@lunora/auth 0.0.0 → 1.0.0-alpha.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +105 -0
- package/README.md +125 -9
- package/__assets__/package-og.svg +14 -0
- package/dist/adapter.d.mts +43 -0
- package/dist/adapter.d.ts +43 -0
- package/dist/adapter.mjs +47 -0
- package/dist/index.d.mts +386 -0
- package/dist/index.d.ts +386 -0
- package/dist/index.mjs +12 -0
- package/dist/middleware.d.mts +189 -0
- package/dist/middleware.d.ts +189 -0
- package/dist/middleware.mjs +53 -0
- package/dist/packem_shared/DEFAULT_AUTH_BASE_PATH-DjcUWEQl.mjs +11 -0
- package/dist/packem_shared/create-auth.d-M36jwG_Y.d.mts +58 -0
- package/dist/packem_shared/create-auth.d-M36jwG_Y.d.ts +58 -0
- package/dist/packem_shared/createAuth-B-tvsvQU.mjs +56 -0
- package/dist/packem_shared/createAuthAdmin-BxrfEeA_.mjs +249 -0
- package/dist/packem_shared/ensureMigrated-wZH3oXDu.mjs +28 -0
- package/dist/packem_shared/sessionPresets-B95rXrd8.mjs +35 -0
- package/dist/plugins-client.d.mts +2 -0
- package/dist/plugins-client.d.ts +2 -0
- package/dist/plugins-client.mjs +2 -0
- package/dist/plugins.d.mts +22 -0
- package/dist/plugins.d.ts +22 -0
- package/dist/plugins.mjs +22 -0
- package/dist/schema.d.mts +44 -0
- package/dist/schema.d.ts +44 -0
- package/dist/schema.mjs +62 -0
- package/dist/sql-store.d.mts +51 -0
- package/dist/sql-store.d.ts +51 -0
- package/dist/sql-store.mjs +162 -0
- package/dist/store.d.mts +66 -0
- package/dist/store.d.ts +66 -0
- package/dist/store.mjs +170 -0
- package/dist/turnstile-middleware.d.mts +80 -0
- package/dist/turnstile-middleware.d.ts +80 -0
- package/dist/turnstile-middleware.mjs +45 -0
- package/dist/turnstile.d.mts +98 -0
- package/dist/turnstile.d.ts +98 -0
- package/dist/turnstile.mjs +61 -0
- package/package.json +80 -18
|
@@ -0,0 +1,189 @@
|
|
|
1
|
+
import { L as LunoraAuth } from "./packem_shared/create-auth.d-M36jwG_Y.js";
|
|
2
|
+
import 'better-auth';
|
|
3
|
+
/**
|
|
4
|
+
* Structural mirror of `@lunora/server`'s `MiddlewareNext` — the continuation
|
|
5
|
+
* callback handed to a middleware. Repeated here so this package does not take
|
|
6
|
+
* a runtime dependency on `@lunora/server`; the types are assignable from the
|
|
7
|
+
* fully-typed builder.
|
|
8
|
+
*/
|
|
9
|
+
interface MiddlewareNext<ContextIn> {
|
|
10
|
+
(): Promise<ContextIn>;
|
|
11
|
+
<Extension extends Record<string, unknown>>(options: {
|
|
12
|
+
ctx: Extension;
|
|
13
|
+
}): Promise<ContextIn & Extension>;
|
|
14
|
+
}
|
|
15
|
+
/**
|
|
16
|
+
* Thrown by the runtime header guard when a privileged `ctx.authApi.*` endpoint
|
|
17
|
+
* is invoked without a `headers` property on its argument object. Carries the
|
|
18
|
+
* offending `method` name so callers can pinpoint the bad call site, and points
|
|
19
|
+
* at the explicit escape hatches.
|
|
20
|
+
*
|
|
21
|
+
* This is the runtime sibling of the static `auth_api_call_without_headers`
|
|
22
|
+
* advisor lint — both treat a header-less `ctx.authApi.*` call as an
|
|
23
|
+
* authorization bypass, so a call that trips the lint also trips this guard.
|
|
24
|
+
*/
|
|
25
|
+
declare class LunoraAuthHeadersError extends Error {
|
|
26
|
+
/** The `ctx.authApi.<method>` that was called without `headers`. */
|
|
27
|
+
readonly method: string;
|
|
28
|
+
constructor(method: string);
|
|
29
|
+
}
|
|
30
|
+
/**
|
|
31
|
+
* Options for {@link withAuthPlugins}.
|
|
32
|
+
*/
|
|
33
|
+
interface WithAuthPluginsOptions {
|
|
34
|
+
/**
|
|
35
|
+
* Whether to install the runtime header guard around `ctx.authApi`.
|
|
36
|
+
*
|
|
37
|
+
* **Defaults to `true` — the safe default.** When enabled, every
|
|
38
|
+
* `ctx.authApi.<method>(…)` call that omits `headers` throws
|
|
39
|
+
* {@link LunoraAuthHeadersError} instead of silently running with full
|
|
40
|
+
* server-to-server privileges. For a deliberate, per-call unauthenticated
|
|
41
|
+
* invocation, use the explicit `ctx.authApi.withoutHeaders()` escape hatch
|
|
42
|
+
* rather than disabling the guard wholesale.
|
|
43
|
+
*
|
|
44
|
+
* Set to `false` only when you have audited every `ctx.authApi.*` call site
|
|
45
|
+
* and accept responsibility for passing headers yourself. This is the loud,
|
|
46
|
+
* all-or-nothing opt-out; prefer `withoutHeaders()` for one-offs.
|
|
47
|
+
*/
|
|
48
|
+
enforceHeaders?: boolean;
|
|
49
|
+
}
|
|
50
|
+
/**
|
|
51
|
+
* The Lunora context extension this middleware installs. It does *not* replace
|
|
52
|
+
* `ctx.auth` (the identity-only surface populated by the runtime — `userId` and
|
|
53
|
+
* `getIdentity()`); instead it adds a sibling `ctx.authApi` that points at the
|
|
54
|
+
* full better-auth plugin API surface.
|
|
55
|
+
*
|
|
56
|
+
* The shape of `authApi` is the shape of the better-auth instance's `api` —
|
|
57
|
+
* a flat record of endpoint functions like `createOrganization`, `banUser`,
|
|
58
|
+
* `listMembers`, … contributed by whichever plugins are configured on the auth
|
|
59
|
+
* instance. Because the type is `Auth["api"]` and `LunoraAuth` is generic over
|
|
60
|
+
* the auth instance, callers get end-to-end inference: the endpoints they see
|
|
61
|
+
* are exactly the ones their auth instance loaded.
|
|
62
|
+
*/
|
|
63
|
+
interface LunoraAuthApiContext<Auth extends LunoraAuth> {
|
|
64
|
+
/**
|
|
65
|
+
* The better-auth endpoint surface — every endpoint contributed by every
|
|
66
|
+
* plugin configured on the auth instance, ready to call directly:
|
|
67
|
+
*
|
|
68
|
+
* ```ts
|
|
69
|
+
* await ctx.authApi.createOrganization({ body: { name: "Acme" }, headers });
|
|
70
|
+
* await ctx.authApi.banUser({ body: { userId: "u_1" }, headers });
|
|
71
|
+
* ```
|
|
72
|
+
*
|
|
73
|
+
* # ⚠️ SECURITY: privileged surface — you MUST pass `headers`
|
|
74
|
+
*
|
|
75
|
+
* This is the **full, privileged** better-auth API (`auth.api`) — it
|
|
76
|
+
* includes admin/management endpoints such as `banUser`, `setRole`,
|
|
77
|
+
* impersonation, `createOrganization`, `removeMember`, … better-auth
|
|
78
|
+
* authorizes these calls from the caller's session in the `headers` you
|
|
79
|
+
* pass. Invoked **without** `headers`, better-auth treats the call as a
|
|
80
|
+
* trusted server-side invocation and **bypasses session authorization
|
|
81
|
+
* entirely** — any procedure that can reach `ctx.authApi` could then ban a
|
|
82
|
+
* user, escalate a role, or read another tenant's data.
|
|
83
|
+
*
|
|
84
|
+
* To stop that bypass at runtime, `withAuthPlugins` installs a guard around
|
|
85
|
+
* `ctx.authApi` by default: a header-less call to any endpoint throws
|
|
86
|
+
* {@link LunoraAuthHeadersError} rather than running with full privileges.
|
|
87
|
+
* The same `auth_api_call_without_headers` advisor lint catches it
|
|
88
|
+
* statically; the guard is the runtime backstop for the cases the lint
|
|
89
|
+
* can't see (dynamic method names, indirected calls). For the rare,
|
|
90
|
+
* deliberate unauthenticated server-to-server call, opt out explicitly with
|
|
91
|
+
* `ctx.authApi.withoutHeaders().<method>(…)`.
|
|
92
|
+
*
|
|
93
|
+
* Lunora's procedure context carries only the resolved identity, not the
|
|
94
|
+
* raw inbound `Headers`, so this middleware CANNOT pre-bind them for you.
|
|
95
|
+
* Therefore: **thread the inbound `Headers` into every `ctx.authApi.*`
|
|
96
|
+
* call** (typically from an HTTP action — see {@link withAuthPlugins}). A
|
|
97
|
+
* header-less call is an authorization bypass, not a convenience.
|
|
98
|
+
*/
|
|
99
|
+
readonly authApi: {
|
|
100
|
+
/**
|
|
101
|
+
* Explicit, loud escape hatch from the runtime header guard. Returns
|
|
102
|
+
* the raw, **unguarded** `auth.api` surface — every endpoint reached
|
|
103
|
+
* through it runs as a trusted server-to-server call with session
|
|
104
|
+
* authorization skipped.
|
|
105
|
+
*
|
|
106
|
+
* ```ts
|
|
107
|
+
* // A scheduled job with no inbound request that must create the
|
|
108
|
+
* // system org. Audited and intentional:
|
|
109
|
+
* await ctx.authApi.withoutHeaders().createOrganization({ body: { name } });
|
|
110
|
+
* ```
|
|
111
|
+
*
|
|
112
|
+
* Use only for deliberate, audited unauthenticated calls. For ordinary
|
|
113
|
+
* request-driven calls, pass `headers` so authorization is enforced.
|
|
114
|
+
*/
|
|
115
|
+
withoutHeaders: () => Auth["api"];
|
|
116
|
+
} & Auth["api"];
|
|
117
|
+
}
|
|
118
|
+
/**
|
|
119
|
+
* Build a Lunora middleware that mounts a better-auth instance's plugin API
|
|
120
|
+
* onto `ctx.authApi`. Compose it with `.use(...)` once per builder and every
|
|
121
|
+
* downstream handler gets typed access to the plugin endpoints — no more
|
|
122
|
+
* importing the auth instance directly from every query/mutation file.
|
|
123
|
+
*
|
|
124
|
+
* # ⚠️ SECURITY: headers are load-bearing for authorization
|
|
125
|
+
*
|
|
126
|
+
* `ctx.authApi` is the **full privileged** better-auth surface (`auth.api`):
|
|
127
|
+
* `banUser`, `setRole`, impersonation, `createOrganization`, `removeMember`,
|
|
128
|
+
* and so on. better-auth authorizes these from the caller's session carried in
|
|
129
|
+
* the `headers` you pass. **Called without `headers`, better-auth treats the
|
|
130
|
+
* invocation as a trusted server-side call and skips session authorization
|
|
131
|
+
* altogether** — so a header-less `ctx.authApi.banUser(...)` from any procedure
|
|
132
|
+
* runs with full privileges regardless of who the caller is. This is an
|
|
133
|
+
* authorization bypass, not just a missing convenience.
|
|
134
|
+
*
|
|
135
|
+
* To make that bypass fail loudly instead of silently, this middleware wraps
|
|
136
|
+
* `ctx.authApi` in a **runtime header guard by default**: any endpoint called
|
|
137
|
+
* without a `headers` property throws {@link LunoraAuthHeadersError}. The guard
|
|
138
|
+
* mirrors the static `auth_api_call_without_headers` advisor lint exactly, so
|
|
139
|
+
* the two agree on what counts as a header-bearing call.
|
|
140
|
+
*
|
|
141
|
+
* - **Default (safe):** `withAuthPlugins(auth)` — header-less calls throw.
|
|
142
|
+
* - **Per-call opt-out (preferred):** `ctx.authApi.withoutHeaders().banUser(…)`
|
|
143
|
+
* for a deliberate, audited unauthenticated server-to-server call.
|
|
144
|
+
* - **Whole-middleware opt-out (loud):** `withAuthPlugins(auth, { enforceHeaders: false })`
|
|
145
|
+
* disables the guard entirely; only do this once every call site is audited.
|
|
146
|
+
*
|
|
147
|
+
* Lunora's procedure context does not currently carry the raw request headers
|
|
148
|
+
* (only the resolved identity — see `AuthState` in `@lunora/server`), so
|
|
149
|
+
* this middleware **cannot** pre-bind headers for you and does **not** do so.
|
|
150
|
+
* You MUST pass the inbound `Headers` explicitly into **every** `ctx.authApi.*`
|
|
151
|
+
* call, from a transport that has them — typically an HTTP action:
|
|
152
|
+
*
|
|
153
|
+
* ```ts
|
|
154
|
+
* // lunora/orgs.ts
|
|
155
|
+
* import { httpAction } from "@lunora/server";
|
|
156
|
+
* import { withAuthPlugins } from "@lunora/auth/middleware";
|
|
157
|
+
* import { auth } from "./auth.js";
|
|
158
|
+
*
|
|
159
|
+
* export const createOrg = httpAction(async (ctx, request) => {
|
|
160
|
+
* const { name } = await request.json();
|
|
161
|
+
*
|
|
162
|
+
* // ctx.authApi is installed by withAuthPlugins(auth) on the builder.
|
|
163
|
+
* const org = await ctx.authApi.createOrganization({
|
|
164
|
+
* body: { name },
|
|
165
|
+
* headers: request.headers,
|
|
166
|
+
* });
|
|
167
|
+
*
|
|
168
|
+
* return Response.json(org);
|
|
169
|
+
* });
|
|
170
|
+
* ```
|
|
171
|
+
*
|
|
172
|
+
* For internal server-to-server calls where there is no inbound request
|
|
173
|
+
* (e.g. a scheduled job that creates the system org), opt out explicitly with
|
|
174
|
+
* `ctx.authApi.withoutHeaders()` and authenticate with whatever bearer token
|
|
175
|
+
* your auth instance is configured to honour.
|
|
176
|
+
*/
|
|
177
|
+
/**
|
|
178
|
+
* Shape of the middleware {@link withAuthPlugins} returns: a callable generic
|
|
179
|
+
* over the incoming ctx so chaining `.use(...)` preserves whatever ctx fields
|
|
180
|
+
* the upstream middleware already installed. Lives as its own interface
|
|
181
|
+
* because TypeScript doesn't allow declaring `const fn: <CtxIn>() => ...` —
|
|
182
|
+
* the generic must live on a callable type alias or interface.
|
|
183
|
+
*/
|
|
184
|
+
type WithAuthPluginsMiddleware<Auth extends LunoraAuth> = <ContextIn>(options: {
|
|
185
|
+
ctx: ContextIn;
|
|
186
|
+
next: MiddlewareNext<ContextIn>;
|
|
187
|
+
}) => Promise<ContextIn & LunoraAuthApiContext<Auth>>;
|
|
188
|
+
declare const withAuthPlugins: <Auth extends LunoraAuth>(auth: Auth, options?: WithAuthPluginsOptions) => WithAuthPluginsMiddleware<Auth>;
|
|
189
|
+
export { LunoraAuthApiContext, LunoraAuthHeadersError, WithAuthPluginsMiddleware, WithAuthPluginsOptions, withAuthPlugins };
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
const callHasHeaders = (argument) => {
|
|
2
|
+
if (argument === void 0) {
|
|
3
|
+
return false;
|
|
4
|
+
}
|
|
5
|
+
if (typeof argument !== "object" || argument === null) {
|
|
6
|
+
return true;
|
|
7
|
+
}
|
|
8
|
+
const { headers } = argument;
|
|
9
|
+
return headers !== void 0 && headers !== null;
|
|
10
|
+
};
|
|
11
|
+
const guardAuthApi = (api) => {
|
|
12
|
+
const withoutHeaders = () => api;
|
|
13
|
+
return /* @__PURE__ */ new Proxy(api, {
|
|
14
|
+
// eslint-disable-next-line sonarjs/function-return-type -- a Proxy `get` trap is intrinsically polymorphic: it returns the synthetic `withoutHeaders`, the guarded endpoint wrapper, or any passthrough property value
|
|
15
|
+
get(target, property, receiver) {
|
|
16
|
+
if (property === "withoutHeaders" && !(property in target)) {
|
|
17
|
+
return withoutHeaders;
|
|
18
|
+
}
|
|
19
|
+
const value = Reflect.get(target, property, receiver);
|
|
20
|
+
if (typeof value !== "function" || typeof property !== "string") {
|
|
21
|
+
return value;
|
|
22
|
+
}
|
|
23
|
+
const method = property;
|
|
24
|
+
return (...arguments_) => {
|
|
25
|
+
if (!callHasHeaders(arguments_[0])) {
|
|
26
|
+
return Promise.reject(new LunoraAuthHeadersError(method));
|
|
27
|
+
}
|
|
28
|
+
return Reflect.apply(value, target, arguments_);
|
|
29
|
+
};
|
|
30
|
+
}
|
|
31
|
+
});
|
|
32
|
+
};
|
|
33
|
+
class LunoraAuthHeadersError extends Error {
|
|
34
|
+
/** The `ctx.authApi.<method>` that was called without `headers`. */
|
|
35
|
+
method;
|
|
36
|
+
constructor(method) {
|
|
37
|
+
super(
|
|
38
|
+
`@lunora/auth: ctx.authApi.${method}(…) was called without \`headers\`. better-auth treats a header-less call as a trusted server-to-server invocation and skips session authorization entirely — an authorization bypass. Pass the inbound request headers: ctx.authApi.${method}({ body, headers: request.headers }). If you genuinely intend an unauthenticated server-to-server call, opt out explicitly via ctx.authApi.withoutHeaders().<method>(…), or disable the guard for the whole middleware with withAuthPlugins(auth, { enforceHeaders: false }).`
|
|
39
|
+
);
|
|
40
|
+
this.name = "LunoraAuthHeadersError";
|
|
41
|
+
this.method = method;
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
const withAuthPlugins = (auth, options = {}) => {
|
|
45
|
+
const enforceHeaders = options.enforceHeaders ?? true;
|
|
46
|
+
const authApi = enforceHeaders ? guardAuthApi(auth.api) : auth.api;
|
|
47
|
+
return async ({ next }) => {
|
|
48
|
+
const extended = await next({ ctx: { authApi } });
|
|
49
|
+
return extended;
|
|
50
|
+
};
|
|
51
|
+
};
|
|
52
|
+
|
|
53
|
+
export { LunoraAuthHeadersError, withAuthPlugins };
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
const DEFAULT_AUTH_BASE_PATH = "/api/auth";
|
|
2
|
+
const handleAuthRequest = async (auth, request, basePath = DEFAULT_AUTH_BASE_PATH) => {
|
|
3
|
+
const url = new URL(request.url);
|
|
4
|
+
const base = basePath.endsWith("/") ? basePath.slice(0, -1) : basePath;
|
|
5
|
+
if (url.pathname !== base && !url.pathname.startsWith(`${base}/`)) {
|
|
6
|
+
return void 0;
|
|
7
|
+
}
|
|
8
|
+
return auth.handler(request);
|
|
9
|
+
};
|
|
10
|
+
|
|
11
|
+
export { DEFAULT_AUTH_BASE_PATH, handleAuthRequest };
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
import { betterAuth, BetterAuthOptions } from 'better-auth';
|
|
2
|
+
/**
|
|
3
|
+
* Lunora's options pass straight through to better-auth — the only thing we add
|
|
4
|
+
* is requiring `secret` up front so a misconfigured deployment fails loudly
|
|
5
|
+
* instead of at the first sign-in.
|
|
6
|
+
*
|
|
7
|
+
* For `database`, prefer `lunoraD1Adapter` (`database: lunoraD1Adapter(env.DB)`)
|
|
8
|
+
* over passing the raw `env.DB`. better-auth *does* accept a D1Database directly,
|
|
9
|
+
* but it then resolves its Kysely adapter via a runtime `await import(...)` inside
|
|
10
|
+
* `auth.$context` — and that import never settles under `@cloudflare/vite-plugin`'s
|
|
11
|
+
* worker runner, hanging every auth request in `pnpm dev`. The explicit adapter
|
|
12
|
+
* skips it, so dev and prod behave the same. (Raw `env.DB` is still correct for
|
|
13
|
+
* the migration-only instance — see `lunoraD1Adapter`'s note.)
|
|
14
|
+
*
|
|
15
|
+
* Session rotation / richer session policies are configured via the `session`
|
|
16
|
+
* field (a `SessionPolicy`); Lunora validates it for obviously-broken
|
|
17
|
+
* durations and forwards it verbatim to better-auth. See `sessionPresets`
|
|
18
|
+
* for ready-made rotation/expiry trade-offs.
|
|
19
|
+
*
|
|
20
|
+
* ## Serverless background tasks (Cloudflare Workers)
|
|
21
|
+
*
|
|
22
|
+
* better-auth runs some work *after* sending the response — most importantly the
|
|
23
|
+
* password-reset email, whose background send is what keeps reset responses
|
|
24
|
+
* constant-time (a timing-attack defence: the response doesn't reveal whether
|
|
25
|
+
* the account exists). On Cloudflare Workers a promise that isn't handed to
|
|
26
|
+
* `ctx.waitUntil` can be cancelled the moment the response returns, dropping
|
|
27
|
+
* that send and weakening the guarantee. Wire your request's `ctx.waitUntil`
|
|
28
|
+
* into better-auth's background handler so the work survives:
|
|
29
|
+
*
|
|
30
|
+
* ```ts
|
|
31
|
+
* // in your worker fetch handler, where `ctx: ExecutionContext` is in scope
|
|
32
|
+
* const auth = createAuth({
|
|
33
|
+
* secret: env.AUTH_SECRET,
|
|
34
|
+
* database: lunoraD1Adapter(env.DB),
|
|
35
|
+
* advanced: {
|
|
36
|
+
* backgroundTasks: { handler: (promise) => ctx.waitUntil(promise) },
|
|
37
|
+
* },
|
|
38
|
+
* });
|
|
39
|
+
* ```
|
|
40
|
+
*
|
|
41
|
+
* (Lunora can't set this for you — `ctx.waitUntil` is per-request, but
|
|
42
|
+
* `createAuth` runs once at worker setup.)
|
|
43
|
+
*/
|
|
44
|
+
type LunoraAuthOptions = BetterAuthOptions;
|
|
45
|
+
/**
|
|
46
|
+
* The full better-auth instance: `auth.handler` accepts a `Request` and
|
|
47
|
+
* returns a `Response` (used by `handleAuthRequest`); `auth.api`
|
|
48
|
+
* exposes the typed endpoint surface for server-side calls (e.g.
|
|
49
|
+
* `auth.api.getSession({ headers })` inside a query/mutation).
|
|
50
|
+
*/
|
|
51
|
+
type LunoraAuth = ReturnType<typeof betterAuth>;
|
|
52
|
+
/**
|
|
53
|
+
* Create the auth instance. Thin wrapper around `betterAuth` that enforces
|
|
54
|
+
* the `secret` requirement at construction time so misconfigured deployments
|
|
55
|
+
* fail loudly at the first fetch rather than the first sign-in attempt.
|
|
56
|
+
*/
|
|
57
|
+
declare const createAuth: (options: LunoraAuthOptions) => LunoraAuth;
|
|
58
|
+
export { LunoraAuth as L, LunoraAuthOptions as a, createAuth as c };
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
import { betterAuth, BetterAuthOptions } from 'better-auth';
|
|
2
|
+
/**
|
|
3
|
+
* Lunora's options pass straight through to better-auth — the only thing we add
|
|
4
|
+
* is requiring `secret` up front so a misconfigured deployment fails loudly
|
|
5
|
+
* instead of at the first sign-in.
|
|
6
|
+
*
|
|
7
|
+
* For `database`, prefer `lunoraD1Adapter` (`database: lunoraD1Adapter(env.DB)`)
|
|
8
|
+
* over passing the raw `env.DB`. better-auth *does* accept a D1Database directly,
|
|
9
|
+
* but it then resolves its Kysely adapter via a runtime `await import(...)` inside
|
|
10
|
+
* `auth.$context` — and that import never settles under `@cloudflare/vite-plugin`'s
|
|
11
|
+
* worker runner, hanging every auth request in `pnpm dev`. The explicit adapter
|
|
12
|
+
* skips it, so dev and prod behave the same. (Raw `env.DB` is still correct for
|
|
13
|
+
* the migration-only instance — see `lunoraD1Adapter`'s note.)
|
|
14
|
+
*
|
|
15
|
+
* Session rotation / richer session policies are configured via the `session`
|
|
16
|
+
* field (a `SessionPolicy`); Lunora validates it for obviously-broken
|
|
17
|
+
* durations and forwards it verbatim to better-auth. See `sessionPresets`
|
|
18
|
+
* for ready-made rotation/expiry trade-offs.
|
|
19
|
+
*
|
|
20
|
+
* ## Serverless background tasks (Cloudflare Workers)
|
|
21
|
+
*
|
|
22
|
+
* better-auth runs some work *after* sending the response — most importantly the
|
|
23
|
+
* password-reset email, whose background send is what keeps reset responses
|
|
24
|
+
* constant-time (a timing-attack defence: the response doesn't reveal whether
|
|
25
|
+
* the account exists). On Cloudflare Workers a promise that isn't handed to
|
|
26
|
+
* `ctx.waitUntil` can be cancelled the moment the response returns, dropping
|
|
27
|
+
* that send and weakening the guarantee. Wire your request's `ctx.waitUntil`
|
|
28
|
+
* into better-auth's background handler so the work survives:
|
|
29
|
+
*
|
|
30
|
+
* ```ts
|
|
31
|
+
* // in your worker fetch handler, where `ctx: ExecutionContext` is in scope
|
|
32
|
+
* const auth = createAuth({
|
|
33
|
+
* secret: env.AUTH_SECRET,
|
|
34
|
+
* database: lunoraD1Adapter(env.DB),
|
|
35
|
+
* advanced: {
|
|
36
|
+
* backgroundTasks: { handler: (promise) => ctx.waitUntil(promise) },
|
|
37
|
+
* },
|
|
38
|
+
* });
|
|
39
|
+
* ```
|
|
40
|
+
*
|
|
41
|
+
* (Lunora can't set this for you — `ctx.waitUntil` is per-request, but
|
|
42
|
+
* `createAuth` runs once at worker setup.)
|
|
43
|
+
*/
|
|
44
|
+
type LunoraAuthOptions = BetterAuthOptions;
|
|
45
|
+
/**
|
|
46
|
+
* The full better-auth instance: `auth.handler` accepts a `Request` and
|
|
47
|
+
* returns a `Response` (used by `handleAuthRequest`); `auth.api`
|
|
48
|
+
* exposes the typed endpoint surface for server-side calls (e.g.
|
|
49
|
+
* `auth.api.getSession({ headers })` inside a query/mutation).
|
|
50
|
+
*/
|
|
51
|
+
type LunoraAuth = ReturnType<typeof betterAuth>;
|
|
52
|
+
/**
|
|
53
|
+
* Create the auth instance. Thin wrapper around `betterAuth` that enforces
|
|
54
|
+
* the `secret` requirement at construction time so misconfigured deployments
|
|
55
|
+
* fail loudly at the first fetch rather than the first sign-in attempt.
|
|
56
|
+
*/
|
|
57
|
+
declare const createAuth: (options: LunoraAuthOptions) => LunoraAuth;
|
|
58
|
+
export { LunoraAuth as L, LunoraAuthOptions as a, createAuth as c };
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
import { betterAuth } from 'better-auth';
|
|
2
|
+
import { validateSessionPolicy } from './sessionPresets-B95rXrd8.mjs';
|
|
3
|
+
|
|
4
|
+
const MIN_SECRET_LENGTH = 32;
|
|
5
|
+
const isWeakSecret = (secret) => {
|
|
6
|
+
const trimmedLength = typeof secret === "string" ? secret.trim().length : 0;
|
|
7
|
+
return trimmedLength > 0 && trimmedLength < MIN_SECRET_LENGTH;
|
|
8
|
+
};
|
|
9
|
+
const isHttpsBaseUrl = (baseURL) => {
|
|
10
|
+
if (typeof baseURL === "string") {
|
|
11
|
+
return baseURL.startsWith("https://");
|
|
12
|
+
}
|
|
13
|
+
if (baseURL && typeof baseURL === "object") {
|
|
14
|
+
if (baseURL.protocol === "https") {
|
|
15
|
+
return true;
|
|
16
|
+
}
|
|
17
|
+
if (baseURL.protocol === "http") {
|
|
18
|
+
return false;
|
|
19
|
+
}
|
|
20
|
+
return typeof baseURL.fallback === "string" && baseURL.fallback.startsWith("https://");
|
|
21
|
+
}
|
|
22
|
+
return false;
|
|
23
|
+
};
|
|
24
|
+
const hardenAuthOptions = (options) => {
|
|
25
|
+
if (isWeakSecret(options.secret)) {
|
|
26
|
+
const message = `@lunora/auth: AUTH_SECRET is only ${String(options.secret?.trim().length)} characters. Use at least ${String(MIN_SECRET_LENGTH)} for a brute-force-resistant secret — generate one with \`openssl rand -hex 32\`.`;
|
|
27
|
+
if (isHttpsBaseUrl(options.baseURL)) {
|
|
28
|
+
throw new Error(message);
|
|
29
|
+
}
|
|
30
|
+
console.warn(message);
|
|
31
|
+
}
|
|
32
|
+
const advanced = options.advanced ?? {};
|
|
33
|
+
return {
|
|
34
|
+
...options,
|
|
35
|
+
advanced: {
|
|
36
|
+
...advanced,
|
|
37
|
+
defaultCookieAttributes: advanced.defaultCookieAttributes ?? { httpOnly: true, path: "/", sameSite: "lax" },
|
|
38
|
+
...advanced.useSecureCookies === void 0 && isHttpsBaseUrl(options.baseURL) ? { useSecureCookies: true } : {}
|
|
39
|
+
}
|
|
40
|
+
};
|
|
41
|
+
};
|
|
42
|
+
const createAuth = (options) => {
|
|
43
|
+
if (!options.secret || options.secret.trim() === "") {
|
|
44
|
+
throw new Error(
|
|
45
|
+
'@lunora/auth: `secret` is required. Set AUTH_SECRET locally in .dev.vars (`lunora env set AUTH_SECRET "$(openssl rand -hex 32)"`), and in production with `wrangler secret put AUTH_SECRET`.'
|
|
46
|
+
);
|
|
47
|
+
}
|
|
48
|
+
if (options.session) {
|
|
49
|
+
validateSessionPolicy(options.session);
|
|
50
|
+
}
|
|
51
|
+
const hardened = hardenAuthOptions(options);
|
|
52
|
+
const resolvedOptions = hardened.rateLimit?.enabled === void 0 ? { ...hardened, rateLimit: { ...hardened.rateLimit, enabled: true } } : hardened;
|
|
53
|
+
return betterAuth(resolvedOptions);
|
|
54
|
+
};
|
|
55
|
+
|
|
56
|
+
export { createAuth };
|
|
@@ -0,0 +1,249 @@
|
|
|
1
|
+
class LunoraAuthAdminError extends Error {
|
|
2
|
+
code;
|
|
3
|
+
constructor(message, code) {
|
|
4
|
+
super(message);
|
|
5
|
+
this.name = "LunoraAuthAdminError";
|
|
6
|
+
this.code = code;
|
|
7
|
+
}
|
|
8
|
+
}
|
|
9
|
+
const DEFAULT_LIMIT = 50;
|
|
10
|
+
const MAX_LIMIT = 500;
|
|
11
|
+
const DEFAULT_IMPERSONATION_SECONDS = 3600;
|
|
12
|
+
const MAX_IMPERSONATION_SECONDS = DEFAULT_IMPERSONATION_SECONDS * 24;
|
|
13
|
+
const MAX_BAN_SECONDS = 100 * 365 * 24 * 60 * 60;
|
|
14
|
+
const SENSITIVE_FIELDS = /* @__PURE__ */ new Set(["accessToken", "backupCodes", "idToken", "password", "publicKey", "refreshToken", "secret", "token"]);
|
|
15
|
+
const clampLimit = (limit) => Math.min(Math.max(Math.trunc(limit ?? DEFAULT_LIMIT), 1), MAX_LIMIT);
|
|
16
|
+
const clampOffset = (offset) => Math.max(0, Math.trunc(offset ?? 0));
|
|
17
|
+
const normalizeRow = (row) => {
|
|
18
|
+
const out = {};
|
|
19
|
+
for (const [key, value] of Object.entries(row)) {
|
|
20
|
+
if (SENSITIVE_FIELDS.has(key)) {
|
|
21
|
+
continue;
|
|
22
|
+
}
|
|
23
|
+
out[key] = value instanceof Date ? value.getTime() : value;
|
|
24
|
+
}
|
|
25
|
+
return out;
|
|
26
|
+
};
|
|
27
|
+
const serializeRole = (role) => Array.isArray(role) ? role.join(",") : role;
|
|
28
|
+
const asAdminError = (error) => {
|
|
29
|
+
if (error instanceof LunoraAuthAdminError) {
|
|
30
|
+
return error;
|
|
31
|
+
}
|
|
32
|
+
const candidate = error;
|
|
33
|
+
const code = candidate?.body?.code ?? candidate?.code ?? "AUTH_ADMIN_ERROR";
|
|
34
|
+
const message = candidate?.body?.message ?? candidate?.message ?? "auth admin operation failed";
|
|
35
|
+
return new LunoraAuthAdminError(message, code);
|
|
36
|
+
};
|
|
37
|
+
const createAuthAdmin = (auth, options = {}) => {
|
|
38
|
+
const context = auth.$context;
|
|
39
|
+
const features = options.features ?? {};
|
|
40
|
+
const withContext = async (function_) => {
|
|
41
|
+
try {
|
|
42
|
+
return await function_(await context);
|
|
43
|
+
} catch (error) {
|
|
44
|
+
throw asAdminError(error);
|
|
45
|
+
}
|
|
46
|
+
};
|
|
47
|
+
const toUser = (row) => normalizeRow(row);
|
|
48
|
+
const page = async (context_, model, options_) => {
|
|
49
|
+
const where = options_.where && options_.where.length > 0 ? options_.where : void 0;
|
|
50
|
+
const [rows, total] = await Promise.all([
|
|
51
|
+
context_.adapter.findMany({
|
|
52
|
+
limit: clampLimit(options_.limit),
|
|
53
|
+
model,
|
|
54
|
+
offset: clampOffset(options_.offset),
|
|
55
|
+
sortBy: options_.sortBy,
|
|
56
|
+
where
|
|
57
|
+
}),
|
|
58
|
+
context_.adapter.count({ model, where })
|
|
59
|
+
]);
|
|
60
|
+
return { rows: rows.map((row) => normalizeRow(row)), total };
|
|
61
|
+
};
|
|
62
|
+
return {
|
|
63
|
+
banUser: ({ expiresInSeconds, reason, userId }) => withContext(async (context_) => {
|
|
64
|
+
const seconds = typeof expiresInSeconds === "number" && Number.isFinite(expiresInSeconds) ? Math.min(Math.trunc(expiresInSeconds), MAX_BAN_SECONDS) : 0;
|
|
65
|
+
const banExpires = seconds > 0 ? new Date(Date.now() + seconds * 1e3) : void 0;
|
|
66
|
+
const user = await context_.internalAdapter.updateUser(userId, {
|
|
67
|
+
banExpires,
|
|
68
|
+
banned: true,
|
|
69
|
+
banReason: reason ?? "No reason"
|
|
70
|
+
});
|
|
71
|
+
await context_.internalAdapter.deleteUserSessions(userId);
|
|
72
|
+
return toUser(user);
|
|
73
|
+
}),
|
|
74
|
+
cancelInvitation: ({ invitationId }) => withContext(async (context_) => {
|
|
75
|
+
await context_.adapter.delete({ model: "invitation", where: [{ field: "id", value: invitationId }] });
|
|
76
|
+
}),
|
|
77
|
+
capabilities: () => withContext((context_) => {
|
|
78
|
+
const ids = new Set((context_.options.plugins ?? []).map((plugin) => plugin.id));
|
|
79
|
+
const has = (id) => ids.has(id);
|
|
80
|
+
return Promise.resolve({
|
|
81
|
+
accounts: features.accounts ?? true,
|
|
82
|
+
admin: features.admin ?? has("admin"),
|
|
83
|
+
organization: features.organization ?? has("organization"),
|
|
84
|
+
passkey: features.passkey ?? has("passkey"),
|
|
85
|
+
twoFactor: features.twoFactor ?? has("two-factor")
|
|
86
|
+
});
|
|
87
|
+
}),
|
|
88
|
+
// The one op that genuinely builds a row rather than mutating one. Replicates
|
|
89
|
+
// the plugin's create-user handler over `internalAdapter` (lowercase + dedupe
|
|
90
|
+
// email, create the row, then link a credential account when a password is given).
|
|
91
|
+
createUser: ({ data, email, name, password, role }) => withContext(async (context_) => {
|
|
92
|
+
const normalizedEmail = email.toLowerCase();
|
|
93
|
+
if (await context_.internalAdapter.findUserByEmail(normalizedEmail)) {
|
|
94
|
+
throw new LunoraAuthAdminError("a user with this email already exists", "USER_ALREADY_EXISTS");
|
|
95
|
+
}
|
|
96
|
+
const user = await context_.internalAdapter.createUser({
|
|
97
|
+
email: normalizedEmail,
|
|
98
|
+
name,
|
|
99
|
+
role: role === void 0 ? void 0 : serializeRole(role),
|
|
100
|
+
...data
|
|
101
|
+
});
|
|
102
|
+
if (password !== void 0 && password !== "") {
|
|
103
|
+
const hashed = await context_.password.hash(password);
|
|
104
|
+
await context_.internalAdapter.linkAccount({
|
|
105
|
+
accountId: user.id,
|
|
106
|
+
password: hashed,
|
|
107
|
+
providerId: "credential",
|
|
108
|
+
userId: user.id
|
|
109
|
+
});
|
|
110
|
+
}
|
|
111
|
+
return toUser(user);
|
|
112
|
+
}),
|
|
113
|
+
deletePasskey: ({ passkeyId }) => withContext(async (context_) => {
|
|
114
|
+
await context_.adapter.delete({ model: "passkey", where: [{ field: "id", value: passkeyId }] });
|
|
115
|
+
}),
|
|
116
|
+
disableTwoFactor: ({ userId }) => withContext(async (context_) => {
|
|
117
|
+
await context_.adapter.deleteMany({ model: "twoFactor", where: [{ field: "userId", value: userId }] });
|
|
118
|
+
await context_.internalAdapter.updateUser(userId, { twoFactorEnabled: false });
|
|
119
|
+
}),
|
|
120
|
+
impersonateUser: ({ userId }) => withContext(async (context_) => {
|
|
121
|
+
const user = await context_.internalAdapter.findUserById(userId);
|
|
122
|
+
if (!user) {
|
|
123
|
+
throw new LunoraAuthAdminError("user not found", "USER_NOT_FOUND");
|
|
124
|
+
}
|
|
125
|
+
const rawSeconds = options.impersonationSeconds;
|
|
126
|
+
let ttlSeconds = DEFAULT_IMPERSONATION_SECONDS;
|
|
127
|
+
if (rawSeconds !== void 0) {
|
|
128
|
+
if (!Number.isInteger(rawSeconds) || !Number.isFinite(rawSeconds) || rawSeconds <= 0) {
|
|
129
|
+
throw new LunoraAuthAdminError("impersonationSeconds must be a positive finite integer", "INVALID_IMPERSONATION_SECONDS");
|
|
130
|
+
}
|
|
131
|
+
ttlSeconds = Math.min(rawSeconds, MAX_IMPERSONATION_SECONDS);
|
|
132
|
+
}
|
|
133
|
+
const expiresAt = new Date(Date.now() + ttlSeconds * 1e3);
|
|
134
|
+
const session = await context_.internalAdapter.createSession(
|
|
135
|
+
userId,
|
|
136
|
+
true,
|
|
137
|
+
{ expiresAt, impersonatedBy: options.impersonatedBy ?? userId },
|
|
138
|
+
true
|
|
139
|
+
);
|
|
140
|
+
return {
|
|
141
|
+
expiresAt: session.expiresAt instanceof Date ? session.expiresAt.getTime() : expiresAt.getTime(),
|
|
142
|
+
token: session.token,
|
|
143
|
+
user: toUser(user)
|
|
144
|
+
};
|
|
145
|
+
}),
|
|
146
|
+
listAccounts: ({ userId }) => withContext(async (context_) => {
|
|
147
|
+
const rows = await context_.adapter.findMany({ model: "account", where: [{ field: "userId", value: userId }] });
|
|
148
|
+
return rows.map((row) => normalizeRow(row));
|
|
149
|
+
}),
|
|
150
|
+
listInvitations: ({ limit, offset, organizationId }) => withContext(
|
|
151
|
+
(context_) => page(context_, "invitation", {
|
|
152
|
+
limit,
|
|
153
|
+
offset,
|
|
154
|
+
where: [{ field: "organizationId", value: organizationId }]
|
|
155
|
+
})
|
|
156
|
+
),
|
|
157
|
+
listMembers: ({ limit, offset, organizationId }) => withContext(
|
|
158
|
+
(context_) => page(context_, "member", {
|
|
159
|
+
limit,
|
|
160
|
+
offset,
|
|
161
|
+
sortBy: { direction: "desc", field: "createdAt" },
|
|
162
|
+
where: [{ field: "organizationId", value: organizationId }]
|
|
163
|
+
})
|
|
164
|
+
),
|
|
165
|
+
listOrganizations: ({ limit, offset }) => withContext((context_) => page(context_, "organization", { limit, offset, sortBy: { direction: "desc", field: "createdAt" } })),
|
|
166
|
+
listPasskeys: ({ userId }) => withContext(async (context_) => {
|
|
167
|
+
const rows = await context_.adapter.findMany({ model: "passkey", where: [{ field: "userId", value: userId }] });
|
|
168
|
+
return rows.map((row) => normalizeRow(row));
|
|
169
|
+
}),
|
|
170
|
+
listSessions: ({ limit, offset, userId }) => withContext(
|
|
171
|
+
(context_) => page(context_, "session", {
|
|
172
|
+
limit,
|
|
173
|
+
offset,
|
|
174
|
+
sortBy: { direction: "desc", field: "createdAt" },
|
|
175
|
+
where: userId === void 0 || userId === "" ? void 0 : [{ field: "userId", value: userId }]
|
|
176
|
+
})
|
|
177
|
+
),
|
|
178
|
+
listUsers: ({ filterField, filterValue, limit, offset, search, searchField, sortBy, sortDirection }) => withContext((context_) => {
|
|
179
|
+
const where = [];
|
|
180
|
+
if (search !== void 0 && search !== "") {
|
|
181
|
+
where.push({ field: searchField ?? "email", operator: "contains", value: search });
|
|
182
|
+
}
|
|
183
|
+
if (filterValue !== void 0) {
|
|
184
|
+
where.push({ field: filterField ?? "email", operator: "eq", value: filterValue });
|
|
185
|
+
}
|
|
186
|
+
return page(context_, "user", {
|
|
187
|
+
limit,
|
|
188
|
+
offset,
|
|
189
|
+
sortBy: { direction: sortDirection ?? "desc", field: sortBy ?? "createdAt" },
|
|
190
|
+
where
|
|
191
|
+
});
|
|
192
|
+
}),
|
|
193
|
+
removeMember: ({ memberId }) => withContext(async (context_) => {
|
|
194
|
+
await context_.adapter.delete({ model: "member", where: [{ field: "id", value: memberId }] });
|
|
195
|
+
}),
|
|
196
|
+
removeUser: ({ userId }) => withContext(async (context_) => {
|
|
197
|
+
await context_.internalAdapter.deleteUserSessions(userId);
|
|
198
|
+
await context_.internalAdapter.deleteUser(userId);
|
|
199
|
+
}),
|
|
200
|
+
// Keyed on the session *id*, not its token: tokens are bearer credentials we
|
|
201
|
+
// deliberately never surface to the studio. Resolve the row to recover its
|
|
202
|
+
// token, then delete via `internalAdapter.deleteSession` — which also clears
|
|
203
|
+
// secondary (KV) storage, unlike a raw `adapter.delete` on the DB row.
|
|
204
|
+
revokeUserSession: ({ sessionId }) => withContext(async (context_) => {
|
|
205
|
+
const session = await context_.adapter.findOne({ model: "session", where: [{ field: "id", value: sessionId }] });
|
|
206
|
+
if (session?.token) {
|
|
207
|
+
await context_.internalAdapter.deleteSession(session.token);
|
|
208
|
+
}
|
|
209
|
+
}),
|
|
210
|
+
revokeUserSessions: ({ userId }) => withContext(async (context_) => {
|
|
211
|
+
await context_.internalAdapter.deleteUserSessions(userId);
|
|
212
|
+
}),
|
|
213
|
+
setRole: ({ role, userId }) => withContext(async (context_) => {
|
|
214
|
+
const user = await context_.internalAdapter.updateUser(userId, { role: serializeRole(role) });
|
|
215
|
+
return toUser(user);
|
|
216
|
+
}),
|
|
217
|
+
setUserPassword: ({ newPassword, userId }) => withContext(async (context_) => {
|
|
218
|
+
const min = context_.password.config.minPasswordLength;
|
|
219
|
+
const max = context_.password.config.maxPasswordLength;
|
|
220
|
+
if (newPassword.length < min) {
|
|
221
|
+
throw new LunoraAuthAdminError(`password must be at least ${min.toString()} characters`, "PASSWORD_TOO_SHORT");
|
|
222
|
+
}
|
|
223
|
+
if (newPassword.length > max) {
|
|
224
|
+
throw new LunoraAuthAdminError(`password must be at most ${max.toString()} characters`, "PASSWORD_TOO_LONG");
|
|
225
|
+
}
|
|
226
|
+
const hashed = await context_.password.hash(newPassword);
|
|
227
|
+
await context_.internalAdapter.updatePassword(userId, hashed);
|
|
228
|
+
}),
|
|
229
|
+
unbanUser: ({ userId }) => withContext(async (context_) => {
|
|
230
|
+
const user = await context_.internalAdapter.updateUser(userId, { banExpires: null, banned: false, banReason: null });
|
|
231
|
+
return toUser(user);
|
|
232
|
+
}),
|
|
233
|
+
unlinkAccount: ({ accountId, userId }) => withContext(async (context_) => {
|
|
234
|
+
await context_.adapter.delete({
|
|
235
|
+
model: "account",
|
|
236
|
+
where: [
|
|
237
|
+
{ field: "id", value: accountId },
|
|
238
|
+
{ connector: "AND", field: "userId", value: userId }
|
|
239
|
+
]
|
|
240
|
+
});
|
|
241
|
+
}),
|
|
242
|
+
updateUser: ({ data, userId }) => withContext(async (context_) => {
|
|
243
|
+
const user = await context_.internalAdapter.updateUser(userId, data);
|
|
244
|
+
return toUser(user);
|
|
245
|
+
})
|
|
246
|
+
};
|
|
247
|
+
};
|
|
248
|
+
|
|
249
|
+
export { LunoraAuthAdminError, createAuthAdmin };
|