npm - @juspay/neurolink - Versions diffs - 9.31.2 → 9.32.0 - Mend

@juspay/neurolink 9.31.2 → 9.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (161) hide show

package/CHANGELOG.md +6 -0
package/dist/auth/AuthProviderFactory.d.ts +71 -0
package/dist/auth/AuthProviderFactory.js +111 -0
package/dist/auth/AuthProviderRegistry.d.ts +33 -0
package/dist/auth/AuthProviderRegistry.js +190 -0
package/dist/auth/RequestContext.d.ts +23 -0
package/dist/auth/RequestContext.js +78 -0
package/dist/auth/authContext.d.ts +198 -0
package/dist/auth/authContext.js +314 -0
package/dist/auth/errors.d.ts +63 -0
package/dist/auth/errors.js +39 -0
package/dist/auth/index.d.ts +20 -8
package/dist/auth/index.js +35 -7
package/dist/auth/middleware/AuthMiddleware.d.ts +181 -0
package/dist/auth/middleware/AuthMiddleware.js +519 -0
package/dist/auth/middleware/rateLimitByUser.d.ts +282 -0
package/dist/auth/middleware/rateLimitByUser.js +554 -0
package/dist/auth/providers/BaseAuthProvider.d.ts +259 -0
package/dist/auth/providers/BaseAuthProvider.js +723 -0
package/dist/auth/providers/CognitoProvider.d.ts +61 -0
package/dist/auth/providers/CognitoProvider.js +304 -0
package/dist/auth/providers/KeycloakProvider.d.ts +61 -0
package/dist/auth/providers/KeycloakProvider.js +393 -0
package/dist/auth/providers/auth0.d.ts +59 -0
package/dist/auth/providers/auth0.js +274 -0
package/dist/auth/providers/betterAuth.d.ts +51 -0
package/dist/auth/providers/betterAuth.js +182 -0
package/dist/auth/providers/clerk.d.ts +65 -0
package/dist/auth/providers/clerk.js +317 -0
package/dist/auth/providers/custom.d.ts +64 -0
package/dist/auth/providers/custom.js +112 -0
package/dist/auth/providers/firebase.d.ts +63 -0
package/dist/auth/providers/firebase.js +226 -0
package/dist/auth/providers/jwt.d.ts +68 -0
package/dist/auth/providers/jwt.js +212 -0
package/dist/auth/providers/oauth2.d.ts +73 -0
package/dist/auth/providers/oauth2.js +303 -0
package/dist/auth/providers/supabase.d.ts +63 -0
package/dist/auth/providers/supabase.js +259 -0
package/dist/auth/providers/workos.d.ts +61 -0
package/dist/auth/providers/workos.js +284 -0
package/dist/auth/serverBridge.d.ts +14 -0
package/dist/auth/serverBridge.js +25 -0
package/dist/auth/sessionManager.d.ts +142 -0
package/dist/auth/sessionManager.js +437 -0
package/dist/cli/commands/authProviders.d.ts +43 -0
package/dist/cli/commands/authProviders.js +399 -0
package/dist/cli/factories/authCommandFactory.d.ts +23 -5
package/dist/cli/factories/authCommandFactory.js +108 -5
package/dist/cli/parser.js +1 -1
package/dist/client/auth/AuthProviderFactory.js +111 -0
package/dist/client/auth/AuthProviderRegistry.js +190 -0
package/dist/client/auth/RequestContext.js +78 -0
package/dist/client/auth/accountPool.js +178 -0
package/dist/client/auth/authContext.js +314 -0
package/dist/client/auth/errors.js +39 -0
package/dist/client/auth/index.js +61 -0
package/dist/client/auth/middleware/AuthMiddleware.js +519 -0
package/dist/client/auth/middleware/rateLimitByUser.js +554 -0
package/dist/client/auth/providers/BaseAuthProvider.js +723 -0
package/dist/client/auth/providers/CognitoProvider.js +304 -0
package/dist/client/auth/providers/KeycloakProvider.js +393 -0
package/dist/client/auth/providers/auth0.js +274 -0
package/dist/client/auth/providers/betterAuth.js +182 -0
package/dist/client/auth/providers/clerk.js +317 -0
package/dist/client/auth/providers/custom.js +112 -0
package/dist/client/auth/providers/firebase.js +226 -0
package/dist/client/auth/providers/jwt.js +212 -0
package/dist/client/auth/providers/oauth2.js +303 -0
package/dist/client/auth/providers/supabase.js +259 -0
package/dist/client/auth/providers/workos.js +284 -0
package/dist/client/auth/serverBridge.js +25 -0
package/dist/client/auth/sessionManager.js +437 -0
package/dist/client/core/infrastructure/baseRegistry.js +5 -1
package/dist/client/index.js +25 -0
package/dist/client/mcp/toolRegistry.js +11 -1
package/dist/client/neurolink.js +218 -0
package/dist/client/rag/ChunkerRegistry.js +2 -2
package/dist/client/rag/metadata/MetadataExtractorRegistry.js +2 -2
package/dist/client/rag/reranker/RerankerRegistry.js +2 -2
package/dist/client/server/routes/agentRoutes.js +20 -2
package/dist/client/types/authTypes.js +2 -1
package/dist/core/infrastructure/baseRegistry.d.ts +3 -1
package/dist/core/infrastructure/baseRegistry.js +5 -1
package/dist/index.d.ts +1 -0
package/dist/index.js +25 -0
package/dist/lib/auth/AuthProviderFactory.d.ts +71 -0
package/dist/lib/auth/AuthProviderFactory.js +112 -0
package/dist/lib/auth/AuthProviderRegistry.d.ts +33 -0
package/dist/lib/auth/AuthProviderRegistry.js +191 -0
package/dist/lib/auth/RequestContext.d.ts +23 -0
package/dist/lib/auth/RequestContext.js +79 -0
package/dist/lib/auth/authContext.d.ts +198 -0
package/dist/lib/auth/authContext.js +315 -0
package/dist/lib/auth/errors.d.ts +63 -0
package/dist/lib/auth/errors.js +40 -0
package/dist/lib/auth/index.d.ts +20 -8
package/dist/lib/auth/index.js +35 -7
package/dist/lib/auth/middleware/AuthMiddleware.d.ts +181 -0
package/dist/lib/auth/middleware/AuthMiddleware.js +520 -0
package/dist/lib/auth/middleware/rateLimitByUser.d.ts +282 -0
package/dist/lib/auth/middleware/rateLimitByUser.js +555 -0
package/dist/lib/auth/providers/BaseAuthProvider.d.ts +259 -0
package/dist/lib/auth/providers/BaseAuthProvider.js +724 -0
package/dist/lib/auth/providers/CognitoProvider.d.ts +61 -0
package/dist/lib/auth/providers/CognitoProvider.js +305 -0
package/dist/lib/auth/providers/KeycloakProvider.d.ts +61 -0
package/dist/lib/auth/providers/KeycloakProvider.js +394 -0
package/dist/lib/auth/providers/auth0.d.ts +59 -0
package/dist/lib/auth/providers/auth0.js +275 -0
package/dist/lib/auth/providers/betterAuth.d.ts +51 -0
package/dist/lib/auth/providers/betterAuth.js +183 -0
package/dist/lib/auth/providers/clerk.d.ts +65 -0
package/dist/lib/auth/providers/clerk.js +318 -0
package/dist/lib/auth/providers/custom.d.ts +64 -0
package/dist/lib/auth/providers/custom.js +113 -0
package/dist/lib/auth/providers/firebase.d.ts +63 -0
package/dist/lib/auth/providers/firebase.js +227 -0
package/dist/lib/auth/providers/jwt.d.ts +68 -0
package/dist/lib/auth/providers/jwt.js +213 -0
package/dist/lib/auth/providers/oauth2.d.ts +73 -0
package/dist/lib/auth/providers/oauth2.js +304 -0
package/dist/lib/auth/providers/supabase.d.ts +63 -0
package/dist/lib/auth/providers/supabase.js +260 -0
package/dist/lib/auth/providers/workos.d.ts +61 -0
package/dist/lib/auth/providers/workos.js +285 -0
package/dist/lib/auth/serverBridge.d.ts +14 -0
package/dist/lib/auth/serverBridge.js +26 -0
package/dist/lib/auth/sessionManager.d.ts +142 -0
package/dist/lib/auth/sessionManager.js +438 -0
package/dist/lib/core/infrastructure/baseRegistry.d.ts +3 -1
package/dist/lib/core/infrastructure/baseRegistry.js +5 -1
package/dist/lib/index.d.ts +1 -0
package/dist/lib/index.js +25 -0
package/dist/lib/mcp/toolRegistry.js +11 -1
package/dist/lib/neurolink.d.ts +42 -1
package/dist/lib/neurolink.js +218 -0
package/dist/lib/rag/ChunkerRegistry.js +2 -2
package/dist/lib/rag/metadata/MetadataExtractorRegistry.js +2 -2
package/dist/lib/rag/reranker/RerankerRegistry.js +2 -2
package/dist/lib/server/routes/agentRoutes.js +20 -2
package/dist/lib/types/authTypes.d.ts +937 -1
package/dist/lib/types/authTypes.js +2 -1
package/dist/lib/types/configTypes.d.ts +46 -0
package/dist/lib/types/generateTypes.d.ts +6 -0
package/dist/lib/types/index.d.ts +1 -0
package/dist/lib/types/streamTypes.d.ts +6 -0
package/dist/mcp/toolRegistry.js +11 -1
package/dist/neurolink.d.ts +42 -1
package/dist/neurolink.js +218 -0
package/dist/rag/ChunkerRegistry.js +2 -2
package/dist/rag/metadata/MetadataExtractorRegistry.js +2 -2
package/dist/rag/reranker/RerankerRegistry.js +2 -2
package/dist/server/routes/agentRoutes.js +20 -2
package/dist/types/authTypes.d.ts +937 -1
package/dist/types/authTypes.js +2 -1
package/dist/types/configTypes.d.ts +46 -0
package/dist/types/generateTypes.d.ts +6 -0
package/dist/types/index.d.ts +1 -0
package/dist/types/streamTypes.d.ts +6 -0
package/package.json +2 -1

package/dist/lib/auth/providers/auth0.js ADDED Viewed

@@ -0,0 +1,275 @@
+// src/lib/auth/providers/auth0.ts
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+import { AuthError } from "../errors.js";
+import { logger } from "../../utils/logger.js";
+import { createProxyFetch } from "../../proxy/proxyFetch.js";
+import * as jose from "jose";
+/**
+ * Auth0 Authentication Provider
+ *
+ * Supports JWT validation with JWKS for Auth0-issued tokens.
+ * Uses jose library for JWT verification against Auth0's JWKS endpoint.
+ *
+ * Features:
+ * - JWT validation with JWKS
+ * - User profile fetching (requires Management API token)
+ * - Role and permission extraction from token claims
+ *
+ * @example
+ * ```typescript
+ * const auth0 = new Auth0Provider({
+ *   type: "auth0",
+ *   domain: "your-tenant.auth0.com",
+ *   clientId: "your-client-id",
+ *   audience: "https://your-api.example.com"
+ * });
+ *
+ * const result = await auth0.authenticateToken(bearerToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export class Auth0Provider extends BaseAuthProvider {
+    type = "auth0";
+    domain;
+    clientId;
+    audience;
+    rolesNamespace;
+    permissionsNamespace;
+    jwks = null;
+    constructor(config) {
+        super(config);
+        if (!config.domain) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Auth0 domain is required", { details: { missingFields: ["domain"] } });
+        }
+        if (!config.clientId) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Auth0 clientId is required", { details: { missingFields: ["clientId"] } });
+        }
+        this.domain = config.domain;
+        this.clientId = config.clientId;
+        this.audience = config.audience;
+        // Allow custom namespaces for roles/permissions claims.
+        // If no namespace is configured, fall back to standard "roles" / "permissions" claims.
+        this.rolesNamespace = config.options?.rolesNamespace;
+        this.permissionsNamespace = config.options?.permissionsNamespace;
+    }
+    /**
+     * Initialize JWKS for JWT verification
+     */
+    async initialize() {
+        try {
+            const jwksUrl = new URL(`https://${this.domain}/.well-known/jwks.json`);
+            this.jwks = jose.createRemoteJWKSet(jwksUrl);
+            logger.debug(`Auth0 provider initialized for domain: ${this.domain}`);
+        }
+        catch (error) {
+            throw AuthError.create("PROVIDER_INIT_FAILED", "Failed to initialize Auth0 JWKS", { cause: error instanceof Error ? error : new Error(String(error)) });
+        }
+    }
+    /**
+     * Validate Auth0 JWT token
+     */
+    async authenticateToken(token, _context) {
+        if (!this.jwks) {
+            await this.initialize();
+        }
+        try {
+            if (!this.jwks) {
+                return {
+                    valid: false,
+                    error: "Auth0 JWKS not initialized",
+                };
+            }
+            const { payload } = await jose.jwtVerify(token, this.jwks, {
+                issuer: `https://${this.domain}/`,
+                audience: this.audience,
+            });
+            const auth0Payload = payload;
+            // Validate audience / authorized party against clientId
+            if (this.audience) {
+                const aud = auth0Payload.aud;
+                const audArray = Array.isArray(aud) ? aud : [aud];
+                if (!audArray.includes(this.audience)) {
+                    return {
+                        valid: false,
+                        error: `Token audience does not match expected audience: ${this.audience}`,
+                    };
+                }
+            }
+            if (this.clientId) {
+                const aud = auth0Payload.aud;
+                const azp = payload.azp;
+                const audArray = Array.isArray(aud) ? aud : [aud];
+                if (azp) {
+                    if (azp !== this.clientId) {
+                        return {
+                            valid: false,
+                            error: `Token azp claim "${azp}" does not match clientId "${this.clientId}"`,
+                        };
+                    }
+                }
+                else if (!audArray.includes(this.clientId)) {
+                    return {
+                        valid: false,
+                        error: `Token audience does not include clientId "${this.clientId}"`,
+                    };
+                }
+            }
+            // Extract roles: use custom namespace if configured, otherwise standard "roles" claim
+            const rolesKey = this.rolesNamespace ?? "roles";
+            const permissionsKey = this.permissionsNamespace ?? "permissions";
+            const roles = payload[rolesKey] || auth0Payload.roles || [];
+            const permissions = payload[permissionsKey] || auth0Payload.permissions || [];
+            // Extract user information from token
+            const user = {
+                id: auth0Payload.sub,
+                email: auth0Payload.email,
+                name: auth0Payload.name,
+                picture: auth0Payload.picture,
+                emailVerified: auth0Payload.email_verified,
+                roles,
+                permissions,
+                metadata: {
+                    iss: auth0Payload.iss,
+                    aud: auth0Payload.aud,
+                },
+            };
+            return {
+                valid: true,
+                payload: payload,
+                user,
+                expiresAt: new Date(auth0Payload.exp * 1000),
+                tokenType: "jwt",
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            logger.warn("Auth0 token validation failed:", message);
+            return {
+                valid: false,
+                error: message,
+            };
+        }
+    }
+    /**
+     * Fetch user profile from Auth0 Management API
+     * Note: Requires AUTH0_MANAGEMENT_TOKEN environment variable
+     */
+    async getUser(userId) {
+        const managementToken = process.env.AUTH0_MANAGEMENT_TOKEN;
+        if (!managementToken) {
+            logger.warn("AUTH0_MANAGEMENT_TOKEN not set, cannot fetch user profile");
+            return null;
+        }
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`https://${this.domain}/api/v2/users/${encodeURIComponent(userId)}`, {
+                headers: {
+                    Authorization: `Bearer ${managementToken}`,
+                },
+            });
+            if (!response.ok) {
+                if (response.status === 404) {
+                    return null;
+                }
+                throw AuthError.create("PROVIDER_ERROR", `Auth0 API returned ${response.status}`, { details: { statusCode: response.status } });
+            }
+            const data = (await response.json());
+            return {
+                id: data.user_id,
+                email: data.email,
+                name: data.name,
+                picture: data.picture,
+                emailVerified: data.email_verified,
+                roles: data.app_metadata?.roles ||
+                    [],
+                permissions: data.app_metadata
+                    ?.permissions || [],
+                createdAt: data.created_at
+                    ? new Date(data.created_at)
+                    : undefined,
+                lastLoginAt: data.last_login
+                    ? new Date(data.last_login)
+                    : undefined,
+                metadata: data.user_metadata,
+            };
+        }
+        catch (error) {
+            logger.error("Failed to fetch Auth0 user:", error);
+            throw error;
+        }
+    }
+    /**
+     * Get user by email from Auth0 Management API
+     */
+    async getUserByEmail(email) {
+        const managementToken = process.env.AUTH0_MANAGEMENT_TOKEN;
+        if (!managementToken) {
+            logger.warn("AUTH0_MANAGEMENT_TOKEN not set, cannot fetch user by email");
+            return null;
+        }
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`https://${this.domain}/api/v2/users-by-email?email=${encodeURIComponent(email)}`, {
+                headers: {
+                    Authorization: `Bearer ${managementToken}`,
+                },
+            });
+            if (!response.ok) {
+                throw AuthError.create("PROVIDER_ERROR", `Auth0 API returned ${response.status}`, { details: { statusCode: response.status } });
+            }
+            const users = (await response.json());
+            if (users.length === 0) {
+                return null;
+            }
+            const data = users[0];
+            return {
+                id: data.user_id,
+                email: data.email,
+                name: data.name,
+                picture: data.picture,
+                emailVerified: data.email_verified,
+                roles: data.app_metadata?.roles ||
+                    [],
+                permissions: data.app_metadata
+                    ?.permissions || [],
+                createdAt: data.created_at
+                    ? new Date(data.created_at)
+                    : undefined,
+                lastLoginAt: data.last_login
+                    ? new Date(data.last_login)
+                    : undefined,
+                metadata: data.user_metadata,
+            };
+        }
+        catch (error) {
+            logger.error("Failed to fetch Auth0 user by email:", error);
+            throw error;
+        }
+    }
+    /**
+     * Health check
+     */
+    async healthCheck() {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`https://${this.domain}/.well-known/openid-configuration`);
+            return {
+                healthy: response.ok,
+                providerConnected: response.ok,
+                sessionStorageHealthy: true,
+                error: response.ok ? undefined : `HTTP ${response.status}`,
+            };
+        }
+        catch (error) {
+            return {
+                healthy: false,
+                providerConnected: false,
+                sessionStorageHealthy: true,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+}
+//# sourceMappingURL=auth0.js.map

package/dist/lib/auth/providers/betterAuth.d.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import type { AuthProviderConfig, BetterAuthConfig, TokenValidationResult, AuthRequestContext, AuthHealthCheck } from "../../types/authTypes.js";
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+/**
+ * Better Auth Provider
+ *
+ * Supports Better Auth, a self-hosted open-source authentication solution.
+ * Validates session tokens and JWTs issued by Better Auth server.
+ *
+ * Features:
+ * - JWT validation using HMAC secret
+ * - Session validation via Better Auth API
+ * - Social provider support (GitHub, Google, Discord)
+ * - Session management (inherited from BaseAuthProvider)
+ *
+ * @example
+ * ```typescript
+ * const betterAuth = new BetterAuthProvider({
+ *   type: "better-auth",
+ *   secret: "your-better-auth-secret",
+ *   baseUrl: "https://your-app.com"
+ * });
+ *
+ * const result = await betterAuth.authenticateToken(sessionToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export declare class BetterAuthProvider extends BaseAuthProvider {
+    readonly type: "better-auth";
+    private secret;
+    private baseUrl;
+    private secretKey;
+    constructor(config: AuthProviderConfig & BetterAuthConfig);
+    /**
+     * Validate Better Auth token (session or JWT)
+     */
+    authenticateToken(token: string, _context?: AuthRequestContext): Promise<TokenValidationResult>;
+    /**
+     * Validate JWT using the secret
+     */
+    private validateJWT;
+    /**
+     * Validate session via Better Auth API
+     */
+    private validateSessionViaAPI;
+    /**
+     * Health check
+     */
+    healthCheck(): Promise<AuthHealthCheck>;
+}

package/dist/lib/auth/providers/betterAuth.js ADDED Viewed

@@ -0,0 +1,183 @@
+// src/lib/auth/providers/betterAuth.ts
+import { createProxyFetch } from "../../proxy/proxyFetch.js";
+import { AuthError } from "../errors.js";
+import * as jose from "jose";
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+/**
+ * Better Auth Provider
+ *
+ * Supports Better Auth, a self-hosted open-source authentication solution.
+ * Validates session tokens and JWTs issued by Better Auth server.
+ *
+ * Features:
+ * - JWT validation using HMAC secret
+ * - Session validation via Better Auth API
+ * - Social provider support (GitHub, Google, Discord)
+ * - Session management (inherited from BaseAuthProvider)
+ *
+ * @example
+ * ```typescript
+ * const betterAuth = new BetterAuthProvider({
+ *   type: "better-auth",
+ *   secret: "your-better-auth-secret",
+ *   baseUrl: "https://your-app.com"
+ * });
+ *
+ * const result = await betterAuth.authenticateToken(sessionToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export class BetterAuthProvider extends BaseAuthProvider {
+    type = "better-auth";
+    secret;
+    baseUrl;
+    secretKey;
+    constructor(config) {
+        super(config);
+        if (!config.secret) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Better Auth secret is required", { details: { provider: "better-auth", missingFields: ["secret"] } });
+        }
+        if (!config.baseUrl) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Better Auth baseUrl is required", { details: { provider: "better-auth", missingFields: ["baseUrl"] } });
+        }
+        this.secret = config.secret;
+        this.baseUrl = config.baseUrl.replace(/\/$/, ""); // Remove trailing slash
+        this.secretKey = new TextEncoder().encode(this.secret);
+    }
+    /**
+     * Validate Better Auth token (session or JWT)
+     */
+    async authenticateToken(token, _context) {
+        // Try JWT validation first (if it looks like a JWT)
+        if (token.includes(".") && token.split(".").length === 3) {
+            const jwtResult = await this.validateJWT(token);
+            if (jwtResult.valid) {
+                return jwtResult;
+            }
+        }
+        // Fall back to session validation via API
+        return this.validateSessionViaAPI(token);
+    }
+    /**
+     * Validate JWT using the secret
+     */
+    async validateJWT(token) {
+        try {
+            const { payload } = await jose.jwtVerify(token, this.secretKey);
+            if (!payload.sub) {
+                return {
+                    valid: false,
+                    error: "Token missing required 'sub' claim",
+                };
+            }
+            const user = {
+                id: payload.sub,
+                email: payload.email,
+                name: payload.name,
+                picture: payload.picture,
+                emailVerified: payload.email_verified,
+                roles: payload.roles || [],
+                permissions: payload.permissions || [],
+                metadata: payload.metadata,
+            };
+            return {
+                valid: true,
+                payload: payload,
+                user,
+                expiresAt: payload.exp ? new Date(payload.exp * 1000) : undefined,
+                tokenType: "jwt",
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Validate session via Better Auth API
+     */
+    async validateSessionViaAPI(sessionToken) {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`${this.baseUrl}/api/auth/session`, {
+                headers: {
+                    Cookie: `better-auth.session_token=${sessionToken}`,
+                },
+                signal: AbortSignal.timeout(5000),
+            });
+            if (!response.ok) {
+                return {
+                    valid: false,
+                    error: `Session validation failed: HTTP ${response.status}`,
+                };
+            }
+            const session = (await response.json());
+            if (!session.user) {
+                return {
+                    valid: false,
+                    error: "Invalid session",
+                };
+            }
+            const user = {
+                id: session.user.id,
+                email: session.user.email,
+                name: session.user.name,
+                picture: session.user.image,
+                emailVerified: session.user.emailVerified,
+                roles: session.user.roles || [],
+                permissions: session.user.permissions || [],
+                createdAt: session.user.createdAt
+                    ? new Date(session.user.createdAt)
+                    : undefined,
+                metadata: session.user,
+            };
+            return {
+                valid: true,
+                payload: session,
+                user,
+                expiresAt: session.session?.expiresAt
+                    ? new Date(session.session.expiresAt)
+                    : undefined,
+                tokenType: "session",
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Health check
+     */
+    async healthCheck() {
+        try {
+            const proxyFetch = createProxyFetch();
+            // Better Auth typically exposes session endpoint that we can check
+            const response = await proxyFetch(`${this.baseUrl}/api/auth/session`, {
+                signal: AbortSignal.timeout(5000),
+            });
+            // Even a 401 means the endpoint is working
+            const isReachable = response.status < 500;
+            return {
+                healthy: isReachable,
+                providerConnected: isReachable,
+                sessionStorageHealthy: true,
+            };
+        }
+        catch (error) {
+            return {
+                healthy: false,
+                providerConnected: false,
+                sessionStorageHealthy: true,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+}
+//# sourceMappingURL=betterAuth.js.map

package/dist/lib/auth/providers/clerk.d.ts ADDED Viewed

@@ -0,0 +1,65 @@
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+import type { AuthProviderConfig, ClerkConfig, AuthUser, TokenValidationResult, AuthRequestContext, AuthHealthCheck, AuthProviderType } from "../../types/authTypes.js";
+/**
+ * Clerk Authentication Provider
+ *
+ * Supports Clerk's session-based and JWT authentication.
+ * Can validate both JWT tokens and session tokens via Clerk API.
+ *
+ * Features:
+ * - JWT validation using Clerk's JWKS
+ * - Session token validation via Clerk API
+ * - User profile fetching
+ * - Organization support for multi-tenant apps
+ *
+ * @example
+ * ```typescript
+ * const clerk = new ClerkProvider({
+ *   type: "clerk",
+ *   publishableKey: "pk_test_...",
+ *   secretKey: "sk_test_..."
+ * });
+ *
+ * const result = await clerk.authenticateToken(sessionToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export declare class ClerkProvider extends BaseAuthProvider {
+    readonly type: AuthProviderType;
+    private secretKey;
+    private jwtKey?;
+    private publishableKey?;
+    private jwks;
+    private localKey;
+    constructor(config: AuthProviderConfig & ClerkConfig);
+    /**
+     * Initialize Clerk JWKS
+     */
+    initialize(): Promise<void>;
+    /**
+     * Validate Clerk session token or JWT
+     */
+    authenticateToken(token: string, _context?: AuthRequestContext): Promise<TokenValidationResult>;
+    /**
+     * Validate JWT using local jwtKey (if configured) or JWKS
+     */
+    private validateJWT;
+    /**
+     * Validate session token via Clerk API
+     */
+    private validateSessionToken;
+    /**
+     * Get user by ID from Clerk API
+     */
+    getUser(userId: string): Promise<AuthUser | null>;
+    /**
+     * Get user by email from Clerk API
+     */
+    getUserByEmail(email: string): Promise<AuthUser | null>;
+    /**
+     * Health check
+     */
+    healthCheck(): Promise<AuthHealthCheck>;
+}