@invect/user-auth 0.0.1 → 0.0.3

package/dist/backend/index.mjs

@@ -213,16 +213,16 @@ function getErrorLogDetails(error) {
 	return { value: error };
 }
 /**
-* Abstract schema for better-auth's database tables.
+* Abstract schema for the user-auth plugin's database tables.
 *
-* These definitions allow the Invect CLI (`npx invect generate`) to include
-* the better-auth tables when generating Drizzle/Prisma schema files.
+* These definitions allow the Invect CLI (`npx invect-cli generate`) to include
+* the auth tables when generating Drizzle/Prisma schema files.
 *
-* The shapes match better-auth's default table structure. If your better-auth
+* The shapes match Better Auth's default table structure. If your Better Auth
 * config adds extra fields (e.g., via plugins like `twoFactor`, `organization`),
 * you can extend these in your own config.
 */
-const BETTER_AUTH_SCHEMA = {
+const USER_AUTH_SCHEMA = {
 	user: {
 		tableName: "user",
 		order: 1,
@@ -423,10 +423,161 @@ const BETTER_AUTH_SCHEMA = {
 				required: false
 			}
 		}
+	},
+	flowAccess: {
+		tableName: "flow_access",
+		order: 3,
+		fields: {
+			id: {
+				type: "uuid",
+				primaryKey: true,
+				defaultValue: "uuid()"
+			},
+			flowId: {
+				type: "string",
+				required: true,
+				references: {
+					table: "flows",
+					field: "id",
+					onDelete: "cascade"
+				}
+			},
+			userId: {
+				type: "string",
+				required: false
+			},
+			teamId: {
+				type: "string",
+				required: false
+			},
+			permission: {
+				type: "string",
+				required: true,
+				defaultValue: "viewer"
+			},
+			grantedBy: {
+				type: "string",
+				required: false
+			},
+			grantedAt: {
+				type: "date",
+				required: true,
+				defaultValue: "now()"
+			},
+			expiresAt: {
+				type: "date",
+				required: false
+			}
+		}
 	}
 };
 /**
-* Create a better-auth instance internally using Invect's database config.
+* Abstract schema for the Better Auth API Key plugin's `apikey` table.
+*
+* Only merged into the plugin schema when `apiKey` is enabled.
+*
+* @see https://better-auth.com/docs/plugins/api-key/reference#schema
+*/
+const API_KEY_SCHEMA = { apikey: {
+	tableName: "apikey",
+	order: 3,
+	fields: {
+		id: {
+			type: "string",
+			primaryKey: true
+		},
+		configId: {
+			type: "string",
+			required: true,
+			defaultValue: "default"
+		},
+		name: {
+			type: "string",
+			required: false
+		},
+		start: {
+			type: "string",
+			required: false
+		},
+		prefix: {
+			type: "string",
+			required: false
+		},
+		key: {
+			type: "string",
+			required: true
+		},
+		referenceId: {
+			type: "string",
+			required: true
+		},
+		refillInterval: {
+			type: "number",
+			required: false
+		},
+		refillAmount: {
+			type: "number",
+			required: false
+		},
+		lastRefillAt: {
+			type: "date",
+			required: false
+		},
+		enabled: {
+			type: "boolean",
+			required: false,
+			defaultValue: true
+		},
+		rateLimitEnabled: {
+			type: "boolean",
+			required: false
+		},
+		rateLimitTimeWindow: {
+			type: "number",
+			required: false
+		},
+		rateLimitMax: {
+			type: "number",
+			required: false
+		},
+		requestCount: {
+			type: "number",
+			required: false
+		},
+		remaining: {
+			type: "number",
+			required: false
+		},
+		lastRequest: {
+			type: "date",
+			required: false
+		},
+		expiresAt: {
+			type: "date",
+			required: false
+		},
+		createdAt: {
+			type: "date",
+			required: true,
+			defaultValue: "now()"
+		},
+		updatedAt: {
+			type: "date",
+			required: true,
+			defaultValue: "now()"
+		},
+		permissions: {
+			type: "string",
+			required: false
+		},
+		metadata: {
+			type: "string",
+			required: false
+		}
+	}
+} };
+/**
+* Create a Better Auth instance internally using Invect's database config.
 *
 * Dynamically imports `better-auth` (a required peer dependency) and creates
 * a fully-configured instance with email/password auth, the admin plugin,
@@ -434,7 +585,7 @@ const BETTER_AUTH_SCHEMA = {
 *
 * Database resolution order:
 * 1. Explicit `options.database` (any value `betterAuth({ database })` accepts)
-* 2. Auto-created client from Invect's `baseDatabaseConfig.connectionString`
+* 2. Auto-created client from Invect's `database.connectionString`
 */
 async function createInternalBetterAuth(invectConfig, options, logger) {
 	let betterAuthFn;
@@ -451,14 +602,14 @@ async function createInternalBetterAuth(invectConfig, options, logger) {
 	}
 	let database = options.database;
 	if (!database) {
-		const dbConfig = invectConfig.baseDatabaseConfig;
-		if (!dbConfig?.connectionString) throw new Error("Cannot create internal better-auth instance: no database configuration found. Either provide `auth` (a better-auth instance), `database`, or ensure Invect baseDatabaseConfig has a connectionString.");
+		const dbConfig = invectConfig.database;
+		if (!dbConfig?.connectionString) throw new Error("Cannot create internal Better Auth instance: no database configuration found. Either provide `auth` (a Better Auth instance), `database`, or ensure Invect database has a connectionString.");
 		const connStr = dbConfig.connectionString;
 		const dbType = (dbConfig.type ?? "sqlite").toLowerCase();
 		if (dbType === "sqlite") database = await createSQLiteClient(connStr, logger);
 		else if (dbType === "pg" || dbType === "postgresql") database = await createPostgresPool(connStr);
 		else if (dbType === "mysql") database = await createMySQLPool(connStr);
-		else throw new Error(`Unsupported database type for internal better-auth: "${dbType}". Supported: sqlite, pg, mysql. Alternatively, provide your own better-auth instance via \`auth\`.`);
+		else throw new Error(`Unsupported database type for internal Better Auth: "${dbType}". Supported: sqlite, pg, mysql. Alternatively, provide your own Better Auth instance via \`auth\`.`);
 	}
 	const baseURL = options.baseURL ?? process.env.BETTER_AUTH_URL ?? `http://localhost:${process.env.PORT ?? "3000"}`;
 	const trustedOrigins = options.trustedOrigins ?? ((request) => {
@@ -489,26 +640,53 @@ async function createInternalBetterAuth(invectConfig, options, logger) {
 			...passthrough.session.cookieCache
 		} } : {}
 	};
-	logger.info?.("Creating internal better-auth instance");
+	let resolvedSecret = passthrough.secret;
+	const resolvedSecrets = passthrough.secrets;
+	if (!resolvedSecret && !resolvedSecrets) {
+		const envKey = process.env.INVECT_ENCRYPTION_KEY;
+		if (envKey) {
+			resolvedSecret = envKey;
+			logger.debug?.("Using INVECT_ENCRYPTION_KEY as Better Auth secret (no explicit secret/secrets provided)");
+		}
+	}
+	const apiKeyOpt = options.apiKey ?? passthrough.apiKey;
+	const betterAuthPlugins = [adminPlugin({
+		defaultRole: AUTH_DEFAULT_ROLE,
+		adminRoles: [AUTH_ADMIN_ROLE]
+	})];
+	if (apiKeyOpt) {
+		let apiKeyPluginFn;
+		try {
+			apiKeyPluginFn = (await import("@better-auth/api-key")).apiKey;
+		} catch {
+			throw new Error("Could not import \"@better-auth/api-key\". Install it with: npm install @better-auth/api-key");
+		}
+		const apiKeyConfig = typeof apiKeyOpt === "object" ? { ...apiKeyOpt } : {};
+		if (apiKeyConfig.apiKeyHeaders === void 0) apiKeyConfig.apiKeyHeaders = "x-invect-token";
+		if (apiKeyConfig.enableSessionForAPIKeys === void 0) apiKeyConfig.enableSessionForAPIKeys = true;
+		betterAuthPlugins.push(apiKeyPluginFn(apiKeyConfig));
+		logger.info?.("Better Auth API Key plugin enabled");
+	}
+	logger.info?.("Creating internal Better Auth instance");
 	return betterAuthFn({
 		baseURL,
 		database,
 		emailAndPassword,
-		plugins: [adminPlugin({
-			defaultRole: AUTH_DEFAULT_ROLE,
-			adminRoles: [AUTH_ADMIN_ROLE]
-		})],
+		plugins: betterAuthPlugins,
 		session,
 		trustedOrigins,
 		...passthrough.socialProviders ? { socialProviders: passthrough.socialProviders } : {},
 		...passthrough.account ? { account: passthrough.account } : {},
 		...passthrough.rateLimit ? { rateLimit: passthrough.rateLimit } : {},
-		...passthrough.advanced ? { advanced: passthrough.advanced } : {},
+		advanced: {
+			cookiePrefix: "invect",
+			...passthrough.advanced
+		},
 		...passthrough.databaseHooks ? { databaseHooks: passthrough.databaseHooks } : {},
 		...passthrough.hooks ? { hooks: passthrough.hooks } : {},
 		...passthrough.disabledPaths ? { disabledPaths: passthrough.disabledPaths } : {},
-		...passthrough.secret ? { secret: passthrough.secret } : {},
-		...passthrough.secrets ? { secrets: passthrough.secrets } : {}
+		...resolvedSecret ? { secret: resolvedSecret } : {},
+		...resolvedSecrets ? { secrets: resolvedSecrets } : {}
 	});
 }
 /** Create a SQLite client using better-sqlite3. */
@@ -516,7 +694,7 @@ async function createSQLiteClient(connectionString, logger) {
 	try {
 		const { default: Database } = await import("better-sqlite3");
 		const { Kysely, SqliteDialect, CamelCasePlugin } = await import("kysely");
-		logger.debug?.(`Using better-sqlite3 for internal better-auth database`);
+		logger.debug?.(`Using better-sqlite3 for internal Better Auth database`);
 		let dbPath = connectionString.replace(/^file:/, "");
 		if (dbPath === "") dbPath = ":memory:";
 		return {
@@ -527,7 +705,7 @@ async function createSQLiteClient(connectionString, logger) {
 			type: "sqlite"
 		};
 	} catch (err) {
-		if (err instanceof Error && err.message.includes("better-sqlite3")) throw new Error("Cannot create SQLite database for internal better-auth: install better-sqlite3 (npm install better-sqlite3). Alternatively, provide your own better-auth instance via the `auth` option.");
+		if (err instanceof Error && err.message.includes("better-sqlite3")) throw new Error("Cannot create SQLite database for internal Better Auth: install better-sqlite3 (npm install better-sqlite3). Alternatively, provide your own Better Auth instance via the `auth` option.");
 		throw err;
 	}
 }
@@ -537,7 +715,7 @@ async function createPostgresPool(connectionString) {
 		const { Pool } = await import("pg");
 		return new Pool({ connectionString });
 	} catch {
-		throw new Error("Cannot create PostgreSQL pool for internal better-auth: install the \"pg\" package. Alternatively, provide your own better-auth instance via the `auth` option.");
+		throw new Error("Cannot create PostgreSQL pool for internal Better Auth: install the \"pg\" package. Alternatively, provide your own Better Auth instance via the `auth` option.");
 	}
 }
 /** Create a MySQL pool from a connection string. */
@@ -545,15 +723,15 @@ async function createMySQLPool(connectionString) {
 	try {
 		return (await import("mysql2/promise")).createPool(connectionString);
 	} catch {
-		throw new Error("Cannot create MySQL pool for internal better-auth: install the \"mysql2\" package. Alternatively, provide your own better-auth instance via the `auth` option.");
+		throw new Error("Cannot create MySQL pool for internal Better Auth: install the \"mysql2\" package. Alternatively, provide your own Better Auth instance via the `auth` option.");
 	}
 }
 /**
-* Create an Invect plugin that wraps a better-auth instance.
+* Create the Invect user-auth plugin (a light wrapper around Better Auth).
 *
 * This plugin:
 *
-* 1. **Proxies better-auth routes** — All of better-auth's HTTP endpoints
+* 1. **Proxies Better Auth routes** — All of Better Auth's HTTP endpoints
 *    (sign-in, sign-up, sign-out, OAuth callbacks, session, etc.) are mounted
 *    under the plugin endpoint space at `/plugins/auth/api/auth/*` (configurable).
 *
@@ -561,17 +739,17 @@ async function createMySQLPool(connectionString) {
 *    `onRequest` hook reads the session cookie / bearer token via
 *    `auth.api.getSession()` and populates `InvectIdentity`.
 *
-* 3. **Handles authorization** — The `onAuthorize` hook lets better-auth's
+* 3. **Handles authorization** — The `onAuthorize` hook lets Better Auth's
 *    session decide whether a request is allowed.
 *
 * @example
 * ```ts
-* // Simple: let the plugin manage better-auth internally
-* import { betterAuthPlugin } from '@invect/user-auth';
+* // Simple: let the plugin manage Better Auth internally
+* import { authentication } from '@invect/user-auth';
 *
 * app.use('/invect', createInvectRouter({
 *   databaseUrl: 'file:./dev.db',
-*   plugins: [betterAuthPlugin({
+*   plugins: [authentication({
 *     globalAdmins: [{ email: 'admin@co.com', pw: 'secret' }],
 *   })],
 * }));
@@ -581,7 +759,7 @@ async function createMySQLPool(connectionString) {
 * ```ts
 * // Advanced: provide your own better-auth instance
 * import { betterAuth } from 'better-auth';
-* import { betterAuthPlugin } from '@invect/user-auth';
+* import { authentication } from '@invect/user-auth';
 *
 * const auth = betterAuth({
 *   database: { ... },
@@ -591,13 +769,18 @@ async function createMySQLPool(connectionString) {
 *
 * app.use('/invect', createInvectRouter({
 *   databaseUrl: 'file:./dev.db',
-*   plugins: [betterAuthPlugin({ auth })],
+*   plugins: [authentication({ auth })],
 * }));
 * ```
 */
-function betterAuthPlugin(options) {
+function authentication(options) {
 	const { prefix = DEFAULT_PREFIX, mapUser: customMapUser, mapRole = defaultMapRole, publicPaths = [], onSessionError = "throw", globalAdmins = [] } = options;
 	let auth = options.auth ?? null;
+	/** Narrow `auth` for call-sites that run only after init. */
+	function requireAuth() {
+		if (!auth) throw new Error("Auth plugin not initialized");
+		return auth;
+	}
 	let endpointLogger = console;
 	let betterAuthBasePath = "/api/auth";
 	/**
@@ -663,7 +846,7 @@ function betterAuthPlugin(options) {
 				body: method !== "GET" && method !== "DELETE" ? ctx.request.body : void 0,
 				duplex: method !== "GET" && method !== "DELETE" ? "half" : void 0
 			});
-			const response = await auth.handler(authRequest);
+			const response = await requireAuth().handler(authRequest);
 			endpointLogger.debug?.(`[auth-proxy] Response: ${response.status} ${response.statusText}`, {
 				setCookie: response.headers.get("set-cookie") ? "present" : "absent",
 				contentType: response.headers.get("content-type")
@@ -671,17 +854,25 @@ function betterAuthPlugin(options) {
 			return response;
 		}
 	}));
+	const apiKeyEnabled = !!(options.apiKey ?? options.betterAuthOptions?.apiKey);
+	const schema = apiKeyEnabled ? {
+		...USER_AUTH_SCHEMA,
+		...API_KEY_SCHEMA
+	} : USER_AUTH_SCHEMA;
+	const requiredTables = [
+		"user",
+		"session",
+		"account",
+		"verification",
+		"flow_access"
+	];
+	if (apiKeyEnabled) requiredTables.push("apikey");
 	return {
-		id: "better-auth",
-		name: "Better Auth",
-		schema: BETTER_AUTH_SCHEMA,
-		requiredTables: [
-			"user",
-			"session",
-			"account",
-			"verification"
-		],
-		setupInstructions: "Run `npx invect generate` to add the better-auth tables to your schema, then `npx drizzle-kit push` (or `npx invect migrate`) to apply.",
+		id: "user-auth",
+		name: "User Auth",
+		schema,
+		requiredTables,
+		setupInstructions: "Run `npx invect-cli generate` to add the better-auth tables to your schema, then `npx drizzle-kit push` (or `npx invect-cli migrate`) to apply.",
 		endpoints: [
 			{
 				method: "GET",
@@ -722,6 +913,145 @@ function betterAuthPlugin(options) {
 					};
 				}
 			},
+			{
+				method: "GET",
+				path: `/${prefix}/info`,
+				isPublic: false,
+				handler: async (ctx) => {
+					if (!await resolveEndpointIdentity(ctx)) return {
+						status: 401,
+						body: { error: "Unauthorized" }
+					};
+					return {
+						status: 200,
+						body: { apiKeysEnabled: apiKeyEnabled }
+					};
+				}
+			},
+			{
+				method: "GET",
+				path: `/${prefix}/api-keys`,
+				isPublic: false,
+				handler: async (ctx) => {
+					const identity = await resolveEndpointIdentity(ctx);
+					if (!identity || identity.role !== "admin") return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "Admin access required"
+						}
+					};
+					if (!apiKeyEnabled) return {
+						status: 400,
+						body: { error: "API keys are not enabled" }
+					};
+					try {
+						const result = await callBetterAuthHandler(auth, ctx.request, "/api-key/list", {
+							method: "GET",
+							query: ctx.query
+						});
+						if (result && result.status >= 200 && result.status < 300) return {
+							status: 200,
+							body: result.body
+						};
+						return {
+							status: result?.status ?? 500,
+							body: result?.body ?? { error: "Failed to list API keys" }
+						};
+					} catch (err) {
+						endpointLogger.error("Failed to list API keys", {
+							identity: sanitizeForLogging(identity),
+							error: getErrorLogDetails(err)
+						});
+						return toAuthApiErrorResponse("Failed to list API keys", err);
+					}
+				}
+			},
+			{
+				method: "POST",
+				path: `/${prefix}/api-keys`,
+				isPublic: false,
+				handler: async (ctx) => {
+					const identity = await resolveEndpointIdentity(ctx);
+					if (!identity || identity.role !== "admin") return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "Admin access required"
+						}
+					};
+					if (!apiKeyEnabled) return {
+						status: 400,
+						body: { error: "API keys are not enabled" }
+					};
+					const { name, expiresIn, prefix: keyPrefix } = ctx.body;
+					try {
+						const result = await callBetterAuthHandler(auth, ctx.request, "/api-key/create", {
+							method: "POST",
+							body: {
+								name: name || void 0,
+								expiresIn: expiresIn || void 0,
+								prefix: keyPrefix || void 0
+							}
+						});
+						if (result && result.status >= 200 && result.status < 300) return {
+							status: 201,
+							body: result.body
+						};
+						return {
+							status: result?.status ?? 500,
+							body: result?.body ?? { error: "Failed to create API key" }
+						};
+					} catch (err) {
+						endpointLogger.error("Failed to create API key", {
+							identity: sanitizeForLogging(identity),
+							error: getErrorLogDetails(err)
+						});
+						return toAuthApiErrorResponse("Failed to create API key", err);
+					}
+				}
+			},
+			{
+				method: "DELETE",
+				path: `/${prefix}/api-keys/:keyId`,
+				isPublic: false,
+				handler: async (ctx) => {
+					const identity = await resolveEndpointIdentity(ctx);
+					if (!identity || identity.role !== "admin") return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "Admin access required"
+						}
+					};
+					if (!apiKeyEnabled) return {
+						status: 400,
+						body: { error: "API keys are not enabled" }
+					};
+					const { keyId } = ctx.params;
+					try {
+						const result = await callBetterAuthHandler(auth, ctx.request, "/api-key/delete", {
+							method: "POST",
+							body: { keyId }
+						});
+						if (result && result.status >= 200 && result.status < 300) return {
+							status: 200,
+							body: { success: true }
+						};
+						return {
+							status: result?.status ?? 500,
+							body: result?.body ?? { error: "Failed to delete API key" }
+						};
+					} catch (err) {
+						endpointLogger.error("Failed to delete API key", {
+							identity: sanitizeForLogging(identity),
+							params: sanitizeForLogging(ctx.params),
+							error: getErrorLogDetails(err)
+						});
+						return toAuthApiErrorResponse("Failed to delete API key", err);
+					}
+				}
+			},
 			{
 				method: "GET",
 				path: `/${prefix}/users`,
@@ -736,7 +1066,7 @@ function betterAuthPlugin(options) {
 						}
 					};
 					try {
-						const api = auth.api;
+						const api = requireAuth().api;
 						const headers = toHeaders(ctx.headers);
 						if (typeof api.listUsers === "function") {
 							const listUsers = api.listUsers;
@@ -803,7 +1133,7 @@ function betterAuthPlugin(options) {
 						body: { error: "role must be one of: " + AUTH_ASSIGNABLE_ROLES.join(", ") }
 					};
 					try {
-						const api = auth.api;
+						const api = requireAuth().api;
 						const headers = toHeaders(ctx.headers);
 						let result = null;
 						if (typeof api.createUser === "function") {
@@ -894,7 +1224,7 @@ function betterAuthPlugin(options) {
 						body: { error: "role must be one of: " + AUTH_ASSIGNABLE_ROLES.join(", ") }
 					};
 					try {
-						const api = auth.api;
+						const api = requireAuth().api;
 						const headers = toHeaders(ctx.headers);
 						if (typeof api.setRole === "function") {
 							const setRole = api.setRole;
@@ -979,7 +1309,7 @@ function betterAuthPlugin(options) {
 						body: { error: "Cannot delete your own account" }
 					};
 					try {
-						const api = auth.api;
+						const api = requireAuth().api;
 						const headers = toHeaders(ctx.headers);
 						if (typeof api.removeUser === "function") {
 							const removeUser = api.removeUser;
@@ -1077,7 +1407,7 @@ function betterAuthPlugin(options) {
 			betterAuthBasePath = auth.options?.basePath ?? "/api/auth";
 			pluginContext.logger.info(`Better Auth plugin initialized (prefix: ${prefix}, basePath: ${betterAuthBasePath})`);
 			if (globalAdmins.length === 0) {
-				pluginContext.logger.debug("No global admins configured. Pass `globalAdmins` to betterAuthPlugin(...) to seed admin access.");
+				pluginContext.logger.debug("No global admins configured. Pass `globalAdmins` to authentication(...) to seed admin access.");
 				return;
 			}
 			for (const configuredAdmin of globalAdmins) {
@@ -1098,7 +1428,7 @@ function betterAuthPlugin(options) {
 						} else pluginContext.logger.debug(`Admin user already configured: ${adminEmail}`);
 						continue;
 					}
-					const api = auth.api;
+					const api = requireAuth().api;
 					let result = null;
 					if (typeof api.createUser === "function") {
 						const createUser = api.createUser;
@@ -1110,11 +1440,12 @@ function betterAuthPlugin(options) {
 								name: adminName,
 								role: "admin"
 							}
-						}).catch((err) => {
-							pluginContext.logger.error?.(`createUser failed for ${adminEmail}: ${err instanceof Error ? err.message : String(err)}`);
+						}).catch((_err) => {
+							pluginContext.logger.debug?.(`createUser API requires auth, falling back to signUpEmail for ${adminEmail}`);
 							return null;
 						});
-					} else if (typeof api.signUpEmail === "function") {
+					}
+					if (!result?.user && typeof api.signUpEmail === "function") {
 						const signUpEmail = api.signUpEmail;
 						result = await signUpEmail({ body: {
 							email: adminEmail,
@@ -1124,7 +1455,8 @@ function betterAuthPlugin(options) {
 							pluginContext.logger.error?.(`signUpEmail failed for ${adminEmail}: ${err instanceof Error ? err.message : String(err)}`);
 							return null;
 						});
-					} else {
+					}
+					if (!result?.user && typeof api.createUser !== "function" && typeof api.signUpEmail !== "function") {
 						pluginContext.logger.debug(`Could not create global admin ${adminEmail}: auth.api.createUser/signUpEmail are unavailable.`);
 						continue;
 					}
@@ -1159,6 +1491,29 @@ function isBetterAuthRoute(path, prefix, basePath) {
 	return path.startsWith(`/plugins/${prefix}${basePath}`);
 }
 //#endregion
-export { BETTER_AUTH_SCHEMA, betterAuthPlugin };
+//#region src/backend/index.ts
+/**
+* Create the auth plugin definition for Invect config.
+*
+* @example
+* ```ts
+* // Express (backend only):
+* auth({ adminEmail: '...' })
+*
+* // Next.js (with frontend):
+* import { authFrontend } from '@invect/user-auth/ui';
+* auth({ adminEmail: '...', frontend: authFrontend })
+* ```
+*/
+function auth(options) {
+	return {
+		id: "user-auth",
+		name: "User Authentication",
+		backend: authentication(options),
+		frontend: options.frontend
+	};
+}
+//#endregion
+export { USER_AUTH_SCHEMA, auth, authentication };
 
 //# sourceMappingURL=index.mjs.map