@lenne.tech/nuxt-extensions 1.2.11 → 1.3.0

package/dist/module.d.mts

@@ -6,7 +6,7 @@ export { LtAuthModuleOptions, LtErrorTranslationModuleOptions, LtExtensionsModul
 export { LtErrorTranslationResponse, LtParsedError, UseLtErrorTranslationReturn } from '../dist/runtime/types/error.js';
 
 declare const name = "@lenne.tech/nuxt-extensions";
-declare const version = "1.0.0";
+declare const version = "1.3.0";
 declare const configKey = "ltExtensions";
 declare const _default: _nuxt_schema.NuxtModule<LtExtensionsModuleOptions, LtExtensionsModuleOptions, false>;
 

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "configKey": "ltExtensions",
   "name": "@lenne.tech/nuxt-extensions",
-  "version": "1.0.0",
+  "version": "1.3.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -1,7 +1,7 @@
 import { defineNuxtModule, createResolver, addImports, addComponent, addPlugin, addRouteMiddleware } from '@nuxt/kit';
 
 const name = "@lenne.tech/nuxt-extensions";
-const version = "1.0.0";
+const version = "1.3.0";
 const configKey = "ltExtensions";
 const defaultOptions = {
   auth: {
@@ -111,6 +111,8 @@ const module$1 = defineNuxtModule({
       { name: "getLtJwtToken", from: resolve("./runtime/lib/auth-state") },
       { name: "setLtJwtToken", from: resolve("./runtime/lib/auth-state") },
       { name: "getLtApiBase", from: resolve("./runtime/lib/auth-state") },
+      { name: "buildLtApiUrl", from: resolve("./runtime/lib/auth-state") },
+      { name: "isLocalDevApiProxy", from: resolve("./runtime/lib/auth-state") },
       { name: "attemptLtJwtSwitch", from: resolve("./runtime/lib/auth-state") },
       { name: "isLtAuthenticated", from: resolve("./runtime/lib/auth-state") },
       { name: "createLtAuthFetch", from: resolve("./runtime/lib/auth-state") },

package/dist/runtime/composables/auth/use-system-setup.d.ts

@@ -5,6 +5,8 @@
  * and provides a method to perform that setup.
  *
  * Uses useState for SSR-compatible state management.
+ *
+ * URL handling is delegated to {@link buildLtApiUrl} (SSR / proxy / direct).
  */
 import type { ComputedRef } from "vue";
 export interface UseSystemSetupReturn {

package/dist/runtime/composables/auth/use-system-setup.js

@@ -1,19 +1,12 @@
-import { computed, useRuntimeConfig, useState } from "#imports";
-import { getLtApiBase } from "../../lib/auth-state.js";
+import { computed, useState } from "#imports";
 import { ltSha256 } from "../../utils/crypto.js";
+import { buildLtApiUrl } from "../../lib/auth-state.js";
 export function useSystemSetup() {
-  const runtimeConfig = useRuntimeConfig();
   const needsSetupState = useState("lt-needs-setup", () => null);
   const needsSetup = computed(() => needsSetupState.value);
   async function checkSetupStatus() {
     try {
-      let url;
-      if (import.meta.server) {
-        const apiUrl = runtimeConfig.apiUrl || "http://localhost:3000";
-        url = `${apiUrl}/api/system-setup/status`;
-      } else {
-        url = "/api/system-setup/status";
-      }
+      const url = buildLtApiUrl("/system-setup/status");
       const data = await $fetch(url);
       needsSetupState.value = data.needsSetup;
       return data.needsSetup;
@@ -23,9 +16,9 @@ export function useSystemSetup() {
     }
   }
   async function initSetup(params) {
-    const apiBase = getLtApiBase();
+    const url = buildLtApiUrl("/system-setup/init");
     const hashedPassword = await ltSha256(params.password);
-    await $fetch(`${apiBase}/system-setup/init`, {
+    await $fetch(url, {
       method: "POST",
       body: {
         email: params.email,

package/dist/runtime/composables/use-lt-auth-client.d.ts

@@ -27,9 +27,10 @@ export declare function resetLtAuthClient(): void;
  * The client is created once and reused across all calls.
  * Configuration is read from RuntimeConfig on first call.
  *
- * IMPORTANT: In dev mode, the basePath is automatically prefixed with '/api'
- * to leverage Nuxt's server proxy. This is required for WebAuthn/Passkey
- * to work correctly (same-origin policy).
+ * IMPORTANT: When the API proxy is enabled (NUXT_PUBLIC_API_PROXY=true),
+ * the basePath is automatically prefixed with '/api' so the Vite dev proxy
+ * can forward requests to the backend. This is required for same-origin
+ * cookies and WebAuthn/Passkey to work correctly.
  */
 export declare function useLtAuthClient(): LtAuthClient;
 export declare const ltAuthClient: {

package/dist/runtime/composables/use-lt-auth-client.js

@@ -3,7 +3,7 @@ import {
   getOrCreateLtAuthClient,
   resetLtAuthClientSingleton
 } from "../lib/auth-client.js";
-import { isLtDevMode } from "../lib/auth-state.js";
+import { isLocalDevApiProxy } from "../lib/auth-state.js";
 export function resetLtAuthClient() {
   resetLtAuthClientSingleton();
 }
@@ -11,13 +11,13 @@ export function useLtAuthClient() {
   try {
     const nuxtApp = useNuxtApp();
     const config = nuxtApp.$config?.public?.ltExtensions?.auth || {};
-    const isDev = isLtDevMode();
+    const useProxy = isLocalDevApiProxy();
     let basePath = config.basePath || "/iam";
-    if (isDev && basePath && !basePath.startsWith("/api")) {
+    if (useProxy && basePath && !basePath.startsWith("/api")) {
       basePath = `/api${basePath}`;
     }
     return getOrCreateLtAuthClient({
-      baseURL: isDev ? "" : config.baseURL,
+      baseURL: useProxy ? "" : config.baseURL,
       basePath,
       twoFactorRedirectPath: config.twoFactorRedirectPath,
       enableAdmin: config.enableAdmin,

package/dist/runtime/composables/use-lt-error-translation.d.ts

@@ -5,7 +5,9 @@
  * Works with or without @nuxtjs/i18n.
  *
  * Backend error format: "#LTNS_0100: Unauthorized - User is not logged in"
- * Translations loaded from: GET /api/i18n/errors/:locale
+ * Translations loaded from: GET /i18n/errors/:locale
+ *
+ * URL handling is delegated to {@link buildLtApiUrl} (SSR / proxy / direct).
  */
 import type { UseLtErrorTranslationReturn } from "../types/error.js";
 /**

package/dist/runtime/composables/use-lt-error-translation.js

@@ -1,4 +1,5 @@
 import { computed, ref, useState, useNuxtApp, useRuntimeConfig } from "#imports";
+import { buildLtApiUrl } from "../lib/auth-state.js";
 const ERROR_CODE_REGEX = /^#([A-Z_]+_\d+):\s*(.+)$/;
 export function useLtErrorTranslation() {
   const nuxtApp = useNuxtApp();
@@ -29,8 +30,8 @@ export function useLtErrorTranslation() {
     }
     return config?.defaultLocale || "de";
   }
-  function getApiBase() {
-    return runtimeConfig.public?.ltExtensions?.auth?.baseURL || "";
+  function buildErrorUrl(locale) {
+    return buildLtApiUrl(`/i18n/errors/${locale}`);
   }
   async function loadTranslations(locale) {
     const targetLocale = locale || detectLocale();
@@ -42,10 +43,8 @@ export function useLtErrorTranslation() {
     }
     isLoading.value = true;
     try {
-      const apiBase = getApiBase();
-      const response = await $fetch(
-        `${apiBase}/api/i18n/errors/${targetLocale}`
-      );
+      const url = buildErrorUrl(targetLocale);
+      const response = await $fetch(url);
       if (response?.errors) {
         translations.value = {
           ...translations.value,

package/dist/runtime/lib/auth-client.d.ts

@@ -280,6 +280,21 @@ export declare function createLtAuthClient(config?: LtAuthClientConfig): {
         listen: (signal: Omit<string, "$sessionSignal"> | "$sessionSignal", listener: (value: boolean, oldValue?: boolean | undefined) => void) => void;
         atoms: Record<string, import("better-auth/client").WritableAtom<any>>;
     };
+    requestPasswordReset: <FetchOptions extends import("better-auth").ClientFetchOption<Partial<{
+        email: string;
+        redirectTo?: string | undefined;
+    }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: import("better-auth").Prettify<{
+        email: string;
+        redirectTo?: string | undefined;
+    } & {
+        fetchOptions?: FetchOptions | undefined;
+    }>, data_1?: FetchOptions | undefined) => Promise<import("better-auth/client").BetterFetchResponse<{
+        status: boolean;
+        message: string;
+    }, {
+        code?: string | undefined;
+        message?: string | undefined;
+    }, FetchOptions["throw"] extends true ? true : false>>;
     /**
      * Change password for an authenticated user (both passwords are hashed)
      */
@@ -615,21 +630,6 @@ export declare function createLtAuthClient(config?: LtAuthClientConfig): {
             message?: string | undefined;
         }, FetchOptions["throw"] extends true ? true : false>>;
     };
-    requestPasswordReset: <FetchOptions extends import("better-auth").ClientFetchOption<Partial<{
-        email: string;
-        redirectTo?: string | undefined;
-    }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: import("better-auth").Prettify<{
-        email: string;
-        redirectTo?: string | undefined;
-    } & {
-        fetchOptions?: FetchOptions | undefined;
-    }>, data_1?: FetchOptions | undefined) => Promise<import("better-auth/client").BetterFetchResponse<{
-        status: boolean;
-        message: string;
-    }, {
-        code?: string | undefined;
-        message?: string | undefined;
-    }, FetchOptions["throw"] extends true ? true : false>>;
     listSessions: <FetchOptions extends import("better-auth").ClientFetchOption<never, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0?: import("better-auth").Prettify<{
         query?: Record<string, any> | undefined;
         fetchOptions?: FetchOptions | undefined;

package/dist/runtime/lib/auth-client.js

@@ -3,7 +3,7 @@ import { adminClient, twoFactorClient } from "better-auth/client/plugins";
 import { createAuthClient } from "better-auth/vue";
 import { navigateTo } from "#imports";
 import { ltSha256 } from "../utils/crypto.js";
-import { createLtAuthFetch, isLtDevMode } from "./auth-state.js";
+import { createLtAuthFetch, isLocalDevApiProxy } from "./auth-state.js";
 let _ltAuthPluginRegistry = [];
 let _pluginsChangedAfterCreation = false;
 let _authClientSingleton = null;
@@ -38,9 +38,9 @@ export function getOrCreateLtAuthClient(config) {
   return _authClientSingleton;
 }
 export function createLtAuthClient(config = {}) {
-  const isDev = isLtDevMode();
-  const defaultBaseURL = isDev ? "" : import.meta.env?.VITE_API_URL || process.env.API_URL || "http://localhost:3000";
-  const defaultBasePath = isDev ? "/api/iam" : "/iam";
+  const useProxy = isLocalDevApiProxy();
+  const defaultBaseURL = useProxy ? "" : import.meta.env?.VITE_API_URL || process.env.API_URL || "http://localhost:3000";
+  const defaultBasePath = useProxy ? "/api/iam" : "/iam";
   const {
     baseURL = defaultBaseURL,
     basePath = defaultBasePath,
@@ -89,6 +89,7 @@ export function createLtAuthClient(config = {}) {
     $Infer: baseClient.$Infer,
     $fetch: baseClient.$fetch,
     $store: baseClient.$store,
+    requestPasswordReset: baseClient.requestPasswordReset,
     /**
      * Change password for an authenticated user (both passwords are hashed)
      */

package/dist/runtime/lib/auth-state.d.ts

@@ -13,14 +13,49 @@
  */
 import type { LtAuthMode } from "../types/index.js";
 /**
- * Detects if we're running in development mode at runtime.
+ * Determines if HTTP requests should use the Nuxt Vite dev proxy.
  *
- * Note: `import.meta.dev` is evaluated at build time and doesn't work
- * correctly for pre-built modules. This function uses runtime checks instead.
+ * When `true`, client-side requests are prefixed with `/api/` so the
+ * Vite dev server can forward them to the backend. The proxy strips
+ * the `/api/` prefix before forwarding, so the backend receives the
+ * original path (e.g., `/iam/sign-in`, `/i18n/errors/de`).
  *
- * @returns true if running in development mode
+ * **Why a proxy?**
+ * In local development the frontend (localhost:3001) and backend
+ * (localhost:3000) run on different ports. Browsers enforce same-origin
+ * policy for cookies, which breaks session-based authentication.
+ * The Vite proxy makes all requests appear same-origin.
+ *
+ * **How is this controlled?**
+ * Set `NUXT_PUBLIC_API_PROXY=true` in your `.env` file to enable the proxy.
+ * Nuxt auto-maps this to `runtimeConfig.public.apiProxy`.
+ * This should ONLY be enabled for local development (`nuxt dev`).
+ * On deployed stages (develop, test, preview, production) the proxy
+ * must NOT be enabled — requests go directly to the backend.
+ *
+ * **Fallback:** If `apiProxy` is not configured, the function checks
+ * whether the app runs under `nuxt dev` (buildId === 'dev'). If so,
+ * the proxy is activated with a prominent console warning so the
+ * implicit activation is immediately visible.
+ *
+ * **SSR never uses the proxy** — server-side requests call the backend
+ * directly via `runtimeConfig.apiUrl`.
+ *
+ * @returns true if the `/api/` proxy prefix should be used for client requests
+ *
+ * @see https://github.com/lenneTech/nuxt-base-starter — Vite proxy configuration
  */
-export declare function isLtDevMode(): boolean;
+export declare function isLocalDevApiProxy(): boolean;
+/**
+ * Build a full API URL for a given path, handling SSR, proxy, and direct modes.
+ *
+ * - **SSR**: `runtimeConfig.apiUrl` + path (direct backend call)
+ * - **Client + Proxy** (`NUXT_PUBLIC_API_PROXY=true`): `/api` + path (Vite proxy)
+ * - **Client direct**: `runtimeConfig.public.apiUrl` + path
+ *
+ * @param path - The API path (e.g., `/system-setup/status`, `/i18n/errors/de`)
+ */
+export declare function buildLtApiUrl(path: string): string;
 /**
  * Get the current auth mode from cookie
  */
@@ -38,7 +73,13 @@ export declare function setLtJwtToken(token: string | null): void;
  */
 export declare function setLtAuthMode(mode: LtAuthMode): void;
 /**
- * Get the API base URL from runtime config
+ * Get the API base URL for auth (IAM) requests.
+ *
+ * Uses {@link isLocalDevApiProxy} to determine the URL strategy:
+ * - **Proxy mode** (`NUXT_PUBLIC_API_PROXY=true`): Returns `/api{basePath}`
+ *   (e.g., `/api/iam`) so the Vite dev proxy forwards the request to the backend.
+ * - **Direct mode** (proxy disabled or not set): Returns `{baseURL}{basePath}`
+ *   (e.g., `https://api.example.com/iam`) for direct backend calls.
  *
  * @param basePath - The auth API base path. If not provided, reads from runtime config (default: '/iam')
  */

package/dist/runtime/lib/auth-state.js

@@ -1,18 +1,45 @@
-export function isLtDevMode() {
+import { useRuntimeConfig } from "#imports";
+let _proxyFallbackWarned = false;
+export function isLocalDevApiProxy() {
   if (import.meta.server) {
-    return process.env.NODE_ENV !== "production";
+    return false;
   }
-  if (typeof window !== "undefined") {
-    const buildId = window.__NUXT__?.config?.app?.buildId;
+  try {
+    const runtimeConfig = useRuntimeConfig();
+    const apiProxy = runtimeConfig.public?.apiProxy;
+    if (apiProxy !== void 0 && apiProxy !== null && apiProxy !== "") {
+      return apiProxy === true || apiProxy === "true";
+    }
+    const buildId = runtimeConfig?.app && runtimeConfig.app?.buildId;
     if (buildId === "dev") {
+      if (!_proxyFallbackWarned) {
+        _proxyFallbackWarned = true;
+        console.warn(
+          "\n\u26A0\uFE0F  [LtExtensions] API proxy activated implicitly because nuxt dev was detected.\n    To make this explicit, add NUXT_PUBLIC_API_PROXY=true to your .env file.\n    If you do NOT want the proxy, set NUXT_PUBLIC_API_PROXY=false.\n"
+        );
+      }
       return true;
     }
-    const hostname = window.location?.hostname;
-    if (hostname === "localhost" || hostname === "127.0.0.1") {
-      return true;
+    return false;
+  } catch {
+    return false;
+  }
+}
+export function buildLtApiUrl(path) {
+  try {
+    const runtimeConfig = useRuntimeConfig();
+    if (import.meta.server) {
+      const apiUrl2 = runtimeConfig.apiUrl || "http://localhost:3000";
+      return `${apiUrl2}${path}`;
     }
+    if (isLocalDevApiProxy()) {
+      return `/api${path}`;
+    }
+    const apiUrl = runtimeConfig.public.apiUrl || runtimeConfig.public?.ltExtensions?.auth?.baseURL || "http://localhost:3000";
+    return `${apiUrl}${path}`;
+  } catch {
+    return `http://localhost:3000${path}`;
   }
-  return false;
 }
 export function getLtAuthMode() {
   if (import.meta.server) return "cookie";
@@ -69,18 +96,14 @@ export function setLtAuthMode(mode) {
   }
 }
 export function getLtApiBase(basePath) {
-  if (!basePath && typeof window !== "undefined") {
-    basePath = window.__NUXT__?.config?.public?.ltExtensions?.auth?.basePath;
-  }
-  basePath = basePath || "/iam";
-  const isDev = isLtDevMode();
-  if (isDev) {
-    return `/api${basePath}`;
-  }
-  if (typeof window !== "undefined" && window.__NUXT__?.config?.public?.ltExtensions?.auth?.baseURL) {
-    return `${window.__NUXT__.config.public.ltExtensions.auth.baseURL}${basePath}`;
+  if (!basePath) {
+    try {
+      const runtimeConfig = useRuntimeConfig();
+      basePath = runtimeConfig.public?.ltExtensions?.auth?.basePath;
+    } catch {
+    }
   }
-  return `http://localhost:3000${basePath}`;
+  return buildLtApiUrl(basePath || "/iam");
 }
 export async function attemptLtJwtSwitch(basePath = "/iam") {
   try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nuxt-extensions",
-  "version": "1.2.11",
+  "version": "1.3.0",
   "description": "Reusable Nuxt 4 composables, components, and Better-Auth integration for lenne.tech projects",
   "repository": {
     "type": "git",
@@ -47,7 +47,7 @@
   ],
   "scripts": {
     "prepare": "git config core.hooksPath .githooks",
-    "prepack": "nuxt-module-build build",
+    "prepack": "node scripts/sync-module-version.mjs && nuxt-module-build build",
     "c": "pnpm run check",
     "check": "pnpm audit && pnpm run format:check && pnpm run lint && pnpm test:types && pnpm test && pnpm run build",
     "check:fix": "pnpm install && pnpm audit --fix && pnpm run format && pnpm run lint:fix && pnpm test:types && pnpm test && pnpm run build",
@@ -131,4 +131,4 @@
     "file-upload",
     "lenne-tech"
   ]
-}
+}