@inkeep/agents-core 0.0.0-dev-20251219001549 → 0.0.0-dev-20251219041014
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/auth/auth.d.ts +134 -38
- package/dist/auth/auth.d.ts.map +1 -1
- package/dist/auth/auth.js +6 -2
- package/dist/auth/auth.js.map +1 -1
- package/dist/auth/permissions.d.ts +13 -13
- package/dist/auth/permissions.d.ts.map +1 -1
- package/dist/auth-schema.d.ts +82 -82
- package/dist/auth-schema.d.ts.map +1 -1
- package/dist/auth-validation-schemas.d.ts +129 -129
- package/dist/auth-validation-schemas.d.ts.map +1 -1
- package/dist/client.d.ts +187 -187
- package/dist/client.d.ts.map +1 -1
- package/dist/env.js +2 -1
- package/dist/env.js.map +1 -1
- package/package.json +1 -1
package/dist/auth/auth.d.ts
CHANGED
|
@@ -5,9 +5,10 @@ import "../schema-conversion.js";
|
|
|
5
5
|
import * as _better_auth_sso0 from "@better-auth/sso";
|
|
6
6
|
import * as better_auth0 from "better-auth";
|
|
7
7
|
import { BetterAuthAdvancedOptions } from "better-auth";
|
|
8
|
-
import * as
|
|
9
|
-
import * as
|
|
8
|
+
import * as better_auth_plugins20 from "better-auth/plugins";
|
|
9
|
+
import * as better_auth_social_providers0 from "better-auth/social-providers";
|
|
10
10
|
import { GoogleOptions } from "better-auth/social-providers";
|
|
11
|
+
import * as zod0 from "zod";
|
|
11
12
|
|
|
12
13
|
//#region src/auth/auth.d.ts
|
|
13
14
|
interface OIDCProviderConfig {
|
|
@@ -85,7 +86,51 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
|
|
|
85
86
|
autoSignIn: true;
|
|
86
87
|
};
|
|
87
88
|
socialProviders: {
|
|
88
|
-
google:
|
|
89
|
+
google: {
|
|
90
|
+
redirectURI?: string | undefined;
|
|
91
|
+
clientId: string;
|
|
92
|
+
accessType?: ("offline" | "online") | undefined;
|
|
93
|
+
display?: ("page" | "popup" | "touch" | "wap") | undefined;
|
|
94
|
+
hd?: string | undefined;
|
|
95
|
+
clientSecret?: string | undefined;
|
|
96
|
+
scope?: string[] | undefined;
|
|
97
|
+
disableDefaultScope?: boolean | undefined;
|
|
98
|
+
clientKey?: string | undefined;
|
|
99
|
+
disableIdTokenSignIn?: boolean | undefined;
|
|
100
|
+
verifyIdToken?: ((token: string, nonce?: string) => Promise<boolean>) | undefined;
|
|
101
|
+
getUserInfo?: ((token: better_auth0.OAuth2Tokens) => Promise<{
|
|
102
|
+
user: {
|
|
103
|
+
id: string;
|
|
104
|
+
name?: string;
|
|
105
|
+
email?: string | null;
|
|
106
|
+
image?: string;
|
|
107
|
+
emailVerified: boolean;
|
|
108
|
+
[key: string]: any;
|
|
109
|
+
};
|
|
110
|
+
data: any;
|
|
111
|
+
}>) | undefined;
|
|
112
|
+
refreshAccessToken?: ((refreshToken: string) => Promise<better_auth0.OAuth2Tokens>) | undefined;
|
|
113
|
+
mapProfileToUser?: ((profile: better_auth_social_providers0.GoogleProfile) => {
|
|
114
|
+
id?: string;
|
|
115
|
+
name?: string;
|
|
116
|
+
email?: string | null;
|
|
117
|
+
image?: string;
|
|
118
|
+
emailVerified?: boolean;
|
|
119
|
+
[key: string]: any;
|
|
120
|
+
} | Promise<{
|
|
121
|
+
id?: string;
|
|
122
|
+
name?: string;
|
|
123
|
+
email?: string | null;
|
|
124
|
+
image?: string;
|
|
125
|
+
emailVerified?: boolean;
|
|
126
|
+
[key: string]: any;
|
|
127
|
+
}>) | undefined;
|
|
128
|
+
disableImplicitSignUp?: boolean | undefined;
|
|
129
|
+
disableSignUp?: boolean | undefined;
|
|
130
|
+
prompt?: ("select_account" | "consent" | "login" | "none" | "select_account consent") | undefined;
|
|
131
|
+
responseMode?: ("query" | "form_post") | undefined;
|
|
132
|
+
overrideUserInfoOnSignIn?: boolean | undefined;
|
|
133
|
+
};
|
|
89
134
|
} | undefined;
|
|
90
135
|
session: {
|
|
91
136
|
expiresIn: number;
|
|
@@ -726,32 +771,83 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
|
|
|
726
771
|
enabled: true;
|
|
727
772
|
};
|
|
728
773
|
};
|
|
774
|
+
}, {
|
|
775
|
+
id: "oauth-proxy";
|
|
776
|
+
options: better_auth_plugins20.OAuthProxyOptions | undefined;
|
|
777
|
+
endpoints: {
|
|
778
|
+
oAuthProxy: better_auth0.StrictEndpoint<"/oauth-proxy-callback", {
|
|
779
|
+
method: "GET";
|
|
780
|
+
operationId: string;
|
|
781
|
+
query: zod0.ZodObject<{
|
|
782
|
+
callbackURL: zod0.ZodString;
|
|
783
|
+
cookies: zod0.ZodString;
|
|
784
|
+
}, better_auth0.$strip>;
|
|
785
|
+
use: ((inputContext: better_auth0.MiddlewareInputContext<better_auth0.MiddlewareOptions>) => Promise<void>)[];
|
|
786
|
+
metadata: {
|
|
787
|
+
openapi: {
|
|
788
|
+
operationId: string;
|
|
789
|
+
description: string;
|
|
790
|
+
parameters: {
|
|
791
|
+
in: "query";
|
|
792
|
+
name: string;
|
|
793
|
+
required: true;
|
|
794
|
+
description: string;
|
|
795
|
+
}[];
|
|
796
|
+
responses: {
|
|
797
|
+
302: {
|
|
798
|
+
description: string;
|
|
799
|
+
headers: {
|
|
800
|
+
Location: {
|
|
801
|
+
description: string;
|
|
802
|
+
schema: {
|
|
803
|
+
type: string;
|
|
804
|
+
};
|
|
805
|
+
};
|
|
806
|
+
};
|
|
807
|
+
};
|
|
808
|
+
};
|
|
809
|
+
};
|
|
810
|
+
};
|
|
811
|
+
} & {
|
|
812
|
+
use: any[];
|
|
813
|
+
}, never>;
|
|
814
|
+
};
|
|
815
|
+
hooks: {
|
|
816
|
+
before: {
|
|
817
|
+
matcher(context: better_auth0.HookEndpointContext): boolean;
|
|
818
|
+
handler: (inputContext: better_auth0.MiddlewareInputContext<better_auth0.MiddlewareOptions>) => Promise<void>;
|
|
819
|
+
}[];
|
|
820
|
+
after: {
|
|
821
|
+
matcher(context: better_auth0.HookEndpointContext): boolean;
|
|
822
|
+
handler: (inputContext: better_auth0.MiddlewareInputContext<better_auth0.MiddlewareOptions>) => Promise<void>;
|
|
823
|
+
}[];
|
|
824
|
+
};
|
|
729
825
|
}, {
|
|
730
826
|
id: "organization";
|
|
731
|
-
endpoints:
|
|
827
|
+
endpoints: better_auth_plugins20.OrganizationEndpoints<{
|
|
732
828
|
allowUserToCreateOrganization: true;
|
|
733
|
-
ac:
|
|
829
|
+
ac: better_auth_plugins20.AccessControl;
|
|
734
830
|
roles: {
|
|
735
831
|
member: {
|
|
736
|
-
authorize<K_1 extends "function" | "organization" | "
|
|
737
|
-
actions:
|
|
832
|
+
authorize<K_1 extends "function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key] | {
|
|
833
|
+
actions: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key];
|
|
738
834
|
connector: "OR" | "AND";
|
|
739
|
-
} | undefined } : never, connector?: "OR" | "AND"):
|
|
740
|
-
statements:
|
|
835
|
+
} | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
|
|
836
|
+
statements: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>;
|
|
741
837
|
};
|
|
742
838
|
admin: {
|
|
743
|
-
authorize<K_1 extends "function" | "organization" | "
|
|
744
|
-
actions:
|
|
839
|
+
authorize<K_1 extends "function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key] | {
|
|
840
|
+
actions: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key];
|
|
745
841
|
connector: "OR" | "AND";
|
|
746
|
-
} | undefined } : never, connector?: "OR" | "AND"):
|
|
747
|
-
statements:
|
|
842
|
+
} | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
|
|
843
|
+
statements: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>;
|
|
748
844
|
};
|
|
749
845
|
owner: {
|
|
750
|
-
authorize<K_1 extends "function" | "organization" | "
|
|
751
|
-
actions:
|
|
846
|
+
authorize<K_1 extends "function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key] | {
|
|
847
|
+
actions: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key];
|
|
752
848
|
connector: "OR" | "AND";
|
|
753
|
-
} | undefined } : never, connector?: "OR" | "AND"):
|
|
754
|
-
statements:
|
|
849
|
+
} | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
|
|
850
|
+
statements: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>;
|
|
755
851
|
};
|
|
756
852
|
};
|
|
757
853
|
membershipLimit: number;
|
|
@@ -761,9 +857,9 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
|
|
|
761
857
|
id: string;
|
|
762
858
|
role: string;
|
|
763
859
|
email: string;
|
|
764
|
-
organization:
|
|
765
|
-
invitation:
|
|
766
|
-
inviter:
|
|
860
|
+
organization: better_auth_plugins20.Organization;
|
|
861
|
+
invitation: better_auth_plugins20.Invitation;
|
|
862
|
+
inviter: better_auth_plugins20.Member & {
|
|
767
863
|
user: better_auth0.User;
|
|
768
864
|
};
|
|
769
865
|
}): Promise<void>;
|
|
@@ -896,7 +992,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
|
|
|
896
992
|
organizationId: string;
|
|
897
993
|
email: string;
|
|
898
994
|
role: "member" | "admin" | "owner";
|
|
899
|
-
status:
|
|
995
|
+
status: better_auth_plugins20.InvitationStatus;
|
|
900
996
|
inviterId: string;
|
|
901
997
|
expiresAt: Date;
|
|
902
998
|
createdAt: Date;
|
|
@@ -935,7 +1031,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
|
|
|
935
1031
|
organizationId: string;
|
|
936
1032
|
email: string;
|
|
937
1033
|
role: "member" | "admin" | "owner";
|
|
938
|
-
status:
|
|
1034
|
+
status: better_auth_plugins20.InvitationStatus;
|
|
939
1035
|
inviterId: string;
|
|
940
1036
|
expiresAt: Date;
|
|
941
1037
|
createdAt: Date;
|
|
@@ -1009,28 +1105,28 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
|
|
|
1009
1105
|
};
|
|
1010
1106
|
options: {
|
|
1011
1107
|
allowUserToCreateOrganization: true;
|
|
1012
|
-
ac:
|
|
1108
|
+
ac: better_auth_plugins20.AccessControl;
|
|
1013
1109
|
roles: {
|
|
1014
1110
|
member: {
|
|
1015
|
-
authorize<K_1 extends "function" | "organization" | "
|
|
1016
|
-
actions:
|
|
1111
|
+
authorize<K_1 extends "function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key] | {
|
|
1112
|
+
actions: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key];
|
|
1017
1113
|
connector: "OR" | "AND";
|
|
1018
|
-
} | undefined } : never, connector?: "OR" | "AND"):
|
|
1019
|
-
statements:
|
|
1114
|
+
} | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
|
|
1115
|
+
statements: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>;
|
|
1020
1116
|
};
|
|
1021
1117
|
admin: {
|
|
1022
|
-
authorize<K_1 extends "function" | "organization" | "
|
|
1023
|
-
actions:
|
|
1118
|
+
authorize<K_1 extends "function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key] | {
|
|
1119
|
+
actions: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key];
|
|
1024
1120
|
connector: "OR" | "AND";
|
|
1025
|
-
} | undefined } : never, connector?: "OR" | "AND"):
|
|
1026
|
-
statements:
|
|
1121
|
+
} | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
|
|
1122
|
+
statements: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>;
|
|
1027
1123
|
};
|
|
1028
1124
|
owner: {
|
|
1029
|
-
authorize<K_1 extends "function" | "organization" | "
|
|
1030
|
-
actions:
|
|
1125
|
+
authorize<K_1 extends "function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key] | {
|
|
1126
|
+
actions: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>[key];
|
|
1031
1127
|
connector: "OR" | "AND";
|
|
1032
|
-
} | undefined } : never, connector?: "OR" | "AND"):
|
|
1033
|
-
statements:
|
|
1128
|
+
} | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
|
|
1129
|
+
statements: better_auth_plugins20.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins20.Statements>;
|
|
1034
1130
|
};
|
|
1035
1131
|
};
|
|
1036
1132
|
membershipLimit: number;
|
|
@@ -1040,9 +1136,9 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
|
|
|
1040
1136
|
id: string;
|
|
1041
1137
|
role: string;
|
|
1042
1138
|
email: string;
|
|
1043
|
-
organization:
|
|
1044
|
-
invitation:
|
|
1045
|
-
inviter:
|
|
1139
|
+
organization: better_auth_plugins20.Organization;
|
|
1140
|
+
invitation: better_auth_plugins20.Invitation;
|
|
1141
|
+
inviter: better_auth_plugins20.Member & {
|
|
1046
1142
|
user: better_auth0.User;
|
|
1047
1143
|
};
|
|
1048
1144
|
}): Promise<void>;
|
package/dist/auth/auth.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","names":[],"sources":["../../src/auth/auth.ts"],"sourcesContent":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"auth.d.ts","names":[],"sources":["../../src/auth/auth.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;UAYiB,kBAAA;;;;;;;;;;EAAA,OAAA,CAAA,EAAA;IAoBA,EAAA,CAAA,EAAA,MAAA;IAoBA,KAAA,CAAA,EAAA,MAAA;IASA,aAAA,CAAA,EAAgB,MAAA;IAGrB,IAAA,CAAA,EAAA,MAAA;IACK,KAAA,CAAA,EAAA,MAAA;IAEJ,WAAA,CAAA,EAvCK,MAuCL,CAAA,MAAA,EAAA,MAAA,CAAA;EAEA,CAAA;;AAGI,UAxCA,kBAAA,CAwCc;EACd,UAAA,EAAA,MAAA;EAEJ,IAAA,EAAA,MAAA;EAEA,WAAA,EAAA,MAAA;EAAyB,QAAA,CAAA,EAAA,MAAA;EA0FtB,oBAAU,CAAA,EAAA,OAAA;EAAS,kBAAA,CAAA,EAAA,MAAA;EAAgB,eAAA,CAAA,EAAA,MAAA;;;IAiHuxhB,EAAA,CAAA,EAAA,MAAA;IAAA,KAAA,CAAA,EAAA,MAAA;;;;;kBAxOxzhB;;;UAID,iBAAA,CAoOu1vJ;EAAA,UAAA,EAAA,MAAA;;;;eA/Nz1vJ;eACA;;UAGE,gBAAA;;;YAGL;iBACK;;aAEJ;;aAEA;;UAGI,cAAA;iBACA;;aAEJ;;aAEA;;iBA0FG,UAAA,SAAmB,gCAAgB;;;sBAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;0DAiHuxhB;6BAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAA4jrI;;;6BAAA,YAAA,CAAA;;;;;gCAAk+C,YAAA;;;;;;;;;yBAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0BAjHrzvJ,WAAA,EAAA,MAAA;wBAAA,CAAA;wBAgHN,WAAA,EAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAAhC,MAAsB,kBAAkB"}
|
package/dist/auth/auth.js
CHANGED
|
@@ -9,7 +9,7 @@ import { eq } from "drizzle-orm";
|
|
|
9
9
|
import { sso } from "@better-auth/sso";
|
|
10
10
|
import { betterAuth } from "better-auth";
|
|
11
11
|
import { drizzleAdapter } from "better-auth/adapters/drizzle";
|
|
12
|
-
import { bearer, deviceAuthorization, organization } from "better-auth/plugins";
|
|
12
|
+
import { bearer, deviceAuthorization, oAuthProxy, organization } from "better-auth/plugins";
|
|
13
13
|
|
|
14
14
|
//#region src/auth/auth.ts
|
|
15
15
|
/**
|
|
@@ -69,7 +69,10 @@ function createAuth(config) {
|
|
|
69
69
|
requireEmailVerification: false,
|
|
70
70
|
autoSignIn: true
|
|
71
71
|
},
|
|
72
|
-
socialProviders: config.socialProviders?.google && { google:
|
|
72
|
+
socialProviders: config.socialProviders?.google && { google: {
|
|
73
|
+
...config.socialProviders.google,
|
|
74
|
+
...env.OAUTH_PROXY_PRODUCTION_URL && { redirectURI: `${env.OAUTH_PROXY_PRODUCTION_URL}/api/auth/callback/google` }
|
|
75
|
+
} },
|
|
73
76
|
session: {
|
|
74
77
|
expiresIn: 3600 * 24 * 7,
|
|
75
78
|
updateAge: 3600 * 24,
|
|
@@ -102,6 +105,7 @@ function createAuth(config) {
|
|
|
102
105
|
plugins: [
|
|
103
106
|
bearer(),
|
|
104
107
|
sso(),
|
|
108
|
+
oAuthProxy({ productionURL: env.OAUTH_PROXY_PRODUCTION_URL || config.baseURL }),
|
|
105
109
|
organization({
|
|
106
110
|
allowUserToCreateOrganization: true,
|
|
107
111
|
ac,
|
package/dist/auth/auth.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","names":["domainParts: string[]","authSchema.ssoProvider","auth"],"sources":["../../src/auth/auth.ts"],"sourcesContent":["import { sso } from '@better-auth/sso';\nimport { type BetterAuthAdvancedOptions, betterAuth } from 'better-auth';\nimport { drizzleAdapter } from 'better-auth/adapters/drizzle';\nimport { bearer, deviceAuthorization, organization } from 'better-auth/plugins';\nimport type { GoogleOptions } from 'better-auth/social-providers';\nimport { eq } from 'drizzle-orm';\nimport type { DatabaseClient } from '../db/client';\nimport { env } from '../env';\nimport { generateId } from '../utils';\nimport * as authSchema from './auth-schema';\nimport { ac, adminRole, memberRole, ownerRole } from './permissions';\n\nexport interface OIDCProviderConfig {\n clientId: string;\n clientSecret: string;\n authorizationEndpoint?: string;\n tokenEndpoint?: string;\n userinfoEndpoint?: string;\n jwksEndpoint?: string;\n discoveryEndpoint?: string;\n scopes?: string[];\n pkce?: boolean;\n mapping?: {\n id?: string;\n email?: string;\n emailVerified?: string;\n name?: string;\n image?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SAMLProviderConfig {\n entryPoint: string;\n cert: string;\n callbackUrl: string;\n audience?: string;\n wantAssertionsSigned?: boolean;\n signatureAlgorithm?: string;\n digestAlgorithm?: string;\n identifierFormat?: string;\n mapping?: {\n id?: string;\n email?: string;\n name?: string;\n firstName?: string;\n lastName?: string;\n emailVerified?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SSOProviderConfig {\n providerId: string;\n issuer: string;\n domain: string;\n organizationId?: string;\n oidcConfig?: OIDCProviderConfig;\n samlConfig?: SAMLProviderConfig;\n}\n\nexport interface BetterAuthConfig {\n baseURL: string;\n secret: string;\n dbClient: DatabaseClient;\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\nexport interface UserAuthConfig {\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\n/**\n * Extracts the root domain from a URL for cross-subdomain cookie sharing.\n * For example:\n * - https://manage-api.pilot.inkeep.com -> .pilot.inkeep.com\n * - https://pilot.inkeep.com -> .pilot.inkeep.com\n * - http://localhost:3002 -> undefined (no domain for localhost)\n *\n * The logic extracts the parent domain that can be shared across subdomains.\n * For domains with 3+ parts, it takes everything except the first part.\n * For domains with exactly 2 parts, it takes both parts.\n */\nfunction extractCookieDomain(baseURL: string): string | undefined {\n try {\n const url = new URL(baseURL);\n const hostname = url.hostname;\n\n // Don't set domain for localhost or IP addresses\n if (hostname === 'localhost' || hostname.match(/^\\d+\\.\\d+\\.\\d+\\.\\d+$/)) {\n return undefined;\n }\n\n // Split hostname into parts\n const parts = hostname.split('.');\n\n // We need at least 2 parts to form a domain (e.g., inkeep.com)\n if (parts.length < 2) {\n return undefined;\n }\n\n // Extract the parent domain that can be shared across subdomains\n // Examples:\n // - pilot.inkeep.com (3 parts) -> take all 3 parts -> .pilot.inkeep.com\n // - manage-api.pilot.inkeep.com (4 parts) -> take last 3 parts -> .pilot.inkeep.com\n // - inkeep.com (2 parts) -> take both parts -> .inkeep.com\n\n let domainParts: string[];\n if (parts.length === 3) {\n // For 3-part domains like pilot.inkeep.com, take all parts\n domainParts = parts;\n } else if (parts.length > 3) {\n // For 4+ part domains like manage-api.pilot.inkeep.com, take everything except first\n domainParts = parts.slice(1);\n } else {\n // For 2-part domains like inkeep.com, take both parts\n domainParts = parts;\n }\n\n return `.${domainParts.join('.')}`;\n } catch {\n return undefined;\n }\n}\n\nasync function registerSSOProvider(\n dbClient: DatabaseClient,\n provider: SSOProviderConfig\n): Promise<void> {\n try {\n const existing = await dbClient\n .select()\n .from(authSchema.ssoProvider)\n .where(eq(authSchema.ssoProvider.providerId, provider.providerId))\n .limit(1);\n\n if (existing.length > 0) {\n return;\n }\n\n if (!provider.domain) {\n throw new Error(`SSO provider '${provider.providerId}' must have a domain`);\n }\n\n await dbClient.insert(authSchema.ssoProvider).values({\n id: generateId(),\n providerId: provider.providerId,\n issuer: provider.issuer,\n domain: provider.domain,\n oidcConfig: provider.oidcConfig ? JSON.stringify(provider.oidcConfig) : null,\n samlConfig: provider.samlConfig ? JSON.stringify(provider.samlConfig) : null,\n userId: null,\n organizationId: provider.organizationId || null,\n });\n } catch (error) {\n console.error(`❌ Failed to register SSO provider '${provider.providerId}':`, error);\n }\n}\n\nexport function createAuth(config: BetterAuthConfig) {\n // Extract cookie domain from baseURL for cross-subdomain cookie sharing\n const cookieDomain = extractCookieDomain(config.baseURL);\n\n const auth = betterAuth({\n baseURL: config.baseURL,\n secret: config.secret,\n database: drizzleAdapter(config.dbClient, {\n provider: 'pg',\n }),\n emailAndPassword: {\n enabled: true,\n minPasswordLength: 8,\n maxPasswordLength: 128,\n requireEmailVerification: false,\n autoSignIn: true,\n },\n socialProviders: config.socialProviders?.google && {\n google: config.socialProviders.google,\n },\n session: {\n expiresIn: 60 * 60 * 24 * 7,\n updateAge: 60 * 60 * 24,\n cookieCache: {\n enabled: true,\n maxAge: 5 * 60,\n strategy: 'compact',\n },\n },\n advanced: {\n crossSubDomainCookies: {\n enabled: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n defaultCookieAttributes: {\n sameSite: 'none',\n secure: true,\n httpOnly: true,\n partitioned: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n ...config.advanced,\n },\n trustedOrigins: [\n 'http://localhost:3000',\n 'http://localhost:3002',\n env.INKEEP_AGENTS_MANAGE_UI_URL,\n env.INKEEP_AGENTS_MANAGE_API_URL,\n ].filter((origin): origin is string => typeof origin === 'string' && origin.length > 0),\n plugins: [\n bearer(),\n sso(),\n organization({\n allowUserToCreateOrganization: true,\n ac,\n roles: {\n member: memberRole,\n admin: adminRole,\n owner: ownerRole,\n },\n membershipLimit: 300,\n invitationLimit: 300,\n invitationExpiresIn: 7 * 24 * 60 * 60, // 7 days (in seconds)\n async sendInvitationEmail(data) {\n console.log('📧 Invitation created:', {\n email: data.email,\n invitedBy: data.inviter.user.name || data.inviter.user.email,\n organization: data.organization.name,\n invitationId: data.id,\n });\n\n // Note: The invitation link is displayed in the UI with a copy button.\n // If you want to send actual emails, configure an email provider:\n // - Resend: await resend.emails.send({ ... })\n // - SendGrid: await sgMail.send({ ... })\n // - AWS SES: await ses.sendEmail({ ... })\n // - Postmark: await postmark.sendEmail({ ... })\n },\n }),\n deviceAuthorization({\n verificationUri: '/device',\n expiresIn: '60m', // 30 minutes\n interval: '5s', // 5 second polling interval\n userCodeLength: 8, // e.g., \"ABCD-EFGH\"\n }),\n ],\n });\n\n if (config.ssoProviders?.length) {\n const providers = config.ssoProviders;\n setTimeout(async () => {\n for (const provider of providers) {\n await registerSSOProvider(config.dbClient, provider);\n }\n }, 1000);\n }\n\n return auth;\n}\n\n// Type placeholder for type inference in consuming code (e.g., app.ts AppVariables)\n// Actual auth instances should be created using createAuth() with a real database client\n// This is cast as any to avoid instantiation while preserving type information\nexport const auth = null as any as ReturnType<typeof createAuth>;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AA2FA,SAAS,oBAAoB,SAAqC;AAChE,KAAI;EAEF,MAAM,WADM,IAAI,IAAI,QAAQ,CACP;AAGrB,MAAI,aAAa,eAAe,SAAS,MAAM,uBAAuB,CACpE;EAIF,MAAM,QAAQ,SAAS,MAAM,IAAI;AAGjC,MAAI,MAAM,SAAS,EACjB;EASF,IAAIA;AACJ,MAAI,MAAM,WAAW,EAEnB,eAAc;WACL,MAAM,SAAS,EAExB,eAAc,MAAM,MAAM,EAAE;MAG5B,eAAc;AAGhB,SAAO,IAAI,YAAY,KAAK,IAAI;SAC1B;AACN;;;AAIJ,eAAe,oBACb,UACA,UACe;AACf,KAAI;AAOF,OANiB,MAAM,SACpB,QAAQ,CACR,KAAKC,YAAuB,CAC5B,MAAM,eAA0B,YAAY,SAAS,WAAW,CAAC,CACjE,MAAM,EAAE,EAEE,SAAS,EACpB;AAGF,MAAI,CAAC,SAAS,OACZ,OAAM,IAAI,MAAM,iBAAiB,SAAS,WAAW,sBAAsB;AAG7E,QAAM,SAAS,OAAOA,YAAuB,CAAC,OAAO;GACnD,IAAI,YAAY;GAChB,YAAY,SAAS;GACrB,QAAQ,SAAS;GACjB,QAAQ,SAAS;GACjB,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,QAAQ;GACR,gBAAgB,SAAS,kBAAkB;GAC5C,CAAC;UACK,OAAO;AACd,UAAQ,MAAM,sCAAsC,SAAS,WAAW,KAAK,MAAM;;;AAIvF,SAAgB,WAAW,QAA0B;CAEnD,MAAM,eAAe,oBAAoB,OAAO,QAAQ;CAExD,MAAMC,SAAO,WAAW;EACtB,SAAS,OAAO;EAChB,QAAQ,OAAO;EACf,UAAU,eAAe,OAAO,UAAU,EACxC,UAAU,MACX,CAAC;EACF,kBAAkB;GAChB,SAAS;GACT,mBAAmB;GACnB,mBAAmB;GACnB,0BAA0B;GAC1B,YAAY;GACb;EACD,iBAAiB,OAAO,iBAAiB,UAAU,EACjD,QAAQ,OAAO,gBAAgB,QAChC;EACD,SAAS;GACP,WAAW,OAAU,KAAK;GAC1B,WAAW,OAAU;GACrB,aAAa;IACX,SAAS;IACT,QAAQ;IACR,UAAU;IACX;GACF;EACD,UAAU;GACR,uBAAuB;IACrB,SAAS;IACT,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,yBAAyB;IACvB,UAAU;IACV,QAAQ;IACR,UAAU;IACV,aAAa;IACb,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,GAAG,OAAO;GACX;EACD,gBAAgB;GACd;GACA;GACA,IAAI;GACJ,IAAI;GACL,CAAC,QAAQ,WAA6B,OAAO,WAAW,YAAY,OAAO,SAAS,EAAE;EACvF,SAAS;GACP,QAAQ;GACR,KAAK;GACL,aAAa;IACX,+BAA+B;IAC/B;IACA,OAAO;KACL,QAAQ;KACR,OAAO;KACP,OAAO;KACR;IACD,iBAAiB;IACjB,iBAAiB;IACjB,qBAAqB,QAAc;IACnC,MAAM,oBAAoB,MAAM;AAC9B,aAAQ,IAAI,0BAA0B;MACpC,OAAO,KAAK;MACZ,WAAW,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,KAAK;MACvD,cAAc,KAAK,aAAa;MAChC,cAAc,KAAK;MACpB,CAAC;;IASL,CAAC;GACF,oBAAoB;IAClB,iBAAiB;IACjB,WAAW;IACX,UAAU;IACV,gBAAgB;IACjB,CAAC;GACH;EACF,CAAC;AAEF,KAAI,OAAO,cAAc,QAAQ;EAC/B,MAAM,YAAY,OAAO;AACzB,aAAW,YAAY;AACrB,QAAK,MAAM,YAAY,UACrB,OAAM,oBAAoB,OAAO,UAAU,SAAS;KAErD,IAAK;;AAGV,QAAOA;;AAMT,MAAa,OAAO"}
|
|
1
|
+
{"version":3,"file":"auth.js","names":["domainParts: string[]","authSchema.ssoProvider","auth"],"sources":["../../src/auth/auth.ts"],"sourcesContent":["import { sso } from '@better-auth/sso';\nimport { type BetterAuthAdvancedOptions, betterAuth } from 'better-auth';\nimport { drizzleAdapter } from 'better-auth/adapters/drizzle';\nimport { bearer, deviceAuthorization, oAuthProxy, organization } from 'better-auth/plugins';\nimport type { GoogleOptions } from 'better-auth/social-providers';\nimport { eq } from 'drizzle-orm';\nimport type { DatabaseClient } from '../db/client';\nimport { env } from '../env';\nimport { generateId } from '../utils';\nimport * as authSchema from './auth-schema';\nimport { ac, adminRole, memberRole, ownerRole } from './permissions';\n\nexport interface OIDCProviderConfig {\n clientId: string;\n clientSecret: string;\n authorizationEndpoint?: string;\n tokenEndpoint?: string;\n userinfoEndpoint?: string;\n jwksEndpoint?: string;\n discoveryEndpoint?: string;\n scopes?: string[];\n pkce?: boolean;\n mapping?: {\n id?: string;\n email?: string;\n emailVerified?: string;\n name?: string;\n image?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SAMLProviderConfig {\n entryPoint: string;\n cert: string;\n callbackUrl: string;\n audience?: string;\n wantAssertionsSigned?: boolean;\n signatureAlgorithm?: string;\n digestAlgorithm?: string;\n identifierFormat?: string;\n mapping?: {\n id?: string;\n email?: string;\n name?: string;\n firstName?: string;\n lastName?: string;\n emailVerified?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SSOProviderConfig {\n providerId: string;\n issuer: string;\n domain: string;\n organizationId?: string;\n oidcConfig?: OIDCProviderConfig;\n samlConfig?: SAMLProviderConfig;\n}\n\nexport interface BetterAuthConfig {\n baseURL: string;\n secret: string;\n dbClient: DatabaseClient;\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\nexport interface UserAuthConfig {\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\n/**\n * Extracts the root domain from a URL for cross-subdomain cookie sharing.\n * For example:\n * - https://manage-api.pilot.inkeep.com -> .pilot.inkeep.com\n * - https://pilot.inkeep.com -> .pilot.inkeep.com\n * - http://localhost:3002 -> undefined (no domain for localhost)\n *\n * The logic extracts the parent domain that can be shared across subdomains.\n * For domains with 3+ parts, it takes everything except the first part.\n * For domains with exactly 2 parts, it takes both parts.\n */\nfunction extractCookieDomain(baseURL: string): string | undefined {\n try {\n const url = new URL(baseURL);\n const hostname = url.hostname;\n\n // Don't set domain for localhost or IP addresses\n if (hostname === 'localhost' || hostname.match(/^\\d+\\.\\d+\\.\\d+\\.\\d+$/)) {\n return undefined;\n }\n\n // Split hostname into parts\n const parts = hostname.split('.');\n\n // We need at least 2 parts to form a domain (e.g., inkeep.com)\n if (parts.length < 2) {\n return undefined;\n }\n\n // Extract the parent domain that can be shared across subdomains\n // Examples:\n // - pilot.inkeep.com (3 parts) -> take all 3 parts -> .pilot.inkeep.com\n // - manage-api.pilot.inkeep.com (4 parts) -> take last 3 parts -> .pilot.inkeep.com\n // - inkeep.com (2 parts) -> take both parts -> .inkeep.com\n\n let domainParts: string[];\n if (parts.length === 3) {\n // For 3-part domains like pilot.inkeep.com, take all parts\n domainParts = parts;\n } else if (parts.length > 3) {\n // For 4+ part domains like manage-api.pilot.inkeep.com, take everything except first\n domainParts = parts.slice(1);\n } else {\n // For 2-part domains like inkeep.com, take both parts\n domainParts = parts;\n }\n\n return `.${domainParts.join('.')}`;\n } catch {\n return undefined;\n }\n}\n\nasync function registerSSOProvider(\n dbClient: DatabaseClient,\n provider: SSOProviderConfig\n): Promise<void> {\n try {\n const existing = await dbClient\n .select()\n .from(authSchema.ssoProvider)\n .where(eq(authSchema.ssoProvider.providerId, provider.providerId))\n .limit(1);\n\n if (existing.length > 0) {\n return;\n }\n\n if (!provider.domain) {\n throw new Error(`SSO provider '${provider.providerId}' must have a domain`);\n }\n\n await dbClient.insert(authSchema.ssoProvider).values({\n id: generateId(),\n providerId: provider.providerId,\n issuer: provider.issuer,\n domain: provider.domain,\n oidcConfig: provider.oidcConfig ? JSON.stringify(provider.oidcConfig) : null,\n samlConfig: provider.samlConfig ? JSON.stringify(provider.samlConfig) : null,\n userId: null,\n organizationId: provider.organizationId || null,\n });\n } catch (error) {\n console.error(`❌ Failed to register SSO provider '${provider.providerId}':`, error);\n }\n}\n\nexport function createAuth(config: BetterAuthConfig) {\n // Extract cookie domain from baseURL for cross-subdomain cookie sharing\n const cookieDomain = extractCookieDomain(config.baseURL);\n\n const auth = betterAuth({\n baseURL: config.baseURL,\n secret: config.secret,\n database: drizzleAdapter(config.dbClient, {\n provider: 'pg',\n }),\n emailAndPassword: {\n enabled: true,\n minPasswordLength: 8,\n maxPasswordLength: 128,\n requireEmailVerification: false,\n autoSignIn: true,\n },\n socialProviders: config.socialProviders?.google && {\n google: {\n ...config.socialProviders.google,\n // For local/preview env, redirect to production URL registered in Google Console\n ...(env.OAUTH_PROXY_PRODUCTION_URL && {\n redirectURI: `${env.OAUTH_PROXY_PRODUCTION_URL}/api/auth/callback/google`,\n }),\n },\n },\n session: {\n expiresIn: 60 * 60 * 24 * 7,\n updateAge: 60 * 60 * 24,\n cookieCache: {\n enabled: true,\n maxAge: 5 * 60,\n strategy: 'compact',\n },\n },\n advanced: {\n crossSubDomainCookies: {\n enabled: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n defaultCookieAttributes: {\n sameSite: 'none',\n secure: true,\n httpOnly: true,\n partitioned: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n ...config.advanced,\n },\n trustedOrigins: [\n 'http://localhost:3000',\n 'http://localhost:3002',\n env.INKEEP_AGENTS_MANAGE_UI_URL,\n env.INKEEP_AGENTS_MANAGE_API_URL,\n ].filter((origin): origin is string => typeof origin === 'string' && origin.length > 0),\n plugins: [\n bearer(),\n sso(),\n oAuthProxy({\n productionURL: env.OAUTH_PROXY_PRODUCTION_URL || config.baseURL,\n }),\n organization({\n allowUserToCreateOrganization: true,\n ac,\n roles: {\n member: memberRole,\n admin: adminRole,\n owner: ownerRole,\n },\n membershipLimit: 300,\n invitationLimit: 300,\n invitationExpiresIn: 7 * 24 * 60 * 60, // 7 days (in seconds)\n async sendInvitationEmail(data) {\n console.log('📧 Invitation created:', {\n email: data.email,\n invitedBy: data.inviter.user.name || data.inviter.user.email,\n organization: data.organization.name,\n invitationId: data.id,\n });\n\n // Note: The invitation link is displayed in the UI with a copy button.\n // If you want to send actual emails, configure an email provider:\n // - Resend: await resend.emails.send({ ... })\n // - SendGrid: await sgMail.send({ ... })\n // - AWS SES: await ses.sendEmail({ ... })\n // - Postmark: await postmark.sendEmail({ ... })\n },\n }),\n deviceAuthorization({\n verificationUri: '/device',\n expiresIn: '60m', // 30 minutes\n interval: '5s', // 5 second polling interval\n userCodeLength: 8, // e.g., \"ABCD-EFGH\"\n }),\n ],\n });\n\n if (config.ssoProviders?.length) {\n const providers = config.ssoProviders;\n setTimeout(async () => {\n for (const provider of providers) {\n await registerSSOProvider(config.dbClient, provider);\n }\n }, 1000);\n }\n\n return auth;\n}\n\n// Type placeholder for type inference in consuming code (e.g., app.ts AppVariables)\n// Actual auth instances should be created using createAuth() with a real database client\n// This is cast as any to avoid instantiation while preserving type information\nexport const auth = null as any as ReturnType<typeof createAuth>;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AA2FA,SAAS,oBAAoB,SAAqC;AAChE,KAAI;EAEF,MAAM,WADM,IAAI,IAAI,QAAQ,CACP;AAGrB,MAAI,aAAa,eAAe,SAAS,MAAM,uBAAuB,CACpE;EAIF,MAAM,QAAQ,SAAS,MAAM,IAAI;AAGjC,MAAI,MAAM,SAAS,EACjB;EASF,IAAIA;AACJ,MAAI,MAAM,WAAW,EAEnB,eAAc;WACL,MAAM,SAAS,EAExB,eAAc,MAAM,MAAM,EAAE;MAG5B,eAAc;AAGhB,SAAO,IAAI,YAAY,KAAK,IAAI;SAC1B;AACN;;;AAIJ,eAAe,oBACb,UACA,UACe;AACf,KAAI;AAOF,OANiB,MAAM,SACpB,QAAQ,CACR,KAAKC,YAAuB,CAC5B,MAAM,eAA0B,YAAY,SAAS,WAAW,CAAC,CACjE,MAAM,EAAE,EAEE,SAAS,EACpB;AAGF,MAAI,CAAC,SAAS,OACZ,OAAM,IAAI,MAAM,iBAAiB,SAAS,WAAW,sBAAsB;AAG7E,QAAM,SAAS,OAAOA,YAAuB,CAAC,OAAO;GACnD,IAAI,YAAY;GAChB,YAAY,SAAS;GACrB,QAAQ,SAAS;GACjB,QAAQ,SAAS;GACjB,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,QAAQ;GACR,gBAAgB,SAAS,kBAAkB;GAC5C,CAAC;UACK,OAAO;AACd,UAAQ,MAAM,sCAAsC,SAAS,WAAW,KAAK,MAAM;;;AAIvF,SAAgB,WAAW,QAA0B;CAEnD,MAAM,eAAe,oBAAoB,OAAO,QAAQ;CAExD,MAAMC,SAAO,WAAW;EACtB,SAAS,OAAO;EAChB,QAAQ,OAAO;EACf,UAAU,eAAe,OAAO,UAAU,EACxC,UAAU,MACX,CAAC;EACF,kBAAkB;GAChB,SAAS;GACT,mBAAmB;GACnB,mBAAmB;GACnB,0BAA0B;GAC1B,YAAY;GACb;EACD,iBAAiB,OAAO,iBAAiB,UAAU,EACjD,QAAQ;GACN,GAAG,OAAO,gBAAgB;GAE1B,GAAI,IAAI,8BAA8B,EACpC,aAAa,GAAG,IAAI,2BAA2B,4BAChD;GACF,EACF;EACD,SAAS;GACP,WAAW,OAAU,KAAK;GAC1B,WAAW,OAAU;GACrB,aAAa;IACX,SAAS;IACT,QAAQ;IACR,UAAU;IACX;GACF;EACD,UAAU;GACR,uBAAuB;IACrB,SAAS;IACT,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,yBAAyB;IACvB,UAAU;IACV,QAAQ;IACR,UAAU;IACV,aAAa;IACb,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,GAAG,OAAO;GACX;EACD,gBAAgB;GACd;GACA;GACA,IAAI;GACJ,IAAI;GACL,CAAC,QAAQ,WAA6B,OAAO,WAAW,YAAY,OAAO,SAAS,EAAE;EACvF,SAAS;GACP,QAAQ;GACR,KAAK;GACL,WAAW,EACT,eAAe,IAAI,8BAA8B,OAAO,SACzD,CAAC;GACF,aAAa;IACX,+BAA+B;IAC/B;IACA,OAAO;KACL,QAAQ;KACR,OAAO;KACP,OAAO;KACR;IACD,iBAAiB;IACjB,iBAAiB;IACjB,qBAAqB,QAAc;IACnC,MAAM,oBAAoB,MAAM;AAC9B,aAAQ,IAAI,0BAA0B;MACpC,OAAO,KAAK;MACZ,WAAW,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,KAAK;MACvD,cAAc,KAAK,aAAa;MAChC,cAAc,KAAK;MACpB,CAAC;;IASL,CAAC;GACF,oBAAoB;IAClB,iBAAiB;IACjB,WAAW;IACX,UAAU;IACV,gBAAgB;IACjB,CAAC;GACH;EACF,CAAC;AAEF,KAAI,OAAO,cAAc,QAAQ;EAC/B,MAAM,YAAY,OAAO;AACzB,aAAW,YAAY;AACrB,QAAK,MAAM,YAAY,UACrB,OAAM,oBAAoB,OAAO,UAAU,SAAS;KAErD,IAAK;;AAGV,QAAOA;;AAMT,MAAa,OAAO"}
|
|
@@ -1,28 +1,28 @@
|
|
|
1
|
-
import * as
|
|
1
|
+
import * as better_auth_plugins0 from "better-auth/plugins";
|
|
2
2
|
import { AccessControl } from "better-auth/plugins/access";
|
|
3
3
|
|
|
4
4
|
//#region src/auth/permissions.d.ts
|
|
5
5
|
declare const ac: AccessControl;
|
|
6
6
|
declare const memberRole: {
|
|
7
|
-
authorize<K_1 extends "function" | "organization" | "
|
|
8
|
-
actions:
|
|
7
|
+
authorize<K_1 extends "function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
|
|
8
|
+
actions: better_auth_plugins0.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins0.Statements>[key];
|
|
9
9
|
connector: "OR" | "AND";
|
|
10
|
-
} | undefined } : never, connector?: "OR" | "AND"):
|
|
11
|
-
statements:
|
|
10
|
+
} | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
|
|
11
|
+
statements: better_auth_plugins0.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins0.Statements>;
|
|
12
12
|
};
|
|
13
13
|
declare const adminRole: {
|
|
14
|
-
authorize<K_1 extends "function" | "organization" | "
|
|
15
|
-
actions:
|
|
14
|
+
authorize<K_1 extends "function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
|
|
15
|
+
actions: better_auth_plugins0.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins0.Statements>[key];
|
|
16
16
|
connector: "OR" | "AND";
|
|
17
|
-
} | undefined } : never, connector?: "OR" | "AND"):
|
|
18
|
-
statements:
|
|
17
|
+
} | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
|
|
18
|
+
statements: better_auth_plugins0.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins0.Statements>;
|
|
19
19
|
};
|
|
20
20
|
declare const ownerRole: {
|
|
21
|
-
authorize<K_1 extends "function" | "organization" | "
|
|
22
|
-
actions:
|
|
21
|
+
authorize<K_1 extends "function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
|
|
22
|
+
actions: better_auth_plugins0.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins0.Statements>[key];
|
|
23
23
|
connector: "OR" | "AND";
|
|
24
|
-
} | undefined } : never, connector?: "OR" | "AND"):
|
|
25
|
-
statements:
|
|
24
|
+
} | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
|
|
25
|
+
statements: better_auth_plugins0.Subset<"function" | "organization" | "member" | "invitation" | "agent" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "team", better_auth_plugins0.Statements>;
|
|
26
26
|
};
|
|
27
27
|
//#endregion
|
|
28
28
|
export { ac, adminRole, memberRole, ownerRole };
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"permissions.d.ts","names":[],"sources":["../../src/auth/permissions.ts"],"sourcesContent":[],"mappings":";;;;cAwBa,IAAuC;cAEvC;;IAFA,OAAoD,
|
|
1
|
+
{"version":3,"file":"permissions.d.ts","names":[],"sources":["../../src/auth/permissions.ts"],"sourcesContent":[],"mappings":";;;;cAwBa,IAAuC;cAEvC;;IAFA,OAAoD,6BAAA,CAAA,UAAA,GAAA,cAAA,GAAA,QAAA,GAAA,YAAA,GAAA,OAAA,GAAA,SAAA,GAAA,WAAA,GAAA,MAAA,GAAA,SAAA,GAAA,YAAA,GAAA,gBAAA,GAAA,oBAAA,GAAA,gBAAA,GAAA,gBAAA,GAAA,IAAA,GAAA,MAAA,kCAAA,IAAA,CAAA;IAEpD,SAaX,EAAA,IAAA,GAAA,KAAA;;;;cAEW;;;;;;;cAeA;;;IAfA,SAaX,EAAA,IAAA,GAAA,KAAA"}
|