@lunora/auth 0.0.0 → 1.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/LICENSE.md +105 -0
  2. package/README.md +125 -9
  3. package/__assets__/package-og.svg +14 -0
  4. package/dist/adapter.d.mts +43 -0
  5. package/dist/adapter.d.ts +43 -0
  6. package/dist/adapter.mjs +47 -0
  7. package/dist/index.d.mts +386 -0
  8. package/dist/index.d.ts +386 -0
  9. package/dist/index.mjs +12 -0
  10. package/dist/middleware.d.mts +189 -0
  11. package/dist/middleware.d.ts +189 -0
  12. package/dist/middleware.mjs +53 -0
  13. package/dist/packem_shared/DEFAULT_AUTH_BASE_PATH-DjcUWEQl.mjs +11 -0
  14. package/dist/packem_shared/create-auth.d-M36jwG_Y.d.mts +58 -0
  15. package/dist/packem_shared/create-auth.d-M36jwG_Y.d.ts +58 -0
  16. package/dist/packem_shared/createAuth-B-tvsvQU.mjs +56 -0
  17. package/dist/packem_shared/createAuthAdmin-BxrfEeA_.mjs +249 -0
  18. package/dist/packem_shared/ensureMigrated-wZH3oXDu.mjs +28 -0
  19. package/dist/packem_shared/sessionPresets-B95rXrd8.mjs +35 -0
  20. package/dist/plugins-client.d.mts +2 -0
  21. package/dist/plugins-client.d.ts +2 -0
  22. package/dist/plugins-client.mjs +2 -0
  23. package/dist/plugins.d.mts +22 -0
  24. package/dist/plugins.d.ts +22 -0
  25. package/dist/plugins.mjs +22 -0
  26. package/dist/schema.d.mts +44 -0
  27. package/dist/schema.d.ts +44 -0
  28. package/dist/schema.mjs +62 -0
  29. package/dist/sql-store.d.mts +51 -0
  30. package/dist/sql-store.d.ts +51 -0
  31. package/dist/sql-store.mjs +162 -0
  32. package/dist/store.d.mts +66 -0
  33. package/dist/store.d.ts +66 -0
  34. package/dist/store.mjs +170 -0
  35. package/dist/turnstile-middleware.d.mts +80 -0
  36. package/dist/turnstile-middleware.d.ts +80 -0
  37. package/dist/turnstile-middleware.mjs +45 -0
  38. package/dist/turnstile.d.mts +98 -0
  39. package/dist/turnstile.d.ts +98 -0
  40. package/dist/turnstile.mjs +61 -0
  41. package/package.json +80 -18
@@ -0,0 +1,28 @@
1
+ import { getMigrations } from 'better-auth/db/migration';
2
+
3
+ const migrating = /* @__PURE__ */ new WeakMap();
4
+ const ensureMigrated = async (auth) => {
5
+ const { options } = auth;
6
+ const inFlight = migrating.get(options);
7
+ if (inFlight) {
8
+ await inFlight;
9
+ return;
10
+ }
11
+ const run = (async () => {
12
+ const { runMigrations } = await getMigrations(options);
13
+ await runMigrations();
14
+ })();
15
+ migrating.set(options, run);
16
+ try {
17
+ await run;
18
+ } catch (error) {
19
+ migrating.delete(options);
20
+ throw error;
21
+ }
22
+ };
23
+ const compileMigrationsSql = async (options) => {
24
+ const { compileMigrations } = await getMigrations(options);
25
+ return compileMigrations();
26
+ };
27
+
28
+ export { compileMigrationsSql, ensureMigrated };
@@ -0,0 +1,35 @@
1
+ const MINUTE = 60;
2
+ const HOUR = 60 * MINUTE;
3
+ const DAY = 24 * HOUR;
4
+ const validateSessionPolicy = (policy) => {
5
+ const durationFields = ["expiresIn", "updateAge", "freshAge"];
6
+ for (const field of durationFields) {
7
+ const value = policy[field];
8
+ if (value === void 0) {
9
+ continue;
10
+ }
11
+ if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
12
+ throw new TypeError(`@lunora/auth: \`session.${field}\` must be a non-negative, finite number of seconds`);
13
+ }
14
+ }
15
+ return policy;
16
+ };
17
+ const sessionPresets = {
18
+ longLived: {
19
+ expiresIn: 30 * DAY,
20
+ freshAge: DAY,
21
+ updateAge: DAY
22
+ },
23
+ rolling: {
24
+ expiresIn: 7 * DAY,
25
+ freshAge: DAY,
26
+ updateAge: DAY
27
+ },
28
+ strict: {
29
+ expiresIn: HOUR,
30
+ freshAge: 5 * MINUTE,
31
+ updateAge: 15 * MINUTE
32
+ }
33
+ };
34
+
35
+ export { sessionPresets, validateSessionPolicy };
@@ -0,0 +1,2 @@
1
+ export { passkeyClient } from '@better-auth/passkey/client';
2
+ export { adminClient, anonymousClient, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient } from 'better-auth/client/plugins';
@@ -0,0 +1,2 @@
1
+ export { passkeyClient } from '@better-auth/passkey/client';
2
+ export { adminClient, anonymousClient, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient } from 'better-auth/client/plugins';
@@ -0,0 +1,2 @@
1
+ export { passkeyClient } from '@better-auth/passkey/client';
2
+ export { adminClient, anonymousClient, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient } from 'better-auth/client/plugins';
@@ -0,0 +1,22 @@
1
+ export { passkey } from '@better-auth/passkey';
2
+ export { captcha, mcp, withMcpAuth } from 'better-auth/plugins';
3
+ export { createAccessControl } from 'better-auth/plugins/access';
4
+ export { admin } from 'better-auth/plugins/admin';
5
+ export { anonymous } from 'better-auth/plugins/anonymous';
6
+ export { bearer } from 'better-auth/plugins/bearer';
7
+ export { customSession } from 'better-auth/plugins/custom-session';
8
+ export { deviceAuthorization } from 'better-auth/plugins/device-authorization';
9
+ export { emailOTP } from 'better-auth/plugins/email-otp';
10
+ export { genericOAuth } from 'better-auth/plugins/generic-oauth';
11
+ export { haveIBeenPwned } from 'better-auth/plugins/haveibeenpwned';
12
+ export { jwt } from 'better-auth/plugins/jwt';
13
+ export { magicLink } from 'better-auth/plugins/magic-link';
14
+ export { multiSession } from 'better-auth/plugins/multi-session';
15
+ export { oAuthProxy } from 'better-auth/plugins/oauth-proxy';
16
+ export { oidcProvider } from 'better-auth/plugins/oidc-provider';
17
+ export { oneTimeToken } from 'better-auth/plugins/one-time-token';
18
+ export { organization } from 'better-auth/plugins/organization';
19
+ export { phoneNumber } from 'better-auth/plugins/phone-number';
20
+ export { siwe } from 'better-auth/plugins/siwe';
21
+ export { twoFactor } from 'better-auth/plugins/two-factor';
22
+ export { username } from 'better-auth/plugins/username';
@@ -0,0 +1,22 @@
1
+ export { passkey } from '@better-auth/passkey';
2
+ export { captcha, mcp, withMcpAuth } from 'better-auth/plugins';
3
+ export { createAccessControl } from 'better-auth/plugins/access';
4
+ export { admin } from 'better-auth/plugins/admin';
5
+ export { anonymous } from 'better-auth/plugins/anonymous';
6
+ export { bearer } from 'better-auth/plugins/bearer';
7
+ export { customSession } from 'better-auth/plugins/custom-session';
8
+ export { deviceAuthorization } from 'better-auth/plugins/device-authorization';
9
+ export { emailOTP } from 'better-auth/plugins/email-otp';
10
+ export { genericOAuth } from 'better-auth/plugins/generic-oauth';
11
+ export { haveIBeenPwned } from 'better-auth/plugins/haveibeenpwned';
12
+ export { jwt } from 'better-auth/plugins/jwt';
13
+ export { magicLink } from 'better-auth/plugins/magic-link';
14
+ export { multiSession } from 'better-auth/plugins/multi-session';
15
+ export { oAuthProxy } from 'better-auth/plugins/oauth-proxy';
16
+ export { oidcProvider } from 'better-auth/plugins/oidc-provider';
17
+ export { oneTimeToken } from 'better-auth/plugins/one-time-token';
18
+ export { organization } from 'better-auth/plugins/organization';
19
+ export { phoneNumber } from 'better-auth/plugins/phone-number';
20
+ export { siwe } from 'better-auth/plugins/siwe';
21
+ export { twoFactor } from 'better-auth/plugins/two-factor';
22
+ export { username } from 'better-auth/plugins/username';
@@ -0,0 +1,22 @@
1
+ export { passkey } from '@better-auth/passkey';
2
+ export { captcha, mcp, withMcpAuth } from 'better-auth/plugins';
3
+ export { createAccessControl } from 'better-auth/plugins/access';
4
+ export { admin } from 'better-auth/plugins/admin';
5
+ export { anonymous } from 'better-auth/plugins/anonymous';
6
+ export { bearer } from 'better-auth/plugins/bearer';
7
+ export { customSession } from 'better-auth/plugins/custom-session';
8
+ export { deviceAuthorization } from 'better-auth/plugins/device-authorization';
9
+ export { emailOTP } from 'better-auth/plugins/email-otp';
10
+ export { genericOAuth } from 'better-auth/plugins/generic-oauth';
11
+ export { haveIBeenPwned } from 'better-auth/plugins/haveibeenpwned';
12
+ export { jwt } from 'better-auth/plugins/jwt';
13
+ export { magicLink } from 'better-auth/plugins/magic-link';
14
+ export { multiSession } from 'better-auth/plugins/multi-session';
15
+ export { oAuthProxy } from 'better-auth/plugins/oauth-proxy';
16
+ export { oidcProvider } from 'better-auth/plugins/oidc-provider';
17
+ export { oneTimeToken } from 'better-auth/plugins/one-time-token';
18
+ export { organization } from 'better-auth/plugins/organization';
19
+ export { phoneNumber } from 'better-auth/plugins/phone-number';
20
+ export { siwe } from 'better-auth/plugins/siwe';
21
+ export { twoFactor } from 'better-auth/plugins/two-factor';
22
+ export { username } from 'better-auth/plugins/username';
@@ -0,0 +1,44 @@
1
+ import { TableDefinition } from '@lunora/server';
2
+ import { a as LunoraAuthOptions } from "./packem_shared/create-auth.d-M36jwG_Y.mjs";
3
+ import 'better-auth';
4
+ /**
5
+ * Derive Lunora table definitions from a better-auth config — the bridge that
6
+ * makes the **full** better-auth plugin ecosystem first-class Lunora data.
7
+ *
8
+ * better-auth's own `getAuthTables(options)` already merges every configured
9
+ * plugin's `schema` into one table map (core `user`/`session`/`account`/
10
+ * `verification`, plus whatever the plugins on `options.plugins` add —
11
+ * `organization`/`member`/`invitation`/`team`/`teamMember` from the
12
+ * organization plugin, `role`/`banned`/… columns from admin, `passkey`,
13
+ * `twoFactor`, `jwks`, …). This walks that map and emits an equivalent
14
+ * `defineTable` for each, so adding a plugin to `options.plugins` automatically
15
+ * surfaces its tables in the Lunora schema — no hand-written table definitions
16
+ * to keep in sync.
17
+ *
18
+ * Spread the result into `defineSchema` alongside your app tables (the keys are
19
+ * better-auth's real table names — `user`, `session`, … — left **unprefixed**
20
+ * because better-auth's adapter addresses them by exactly those names). Because
21
+ * the names are unprefixed, do **not** declare an app table that reuses one of
22
+ * better-auth's reserved names in the same `defineSchema` — JS spread order
23
+ * would let the later key win silently (unlike the plugin-extension path, which
24
+ * throws on collision):
25
+ *
26
+ * ```ts
27
+ * import { authTables } from "@lunora/auth";
28
+ * const authOptions = { emailAndPassword: { enabled: true }, plugins: [organization(), admin()] };
29
+ * export const schema = defineSchema({
30
+ * ...authTables(authOptions),
31
+ * todos: defineTable({ title: v.string() }),
32
+ * });
33
+ * ```
34
+ *
35
+ * Scope: this emits the table **shapes** (columns + types + nullability +
36
+ * uniqueness + FK ids). It deliberately does not carry better-auth's
37
+ * `defaultValue`/`onUpdate` (filled by better-auth's own write layer), `index`
38
+ * hints, or `bigint` precision (`bigint` fields map to `v.number()`). Those only
39
+ * matter once better-auth's writes are routed through Lunora's ORM — a separate
40
+ * adapter follow-up; today the auth rows are still written by better-auth's D1
41
+ * adapter and these tables make them typed + queryable via `ctx.db`.
42
+ */
43
+ declare const authTables: (options: LunoraAuthOptions) => Record<string, TableDefinition>;
44
+ export { authTables as default };
@@ -0,0 +1,44 @@
1
+ import { TableDefinition } from '@lunora/server';
2
+ import { a as LunoraAuthOptions } from "./packem_shared/create-auth.d-M36jwG_Y.js";
3
+ import 'better-auth';
4
+ /**
5
+ * Derive Lunora table definitions from a better-auth config — the bridge that
6
+ * makes the **full** better-auth plugin ecosystem first-class Lunora data.
7
+ *
8
+ * better-auth's own `getAuthTables(options)` already merges every configured
9
+ * plugin's `schema` into one table map (core `user`/`session`/`account`/
10
+ * `verification`, plus whatever the plugins on `options.plugins` add —
11
+ * `organization`/`member`/`invitation`/`team`/`teamMember` from the
12
+ * organization plugin, `role`/`banned`/… columns from admin, `passkey`,
13
+ * `twoFactor`, `jwks`, …). This walks that map and emits an equivalent
14
+ * `defineTable` for each, so adding a plugin to `options.plugins` automatically
15
+ * surfaces its tables in the Lunora schema — no hand-written table definitions
16
+ * to keep in sync.
17
+ *
18
+ * Spread the result into `defineSchema` alongside your app tables (the keys are
19
+ * better-auth's real table names — `user`, `session`, … — left **unprefixed**
20
+ * because better-auth's adapter addresses them by exactly those names). Because
21
+ * the names are unprefixed, do **not** declare an app table that reuses one of
22
+ * better-auth's reserved names in the same `defineSchema` — JS spread order
23
+ * would let the later key win silently (unlike the plugin-extension path, which
24
+ * throws on collision):
25
+ *
26
+ * ```ts
27
+ * import { authTables } from "@lunora/auth";
28
+ * const authOptions = { emailAndPassword: { enabled: true }, plugins: [organization(), admin()] };
29
+ * export const schema = defineSchema({
30
+ * ...authTables(authOptions),
31
+ * todos: defineTable({ title: v.string() }),
32
+ * });
33
+ * ```
34
+ *
35
+ * Scope: this emits the table **shapes** (columns + types + nullability +
36
+ * uniqueness + FK ids). It deliberately does not carry better-auth's
37
+ * `defaultValue`/`onUpdate` (filled by better-auth's own write layer), `index`
38
+ * hints, or `bigint` precision (`bigint` fields map to `v.number()`). Those only
39
+ * matter once better-auth's writes are routed through Lunora's ORM — a separate
40
+ * adapter follow-up; today the auth rows are still written by better-auth's D1
41
+ * adapter and these tables make them typed + queryable via `ctx.db`.
42
+ */
43
+ declare const authTables: (options: LunoraAuthOptions) => Record<string, TableDefinition>;
44
+ export { authTables as default };
@@ -0,0 +1,62 @@
1
+ import { defineTable } from '@lunora/server';
2
+ import { v } from '@lunora/values';
3
+ import { getAuthTables } from 'better-auth/db';
4
+
5
+ const baseValidator = (attribute) => {
6
+ if (attribute.references) {
7
+ return v.id(attribute.references.model);
8
+ }
9
+ const { type } = attribute;
10
+ if (Array.isArray(type)) {
11
+ return v.string();
12
+ }
13
+ switch (type) {
14
+ case "boolean": {
15
+ return v.boolean();
16
+ }
17
+ case "date": {
18
+ return v.date();
19
+ }
20
+ case "number": {
21
+ return v.number();
22
+ }
23
+ case "number[]": {
24
+ return v.array(v.number());
25
+ }
26
+ case "string": {
27
+ return v.string();
28
+ }
29
+ case "string[]": {
30
+ return v.array(v.string());
31
+ }
32
+ // "json" and anything unrecognised: keep the row shape permissive rather
33
+ // than fail schema generation on a plugin's exotic column type.
34
+ default: {
35
+ return v.any();
36
+ }
37
+ }
38
+ };
39
+ const fieldValidator = (attribute) => {
40
+ let validator = baseValidator(attribute);
41
+ if (attribute.required === false) {
42
+ validator = validator.nullable();
43
+ }
44
+ if (attribute.unique === true) {
45
+ validator = validator.unique();
46
+ }
47
+ return validator;
48
+ };
49
+ const authTables = (options) => {
50
+ const tables = getAuthTables(options);
51
+ const schema = {};
52
+ for (const table of Object.values(tables)) {
53
+ const shape = {};
54
+ for (const [fieldKey, attribute] of Object.entries(table.fields)) {
55
+ shape[attribute.fieldName ?? fieldKey] = fieldValidator(attribute);
56
+ }
57
+ schema[table.modelName] = defineTable(shape).externallyManaged();
58
+ }
59
+ return schema;
60
+ };
61
+
62
+ export { authTables as default };
@@ -0,0 +1,51 @@
1
+ import { AuthStore } from "./store.mjs";
2
+ import 'better-auth/adapters';
3
+ /** A D1 prepared-statement chain — the slice of `D1Database` {@link d1Executor} needs. */
4
+ interface D1Like {
5
+ prepare: (sql: string) => {
6
+ bind: (...values: unknown[]) => {
7
+ all: () => Promise<{
8
+ results?: Record<string, unknown>[];
9
+ }>;
10
+ run: () => Promise<unknown>;
11
+ };
12
+ };
13
+ }
14
+ /**
15
+ * The minimal SQL seam a {@link createSqlAuthStore} runs on — structurally the
16
+ * same `{ all, run }` contract as `@lunora/d1`'s `D1Exec`, so a Lunora D1 binding
17
+ * satisfies it directly (see {@link d1Executor}) and a `node:sqlite` handle does
18
+ * too in tests. `all` runs reads and returns rows; `run` runs writes.
19
+ */
20
+ interface SqlExecutor {
21
+ all: (sql: string, parameters: ReadonlyArray<unknown>) => Promise<Record<string, unknown>[]>;
22
+ run: (sql: string, parameters: ReadonlyArray<unknown>) => Promise<void>;
23
+ }
24
+ /**
25
+ * An {@link AuthStore} backed by a SQL database through the {@link SqlExecutor}
26
+ * seam — the production counterpart to `createMemoryAuthStore`. Point it at the
27
+ * same database that hosts Lunora's global (D1) tables (the ones `authTables(...)`
28
+ * generates) and better-auth's reads/writes land there as ordinary rows Lunora
29
+ * can also query. Assumes the auth tables already exist (Lunora owns the schema /
30
+ * migrations); it never issues DDL.
31
+ *
32
+ * ```ts
33
+ * const store = createSqlAuthStore(d1Executor(env.DB));
34
+ * const auth = createAuth({ secret: env.AUTH_SECRET, database: lunoraAuthAdapter(store) });
35
+ * ```
36
+ *
37
+ * Clause semantics match `createMemoryAuthStore` (operator parity is
38
+ * covered by a cross-store agreement test) with one unavoidable caveat:
39
+ * case-**insensitive** matching uses SQLite's ASCII-only `LOWER()`, whereas the
40
+ * in-memory store uses JS full-Unicode `toLowerCase()`. They agree on ASCII
41
+ * (emails, ids, tokens — the credential path); they can differ only for
42
+ * case-insensitive comparison of non-ASCII text.
43
+ */
44
+ declare const createSqlAuthStore: (executor: SqlExecutor) => AuthStore;
45
+ /**
46
+ * Wrap a Cloudflare D1 binding (`env.DB`) as a {@link SqlExecutor}, so
47
+ * `createSqlAuthStore(d1Executor(env.DB))` routes better-auth onto D1 — the same
48
+ * binding Lunora's `.global()` tables use.
49
+ */
50
+ declare const d1Executor: (database: D1Like) => SqlExecutor;
51
+ export { SqlExecutor, createSqlAuthStore, d1Executor };
@@ -0,0 +1,51 @@
1
+ import { AuthStore } from "./store.js";
2
+ import 'better-auth/adapters';
3
+ /** A D1 prepared-statement chain — the slice of `D1Database` {@link d1Executor} needs. */
4
+ interface D1Like {
5
+ prepare: (sql: string) => {
6
+ bind: (...values: unknown[]) => {
7
+ all: () => Promise<{
8
+ results?: Record<string, unknown>[];
9
+ }>;
10
+ run: () => Promise<unknown>;
11
+ };
12
+ };
13
+ }
14
+ /**
15
+ * The minimal SQL seam a {@link createSqlAuthStore} runs on — structurally the
16
+ * same `{ all, run }` contract as `@lunora/d1`'s `D1Exec`, so a Lunora D1 binding
17
+ * satisfies it directly (see {@link d1Executor}) and a `node:sqlite` handle does
18
+ * too in tests. `all` runs reads and returns rows; `run` runs writes.
19
+ */
20
+ interface SqlExecutor {
21
+ all: (sql: string, parameters: ReadonlyArray<unknown>) => Promise<Record<string, unknown>[]>;
22
+ run: (sql: string, parameters: ReadonlyArray<unknown>) => Promise<void>;
23
+ }
24
+ /**
25
+ * An {@link AuthStore} backed by a SQL database through the {@link SqlExecutor}
26
+ * seam — the production counterpart to `createMemoryAuthStore`. Point it at the
27
+ * same database that hosts Lunora's global (D1) tables (the ones `authTables(...)`
28
+ * generates) and better-auth's reads/writes land there as ordinary rows Lunora
29
+ * can also query. Assumes the auth tables already exist (Lunora owns the schema /
30
+ * migrations); it never issues DDL.
31
+ *
32
+ * ```ts
33
+ * const store = createSqlAuthStore(d1Executor(env.DB));
34
+ * const auth = createAuth({ secret: env.AUTH_SECRET, database: lunoraAuthAdapter(store) });
35
+ * ```
36
+ *
37
+ * Clause semantics match `createMemoryAuthStore` (operator parity is
38
+ * covered by a cross-store agreement test) with one unavoidable caveat:
39
+ * case-**insensitive** matching uses SQLite's ASCII-only `LOWER()`, whereas the
40
+ * in-memory store uses JS full-Unicode `toLowerCase()`. They agree on ASCII
41
+ * (emails, ids, tokens — the credential path); they can differ only for
42
+ * case-insensitive comparison of non-ASCII text.
43
+ */
44
+ declare const createSqlAuthStore: (executor: SqlExecutor) => AuthStore;
45
+ /**
46
+ * Wrap a Cloudflare D1 binding (`env.DB`) as a {@link SqlExecutor}, so
47
+ * `createSqlAuthStore(d1Executor(env.DB))` routes better-auth onto D1 — the same
48
+ * binding Lunora's `.global()` tables use.
49
+ */
50
+ declare const d1Executor: (database: D1Like) => SqlExecutor;
51
+ export { SqlExecutor, createSqlAuthStore, d1Executor };
@@ -0,0 +1,162 @@
1
+ const quoteId = (name) => `"${name.replaceAll('"', '""')}"`;
2
+ const NEVER = { params: [], sql: "0" };
3
+ const sided = (column, insensitive) => insensitive ? { column: `LOWER(${column})`, placeholder: "LOWER(?)" } : { column, placeholder: "?" };
4
+ const patternFragment = (column, value, operator, insensitive) => {
5
+ if (typeof value !== "string") {
6
+ return NEVER;
7
+ }
8
+ const side = sided(column, insensitive);
9
+ if (operator === "contains") {
10
+ return { params: [value], sql: `instr(${side.column}, ${side.placeholder}) > 0` };
11
+ }
12
+ if (operator === "starts_with") {
13
+ return { params: [value], sql: `instr(${side.column}, ${side.placeholder}) = 1` };
14
+ }
15
+ return { params: [value, value], sql: `substr(${side.column}, -length(?)) = ${side.placeholder}` };
16
+ };
17
+ const equalityFragment = (column, value, insensitive, negated) => {
18
+ if (value === null) {
19
+ return { params: [], sql: `${column} IS ${negated ? "NOT " : ""}NULL` };
20
+ }
21
+ const side = sided(column, insensitive);
22
+ const symbol = negated ? "<>" : "=";
23
+ return { params: [value], sql: `${side.column} ${symbol} ${side.placeholder}` };
24
+ };
25
+ const inFragment = (column, value, negated, insensitive) => {
26
+ const values = Array.isArray(value) ? value : [];
27
+ if (values.length === 0) {
28
+ return { params: [], sql: negated ? "1" : "0" };
29
+ }
30
+ const side = sided(column, insensitive);
31
+ const placeholders = values.map(() => side.placeholder).join(", ");
32
+ return { params: [...values], sql: `${side.column} ${negated ? "NOT IN" : "IN"} (${placeholders})` };
33
+ };
34
+ const compileClause = (clause) => {
35
+ const column = quoteId(clause.field);
36
+ const { mode, operator, value } = clause;
37
+ const insensitive = mode === "insensitive";
38
+ switch (operator) {
39
+ case "contains":
40
+ case "ends_with":
41
+ case "starts_with": {
42
+ return patternFragment(column, value, operator, insensitive);
43
+ }
44
+ case "gt": {
45
+ return { params: [value], sql: `${column} > ?` };
46
+ }
47
+ case "gte": {
48
+ return { params: [value], sql: `${column} >= ?` };
49
+ }
50
+ case "in": {
51
+ return inFragment(column, value, false, insensitive);
52
+ }
53
+ case "lt": {
54
+ return { params: [value], sql: `${column} < ?` };
55
+ }
56
+ case "lte": {
57
+ return { params: [value], sql: `${column} <= ?` };
58
+ }
59
+ case "ne": {
60
+ return equalityFragment(column, value, insensitive, true);
61
+ }
62
+ case "not_in": {
63
+ return inFragment(column, value, true, insensitive);
64
+ }
65
+ // "eq" and the default: null-aware equality.
66
+ default: {
67
+ return equalityFragment(column, value, insensitive, false);
68
+ }
69
+ }
70
+ };
71
+ const compileWhere = (where) => {
72
+ if (where.length === 0) {
73
+ return { params: [], sql: "" };
74
+ }
75
+ let accumulator = compileClause(where[0]);
76
+ for (const clause of where.slice(1)) {
77
+ const fragment = compileClause(clause);
78
+ const connector = clause.connector === "OR" ? "OR" : "AND";
79
+ accumulator = { params: [...accumulator.params, ...fragment.params], sql: `(${accumulator.sql} ${connector} ${fragment.sql})` };
80
+ }
81
+ return accumulator;
82
+ };
83
+ const whereSuffix = (fragment) => fragment.sql ? ` WHERE ${fragment.sql}` : "";
84
+ const createSqlAuthStore = (executor) => {
85
+ const selectRows = (model, where) => {
86
+ const fragment = compileWhere(where);
87
+ return executor.all(`SELECT * FROM ${quoteId(model)}${whereSuffix(fragment)}`, fragment.params);
88
+ };
89
+ return {
90
+ consumeOne: async (model, where) => {
91
+ const fragment = compileWhere(where);
92
+ const table = quoteId(model);
93
+ const [row] = await executor.all(
94
+ `DELETE FROM ${table} WHERE rowid IN (SELECT rowid FROM ${table}${whereSuffix(fragment)} LIMIT 1) RETURNING *`,
95
+ fragment.params
96
+ );
97
+ return row;
98
+ },
99
+ count: async (model, where) => {
100
+ const fragment = compileWhere(where);
101
+ const [row] = await executor.all(`SELECT COUNT(*) AS __count FROM ${quoteId(model)}${whereSuffix(fragment)}`, fragment.params);
102
+ return Number(row?.["__count"] ?? 0);
103
+ },
104
+ create: async (model, data) => {
105
+ const columns = Object.keys(data);
106
+ const placeholders = columns.map(() => "?").join(", ");
107
+ const sql = `INSERT INTO ${quoteId(model)} (${columns.map((column) => quoteId(column)).join(", ")}) VALUES (${placeholders})`;
108
+ await executor.run(
109
+ sql,
110
+ columns.map((column) => data[column])
111
+ );
112
+ return { ...data };
113
+ },
114
+ read: async (model, query) => {
115
+ const fragment = compileWhere(query.where);
116
+ const parameters = [...fragment.params];
117
+ let sql = `SELECT * FROM ${quoteId(model)}${whereSuffix(fragment)}`;
118
+ if (query.sortBy) {
119
+ sql += ` ORDER BY ${quoteId(query.sortBy.field)} ${query.sortBy.direction === "asc" ? "ASC" : "DESC"}`;
120
+ }
121
+ if (query.limit !== void 0) {
122
+ sql += " LIMIT ?";
123
+ parameters.push(Math.trunc(query.limit));
124
+ }
125
+ if (query.offset) {
126
+ sql += `${query.limit === void 0 ? " LIMIT -1" : ""} OFFSET ?`;
127
+ parameters.push(Math.trunc(query.offset));
128
+ }
129
+ return executor.all(sql, parameters);
130
+ },
131
+ remove: async (model, where) => {
132
+ const fragment = compileWhere(where);
133
+ const deleted = await executor.all(`DELETE FROM ${quoteId(model)}${whereSuffix(fragment)} RETURNING *`, fragment.params);
134
+ return deleted.length;
135
+ },
136
+ update: async (model, where, values) => {
137
+ const columns = Object.keys(values);
138
+ if (columns.length === 0) {
139
+ return selectRows(model, where);
140
+ }
141
+ const assignments = columns.map((column) => `${quoteId(column)} = ?`).join(", ");
142
+ const fragment = compileWhere(where);
143
+ return executor.all(`UPDATE ${quoteId(model)} SET ${assignments}${whereSuffix(fragment)} RETURNING *`, [
144
+ ...columns.map((column) => values[column]),
145
+ ...fragment.params
146
+ ]);
147
+ }
148
+ };
149
+ };
150
+ const d1Executor = (database) => {
151
+ return {
152
+ all: async (sql, parameters) => {
153
+ const result = await database.prepare(sql).bind(...parameters).all();
154
+ return result.results ?? [];
155
+ },
156
+ run: async (sql, parameters) => {
157
+ await database.prepare(sql).bind(...parameters).run();
158
+ }
159
+ };
160
+ };
161
+
162
+ export { createSqlAuthStore, d1Executor };
@@ -0,0 +1,66 @@
1
+ import { CustomAdapter } from 'better-auth/adapters';
2
+ /** A stored auth row — an opaque bag of columns keyed by better-auth field name. */
3
+ type AuthRow = Record<string, unknown>;
4
+ /**
5
+ * One normalized better-auth where clause. Derived from {@link CustomAdapter}'s
6
+ * own method signature (rather than re-declared) so a better-auth change to the
7
+ * clause shape surfaces as a compile error here, not a silent mis-match.
8
+ */
9
+ type AuthWhereClause = NonNullable<Parameters<CustomAdapter["findOne"]>[0]["where"]>[number];
10
+ /** Read query handed to {@link AuthStore.read}: a where filter plus optional sort/window. */
11
+ interface AuthQuery {
12
+ limit?: number;
13
+ offset?: number;
14
+ sortBy?: {
15
+ direction: "asc" | "desc";
16
+ field: string;
17
+ };
18
+ where: ReadonlyArray<AuthWhereClause>;
19
+ }
20
+ /**
21
+ * The minimal table-addressed store the `lunoraAuthAdapter` drives. This is the
22
+ * seam a Lunora runtime binds to its ORM: back each method with `ctx.db` over
23
+ * the global (D1) auth tables that `authTables(...)` generates, and better-auth's
24
+ * reads/writes flow through Lunora's data layer (triggers, aggregates, OCC)
25
+ * instead of better-auth's own adapter. Field names and table (`model`) names are
26
+ * already the database names better-auth resolved from the schema, so a store
27
+ * passes them straight through.
28
+ *
29
+ * {@link createMemoryAuthStore} is a reference in-memory implementation (also
30
+ * what the tests run better-auth against); `createSqlAuthStore` is the SQL one.
31
+ */
32
+ interface AuthStore {
33
+ /**
34
+ * Atomically delete **at most one** row in `model` matching `where` and
35
+ * return it (or `undefined` if none matched). Backs better-auth's
36
+ * single-use-token consume (OTP / magic-link / email-verification /
37
+ * password-reset): implementing it natively — one round trip that finds and
38
+ * deletes in a single statement — closes the read-then-delete race the
39
+ * factory's `findMany` + `deleteMany` fallback would otherwise leave open.
40
+ */
41
+ consumeOne: (model: string, where: ReadonlyArray<AuthWhereClause>) => Promise<AuthRow | undefined>;
42
+ /** Count rows in `model` matching `where` (empty `where` = all rows). */
43
+ count: (model: string, where: ReadonlyArray<AuthWhereClause>) => Promise<number>;
44
+ /** Insert `data` into `model`; return the stored row (the adapter pre-fills `id`). */
45
+ create: (model: string, data: AuthRow) => Promise<AuthRow>;
46
+ /** Read rows from `model` honouring the filter/sort/window in `query`. */
47
+ read: (model: string, query: AuthQuery) => Promise<AuthRow[]>;
48
+ /** Delete rows in `model` matching `where`; return how many were removed. */
49
+ remove: (model: string, where: ReadonlyArray<AuthWhereClause>) => Promise<number>;
50
+ /** Patch rows in `model` matching `where` with `values`; return the updated rows. */
51
+ update: (model: string, where: ReadonlyArray<AuthWhereClause>, values: AuthRow) => Promise<AuthRow[]>;
52
+ }
53
+ /**
54
+ * Evaluate a better-auth where clause list against a row. Clauses fold
55
+ * left-to-right by their `connector` (`AND` by default, `OR` when set) — the
56
+ * same precedence better-auth's own adapters use. An empty list matches every
57
+ * row. Exported so any in-memory-style {@link AuthStore} can reuse it.
58
+ */
59
+ declare const matchesWhere: (row: AuthRow, where: ReadonlyArray<AuthWhereClause>) => boolean;
60
+ /**
61
+ * Reference in-memory {@link AuthStore} — used to run better-auth end to end in
62
+ * tests, and a worked example of the contract a Lunora-`ctx.db`-backed store
63
+ * fulfils. Not for production (state is per-instance and non-durable).
64
+ */
65
+ declare const createMemoryAuthStore: () => AuthStore;
66
+ export { AuthQuery, type AuthRow, AuthStore, type AuthWhereClause, createMemoryAuthStore, matchesWhere };