@lunora/auth 0.0.0 → 1.0.0-alpha.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +105 -0
- package/README.md +125 -9
- package/__assets__/package-og.svg +14 -0
- package/dist/adapter.d.mts +43 -0
- package/dist/adapter.d.ts +43 -0
- package/dist/adapter.mjs +47 -0
- package/dist/index.d.mts +386 -0
- package/dist/index.d.ts +386 -0
- package/dist/index.mjs +12 -0
- package/dist/middleware.d.mts +189 -0
- package/dist/middleware.d.ts +189 -0
- package/dist/middleware.mjs +53 -0
- package/dist/packem_shared/DEFAULT_AUTH_BASE_PATH-DjcUWEQl.mjs +11 -0
- package/dist/packem_shared/create-auth.d-M36jwG_Y.d.mts +58 -0
- package/dist/packem_shared/create-auth.d-M36jwG_Y.d.ts +58 -0
- package/dist/packem_shared/createAuth-B-tvsvQU.mjs +56 -0
- package/dist/packem_shared/createAuthAdmin-BxrfEeA_.mjs +249 -0
- package/dist/packem_shared/ensureMigrated-wZH3oXDu.mjs +28 -0
- package/dist/packem_shared/sessionPresets-B95rXrd8.mjs +35 -0
- package/dist/plugins-client.d.mts +2 -0
- package/dist/plugins-client.d.ts +2 -0
- package/dist/plugins-client.mjs +2 -0
- package/dist/plugins.d.mts +22 -0
- package/dist/plugins.d.ts +22 -0
- package/dist/plugins.mjs +22 -0
- package/dist/schema.d.mts +44 -0
- package/dist/schema.d.ts +44 -0
- package/dist/schema.mjs +62 -0
- package/dist/sql-store.d.mts +51 -0
- package/dist/sql-store.d.ts +51 -0
- package/dist/sql-store.mjs +162 -0
- package/dist/store.d.mts +66 -0
- package/dist/store.d.ts +66 -0
- package/dist/store.mjs +170 -0
- package/dist/turnstile-middleware.d.mts +80 -0
- package/dist/turnstile-middleware.d.ts +80 -0
- package/dist/turnstile-middleware.mjs +45 -0
- package/dist/turnstile.d.mts +98 -0
- package/dist/turnstile.d.ts +98 -0
- package/dist/turnstile.mjs +61 -0
- package/package.json +80 -18
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import { getMigrations } from 'better-auth/db/migration';
|
|
2
|
+
|
|
3
|
+
const migrating = /* @__PURE__ */ new WeakMap();
|
|
4
|
+
const ensureMigrated = async (auth) => {
|
|
5
|
+
const { options } = auth;
|
|
6
|
+
const inFlight = migrating.get(options);
|
|
7
|
+
if (inFlight) {
|
|
8
|
+
await inFlight;
|
|
9
|
+
return;
|
|
10
|
+
}
|
|
11
|
+
const run = (async () => {
|
|
12
|
+
const { runMigrations } = await getMigrations(options);
|
|
13
|
+
await runMigrations();
|
|
14
|
+
})();
|
|
15
|
+
migrating.set(options, run);
|
|
16
|
+
try {
|
|
17
|
+
await run;
|
|
18
|
+
} catch (error) {
|
|
19
|
+
migrating.delete(options);
|
|
20
|
+
throw error;
|
|
21
|
+
}
|
|
22
|
+
};
|
|
23
|
+
const compileMigrationsSql = async (options) => {
|
|
24
|
+
const { compileMigrations } = await getMigrations(options);
|
|
25
|
+
return compileMigrations();
|
|
26
|
+
};
|
|
27
|
+
|
|
28
|
+
export { compileMigrationsSql, ensureMigrated };
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
const MINUTE = 60;
|
|
2
|
+
const HOUR = 60 * MINUTE;
|
|
3
|
+
const DAY = 24 * HOUR;
|
|
4
|
+
const validateSessionPolicy = (policy) => {
|
|
5
|
+
const durationFields = ["expiresIn", "updateAge", "freshAge"];
|
|
6
|
+
for (const field of durationFields) {
|
|
7
|
+
const value = policy[field];
|
|
8
|
+
if (value === void 0) {
|
|
9
|
+
continue;
|
|
10
|
+
}
|
|
11
|
+
if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
|
|
12
|
+
throw new TypeError(`@lunora/auth: \`session.${field}\` must be a non-negative, finite number of seconds`);
|
|
13
|
+
}
|
|
14
|
+
}
|
|
15
|
+
return policy;
|
|
16
|
+
};
|
|
17
|
+
const sessionPresets = {
|
|
18
|
+
longLived: {
|
|
19
|
+
expiresIn: 30 * DAY,
|
|
20
|
+
freshAge: DAY,
|
|
21
|
+
updateAge: DAY
|
|
22
|
+
},
|
|
23
|
+
rolling: {
|
|
24
|
+
expiresIn: 7 * DAY,
|
|
25
|
+
freshAge: DAY,
|
|
26
|
+
updateAge: DAY
|
|
27
|
+
},
|
|
28
|
+
strict: {
|
|
29
|
+
expiresIn: HOUR,
|
|
30
|
+
freshAge: 5 * MINUTE,
|
|
31
|
+
updateAge: 15 * MINUTE
|
|
32
|
+
}
|
|
33
|
+
};
|
|
34
|
+
|
|
35
|
+
export { sessionPresets, validateSessionPolicy };
|
|
@@ -0,0 +1,2 @@
|
|
|
1
|
+
export { passkeyClient } from '@better-auth/passkey/client';
|
|
2
|
+
export { adminClient, anonymousClient, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient } from 'better-auth/client/plugins';
|
|
@@ -0,0 +1,2 @@
|
|
|
1
|
+
export { passkeyClient } from '@better-auth/passkey/client';
|
|
2
|
+
export { adminClient, anonymousClient, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient } from 'better-auth/client/plugins';
|
|
@@ -0,0 +1,2 @@
|
|
|
1
|
+
export { passkeyClient } from '@better-auth/passkey/client';
|
|
2
|
+
export { adminClient, anonymousClient, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient } from 'better-auth/client/plugins';
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
export { passkey } from '@better-auth/passkey';
|
|
2
|
+
export { captcha, mcp, withMcpAuth } from 'better-auth/plugins';
|
|
3
|
+
export { createAccessControl } from 'better-auth/plugins/access';
|
|
4
|
+
export { admin } from 'better-auth/plugins/admin';
|
|
5
|
+
export { anonymous } from 'better-auth/plugins/anonymous';
|
|
6
|
+
export { bearer } from 'better-auth/plugins/bearer';
|
|
7
|
+
export { customSession } from 'better-auth/plugins/custom-session';
|
|
8
|
+
export { deviceAuthorization } from 'better-auth/plugins/device-authorization';
|
|
9
|
+
export { emailOTP } from 'better-auth/plugins/email-otp';
|
|
10
|
+
export { genericOAuth } from 'better-auth/plugins/generic-oauth';
|
|
11
|
+
export { haveIBeenPwned } from 'better-auth/plugins/haveibeenpwned';
|
|
12
|
+
export { jwt } from 'better-auth/plugins/jwt';
|
|
13
|
+
export { magicLink } from 'better-auth/plugins/magic-link';
|
|
14
|
+
export { multiSession } from 'better-auth/plugins/multi-session';
|
|
15
|
+
export { oAuthProxy } from 'better-auth/plugins/oauth-proxy';
|
|
16
|
+
export { oidcProvider } from 'better-auth/plugins/oidc-provider';
|
|
17
|
+
export { oneTimeToken } from 'better-auth/plugins/one-time-token';
|
|
18
|
+
export { organization } from 'better-auth/plugins/organization';
|
|
19
|
+
export { phoneNumber } from 'better-auth/plugins/phone-number';
|
|
20
|
+
export { siwe } from 'better-auth/plugins/siwe';
|
|
21
|
+
export { twoFactor } from 'better-auth/plugins/two-factor';
|
|
22
|
+
export { username } from 'better-auth/plugins/username';
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
export { passkey } from '@better-auth/passkey';
|
|
2
|
+
export { captcha, mcp, withMcpAuth } from 'better-auth/plugins';
|
|
3
|
+
export { createAccessControl } from 'better-auth/plugins/access';
|
|
4
|
+
export { admin } from 'better-auth/plugins/admin';
|
|
5
|
+
export { anonymous } from 'better-auth/plugins/anonymous';
|
|
6
|
+
export { bearer } from 'better-auth/plugins/bearer';
|
|
7
|
+
export { customSession } from 'better-auth/plugins/custom-session';
|
|
8
|
+
export { deviceAuthorization } from 'better-auth/plugins/device-authorization';
|
|
9
|
+
export { emailOTP } from 'better-auth/plugins/email-otp';
|
|
10
|
+
export { genericOAuth } from 'better-auth/plugins/generic-oauth';
|
|
11
|
+
export { haveIBeenPwned } from 'better-auth/plugins/haveibeenpwned';
|
|
12
|
+
export { jwt } from 'better-auth/plugins/jwt';
|
|
13
|
+
export { magicLink } from 'better-auth/plugins/magic-link';
|
|
14
|
+
export { multiSession } from 'better-auth/plugins/multi-session';
|
|
15
|
+
export { oAuthProxy } from 'better-auth/plugins/oauth-proxy';
|
|
16
|
+
export { oidcProvider } from 'better-auth/plugins/oidc-provider';
|
|
17
|
+
export { oneTimeToken } from 'better-auth/plugins/one-time-token';
|
|
18
|
+
export { organization } from 'better-auth/plugins/organization';
|
|
19
|
+
export { phoneNumber } from 'better-auth/plugins/phone-number';
|
|
20
|
+
export { siwe } from 'better-auth/plugins/siwe';
|
|
21
|
+
export { twoFactor } from 'better-auth/plugins/two-factor';
|
|
22
|
+
export { username } from 'better-auth/plugins/username';
|
package/dist/plugins.mjs
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
export { passkey } from '@better-auth/passkey';
|
|
2
|
+
export { captcha, mcp, withMcpAuth } from 'better-auth/plugins';
|
|
3
|
+
export { createAccessControl } from 'better-auth/plugins/access';
|
|
4
|
+
export { admin } from 'better-auth/plugins/admin';
|
|
5
|
+
export { anonymous } from 'better-auth/plugins/anonymous';
|
|
6
|
+
export { bearer } from 'better-auth/plugins/bearer';
|
|
7
|
+
export { customSession } from 'better-auth/plugins/custom-session';
|
|
8
|
+
export { deviceAuthorization } from 'better-auth/plugins/device-authorization';
|
|
9
|
+
export { emailOTP } from 'better-auth/plugins/email-otp';
|
|
10
|
+
export { genericOAuth } from 'better-auth/plugins/generic-oauth';
|
|
11
|
+
export { haveIBeenPwned } from 'better-auth/plugins/haveibeenpwned';
|
|
12
|
+
export { jwt } from 'better-auth/plugins/jwt';
|
|
13
|
+
export { magicLink } from 'better-auth/plugins/magic-link';
|
|
14
|
+
export { multiSession } from 'better-auth/plugins/multi-session';
|
|
15
|
+
export { oAuthProxy } from 'better-auth/plugins/oauth-proxy';
|
|
16
|
+
export { oidcProvider } from 'better-auth/plugins/oidc-provider';
|
|
17
|
+
export { oneTimeToken } from 'better-auth/plugins/one-time-token';
|
|
18
|
+
export { organization } from 'better-auth/plugins/organization';
|
|
19
|
+
export { phoneNumber } from 'better-auth/plugins/phone-number';
|
|
20
|
+
export { siwe } from 'better-auth/plugins/siwe';
|
|
21
|
+
export { twoFactor } from 'better-auth/plugins/two-factor';
|
|
22
|
+
export { username } from 'better-auth/plugins/username';
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
import { TableDefinition } from '@lunora/server';
|
|
2
|
+
import { a as LunoraAuthOptions } from "./packem_shared/create-auth.d-M36jwG_Y.mjs";
|
|
3
|
+
import 'better-auth';
|
|
4
|
+
/**
|
|
5
|
+
* Derive Lunora table definitions from a better-auth config — the bridge that
|
|
6
|
+
* makes the **full** better-auth plugin ecosystem first-class Lunora data.
|
|
7
|
+
*
|
|
8
|
+
* better-auth's own `getAuthTables(options)` already merges every configured
|
|
9
|
+
* plugin's `schema` into one table map (core `user`/`session`/`account`/
|
|
10
|
+
* `verification`, plus whatever the plugins on `options.plugins` add —
|
|
11
|
+
* `organization`/`member`/`invitation`/`team`/`teamMember` from the
|
|
12
|
+
* organization plugin, `role`/`banned`/… columns from admin, `passkey`,
|
|
13
|
+
* `twoFactor`, `jwks`, …). This walks that map and emits an equivalent
|
|
14
|
+
* `defineTable` for each, so adding a plugin to `options.plugins` automatically
|
|
15
|
+
* surfaces its tables in the Lunora schema — no hand-written table definitions
|
|
16
|
+
* to keep in sync.
|
|
17
|
+
*
|
|
18
|
+
* Spread the result into `defineSchema` alongside your app tables (the keys are
|
|
19
|
+
* better-auth's real table names — `user`, `session`, … — left **unprefixed**
|
|
20
|
+
* because better-auth's adapter addresses them by exactly those names). Because
|
|
21
|
+
* the names are unprefixed, do **not** declare an app table that reuses one of
|
|
22
|
+
* better-auth's reserved names in the same `defineSchema` — JS spread order
|
|
23
|
+
* would let the later key win silently (unlike the plugin-extension path, which
|
|
24
|
+
* throws on collision):
|
|
25
|
+
*
|
|
26
|
+
* ```ts
|
|
27
|
+
* import { authTables } from "@lunora/auth";
|
|
28
|
+
* const authOptions = { emailAndPassword: { enabled: true }, plugins: [organization(), admin()] };
|
|
29
|
+
* export const schema = defineSchema({
|
|
30
|
+
* ...authTables(authOptions),
|
|
31
|
+
* todos: defineTable({ title: v.string() }),
|
|
32
|
+
* });
|
|
33
|
+
* ```
|
|
34
|
+
*
|
|
35
|
+
* Scope: this emits the table **shapes** (columns + types + nullability +
|
|
36
|
+
* uniqueness + FK ids). It deliberately does not carry better-auth's
|
|
37
|
+
* `defaultValue`/`onUpdate` (filled by better-auth's own write layer), `index`
|
|
38
|
+
* hints, or `bigint` precision (`bigint` fields map to `v.number()`). Those only
|
|
39
|
+
* matter once better-auth's writes are routed through Lunora's ORM — a separate
|
|
40
|
+
* adapter follow-up; today the auth rows are still written by better-auth's D1
|
|
41
|
+
* adapter and these tables make them typed + queryable via `ctx.db`.
|
|
42
|
+
*/
|
|
43
|
+
declare const authTables: (options: LunoraAuthOptions) => Record<string, TableDefinition>;
|
|
44
|
+
export { authTables as default };
|
package/dist/schema.d.ts
ADDED
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
import { TableDefinition } from '@lunora/server';
|
|
2
|
+
import { a as LunoraAuthOptions } from "./packem_shared/create-auth.d-M36jwG_Y.js";
|
|
3
|
+
import 'better-auth';
|
|
4
|
+
/**
|
|
5
|
+
* Derive Lunora table definitions from a better-auth config — the bridge that
|
|
6
|
+
* makes the **full** better-auth plugin ecosystem first-class Lunora data.
|
|
7
|
+
*
|
|
8
|
+
* better-auth's own `getAuthTables(options)` already merges every configured
|
|
9
|
+
* plugin's `schema` into one table map (core `user`/`session`/`account`/
|
|
10
|
+
* `verification`, plus whatever the plugins on `options.plugins` add —
|
|
11
|
+
* `organization`/`member`/`invitation`/`team`/`teamMember` from the
|
|
12
|
+
* organization plugin, `role`/`banned`/… columns from admin, `passkey`,
|
|
13
|
+
* `twoFactor`, `jwks`, …). This walks that map and emits an equivalent
|
|
14
|
+
* `defineTable` for each, so adding a plugin to `options.plugins` automatically
|
|
15
|
+
* surfaces its tables in the Lunora schema — no hand-written table definitions
|
|
16
|
+
* to keep in sync.
|
|
17
|
+
*
|
|
18
|
+
* Spread the result into `defineSchema` alongside your app tables (the keys are
|
|
19
|
+
* better-auth's real table names — `user`, `session`, … — left **unprefixed**
|
|
20
|
+
* because better-auth's adapter addresses them by exactly those names). Because
|
|
21
|
+
* the names are unprefixed, do **not** declare an app table that reuses one of
|
|
22
|
+
* better-auth's reserved names in the same `defineSchema` — JS spread order
|
|
23
|
+
* would let the later key win silently (unlike the plugin-extension path, which
|
|
24
|
+
* throws on collision):
|
|
25
|
+
*
|
|
26
|
+
* ```ts
|
|
27
|
+
* import { authTables } from "@lunora/auth";
|
|
28
|
+
* const authOptions = { emailAndPassword: { enabled: true }, plugins: [organization(), admin()] };
|
|
29
|
+
* export const schema = defineSchema({
|
|
30
|
+
* ...authTables(authOptions),
|
|
31
|
+
* todos: defineTable({ title: v.string() }),
|
|
32
|
+
* });
|
|
33
|
+
* ```
|
|
34
|
+
*
|
|
35
|
+
* Scope: this emits the table **shapes** (columns + types + nullability +
|
|
36
|
+
* uniqueness + FK ids). It deliberately does not carry better-auth's
|
|
37
|
+
* `defaultValue`/`onUpdate` (filled by better-auth's own write layer), `index`
|
|
38
|
+
* hints, or `bigint` precision (`bigint` fields map to `v.number()`). Those only
|
|
39
|
+
* matter once better-auth's writes are routed through Lunora's ORM — a separate
|
|
40
|
+
* adapter follow-up; today the auth rows are still written by better-auth's D1
|
|
41
|
+
* adapter and these tables make them typed + queryable via `ctx.db`.
|
|
42
|
+
*/
|
|
43
|
+
declare const authTables: (options: LunoraAuthOptions) => Record<string, TableDefinition>;
|
|
44
|
+
export { authTables as default };
|
package/dist/schema.mjs
ADDED
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
import { defineTable } from '@lunora/server';
|
|
2
|
+
import { v } from '@lunora/values';
|
|
3
|
+
import { getAuthTables } from 'better-auth/db';
|
|
4
|
+
|
|
5
|
+
const baseValidator = (attribute) => {
|
|
6
|
+
if (attribute.references) {
|
|
7
|
+
return v.id(attribute.references.model);
|
|
8
|
+
}
|
|
9
|
+
const { type } = attribute;
|
|
10
|
+
if (Array.isArray(type)) {
|
|
11
|
+
return v.string();
|
|
12
|
+
}
|
|
13
|
+
switch (type) {
|
|
14
|
+
case "boolean": {
|
|
15
|
+
return v.boolean();
|
|
16
|
+
}
|
|
17
|
+
case "date": {
|
|
18
|
+
return v.date();
|
|
19
|
+
}
|
|
20
|
+
case "number": {
|
|
21
|
+
return v.number();
|
|
22
|
+
}
|
|
23
|
+
case "number[]": {
|
|
24
|
+
return v.array(v.number());
|
|
25
|
+
}
|
|
26
|
+
case "string": {
|
|
27
|
+
return v.string();
|
|
28
|
+
}
|
|
29
|
+
case "string[]": {
|
|
30
|
+
return v.array(v.string());
|
|
31
|
+
}
|
|
32
|
+
// "json" and anything unrecognised: keep the row shape permissive rather
|
|
33
|
+
// than fail schema generation on a plugin's exotic column type.
|
|
34
|
+
default: {
|
|
35
|
+
return v.any();
|
|
36
|
+
}
|
|
37
|
+
}
|
|
38
|
+
};
|
|
39
|
+
const fieldValidator = (attribute) => {
|
|
40
|
+
let validator = baseValidator(attribute);
|
|
41
|
+
if (attribute.required === false) {
|
|
42
|
+
validator = validator.nullable();
|
|
43
|
+
}
|
|
44
|
+
if (attribute.unique === true) {
|
|
45
|
+
validator = validator.unique();
|
|
46
|
+
}
|
|
47
|
+
return validator;
|
|
48
|
+
};
|
|
49
|
+
const authTables = (options) => {
|
|
50
|
+
const tables = getAuthTables(options);
|
|
51
|
+
const schema = {};
|
|
52
|
+
for (const table of Object.values(tables)) {
|
|
53
|
+
const shape = {};
|
|
54
|
+
for (const [fieldKey, attribute] of Object.entries(table.fields)) {
|
|
55
|
+
shape[attribute.fieldName ?? fieldKey] = fieldValidator(attribute);
|
|
56
|
+
}
|
|
57
|
+
schema[table.modelName] = defineTable(shape).externallyManaged();
|
|
58
|
+
}
|
|
59
|
+
return schema;
|
|
60
|
+
};
|
|
61
|
+
|
|
62
|
+
export { authTables as default };
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
import { AuthStore } from "./store.mjs";
|
|
2
|
+
import 'better-auth/adapters';
|
|
3
|
+
/** A D1 prepared-statement chain — the slice of `D1Database` {@link d1Executor} needs. */
|
|
4
|
+
interface D1Like {
|
|
5
|
+
prepare: (sql: string) => {
|
|
6
|
+
bind: (...values: unknown[]) => {
|
|
7
|
+
all: () => Promise<{
|
|
8
|
+
results?: Record<string, unknown>[];
|
|
9
|
+
}>;
|
|
10
|
+
run: () => Promise<unknown>;
|
|
11
|
+
};
|
|
12
|
+
};
|
|
13
|
+
}
|
|
14
|
+
/**
|
|
15
|
+
* The minimal SQL seam a {@link createSqlAuthStore} runs on — structurally the
|
|
16
|
+
* same `{ all, run }` contract as `@lunora/d1`'s `D1Exec`, so a Lunora D1 binding
|
|
17
|
+
* satisfies it directly (see {@link d1Executor}) and a `node:sqlite` handle does
|
|
18
|
+
* too in tests. `all` runs reads and returns rows; `run` runs writes.
|
|
19
|
+
*/
|
|
20
|
+
interface SqlExecutor {
|
|
21
|
+
all: (sql: string, parameters: ReadonlyArray<unknown>) => Promise<Record<string, unknown>[]>;
|
|
22
|
+
run: (sql: string, parameters: ReadonlyArray<unknown>) => Promise<void>;
|
|
23
|
+
}
|
|
24
|
+
/**
|
|
25
|
+
* An {@link AuthStore} backed by a SQL database through the {@link SqlExecutor}
|
|
26
|
+
* seam — the production counterpart to `createMemoryAuthStore`. Point it at the
|
|
27
|
+
* same database that hosts Lunora's global (D1) tables (the ones `authTables(...)`
|
|
28
|
+
* generates) and better-auth's reads/writes land there as ordinary rows Lunora
|
|
29
|
+
* can also query. Assumes the auth tables already exist (Lunora owns the schema /
|
|
30
|
+
* migrations); it never issues DDL.
|
|
31
|
+
*
|
|
32
|
+
* ```ts
|
|
33
|
+
* const store = createSqlAuthStore(d1Executor(env.DB));
|
|
34
|
+
* const auth = createAuth({ secret: env.AUTH_SECRET, database: lunoraAuthAdapter(store) });
|
|
35
|
+
* ```
|
|
36
|
+
*
|
|
37
|
+
* Clause semantics match `createMemoryAuthStore` (operator parity is
|
|
38
|
+
* covered by a cross-store agreement test) with one unavoidable caveat:
|
|
39
|
+
* case-**insensitive** matching uses SQLite's ASCII-only `LOWER()`, whereas the
|
|
40
|
+
* in-memory store uses JS full-Unicode `toLowerCase()`. They agree on ASCII
|
|
41
|
+
* (emails, ids, tokens — the credential path); they can differ only for
|
|
42
|
+
* case-insensitive comparison of non-ASCII text.
|
|
43
|
+
*/
|
|
44
|
+
declare const createSqlAuthStore: (executor: SqlExecutor) => AuthStore;
|
|
45
|
+
/**
|
|
46
|
+
* Wrap a Cloudflare D1 binding (`env.DB`) as a {@link SqlExecutor}, so
|
|
47
|
+
* `createSqlAuthStore(d1Executor(env.DB))` routes better-auth onto D1 — the same
|
|
48
|
+
* binding Lunora's `.global()` tables use.
|
|
49
|
+
*/
|
|
50
|
+
declare const d1Executor: (database: D1Like) => SqlExecutor;
|
|
51
|
+
export { SqlExecutor, createSqlAuthStore, d1Executor };
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
import { AuthStore } from "./store.js";
|
|
2
|
+
import 'better-auth/adapters';
|
|
3
|
+
/** A D1 prepared-statement chain — the slice of `D1Database` {@link d1Executor} needs. */
|
|
4
|
+
interface D1Like {
|
|
5
|
+
prepare: (sql: string) => {
|
|
6
|
+
bind: (...values: unknown[]) => {
|
|
7
|
+
all: () => Promise<{
|
|
8
|
+
results?: Record<string, unknown>[];
|
|
9
|
+
}>;
|
|
10
|
+
run: () => Promise<unknown>;
|
|
11
|
+
};
|
|
12
|
+
};
|
|
13
|
+
}
|
|
14
|
+
/**
|
|
15
|
+
* The minimal SQL seam a {@link createSqlAuthStore} runs on — structurally the
|
|
16
|
+
* same `{ all, run }` contract as `@lunora/d1`'s `D1Exec`, so a Lunora D1 binding
|
|
17
|
+
* satisfies it directly (see {@link d1Executor}) and a `node:sqlite` handle does
|
|
18
|
+
* too in tests. `all` runs reads and returns rows; `run` runs writes.
|
|
19
|
+
*/
|
|
20
|
+
interface SqlExecutor {
|
|
21
|
+
all: (sql: string, parameters: ReadonlyArray<unknown>) => Promise<Record<string, unknown>[]>;
|
|
22
|
+
run: (sql: string, parameters: ReadonlyArray<unknown>) => Promise<void>;
|
|
23
|
+
}
|
|
24
|
+
/**
|
|
25
|
+
* An {@link AuthStore} backed by a SQL database through the {@link SqlExecutor}
|
|
26
|
+
* seam — the production counterpart to `createMemoryAuthStore`. Point it at the
|
|
27
|
+
* same database that hosts Lunora's global (D1) tables (the ones `authTables(...)`
|
|
28
|
+
* generates) and better-auth's reads/writes land there as ordinary rows Lunora
|
|
29
|
+
* can also query. Assumes the auth tables already exist (Lunora owns the schema /
|
|
30
|
+
* migrations); it never issues DDL.
|
|
31
|
+
*
|
|
32
|
+
* ```ts
|
|
33
|
+
* const store = createSqlAuthStore(d1Executor(env.DB));
|
|
34
|
+
* const auth = createAuth({ secret: env.AUTH_SECRET, database: lunoraAuthAdapter(store) });
|
|
35
|
+
* ```
|
|
36
|
+
*
|
|
37
|
+
* Clause semantics match `createMemoryAuthStore` (operator parity is
|
|
38
|
+
* covered by a cross-store agreement test) with one unavoidable caveat:
|
|
39
|
+
* case-**insensitive** matching uses SQLite's ASCII-only `LOWER()`, whereas the
|
|
40
|
+
* in-memory store uses JS full-Unicode `toLowerCase()`. They agree on ASCII
|
|
41
|
+
* (emails, ids, tokens — the credential path); they can differ only for
|
|
42
|
+
* case-insensitive comparison of non-ASCII text.
|
|
43
|
+
*/
|
|
44
|
+
declare const createSqlAuthStore: (executor: SqlExecutor) => AuthStore;
|
|
45
|
+
/**
|
|
46
|
+
* Wrap a Cloudflare D1 binding (`env.DB`) as a {@link SqlExecutor}, so
|
|
47
|
+
* `createSqlAuthStore(d1Executor(env.DB))` routes better-auth onto D1 — the same
|
|
48
|
+
* binding Lunora's `.global()` tables use.
|
|
49
|
+
*/
|
|
50
|
+
declare const d1Executor: (database: D1Like) => SqlExecutor;
|
|
51
|
+
export { SqlExecutor, createSqlAuthStore, d1Executor };
|
|
@@ -0,0 +1,162 @@
|
|
|
1
|
+
const quoteId = (name) => `"${name.replaceAll('"', '""')}"`;
|
|
2
|
+
const NEVER = { params: [], sql: "0" };
|
|
3
|
+
const sided = (column, insensitive) => insensitive ? { column: `LOWER(${column})`, placeholder: "LOWER(?)" } : { column, placeholder: "?" };
|
|
4
|
+
const patternFragment = (column, value, operator, insensitive) => {
|
|
5
|
+
if (typeof value !== "string") {
|
|
6
|
+
return NEVER;
|
|
7
|
+
}
|
|
8
|
+
const side = sided(column, insensitive);
|
|
9
|
+
if (operator === "contains") {
|
|
10
|
+
return { params: [value], sql: `instr(${side.column}, ${side.placeholder}) > 0` };
|
|
11
|
+
}
|
|
12
|
+
if (operator === "starts_with") {
|
|
13
|
+
return { params: [value], sql: `instr(${side.column}, ${side.placeholder}) = 1` };
|
|
14
|
+
}
|
|
15
|
+
return { params: [value, value], sql: `substr(${side.column}, -length(?)) = ${side.placeholder}` };
|
|
16
|
+
};
|
|
17
|
+
const equalityFragment = (column, value, insensitive, negated) => {
|
|
18
|
+
if (value === null) {
|
|
19
|
+
return { params: [], sql: `${column} IS ${negated ? "NOT " : ""}NULL` };
|
|
20
|
+
}
|
|
21
|
+
const side = sided(column, insensitive);
|
|
22
|
+
const symbol = negated ? "<>" : "=";
|
|
23
|
+
return { params: [value], sql: `${side.column} ${symbol} ${side.placeholder}` };
|
|
24
|
+
};
|
|
25
|
+
const inFragment = (column, value, negated, insensitive) => {
|
|
26
|
+
const values = Array.isArray(value) ? value : [];
|
|
27
|
+
if (values.length === 0) {
|
|
28
|
+
return { params: [], sql: negated ? "1" : "0" };
|
|
29
|
+
}
|
|
30
|
+
const side = sided(column, insensitive);
|
|
31
|
+
const placeholders = values.map(() => side.placeholder).join(", ");
|
|
32
|
+
return { params: [...values], sql: `${side.column} ${negated ? "NOT IN" : "IN"} (${placeholders})` };
|
|
33
|
+
};
|
|
34
|
+
const compileClause = (clause) => {
|
|
35
|
+
const column = quoteId(clause.field);
|
|
36
|
+
const { mode, operator, value } = clause;
|
|
37
|
+
const insensitive = mode === "insensitive";
|
|
38
|
+
switch (operator) {
|
|
39
|
+
case "contains":
|
|
40
|
+
case "ends_with":
|
|
41
|
+
case "starts_with": {
|
|
42
|
+
return patternFragment(column, value, operator, insensitive);
|
|
43
|
+
}
|
|
44
|
+
case "gt": {
|
|
45
|
+
return { params: [value], sql: `${column} > ?` };
|
|
46
|
+
}
|
|
47
|
+
case "gte": {
|
|
48
|
+
return { params: [value], sql: `${column} >= ?` };
|
|
49
|
+
}
|
|
50
|
+
case "in": {
|
|
51
|
+
return inFragment(column, value, false, insensitive);
|
|
52
|
+
}
|
|
53
|
+
case "lt": {
|
|
54
|
+
return { params: [value], sql: `${column} < ?` };
|
|
55
|
+
}
|
|
56
|
+
case "lte": {
|
|
57
|
+
return { params: [value], sql: `${column} <= ?` };
|
|
58
|
+
}
|
|
59
|
+
case "ne": {
|
|
60
|
+
return equalityFragment(column, value, insensitive, true);
|
|
61
|
+
}
|
|
62
|
+
case "not_in": {
|
|
63
|
+
return inFragment(column, value, true, insensitive);
|
|
64
|
+
}
|
|
65
|
+
// "eq" and the default: null-aware equality.
|
|
66
|
+
default: {
|
|
67
|
+
return equalityFragment(column, value, insensitive, false);
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
};
|
|
71
|
+
const compileWhere = (where) => {
|
|
72
|
+
if (where.length === 0) {
|
|
73
|
+
return { params: [], sql: "" };
|
|
74
|
+
}
|
|
75
|
+
let accumulator = compileClause(where[0]);
|
|
76
|
+
for (const clause of where.slice(1)) {
|
|
77
|
+
const fragment = compileClause(clause);
|
|
78
|
+
const connector = clause.connector === "OR" ? "OR" : "AND";
|
|
79
|
+
accumulator = { params: [...accumulator.params, ...fragment.params], sql: `(${accumulator.sql} ${connector} ${fragment.sql})` };
|
|
80
|
+
}
|
|
81
|
+
return accumulator;
|
|
82
|
+
};
|
|
83
|
+
const whereSuffix = (fragment) => fragment.sql ? ` WHERE ${fragment.sql}` : "";
|
|
84
|
+
const createSqlAuthStore = (executor) => {
|
|
85
|
+
const selectRows = (model, where) => {
|
|
86
|
+
const fragment = compileWhere(where);
|
|
87
|
+
return executor.all(`SELECT * FROM ${quoteId(model)}${whereSuffix(fragment)}`, fragment.params);
|
|
88
|
+
};
|
|
89
|
+
return {
|
|
90
|
+
consumeOne: async (model, where) => {
|
|
91
|
+
const fragment = compileWhere(where);
|
|
92
|
+
const table = quoteId(model);
|
|
93
|
+
const [row] = await executor.all(
|
|
94
|
+
`DELETE FROM ${table} WHERE rowid IN (SELECT rowid FROM ${table}${whereSuffix(fragment)} LIMIT 1) RETURNING *`,
|
|
95
|
+
fragment.params
|
|
96
|
+
);
|
|
97
|
+
return row;
|
|
98
|
+
},
|
|
99
|
+
count: async (model, where) => {
|
|
100
|
+
const fragment = compileWhere(where);
|
|
101
|
+
const [row] = await executor.all(`SELECT COUNT(*) AS __count FROM ${quoteId(model)}${whereSuffix(fragment)}`, fragment.params);
|
|
102
|
+
return Number(row?.["__count"] ?? 0);
|
|
103
|
+
},
|
|
104
|
+
create: async (model, data) => {
|
|
105
|
+
const columns = Object.keys(data);
|
|
106
|
+
const placeholders = columns.map(() => "?").join(", ");
|
|
107
|
+
const sql = `INSERT INTO ${quoteId(model)} (${columns.map((column) => quoteId(column)).join(", ")}) VALUES (${placeholders})`;
|
|
108
|
+
await executor.run(
|
|
109
|
+
sql,
|
|
110
|
+
columns.map((column) => data[column])
|
|
111
|
+
);
|
|
112
|
+
return { ...data };
|
|
113
|
+
},
|
|
114
|
+
read: async (model, query) => {
|
|
115
|
+
const fragment = compileWhere(query.where);
|
|
116
|
+
const parameters = [...fragment.params];
|
|
117
|
+
let sql = `SELECT * FROM ${quoteId(model)}${whereSuffix(fragment)}`;
|
|
118
|
+
if (query.sortBy) {
|
|
119
|
+
sql += ` ORDER BY ${quoteId(query.sortBy.field)} ${query.sortBy.direction === "asc" ? "ASC" : "DESC"}`;
|
|
120
|
+
}
|
|
121
|
+
if (query.limit !== void 0) {
|
|
122
|
+
sql += " LIMIT ?";
|
|
123
|
+
parameters.push(Math.trunc(query.limit));
|
|
124
|
+
}
|
|
125
|
+
if (query.offset) {
|
|
126
|
+
sql += `${query.limit === void 0 ? " LIMIT -1" : ""} OFFSET ?`;
|
|
127
|
+
parameters.push(Math.trunc(query.offset));
|
|
128
|
+
}
|
|
129
|
+
return executor.all(sql, parameters);
|
|
130
|
+
},
|
|
131
|
+
remove: async (model, where) => {
|
|
132
|
+
const fragment = compileWhere(where);
|
|
133
|
+
const deleted = await executor.all(`DELETE FROM ${quoteId(model)}${whereSuffix(fragment)} RETURNING *`, fragment.params);
|
|
134
|
+
return deleted.length;
|
|
135
|
+
},
|
|
136
|
+
update: async (model, where, values) => {
|
|
137
|
+
const columns = Object.keys(values);
|
|
138
|
+
if (columns.length === 0) {
|
|
139
|
+
return selectRows(model, where);
|
|
140
|
+
}
|
|
141
|
+
const assignments = columns.map((column) => `${quoteId(column)} = ?`).join(", ");
|
|
142
|
+
const fragment = compileWhere(where);
|
|
143
|
+
return executor.all(`UPDATE ${quoteId(model)} SET ${assignments}${whereSuffix(fragment)} RETURNING *`, [
|
|
144
|
+
...columns.map((column) => values[column]),
|
|
145
|
+
...fragment.params
|
|
146
|
+
]);
|
|
147
|
+
}
|
|
148
|
+
};
|
|
149
|
+
};
|
|
150
|
+
const d1Executor = (database) => {
|
|
151
|
+
return {
|
|
152
|
+
all: async (sql, parameters) => {
|
|
153
|
+
const result = await database.prepare(sql).bind(...parameters).all();
|
|
154
|
+
return result.results ?? [];
|
|
155
|
+
},
|
|
156
|
+
run: async (sql, parameters) => {
|
|
157
|
+
await database.prepare(sql).bind(...parameters).run();
|
|
158
|
+
}
|
|
159
|
+
};
|
|
160
|
+
};
|
|
161
|
+
|
|
162
|
+
export { createSqlAuthStore, d1Executor };
|
package/dist/store.d.mts
ADDED
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
import { CustomAdapter } from 'better-auth/adapters';
|
|
2
|
+
/** A stored auth row — an opaque bag of columns keyed by better-auth field name. */
|
|
3
|
+
type AuthRow = Record<string, unknown>;
|
|
4
|
+
/**
|
|
5
|
+
* One normalized better-auth where clause. Derived from {@link CustomAdapter}'s
|
|
6
|
+
* own method signature (rather than re-declared) so a better-auth change to the
|
|
7
|
+
* clause shape surfaces as a compile error here, not a silent mis-match.
|
|
8
|
+
*/
|
|
9
|
+
type AuthWhereClause = NonNullable<Parameters<CustomAdapter["findOne"]>[0]["where"]>[number];
|
|
10
|
+
/** Read query handed to {@link AuthStore.read}: a where filter plus optional sort/window. */
|
|
11
|
+
interface AuthQuery {
|
|
12
|
+
limit?: number;
|
|
13
|
+
offset?: number;
|
|
14
|
+
sortBy?: {
|
|
15
|
+
direction: "asc" | "desc";
|
|
16
|
+
field: string;
|
|
17
|
+
};
|
|
18
|
+
where: ReadonlyArray<AuthWhereClause>;
|
|
19
|
+
}
|
|
20
|
+
/**
|
|
21
|
+
* The minimal table-addressed store the `lunoraAuthAdapter` drives. This is the
|
|
22
|
+
* seam a Lunora runtime binds to its ORM: back each method with `ctx.db` over
|
|
23
|
+
* the global (D1) auth tables that `authTables(...)` generates, and better-auth's
|
|
24
|
+
* reads/writes flow through Lunora's data layer (triggers, aggregates, OCC)
|
|
25
|
+
* instead of better-auth's own adapter. Field names and table (`model`) names are
|
|
26
|
+
* already the database names better-auth resolved from the schema, so a store
|
|
27
|
+
* passes them straight through.
|
|
28
|
+
*
|
|
29
|
+
* {@link createMemoryAuthStore} is a reference in-memory implementation (also
|
|
30
|
+
* what the tests run better-auth against); `createSqlAuthStore` is the SQL one.
|
|
31
|
+
*/
|
|
32
|
+
interface AuthStore {
|
|
33
|
+
/**
|
|
34
|
+
* Atomically delete **at most one** row in `model` matching `where` and
|
|
35
|
+
* return it (or `undefined` if none matched). Backs better-auth's
|
|
36
|
+
* single-use-token consume (OTP / magic-link / email-verification /
|
|
37
|
+
* password-reset): implementing it natively — one round trip that finds and
|
|
38
|
+
* deletes in a single statement — closes the read-then-delete race the
|
|
39
|
+
* factory's `findMany` + `deleteMany` fallback would otherwise leave open.
|
|
40
|
+
*/
|
|
41
|
+
consumeOne: (model: string, where: ReadonlyArray<AuthWhereClause>) => Promise<AuthRow | undefined>;
|
|
42
|
+
/** Count rows in `model` matching `where` (empty `where` = all rows). */
|
|
43
|
+
count: (model: string, where: ReadonlyArray<AuthWhereClause>) => Promise<number>;
|
|
44
|
+
/** Insert `data` into `model`; return the stored row (the adapter pre-fills `id`). */
|
|
45
|
+
create: (model: string, data: AuthRow) => Promise<AuthRow>;
|
|
46
|
+
/** Read rows from `model` honouring the filter/sort/window in `query`. */
|
|
47
|
+
read: (model: string, query: AuthQuery) => Promise<AuthRow[]>;
|
|
48
|
+
/** Delete rows in `model` matching `where`; return how many were removed. */
|
|
49
|
+
remove: (model: string, where: ReadonlyArray<AuthWhereClause>) => Promise<number>;
|
|
50
|
+
/** Patch rows in `model` matching `where` with `values`; return the updated rows. */
|
|
51
|
+
update: (model: string, where: ReadonlyArray<AuthWhereClause>, values: AuthRow) => Promise<AuthRow[]>;
|
|
52
|
+
}
|
|
53
|
+
/**
|
|
54
|
+
* Evaluate a better-auth where clause list against a row. Clauses fold
|
|
55
|
+
* left-to-right by their `connector` (`AND` by default, `OR` when set) — the
|
|
56
|
+
* same precedence better-auth's own adapters use. An empty list matches every
|
|
57
|
+
* row. Exported so any in-memory-style {@link AuthStore} can reuse it.
|
|
58
|
+
*/
|
|
59
|
+
declare const matchesWhere: (row: AuthRow, where: ReadonlyArray<AuthWhereClause>) => boolean;
|
|
60
|
+
/**
|
|
61
|
+
* Reference in-memory {@link AuthStore} — used to run better-auth end to end in
|
|
62
|
+
* tests, and a worked example of the contract a Lunora-`ctx.db`-backed store
|
|
63
|
+
* fulfils. Not for production (state is per-instance and non-durable).
|
|
64
|
+
*/
|
|
65
|
+
declare const createMemoryAuthStore: () => AuthStore;
|
|
66
|
+
export { AuthQuery, type AuthRow, AuthStore, type AuthWhereClause, createMemoryAuthStore, matchesWhere };
|