n\t\t\t\t\t\t\t\t\t\t\tconst redirectURI =\n\t\t\t\t\t\t\t\t\t\t\t\tctx.context.options.onAPIError?.errorURL ||\n\t\t\t\t\t\t\t\t\t\t\t\t`${ctx.context.baseURL}/error`;\n\t\t\t\t\t\t\t\t\t\t\tthrow ctx.redirect(\n\t\t\t\t\t\t\t\t\t\t\t\t`${redirectURI}?error=banned&error_description=${opts.bannedUserMessage}`,\n\t\t\t\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\tthrow APIError.from(\"FORBIDDEN\", {\n\t\t\t\t\t\t\t\t\t\t\tmessage: opts.bannedUserMessage,\n\t\t\t\t\t\t\t\t\t\t\tcode: \"BANNED_USER\",\n\t\t\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t};\n\t\t},\n\t\thooks: {\n\t\t\tafter: [\n\t\t\t\t{\n\t\t\t\t\tmatcher(context) {\n\t\t\t\t\t\treturn context.path === \"/list-sessions\";\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async (ctx) => {\n\t\t\t\t\t\tconst response =\n\t\t\t\t\t\t\tawait getEndpointResponse<SessionWithImpersonatedBy[]>(ctx);\n\n\t\t\t\t\t\tif (!response) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tconst newJson = response.filter((session) => {\n\t\t\t\t\t\t\treturn !session.impersonatedBy;\n\t\t\t\t\t\t});\n\n\t\t\t\t\t\treturn ctx.json(newJson);\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t},\n\t\tendpoints: {\n\t\t\tsetRole: setRole(opts),\n\t\t\tgetUser: getUser(opts),\n\t\t\tcreateUser: createUser(opts),\n\t\t\tadminUpdateUser: adminUpdateUser(opts),\n\t\t\tlistUsers: listUsers(opts),\n\t\t\tlistUserSessions: listUserSessions(opts),\n\t\t\tunbanUser: unbanUser(opts),\n\t\t\tbanUser: banUser(opts),\n\t\t\timpersonateUser: impersonateUser(opts),\n\t\t\tstopImpersonating: stopImpersonating(),\n\t\t\trevokeUserSession: revokeUserSession(opts),\n\t\t\trevokeUserSessions: revokeUserSessions(opts),\n\t\t\tremoveUser: removeUser(opts),\n\t\t\tsetUserPassword: setUserPassword(opts),\n\t\t\tuserHasPermission: userHasPermission(opts as O),\n\t\t},\n\t\t$ERROR_CODES: ADMIN_ERROR_CODES,\n\t\tschema: mergeSchema(schema, opts.schema),\n\t\toptions: options as NoInfer<O>,\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;;;;;;AAuCA,MAAa,SAAiC,YAA4B;CACzE,MAAM,OAAO;EACZ,GAAI,WAAW,EAAE;EACjB,aAAa,SAAS,eAAe;EACrC,YAAY,SAAS,cAAc,CAAC,QAAQ;EAC5C,mBACC,SAAS,qBACT;EACD;AAKD,KAAI,SAAS,YAAY;EAIxB,MAAM,gBAHa,MAAM,QAAQ,QAAQ,WAAW,GACjD,QAAQ,aACR,CAAC,GAAG,QAAQ,WAAW,MAAM,IAAI,CAAC,EACL,QAC9B,SACA,CAAC,OAAO,KAAK,SAAS,SAAS,aAAa,CAC1C,KAAK,MAAM,EAAE,aAAa,CAAC,CAC3B,SAAS,KAAK,aAAa,CAAC,CAC/B;AACD,MAAI,aAAa,SAAS,EACzB,OAAM,IAAI,gBACT,wBAAwB,aAAa,KAAK,KAAK,CAAC,6DAChD;;AAIH,QAAO;EACN,IAAI;EACJ,OAAO;AACN,UAAO,EACN,SAAS,EACR,eAAe;IACd,MAAM,EACL,QAAQ,EACP,MAAM,OAAO,MAAM;AAClB,YAAO,EACN,MAAM;MACL,MAAM,SAAS,eAAe;MAC9B,GAAG;MACH,EACD;OAEF,EACD;IACD,SAAS,EACR,QAAQ,EACP,MAAM,OAAO,SAAS,KAAK;AAC1B,SAAI,CAAC,IACJ;KAED,MAAM,OAAQ,MAAM,IAAI,QAAQ,gBAAgB,aAC/C,QAAQ,OACR;AAED,SAAI,KAAK,QAAQ;AAChB,UACC,KAAK,cACL,IAAI,KAAK,KAAK,WAAW,CAAC,SAAS,GAAG,KAAK,KAAK,EAC/C;AACD,aAAM,IAAI,QAAQ,gBAAgB,WACjC,QAAQ,QACR;QACC,QAAQ;QACR,WAAW;QACX,YAAY;QACZ,CACD;AACD;;AAGD,UACC,QACC,IAAI,KAAK,WAAW,YAAY,IAChC,IAAI,KAAK,WAAW,mBAAmB,GACvC;OACD,MAAM,cACL,IAAI,QAAQ,QAAQ,YAAY,YAChC,GAAG,IAAI,QAAQ,QAAQ;AACxB,aAAM,IAAI,SACT,GAAG,YAAY,kCAAkC,KAAK,oBACtD;;AAGF,YAAM,SAAS,KAAK,aAAa;OAChC,SAAS,KAAK;OACd,MAAM;OACN,CAAC;;OAGJ,EACD;IACD,EACD,EACD;;EAEF,OAAO,EACN,OAAO,CACN;GACC,QAAQ,SAAS;AAChB,WAAO,QAAQ,SAAS;;GAEzB,SAAS,qBAAqB,OAAO,QAAQ;IAC5C,MAAM,WACL,MAAM,oBAAiD,IAAI;AAE5D,QAAI,CAAC,SACJ;IAED,MAAM,UAAU,SAAS,QAAQ,YAAY;AAC5C,YAAO,CAAC,QAAQ;MACf;AAEF,WAAO,IAAI,KAAK,QAAQ;KACvB;GACF,CACD,EACD;EACD,WAAW;GACV,SAAS,QAAQ,KAAK;GACtB,SAAS,QAAQ,KAAK;GACtB,YAAY,WAAW,KAAK;GAC5B,iBAAiB,gBAAgB,KAAK;GACtC,WAAW,UAAU,KAAK;GAC1B,kBAAkB,iBAAiB,KAAK;GACxC,WAAW,UAAU,KAAK;GAC1B,SAAS,QAAQ,KAAK;GACtB,iBAAiB,gBAAgB,KAAK;GACtC,mBAAmB,mBAAmB;GACtC,mBAAmB,kBAAkB,KAAK;GAC1C,oBAAoB,mBAAmB,KAAK;GAC5C,YAAY,WAAW,KAAK;GAC5B,iBAAiB,gBAAgB,KAAK;GACtC,mBAAmB,kBAAkB,KAAU;GAC/C;EACD,cAAc;EACd,QAAQ,YAAY,QAAQ,KAAK,OAAO;EAC/B;EACT"}

package/dist/plugins/admin/client.d.mts

@@ -0,0 +1,14 @@
+import { AccessControl, Role } from "../access/types.mjs";
+import "../access/index.mjs";
+import { ADMIN_ERROR_CODES } from "./error-codes.mjs";
+import { AdminOptions, InferAdminRolesFromOption, SessionWithImpersonatedBy, UserWithRole } from "./types.mjs";
+
+//#region src/plugins/admin/client.d.ts
+interface AdminClientOptions {
+  ac?: AccessControl | undefined;
+  roles?: { [key in string]: Role } | undefined;
+}
+declare const adminClient: <O extends AdminClientOptions>(options?: O | undefined) => BetterAuthClientPlugin;
+//#endregion
+export { adminClient };
+//# sourceMappingURL=client.d.mts.map

package/dist/plugins/admin/client.mjs

@@ -0,0 +1,36 @@
+import { adminAc, userAc } from "./access/statement.mjs";
+import "./access/index.mjs";
+import { ADMIN_ERROR_CODES } from "./error-codes.mjs";
+import { hasPermission } from "./has-permission.mjs";
+
+//#region src/plugins/admin/client.ts
+const adminClient = (options) => {
+	const roles = {
+		admin: adminAc,
+		user: userAc,
+		...options?.roles
+	};
+	return {
+		id: "admin-client",
+		$InferServerPlugin: {},
+		getActions: () => ({ admin: { checkRolePermission: (data) => {
+			return hasPermission({
+				role: data.role,
+				options: {
+					ac: options?.ac,
+					roles
+				},
+				permissions: data.permissions ?? data.permission
+			});
+		} } }),
+		pathMethods: {
+			"/admin/list-users": "GET",
+			"/admin/stop-impersonating": "POST"
+		},
+		$ERROR_CODES: ADMIN_ERROR_CODES
+	};
+};
+
+//#endregion
+export { adminClient };
+//# sourceMappingURL=client.mjs.map

package/dist/plugins/admin/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":[],"sources":["../../../src/plugins/admin/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"@better-auth/core\";\nimport type { AccessControl, Role } from \"../access\";\nimport type { defaultStatements } from \"./access\";\nimport { adminAc, userAc } from \"./access\";\nimport type { admin } from \"./admin\";\nimport { ADMIN_ERROR_CODES } from \"./error-codes\";\nimport { hasPermission } from \"./has-permission\";\n\nexport * from \"./error-codes\";\n\ninterface AdminClientOptions {\n\tac?: AccessControl | undefined;\n\troles?:\n\t\t| {\n\t\t\t\t[key in string]: Role;\n\t\t  }\n\t\t| undefined;\n}\n\nexport const adminClient = <O extends AdminClientOptions>(\n\toptions?: O | undefined,\n) => {\n\ttype DefaultStatements = typeof defaultStatements;\n\ttype Statements =\n\t\tO[\"ac\"] extends AccessControl<infer S> ? S : DefaultStatements;\n\ttype PermissionType = {\n\t\t[key in keyof Statements]?: Array<\n\t\t\tStatements[key] extends readonly unknown[]\n\t\t\t\t? Statements[key][number]\n\t\t\t\t: never\n\t\t>;\n\t};\n\ttype PermissionExclusive =\n\t\t| {\n\t\t\t\t/**\n\t\t\t\t * @deprecated Use `permissions` instead\n\t\t\t\t */\n\t\t\t\tpermission: PermissionType;\n\t\t\t\tpermissions?: never | undefined;\n\t\t  }\n\t\t| {\n\t\t\t\tpermissions: PermissionType;\n\t\t\t\tpermission?: never | undefined;\n\t\t  };\n\n\tconst roles = {\n\t\tadmin: adminAc,\n\t\tuser: userAc,\n\t\t...options?.roles,\n\t};\n\n\treturn {\n\t\tid: \"admin-client\",\n\t\t$InferServerPlugin: {} as ReturnType<\n\t\t\ttypeof admin<{\n\t\t\t\tac: O[\"ac\"] extends AccessControl\n\t\t\t\t\t? O[\"ac\"]\n\t\t\t\t\t: AccessControl<DefaultStatements>;\n\t\t\t\troles: O[\"roles\"] extends Record<string, Role>\n\t\t\t\t\t? O[\"roles\"]\n\t\t\t\t\t: {\n\t\t\t\t\t\t\tadmin: Role;\n\t\t\t\t\t\t\tuser: Role;\n\t\t\t\t\t\t};\n\t\t\t}>\n\t\t>,\n\t\tgetActions: () => ({\n\t\t\tadmin: {\n\t\t\t\tcheckRolePermission: <\n\t\t\t\t\tR extends O extends { roles: any }\n\t\t\t\t\t\t? keyof O[\"roles\"]\n\t\t\t\t\t\t: \"admin\" | \"user\",\n\t\t\t\t>(\n\t\t\t\t\tdata: PermissionExclusive & {\n\t\t\t\t\t\trole: R;\n\t\t\t\t\t},\n\t\t\t\t) => {\n\t\t\t\t\tconst isAuthorized = hasPermission({\n\t\t\t\t\t\trole: data.role as string,\n\t\t\t\t\t\toptions: {\n\t\t\t\t\t\t\tac: options?.ac,\n\t\t\t\t\t\t\troles: roles,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tpermissions: (data.permissions ?? data.permission) as any,\n\t\t\t\t\t});\n\t\t\t\t\treturn isAuthorized;\n\t\t\t\t},\n\t\t\t},\n\t\t}),\n\t\tpathMethods: {\n\t\t\t\"/admin/list-users\": \"GET\",\n\t\t\t\"/admin/stop-impersonating\": \"POST\",\n\t\t},\n\t\t$ERROR_CODES: ADMIN_ERROR_CODES,\n\t} satisfies BetterAuthClientPlugin;\n};\n\nexport type * from \"./types\";\n"],"mappings":";;;;;;AAmBA,MAAa,eACZ,YACI;CAwBJ,MAAM,QAAQ;EACb,OAAO;EACP,MAAM;EACN,GAAG,SAAS;EACZ;AAED,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EAatB,mBAAmB,EAClB,OAAO,EACN,sBAKC,SAGI;AASJ,UARqB,cAAc;IAClC,MAAM,KAAK;IACX,SAAS;KACR,IAAI,SAAS;KACN;KACP;IACD,aAAc,KAAK,eAAe,KAAK;IACvC,CAAC;KAGH,EACD;EACD,aAAa;GACZ,qBAAqB;GACrB,6BAA6B;GAC7B;EACD,cAAc;EACd"}

package/dist/plugins/admin/error-codes.d.mts

@@ -0,0 +1,5 @@
+//#region src/plugins/admin/error-codes.d.ts
+declare const ADMIN_ERROR_CODES: any;
+//#endregion
+export { ADMIN_ERROR_CODES };
+//# sourceMappingURL=error-codes.d.mts.map

package/dist/plugins/admin/error-codes.mjs

@@ -0,0 +1,30 @@
+import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+
+//#region src/plugins/admin/error-codes.ts
+const ADMIN_ERROR_CODES = defineErrorCodes({
+	FAILED_TO_CREATE_USER: "Failed to create user",
+	USER_ALREADY_EXISTS: "User already exists.",
+	USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL: "User already exists. Use another email.",
+	YOU_CANNOT_BAN_YOURSELF: "You cannot ban yourself",
+	YOU_ARE_NOT_ALLOWED_TO_CHANGE_USERS_ROLE: "You are not allowed to change users role",
+	YOU_ARE_NOT_ALLOWED_TO_CREATE_USERS: "You are not allowed to create users",
+	YOU_ARE_NOT_ALLOWED_TO_LIST_USERS: "You are not allowed to list users",
+	YOU_ARE_NOT_ALLOWED_TO_LIST_USERS_SESSIONS: "You are not allowed to list users sessions",
+	YOU_ARE_NOT_ALLOWED_TO_BAN_USERS: "You are not allowed to ban users",
+	YOU_ARE_NOT_ALLOWED_TO_IMPERSONATE_USERS: "You are not allowed to impersonate users",
+	YOU_ARE_NOT_ALLOWED_TO_REVOKE_USERS_SESSIONS: "You are not allowed to revoke users sessions",
+	YOU_ARE_NOT_ALLOWED_TO_DELETE_USERS: "You are not allowed to delete users",
+	YOU_ARE_NOT_ALLOWED_TO_SET_USERS_PASSWORD: "You are not allowed to set users password",
+	BANNED_USER: "You have been banned from this application",
+	YOU_ARE_NOT_ALLOWED_TO_GET_USER: "You are not allowed to get user",
+	NO_DATA_TO_UPDATE: "No data to update",
+	YOU_ARE_NOT_ALLOWED_TO_UPDATE_USERS: "You are not allowed to update users",
+	YOU_CANNOT_REMOVE_YOURSELF: "You cannot remove yourself",
+	YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE: "You are not allowed to set a non-existent role value",
+	YOU_CANNOT_IMPERSONATE_ADMINS: "You cannot impersonate admins",
+	INVALID_ROLE_TYPE: "Invalid role type"
+});
+
+//#endregion
+export { ADMIN_ERROR_CODES };
+//# sourceMappingURL=error-codes.mjs.map

package/dist/plugins/admin/error-codes.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-codes.mjs","names":[],"sources":["../../../src/plugins/admin/error-codes.ts"],"sourcesContent":["import { defineErrorCodes } from \"@better-auth/core/utils/error-codes\";\n\nexport const ADMIN_ERROR_CODES = defineErrorCodes({\n\tFAILED_TO_CREATE_USER: \"Failed to create user\",\n\tUSER_ALREADY_EXISTS: \"User already exists.\",\n\tUSER_ALREADY_EXISTS_USE_ANOTHER_EMAIL:\n\t\t\"User already exists. Use another email.\",\n\tYOU_CANNOT_BAN_YOURSELF: \"You cannot ban yourself\",\n\tYOU_ARE_NOT_ALLOWED_TO_CHANGE_USERS_ROLE:\n\t\t\"You are not allowed to change users role\",\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_USERS: \"You are not allowed to create users\",\n\tYOU_ARE_NOT_ALLOWED_TO_LIST_USERS: \"You are not allowed to list users\",\n\tYOU_ARE_NOT_ALLOWED_TO_LIST_USERS_SESSIONS:\n\t\t\"You are not allowed to list users sessions\",\n\tYOU_ARE_NOT_ALLOWED_TO_BAN_USERS: \"You are not allowed to ban users\",\n\tYOU_ARE_NOT_ALLOWED_TO_IMPERSONATE_USERS:\n\t\t\"You are not allowed to impersonate users\",\n\tYOU_ARE_NOT_ALLOWED_TO_REVOKE_USERS_SESSIONS:\n\t\t\"You are not allowed to revoke users sessions\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_USERS: \"You are not allowed to delete users\",\n\tYOU_ARE_NOT_ALLOWED_TO_SET_USERS_PASSWORD:\n\t\t\"You are not allowed to set users password\",\n\tBANNED_USER: \"You have been banned from this application\",\n\tYOU_ARE_NOT_ALLOWED_TO_GET_USER: \"You are not allowed to get user\",\n\tNO_DATA_TO_UPDATE: \"No data to update\",\n\tYOU_ARE_NOT_ALLOWED_TO_UPDATE_USERS: \"You are not allowed to update users\",\n\tYOU_CANNOT_REMOVE_YOURSELF: \"You cannot remove yourself\",\n\tYOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE:\n\t\t\"You are not allowed to set a non-existent role value\",\n\tYOU_CANNOT_IMPERSONATE_ADMINS: \"You cannot impersonate admins\",\n\tINVALID_ROLE_TYPE: \"Invalid role type\",\n});\n"],"mappings":";;;AAEA,MAAa,oBAAoB,iBAAiB;CACjD,uBAAuB;CACvB,qBAAqB;CACrB,uCACC;CACD,yBAAyB;CACzB,0CACC;CACD,qCAAqC;CACrC,mCAAmC;CACnC,4CACC;CACD,kCAAkC;CAClC,0CACC;CACD,8CACC;CACD,qCAAqC;CACrC,2CACC;CACD,aAAa;CACb,iCAAiC;CACjC,mBAAmB;CACnB,qCAAqC;CACrC,4BAA4B;CAC5B,+CACC;CACD,+BAA+B;CAC/B,mBAAmB;CACnB,CAAC"}

package/dist/plugins/admin/has-permission.mjs

@@ -0,0 +1,16 @@
+import { defaultRoles } from "./access/statement.mjs";
+import "./access/index.mjs";
+
+//#region src/plugins/admin/has-permission.ts
+const hasPermission = (input) => {
+	if (input.userId && input.options?.adminUserIds?.includes(input.userId)) return true;
+	if (!input.permissions && !input.permission) return false;
+	const roles = (input.role || input.options?.defaultRole || "user").split(",");
+	const acRoles = input.options?.roles || defaultRoles;
+	for (const role of roles) if ((acRoles[role]?.authorize(input.permission ?? input.permissions))?.success) return true;
+	return false;
+};
+
+//#endregion
+export { hasPermission };
+//# sourceMappingURL=has-permission.mjs.map

package/dist/plugins/admin/has-permission.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"has-permission.mjs","names":[],"sources":["../../../src/plugins/admin/has-permission.ts"],"sourcesContent":["import { defaultRoles } from \"./access\";\nimport type { AdminOptions } from \"./types\";\n\ntype PermissionExclusive =\n\t| {\n\t\t\t/**\n\t\t\t * @deprecated Use `permissions` instead\n\t\t\t */\n\t\t\tpermission: { [key: string]: string[] };\n\t\t\tpermissions?: never | undefined;\n\t  }\n\t| {\n\t\t\tpermissions: { [key: string]: string[] };\n\t\t\tpermission?: never | undefined;\n\t  };\n\nexport const hasPermission = (\n\tinput: {\n\t\tuserId?: string | undefined;\n\t\trole?: string | undefined;\n\t\toptions?: AdminOptions | undefined;\n\t} & PermissionExclusive,\n) => {\n\tif (input.userId && input.options?.adminUserIds?.includes(input.userId)) {\n\t\treturn true;\n\t}\n\tif (!input.permissions && !input.permission) {\n\t\treturn false;\n\t}\n\tconst roles = (input.role || input.options?.defaultRole || \"user\").split(\",\");\n\tconst acRoles = input.options?.roles || defaultRoles;\n\tfor (const role of roles) {\n\t\tconst _role = acRoles[role as keyof typeof acRoles];\n\t\tconst result = _role?.authorize(input.permission ?? input.permissions);\n\t\tif (result?.success) {\n\t\t\treturn true;\n\t\t}\n\t}\n\treturn false;\n};\n"],"mappings":";;;;AAgBA,MAAa,iBACZ,UAKI;AACJ,KAAI,MAAM,UAAU,MAAM,SAAS,cAAc,SAAS,MAAM,OAAO,CACtE,QAAO;AAER,KAAI,CAAC,MAAM,eAAe,CAAC,MAAM,WAChC,QAAO;CAER,MAAM,SAAS,MAAM,QAAQ,MAAM,SAAS,eAAe,QAAQ,MAAM,IAAI;CAC7E,MAAM,UAAU,MAAM,SAAS,SAAS;AACxC,MAAK,MAAM,QAAQ,MAGlB,MAFc,QAAQ,OACA,UAAU,MAAM,cAAc,MAAM,YAAY,GAC1D,QACX,QAAO;AAGT,QAAO"}

package/dist/plugins/admin/index.d.mts

@@ -0,0 +1,3 @@
+import { AdminOptions, InferAdminRolesFromOption, SessionWithImpersonatedBy, UserWithRole } from "./types.mjs";
+import { admin } from "./admin.mjs";
+export { AdminOptions, InferAdminRolesFromOption, SessionWithImpersonatedBy, UserWithRole, admin };

package/dist/plugins/admin/index.mjs

@@ -0,0 +1,3 @@
+import { admin } from "./admin.mjs";
+
+export { admin };