@invect/user-auth 0.0.1

package/dist/backend/index.mjs

@@ -0,0 +1,1164 @@
+import { i as AUTH_VISIBLE_ROLES, n as AUTH_ASSIGNABLE_ROLES, o as isAuthAssignableRole, r as AUTH_DEFAULT_ROLE, s as isAuthVisibleRole, t as AUTH_ADMIN_ROLE } from "../roles-CZuKFEpJ.mjs";
+//#region src/backend/plugin.ts
+const DEFAULT_PREFIX = "auth";
+/**
+* Default role mapping: keep admin/RBAC roles aligned and fall back to default.
+*/
+function defaultMapRole(role) {
+	if (!role) return AUTH_DEFAULT_ROLE;
+	if (role === "viewer" || role === "readonly") return "viewer";
+	if (isAuthVisibleRole(role)) return role;
+	return AUTH_DEFAULT_ROLE;
+}
+/**
+* Default user → identity mapping.
+*/
+function defaultMapUser(user, _session, mapRole) {
+	const resolvedRole = mapRole(user.role);
+	return {
+		id: user.id,
+		name: user.name ?? user.email ?? void 0,
+		role: resolvedRole,
+		permissions: resolvedRole === "admin" ? ["admin:*"] : void 0,
+		resourceAccess: resolvedRole === "admin" ? {
+			flows: "*",
+			credentials: "*"
+		} : void 0
+	};
+}
+/**
+* Simple in-memory sliding-window rate limiter.
+*
+* Keyed by IP address (or a fallback identifier). Tracks request timestamps
+* per window and rejects requests that exceed the limit with HTTP 429.
+*
+* Only applied to authentication-sensitive endpoints (sign-in, sign-up,
+* password reset) to prevent brute-force attacks. Session reads (GET) are
+* not rate-limited.
+*/
+var RateLimiter = class {
+	windows = /* @__PURE__ */ new Map();
+	maxRequests;
+	windowMs;
+	constructor(maxRequests = 10, windowMs = 6e4) {
+		this.maxRequests = maxRequests;
+		this.windowMs = windowMs;
+	}
+	/**
+	* Returns `true` if the request should be rejected (over limit).
+	*/
+	isRateLimited(key) {
+		const now = Date.now();
+		const windowStart = now - this.windowMs;
+		let timestamps = this.windows.get(key);
+		if (!timestamps) {
+			timestamps = [];
+			this.windows.set(key, timestamps);
+		}
+		const valid = timestamps.filter((t) => t > windowStart);
+		this.windows.set(key, valid);
+		if (valid.length >= this.maxRequests) {
+			const retryAfterMs = (valid[0] ?? now) + this.windowMs - now;
+			return {
+				limited: true,
+				retryAfterMs: Math.max(retryAfterMs, 1e3)
+			};
+		}
+		valid.push(now);
+		return { limited: false };
+	}
+	/** Periodic cleanup of stale keys to prevent memory leaks. */
+	cleanup() {
+		const now = Date.now();
+		for (const [key, timestamps] of this.windows) {
+			const valid = timestamps.filter((t) => t > now - this.windowMs);
+			if (valid.length === 0) this.windows.delete(key);
+			else this.windows.set(key, valid);
+		}
+	}
+};
+/** Auth-sensitive path segments that should be rate-limited. */
+const RATE_LIMITED_AUTH_PATHS = [
+	"/sign-in/",
+	"/sign-up/",
+	"/forgot-password",
+	"/reset-password"
+];
+/**
+* Convert a Node.js-style `IncomingHttpHeaders` record or a `Headers` instance
+* to a standard `Headers` object for passing to better-auth.
+*/
+function toHeaders(raw) {
+	if (raw instanceof Headers) return raw;
+	const headers = new Headers();
+	for (const [key, value] of Object.entries(raw)) if (value !== void 0) headers.set(key, value);
+	return headers;
+}
+/**
+* Resolve the session from a better-auth instance using request headers.
+*/
+async function resolveSession(auth, headers) {
+	if (!auth) return null;
+	const h = toHeaders(headers);
+	try {
+		console.log("[auth-debug] resolveSession: cookie header =", h.get("cookie")?.slice(0, 80));
+		const result = await auth.api.getSession({ headers: h });
+		console.log("[auth-debug] resolveSession: result keys =", result ? Object.keys(result) : "null");
+		if (result?.session && result?.user) return {
+			session: result.session,
+			user: result.user
+		};
+		return null;
+	} catch (err) {
+		console.error("[auth-debug] resolveSession threw:", err?.message ?? err);
+		return null;
+	}
+}
+async function callBetterAuthHandler(auth, request, path, init) {
+	if (!auth) return null;
+	const basePath = auth.options?.basePath ?? "/api/auth";
+	const targetUrl = new URL(`${basePath}${path}`, request.url);
+	for (const [key, value] of Object.entries(init?.query ?? {})) if (value !== void 0) targetUrl.searchParams.set(key, value);
+	const headers = new Headers(request.headers);
+	const hasBody = init?.body !== void 0;
+	if (hasBody && !headers.has("content-type")) headers.set("content-type", "application/json");
+	const authRequest = new Request(targetUrl.toString(), {
+		method: init?.method ?? "GET",
+		headers,
+		body: hasBody ? JSON.stringify(init?.body) : void 0
+	});
+	const response = await auth.handler(authRequest);
+	const text = await response.text();
+	if (!text) return {
+		status: response.status,
+		body: null
+	};
+	try {
+		return {
+			status: response.status,
+			body: JSON.parse(text)
+		};
+	} catch {
+		return {
+			status: response.status,
+			body: text
+		};
+	}
+}
+async function getAuthContext(auth) {
+	if (!auth) return null;
+	try {
+		return await auth.$context ?? null;
+	} catch {
+		return null;
+	}
+}
+function isBetterAuthUser(value) {
+	return !!value && typeof value === "object" && "id" in value && typeof value.id === "string";
+}
+function unwrapFoundUser(result) {
+	if (!result) return null;
+	if (typeof result === "object" && "user" in result) {
+		const nestedUser = result.user;
+		if (isBetterAuthUser(nestedUser)) return nestedUser;
+		return null;
+	}
+	if (isBetterAuthUser(result)) return result;
+	return null;
+}
+function toAuthApiErrorResponse(fallbackError, error) {
+	if (error instanceof Response) return {
+		status: error.status || 500,
+		body: {
+			error: fallbackError,
+			message: error.statusText || fallbackError
+		}
+	};
+	const status = error && typeof error === "object" && "status" in error && typeof error.status === "number" ? error.status ?? 500 : error && typeof error === "object" && "statusCode" in error && typeof error.statusCode === "number" ? error.statusCode ?? 500 : 500;
+	const message = error && typeof error === "object" && "message" in error && typeof error.message === "string" ? error.message || fallbackError : fallbackError;
+	const code = error && typeof error === "object" && "code" in error && typeof error.code === "string" ? error.code : void 0;
+	return {
+		status,
+		body: {
+			error: fallbackError,
+			message,
+			...code ? { code } : {}
+		}
+	};
+}
+function sanitizeForLogging(value) {
+	if (Array.isArray(value)) return value.map((item) => sanitizeForLogging(item));
+	if (value && typeof value === "object") return Object.fromEntries(Object.entries(value).map(([key, nestedValue]) => {
+		if (/password|token|secret/i.test(key)) return [key, "[REDACTED]"];
+		return [key, sanitizeForLogging(nestedValue)];
+	}));
+	return value;
+}
+function getErrorLogDetails(error) {
+	if (error instanceof Response) return {
+		type: "Response",
+		status: error.status,
+		statusText: error.statusText
+	};
+	if (error instanceof Error) return {
+		name: error.name,
+		message: error.message,
+		stack: error.stack,
+		...error && typeof error === "object" && "cause" in error ? { cause: sanitizeForLogging(error.cause) } : {},
+		...error && typeof error === "object" && "code" in error ? { code: error.code } : {},
+		...error && typeof error === "object" && "status" in error ? { status: error.status } : {},
+		...error && typeof error === "object" && "statusCode" in error ? { statusCode: error.statusCode } : {}
+	};
+	if (error && typeof error === "object") return sanitizeForLogging(error);
+	return { value: error };
+}
+/**
+* Abstract schema for better-auth's database tables.
+*
+* These definitions allow the Invect CLI (`npx invect generate`) to include
+* the better-auth tables when generating Drizzle/Prisma schema files.
+*
+* The shapes match better-auth's default table structure. If your better-auth
+* config adds extra fields (e.g., via plugins like `twoFactor`, `organization`),
+* you can extend these in your own config.
+*/
+const BETTER_AUTH_SCHEMA = {
+	user: {
+		tableName: "user",
+		order: 1,
+		fields: {
+			id: {
+				type: "string",
+				primaryKey: true
+			},
+			name: {
+				type: "string",
+				required: true
+			},
+			email: {
+				type: "string",
+				required: true,
+				unique: true
+			},
+			emailVerified: {
+				type: "boolean",
+				required: true,
+				defaultValue: false
+			},
+			image: {
+				type: "string",
+				required: false
+			},
+			role: {
+				type: "string",
+				required: false,
+				defaultValue: AUTH_DEFAULT_ROLE
+			},
+			banned: {
+				type: "boolean",
+				required: false,
+				defaultValue: false
+			},
+			banReason: {
+				type: "string",
+				required: false
+			},
+			banExpires: {
+				type: "date",
+				required: false
+			},
+			createdAt: {
+				type: "date",
+				required: true,
+				defaultValue: "now()"
+			},
+			updatedAt: {
+				type: "date",
+				required: true,
+				defaultValue: "now()"
+			}
+		}
+	},
+	session: {
+		tableName: "session",
+		order: 2,
+		fields: {
+			id: {
+				type: "string",
+				primaryKey: true
+			},
+			expiresAt: {
+				type: "date",
+				required: true
+			},
+			token: {
+				type: "string",
+				required: true,
+				unique: true
+			},
+			createdAt: {
+				type: "date",
+				required: true,
+				defaultValue: "now()"
+			},
+			updatedAt: {
+				type: "date",
+				required: true,
+				defaultValue: "now()"
+			},
+			ipAddress: {
+				type: "string",
+				required: false
+			},
+			userAgent: {
+				type: "string",
+				required: false
+			},
+			impersonatedBy: {
+				type: "string",
+				required: false
+			},
+			userId: {
+				type: "string",
+				required: true,
+				references: {
+					table: "user",
+					field: "id",
+					onDelete: "cascade"
+				}
+			}
+		}
+	},
+	account: {
+		tableName: "account",
+		order: 2,
+		fields: {
+			id: {
+				type: "string",
+				primaryKey: true
+			},
+			accountId: {
+				type: "string",
+				required: true
+			},
+			providerId: {
+				type: "string",
+				required: true
+			},
+			userId: {
+				type: "string",
+				required: true,
+				references: {
+					table: "user",
+					field: "id",
+					onDelete: "cascade"
+				}
+			},
+			accessToken: {
+				type: "string",
+				required: false
+			},
+			refreshToken: {
+				type: "string",
+				required: false
+			},
+			idToken: {
+				type: "string",
+				required: false
+			},
+			accessTokenExpiresAt: {
+				type: "date",
+				required: false
+			},
+			refreshTokenExpiresAt: {
+				type: "date",
+				required: false
+			},
+			scope: {
+				type: "string",
+				required: false
+			},
+			password: {
+				type: "string",
+				required: false
+			},
+			createdAt: {
+				type: "date",
+				required: true,
+				defaultValue: "now()"
+			},
+			updatedAt: {
+				type: "date",
+				required: true,
+				defaultValue: "now()"
+			}
+		}
+	},
+	verification: {
+		tableName: "verification",
+		order: 2,
+		fields: {
+			id: {
+				type: "string",
+				primaryKey: true
+			},
+			identifier: {
+				type: "string",
+				required: true
+			},
+			value: {
+				type: "string",
+				required: true
+			},
+			expiresAt: {
+				type: "date",
+				required: true
+			},
+			createdAt: {
+				type: "date",
+				required: false
+			},
+			updatedAt: {
+				type: "date",
+				required: false
+			}
+		}
+	}
+};
+/**
+* Create a better-auth instance internally using Invect's database config.
+*
+* Dynamically imports `better-auth` (a required peer dependency) and creates
+* a fully-configured instance with email/password auth, the admin plugin,
+* and session caching.
+*
+* Database resolution order:
+* 1. Explicit `options.database` (any value `betterAuth({ database })` accepts)
+* 2. Auto-created client from Invect's `baseDatabaseConfig.connectionString`
+*/
+async function createInternalBetterAuth(invectConfig, options, logger) {
+	let betterAuthFn;
+	let adminPlugin;
+	try {
+		betterAuthFn = (await import("better-auth")).betterAuth;
+	} catch {
+		throw new Error("Could not import \"better-auth\". It is a required peer dependency of @invect/user-auth. Install it with: npm install better-auth");
+	}
+	try {
+		adminPlugin = (await import("better-auth/plugins")).admin;
+	} catch {
+		throw new Error("Could not import \"better-auth/plugins\". Ensure better-auth is properly installed.");
+	}
+	let database = options.database;
+	if (!database) {
+		const dbConfig = invectConfig.baseDatabaseConfig;
+		if (!dbConfig?.connectionString) throw new Error("Cannot create internal better-auth instance: no database configuration found. Either provide `auth` (a better-auth instance), `database`, or ensure Invect baseDatabaseConfig has a connectionString.");
+		const connStr = dbConfig.connectionString;
+		const dbType = (dbConfig.type ?? "sqlite").toLowerCase();
+		if (dbType === "sqlite") database = await createSQLiteClient(connStr, logger);
+		else if (dbType === "pg" || dbType === "postgresql") database = await createPostgresPool(connStr);
+		else if (dbType === "mysql") database = await createMySQLPool(connStr);
+		else throw new Error(`Unsupported database type for internal better-auth: "${dbType}". Supported: sqlite, pg, mysql. Alternatively, provide your own better-auth instance via \`auth\`.`);
+	}
+	const baseURL = options.baseURL ?? process.env.BETTER_AUTH_URL ?? `http://localhost:${process.env.PORT ?? "3000"}`;
+	const trustedOrigins = options.trustedOrigins ?? ((request) => {
+		const trusted = new Set([
+			baseURL,
+			"http://localhost:5173",
+			"http://localhost:5174"
+		]);
+		try {
+			if (request) trusted.add(new URL(request.url).origin);
+		} catch {}
+		return Array.from(trusted);
+	});
+	const passthrough = options.betterAuthOptions ?? {};
+	const emailAndPassword = {
+		enabled: true,
+		...passthrough.emailAndPassword
+	};
+	const session = {
+		cookieCache: {
+			enabled: true,
+			maxAge: 300
+		},
+		...passthrough.session,
+		...passthrough.session?.cookieCache ? { cookieCache: {
+			enabled: true,
+			maxAge: 300,
+			...passthrough.session.cookieCache
+		} } : {}
+	};
+	logger.info?.("Creating internal better-auth instance");
+	return betterAuthFn({
+		baseURL,
+		database,
+		emailAndPassword,
+		plugins: [adminPlugin({
+			defaultRole: AUTH_DEFAULT_ROLE,
+			adminRoles: [AUTH_ADMIN_ROLE]
+		})],
+		session,
+		trustedOrigins,
+		...passthrough.socialProviders ? { socialProviders: passthrough.socialProviders } : {},
+		...passthrough.account ? { account: passthrough.account } : {},
+		...passthrough.rateLimit ? { rateLimit: passthrough.rateLimit } : {},
+		...passthrough.advanced ? { advanced: passthrough.advanced } : {},
+		...passthrough.databaseHooks ? { databaseHooks: passthrough.databaseHooks } : {},
+		...passthrough.hooks ? { hooks: passthrough.hooks } : {},
+		...passthrough.disabledPaths ? { disabledPaths: passthrough.disabledPaths } : {},
+		...passthrough.secret ? { secret: passthrough.secret } : {},
+		...passthrough.secrets ? { secrets: passthrough.secrets } : {}
+	});
+}
+/** Create a SQLite client using better-sqlite3. */
+async function createSQLiteClient(connectionString, logger) {
+	try {
+		const { default: Database } = await import("better-sqlite3");
+		const { Kysely, SqliteDialect, CamelCasePlugin } = await import("kysely");
+		logger.debug?.(`Using better-sqlite3 for internal better-auth database`);
+		let dbPath = connectionString.replace(/^file:/, "");
+		if (dbPath === "") dbPath = ":memory:";
+		return {
+			db: new Kysely({
+				dialect: new SqliteDialect({ database: new Database(dbPath) }),
+				plugins: [new CamelCasePlugin()]
+			}),
+			type: "sqlite"
+		};
+	} catch (err) {
+		if (err instanceof Error && err.message.includes("better-sqlite3")) throw new Error("Cannot create SQLite database for internal better-auth: install better-sqlite3 (npm install better-sqlite3). Alternatively, provide your own better-auth instance via the `auth` option.");
+		throw err;
+	}
+}
+/** Create a PostgreSQL pool from a connection string. */
+async function createPostgresPool(connectionString) {
+	try {
+		const { Pool } = await import("pg");
+		return new Pool({ connectionString });
+	} catch {
+		throw new Error("Cannot create PostgreSQL pool for internal better-auth: install the \"pg\" package. Alternatively, provide your own better-auth instance via the `auth` option.");
+	}
+}
+/** Create a MySQL pool from a connection string. */
+async function createMySQLPool(connectionString) {
+	try {
+		return (await import("mysql2/promise")).createPool(connectionString);
+	} catch {
+		throw new Error("Cannot create MySQL pool for internal better-auth: install the \"mysql2\" package. Alternatively, provide your own better-auth instance via the `auth` option.");
+	}
+}
+/**
+* Create an Invect plugin that wraps a better-auth instance.
+*
+* This plugin:
+*
+* 1. **Proxies better-auth routes** — All of better-auth's HTTP endpoints
+*    (sign-in, sign-up, sign-out, OAuth callbacks, session, etc.) are mounted
+*    under the plugin endpoint space at `/plugins/auth/api/auth/*` (configurable).
+*
+* 2. **Resolves sessions → identities** — On every Invect API request, the
+*    `onRequest` hook reads the session cookie / bearer token via
+*    `auth.api.getSession()` and populates `InvectIdentity`.
+*
+* 3. **Handles authorization** — The `onAuthorize` hook lets better-auth's
+*    session decide whether a request is allowed.
+*
+* @example
+* ```ts
+* // Simple: let the plugin manage better-auth internally
+* import { betterAuthPlugin } from '@invect/user-auth';
+*
+* app.use('/invect', createInvectRouter({
+*   databaseUrl: 'file:./dev.db',
+*   plugins: [betterAuthPlugin({
+*     globalAdmins: [{ email: 'admin@co.com', pw: 'secret' }],
+*   })],
+* }));
+* ```
+*
+* @example
+* ```ts
+* // Advanced: provide your own better-auth instance
+* import { betterAuth } from 'better-auth';
+* import { betterAuthPlugin } from '@invect/user-auth';
+*
+* const auth = betterAuth({
+*   database: { ... },
+*   emailAndPassword: { enabled: true },
+*   // ... your better-auth config
+* });
+*
+* app.use('/invect', createInvectRouter({
+*   databaseUrl: 'file:./dev.db',
+*   plugins: [betterAuthPlugin({ auth })],
+* }));
+* ```
+*/
+function betterAuthPlugin(options) {
+	const { prefix = DEFAULT_PREFIX, mapUser: customMapUser, mapRole = defaultMapRole, publicPaths = [], onSessionError = "throw", globalAdmins = [] } = options;
+	let auth = options.auth ?? null;
+	let endpointLogger = console;
+	let betterAuthBasePath = "/api/auth";
+	/**
+	* Resolve an identity from a request's headers.
+	*/
+	async function getIdentityFromHeaders(headers) {
+		if (!auth) return null;
+		const result = await resolveSession(auth, headers);
+		if (!result) return null;
+		if (customMapUser) return customMapUser(result.user, result.session);
+		return defaultMapUser(result.user, result.session, mapRole);
+	}
+	async function getIdentityFromRequest(request) {
+		if (!auth) return null;
+		const body = (await callBetterAuthHandler(auth, request, "/get-session"))?.body;
+		if (!body?.session || !body?.user) return null;
+		if (customMapUser) return customMapUser(body.user, body.session);
+		return defaultMapUser(body.user, body.session, mapRole);
+	}
+	async function resolveEndpointIdentity(ctx) {
+		if (ctx.identity) return ctx.identity;
+		return getIdentityFromRequest(ctx.request);
+	}
+	const authRateLimiter = new RateLimiter(10, 6e4);
+	setInterval(() => authRateLimiter.cleanup(), 5 * 6e4).unref?.();
+	const endpoints = [
+		"GET",
+		"POST",
+		"PUT",
+		"PATCH",
+		"DELETE"
+	].map((method) => ({
+		method,
+		path: `/${prefix}/*`,
+		isPublic: true,
+		handler: async (ctx) => {
+			const incomingUrl = new URL(ctx.request.url);
+			endpointLogger.debug?.(`[auth-proxy] ${method} ${incomingUrl.pathname}`);
+			const pluginPrefixPattern = `/plugins/${prefix}`;
+			let authPath = incomingUrl.pathname;
+			const prefixIdx = authPath.indexOf(pluginPrefixPattern);
+			if (prefixIdx !== -1) authPath = authPath.slice(prefixIdx + pluginPrefixPattern.length);
+			if (!authPath.startsWith("/")) authPath = "/" + authPath;
+			if (method === "POST" && RATE_LIMITED_AUTH_PATHS.some((p) => authPath.includes(p))) {
+				const clientIp = ctx.headers["x-forwarded-for"]?.split(",")[0]?.trim() || ctx.headers["x-real-ip"] || "unknown";
+				const { limited, retryAfterMs } = authRateLimiter.isRateLimited(clientIp);
+				if (limited) return new Response(JSON.stringify({
+					error: "Too Many Requests",
+					message: "Too many authentication attempts. Please try again later."
+				}), {
+					status: 429,
+					headers: {
+						"content-type": "application/json",
+						"retry-after": String(Math.ceil((retryAfterMs ?? 6e4) / 1e3))
+					}
+				});
+			}
+			const authUrl = new URL(`${incomingUrl.origin}${authPath}${incomingUrl.search}`);
+			endpointLogger.debug?.(`[auth-proxy] Forwarding to better-auth: ${method} ${authUrl.pathname}`);
+			const authRequest = new Request(authUrl.toString(), {
+				method: ctx.request.method,
+				headers: ctx.request.headers,
+				body: method !== "GET" && method !== "DELETE" ? ctx.request.body : void 0,
+				duplex: method !== "GET" && method !== "DELETE" ? "half" : void 0
+			});
+			const response = await auth.handler(authRequest);
+			endpointLogger.debug?.(`[auth-proxy] Response: ${response.status} ${response.statusText}`, {
+				setCookie: response.headers.get("set-cookie") ? "present" : "absent",
+				contentType: response.headers.get("content-type")
+			});
+			return response;
+		}
+	}));
+	return {
+		id: "better-auth",
+		name: "Better Auth",
+		schema: BETTER_AUTH_SCHEMA,
+		requiredTables: [
+			"user",
+			"session",
+			"account",
+			"verification"
+		],
+		setupInstructions: "Run `npx invect generate` to add the better-auth tables to your schema, then `npx drizzle-kit push` (or `npx invect migrate`) to apply.",
+		endpoints: [
+			{
+				method: "GET",
+				path: `/${prefix}/me`,
+				isPublic: false,
+				handler: async (ctx) => {
+					const identity = await resolveEndpointIdentity(ctx);
+					const permissions = ctx.core.getPermissions(identity);
+					const resolvedRole = identity ? ctx.core.getResolvedRole(identity) : null;
+					return {
+						status: 200,
+						body: {
+							identity: identity ? {
+								id: identity.id,
+								name: identity.name,
+								role: identity.role,
+								resolvedRole
+							} : null,
+							permissions,
+							isAuthenticated: !!identity
+						}
+					};
+				}
+			},
+			{
+				method: "GET",
+				path: `/${prefix}/roles`,
+				isPublic: false,
+				handler: async (ctx) => {
+					const roles = ctx.core.getAvailableRoles();
+					const missingRoles = AUTH_VISIBLE_ROLES.filter((role) => !roles.some((entry) => entry.role === role)).map((role) => ({
+						role,
+						permissions: []
+					}));
+					return {
+						status: 200,
+						body: { roles: [...roles, ...missingRoles] }
+					};
+				}
+			},
+			{
+				method: "GET",
+				path: `/${prefix}/users`,
+				isPublic: false,
+				handler: async (ctx) => {
+					const identity = await resolveEndpointIdentity(ctx);
+					if (!identity || identity.role !== "admin") return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "Admin access required"
+						}
+					};
+					try {
+						const api = auth.api;
+						const headers = toHeaders(ctx.headers);
+						if (typeof api.listUsers === "function") {
+							const listUsers = api.listUsers;
+							const result = await listUsers({
+								headers,
+								query: {
+									limit: ctx.query.limit ?? "100",
+									offset: ctx.query.offset ?? "0"
+								}
+							});
+							return {
+								status: 200,
+								body: { users: Array.isArray(result) ? result : result?.users ?? [] }
+							};
+						}
+						const fallbackResult = await callBetterAuthHandler(auth, ctx.request, "/admin/list-users", {
+							method: "GET",
+							query: {
+								limit: ctx.query.limit ?? "100",
+								offset: ctx.query.offset ?? "0"
+							}
+						});
+						if (fallbackResult && fallbackResult.status >= 200 && fallbackResult.status < 300) return {
+							status: 200,
+							body: fallbackResult.body
+						};
+						return {
+							status: 200,
+							body: {
+								users: [],
+								message: "User listing requires the better-auth admin plugin. Add `admin()` to your better-auth plugins config."
+							}
+						};
+					} catch (err) {
+						endpointLogger.error("Failed to list users", {
+							identity: sanitizeForLogging(identity),
+							query: sanitizeForLogging(ctx.query),
+							error: getErrorLogDetails(err)
+						});
+						return toAuthApiErrorResponse("Failed to list users", err);
+					}
+				}
+			},
+			{
+				method: "POST",
+				path: `/${prefix}/users`,
+				isPublic: false,
+				handler: async (ctx) => {
+					const identity = await resolveEndpointIdentity(ctx);
+					if (!identity || identity.role !== "admin") return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "Admin access required"
+						}
+					};
+					const { email, password, name, role } = ctx.body;
+					if (!email || !password) return {
+						status: 400,
+						body: { error: "email and password are required" }
+					};
+					if (role !== void 0 && !isAuthAssignableRole(role)) return {
+						status: 400,
+						body: { error: "role must be one of: " + AUTH_ASSIGNABLE_ROLES.join(", ") }
+					};
+					try {
+						const api = auth.api;
+						const headers = toHeaders(ctx.headers);
+						let result = null;
+						if (typeof api.createUser === "function") {
+							const createUser = api.createUser;
+							result = await createUser({
+								headers,
+								body: {
+									email,
+									password,
+									name: name ?? email.split("@")[0],
+									role: role ?? "default"
+								}
+							});
+						} else if (typeof api.signUpEmail === "function") {
+							const signUpEmail = api.signUpEmail;
+							result = await signUpEmail({
+								headers,
+								body: {
+									email,
+									password,
+									name: name ?? email.split("@")[0],
+									role: role ?? "default"
+								}
+							});
+						} else {
+							const fallbackResult = await callBetterAuthHandler(auth, ctx.request, "/admin/create-user", {
+								method: "POST",
+								body: {
+									email,
+									password,
+									name: name ?? email.split("@")[0],
+									role: role ?? "default"
+								}
+							});
+							if (fallbackResult && fallbackResult.status >= 200 && fallbackResult.status < 300) result = fallbackResult.body;
+						}
+						if (!result && typeof api.createUser !== "function" && typeof api.signUpEmail !== "function") return {
+							status: 500,
+							body: { error: "Auth API does not support user creation" }
+						};
+						if (!result?.user) return {
+							status: 400,
+							body: {
+								error: "Failed to create user",
+								message: "User may already exist"
+							}
+						};
+						return {
+							status: 201,
+							body: { user: {
+								id: result.user.id,
+								email: result.user.email,
+								name: result.user.name,
+								role: result.user.role
+							} }
+						};
+					} catch (err) {
+						endpointLogger.error("Failed to create user", {
+							identity: sanitizeForLogging(identity),
+							body: sanitizeForLogging({
+								email,
+								name,
+								role
+							}),
+							error: getErrorLogDetails(err)
+						});
+						return toAuthApiErrorResponse("Failed to create user", err);
+					}
+				}
+			},
+			{
+				method: "PATCH",
+				path: `/${prefix}/users/:userId/role`,
+				isPublic: false,
+				handler: async (ctx) => {
+					const identity = await resolveEndpointIdentity(ctx);
+					if (!identity || identity.role !== "admin") return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "Admin access required"
+						}
+					};
+					const { userId } = ctx.params;
+					const { role } = ctx.body;
+					if (!isAuthAssignableRole(role)) return {
+						status: 400,
+						body: { error: "role must be one of: " + AUTH_ASSIGNABLE_ROLES.join(", ") }
+					};
+					try {
+						const api = auth.api;
+						const headers = toHeaders(ctx.headers);
+						if (typeof api.setRole === "function") {
+							const setRole = api.setRole;
+							await setRole({
+								headers,
+								body: {
+									userId,
+									role
+								}
+							});
+							return {
+								status: 200,
+								body: {
+									success: true,
+									userId,
+									role
+								}
+							};
+						}
+						const fallbackResult = await callBetterAuthHandler(auth, ctx.request, "/admin/set-role", {
+							method: "POST",
+							body: {
+								userId,
+								role
+							}
+						});
+						if (fallbackResult && fallbackResult.status >= 200 && fallbackResult.status < 300) return {
+							status: 200,
+							body: {
+								success: true,
+								userId,
+								role
+							}
+						};
+						if (typeof api.updateUser === "function") {
+							const updateUser = api.updateUser;
+							await updateUser({
+								headers,
+								body: { role },
+								params: { id: userId }
+							});
+							return {
+								status: 200,
+								body: {
+									success: true,
+									userId,
+									role
+								}
+							};
+						}
+						return {
+							status: 501,
+							body: { error: "Role update requires the better-auth admin plugin. Add `admin()` to your better-auth plugins config." }
+						};
+					} catch (err) {
+						endpointLogger.error("Failed to update role", {
+							identity: sanitizeForLogging(identity),
+							params: sanitizeForLogging(ctx.params),
+							body: sanitizeForLogging({ role }),
+							error: getErrorLogDetails(err)
+						});
+						return toAuthApiErrorResponse("Failed to update role", err);
+					}
+				}
+			},
+			{
+				method: "DELETE",
+				path: `/${prefix}/users/:userId`,
+				isPublic: false,
+				handler: async (ctx) => {
+					const identity = await resolveEndpointIdentity(ctx);
+					if (!identity || identity.role !== "admin") return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "Admin access required"
+						}
+					};
+					const { userId } = ctx.params;
+					if (identity.id === userId) return {
+						status: 400,
+						body: { error: "Cannot delete your own account" }
+					};
+					try {
+						const api = auth.api;
+						const headers = toHeaders(ctx.headers);
+						if (typeof api.removeUser === "function") {
+							const removeUser = api.removeUser;
+							await removeUser({
+								headers,
+								body: { userId }
+							});
+							return {
+								status: 200,
+								body: {
+									success: true,
+									userId
+								}
+							};
+						}
+						const fallbackResult = await callBetterAuthHandler(auth, ctx.request, "/admin/remove-user", {
+							method: "POST",
+							body: { userId }
+						});
+						if (fallbackResult && fallbackResult.status >= 200 && fallbackResult.status < 300) return {
+							status: 200,
+							body: {
+								success: true,
+								userId
+							}
+						};
+						if (typeof api.deleteUser === "function") {
+							const deleteUser = api.deleteUser;
+							await deleteUser({
+								headers,
+								body: { userId }
+							});
+							return {
+								status: 200,
+								body: {
+									success: true,
+									userId
+								}
+							};
+						}
+						return {
+							status: 501,
+							body: { error: "User deletion requires the better-auth admin plugin. Add `admin()` to your better-auth plugins config." }
+						};
+					} catch (err) {
+						endpointLogger.error("Failed to delete user", {
+							identity: sanitizeForLogging(identity),
+							params: sanitizeForLogging(ctx.params),
+							error: getErrorLogDetails(err)
+						});
+						return toAuthApiErrorResponse("Failed to delete user", err);
+					}
+				}
+			},
+			...endpoints
+		],
+		hooks: {
+			onRequest: async (request, context) => {
+				if (isBetterAuthRoute(context.path, prefix, betterAuthBasePath)) return;
+				if (publicPaths.some((p) => context.path.startsWith(p))) return;
+				const headersRecord = {};
+				request.headers.forEach((value, key) => {
+					headersRecord[key] = value;
+				});
+				endpointLogger.debug?.(`[auth-onRequest] ${context.method} ${context.path}`, {
+					hasCookie: !!headersRecord["cookie"],
+					hasAuth: !!headersRecord["authorization"]
+				});
+				const identity = await getIdentityFromHeaders(headersRecord);
+				endpointLogger.debug?.(`[auth-onRequest] Identity resolved:`, {
+					authenticated: !!identity,
+					userId: identity?.id,
+					role: identity?.role
+				});
+				context.identity = identity;
+				if (!identity && onSessionError === "throw") return { response: new Response(JSON.stringify({
+					error: "Unauthorized",
+					message: "Valid session required. Sign in via better-auth."
+				}), {
+					status: 401,
+					headers: { "content-type": "application/json" }
+				}) };
+			},
+			onAuthorize: async (context) => {
+				if (context.identity) return;
+				return {
+					allowed: false,
+					reason: "No valid better-auth session"
+				};
+			}
+		},
+		init: async (pluginContext) => {
+			endpointLogger = pluginContext.logger;
+			if (!auth) auth = await createInternalBetterAuth(pluginContext.config, options, pluginContext.logger);
+			betterAuthBasePath = auth.options?.basePath ?? "/api/auth";
+			pluginContext.logger.info(`Better Auth plugin initialized (prefix: ${prefix}, basePath: ${betterAuthBasePath})`);
+			if (globalAdmins.length === 0) {
+				pluginContext.logger.debug("No global admins configured. Pass `globalAdmins` to betterAuthPlugin(...) to seed admin access.");
+				return;
+			}
+			for (const configuredAdmin of globalAdmins) {
+				const adminEmail = configuredAdmin.email?.trim();
+				const adminPassword = configuredAdmin.pw;
+				const adminName = configuredAdmin.name?.trim() || "Admin";
+				if (!adminEmail || !adminPassword) {
+					pluginContext.logger.debug("Skipping invalid global admin config: both email and pw are required.");
+					continue;
+				}
+				try {
+					const authContext = await getAuthContext(auth);
+					const existingAdminUser = unwrapFoundUser(await authContext?.internalAdapter?.findUserByEmail(adminEmail));
+					if (existingAdminUser) {
+						if (existingAdminUser.role !== "admin") {
+							await authContext?.internalAdapter?.updateUser(existingAdminUser.id, { role: "admin" });
+							pluginContext.logger.info(`Admin user promoted: ${adminEmail}`);
+						} else pluginContext.logger.debug(`Admin user already configured: ${adminEmail}`);
+						continue;
+					}
+					const api = auth.api;
+					let result = null;
+					if (typeof api.createUser === "function") {
+						const createUser = api.createUser;
+						result = await createUser({
+							headers: new Headers(),
+							body: {
+								email: adminEmail,
+								password: adminPassword,
+								name: adminName,
+								role: "admin"
+							}
+						}).catch((err) => {
+							pluginContext.logger.error?.(`createUser failed for ${adminEmail}: ${err instanceof Error ? err.message : String(err)}`);
+							return null;
+						});
+					} else if (typeof api.signUpEmail === "function") {
+						const signUpEmail = api.signUpEmail;
+						result = await signUpEmail({ body: {
+							email: adminEmail,
+							password: adminPassword,
+							name: adminName
+						} }).catch((err) => {
+							pluginContext.logger.error?.(`signUpEmail failed for ${adminEmail}: ${err instanceof Error ? err.message : String(err)}`);
+							return null;
+						});
+					} else {
+						pluginContext.logger.debug(`Could not create global admin ${adminEmail}: auth.api.createUser/signUpEmail are unavailable.`);
+						continue;
+					}
+					if (result?.user) {
+						const createdAuthContext = authContext ?? await getAuthContext(auth);
+						const createdAdminUser = unwrapFoundUser(await createdAuthContext?.internalAdapter?.findUserByEmail(adminEmail)) ?? result.user;
+						if (createdAdminUser?.id && createdAdminUser.role !== "admin") await createdAuthContext?.internalAdapter?.updateUser(createdAdminUser.id, { role: "admin" });
+						pluginContext.logger.info(`Admin user created: ${adminEmail}`);
+					} else pluginContext.logger.debug(`Admin user already exists or could not be created: ${adminEmail}`);
+				} catch (seedErr) {
+					pluginContext.logger.debug(`Could not seed admin user (tables may not exist yet): ${adminEmail} — ${seedErr instanceof Error ? seedErr.message : String(seedErr)}`);
+				}
+			}
+		},
+		$ERROR_CODES: {
+			"auth:session_expired": {
+				message: "Session has expired. Please sign in again.",
+				status: 401
+			},
+			"auth:session_not_found": {
+				message: "No valid session found.",
+				status: 401
+			}
+		}
+	};
+}
+/**
+* Check if a path is a better-auth proxy route (should skip session checks).
+* Only matches the actual better-auth API proxy routes, not custom plugin endpoints.
+*/
+function isBetterAuthRoute(path, prefix, basePath) {
+	return path.startsWith(`/plugins/${prefix}${basePath}`);
+}
+//#endregion
+export { BETTER_AUTH_SCHEMA, betterAuthPlugin };
+
+//# sourceMappingURL=index.mjs.map