npm - @lenne.tech/nest-server - Versions diffs - 11.11.0 → 11.12.0 - Mend

@lenne.tech/nest-server 11.11.0 → 11.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/src/core/modules/better-auth/core-better-auth-web.helper.ts CHANGED Viewed

@@ -2,12 +2,18 @@ import { Logger } from '@nestjs/common';
 import * as crypto from 'crypto';
 import { Request, Response } from 'express';
+import { isSessionToken } from './core-better-auth-token.helper';
 /**
  * Cookie names used by Better Auth and nest-server
+ *
+ * ## Cookie Strategy (v11.12+)
+ *
+ * Only the minimum required cookies are used:
+ * - `{basePath}.session_token` (e.g., `iam.session_token`) - Better-Auth native (ALWAYS)
+ * - `token` - Legacy compatibility (only if Legacy Auth active)
  */
 export const BETTER_AUTH_COOKIE_NAMES = {
-  /** Better Auth's default session token cookie */
-  BETTER_AUTH_SESSION: 'better-auth.session_token',
   /** Legacy nest-server token cookie */
   TOKEN: 'token',
 } as const;
@@ -37,30 +43,35 @@ export interface ToWebRequestOptions {
 /**
  * Extracts the session token from Express request cookies or Authorization header.
  *
- * Checks multiple cookie names for compatibility with different configurations:
- * 1. `{basePath}.session_token` - Based on configured basePath (e.g., iam.session_token)
- * 2. `better-auth.session_token` - Better Auth default
+ * Cookie priority (v11.12+):
+ * 1. Authorization: Bearer header (if session token, not JWT)
+ * 2. `{basePath}.session_token` (e.g., `iam.session_token`) - Better-Auth native
  * 3. `token` - Legacy nest-server cookie
- * 4. Authorization: Bearer header
  *
  * @param req - Express request
  * @param basePath - Base path for cookie names (e.g., '/iam' or 'iam')
  * @returns Session token or null if not found
  */
 export function extractSessionToken(req: Request, basePath: string = 'iam'): null | string {
-  // Check Authorization header first
+  // Check Authorization header for session tokens (but NOT JWTs).
+  // JWTs (3 dot-separated parts) are handled separately by the session middleware.
+  // Returning a JWT here would cause toWebRequest() to overwrite valid session
+  // cookies with the JWT, breaking Better Auth's session lookup.
   const authHeader = req.headers.authorization;
   if (authHeader?.startsWith('Bearer ')) {
-    return authHeader.substring(7);
+    const bearerToken = authHeader.substring(7);
+    if (isSessionToken(bearerToken)) {
+      return bearerToken;
+    }
   }
   // Normalize basePath (remove leading slash, replace slashes with dots)
   const normalizedBasePath = basePath.replace(/^\//, '').replace(/\//g, '.');
   // Cookie names to check (in order of priority)
+  // v11.12+: Only native Better-Auth cookie and legacy token
   const cookieNames = [
-    `${normalizedBasePath}.session_token`, // Based on configured basePath
-    BETTER_AUTH_COOKIE_NAMES.BETTER_AUTH_SESSION, // Better Auth default
+    `${normalizedBasePath}.session_token`, // Better-Auth native (PRIMARY)
     BETTER_AUTH_COOKIE_NAMES.TOKEN, // Legacy nest-server cookie
   ];
@@ -70,6 +81,11 @@ export function extractSessionToken(req: Request, basePath: string = 'iam'): nul
   for (const name of cookieNames) {
     const token = cookies?.[name];
     if (token && typeof token === 'string') {
+      // If the cookie value is signed (TOKEN.SIGNATURE format), extract the raw token.
+      // Better Auth signs session cookies; the DB stores only the raw token.
+      if (isAlreadySigned(token)) {
+        return token.split('.')[0];
+      }
       return token;
     }
   }
@@ -137,7 +153,14 @@ export function parseCookieHeader(cookieHeader: string | undefined): Record<stri
   for (const pair of pairs) {
     const [name, ...valueParts] = pair.trim().split('=');
     if (name && valueParts.length > 0) {
-      cookies[name.trim()] = valueParts.join('=').trim();
+      const rawValue = valueParts.join('=').trim();
+      // URL-decode cookie values (standard behavior matching cookie-parser/npm cookie package)
+      // Express's res.cookie() URL-encodes values, so we must decode them when parsing
+      try {
+        cookies[name.trim()] = decodeURIComponent(rawValue);
+      } catch {
+        cookies[name.trim()] = rawValue;
+      }
     }
   }
@@ -157,11 +180,23 @@ export async function sendWebResponse(res: Response, webResponse: globalThis.Res
   // Set status code
   res.status(webResponse.status);
-  // Copy headers
+  // Handle Set-Cookie headers separately
+  // Headers.forEach() either combines Set-Cookie values (invalid for browsers)
+  // or overwrites previous values with setHeader(). Use getSetCookie() instead.
+  // IMPORTANT: Merge with any existing Set-Cookie headers (e.g., from res.cookie() calls)
+  // to avoid overwriting compatibility cookies set before sendWebResponse is called.
+  const setCookieHeaders = webResponse.headers.getSetCookie?.() || [];
+  if (setCookieHeaders.length > 0) {
+    const existing = res.getHeader('set-cookie');
+    const existingHeaders = existing ? (Array.isArray(existing) ? existing.map(String) : [String(existing)]) : [];
+    res.setHeader('set-cookie', [...existingHeaders, ...setCookieHeaders]);
+  }
+  // Copy other headers
   webResponse.headers.forEach((value, key) => {
     // Skip certain headers that Express handles differently
     const lowerKey = key.toLowerCase();
-    if (lowerKey === 'content-encoding' || lowerKey === 'transfer-encoding') {
+    if (lowerKey === 'set-cookie' || lowerKey === 'content-encoding' || lowerKey === 'transfer-encoding') {
       return;
     }
     res.setHeader(key, value);
@@ -192,20 +227,20 @@ export async function sendWebResponse(res: Response, webResponse: globalThis.Res
  *
  * @param value - The raw cookie value to sign
  * @param secret - The secret to use for signing
- * @returns The signed cookie value (URL-encoded)
+ * @param urlEncode - Whether to URL-encode the result (default: false)
+ *                    Set to true when building cookie header strings manually.
+ *                    Set to false when using Express res.cookie() which encodes automatically.
+ * @returns The signed cookie value
  * @throws Error if secret is not provided
  */
-export function signCookieValue(value: string, secret: string): string {
+export function signCookieValue(value: string, secret: string, urlEncode = false): string {
   if (!secret) {
     throw new Error('Cannot sign cookie: Better Auth secret is not configured');
   }
-  const signature = crypto
-    .createHmac('sha256', secret)
-    .update(value)
-    .digest('base64');
+  const signature = crypto.createHmac('sha256', secret).update(value).digest('base64');
   const signedValue = `${value}.${signature}`;
-  return encodeURIComponent(signedValue);
+  return urlEncode ? encodeURIComponent(signedValue) : signedValue;
 }
 /**
@@ -215,16 +250,22 @@ export function signCookieValue(value: string, secret: string): string {
  *
  * @param value - The cookie value to potentially sign
  * @param secret - The secret to use for signing
+ * @param urlEncode - Whether to URL-encode the result (default: true for backwards compatibility)
+ *                    Set to true when building cookie header strings manually.
+ *                    Set to false when using Express res.cookie() which encodes automatically.
  * @param logger - Optional logger for debug output
- * @returns The signed cookie value (URL-encoded) or the original if already signed
+ * @returns The signed cookie value or the original if already signed
  */
-export function signCookieValueIfNeeded(value: string, secret: string, logger?: Logger): string {
+export function signCookieValueIfNeeded(value: string, secret: string, urlEncode = true, logger?: Logger): string {
   if (isAlreadySigned(value)) {
     logger?.debug?.('Cookie value appears to be already signed, skipping signing');
-    // Return URL-encoded to match signCookieValue behavior
-    return value.includes('%') ? value : encodeURIComponent(value);
+    // Return URL-encoded if requested and not already encoded
+    if (urlEncode) {
+      return value.includes('%') ? value : encodeURIComponent(value);
+    }
+    return value.includes('%') ? decodeURIComponent(value) : value;
   }
-  return signCookieValue(value, secret);
+  return signCookieValue(value, secret, urlEncode);
 }
 /**
@@ -264,30 +305,26 @@ export async function toWebRequest(req: Request, options: ToWebRequestOptions):
     // Sign the session token for Better Auth (if secret is provided)
     // IMPORTANT: Only sign if not already signed to prevent double-signing
+    // URL-encode because we're building the cookie header string manually
     let signedToken: string;
     if (secret) {
-      signedToken = signCookieValueIfNeeded(sessionToken, secret, logger);
+      signedToken = signCookieValueIfNeeded(sessionToken, secret, true, logger);
     } else {
       logger?.warn('No Better Auth secret configured - cookies will not be signed');
       signedToken = sessionToken;
     }
-    // Cookie names that need signed tokens
+    // Primary cookie name for Better-Auth (e.g., 'iam.session_token')
     const primaryCookieName = `${normalizedBasePath}.session_token`;
-    const sessionCookieNames = [
-      primaryCookieName,
-      BETTER_AUTH_COOKIE_NAMES.BETTER_AUTH_SESSION,
-    ];
     // Parse existing cookies
     const existingCookies = parseCookieHeader(existingCookieString);
-    // Replace session token cookies with signed versions
-    for (const cookieName of sessionCookieNames) {
-      existingCookies[cookieName] = signedToken;
-    }
+    // Set the signed session token on the primary cookie
+    // This is the ONLY cookie Better-Auth needs
+    existingCookies[primaryCookieName] = signedToken;
-    // Keep the unsigned token cookie for nest-server compatibility
+    // Keep the unsigned token cookie for legacy nest-server compatibility
     if (!existingCookies[BETTER_AUTH_COOKIE_NAMES.TOKEN]) {
       existingCookies[BETTER_AUTH_COOKIE_NAMES.TOKEN] = sessionToken;
     }

package/src/core/modules/better-auth/core-better-auth.controller.ts CHANGED Viewed

@@ -22,6 +22,7 @@ import { maskEmail, maskToken } from '../../common/helpers/logging.helper';
 import { ConfigService } from '../../common/services/config.service';
 import { ErrorCode } from '../error-code/error-codes';
 import { BetterAuthSignInResponse, hasSession, hasUser, requires2FA } from './better-auth.types';
+import { BetterAuthCookieHelper, createCookieHelper } from './core-better-auth-cookie.helper';
 import { BetterAuthSessionUser, CoreBetterAuthUserMapper } from './core-better-auth-user.mapper';
 import { sendWebResponse, toWebRequest } from './core-better-auth-web.helper';
 import { CoreBetterAuthService } from './core-better-auth.service';
@@ -182,12 +183,32 @@ export class CoreBetterAuthSignUpInput {
 @Roles(RoleEnum.ADMIN)
 export class CoreBetterAuthController {
   protected readonly logger = new Logger(CoreBetterAuthController.name);
+  protected readonly cookieHelper: BetterAuthCookieHelper;
   constructor(
     protected readonly betterAuthService: CoreBetterAuthService,
     protected readonly userMapper: CoreBetterAuthUserMapper,
     protected readonly configService: ConfigService,
-  ) {}
+  ) {
+    // Detect if Legacy Auth is active (for < 11.7.0 compatibility)
+    // Legacy Auth is active when JWT secret is configured
+    const jwtConfig = this.configService.getFastButReadOnly('jwt');
+    const legacyAuthEnabled = !!(jwtConfig?.secret || jwtConfig?.secretOrPrivateKey);
+    // Get Better-Auth secret for cookie signing
+    // CRITICAL: Cookies must be signed for Passkey/2FA to work
+    const betterAuthConfig = this.betterAuthService.getConfig();
+    // Initialize cookie helper with Legacy Auth detection and secret
+    this.cookieHelper = createCookieHelper(
+      this.betterAuthService.getBasePath(),
+      {
+        legacyCookieEnabled: legacyAuthEnabled,
+        secret: betterAuthConfig?.secret,
+      },
+      this.logger,
+    );
+  }
   // ===================================================================================================================
   // Authentication Endpoints
@@ -435,7 +456,7 @@ export class CoreBetterAuthController {
    * Sign out (logout)
    *
    * **Why Custom Implementation (not hooks):**
-   * - Must clear multiple cookies (token, session, better-auth.session_token, etc.)
+   * - Must clear session cookies (basePath.session_token + optional legacy token)
    * - Hooks cannot modify response or set/clear cookies
    *
    * NOTE: Better-Auth uses POST for sign-out (matches better-auth convention)
@@ -564,6 +585,11 @@ export class CoreBetterAuthController {
   /**
    * Extract session token from request
+   *
+   * Cookie priority (v11.12+):
+   * 1. Authorization: Bearer header
+   * 2. `{basePath}.session_token` (e.g., `iam.session_token`) - Better-Auth native
+   * 3. `token` - Legacy compatibility (only if Legacy Auth might be active)
    */
   protected extractSessionToken(req: Request): null | string {
     // Check Authorization header
@@ -572,10 +598,10 @@ export class CoreBetterAuthController {
       return authHeader.substring(7);
     }
-    // Check cookies
+    // Check cookies - Better-Auth native cookie first, then legacy token
     const basePath = this.betterAuthService.getBasePath().replace(/^\//, '').replace(/\//g, '.');
     const cookieName = `${basePath}.session_token`;
-    return req.cookies?.[cookieName] || req.cookies?.['better-auth.session_token'] || null;
+    return req.cookies?.[cookieName] || req.cookies?.['token'] || null;
   }
   /**
@@ -626,90 +652,38 @@ export class CoreBetterAuthController {
   /**
    * Process cookies for response
    *
-   * Sets multiple cookies for authentication compatibility:
-   *
-   * | Cookie Name | Purpose |
-   * |-------------|---------|
-   * | `token` | Primary session token (nest-server compatibility) |
-   * | `{basePath}.session_token` | Better Auth's native cookie for plugins (e.g., `iam.session_token`) |
-   * | `better-auth.session_token` | Legacy Better Auth cookie name (backwards compatibility) |
-   * | `{configured}` | Custom cookie name if configured via `options.advanced.cookies.session_token.name` |
-   * | `session` | Session ID for reference/debugging |
+   * Sets multiple cookies for authentication compatibility using the centralized cookie helper.
+   * See BetterAuthCookieHelper for the complete cookie strategy.
    *
    * IMPORTANT: Better Auth's sign-in returns a session token in `result.token`.
    * This is NOT a JWT - it's the session token stored in the database.
    * The JWT plugin generates JWTs separately via the /token endpoint when needed.
    *
-   * For plugins like Passkey to work, the session token must be available in a cookie
-   * that Better Auth's plugin system recognizes (default: `{basePath}.session_token`).
-   *
    * @param res - Express Response object
    * @param result - The CoreBetterAuthResponse to return
    * @param sessionToken - Optional session token to set in cookies (if not provided, uses result.token)
    */
   protected processCookies(res: Response, result: CoreBetterAuthResponse, sessionToken?: string): CoreBetterAuthResponse {
-    // Check if cookie handling is activated
-    if (this.configService.getFastButReadOnly('cookies')) {
-      const cookieOptions = { httpOnly: true, sameSite: 'lax' as const, secure: process.env.NODE_ENV === 'production' };
-      // Use provided sessionToken or fall back to result.token
-      const tokenToSet = sessionToken || result.token;
-      if (tokenToSet) {
-        // Set the primary token cookie (for nest-server compatibility)
-        res.cookie('token', tokenToSet, cookieOptions);
-        // Set Better Auth's native session token cookies for plugin compatibility
-        // This is CRITICAL for Passkey/WebAuthn to work
-        const basePath = this.betterAuthService.getBasePath().replace(/^\//, '').replace(/\//g, '.');
-        const defaultCookieName = `${basePath}.session_token`;
-        res.cookie(defaultCookieName, tokenToSet, cookieOptions);
-        // Also set the legacy cookie name for backwards compatibility
-        res.cookie('better-auth.session_token', tokenToSet, cookieOptions);
-        // Get configured cookie name and set if different from defaults
-        const betterAuthConfig = this.configService.getFastButReadOnly('betterAuth');
-        const configuredCookieName = betterAuthConfig?.options?.advanced?.cookies?.session_token?.name;
-        if (configuredCookieName && configuredCookieName !== 'token' && configuredCookieName !== defaultCookieName) {
-          res.cookie(configuredCookieName, tokenToSet, cookieOptions);
-        }
+    const cookiesEnabled = this.configService.getFastButReadOnly('cookies') !== false;
-        // Remove token from response body (it's now in cookies)
-        if (result.token) {
-          delete result.token;
-        }
-      }
-      // Set session ID cookie (for reference/debugging)
-      if (result.session) {
-        res.cookie('session', result.session.id, cookieOptions);
+    // If a specific session token is provided, use it directly
+    if (sessionToken && cookiesEnabled) {
+      this.cookieHelper.setSessionCookies(res, sessionToken, result.session?.id);
+      if (result.token) {
+        delete result.token;
       }
+      return result;
     }
-    return result;
+    // Otherwise, use the cookie helper's standard processing
+    return this.cookieHelper.processAuthResult(res, result, cookiesEnabled);
   }
   /**
-   * Clear authentication cookies
+   * Clear authentication cookies using the centralized cookie helper.
    */
   protected clearAuthCookies(res: Response): void {
-    const cookieOptions = { httpOnly: true, sameSite: 'lax' as const };
-    res.cookie('token', '', { ...cookieOptions, maxAge: 0 });
-    res.cookie('session', '', { ...cookieOptions, maxAge: 0 });
-    res.cookie('better-auth.session_token', '', { ...cookieOptions, maxAge: 0 });
-    // Clear the path-based session token cookie
-    const basePath = this.betterAuthService.getBasePath().replace(/^\//, '').replace(/\//g, '.');
-    const defaultCookieName = `${basePath}.session_token`;
-    res.cookie(defaultCookieName, '', { ...cookieOptions, maxAge: 0 });
-    // Clear configured session token cookie if different
-    const betterAuthConfig = this.configService.getFastButReadOnly('betterAuth');
-    const configuredCookieName = betterAuthConfig?.options?.advanced?.cookies?.session_token?.name;
-    if (configuredCookieName && configuredCookieName !== 'token' && configuredCookieName !== defaultCookieName) {
-      res.cookie(configuredCookieName, '', { ...cookieOptions, maxAge: 0 });
-    }
+    this.cookieHelper.clearSessionCookies(res);
   }
   // ===================================================================================================================

package/src/core/modules/better-auth/core-better-auth.middleware.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { Injectable, Logger, NestMiddleware } from '@nestjs/common';
 import { NextFunction, Request, Response } from 'express';
-import { maskEmail, maskToken } from '../../common/helpers/logging.helper';
+import { isLegacyJwt } from './core-better-auth-token.helper';
 import { BetterAuthSessionUser, CoreBetterAuthUserMapper, MappedUser } from './core-better-auth-user.mapper';
 import { extractSessionToken } from './core-better-auth-web.helper';
 import { CoreBetterAuthService } from './core-better-auth.service';
@@ -80,10 +80,9 @@ export class CoreBetterAuthMiddleware implements NestMiddleware {
         // Check if token looks like a JWT (has 3 parts)
         if (tokenParts === 3) {
-          // Decode JWT payload to check if it's a Legacy JWT or BetterAuth JWT
-          // Legacy JWTs have 'id' claim, BetterAuth JWTs use 'sub'
-          const isLegacyJwt = this.isLegacyJwt(token);
-          if (isLegacyJwt) {
+          // Check if it's a Legacy JWT (has 'id' claim, no 'sub')
+          // Legacy JWTs should be handled by Passport, not Better-Auth
+          if (isLegacyJwt(token)) {
             // Legacy JWT - skip BetterAuth processing, let Passport handle it
             return next();
           }
@@ -139,27 +138,6 @@ export class CoreBetterAuthMiddleware implements NestMiddleware {
     next();
   }
-  /**
-   * Checks if a JWT token is a Legacy Auth JWT (has 'id' claim but no 'sub' claim)
-   * Legacy JWTs use 'id' for user ID, BetterAuth JWTs use 'sub'
-   */
-  private isLegacyJwt(token: string): boolean {
-    try {
-      const parts = token.split('.');
-      if (parts.length !== 3) return false;
-      // Decode the payload (second part)
-      const payloadStr = Buffer.from(parts[1], 'base64url').toString('utf-8');
-      const payload = JSON.parse(payloadStr);
-      // Legacy JWT has 'id' claim (and typically 'deviceId', 'tokenId')
-      // BetterAuth JWT has 'sub' claim
-      return payload.id !== undefined && payload.sub === undefined;
-    } catch {
-      return false;
-    }
-  }
   /**
    * Gets the session from Better-Auth using session token from cookies
    *
@@ -173,18 +151,11 @@ export class CoreBetterAuthMiddleware implements NestMiddleware {
       const basePath = this.betterAuthService.getBasePath();
       const sessionToken = extractSessionToken(req, basePath);
-      this.logger.debug(`[MIDDLEWARE] getSession called, token found: ${sessionToken ? 'yes' : 'no'}`);
       if (sessionToken) {
-        this.logger.debug(`[MIDDLEWARE] Found session token in cookies: ${maskToken(sessionToken)}`);
         // Use getSessionByToken to validate session directly from database
         const sessionResult = await this.betterAuthService.getSessionByToken(sessionToken);
-        this.logger.debug(`[MIDDLEWARE] getSessionByToken result: user=${maskEmail(sessionResult?.user?.email)}, session=${!!sessionResult?.session}`);
         if (sessionResult?.user && sessionResult?.session) {
-          this.logger.debug(`[MIDDLEWARE] Session validated for user: ${maskEmail(sessionResult.user.email)}`);
           return sessionResult as { session: any; user: BetterAuthSessionUser };
         }
       }

package/src/core/modules/better-auth/core-better-auth.service.ts CHANGED Viewed

@@ -4,11 +4,12 @@ import { Request } from 'express';
 import { importJWK, jwtVerify } from 'jose';
 import { Connection } from 'mongoose';
-import { maskCookieHeader, maskEmail, maskToken } from '../../common/helpers/logging.helper';
+import { maskEmail, maskToken } from '../../common/helpers/logging.helper';
 import { IBetterAuth } from '../../common/interfaces/server-options.interface';
 import { ConfigService } from '../../common/services/config.service';
 import { BetterAuthInstance } from './better-auth.config';
 import { BetterAuthSessionUser } from './core-better-auth-user.mapper';
+import { parseCookieHeader, signCookieValueIfNeeded } from './core-better-auth-web.helper';
 import { BETTER_AUTH_INSTANCE } from './core-better-auth.module';
 /**
@@ -316,14 +317,35 @@ export class CoreBetterAuthService {
         }
       }
-      // Debug: Log the cookie header being sent to api.getSession (masked for security)
+      // Sign cookies before sending to Better-Auth API
+      // Browser clients send unsigned cookies, but Better-Auth expects signed cookies
       const cookieHeader = headers.get('cookie');
-      this.logger.debug(`getSession called with cookies: ${maskCookieHeader(cookieHeader)}`);
+      if (cookieHeader && this.config?.secret) {
+        const basePath = this.getBasePath()?.replace(/^\//, '').replace(/\//g, '.') || 'iam';
+        const sessionCookieName = `${basePath}.session_token`;
+        const cookies = parseCookieHeader(cookieHeader);
+        let modified = false;
+        for (const [name, value] of Object.entries(cookies)) {
+          // Sign the session token cookie if it's not already signed
+          if (name === sessionCookieName || name === 'token') {
+            const signedValue = signCookieValueIfNeeded(value, this.config.secret);
+            if (signedValue !== value) {
+              cookies[name] = signedValue;
+              modified = true;
+            }
+          }
+        }
-      const response = await api.getSession({ headers });
+        if (modified) {
+          const signedCookieHeader = Object.entries(cookies)
+            .map(([name, value]) => `${name}=${value}`)
+            .join('; ');
+          headers.set('cookie', signedCookieHeader);
+        }
+      }
-      // Debug: Log the response from api.getSession
-      this.logger.debug(`getSession response: ${JSON.stringify(response)?.substring(0, 200)}`);
+      const response = await api.getSession({ headers });
       if (response && typeof response === 'object' && 'user' in response) {
         return response as SessionResult;
@@ -347,11 +369,11 @@ export class CoreBetterAuthService {
    *
    * @example
    * ```typescript
-   * // Get session token from cookie or header
-   * const sessionToken = req.cookies['better-auth.session_token'];
+   * // Get session token from cookie (using basePath-based name)
+   * const sessionToken = req.cookies['iam.session_token'];
    * const success = await betterAuthService.revokeSession(sessionToken);
    * if (success) {
-   *   res.clearCookie('better-auth.session_token');
+   *   res.clearCookie('iam.session_token');
    * }
    * ```
    */

package/src/core/modules/better-auth/index.ts CHANGED Viewed

@@ -28,10 +28,12 @@ export * from './better-auth.resolver';
 export * from './better-auth.types';
 export * from './core-better-auth-api.middleware';
 export * from './core-better-auth-auth.model';
+export * from './core-better-auth-cookie.helper';
 export * from './core-better-auth-migration-status.model';
 export * from './core-better-auth-models';
 export * from './core-better-auth-rate-limit.middleware';
 export * from './core-better-auth-rate-limiter.service';
+export * from './core-better-auth-token.helper';
 export * from './core-better-auth-user.mapper';
 export * from './core-better-auth-web.helper';
 export * from './core-better-auth.controller';