@ingram-tech/nk-auth 0.2.0 → 0.3.0

package/README.md

@@ -73,6 +73,7 @@ per the prime directive. The presets carry the RLS-preserving bits.
 import { passkey } from "@better-auth/passkey";
 import { fromAddress, sendEmail } from "@ingram-tech/email";
 import {
+	authBasePath,
 	authEnv,
 	bcryptPassword,
 	makeEmailSenders,
@@ -93,7 +94,8 @@ export const auth = betterAuth({
 	database: new Pool({ connectionString: env.databaseUrl }),
 	secret: env.secret,
 	baseURL: env.baseURL,
-	advanced: { database: { generateId: uuidGenerateId } }, // UUID-shaped ids
+	basePath: authBasePath, // mount at /auth, not the framework default /api/auth
+	advanced: { database: { generateId: uuidGenerateId } }, // UUIDv7 ids
 	emailAndPassword: {
 		enabled: true,
 		password: bcryptPassword, // verifies migrated Supabase bcrypt hashes
@@ -114,7 +116,9 @@ export const auth = betterAuth({
 ```
 
 ```ts
-// app/api/auth/[...all]/route.ts — a standard Next.js route handler
+// app/auth/[...all]/route.ts — a standard Next.js route handler.
+// Lives at /auth (set via `basePath: authBasePath`), NOT /api/auth: auth is a
+// user-facing surface (sign-in, OAuth callbacks), not an internal machine API.
 import { auth } from "@/lib/auth";
 export const { GET, POST } = auth.handler;
 ```
@@ -153,6 +157,7 @@ preserved here too):
 ```tsx
 "use client";
 import {
+	authBasePath,
 	createAuthClient,
 	jwtClient,
 	passkeyClient,
@@ -160,6 +165,7 @@ import {
 
 export const authClient = createAuthClient({
 	baseURL: process.env.NEXT_PUBLIC_SITE_URL ?? "",
+	basePath: authBasePath, // matches the server: /auth
 	plugins: [jwtClient(), passkeyClient()],
 });
 // authClient.signIn.email(...), signIn.social(...), useSession(), passkey.*
@@ -169,7 +175,7 @@ export const authClient = createAuthClient({
 
 `auth.uid()` reads the `sub` claim of the JWT PostgREST receives. The `jwt`
 plugin (configured here) mints an asymmetric token with `sub` = the user's UUID
-and `role: "authenticated"`, exposed at `/api/auth/jwks`. Register that JWKS URL
+and `role: "authenticated"`, exposed at `/auth/jwks`. Register that JWKS URL
 as a Supabase **third-party auth** issuer, and every existing policy works
 unchanged. Full rationale and the HS256 fallback:
 [`docs/better-auth-migration.md`](../../docs/better-auth-migration.md).

package/dist/client.d.ts

@@ -20,4 +20,5 @@
 export { passkeyClient } from "@better-auth/passkey/client";
 export { jwtClient } from "better-auth/client/plugins";
 export { createAuthClient } from "better-auth/react";
+export { authBasePath } from "./paths";
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC"}

package/dist/client.js

@@ -20,4 +20,6 @@
 export { passkeyClient } from "@better-auth/passkey/client";
 export { jwtClient } from "better-auth/client/plugins";
 export { createAuthClient } from "better-auth/react";
+// Re-exported here too so the client can set `basePath` without a server import.
+export { authBasePath } from "./paths";
 //# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,iFAAiF;AACjF,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC"}

package/dist/index.d.ts

@@ -2,6 +2,7 @@ export { type BackendJwtConfig, backendJwtOptions, rlsJwtOptions, verifyBackendJ
 export { type AuthEnv, authEnv, isConfigured } from "./keys";
 export { bcryptPassword, makeEmailSenders, makePasskeyOptions, type PasskeyConfig, type SendEmail, uuidGenerateId, } from "./options";
 export { lastActiveOrganizationHooks, lastActiveOrganizationUserField, nkOrganizationDefaults, } from "./organization";
+export { authBasePath } from "./paths";
 export { createAuthPool } from "./pool";
 export { createServerSupabase, type ServerSupabaseConfig, } from "./supabase";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EACN,KAAK,gBAAgB,EACrB,iBAAiB,EACjB,aAAa,EACb,gBAAgB,GAChB,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,KAAK,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACN,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,cAAc,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EACN,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,GACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EACN,oBAAoB,EACpB,KAAK,oBAAoB,GACzB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EACN,KAAK,gBAAgB,EACrB,iBAAiB,EACjB,aAAa,EACb,gBAAgB,GAChB,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,KAAK,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACN,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,cAAc,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EACN,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,GACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EACN,oBAAoB,EACpB,KAAK,oBAAoB,GACzB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -6,6 +6,7 @@ export { backendJwtOptions, rlsJwtOptions, verifyBackendJwt, } from "./jwt";
 export { authEnv, isConfigured } from "./keys";
 export { bcryptPassword, makeEmailSenders, makePasskeyOptions, uuidGenerateId, } from "./options";
 export { lastActiveOrganizationHooks, lastActiveOrganizationUserField, nkOrganizationDefaults, } from "./organization";
+export { authBasePath } from "./paths";
 export { createAuthPool } from "./pool";
 export { createServerSupabase, } from "./supabase";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AAExE,OAAO,EAEN,iBAAiB,EACjB,aAAa,EACb,gBAAgB,GAChB,MAAM,OAAO,CAAC;AACf,OAAO,EAAgB,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACN,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAGlB,cAAc,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EACN,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,GACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EACN,oBAAoB,GAEpB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AAExE,OAAO,EAEN,iBAAiB,EACjB,aAAa,EACb,gBAAgB,GAChB,MAAM,OAAO,CAAC;AACf,OAAO,EAAgB,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACN,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAGlB,cAAc,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EACN,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,GACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EACN,oBAAoB,GAEpB,MAAM,YAAY,CAAC"}

package/dist/options.d.ts

@@ -8,8 +8,9 @@ import type { PasskeyOptions } from "@better-auth/passkey";
  * site stays plain Better Auth, we just ship the shared config. JWT + org
  * presets live in `./jwt` and `./organization`. See docs/better-auth-migration.md.
  *
- * `uuidGenerateId` keeps new-user ids UUID-shaped (needed for Supabase
- * `auth.uid()::uuid` on RLS sites).
+ * `uuidGenerateId` keeps new-user ids UUID-shaped (so Supabase `auth.uid()::uuid`
+ * keeps working on RLS sites) — and specifically **UUIDv7**: time-ordered, so ids
+ * cluster by creation time for index locality instead of scattering like v4.
  */
 /**
  * `emailAndPassword.password` config. Verifies with bcrypt so passwords
@@ -22,7 +23,12 @@ export declare const bcryptPassword: {
         password: string;
     }) => Promise<boolean>;
 };
-/** `advanced.database.generateId` — keeps new-user ids UUID-shaped. */
+/**
+ * `advanced.database.generateId` — mints a **UUIDv7** (RFC 9562): a 48-bit
+ * Unix-ms timestamp prefix + random tail, version `7`, variant `10`. Keeps ids
+ * UUID-shaped (Supabase `auth.uid()::uuid`) while staying time-ordered.
+ * Node/Bun's `randomUUID` is v4-only, so we lay the bytes out by hand.
+ */
 export declare const uuidGenerateId: () => string;
 export interface PasskeyConfig {
     /** Relying-party id: the registrable domain, e.g. "example.com". */

package/dist/options.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"options.d.ts","sourceRoot":"","sources":["../src/options.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAG3D;;;;;;;;;;;GAWG;AAEH;;;GAGG;AACH,eAAO,MAAM,cAAc;qBACT,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;kCAItC;QACF,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KACjB,KAAG,OAAO,CAAC,OAAO,CAAC;CACpB,CAAC;AAEF,uEAAuE;AACvE,eAAO,MAAM,cAAc,QAAO,MAAsB,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC7B,oEAAoE;IACpE,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,sDAAsD;IACtD,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC1B;AAED,iFAAiF;AACjF,eAAO,MAAM,kBAAkB,GAAI,KAAK,aAAa,KAAG,cAItD,CAAC;AAEH,iFAAiF;AACjF,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,EAAE;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACZ,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AAEvB;;;GAGG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,SAAS;wCAI5C;QACF,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;KACZ,KAAG,OAAO,CAAC,IAAI,CAAC;4CAMd;QACF,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;KACZ,KAAG,OAAO,CAAC,IAAI,CAAC;CAGhB,CAAC"}
+{"version":3,"file":"options.d.ts","sourceRoot":"","sources":["../src/options.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAG3D;;;;;;;;;;;;GAYG;AAEH;;;GAGG;AACH,eAAO,MAAM,cAAc;qBACT,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;kCAItC;QACF,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KACjB,KAAG,OAAO,CAAC,OAAO,CAAC;CACpB,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,cAAc,QAAO,MAajC,CAAC;AAEF,MAAM,WAAW,aAAa;IAC7B,oEAAoE;IACpE,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,sDAAsD;IACtD,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC1B;AAED,iFAAiF;AACjF,eAAO,MAAM,kBAAkB,GAAI,KAAK,aAAa,KAAG,cAItD,CAAC;AAEH,iFAAiF;AACjF,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,EAAE;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACZ,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AAEvB;;;GAGG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,SAAS;wCAI5C;QACF,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;KACZ,KAAG,OAAO,CAAC,IAAI,CAAC;4CAMd;QACF,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;KACZ,KAAG,OAAO,CAAC,IAAI,CAAC;CAGhB,CAAC"}

package/dist/options.js

@@ -1,4 +1,4 @@
-import { randomUUID } from "node:crypto";
+import { randomBytes } from "node:crypto";
 import bcrypt from "bcrypt";
 /**
  * Portable Better Auth building blocks for Ingram sites.
@@ -9,8 +9,9 @@ import bcrypt from "bcrypt";
  * site stays plain Better Auth, we just ship the shared config. JWT + org
  * presets live in `./jwt` and `./organization`. See docs/better-auth-migration.md.
  *
- * `uuidGenerateId` keeps new-user ids UUID-shaped (needed for Supabase
- * `auth.uid()::uuid` on RLS sites).
+ * `uuidGenerateId` keeps new-user ids UUID-shaped (so Supabase `auth.uid()::uuid`
+ * keeps working on RLS sites) — and specifically **UUIDv7**: time-ordered, so ids
+ * cluster by creation time for index locality instead of scattering like v4.
  */
 /**
  * `emailAndPassword.password` config. Verifies with bcrypt so passwords
@@ -20,8 +21,26 @@ export const bcryptPassword = {
     hash: (password) => bcrypt.hash(password, 10),
     verify: ({ hash, password, }) => bcrypt.compare(password, hash),
 };
-/** `advanced.database.generateId` — keeps new-user ids UUID-shaped. */
-export const uuidGenerateId = () => randomUUID();
+/**
+ * `advanced.database.generateId` — mints a **UUIDv7** (RFC 9562): a 48-bit
+ * Unix-ms timestamp prefix + random tail, version `7`, variant `10`. Keeps ids
+ * UUID-shaped (Supabase `auth.uid()::uuid`) while staying time-ordered.
+ * Node/Bun's `randomUUID` is v4-only, so we lay the bytes out by hand.
+ */
+export const uuidGenerateId = () => {
+    const bytes = randomBytes(16);
+    const ts = Date.now();
+    bytes[0] = Math.floor(ts / 2 ** 40) & 0xff;
+    bytes[1] = Math.floor(ts / 2 ** 32) & 0xff;
+    bytes[2] = Math.floor(ts / 2 ** 24) & 0xff;
+    bytes[3] = Math.floor(ts / 2 ** 16) & 0xff;
+    bytes[4] = Math.floor(ts / 2 ** 8) & 0xff;
+    bytes[5] = ts & 0xff;
+    bytes[6] = ((bytes[6] ?? 0) & 0x0f) | 0x70; // version 7
+    bytes[8] = ((bytes[8] ?? 0) & 0x3f) | 0x80; // variant 10
+    const hex = bytes.toString("hex");
+    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+};
 /** Build `passkey` plugin options. Use as `passkey(makePasskeyOptions(cfg))`. */
 export const makePasskeyOptions = (cfg) => ({
     rpID: cfg.rpId,

package/dist/options.js.map

@@ -1 +1 @@
-{"version":3,"file":"options.js","sourceRoot":"","sources":["../src/options.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B;;;;;;;;;;;GAWG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC7B,IAAI,EAAE,CAAC,QAAgB,EAAmB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC;IACtE,MAAM,EAAE,CAAC,EACR,IAAI,EACJ,QAAQ,GAIR,EAAoB,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC;CACtD,CAAC;AAEF,uEAAuE;AACvE,MAAM,CAAC,MAAM,cAAc,GAAG,GAAW,EAAE,CAAC,UAAU,EAAE,CAAC;AAWzD,iFAAiF;AACjF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,GAAkB,EAAkB,EAAE,CAAC,CAAC;IAC1E,IAAI,EAAE,GAAG,CAAC,IAAI;IACd,MAAM,EAAE,GAAG,CAAC,MAAM;IAClB,MAAM,EAAE,GAAG,CAAC,MAAM;CAClB,CAAC,CAAC;AASH;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,IAAe,EAAE,EAAE,CAAC,CAAC;IACrD,iBAAiB,EAAE,KAAK,EAAE,EACzB,IAAI,EACJ,GAAG,GAIH,EAAiB,EAAE;QACnB,MAAM,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,EAAE,GAAG,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,qBAAqB,EAAE,KAAK,EAAE,EAC7B,IAAI,EACJ,GAAG,GAIH,EAAiB,EAAE;QACnB,MAAM,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,mBAAmB,EAAE,GAAG,EAAE,CAAC,CAAC;IACnE,CAAC;CACD,CAAC,CAAC"}
+{"version":3,"file":"options.js","sourceRoot":"","sources":["../src/options.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B;;;;;;;;;;;;GAYG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC7B,IAAI,EAAE,CAAC,QAAgB,EAAmB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC;IACtE,MAAM,EAAE,CAAC,EACR,IAAI,EACJ,QAAQ,GAIR,EAAoB,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC;CACtD,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,GAAW,EAAE;IAC1C,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;IAC1C,KAAK,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IACrB,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,YAAY;IACxD,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,aAAa;IACzD,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAClC,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;AAC5G,CAAC,CAAC;AAWF,iFAAiF;AACjF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,GAAkB,EAAkB,EAAE,CAAC,CAAC;IAC1E,IAAI,EAAE,GAAG,CAAC,IAAI;IACd,MAAM,EAAE,GAAG,CAAC,MAAM;IAClB,MAAM,EAAE,GAAG,CAAC,MAAM;CAClB,CAAC,CAAC;AASH;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,IAAe,EAAE,EAAE,CAAC,CAAC;IACrD,iBAAiB,EAAE,KAAK,EAAE,EACzB,IAAI,EACJ,GAAG,GAIH,EAAiB,EAAE;QACnB,MAAM,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,EAAE,GAAG,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,qBAAqB,EAAE,KAAK,EAAE,EAC7B,IAAI,EACJ,GAAG,GAIH,EAAiB,EAAE;QACnB,MAAM,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,mBAAmB,EAAE,GAAG,EAAE,CAAC,CAAC;IACnE,CAAC;CACD,CAAC,CAAC"}

package/dist/paths.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Where Better Auth mounts in an Ingram site: **`/auth`**, not the framework
+ * default `/api/auth`. Auth is a first-class user-facing surface — sign-in,
+ * OAuth callbacks, the JWKS — not an internal machine API, so it lives at the
+ * site root alongside the other pages.
+ *
+ * Use it on both ends so server and client agree:
+ *
+ *   betterAuth({ basePath: authBasePath, ... })
+ *   createAuthClient({ baseURL, basePath: authBasePath, ... })
+ *
+ * and mount the catch-all at `app/auth/[...all]/route.ts`. OAuth redirect URIs
+ * then become `<site>/auth/callback/<provider>` and the JWKS `<site>/auth/jwks`.
+ */
+export declare const authBasePath = "/auth";
+//# sourceMappingURL=paths.d.ts.map

package/dist/paths.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../src/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,YAAY,UAAU,CAAC"}

package/dist/paths.js

@@ -0,0 +1,16 @@
+/**
+ * Where Better Auth mounts in an Ingram site: **`/auth`**, not the framework
+ * default `/api/auth`. Auth is a first-class user-facing surface — sign-in,
+ * OAuth callbacks, the JWKS — not an internal machine API, so it lives at the
+ * site root alongside the other pages.
+ *
+ * Use it on both ends so server and client agree:
+ *
+ *   betterAuth({ basePath: authBasePath, ... })
+ *   createAuthClient({ baseURL, basePath: authBasePath, ... })
+ *
+ * and mount the catch-all at `app/auth/[...all]/route.ts`. OAuth redirect URIs
+ * then become `<site>/auth/callback/<provider>` and the JWKS `<site>/auth/jwks`.
+ */
+export const authBasePath = "/auth";
+//# sourceMappingURL=paths.js.map

package/dist/paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../src/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,OAAO,CAAC"}

package/dist/pool.d.ts

@@ -1,9 +1,16 @@
 import { Pool } from "pg";
 /**
- * A `pg` Pool for Better Auth's direct database connection, with optional
- * SSL CA verification (equivalent to `sslmode=verify-full`). Keep `sslmode` out
- * of the connection string — `pg` discards the `ssl` object when the URL
- * carries SSL settings.
+ * A `pg` Pool for Better Auth's direct database connection, with the right TLS
+ * for each kind of host:
+ *
+ *   - `caCert` set → verify the server cert + hostname against it
+ *     (equivalent to `sslmode=verify-full`).
+ *   - local (`127.0.0.1`/`localhost`) → no TLS.
+ *   - otherwise (managed Postgres like Supabase) → TLS **without** chain
+ *     verification. Supabase's cert chain isn't in Node's trust store, so plain
+ *     verification fails with "self-signed certificate in certificate chain";
+ *     the connection is still encrypted. `sslmode` is stripped from the URL
+ *     because `pg` ignores the `ssl` object when the URL carries SSL settings.
  */
 export declare const createAuthPool: (config: {
     connectionString: string;

package/dist/pool.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE1B;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB,KAAG,IAMD,CAAC"}
+{"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAK1B;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB,KAAG,IAgBH,CAAC"}

package/dist/pool.js

@@ -1,14 +1,33 @@
 import { Pool } from "pg";
+const isLocal = (connectionString) => connectionString.includes("127.0.0.1") || connectionString.includes("localhost");
 /**
- * A `pg` Pool for Better Auth's direct database connection, with optional
- * SSL CA verification (equivalent to `sslmode=verify-full`). Keep `sslmode` out
- * of the connection string — `pg` discards the `ssl` object when the URL
- * carries SSL settings.
+ * A `pg` Pool for Better Auth's direct database connection, with the right TLS
+ * for each kind of host:
+ *
+ *   - `caCert` set → verify the server cert + hostname against it
+ *     (equivalent to `sslmode=verify-full`).
+ *   - local (`127.0.0.1`/`localhost`) → no TLS.
+ *   - otherwise (managed Postgres like Supabase) → TLS **without** chain
+ *     verification. Supabase's cert chain isn't in Node's trust store, so plain
+ *     verification fails with "self-signed certificate in certificate chain";
+ *     the connection is still encrypted. `sslmode` is stripped from the URL
+ *     because `pg` ignores the `ssl` object when the URL carries SSL settings.
  */
-export const createAuthPool = (config) => new Pool({
-    connectionString: config.connectionString,
-    ssl: config.caCert
-        ? { ca: config.caCert, rejectUnauthorized: true }
-        : undefined,
-});
+export const createAuthPool = (config) => {
+    if (config.caCert) {
+        return new Pool({
+            connectionString: config.connectionString,
+            ssl: { ca: config.caCert, rejectUnauthorized: true },
+        });
+    }
+    if (isLocal(config.connectionString)) {
+        return new Pool({ connectionString: config.connectionString });
+    }
+    const url = new URL(config.connectionString);
+    url.searchParams.delete("sslmode");
+    return new Pool({
+        connectionString: url.toString(),
+        ssl: { rejectUnauthorized: false },
+    });
+};
 //# sourceMappingURL=pool.js.map

package/dist/pool.js.map

@@ -1 +1 @@
-{"version":3,"file":"pool.js","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE1B;;;;;GAKG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,MAI9B,EAAQ,EAAE,CACV,IAAI,IAAI,CAAC;IACR,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;IACzC,GAAG,EAAE,MAAM,CAAC,MAAM;QACjB,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,EAAE,IAAI,EAAE;QACjD,CAAC,CAAC,SAAS;CACZ,CAAC,CAAC"}
+{"version":3,"file":"pool.js","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE1B,MAAM,OAAO,GAAG,CAAC,gBAAwB,EAAW,EAAE,CACrD,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAElF;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,MAI9B,EAAQ,EAAE;IACV,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO,IAAI,IAAI,CAAC;YACf,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,GAAG,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,EAAE,IAAI,EAAE;SACpD,CAAC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACtC,OAAO,IAAI,IAAI,CAAC,EAAE,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC7C,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,IAAI,IAAI,CAAC;QACf,gBAAgB,EAAE,GAAG,CAAC,QAAQ,EAAE;QAChC,GAAG,EAAE,EAAE,kBAAkB,EAAE,KAAK,EAAE;KAClC,CAAC,CAAC;AACJ,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ingram-tech/nk-auth",
-	"version": "0.2.0",
+	"version": "0.3.0",
 	"description": "The Ingram Better Auth foundation: composable presets (org, dual-shape JWT, Supabase RLS bridge, active-org hooks, pg pool) for Next.js sites.",
 	"license": "MIT",
 	"type": "module",
@@ -33,6 +33,10 @@
 			"types": "./dist/pool.d.ts",
 			"import": "./dist/pool.js"
 		},
+		"./paths": {
+			"types": "./dist/paths.d.ts",
+			"import": "./dist/paths.js"
+		},
 		"./client": {
 			"types": "./dist/client.d.ts",
 			"import": "./dist/client.js"
@@ -72,7 +76,7 @@
 	},
 	"devDependencies": {
 		"@better-auth/passkey": "^1.6.0",
-		"@ingram-tech/typescript-config": "0.1.0",
+		"@ingram-tech/typescript-config": "workspace:*",
 		"@supabase/supabase-js": "^2.45.0",
 		"@types/bcrypt": "^5.0.2",
 		"@types/node": "^20.0.0",