@lenne.tech/nest-server 11.7.0 → 11.7.2
- package/dist/config.env.js +17 -1
- package/dist/config.env.js.map +1 -1
- package/dist/core/common/interfaces/server-options.interface.d.ts +35 -15
- package/dist/core/modules/auth/core-auth.controller.d.ts +1 -0
- package/dist/core/modules/auth/core-auth.controller.js +29 -3
- package/dist/core/modules/auth/core-auth.controller.js.map +1 -1
- package/dist/core/modules/auth/core-auth.module.js +14 -1
- package/dist/core/modules/auth/core-auth.module.js.map +1 -1
- package/dist/core/modules/auth/core-auth.resolver.d.ts +1 -0
- package/dist/core/modules/auth/core-auth.resolver.js +21 -3
- package/dist/core/modules/auth/core-auth.resolver.js.map +1 -1
- package/dist/core/modules/auth/exceptions/legacy-auth-disabled.exception.d.ts +4 -0
- package/dist/core/modules/auth/exceptions/legacy-auth-disabled.exception.js +17 -0
- package/dist/core/modules/auth/exceptions/legacy-auth-disabled.exception.js.map +1 -0
- package/dist/core/modules/auth/guards/legacy-auth-rate-limit.guard.d.ts +9 -0
- package/dist/core/modules/auth/guards/legacy-auth-rate-limit.guard.js +74 -0
- package/dist/core/modules/auth/guards/legacy-auth-rate-limit.guard.js.map +1 -0
- package/dist/core/modules/auth/interfaces/auth-provider.interface.d.ts +7 -0
- package/dist/core/modules/auth/interfaces/auth-provider.interface.js +5 -0
- package/dist/core/modules/auth/interfaces/auth-provider.interface.js.map +1 -0
- package/dist/core/modules/auth/interfaces/core-auth-user.interface.d.ts +1 -0
- package/dist/core/modules/auth/services/core-auth.service.d.ts +10 -1
- package/dist/core/modules/auth/services/core-auth.service.js +141 -9
- package/dist/core/modules/auth/services/core-auth.service.js.map +1 -1
- package/dist/core/modules/auth/services/legacy-auth-rate-limiter.service.d.ts +31 -0
- package/dist/core/modules/auth/services/legacy-auth-rate-limiter.service.js +153 -0
- package/dist/core/modules/auth/services/legacy-auth-rate-limiter.service.js.map +1 -0
- package/dist/core/modules/better-auth/better-auth-migration-status.model.d.ts +10 -0
- package/dist/core/modules/better-auth/better-auth-migration-status.model.js +57 -0
- package/dist/core/modules/better-auth/better-auth-migration-status.model.js.map +1 -0
- package/dist/core/modules/better-auth/better-auth-rate-limiter.service.js +1 -1
- package/dist/core/modules/better-auth/better-auth-rate-limiter.service.js.map +1 -1
- package/dist/core/modules/better-auth/better-auth-user.mapper.d.ts +33 -0
- package/dist/core/modules/better-auth/better-auth-user.mapper.js +395 -0
- package/dist/core/modules/better-auth/better-auth-user.mapper.js.map +1 -1
- package/dist/core/modules/better-auth/better-auth.config.js +29 -10
- package/dist/core/modules/better-auth/better-auth.config.js.map +1 -1
- package/dist/core/modules/better-auth/better-auth.middleware.d.ts +1 -0
- package/dist/core/modules/better-auth/better-auth.middleware.js +55 -1
- package/dist/core/modules/better-auth/better-auth.middleware.js.map +1 -1
- package/dist/core/modules/better-auth/better-auth.module.d.ts +1 -1
- package/dist/core/modules/better-auth/better-auth.module.js +46 -18
- package/dist/core/modules/better-auth/better-auth.module.js.map +1 -1
- package/dist/core/modules/better-auth/better-auth.resolver.js +0 -11
- package/dist/core/modules/better-auth/better-auth.resolver.js.map +1 -1
- package/dist/core/modules/better-auth/better-auth.service.d.ts +22 -1
- package/dist/core/modules/better-auth/better-auth.service.js +209 -8
- package/dist/core/modules/better-auth/better-auth.service.js.map +1 -1
- package/dist/core/modules/better-auth/better-auth.types.d.ts +2 -0
- package/dist/core/modules/better-auth/better-auth.types.js.map +1 -1
- package/dist/core/modules/better-auth/core-better-auth.controller.d.ts +1 -0
- package/dist/core/modules/better-auth/core-better-auth.controller.js +15 -2
- package/dist/core/modules/better-auth/core-better-auth.controller.js.map +1 -1
- package/dist/core/modules/better-auth/core-better-auth.resolver.d.ts +7 -0
- package/dist/core/modules/better-auth/core-better-auth.resolver.js +72 -12
- package/dist/core/modules/better-auth/core-better-auth.resolver.js.map +1 -1
- package/dist/core/modules/better-auth/index.d.ts +1 -0
- package/dist/core/modules/better-auth/index.js +1 -0
- package/dist/core/modules/better-auth/index.js.map +1 -1
- package/dist/core/modules/user/core-user.service.d.ts +7 -1
- package/dist/core/modules/user/core-user.service.js +57 -3
- package/dist/core/modules/user/core-user.service.js.map +1 -1
- package/dist/core/modules/user/interfaces/core-user-service-options.interface.d.ts +4 -0
- package/dist/core/modules/user/interfaces/core-user-service-options.interface.js +3 -0
- package/dist/core/modules/user/interfaces/core-user-service-options.interface.js.map +1 -0
- package/dist/core.module.d.ts +3 -0
- package/dist/core.module.js +136 -55
- package/dist/core.module.js.map +1 -1
- package/dist/index.d.ts +5 -0
- package/dist/index.js +5 -0
- package/dist/index.js.map +1 -1
- package/dist/server/modules/auth/auth.resolver.js +2 -0
- package/dist/server/modules/auth/auth.resolver.js.map +1 -1
- package/dist/server/modules/better-auth/better-auth.module.d.ts +1 -1
- package/dist/server/modules/better-auth/better-auth.module.js +2 -1
- package/dist/server/modules/better-auth/better-auth.module.js.map +1 -1
- package/dist/server/modules/better-auth/better-auth.resolver.d.ts +5 -0
- package/dist/server/modules/better-auth/better-auth.resolver.js +27 -11
- package/dist/server/modules/better-auth/better-auth.resolver.js.map +1 -1
- package/dist/server/modules/user/user.controller.js +0 -8
- package/dist/server/modules/user/user.controller.js.map +1 -1
- package/dist/server/modules/user/user.service.d.ts +3 -1
- package/dist/server/modules/user/user.service.js +7 -3
- package/dist/server/modules/user/user.service.js.map +1 -1
- package/dist/tsconfig.build.tsbuildinfo +1 -1
- package/package.json +1 -1
- package/src/config.env.ts +32 -2
- package/src/core/common/interfaces/server-options.interface.ts +304 -58
- package/src/core/modules/auth/core-auth.controller.ts +94 -6
- package/src/core/modules/auth/core-auth.module.ts +15 -1
- package/src/core/modules/auth/core-auth.resolver.ts +71 -3
- package/src/core/modules/auth/exceptions/legacy-auth-disabled.exception.ts +35 -0
- package/src/core/modules/auth/guards/legacy-auth-rate-limit.guard.ts +109 -0
- package/src/core/modules/auth/interfaces/auth-provider.interface.ts +86 -0
- package/src/core/modules/auth/interfaces/core-auth-user.interface.ts +6 -0
- package/src/core/modules/auth/services/core-auth.service.ts +245 -6
- package/src/core/modules/auth/services/legacy-auth-rate-limiter.service.ts +283 -0
- package/src/core/modules/better-auth/INTEGRATION-CHECKLIST.md +255 -0
- package/src/core/modules/better-auth/README.md +565 -208
- package/src/core/modules/better-auth/better-auth-migration-status.model.ts +73 -0
- package/src/core/modules/better-auth/better-auth-rate-limiter.service.ts +1 -1
- package/src/core/modules/better-auth/better-auth-user.mapper.ts +737 -0
- package/src/core/modules/better-auth/better-auth.config.ts +45 -15
- package/src/core/modules/better-auth/better-auth.middleware.ts +85 -2
- package/src/core/modules/better-auth/better-auth.module.ts +83 -27
- package/src/core/modules/better-auth/better-auth.resolver.ts +0 -11
- package/src/core/modules/better-auth/better-auth.service.ts +367 -12
- package/src/core/modules/better-auth/better-auth.types.ts +16 -0
- package/src/core/modules/better-auth/core-better-auth.controller.ts +44 -3
- package/src/core/modules/better-auth/core-better-auth.resolver.ts +136 -16
- package/src/core/modules/better-auth/index.ts +1 -0
- package/src/core/modules/user/core-user.service.ts +131 -4
- package/src/core/modules/user/interfaces/core-user-service-options.interface.ts +15 -0
- package/src/core.module.ts +264 -76
- package/src/index.ts +5 -0
- package/src/server/modules/auth/auth.resolver.ts +8 -0
- package/src/server/modules/better-auth/better-auth.module.ts +9 -3
- package/src/server/modules/better-auth/better-auth.resolver.ts +18 -11
- package/src/server/modules/user/user.controller.ts +1 -9
- package/src/server/modules/user/user.service.ts +4 -2
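--- a/package/src/core/modules/better-auth/INTEGRATION-CHECKLIST.md
+++ b/package/src/core/modules/better-auth/INTEGRATION-CHECKLIST.md
@@ -0,0 +1,255 @@
+# BetterAuth Integration Checklist
+
+**For integrating BetterAuth into projects using `@lenne.tech/nest-server`.**
+
+> **Estimated time:** 10-15 minutes
+
+---
+
+## Choose Your Scenario
+
+| Scenario | Use When | CoreModule Signature | Steps |
+|----------|----------|---------------------|-------|
+| **New Project (IAM-Only)** | Starting fresh, no legacy users | `CoreModule.forRoot(envConfig)` | 1-6 |
+| **Existing Project (Migration)** | Have legacy users to migrate | `CoreModule.forRoot(AuthService, AuthModule, envConfig)` | 1-6 |
+
+**Key difference:** New projects disable Legacy endpoints, existing projects keep them enabled during migration.
+
+---
+
+## Reference Implementation
+
+All files you need to create are already implemented as reference in the package:
+
+**Local (in your node_modules):**
+```
+node_modules/@lenne.tech/nest-server/src/server/modules/better-auth/
+```
+
+**GitHub:**
+https://github.com/lenneTech/nest-server/tree/develop/src/server/modules/better-auth
+
+**Also see the UserService integration:**
+- Local: `node_modules/@lenne.tech/nest-server/src/server/modules/user/user.service.ts`
+- GitHub: https://github.com/lenneTech/nest-server/blob/develop/src/server/modules/user/user.service.ts
+
+---
+
+## Required Files (Create in Order)
+
+### 1. BetterAuth Module
+**Create:** `src/server/modules/better-auth/better-auth.module.ts`
+**Copy from:** `node_modules/@lenne.tech/nest-server/src/server/modules/better-auth/better-auth.module.ts`
+
+---
+
+### 2. BetterAuth Controller
+**Create:** `src/server/modules/better-auth/better-auth.controller.ts`
+**Copy from:** `node_modules/@lenne.tech/nest-server/src/server/modules/better-auth/better-auth.controller.ts`
+
+---
+
+### 3. BetterAuth Resolver (CRITICAL!)
+**Create:** `src/server/modules/better-auth/better-auth.resolver.ts`
+**Copy from:** `node_modules/@lenne.tech/nest-server/src/server/modules/better-auth/better-auth.resolver.ts`
+
+**WHY must ALL decorators be re-declared?**
+GraphQL schema is built from decorators at compile time. The parent class (`CoreBetterAuthResolver`) is marked as `isAbstract: true`, so its methods are not registered in the schema. You MUST re-declare `@Query`, `@Mutation`, `@Roles` decorators in the child class for the methods to appear in the GraphQL schema.
+
+**Note:** `@UseGuards(AuthGuard(JWT))` is NOT needed when using `@Roles(S_USER)` or `@Roles(ADMIN)` because `RolesGuard` already extends `AuthGuard(JWT)` internally.
+
+---
+
+### 4. Update UserService (CRITICAL!)
+**Modify:** `src/server/modules/user/user.service.ts`
+**Reference:** `node_modules/@lenne.tech/nest-server/src/server/modules/user/user.service.ts`
+
+**Required changes:**
+
+1. Add import:
+```typescript
+import { BetterAuthUserMapper } from '@lenne.tech/nest-server';
+```
+
+2. Add constructor parameter:
+```typescript
+@Optional() private readonly betterAuthUserMapper?: BetterAuthUserMapper,
+```
+
+3. Pass to super() via options object:
+```typescript
+super(configService, emailService, mainDbModel, mainModelConstructor, { betterAuthUserMapper });
+```
+
+**WHY is this critical?**
+The `BetterAuthUserMapper` enables bidirectional password synchronization:
+- User signs up via BetterAuth → password synced to Legacy Auth (bcrypt hash)
+- User changes password → synced between both systems
+- **Without this, users can only authenticate via ONE system!**
+
+---
+
+### 5. Update ServerModule
+**Modify:** `src/server/server.module.ts`
+**Reference:** `node_modules/@lenne.tech/nest-server/src/server/server.module.ts`
+
+#### For New Projects (IAM-Only) - Recommended:
+```typescript
+@Module({
+imports: [
+CoreModule.forRoot(envConfig), // Simplified signature
+BetterAuthModule.forRoot({
+config: envConfig.betterAuth,
+fallbackSecrets: [envConfig.jwt?.secret],
+}),
+// ... other modules
+],
+})
+export class ServerModule {}
+```
+
+#### For Existing Projects (Migration):
+```typescript
+@Module({
+imports: [
+CoreModule.forRoot(AuthService, AuthModule.forRoot(envConfig.jwt), envConfig),
+BetterAuthModule.forRoot({
+config: envConfig.betterAuth,
+fallbackSecrets: [envConfig.jwt?.secret],
+}),
+// ... other modules
+],
+})
+export class ServerModule {}
+```
+
+---
+
+### 6. Update config.env.ts
+**Modify:** `src/config.env.ts`
+**Reference:** `node_modules/@lenne.tech/nest-server/src/config.env.ts`
+
+#### For New Projects (IAM-Only):
+```typescript
+const config = {
+// Disable Legacy Auth endpoints
+auth: {
+legacyEndpoints: {
+enabled: false,
+},
+},
+// BetterAuth configuration (minimal - JWT enabled by default)
+betterAuth: true, // or betterAuth: {} for same effect
+
+// OR with optional features:
+betterAuth: {
+twoFactor: {}, // Enable 2FA (opt-in)
+passkey: {}, // Enable Passkeys (opt-in)
+// JWT is already enabled by default
+},
+};
+```
+
+#### For Existing Projects (Migration):
+```typescript
+const config = {
+// Keep Legacy Auth endpoints enabled during migration
+auth: {
+legacyEndpoints: {
+enabled: true, // Default - can disable after migration
+},
+},
+// BetterAuth configuration (JWT enabled by default)
+betterAuth: true, // Minimal config, or use object for more options
+};
+```
+
+---
+
+## Verification Checklist
+
+After integration, verify:
+
+- [ ] `npm run build` succeeds without errors
+- [ ] `npm test` passes
+- [ ] GraphQL Playground shows `betterAuthEnabled` query
+- [ ] REST endpoint `GET /iam/session` responds
+- [ ] Sign-up via BetterAuth creates user in database with `iamId`
+- [ ] Sign-in via BetterAuth works correctly
+
+### Additional checks for Migration scenario:
+- [ ] Sign-in via Legacy Auth works for BetterAuth-created users
+- [ ] Sign-in via BetterAuth works for Legacy-created users
+- [ ] `betterAuthMigrationStatus` query shows correct counts
+
+---
+
+## Common Mistakes
+
+| Mistake | Symptom | Fix |
+|---------|---------|-----|
+| Forgot to re-declare decorators in Resolver | GraphQL endpoints missing (404) | Copy resolver from reference, keep ALL decorators |
+| Forgot `BetterAuthUserMapper` in UserService | Auth systems not synced, users can't cross-authenticate | Add `@Optional()` parameter and pass to super() |
+| Missing `fallbackSecrets` in ServerModule | Session issues without explicit secret | Add `fallbackSecrets: [envConfig.jwt?.secret, ...]` |
+| Wrong `basePath` in config | 404 on BetterAuth endpoints | Ensure basePath matches controller (default: `/iam`) |
+| Using wrong CoreModule signature | Build errors or missing features | New projects: 1-parameter, Existing: 3-parameter |
+| AuthResolver override missing `checkLegacyGraphQLEnabled()` | Legacy endpoint disabling doesn't work (no HTTP 410) | Call `this.checkLegacyGraphQLEnabled('signIn')` in overrides |
+
+---
+
+## Important: AuthResolver Override Pattern
+
+If your project has a custom `AuthResolver` that extends `CoreAuthResolver` and overrides `signIn()` or `signUp()`, you **MUST** call the protected check method:
+
+```typescript
+// src/server/modules/auth/auth.resolver.ts
+@Mutation(() => Auth)
+override async signIn(...): Promise<Auth> {
+this.checkLegacyGraphQLEnabled('signIn'); // Required!
+const result = await this.authService.signIn(input, serviceOptions);
+return this.processCookies(ctx, result);
+}
+```
+
+**WHY?** When `auth.legacyEndpoints.enabled: false`, this method throws `LegacyAuthDisabledException` (HTTP 410). Without this call, legacy endpoints remain accessible even when configured as disabled.
+
+See: `.claude/rules/module-inheritance.md` for the full pattern.
+
+---
+
+## Client-Side Configuration
+
+Clients must be configured to use the correct base path and hash passwords:
+
+```typescript
+// auth-client.ts (e.g., for Nuxt/Vue)
+import { createAuthClient } from 'better-auth/vue';
+import { sha256 } from '~/utils/crypto';
+
+const baseClient = createAuthClient({
+baseURL: import.meta.env.VITE_API_URL,
+basePath: '/iam', // Must match server config
+plugins: [...],
+});
+
+// Wrap signIn/signUp to hash passwords before sending
+export const authClient = {
+...baseClient,
+signIn: {
+...baseClient.signIn,
+email: async (params) => {
+const hashedPassword = await sha256(params.password);
+return baseClient.signIn.email({ ...params, password: hashedPassword });
+},
+},
+// ... same for signUp, resetPassword, etc.
+};
+```
+
+---
+
+## Detailed Documentation
+
+For complete configuration options, API reference, and advanced topics:
+- **README.md:** `node_modules/@lenne.tech/nest-server/src/core/modules/better-auth/README.md`
+- **GitHub:** https://github.com/lenneTech/nest-server/blob/develop/src/core/modules/better-auth/README.md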