@lenne.tech/nuxt-extensions 1.0.0

package/dist/runtime/lib/auth-client.js

@@ -0,0 +1,144 @@
+import { passkeyClient } from "@better-auth/passkey/client";
+import { adminClient, twoFactorClient } from "better-auth/client/plugins";
+import { createAuthClient } from "better-auth/vue";
+import { navigateTo } from "#imports";
+import { ltSha256 } from "../utils/crypto.js";
+import { createLtAuthFetch } from "./auth-state.js";
+export function createLtAuthClient(config = {}) {
+  const isDev = import.meta.dev || process.env.NODE_ENV === "local";
+  const defaultBaseURL = isDev ? "" : import.meta.env?.VITE_API_URL || process.env.API_URL || "http://localhost:3000";
+  const defaultBasePath = isDev ? "/api/iam" : "/iam";
+  const {
+    baseURL = defaultBaseURL,
+    basePath = defaultBasePath,
+    twoFactorRedirectPath = "/auth/2fa",
+    enableAdmin = true,
+    enableTwoFactor = true,
+    enablePasskey = true
+  } = config;
+  const plugins = [];
+  if (enableAdmin) {
+    plugins.push(adminClient());
+  }
+  if (enableTwoFactor) {
+    plugins.push(
+      twoFactorClient({
+        onTwoFactorRedirect() {
+          navigateTo(twoFactorRedirectPath);
+        }
+      })
+    );
+  }
+  if (enablePasskey) {
+    plugins.push(passkeyClient());
+  }
+  const authFetch = createLtAuthFetch(basePath.replace("/api", ""));
+  const baseClient = createAuthClient({
+    basePath,
+    baseURL,
+    fetchOptions: {
+      customFetchImpl: authFetch
+    },
+    plugins
+  });
+  return {
+    // Spread all base client properties and methods
+    ...baseClient,
+    // Explicitly pass through methods not captured by spread operator
+    useSession: baseClient.useSession,
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    passkey: baseClient.passkey,
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    admin: baseClient.admin,
+    $Infer: baseClient.$Infer,
+    $fetch: baseClient.$fetch,
+    $store: baseClient.$store,
+    /**
+     * Change password for an authenticated user (both passwords are hashed)
+     */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    changePassword: async (params, options) => {
+      const [hashedCurrent, hashedNew] = await Promise.all([ltSha256(params.currentPassword), ltSha256(params.newPassword)]);
+      return baseClient.changePassword?.({ currentPassword: hashedCurrent, newPassword: hashedNew }, options);
+    },
+    /**
+     * Reset password with token (new password is hashed before sending)
+     */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    resetPassword: async (params, options) => {
+      const hashedPassword = await ltSha256(params.newPassword);
+      return baseClient.resetPassword?.({ newPassword: hashedPassword, token: params.token }, options);
+    },
+    // Override signIn to hash password (keep passkey method from plugin)
+    signIn: {
+      ...baseClient.signIn,
+      /**
+       * Sign in with email and password (password is hashed before sending)
+       */
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      email: async (params, options) => {
+        const hashedPassword = await ltSha256(params.password);
+        return baseClient.signIn.email({ ...params, password: hashedPassword }, options);
+      },
+      /**
+       * Sign in with passkey (pass through to base client - provided by passkeyClient plugin)
+       * @see https://www.better-auth.com/docs/plugins/passkey
+       */
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      passkey: baseClient.signIn.passkey
+    },
+    // Explicitly pass through signOut (not captured by spread operator)
+    signOut: baseClient.signOut,
+    // Override signUp to hash password
+    signUp: {
+      ...baseClient.signUp,
+      /**
+       * Sign up with email and password (password is hashed before sending)
+       */
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      email: async (params, options) => {
+        const hashedPassword = await ltSha256(params.password);
+        return baseClient.signUp.email({ ...params, password: hashedPassword }, options);
+      }
+    },
+    // Override twoFactor to hash passwords (provided by twoFactorClient plugin)
+    twoFactor: {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      ...baseClient.twoFactor,
+      /**
+       * Disable 2FA (password is hashed before sending)
+       */
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      disable: async (params, options) => {
+        const hashedPassword = await ltSha256(params.password);
+        return baseClient.twoFactor.disable({ password: hashedPassword }, options);
+      },
+      /**
+       * Enable 2FA (password is hashed before sending)
+       */
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      enable: async (params, options) => {
+        const hashedPassword = await ltSha256(params.password);
+        return baseClient.twoFactor.enable({ password: hashedPassword }, options);
+      },
+      /**
+       * Generate backup codes (password is hashed before sending)
+       */
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      generateBackupCodes: async (params, options) => {
+        const hashedPassword = await ltSha256(params.password);
+        return baseClient.twoFactor.generateBackupCodes({ password: hashedPassword }, options);
+      },
+      /**
+       * Verify TOTP code (pass through to base client)
+       */
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      verifyTotp: baseClient.twoFactor.verifyTotp,
+      /**
+       * Verify backup code (pass through to base client)
+       */
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      verifyBackupCode: baseClient.twoFactor.verifyBackupCode
+    }
+  };
+}

package/dist/runtime/lib/auth-state.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Shared authentication state for Cookie/JWT dual-mode authentication
+ *
+ * This module provides a reactive state that is shared between:
+ * - auth-client.ts (uses it for customFetch)
+ * - use-lt-auth.ts (manages the state)
+ *
+ * Auth Mode Strategy:
+ * 1. Primary: Session cookies (more secure, HttpOnly)
+ * 2. Fallback: JWT tokens (when cookies are not available/working)
+ *
+ * The state is persisted in cookies for SSR compatibility.
+ */
+import type { LtAuthMode } from '../types/index.js';
+/**
+ * Get the current auth mode from cookie
+ */
+export declare function getLtAuthMode(): LtAuthMode;
+/**
+ * Get the JWT token from cookie
+ */
+export declare function getLtJwtToken(): string | null;
+/**
+ * Set JWT token in cookie
+ */
+export declare function setLtJwtToken(token: string | null): void;
+/**
+ * Update auth mode in the lt-auth-state cookie
+ */
+export declare function setLtAuthMode(mode: LtAuthMode): void;
+/**
+ * Get the API base URL from runtime config
+ *
+ * @param basePath - The auth API base path (default: '/iam')
+ */
+export declare function getLtApiBase(basePath?: string): string;
+/**
+ * Attempt to switch to JWT mode by fetching a token
+ *
+ * @param basePath - The auth API base path (default: '/iam')
+ */
+export declare function attemptLtJwtSwitch(basePath?: string): Promise<boolean>;
+/**
+ * Check if user is authenticated (has lt-auth-state with user)
+ */
+export declare function isLtAuthenticated(): boolean;
+/**
+ * Custom fetch function that handles Cookie/JWT dual-mode authentication
+ *
+ * This function:
+ * 1. In cookie mode: Uses credentials: 'include'
+ * 2. In JWT mode: Adds Authorization header
+ * 3. On 401 in cookie mode: Attempts to switch to JWT and retries
+ *
+ * @param basePath - The auth API base path for JWT switch (default: '/iam')
+ */
+export declare function createLtAuthFetch(basePath?: string): (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+export declare const ltAuthFetch: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;

package/dist/runtime/lib/auth-state.js

@@ -0,0 +1,131 @@
+export function getLtAuthMode() {
+  if (import.meta.server) return "cookie";
+  try {
+    const cookie = document.cookie.split("; ").find((row) => row.startsWith("lt-auth-state="));
+    if (cookie) {
+      const parts = cookie.split("=");
+      const value = parts.length > 1 ? decodeURIComponent(parts.slice(1).join("=")) : "";
+      const state = JSON.parse(value);
+      return state?.authMode || "cookie";
+    }
+  } catch {
+  }
+  return "cookie";
+}
+export function getLtJwtToken() {
+  if (import.meta.server) return null;
+  try {
+    const cookie = document.cookie.split("; ").find((row) => row.startsWith("lt-jwt-token="));
+    if (cookie) {
+      const parts = cookie.split("=");
+      const value = parts.length > 1 ? decodeURIComponent(parts.slice(1).join("=")) : "";
+      if (value.startsWith('"') && value.endsWith('"')) {
+        return JSON.parse(value);
+      }
+      return value || null;
+    }
+  } catch {
+  }
+  return null;
+}
+export function setLtJwtToken(token) {
+  if (import.meta.server) return;
+  const maxAge = 60 * 60 * 24 * 7;
+  if (token) {
+    document.cookie = `lt-jwt-token=${encodeURIComponent(JSON.stringify(token))}; path=/; max-age=${maxAge}; samesite=lax`;
+  } else {
+    document.cookie = `lt-jwt-token=; path=/; max-age=0`;
+  }
+}
+export function setLtAuthMode(mode) {
+  if (import.meta.server) return;
+  try {
+    const cookie = document.cookie.split("; ").find((row) => row.startsWith("lt-auth-state="));
+    let state = { user: null, authMode: mode };
+    if (cookie) {
+      const parts = cookie.split("=");
+      const value = parts.length > 1 ? decodeURIComponent(parts.slice(1).join("=")) : "";
+      state = { ...JSON.parse(value), authMode: mode };
+    }
+    const maxAge = 60 * 60 * 24 * 7;
+    document.cookie = `lt-auth-state=${encodeURIComponent(JSON.stringify(state))}; path=/; max-age=${maxAge}; samesite=lax`;
+  } catch {
+  }
+}
+export function getLtApiBase(basePath = "/iam") {
+  const isDev = import.meta.dev;
+  if (isDev) {
+    return `/api${basePath}`;
+  }
+  if (typeof window !== "undefined" && window.__NUXT__?.config?.public?.ltExtensions?.auth?.baseURL) {
+    return `${window.__NUXT__.config.public.ltExtensions.auth.baseURL}${basePath}`;
+  }
+  return `http://localhost:3000${basePath}`;
+}
+export async function attemptLtJwtSwitch(basePath = "/iam") {
+  try {
+    const apiBase = getLtApiBase(basePath);
+    const response = await fetch(`${apiBase}/token`, {
+      method: "GET",
+      credentials: "include"
+    });
+    if (response.ok) {
+      const data = await response.json();
+      if (data.token) {
+        setLtJwtToken(data.token);
+        setLtAuthMode("jwt");
+        console.debug("[LtAuth] Switched to JWT mode");
+        return true;
+      }
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+export function isLtAuthenticated() {
+  if (import.meta.server) return false;
+  try {
+    const cookie = document.cookie.split("; ").find((row) => row.startsWith("lt-auth-state="));
+    if (cookie) {
+      const parts = cookie.split("=");
+      const value = parts.length > 1 ? decodeURIComponent(parts.slice(1).join("=")) : "";
+      const state = JSON.parse(value);
+      return !!state?.user;
+    }
+  } catch {
+  }
+  return false;
+}
+export function createLtAuthFetch(basePath = "/iam") {
+  return async function ltAuthFetch2(input, init) {
+    const authMode = getLtAuthMode();
+    const jwtToken = getLtJwtToken();
+    const headers = new Headers(init?.headers);
+    if (authMode === "jwt" && jwtToken) {
+      headers.set("Authorization", `Bearer ${jwtToken}`);
+    }
+    const response = await fetch(input, {
+      ...init,
+      headers,
+      credentials: "include"
+    });
+    if (response.status === 401 && authMode === "cookie" && isLtAuthenticated()) {
+      console.debug("[LtAuth] Cookie auth failed, attempting JWT fallback...");
+      const switched = await attemptLtJwtSwitch(basePath);
+      if (switched) {
+        const newToken = getLtJwtToken();
+        if (newToken) {
+          headers.set("Authorization", `Bearer ${newToken}`);
+          return fetch(input, {
+            ...init,
+            headers,
+            credentials: "include"
+          });
+        }
+      }
+    }
+    return response;
+  };
+}
+export const ltAuthFetch = createLtAuthFetch("/iam");

package/dist/runtime/lib/index.d.ts

@@ -0,0 +1,2 @@
+export { attemptLtJwtSwitch, createLtAuthFetch, getLtApiBase, getLtAuthMode, getLtJwtToken, isLtAuthenticated, ltAuthFetch, setLtAuthMode, setLtJwtToken, } from './auth-state.js';
+export { createLtAuthClient, type LtAuthClient } from './auth-client.js';

package/dist/runtime/lib/index.js

@@ -0,0 +1,12 @@
+export {
+  attemptLtJwtSwitch,
+  createLtAuthFetch,
+  getLtApiBase,
+  getLtAuthMode,
+  getLtJwtToken,
+  isLtAuthenticated,
+  ltAuthFetch,
+  setLtAuthMode,
+  setLtJwtToken
+} from "./auth-state.js";
+export { createLtAuthClient } from "./auth-client.js";

package/dist/runtime/locales/de.json

@@ -0,0 +1,19 @@
+{
+  "lt": {
+    "auth": {
+      "loggingOut": "Abmelden...",
+      "noPasskeySelected": "Kein Passkey ausgewählt",
+      "passkeyAborted": "Passkey-Authentifizierung wurde abgebrochen",
+      "passkeyCreationAborted": "Passkey-Erstellung wurde abgebrochen",
+      "passkeyError": "Konnte Passkey-Optionen nicht laden",
+      "passkeyFailed": "Passkey-Anmeldung fehlgeschlagen",
+      "passkeyRegisterFailed": "Passkey-Registrierung fehlgeschlagen",
+      "registerOptionsError": "Konnte Registrierungsoptionen nicht laden",
+      "sessionExpired": "Sitzung abgelaufen"
+    },
+    "share": {
+      "copied": "Link kopiert",
+      "copiedDescription": "Der Link wurde in die Zwischenablage kopiert."
+    }
+  }
+}

package/dist/runtime/locales/en.json

@@ -0,0 +1,19 @@
+{
+  "lt": {
+    "auth": {
+      "loggingOut": "Logging out...",
+      "noPasskeySelected": "No passkey selected",
+      "passkeyAborted": "Passkey authentication was cancelled",
+      "passkeyCreationAborted": "Passkey creation was cancelled",
+      "passkeyError": "Could not load passkey options",
+      "passkeyFailed": "Passkey login failed",
+      "passkeyRegisterFailed": "Passkey registration failed",
+      "registerOptionsError": "Could not load registration options",
+      "sessionExpired": "Session expired"
+    },
+    "share": {
+      "copied": "Link copied",
+      "copiedDescription": "The link has been copied to clipboard."
+    }
+  }
+}

package/dist/runtime/plugins/auth-interceptor.client.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Auth Interceptor Plugin
+ *
+ * This plugin intercepts all API responses and handles session expiration.
+ * When a 401 (Unauthorized) response is received, it automatically:
+ * 1. Clears the user session state
+ * 2. Redirects to the login page
+ *
+ * Note: This is a client-only plugin (.client.ts) since auth state
+ * management only makes sense in the browser context.
+ */
+import type { NuxtApp } from '#app';
+declare const _default: (nuxtApp: NuxtApp) => void;
+export default _default;

package/dist/runtime/plugins/auth-interceptor.client.js

@@ -0,0 +1,88 @@
+import { useLtAuth } from "../composables/auth/use-lt-auth.js";
+export default (nuxtApp) => {
+  if (import.meta.server) return;
+  const { clearUser, isAuthenticated } = useLtAuth();
+  const runtimeConfig = nuxtApp.$config?.public?.ltExtensions?.auth || {};
+  const loginPath = runtimeConfig.loginPath || "/auth/login";
+  const configuredPublicPaths = runtimeConfig.interceptor?.publicPaths || [];
+  let isHandling401 = false;
+  const defaultPublicPaths = ["/auth/login", "/auth/register", "/auth/forgot-password", "/auth/reset-password", "/auth/2fa"];
+  const publicAuthPaths = [.../* @__PURE__ */ new Set([...defaultPublicPaths, ...configuredPublicPaths])];
+  function isPublicAuthRoute() {
+    const route = nuxtApp.$router?.currentRoute?.value;
+    if (!route) return false;
+    return publicAuthPaths.some((path) => route.path.startsWith(path));
+  }
+  function isAuthEndpoint(url) {
+    const authEndpoints = [
+      "/sign-in",
+      "/sign-up",
+      "/sign-out",
+      "/forgot-password",
+      "/reset-password",
+      "/verify-email",
+      "/session",
+      "/token",
+      // Passkey endpoints - handled by authFetch with JWT fallback
+      "/passkey/",
+      "/list-user-passkeys",
+      "/generate-register-options",
+      "/verify-registration",
+      "/generate-authenticate-options",
+      "/verify-authentication",
+      // Two-factor endpoints
+      "/two-factor/"
+    ];
+    return authEndpoints.some((endpoint) => url.includes(endpoint));
+  }
+  async function handleUnauthorized(requestUrl) {
+    if (isHandling401) {
+      return;
+    }
+    if (requestUrl && isAuthEndpoint(requestUrl)) {
+      return;
+    }
+    if (isPublicAuthRoute()) {
+      return;
+    }
+    isHandling401 = true;
+    try {
+      if (isAuthenticated.value) {
+        console.debug("[LtAuth Interceptor] Session expired, logging out...");
+        clearUser();
+        const currentPath = nuxtApp.$router?.currentRoute?.value?.fullPath;
+        const redirectQuery = currentPath && currentPath !== loginPath ? `?redirect=${encodeURIComponent(currentPath)}` : "";
+        window.location.href = loginPath + redirectQuery;
+      }
+    } finally {
+      setTimeout(() => {
+        isHandling401 = false;
+      }, 1e3);
+    }
+  }
+  const originalFetch = globalThis.$fetch;
+  globalThis.$fetch = ((url, options) => {
+    return originalFetch(url, {
+      ...options,
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      onResponseError: (context) => {
+        if (options?.onResponseError) {
+          options.onResponseError(context);
+        }
+        if (context.response?.status === 401) {
+          handleUnauthorized(url);
+        }
+      }
+    });
+  });
+  const originalNativeFetch = globalThis.fetch;
+  globalThis.fetch = async (input, init) => {
+    const response = await originalNativeFetch(input, init);
+    if (response.status === 401) {
+      const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
+      handleUnauthorized(url);
+    }
+    return response;
+  };
+  nuxtApp.provide("ltHandleUnauthorized", handleUnauthorized);
+};

package/dist/runtime/server/tsconfig.json

@@ -0,0 +1,3 @@
+{
+  "extends": "../../../.nuxt/tsconfig.server.json",
+}

package/dist/runtime/types/auth.d.ts

@@ -0,0 +1,127 @@
+import type { ComputedRef, Ref } from 'vue';
+/**
+ * User type for Better Auth session
+ * Compatible with @lenne.tech/nest-server IAM module
+ */
+export interface LtUser {
+    banExpires?: Date;
+    banned?: boolean;
+    banReason?: string;
+    email: string;
+    emailVerified?: boolean;
+    id: string;
+    image?: string;
+    name?: string;
+    role?: string;
+    twoFactorEnabled?: boolean;
+}
+/**
+ * Authentication mode for Cookie/JWT dual-mode authentication
+ * - 'cookie': Primary mode using HttpOnly session cookies (more secure)
+ * - 'jwt': Fallback mode using JWT tokens in Authorization header
+ */
+export type LtAuthMode = 'cookie' | 'jwt';
+/**
+ * Stored auth state (persisted in cookie for SSR compatibility)
+ */
+export interface LtAuthState {
+    authMode: LtAuthMode;
+    user: LtUser | null;
+}
+/**
+ * Configuration options for the auth client factory
+ * All options have sensible defaults for nest-server compatibility
+ */
+export interface LtAuthClientConfig {
+    /** API base URL (default: from env or http://localhost:3000) */
+    baseURL?: string;
+    /** Auth API base path (default: '/iam' - must match nest-server betterAuth.basePath) */
+    basePath?: string;
+    /** Enable admin plugin (default: true) */
+    enableAdmin?: boolean;
+    /** Enable passkey plugin (default: true) */
+    enablePasskey?: boolean;
+    /** Enable 2FA plugin (default: true) */
+    enableTwoFactor?: boolean;
+    /** 2FA redirect path (default: '/auth/2fa') */
+    twoFactorRedirectPath?: string;
+}
+/**
+ * Normalized response type for Better-Auth operations
+ * The Vue client returns complex union types - this provides a consistent interface
+ */
+export interface LtAuthResponse {
+    data?: null | {
+        redirect?: boolean;
+        token?: null | string;
+        url?: string;
+        user?: LtUser;
+    };
+    error?: null | {
+        code?: string;
+        message?: string;
+        status?: number;
+    };
+}
+/**
+ * Result of passkey authentication
+ */
+export interface LtPasskeyAuthResult {
+    error?: string;
+    session?: {
+        token: string;
+    };
+    success: boolean;
+    user?: LtUser;
+}
+/**
+ * Result of passkey registration
+ */
+export interface LtPasskeyRegisterResult {
+    error?: string;
+    passkey?: unknown;
+    success: boolean;
+}
+/**
+ * Return type for useLtAuth composable
+ */
+export interface UseLtAuthReturn {
+    authMode: ComputedRef<LtAuthMode>;
+    isAuthenticated: ComputedRef<boolean>;
+    isJwtMode: ComputedRef<boolean>;
+    isLoading: ComputedRef<boolean>;
+    jwtToken: Ref<string | null>;
+    user: ComputedRef<LtUser | null>;
+    is2FAEnabled: ComputedRef<boolean>;
+    isAdmin: ComputedRef<boolean>;
+    authenticateWithPasskey: () => Promise<LtPasskeyAuthResult>;
+    changePassword: (params: {
+        currentPassword: string;
+        newPassword: string;
+    }, options?: unknown) => Promise<unknown>;
+    clearUser: () => void;
+    fetchWithAuth: (url: string, options?: RequestInit) => Promise<Response>;
+    refreshJwtToken: () => Promise<boolean>;
+    registerPasskey: (name?: string) => Promise<LtPasskeyRegisterResult>;
+    setUser: (userData: LtUser | null, mode?: LtAuthMode) => void;
+    signIn: {
+        email: (params: {
+            email: string;
+            password: string;
+            rememberMe?: boolean;
+        }, options?: unknown) => Promise<unknown>;
+        passkey?: (options?: unknown) => Promise<unknown>;
+    };
+    signOut: (options?: unknown) => Promise<unknown>;
+    signUp: {
+        email: (params: {
+            email: string;
+            name: string;
+            password: string;
+        }, options?: unknown) => Promise<unknown>;
+    };
+    switchToJwtMode: () => Promise<boolean>;
+    validateSession: () => Promise<boolean>;
+    passkey?: unknown;
+    twoFactor?: unknown;
+}

package/dist/runtime/types/index.d.ts

@@ -0,0 +1,3 @@
+export type { LtAuthClientConfig, LtAuthMode, LtAuthResponse, LtAuthState, LtPasskeyAuthResult, LtPasskeyRegisterResult, LtUser, UseLtAuthReturn, } from './auth.js';
+export type { LtFileInfo, LtUploadItem, LtUploadOptions, LtUploadProgress, LtUploadStatus, UseLtFileReturn, UseLtTusUploadReturn, } from './upload.js';
+export type { LtAuthModuleOptions, LtExtensionsModuleOptions, LtExtensionsPublicRuntimeConfig, LtI18nModuleOptions, LtTusModuleOptions, } from './module.js';