@mastra/auth-better-auth 1.0.2 → 1.0.3-alpha.0

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @mastra/auth-better-auth
 
+## 1.0.3-alpha.0
+
+### Patch Changes
+
+- Removed Hono from @mastra/core and auth package runtime dependencies. Auth providers now receive framework-agnostic request types that support standard Request objects and Hono-compatible request shapes. MCP and deployer avoid relying on core-bundled Hono context types at package boundaries. ([#17410](https://github.com/mastra-ai/mastra/pull/17410))
+
+- Updated dependencies [[`c973db4`](https://github.com/mastra-ai/mastra/commit/c973db428df1b564ff0c35d4b2a90e8f4f1e13fd), [`552285e`](https://github.com/mastra-ai/mastra/commit/552285e5af43cfc680a0972032cab8de8776c6a0), [`77e686c`](https://github.com/mastra-ai/mastra/commit/77e686c264e493e99ae5024e4dfe3ea5d5a09718), [`ece8dba`](https://github.com/mastra-ai/mastra/commit/ece8dba7ec1a5089eee8c33167cd762bfa91e509), [`e751af2`](https://github.com/mastra-ai/mastra/commit/e751af219433fbf4c7035b2d771b4c9ec8813b05), [`e2a8380`](https://github.com/mastra-ai/mastra/commit/e2a838017a7657850404c1e94c70d79ffdc6f14a), [`be3f1cd`](https://github.com/mastra-ai/mastra/commit/be3f1cd81f0e2a649e8eac15a024d542d814aef8), [`a34d9db`](https://github.com/mastra-ai/mastra/commit/a34d9dbc39fedb722f271318e9355ecee70489ab)]:
+  - @mastra/core@1.39.0-alpha.0
+
 ## 1.0.2
 
 ### Patch Changes

package/dist/index.cjs

@@ -3,6 +3,12 @@
 var server = require('@mastra/core/server');
 
 // src/index.ts
+function getRequestHeader(request, name) {
+  if (request instanceof Request) {
+    return request.headers.get(name);
+  }
+  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;
+}
 function mapBetterAuthUserToEEUser(user) {
   return {
     id: user.id,
@@ -94,14 +100,13 @@ var MastraAuthBetterAuth = class extends server.MastraAuthProvider {
    * Better Auth's `api.getSession()` endpoint.
    *
    * @param token - The bearer token (session token) to authenticate
-   * @param request - The Hono request object containing headers
+   * @param request - The request containing headers
    * @returns The authenticated user and session, or null if authentication fails
    */
   async authenticateToken(token, request) {
     try {
       const headers = new Headers();
-      const rawRequest = "raw" in request ? request.raw : request;
-      const cookieHeader = rawRequest.headers.get("Cookie");
+      const cookieHeader = getRequestHeader(request, "Cookie");
       if (cookieHeader) {
         headers.set("Cookie", cookieHeader);
       }

package/dist/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts"],"names":["MastraAuthProvider"],"mappings":";;;;;AAoBA,SAAS,0BAA0B,IAAA,EAAoB;AACrD,EAAA,OAAO;AAAA,IACL,IAAI,IAAA,CAAK,EAAA;AAAA,IACT,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,MAAM,IAAA,CAAK,IAAA;AAAA,IACX,SAAA,EAAW,KAAK,KAAA,IAAS,MAAA;AAAA,IACzB,QAAA,EAAU;AAAA,MACR,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,WAAW,IAAA,CAAK;AAAA;AAClB,GACF;AACF;AAsDO,IAAM,oBAAA,GAAN,cACGA,yBAAA,CAEV;AAAA,EACY,IAAA;AAAA,EACA,mBAAA;AAAA,EACH,iBAAA;AAAA,EAEP,YAAY,OAAA,EAAsC;AAChD,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,eAAe,CAAA;AAE9C,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AACpB,IAAA,IAAA,CAAK,mBAAA,GAAsB,QAAQ,aAAA,IAAiB,IAAA;AAGpD,IAAA,MAAM,kBAAkB,IAAA,CAAK,IAAA;AAC7B,IAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,OAAA,EAAS,QAAA,EAAU,YAAA,IAAgB,aAAA;AAClE,IAAA,IAAA,CAAK,iBAAA,GAAoB,GAAG,MAAM,CAAA,cAAA,CAAA;AAElC,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAA,GAA2B;AACzB,IAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,eAAe,OAAA,EAA0C;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,UAAA,CAAW;AAAA,QAC5C,SAAS,OAAA,CAAQ;AAAA,OAClB,CAAA;AAED,MAAA,IAAI,CAAC,MAAA,EAAQ,IAAA,EAAM,OAAO,IAAA;AAC1B,MAAA,OAAO,yBAAA,CAA0B,OAAO,IAAI,CAAA;AAAA,IAC9C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,QAAQ,OAAA,EAAyC;AAIrD,IAAA,OAAA,CAAQ,IAAA;AAAA,MACN;AAAA,KAEF;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,IAAA,EAAsB;AACtC,IAAA,OAAO,CAAA,SAAA,EAAY,KAAK,EAAE,CAAA,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAAsD;AAC3F,IAAA,IAAI;AAEF,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAI5B,MAAA,MAAM,UAAA,GAAsB,KAAA,IAAS,OAAA,GAAW,OAAA,CAAgB,GAAA,GAAO,OAAA;AAEvE,MAAA,MAAM,YAAA,GAAe,UAAA,CAAW,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACpD,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,YAAY,CAAA;AAAA,MACpC;AAIA,MAAA,MAAM,gBAAA,GAAmB,CAAC,CAAC,YAAA,EAAc,MAAM,GAAG,CAAA,CAAE,KAAK,CAAA,IAAA,KAAQ;AAC/D,QAAA,MAAM,CAAC,GAAG,CAAA,GAAI,KAAK,IAAA,EAAK,CAAE,MAAM,GAAG,CAAA;AACnC,QAAA,OAAO,GAAA,EAAK,IAAA,EAAK,KAAM,IAAA,CAAK,iBAAA;AAAA,MAC9B,CAAC,CAAA;AACD,MAAA,IAAI,KAAA,IAAS,CAAC,gBAAA,EAAkB;AAC9B,QAAA,MAAM,eAAA,GAAkB,YAAA,GAAe,CAAA,EAAG,YAAY,CAAA,EAAA,CAAA,GAAO,EAAA;AAC7D,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,eAAe,GAAG,IAAA,CAAK,iBAAiB,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,MAC9E;AAEA,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,UAAA,CAAW;AAAA,QAC5C;AAAA,OACD,CAAA;AAED,MAAA,IAAI,CAAC,MAAA,IAAU,CAAC,OAAO,OAAA,IAAW,CAAC,OAAO,IAAA,EAAM;AAC9C,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO;AAAA,QACL,SAAS,MAAA,CAAO,OAAA;AAAA,QAChB,MAAM,MAAA,CAAO;AAAA,OACf;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,cAAc,IAAA,EAAwC;AAE1D,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,OAAA,EAAS,MAAM,CAAC,CAAC,MAAM,IAAA,EAAM,EAAA;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,MAAA,CAAO,KAAA,EAAe,QAAA,EAAkB,OAAA,EAAsD;AAClG,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,OAAA,EAAQ;AAGhD,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,WAAA,CAAY;AAAA,MAC/C,IAAA,EAAM,EAAE,KAAA,EAAO,QAAA,EAAS;AAAA,MACxB,OAAA;AAAA,MACA,UAAA,EAAY;AAAA,KACb,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,2BAA2B,CAAA;AAAA,IAClE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,IAC7C;AAGA,IAAA,MAAM,UAAoB,EAAC;AAC3B,IAAA,MAAM,eAAA,GAAkB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AACzD,IAAA,IAAI,eAAA,EAAiB;AAEnB,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,eAAA,CAAgB,KAAA,CAAM,cAAc,CAAC,CAAA;AAAA,IACvD;AAEA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,yBAAA,CAA0B,MAAA,CAAO,IAAI,CAAA;AAAA,MAC3C,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,MAAA,CACJ,KAAA,EACA,QAAA,EACA,MACA,OAAA,EACoC;AACpC,IAAA,MAAM,cAAc,IAAA,IAAQ,KAAA,CAAM,MAAM,GAAG,CAAA,CAAE,CAAC,CAAA,IAAK,MAAA;AACnD,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,OAAA,EAAQ;AAGhD,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,WAAA,CAAY;AAAA,MAC/C,IAAA,EAAM,EAAE,KAAA,EAAO,QAAA,EAAU,MAAM,WAAA,EAAY;AAAA,MAC3C,OAAA;AAAA,MACA,UAAA,EAAY;AAAA,KACb,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,0BAA0B,CAAA;AAAA,IACjE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,0BAA0B,CAAA;AAAA,IAC5C;AAGA,IAAA,MAAM,UAAoB,EAAC;AAC3B,IAAA,MAAM,eAAA,GAAkB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AACzD,IAAA,IAAI,eAAA,EAAiB;AAEnB,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,eAAA,CAAgB,KAAA,CAAM,cAAc,CAAC,CAAA;AAAA,IACvD;AAEA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,yBAAA,CAA0B,MAAA,CAAO,IAAI,CAAA;AAAA,MAC3C,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAA,GAAgB;AACd,IAAA,OAAO,IAAA,CAAK,IAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,sBAAA,GAAiD;AAE/C,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,CAAA,EAAG,KAAK,iBAAiB,CAAA,4CAAA,CAAA;AAAA,MACzB,CAAA,EAAG,KAAK,iBAAiB,CAAA,gDAAA;AAAA,KAC3B;AACA,IAAA,OAAO;AAAA,MACL,YAAA,EAAc,OAAA,CAAQ,IAAA,CAAK,IAAI;AAAA,KACjC;AAAA,EACF;AACF","file":"index.cjs","sourcesContent":["import type { IUserProvider, ICredentialsProvider, CredentialsResult } from '@mastra/core/auth';\nimport type { EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\n\nimport type { Auth, Session, User } from 'better-auth';\nimport type { HonoRequest } from 'hono';\n\n/**\n * User type returned by Better Auth session verification.\n * Used internally for authentication token verification.\n */\nexport interface BetterAuthUser {\n  session: Session;\n  user: User;\n}\n\n/**\n * Maps Better Auth User to EE User format.\n */\nfunction mapBetterAuthUserToEEUser(user: User): EEUser {\n  return {\n    id: user.id,\n    email: user.email,\n    name: user.name,\n    avatarUrl: user.image ?? undefined,\n    metadata: {\n      emailVerified: user.emailVerified,\n      createdAt: user.createdAt,\n      updatedAt: user.updatedAt,\n    },\n  };\n}\n\ninterface MastraAuthBetterAuthOptions extends MastraAuthProviderOptions<BetterAuthUser> {\n  /**\n   * The Better Auth instance to use for authentication.\n   * This should be the result of calling `betterAuth({ ... })`.\n   */\n  auth: Auth;\n\n  /**\n   * Whether to allow new user registration via sign-up.\n   * Set to false to disable public registration.\n   * @default true\n   */\n  signUpEnabled?: boolean;\n}\n\n/**\n * Mastra authentication provider for Better Auth.\n *\n * Better Auth is a self-hosted, open-source authentication framework\n * that gives you full control over your authentication system.\n *\n * @example\n * ```typescript\n * import { betterAuth } from 'better-auth';\n * import { MastraAuthBetterAuth } from '@mastra/auth-better-auth';\n *\n * // Create your Better Auth instance\n * const auth = betterAuth({\n *   database: {\n *     provider: 'postgresql',\n *     url: process.env.DATABASE_URL!,\n *   },\n *   emailAndPassword: {\n *     enabled: true,\n *   },\n * });\n *\n * // Create the Mastra auth provider\n * const mastraAuth = new MastraAuthBetterAuth({\n *   auth,\n * });\n *\n * // Use with Mastra\n * const mastra = new Mastra({\n *   server: {\n *     auth: mastraAuth,\n *   },\n * });\n * ```\n *\n * @see https://better-auth.com for Better Auth documentation\n */\nexport class MastraAuthBetterAuth\n  extends MastraAuthProvider<BetterAuthUser>\n  implements IUserProvider<EEUser>, ICredentialsProvider<EEUser>\n{\n  protected auth: Auth;\n  protected signUpEnabledConfig: boolean;\n  public sessionCookieName: string;\n\n  constructor(options: MastraAuthBetterAuthOptions) {\n    super({ name: options?.name ?? 'better-auth' });\n\n    if (!options.auth) {\n      throw new Error(\n        'Better Auth instance is required. Please provide the auth option with your Better Auth instance created via betterAuth({ ... })',\n      );\n    }\n\n    this.auth = options.auth;\n    this.signUpEnabledConfig = options.signUpEnabled ?? true;\n\n    // Derive the session cookie name from Better Auth's cookiePrefix option\n    const authWithOptions = this.auth as unknown as { options?: { advanced?: { cookiePrefix?: string } } };\n    const prefix = authWithOptions.options?.advanced?.cookiePrefix ?? 'better-auth';\n    this.sessionCookieName = `${prefix}.session_token`;\n\n    this.registerOptions(options);\n  }\n\n  /**\n   * Check if sign-up is enabled.\n   * Implements ICredentialsProvider.isSignUpEnabled.\n   */\n  isSignUpEnabled(): boolean {\n    return this.signUpEnabledConfig;\n  }\n\n  // ============================================\n  // IUserProvider implementation (EE capability)\n  // License check happens in buildCapabilities()\n  // ============================================\n\n  /**\n   * Get current user from request.\n   * Implements IUserProvider for EE user awareness in Studio.\n   *\n   * @param request - Incoming HTTP request\n   * @returns EE User object or null if not authenticated\n   */\n  async getCurrentUser(request: Request): Promise<EEUser | null> {\n    try {\n      const result = await this.auth.api.getSession({\n        headers: request.headers,\n      });\n\n      if (!result?.user) return null;\n      return mapBetterAuthUserToEEUser(result.user);\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Get user by ID.\n   * Implements IUserProvider for EE user awareness.\n   *\n   * Note: Better Auth doesn't expose a direct getUser API.\n   * For full functionality, you may need to implement this using\n   * direct database access in a subclass.\n   *\n   * @param userId - User identifier\n   * @returns EE User object or null if not found\n   */\n  async getUser(_userId: string): Promise<EEUser | null> {\n    // Better Auth doesn't have a direct getUser API\n    // Users can override this method with their own implementation\n    // that queries the database directly\n    console.warn(\n      '[MastraAuthBetterAuth] getUser() requires direct database access. ' +\n        'Override this method in a subclass for full user lookup support.',\n    );\n    return null;\n  }\n\n  /**\n   * Get URL to user's profile page.\n   * Optional IUserProvider method.\n   */\n  getUserProfileUrl(user: EEUser): string {\n    return `/profile/${user.id}`;\n  }\n\n  /**\n   * Authenticate a bearer token by verifying the session with Better Auth.\n   *\n   * This method extracts the session from the request headers using\n   * Better Auth's `api.getSession()` endpoint.\n   *\n   * @param token - The bearer token (session token) to authenticate\n   * @param request - The Hono request object containing headers\n   * @returns The authenticated user and session, or null if authentication fails\n   */\n  async authenticateToken(token: string, request: HonoRequest): Promise<BetterAuthUser | null> {\n    try {\n      // Better Auth's api.getSession() reads session tokens from the Cookie header\n      const headers = new Headers();\n\n      // The auth middleware may pass a raw Request (c.req.raw) instead of HonoRequest,\n      // so unwrap via 'raw' property detection and use the standard Web API.\n      const rawRequest: Request = 'raw' in request ? (request as any).raw : (request as unknown as Request);\n\n      const cookieHeader = rawRequest.headers.get('Cookie');\n      if (cookieHeader) {\n        headers.set('Cookie', cookieHeader);\n      }\n\n      // Convert Bearer token to a session cookie if not already present.\n      // better-auth ignores the Authorization header — it only reads from Cookie.\n      const hasSessionCookie = !!cookieHeader?.split(';').some(pair => {\n        const [key] = pair.trim().split('=');\n        return key?.trim() === this.sessionCookieName;\n      });\n      if (token && !hasSessionCookie) {\n        const existingCookies = cookieHeader ? `${cookieHeader}; ` : '';\n        headers.set('Cookie', `${existingCookies}${this.sessionCookieName}=${token}`);\n      }\n\n      const result = await this.auth.api.getSession({\n        headers,\n      });\n\n      if (!result || !result.session || !result.user) {\n        return null;\n      }\n\n      return {\n        session: result.session,\n        user: result.user,\n      };\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Authorize a user for access.\n   *\n   * By default, any authenticated user with a valid session is authorized.\n   * You can override this behavior by providing a custom `authorizeUser` function\n   * in the constructor options.\n   *\n   * @param user - The authenticated user and session\n   * @returns True if the user is authorized, false otherwise\n   */\n  async authorizeUser(user: BetterAuthUser): Promise<boolean> {\n    // By default, any authenticated user with a valid session is authorized\n    return !!user?.session?.id && !!user?.user?.id;\n  }\n\n  // ============================================\n  // ICredentialsProvider implementation (EE capability)\n  // License check happens in buildCapabilities()\n  // ============================================\n\n  /**\n   * Sign in with email and password.\n   * Implements ICredentialsProvider for EE credentials auth.\n   *\n   * @param email - User email\n   * @param password - User password\n   * @param request - Incoming HTTP request\n   * @returns Result with user and session cookies\n   * @throws Error if credentials are invalid\n   */\n  async signIn(email: string, password: string, request: Request): Promise<CredentialsResult<EEUser>> {\n    const headers = request?.headers ?? new Headers();\n\n    // Use asResponse: true to get the full response with Set-Cookie headers\n    const response = await this.auth.api.signInEmail({\n      body: { email, password },\n      headers,\n      asResponse: true,\n    });\n\n    if (!response.ok) {\n      const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n      throw new Error(errorData.message || 'Invalid email or password');\n    }\n\n    const result = (await response.json()) as { user?: User; token?: string | null };\n\n    if (!result?.user) {\n      throw new Error('Invalid email or password');\n    }\n\n    // Extract Set-Cookie headers from Better Auth response\n    const cookies: string[] = [];\n    const setCookieHeader = response.headers.get('set-cookie');\n    if (setCookieHeader) {\n      // Split multiple cookies (they may be comma-separated or in multiple headers)\n      cookies.push(...setCookieHeader.split(/,(?=\\s*\\w+=)/));\n    }\n\n    return {\n      user: mapBetterAuthUserToEEUser(result.user),\n      token: result.token ?? undefined,\n      cookies,\n    };\n  }\n\n  /**\n   * Sign up with email and password.\n   * Implements ICredentialsProvider for EE credentials auth.\n   *\n   * @param email - User email\n   * @param password - User password\n   * @param name - Optional display name\n   * @param request - Incoming HTTP request\n   * @returns Result with new user and session cookies\n   * @throws Error if sign up fails\n   */\n  async signUp(\n    email: string,\n    password: string,\n    name: string | undefined,\n    request: Request,\n  ): Promise<CredentialsResult<EEUser>> {\n    const displayName = name ?? email.split('@')[0] ?? 'User';\n    const headers = request?.headers ?? new Headers();\n\n    // Use asResponse: true to get the full response with Set-Cookie headers\n    const response = await this.auth.api.signUpEmail({\n      body: { email, password, name: displayName },\n      headers,\n      asResponse: true,\n    });\n\n    if (!response.ok) {\n      const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n      throw new Error(errorData.message || 'Failed to create account');\n    }\n\n    const result = (await response.json()) as { user?: User; token?: string | null };\n\n    if (!result?.user) {\n      throw new Error('Failed to create account');\n    }\n\n    // Extract Set-Cookie headers from Better Auth response\n    const cookies: string[] = [];\n    const setCookieHeader = response.headers.get('set-cookie');\n    if (setCookieHeader) {\n      // Split multiple cookies (they may be comma-separated or in multiple headers)\n      cookies.push(...setCookieHeader.split(/,(?=\\s*\\w+=)/));\n    }\n\n    return {\n      user: mapBetterAuthUserToEEUser(result.user),\n      token: result.token ?? undefined,\n      cookies,\n    };\n  }\n\n  /**\n   * Get the underlying Better Auth instance.\n   * Useful for accessing Better Auth APIs directly.\n   */\n  getAuth(): Auth {\n    return this.auth;\n  }\n\n  /**\n   * Get headers to clear the session cookies on logout.\n   * Partial ISessionProvider implementation for logout support.\n   *\n   * Clears Better Auth's default session cookies.\n   */\n  getClearSessionHeaders(): Record<string, string> {\n    // Clear both the session token and its signature cookie\n    const cookies = [\n      `${this.sessionCookieName}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n      `${this.sessionCookieName}_sig=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n    ];\n    return {\n      'Set-Cookie': cookies.join(', '),\n    };\n  }\n}\n"]}
+{"version":3,"sources":["../src/index.ts"],"names":["MastraAuthProvider"],"mappings":";;;;;AAeA,SAAS,gBAAA,CAAiB,SAA4B,IAAA,EAA6B;AACjF,EAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA;AAAA,EACjC;AAEA,EAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,OAAA,EAAS,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAA,IAAK,IAAA;AACjG;AAcA,SAAS,0BAA0B,IAAA,EAAoB;AACrD,EAAA,OAAO;AAAA,IACL,IAAI,IAAA,CAAK,EAAA;AAAA,IACT,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,MAAM,IAAA,CAAK,IAAA;AAAA,IACX,SAAA,EAAW,KAAK,KAAA,IAAS,MAAA;AAAA,IACzB,QAAA,EAAU;AAAA,MACR,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,WAAW,IAAA,CAAK;AAAA;AAClB,GACF;AACF;AAsDO,IAAM,oBAAA,GAAN,cACGA,yBAAA,CAEV;AAAA,EACY,IAAA;AAAA,EACA,mBAAA;AAAA,EACH,iBAAA;AAAA,EAEP,YAAY,OAAA,EAAsC;AAChD,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,eAAe,CAAA;AAE9C,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AACpB,IAAA,IAAA,CAAK,mBAAA,GAAsB,QAAQ,aAAA,IAAiB,IAAA;AAGpD,IAAA,MAAM,kBAAkB,IAAA,CAAK,IAAA;AAC7B,IAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,OAAA,EAAS,QAAA,EAAU,YAAA,IAAgB,aAAA;AAClE,IAAA,IAAA,CAAK,iBAAA,GAAoB,GAAG,MAAM,CAAA,cAAA,CAAA;AAElC,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAA,GAA2B;AACzB,IAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,eAAe,OAAA,EAA0C;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,UAAA,CAAW;AAAA,QAC5C,SAAS,OAAA,CAAQ;AAAA,OAClB,CAAA;AAED,MAAA,IAAI,CAAC,MAAA,EAAQ,IAAA,EAAM,OAAO,IAAA;AAC1B,MAAA,OAAO,yBAAA,CAA0B,OAAO,IAAI,CAAA;AAAA,IAC9C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,QAAQ,OAAA,EAAyC;AAIrD,IAAA,OAAA,CAAQ,IAAA;AAAA,MACN;AAAA,KAEF;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,IAAA,EAAsB;AACtC,IAAA,OAAO,CAAA,SAAA,EAAY,KAAK,EAAE,CAAA,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAA4D;AACjG,IAAA,IAAI;AAEF,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAE5B,MAAA,MAAM,YAAA,GAAe,gBAAA,CAAiB,OAAA,EAAS,QAAQ,CAAA;AACvD,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,YAAY,CAAA;AAAA,MACpC;AAIA,MAAA,MAAM,gBAAA,GAAmB,CAAC,CAAC,YAAA,EAAc,MAAM,GAAG,CAAA,CAAE,KAAK,CAAA,IAAA,KAAQ;AAC/D,QAAA,MAAM,CAAC,GAAG,CAAA,GAAI,KAAK,IAAA,EAAK,CAAE,MAAM,GAAG,CAAA;AACnC,QAAA,OAAO,GAAA,EAAK,IAAA,EAAK,KAAM,IAAA,CAAK,iBAAA;AAAA,MAC9B,CAAC,CAAA;AACD,MAAA,IAAI,KAAA,IAAS,CAAC,gBAAA,EAAkB;AAC9B,QAAA,MAAM,eAAA,GAAkB,YAAA,GAAe,CAAA,EAAG,YAAY,CAAA,EAAA,CAAA,GAAO,EAAA;AAC7D,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,eAAe,GAAG,IAAA,CAAK,iBAAiB,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,MAC9E;AAEA,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,UAAA,CAAW;AAAA,QAC5C;AAAA,OACD,CAAA;AAED,MAAA,IAAI,CAAC,MAAA,IAAU,CAAC,OAAO,OAAA,IAAW,CAAC,OAAO,IAAA,EAAM;AAC9C,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO;AAAA,QACL,SAAS,MAAA,CAAO,OAAA;AAAA,QAChB,MAAM,MAAA,CAAO;AAAA,OACf;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,cAAc,IAAA,EAAwC;AAE1D,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,OAAA,EAAS,MAAM,CAAC,CAAC,MAAM,IAAA,EAAM,EAAA;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,MAAA,CAAO,KAAA,EAAe,QAAA,EAAkB,OAAA,EAAsD;AAClG,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,OAAA,EAAQ;AAGhD,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,WAAA,CAAY;AAAA,MAC/C,IAAA,EAAM,EAAE,KAAA,EAAO,QAAA,EAAS;AAAA,MACxB,OAAA;AAAA,MACA,UAAA,EAAY;AAAA,KACb,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,2BAA2B,CAAA;AAAA,IAClE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,IAC7C;AAGA,IAAA,MAAM,UAAoB,EAAC;AAC3B,IAAA,MAAM,eAAA,GAAkB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AACzD,IAAA,IAAI,eAAA,EAAiB;AAEnB,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,eAAA,CAAgB,KAAA,CAAM,cAAc,CAAC,CAAA;AAAA,IACvD;AAEA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,yBAAA,CAA0B,MAAA,CAAO,IAAI,CAAA;AAAA,MAC3C,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,MAAA,CACJ,KAAA,EACA,QAAA,EACA,MACA,OAAA,EACoC;AACpC,IAAA,MAAM,cAAc,IAAA,IAAQ,KAAA,CAAM,MAAM,GAAG,CAAA,CAAE,CAAC,CAAA,IAAK,MAAA;AACnD,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,OAAA,EAAQ;AAGhD,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,WAAA,CAAY;AAAA,MAC/C,IAAA,EAAM,EAAE,KAAA,EAAO,QAAA,EAAU,MAAM,WAAA,EAAY;AAAA,MAC3C,OAAA;AAAA,MACA,UAAA,EAAY;AAAA,KACb,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,0BAA0B,CAAA;AAAA,IACjE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,0BAA0B,CAAA;AAAA,IAC5C;AAGA,IAAA,MAAM,UAAoB,EAAC;AAC3B,IAAA,MAAM,eAAA,GAAkB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AACzD,IAAA,IAAI,eAAA,EAAiB;AAEnB,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,eAAA,CAAgB,KAAA,CAAM,cAAc,CAAC,CAAA;AAAA,IACvD;AAEA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,yBAAA,CAA0B,MAAA,CAAO,IAAI,CAAA;AAAA,MAC3C,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAA,GAAgB;AACd,IAAA,OAAO,IAAA,CAAK,IAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,sBAAA,GAAiD;AAE/C,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,CAAA,EAAG,KAAK,iBAAiB,CAAA,4CAAA,CAAA;AAAA,MACzB,CAAA,EAAG,KAAK,iBAAiB,CAAA,gDAAA;AAAA,KAC3B;AACA,IAAA,OAAO;AAAA,MACL,YAAA,EAAc,OAAA,CAAQ,IAAA,CAAK,IAAI;AAAA,KACjC;AAAA,EACF;AACF","file":"index.cjs","sourcesContent":["import type { IUserProvider, ICredentialsProvider, CredentialsResult } from '@mastra/core/auth';\nimport type { EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\n\nimport type { Auth, Session, User } from 'better-auth';\n\ntype HonoRequestLike = {\n  raw?: Request;\n  headers?: Headers;\n  header(name: string): string | undefined;\n};\n\ntype MastraAuthRequest = Request | HonoRequestLike;\n\nfunction getRequestHeader(request: MastraAuthRequest, name: string): string | null {\n  if (request instanceof Request) {\n    return request.headers.get(name);\n  }\n\n  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;\n}\n\n/**\n * User type returned by Better Auth session verification.\n * Used internally for authentication token verification.\n */\nexport interface BetterAuthUser {\n  session: Session;\n  user: User;\n}\n\n/**\n * Maps Better Auth User to EE User format.\n */\nfunction mapBetterAuthUserToEEUser(user: User): EEUser {\n  return {\n    id: user.id,\n    email: user.email,\n    name: user.name,\n    avatarUrl: user.image ?? undefined,\n    metadata: {\n      emailVerified: user.emailVerified,\n      createdAt: user.createdAt,\n      updatedAt: user.updatedAt,\n    },\n  };\n}\n\ninterface MastraAuthBetterAuthOptions extends MastraAuthProviderOptions<BetterAuthUser> {\n  /**\n   * The Better Auth instance to use for authentication.\n   * This should be the result of calling `betterAuth({ ... })`.\n   */\n  auth: Auth;\n\n  /**\n   * Whether to allow new user registration via sign-up.\n   * Set to false to disable public registration.\n   * @default true\n   */\n  signUpEnabled?: boolean;\n}\n\n/**\n * Mastra authentication provider for Better Auth.\n *\n * Better Auth is a self-hosted, open-source authentication framework\n * that gives you full control over your authentication system.\n *\n * @example\n * ```typescript\n * import { betterAuth } from 'better-auth';\n * import { MastraAuthBetterAuth } from '@mastra/auth-better-auth';\n *\n * // Create your Better Auth instance\n * const auth = betterAuth({\n *   database: {\n *     provider: 'postgresql',\n *     url: process.env.DATABASE_URL!,\n *   },\n *   emailAndPassword: {\n *     enabled: true,\n *   },\n * });\n *\n * // Create the Mastra auth provider\n * const mastraAuth = new MastraAuthBetterAuth({\n *   auth,\n * });\n *\n * // Use with Mastra\n * const mastra = new Mastra({\n *   server: {\n *     auth: mastraAuth,\n *   },\n * });\n * ```\n *\n * @see https://better-auth.com for Better Auth documentation\n */\nexport class MastraAuthBetterAuth\n  extends MastraAuthProvider<BetterAuthUser>\n  implements IUserProvider<EEUser>, ICredentialsProvider<EEUser>\n{\n  protected auth: Auth;\n  protected signUpEnabledConfig: boolean;\n  public sessionCookieName: string;\n\n  constructor(options: MastraAuthBetterAuthOptions) {\n    super({ name: options?.name ?? 'better-auth' });\n\n    if (!options.auth) {\n      throw new Error(\n        'Better Auth instance is required. Please provide the auth option with your Better Auth instance created via betterAuth({ ... })',\n      );\n    }\n\n    this.auth = options.auth;\n    this.signUpEnabledConfig = options.signUpEnabled ?? true;\n\n    // Derive the session cookie name from Better Auth's cookiePrefix option\n    const authWithOptions = this.auth as unknown as { options?: { advanced?: { cookiePrefix?: string } } };\n    const prefix = authWithOptions.options?.advanced?.cookiePrefix ?? 'better-auth';\n    this.sessionCookieName = `${prefix}.session_token`;\n\n    this.registerOptions(options);\n  }\n\n  /**\n   * Check if sign-up is enabled.\n   * Implements ICredentialsProvider.isSignUpEnabled.\n   */\n  isSignUpEnabled(): boolean {\n    return this.signUpEnabledConfig;\n  }\n\n  // ============================================\n  // IUserProvider implementation (EE capability)\n  // License check happens in buildCapabilities()\n  // ============================================\n\n  /**\n   * Get current user from request.\n   * Implements IUserProvider for EE user awareness in Studio.\n   *\n   * @param request - Incoming HTTP request\n   * @returns EE User object or null if not authenticated\n   */\n  async getCurrentUser(request: Request): Promise<EEUser | null> {\n    try {\n      const result = await this.auth.api.getSession({\n        headers: request.headers,\n      });\n\n      if (!result?.user) return null;\n      return mapBetterAuthUserToEEUser(result.user);\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Get user by ID.\n   * Implements IUserProvider for EE user awareness.\n   *\n   * Note: Better Auth doesn't expose a direct getUser API.\n   * For full functionality, you may need to implement this using\n   * direct database access in a subclass.\n   *\n   * @param userId - User identifier\n   * @returns EE User object or null if not found\n   */\n  async getUser(_userId: string): Promise<EEUser | null> {\n    // Better Auth doesn't have a direct getUser API\n    // Users can override this method with their own implementation\n    // that queries the database directly\n    console.warn(\n      '[MastraAuthBetterAuth] getUser() requires direct database access. ' +\n        'Override this method in a subclass for full user lookup support.',\n    );\n    return null;\n  }\n\n  /**\n   * Get URL to user's profile page.\n   * Optional IUserProvider method.\n   */\n  getUserProfileUrl(user: EEUser): string {\n    return `/profile/${user.id}`;\n  }\n\n  /**\n   * Authenticate a bearer token by verifying the session with Better Auth.\n   *\n   * This method extracts the session from the request headers using\n   * Better Auth's `api.getSession()` endpoint.\n   *\n   * @param token - The bearer token (session token) to authenticate\n   * @param request - The request containing headers\n   * @returns The authenticated user and session, or null if authentication fails\n   */\n  async authenticateToken(token: string, request: MastraAuthRequest): Promise<BetterAuthUser | null> {\n    try {\n      // Better Auth's api.getSession() reads session tokens from the Cookie header\n      const headers = new Headers();\n\n      const cookieHeader = getRequestHeader(request, 'Cookie');\n      if (cookieHeader) {\n        headers.set('Cookie', cookieHeader);\n      }\n\n      // Convert Bearer token to a session cookie if not already present.\n      // better-auth ignores the Authorization header — it only reads from Cookie.\n      const hasSessionCookie = !!cookieHeader?.split(';').some(pair => {\n        const [key] = pair.trim().split('=');\n        return key?.trim() === this.sessionCookieName;\n      });\n      if (token && !hasSessionCookie) {\n        const existingCookies = cookieHeader ? `${cookieHeader}; ` : '';\n        headers.set('Cookie', `${existingCookies}${this.sessionCookieName}=${token}`);\n      }\n\n      const result = await this.auth.api.getSession({\n        headers,\n      });\n\n      if (!result || !result.session || !result.user) {\n        return null;\n      }\n\n      return {\n        session: result.session,\n        user: result.user,\n      };\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Authorize a user for access.\n   *\n   * By default, any authenticated user with a valid session is authorized.\n   * You can override this behavior by providing a custom `authorizeUser` function\n   * in the constructor options.\n   *\n   * @param user - The authenticated user and session\n   * @returns True if the user is authorized, false otherwise\n   */\n  async authorizeUser(user: BetterAuthUser): Promise<boolean> {\n    // By default, any authenticated user with a valid session is authorized\n    return !!user?.session?.id && !!user?.user?.id;\n  }\n\n  // ============================================\n  // ICredentialsProvider implementation (EE capability)\n  // License check happens in buildCapabilities()\n  // ============================================\n\n  /**\n   * Sign in with email and password.\n   * Implements ICredentialsProvider for EE credentials auth.\n   *\n   * @param email - User email\n   * @param password - User password\n   * @param request - Incoming HTTP request\n   * @returns Result with user and session cookies\n   * @throws Error if credentials are invalid\n   */\n  async signIn(email: string, password: string, request: Request): Promise<CredentialsResult<EEUser>> {\n    const headers = request?.headers ?? new Headers();\n\n    // Use asResponse: true to get the full response with Set-Cookie headers\n    const response = await this.auth.api.signInEmail({\n      body: { email, password },\n      headers,\n      asResponse: true,\n    });\n\n    if (!response.ok) {\n      const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n      throw new Error(errorData.message || 'Invalid email or password');\n    }\n\n    const result = (await response.json()) as { user?: User; token?: string | null };\n\n    if (!result?.user) {\n      throw new Error('Invalid email or password');\n    }\n\n    // Extract Set-Cookie headers from Better Auth response\n    const cookies: string[] = [];\n    const setCookieHeader = response.headers.get('set-cookie');\n    if (setCookieHeader) {\n      // Split multiple cookies (they may be comma-separated or in multiple headers)\n      cookies.push(...setCookieHeader.split(/,(?=\\s*\\w+=)/));\n    }\n\n    return {\n      user: mapBetterAuthUserToEEUser(result.user),\n      token: result.token ?? undefined,\n      cookies,\n    };\n  }\n\n  /**\n   * Sign up with email and password.\n   * Implements ICredentialsProvider for EE credentials auth.\n   *\n   * @param email - User email\n   * @param password - User password\n   * @param name - Optional display name\n   * @param request - Incoming HTTP request\n   * @returns Result with new user and session cookies\n   * @throws Error if sign up fails\n   */\n  async signUp(\n    email: string,\n    password: string,\n    name: string | undefined,\n    request: Request,\n  ): Promise<CredentialsResult<EEUser>> {\n    const displayName = name ?? email.split('@')[0] ?? 'User';\n    const headers = request?.headers ?? new Headers();\n\n    // Use asResponse: true to get the full response with Set-Cookie headers\n    const response = await this.auth.api.signUpEmail({\n      body: { email, password, name: displayName },\n      headers,\n      asResponse: true,\n    });\n\n    if (!response.ok) {\n      const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n      throw new Error(errorData.message || 'Failed to create account');\n    }\n\n    const result = (await response.json()) as { user?: User; token?: string | null };\n\n    if (!result?.user) {\n      throw new Error('Failed to create account');\n    }\n\n    // Extract Set-Cookie headers from Better Auth response\n    const cookies: string[] = [];\n    const setCookieHeader = response.headers.get('set-cookie');\n    if (setCookieHeader) {\n      // Split multiple cookies (they may be comma-separated or in multiple headers)\n      cookies.push(...setCookieHeader.split(/,(?=\\s*\\w+=)/));\n    }\n\n    return {\n      user: mapBetterAuthUserToEEUser(result.user),\n      token: result.token ?? undefined,\n      cookies,\n    };\n  }\n\n  /**\n   * Get the underlying Better Auth instance.\n   * Useful for accessing Better Auth APIs directly.\n   */\n  getAuth(): Auth {\n    return this.auth;\n  }\n\n  /**\n   * Get headers to clear the session cookies on logout.\n   * Partial ISessionProvider implementation for logout support.\n   *\n   * Clears Better Auth's default session cookies.\n   */\n  getClearSessionHeaders(): Record<string, string> {\n    // Clear both the session token and its signature cookie\n    const cookies = [\n      `${this.sessionCookieName}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n      `${this.sessionCookieName}_sig=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n    ];\n    return {\n      'Set-Cookie': cookies.join(', '),\n    };\n  }\n}\n"]}

package/dist/index.d.ts

@@ -3,7 +3,12 @@ import type { EEUser } from '@mastra/core/auth/ee';
 import type { MastraAuthProviderOptions } from '@mastra/core/server';
 import { MastraAuthProvider } from '@mastra/core/server';
 import type { Auth, Session, User } from 'better-auth';
-import type { HonoRequest } from 'hono';
+type HonoRequestLike = {
+    raw?: Request;
+    headers?: Headers;
+    header(name: string): string | undefined;
+};
+type MastraAuthRequest = Request | HonoRequestLike;
 /**
  * User type returned by Better Auth session verification.
  * Used internally for authentication token verification.
@@ -104,10 +109,10 @@ export declare class MastraAuthBetterAuth extends MastraAuthProvider<BetterAuthU
      * Better Auth's `api.getSession()` endpoint.
      *
      * @param token - The bearer token (session token) to authenticate
-     * @param request - The Hono request object containing headers
+     * @param request - The request containing headers
      * @returns The authenticated user and session, or null if authentication fails
      */
-    authenticateToken(token: string, request: HonoRequest): Promise<BetterAuthUser | null>;
+    authenticateToken(token: string, request: MastraAuthRequest): Promise<BetterAuthUser | null>;
     /**
      * Authorize a user for access.
      *

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAChG,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAEzD,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,MAAM,CAAC;AAExC;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,IAAI,CAAC;CACZ;AAmBD,UAAU,2BAA4B,SAAQ,yBAAyB,CAAC,cAAc,CAAC;IACrF;;;OAGG;IACH,IAAI,EAAE,IAAI,CAAC;IAEX;;;;OAIG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,qBAAa,oBACX,SAAQ,kBAAkB,CAAC,cAAc,CACzC,YAAW,aAAa,CAAC,MAAM,CAAC,EAAE,oBAAoB,CAAC,MAAM,CAAC;IAE9D,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC;IACrB,SAAS,CAAC,mBAAmB,EAAE,OAAO,CAAC;IAChC,iBAAiB,EAAE,MAAM,CAAC;gBAErB,OAAO,EAAE,2BAA2B;IAoBhD;;;OAGG;IACH,eAAe,IAAI,OAAO;IAS1B;;;;;;OAMG;IACG,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAa9D;;;;;;;;;;OAUG;IACG,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAWtD;;;OAGG;IACH,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAIvC;;;;;;;;;OASG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IA0C5F;;;;;;;;;OASG;IACG,aAAa,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAU3D;;;;;;;;;OASG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAoCnG;;;;;;;;;;OAUG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GAAG,SAAS,EACxB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAqCrC;;;OAGG;IACH,OAAO,IAAI,IAAI;IAIf;;;;;OAKG;IACH,sBAAsB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAUjD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAChG,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAEzD,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAEvD,KAAK,eAAe,GAAG;IACrB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC1C,CAAC;AAEF,KAAK,iBAAiB,GAAG,OAAO,GAAG,eAAe,CAAC;AAUnD;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,IAAI,CAAC;CACZ;AAmBD,UAAU,2BAA4B,SAAQ,yBAAyB,CAAC,cAAc,CAAC;IACrF;;;OAGG;IACH,IAAI,EAAE,IAAI,CAAC;IAEX;;;;OAIG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,qBAAa,oBACX,SAAQ,kBAAkB,CAAC,cAAc,CACzC,YAAW,aAAa,CAAC,MAAM,CAAC,EAAE,oBAAoB,CAAC,MAAM,CAAC;IAE9D,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC;IACrB,SAAS,CAAC,mBAAmB,EAAE,OAAO,CAAC;IAChC,iBAAiB,EAAE,MAAM,CAAC;gBAErB,OAAO,EAAE,2BAA2B;IAoBhD;;;OAGG;IACH,eAAe,IAAI,OAAO;IAS1B;;;;;;OAMG;IACG,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAa9D;;;;;;;;;;OAUG;IACG,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAWtD;;;OAGG;IACH,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAIvC;;;;;;;;;OASG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAsClG;;;;;;;;;OASG;IACG,aAAa,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAU3D;;;;;;;;;OASG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAoCnG;;;;;;;;;;OAUG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GAAG,SAAS,EACxB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAqCrC;;;OAGG;IACH,OAAO,IAAI,IAAI;IAIf;;;;;OAKG;IACH,sBAAsB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAUjD"}

package/dist/index.js

@@ -1,6 +1,12 @@
 import { MastraAuthProvider } from '@mastra/core/server';
 
 // src/index.ts
+function getRequestHeader(request, name) {
+  if (request instanceof Request) {
+    return request.headers.get(name);
+  }
+  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;
+}
 function mapBetterAuthUserToEEUser(user) {
   return {
     id: user.id,
@@ -92,14 +98,13 @@ var MastraAuthBetterAuth = class extends MastraAuthProvider {
    * Better Auth's `api.getSession()` endpoint.
    *
    * @param token - The bearer token (session token) to authenticate
-   * @param request - The Hono request object containing headers
+   * @param request - The request containing headers
    * @returns The authenticated user and session, or null if authentication fails
    */
   async authenticateToken(token, request) {
     try {
       const headers = new Headers();
-      const rawRequest = "raw" in request ? request.raw : request;
-      const cookieHeader = rawRequest.headers.get("Cookie");
+      const cookieHeader = getRequestHeader(request, "Cookie");
       if (cookieHeader) {
         headers.set("Cookie", cookieHeader);
       }

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;AAoBA,SAAS,0BAA0B,IAAA,EAAoB;AACrD,EAAA,OAAO;AAAA,IACL,IAAI,IAAA,CAAK,EAAA;AAAA,IACT,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,MAAM,IAAA,CAAK,IAAA;AAAA,IACX,SAAA,EAAW,KAAK,KAAA,IAAS,MAAA;AAAA,IACzB,QAAA,EAAU;AAAA,MACR,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,WAAW,IAAA,CAAK;AAAA;AAClB,GACF;AACF;AAsDO,IAAM,oBAAA,GAAN,cACG,kBAAA,CAEV;AAAA,EACY,IAAA;AAAA,EACA,mBAAA;AAAA,EACH,iBAAA;AAAA,EAEP,YAAY,OAAA,EAAsC;AAChD,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,eAAe,CAAA;AAE9C,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AACpB,IAAA,IAAA,CAAK,mBAAA,GAAsB,QAAQ,aAAA,IAAiB,IAAA;AAGpD,IAAA,MAAM,kBAAkB,IAAA,CAAK,IAAA;AAC7B,IAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,OAAA,EAAS,QAAA,EAAU,YAAA,IAAgB,aAAA;AAClE,IAAA,IAAA,CAAK,iBAAA,GAAoB,GAAG,MAAM,CAAA,cAAA,CAAA;AAElC,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAA,GAA2B;AACzB,IAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,eAAe,OAAA,EAA0C;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,UAAA,CAAW;AAAA,QAC5C,SAAS,OAAA,CAAQ;AAAA,OAClB,CAAA;AAED,MAAA,IAAI,CAAC,MAAA,EAAQ,IAAA,EAAM,OAAO,IAAA;AAC1B,MAAA,OAAO,yBAAA,CAA0B,OAAO,IAAI,CAAA;AAAA,IAC9C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,QAAQ,OAAA,EAAyC;AAIrD,IAAA,OAAA,CAAQ,IAAA;AAAA,MACN;AAAA,KAEF;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,IAAA,EAAsB;AACtC,IAAA,OAAO,CAAA,SAAA,EAAY,KAAK,EAAE,CAAA,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAAsD;AAC3F,IAAA,IAAI;AAEF,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAI5B,MAAA,MAAM,UAAA,GAAsB,KAAA,IAAS,OAAA,GAAW,OAAA,CAAgB,GAAA,GAAO,OAAA;AAEvE,MAAA,MAAM,YAAA,GAAe,UAAA,CAAW,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACpD,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,YAAY,CAAA;AAAA,MACpC;AAIA,MAAA,MAAM,gBAAA,GAAmB,CAAC,CAAC,YAAA,EAAc,MAAM,GAAG,CAAA,CAAE,KAAK,CAAA,IAAA,KAAQ;AAC/D,QAAA,MAAM,CAAC,GAAG,CAAA,GAAI,KAAK,IAAA,EAAK,CAAE,MAAM,GAAG,CAAA;AACnC,QAAA,OAAO,GAAA,EAAK,IAAA,EAAK,KAAM,IAAA,CAAK,iBAAA;AAAA,MAC9B,CAAC,CAAA;AACD,MAAA,IAAI,KAAA,IAAS,CAAC,gBAAA,EAAkB;AAC9B,QAAA,MAAM,eAAA,GAAkB,YAAA,GAAe,CAAA,EAAG,YAAY,CAAA,EAAA,CAAA,GAAO,EAAA;AAC7D,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,eAAe,GAAG,IAAA,CAAK,iBAAiB,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,MAC9E;AAEA,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,UAAA,CAAW;AAAA,QAC5C;AAAA,OACD,CAAA;AAED,MAAA,IAAI,CAAC,MAAA,IAAU,CAAC,OAAO,OAAA,IAAW,CAAC,OAAO,IAAA,EAAM;AAC9C,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO;AAAA,QACL,SAAS,MAAA,CAAO,OAAA;AAAA,QAChB,MAAM,MAAA,CAAO;AAAA,OACf;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,cAAc,IAAA,EAAwC;AAE1D,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,OAAA,EAAS,MAAM,CAAC,CAAC,MAAM,IAAA,EAAM,EAAA;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,MAAA,CAAO,KAAA,EAAe,QAAA,EAAkB,OAAA,EAAsD;AAClG,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,OAAA,EAAQ;AAGhD,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,WAAA,CAAY;AAAA,MAC/C,IAAA,EAAM,EAAE,KAAA,EAAO,QAAA,EAAS;AAAA,MACxB,OAAA;AAAA,MACA,UAAA,EAAY;AAAA,KACb,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,2BAA2B,CAAA;AAAA,IAClE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,IAC7C;AAGA,IAAA,MAAM,UAAoB,EAAC;AAC3B,IAAA,MAAM,eAAA,GAAkB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AACzD,IAAA,IAAI,eAAA,EAAiB;AAEnB,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,eAAA,CAAgB,KAAA,CAAM,cAAc,CAAC,CAAA;AAAA,IACvD;AAEA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,yBAAA,CAA0B,MAAA,CAAO,IAAI,CAAA;AAAA,MAC3C,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,MAAA,CACJ,KAAA,EACA,QAAA,EACA,MACA,OAAA,EACoC;AACpC,IAAA,MAAM,cAAc,IAAA,IAAQ,KAAA,CAAM,MAAM,GAAG,CAAA,CAAE,CAAC,CAAA,IAAK,MAAA;AACnD,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,OAAA,EAAQ;AAGhD,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,WAAA,CAAY;AAAA,MAC/C,IAAA,EAAM,EAAE,KAAA,EAAO,QAAA,EAAU,MAAM,WAAA,EAAY;AAAA,MAC3C,OAAA;AAAA,MACA,UAAA,EAAY;AAAA,KACb,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,0BAA0B,CAAA;AAAA,IACjE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,0BAA0B,CAAA;AAAA,IAC5C;AAGA,IAAA,MAAM,UAAoB,EAAC;AAC3B,IAAA,MAAM,eAAA,GAAkB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AACzD,IAAA,IAAI,eAAA,EAAiB;AAEnB,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,eAAA,CAAgB,KAAA,CAAM,cAAc,CAAC,CAAA;AAAA,IACvD;AAEA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,yBAAA,CAA0B,MAAA,CAAO,IAAI,CAAA;AAAA,MAC3C,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAA,GAAgB;AACd,IAAA,OAAO,IAAA,CAAK,IAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,sBAAA,GAAiD;AAE/C,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,CAAA,EAAG,KAAK,iBAAiB,CAAA,4CAAA,CAAA;AAAA,MACzB,CAAA,EAAG,KAAK,iBAAiB,CAAA,gDAAA;AAAA,KAC3B;AACA,IAAA,OAAO;AAAA,MACL,YAAA,EAAc,OAAA,CAAQ,IAAA,CAAK,IAAI;AAAA,KACjC;AAAA,EACF;AACF","file":"index.js","sourcesContent":["import type { IUserProvider, ICredentialsProvider, CredentialsResult } from '@mastra/core/auth';\nimport type { EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\n\nimport type { Auth, Session, User } from 'better-auth';\nimport type { HonoRequest } from 'hono';\n\n/**\n * User type returned by Better Auth session verification.\n * Used internally for authentication token verification.\n */\nexport interface BetterAuthUser {\n  session: Session;\n  user: User;\n}\n\n/**\n * Maps Better Auth User to EE User format.\n */\nfunction mapBetterAuthUserToEEUser(user: User): EEUser {\n  return {\n    id: user.id,\n    email: user.email,\n    name: user.name,\n    avatarUrl: user.image ?? undefined,\n    metadata: {\n      emailVerified: user.emailVerified,\n      createdAt: user.createdAt,\n      updatedAt: user.updatedAt,\n    },\n  };\n}\n\ninterface MastraAuthBetterAuthOptions extends MastraAuthProviderOptions<BetterAuthUser> {\n  /**\n   * The Better Auth instance to use for authentication.\n   * This should be the result of calling `betterAuth({ ... })`.\n   */\n  auth: Auth;\n\n  /**\n   * Whether to allow new user registration via sign-up.\n   * Set to false to disable public registration.\n   * @default true\n   */\n  signUpEnabled?: boolean;\n}\n\n/**\n * Mastra authentication provider for Better Auth.\n *\n * Better Auth is a self-hosted, open-source authentication framework\n * that gives you full control over your authentication system.\n *\n * @example\n * ```typescript\n * import { betterAuth } from 'better-auth';\n * import { MastraAuthBetterAuth } from '@mastra/auth-better-auth';\n *\n * // Create your Better Auth instance\n * const auth = betterAuth({\n *   database: {\n *     provider: 'postgresql',\n *     url: process.env.DATABASE_URL!,\n *   },\n *   emailAndPassword: {\n *     enabled: true,\n *   },\n * });\n *\n * // Create the Mastra auth provider\n * const mastraAuth = new MastraAuthBetterAuth({\n *   auth,\n * });\n *\n * // Use with Mastra\n * const mastra = new Mastra({\n *   server: {\n *     auth: mastraAuth,\n *   },\n * });\n * ```\n *\n * @see https://better-auth.com for Better Auth documentation\n */\nexport class MastraAuthBetterAuth\n  extends MastraAuthProvider<BetterAuthUser>\n  implements IUserProvider<EEUser>, ICredentialsProvider<EEUser>\n{\n  protected auth: Auth;\n  protected signUpEnabledConfig: boolean;\n  public sessionCookieName: string;\n\n  constructor(options: MastraAuthBetterAuthOptions) {\n    super({ name: options?.name ?? 'better-auth' });\n\n    if (!options.auth) {\n      throw new Error(\n        'Better Auth instance is required. Please provide the auth option with your Better Auth instance created via betterAuth({ ... })',\n      );\n    }\n\n    this.auth = options.auth;\n    this.signUpEnabledConfig = options.signUpEnabled ?? true;\n\n    // Derive the session cookie name from Better Auth's cookiePrefix option\n    const authWithOptions = this.auth as unknown as { options?: { advanced?: { cookiePrefix?: string } } };\n    const prefix = authWithOptions.options?.advanced?.cookiePrefix ?? 'better-auth';\n    this.sessionCookieName = `${prefix}.session_token`;\n\n    this.registerOptions(options);\n  }\n\n  /**\n   * Check if sign-up is enabled.\n   * Implements ICredentialsProvider.isSignUpEnabled.\n   */\n  isSignUpEnabled(): boolean {\n    return this.signUpEnabledConfig;\n  }\n\n  // ============================================\n  // IUserProvider implementation (EE capability)\n  // License check happens in buildCapabilities()\n  // ============================================\n\n  /**\n   * Get current user from request.\n   * Implements IUserProvider for EE user awareness in Studio.\n   *\n   * @param request - Incoming HTTP request\n   * @returns EE User object or null if not authenticated\n   */\n  async getCurrentUser(request: Request): Promise<EEUser | null> {\n    try {\n      const result = await this.auth.api.getSession({\n        headers: request.headers,\n      });\n\n      if (!result?.user) return null;\n      return mapBetterAuthUserToEEUser(result.user);\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Get user by ID.\n   * Implements IUserProvider for EE user awareness.\n   *\n   * Note: Better Auth doesn't expose a direct getUser API.\n   * For full functionality, you may need to implement this using\n   * direct database access in a subclass.\n   *\n   * @param userId - User identifier\n   * @returns EE User object or null if not found\n   */\n  async getUser(_userId: string): Promise<EEUser | null> {\n    // Better Auth doesn't have a direct getUser API\n    // Users can override this method with their own implementation\n    // that queries the database directly\n    console.warn(\n      '[MastraAuthBetterAuth] getUser() requires direct database access. ' +\n        'Override this method in a subclass for full user lookup support.',\n    );\n    return null;\n  }\n\n  /**\n   * Get URL to user's profile page.\n   * Optional IUserProvider method.\n   */\n  getUserProfileUrl(user: EEUser): string {\n    return `/profile/${user.id}`;\n  }\n\n  /**\n   * Authenticate a bearer token by verifying the session with Better Auth.\n   *\n   * This method extracts the session from the request headers using\n   * Better Auth's `api.getSession()` endpoint.\n   *\n   * @param token - The bearer token (session token) to authenticate\n   * @param request - The Hono request object containing headers\n   * @returns The authenticated user and session, or null if authentication fails\n   */\n  async authenticateToken(token: string, request: HonoRequest): Promise<BetterAuthUser | null> {\n    try {\n      // Better Auth's api.getSession() reads session tokens from the Cookie header\n      const headers = new Headers();\n\n      // The auth middleware may pass a raw Request (c.req.raw) instead of HonoRequest,\n      // so unwrap via 'raw' property detection and use the standard Web API.\n      const rawRequest: Request = 'raw' in request ? (request as any).raw : (request as unknown as Request);\n\n      const cookieHeader = rawRequest.headers.get('Cookie');\n      if (cookieHeader) {\n        headers.set('Cookie', cookieHeader);\n      }\n\n      // Convert Bearer token to a session cookie if not already present.\n      // better-auth ignores the Authorization header — it only reads from Cookie.\n      const hasSessionCookie = !!cookieHeader?.split(';').some(pair => {\n        const [key] = pair.trim().split('=');\n        return key?.trim() === this.sessionCookieName;\n      });\n      if (token && !hasSessionCookie) {\n        const existingCookies = cookieHeader ? `${cookieHeader}; ` : '';\n        headers.set('Cookie', `${existingCookies}${this.sessionCookieName}=${token}`);\n      }\n\n      const result = await this.auth.api.getSession({\n        headers,\n      });\n\n      if (!result || !result.session || !result.user) {\n        return null;\n      }\n\n      return {\n        session: result.session,\n        user: result.user,\n      };\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Authorize a user for access.\n   *\n   * By default, any authenticated user with a valid session is authorized.\n   * You can override this behavior by providing a custom `authorizeUser` function\n   * in the constructor options.\n   *\n   * @param user - The authenticated user and session\n   * @returns True if the user is authorized, false otherwise\n   */\n  async authorizeUser(user: BetterAuthUser): Promise<boolean> {\n    // By default, any authenticated user with a valid session is authorized\n    return !!user?.session?.id && !!user?.user?.id;\n  }\n\n  // ============================================\n  // ICredentialsProvider implementation (EE capability)\n  // License check happens in buildCapabilities()\n  // ============================================\n\n  /**\n   * Sign in with email and password.\n   * Implements ICredentialsProvider for EE credentials auth.\n   *\n   * @param email - User email\n   * @param password - User password\n   * @param request - Incoming HTTP request\n   * @returns Result with user and session cookies\n   * @throws Error if credentials are invalid\n   */\n  async signIn(email: string, password: string, request: Request): Promise<CredentialsResult<EEUser>> {\n    const headers = request?.headers ?? new Headers();\n\n    // Use asResponse: true to get the full response with Set-Cookie headers\n    const response = await this.auth.api.signInEmail({\n      body: { email, password },\n      headers,\n      asResponse: true,\n    });\n\n    if (!response.ok) {\n      const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n      throw new Error(errorData.message || 'Invalid email or password');\n    }\n\n    const result = (await response.json()) as { user?: User; token?: string | null };\n\n    if (!result?.user) {\n      throw new Error('Invalid email or password');\n    }\n\n    // Extract Set-Cookie headers from Better Auth response\n    const cookies: string[] = [];\n    const setCookieHeader = response.headers.get('set-cookie');\n    if (setCookieHeader) {\n      // Split multiple cookies (they may be comma-separated or in multiple headers)\n      cookies.push(...setCookieHeader.split(/,(?=\\s*\\w+=)/));\n    }\n\n    return {\n      user: mapBetterAuthUserToEEUser(result.user),\n      token: result.token ?? undefined,\n      cookies,\n    };\n  }\n\n  /**\n   * Sign up with email and password.\n   * Implements ICredentialsProvider for EE credentials auth.\n   *\n   * @param email - User email\n   * @param password - User password\n   * @param name - Optional display name\n   * @param request - Incoming HTTP request\n   * @returns Result with new user and session cookies\n   * @throws Error if sign up fails\n   */\n  async signUp(\n    email: string,\n    password: string,\n    name: string | undefined,\n    request: Request,\n  ): Promise<CredentialsResult<EEUser>> {\n    const displayName = name ?? email.split('@')[0] ?? 'User';\n    const headers = request?.headers ?? new Headers();\n\n    // Use asResponse: true to get the full response with Set-Cookie headers\n    const response = await this.auth.api.signUpEmail({\n      body: { email, password, name: displayName },\n      headers,\n      asResponse: true,\n    });\n\n    if (!response.ok) {\n      const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n      throw new Error(errorData.message || 'Failed to create account');\n    }\n\n    const result = (await response.json()) as { user?: User; token?: string | null };\n\n    if (!result?.user) {\n      throw new Error('Failed to create account');\n    }\n\n    // Extract Set-Cookie headers from Better Auth response\n    const cookies: string[] = [];\n    const setCookieHeader = response.headers.get('set-cookie');\n    if (setCookieHeader) {\n      // Split multiple cookies (they may be comma-separated or in multiple headers)\n      cookies.push(...setCookieHeader.split(/,(?=\\s*\\w+=)/));\n    }\n\n    return {\n      user: mapBetterAuthUserToEEUser(result.user),\n      token: result.token ?? undefined,\n      cookies,\n    };\n  }\n\n  /**\n   * Get the underlying Better Auth instance.\n   * Useful for accessing Better Auth APIs directly.\n   */\n  getAuth(): Auth {\n    return this.auth;\n  }\n\n  /**\n   * Get headers to clear the session cookies on logout.\n   * Partial ISessionProvider implementation for logout support.\n   *\n   * Clears Better Auth's default session cookies.\n   */\n  getClearSessionHeaders(): Record<string, string> {\n    // Clear both the session token and its signature cookie\n    const cookies = [\n      `${this.sessionCookieName}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n      `${this.sessionCookieName}_sig=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n    ];\n    return {\n      'Set-Cookie': cookies.join(', '),\n    };\n  }\n}\n"]}
+{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;AAeA,SAAS,gBAAA,CAAiB,SAA4B,IAAA,EAA6B;AACjF,EAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA;AAAA,EACjC;AAEA,EAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,OAAA,EAAS,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAA,IAAK,IAAA;AACjG;AAcA,SAAS,0BAA0B,IAAA,EAAoB;AACrD,EAAA,OAAO;AAAA,IACL,IAAI,IAAA,CAAK,EAAA;AAAA,IACT,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,MAAM,IAAA,CAAK,IAAA;AAAA,IACX,SAAA,EAAW,KAAK,KAAA,IAAS,MAAA;AAAA,IACzB,QAAA,EAAU;AAAA,MACR,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,WAAW,IAAA,CAAK;AAAA;AAClB,GACF;AACF;AAsDO,IAAM,oBAAA,GAAN,cACG,kBAAA,CAEV;AAAA,EACY,IAAA;AAAA,EACA,mBAAA;AAAA,EACH,iBAAA;AAAA,EAEP,YAAY,OAAA,EAAsC;AAChD,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,eAAe,CAAA;AAE9C,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AACpB,IAAA,IAAA,CAAK,mBAAA,GAAsB,QAAQ,aAAA,IAAiB,IAAA;AAGpD,IAAA,MAAM,kBAAkB,IAAA,CAAK,IAAA;AAC7B,IAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,OAAA,EAAS,QAAA,EAAU,YAAA,IAAgB,aAAA;AAClE,IAAA,IAAA,CAAK,iBAAA,GAAoB,GAAG,MAAM,CAAA,cAAA,CAAA;AAElC,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAA,GAA2B;AACzB,IAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,eAAe,OAAA,EAA0C;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,UAAA,CAAW;AAAA,QAC5C,SAAS,OAAA,CAAQ;AAAA,OAClB,CAAA;AAED,MAAA,IAAI,CAAC,MAAA,EAAQ,IAAA,EAAM,OAAO,IAAA;AAC1B,MAAA,OAAO,yBAAA,CAA0B,OAAO,IAAI,CAAA;AAAA,IAC9C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,QAAQ,OAAA,EAAyC;AAIrD,IAAA,OAAA,CAAQ,IAAA;AAAA,MACN;AAAA,KAEF;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,IAAA,EAAsB;AACtC,IAAA,OAAO,CAAA,SAAA,EAAY,KAAK,EAAE,CAAA,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAA4D;AACjG,IAAA,IAAI;AAEF,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAE5B,MAAA,MAAM,YAAA,GAAe,gBAAA,CAAiB,OAAA,EAAS,QAAQ,CAAA;AACvD,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,YAAY,CAAA;AAAA,MACpC;AAIA,MAAA,MAAM,gBAAA,GAAmB,CAAC,CAAC,YAAA,EAAc,MAAM,GAAG,CAAA,CAAE,KAAK,CAAA,IAAA,KAAQ;AAC/D,QAAA,MAAM,CAAC,GAAG,CAAA,GAAI,KAAK,IAAA,EAAK,CAAE,MAAM,GAAG,CAAA;AACnC,QAAA,OAAO,GAAA,EAAK,IAAA,EAAK,KAAM,IAAA,CAAK,iBAAA;AAAA,MAC9B,CAAC,CAAA;AACD,MAAA,IAAI,KAAA,IAAS,CAAC,gBAAA,EAAkB;AAC9B,QAAA,MAAM,eAAA,GAAkB,YAAA,GAAe,CAAA,EAAG,YAAY,CAAA,EAAA,CAAA,GAAO,EAAA;AAC7D,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,eAAe,GAAG,IAAA,CAAK,iBAAiB,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,MAC9E;AAEA,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,UAAA,CAAW;AAAA,QAC5C;AAAA,OACD,CAAA;AAED,MAAA,IAAI,CAAC,MAAA,IAAU,CAAC,OAAO,OAAA,IAAW,CAAC,OAAO,IAAA,EAAM;AAC9C,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO;AAAA,QACL,SAAS,MAAA,CAAO,OAAA;AAAA,QAChB,MAAM,MAAA,CAAO;AAAA,OACf;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,cAAc,IAAA,EAAwC;AAE1D,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,OAAA,EAAS,MAAM,CAAC,CAAC,MAAM,IAAA,EAAM,EAAA;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,MAAA,CAAO,KAAA,EAAe,QAAA,EAAkB,OAAA,EAAsD;AAClG,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,OAAA,EAAQ;AAGhD,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,WAAA,CAAY;AAAA,MAC/C,IAAA,EAAM,EAAE,KAAA,EAAO,QAAA,EAAS;AAAA,MACxB,OAAA;AAAA,MACA,UAAA,EAAY;AAAA,KACb,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,2BAA2B,CAAA;AAAA,IAClE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,IAC7C;AAGA,IAAA,MAAM,UAAoB,EAAC;AAC3B,IAAA,MAAM,eAAA,GAAkB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AACzD,IAAA,IAAI,eAAA,EAAiB;AAEnB,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,eAAA,CAAgB,KAAA,CAAM,cAAc,CAAC,CAAA;AAAA,IACvD;AAEA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,yBAAA,CAA0B,MAAA,CAAO,IAAI,CAAA;AAAA,MAC3C,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,MAAA,CACJ,KAAA,EACA,QAAA,EACA,MACA,OAAA,EACoC;AACpC,IAAA,MAAM,cAAc,IAAA,IAAQ,KAAA,CAAM,MAAM,GAAG,CAAA,CAAE,CAAC,CAAA,IAAK,MAAA;AACnD,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,OAAA,EAAQ;AAGhD,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,IAAA,CAAK,IAAI,WAAA,CAAY;AAAA,MAC/C,IAAA,EAAM,EAAE,KAAA,EAAO,QAAA,EAAU,MAAM,WAAA,EAAY;AAAA,MAC3C,OAAA;AAAA,MACA,UAAA,EAAY;AAAA,KACb,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,0BAA0B,CAAA;AAAA,IACjE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,0BAA0B,CAAA;AAAA,IAC5C;AAGA,IAAA,MAAM,UAAoB,EAAC;AAC3B,IAAA,MAAM,eAAA,GAAkB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AACzD,IAAA,IAAI,eAAA,EAAiB;AAEnB,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,eAAA,CAAgB,KAAA,CAAM,cAAc,CAAC,CAAA;AAAA,IACvD;AAEA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,yBAAA,CAA0B,MAAA,CAAO,IAAI,CAAA;AAAA,MAC3C,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAA,GAAgB;AACd,IAAA,OAAO,IAAA,CAAK,IAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,sBAAA,GAAiD;AAE/C,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,CAAA,EAAG,KAAK,iBAAiB,CAAA,4CAAA,CAAA;AAAA,MACzB,CAAA,EAAG,KAAK,iBAAiB,CAAA,gDAAA;AAAA,KAC3B;AACA,IAAA,OAAO;AAAA,MACL,YAAA,EAAc,OAAA,CAAQ,IAAA,CAAK,IAAI;AAAA,KACjC;AAAA,EACF;AACF","file":"index.js","sourcesContent":["import type { IUserProvider, ICredentialsProvider, CredentialsResult } from '@mastra/core/auth';\nimport type { EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\n\nimport type { Auth, Session, User } from 'better-auth';\n\ntype HonoRequestLike = {\n  raw?: Request;\n  headers?: Headers;\n  header(name: string): string | undefined;\n};\n\ntype MastraAuthRequest = Request | HonoRequestLike;\n\nfunction getRequestHeader(request: MastraAuthRequest, name: string): string | null {\n  if (request instanceof Request) {\n    return request.headers.get(name);\n  }\n\n  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;\n}\n\n/**\n * User type returned by Better Auth session verification.\n * Used internally for authentication token verification.\n */\nexport interface BetterAuthUser {\n  session: Session;\n  user: User;\n}\n\n/**\n * Maps Better Auth User to EE User format.\n */\nfunction mapBetterAuthUserToEEUser(user: User): EEUser {\n  return {\n    id: user.id,\n    email: user.email,\n    name: user.name,\n    avatarUrl: user.image ?? undefined,\n    metadata: {\n      emailVerified: user.emailVerified,\n      createdAt: user.createdAt,\n      updatedAt: user.updatedAt,\n    },\n  };\n}\n\ninterface MastraAuthBetterAuthOptions extends MastraAuthProviderOptions<BetterAuthUser> {\n  /**\n   * The Better Auth instance to use for authentication.\n   * This should be the result of calling `betterAuth({ ... })`.\n   */\n  auth: Auth;\n\n  /**\n   * Whether to allow new user registration via sign-up.\n   * Set to false to disable public registration.\n   * @default true\n   */\n  signUpEnabled?: boolean;\n}\n\n/**\n * Mastra authentication provider for Better Auth.\n *\n * Better Auth is a self-hosted, open-source authentication framework\n * that gives you full control over your authentication system.\n *\n * @example\n * ```typescript\n * import { betterAuth } from 'better-auth';\n * import { MastraAuthBetterAuth } from '@mastra/auth-better-auth';\n *\n * // Create your Better Auth instance\n * const auth = betterAuth({\n *   database: {\n *     provider: 'postgresql',\n *     url: process.env.DATABASE_URL!,\n *   },\n *   emailAndPassword: {\n *     enabled: true,\n *   },\n * });\n *\n * // Create the Mastra auth provider\n * const mastraAuth = new MastraAuthBetterAuth({\n *   auth,\n * });\n *\n * // Use with Mastra\n * const mastra = new Mastra({\n *   server: {\n *     auth: mastraAuth,\n *   },\n * });\n * ```\n *\n * @see https://better-auth.com for Better Auth documentation\n */\nexport class MastraAuthBetterAuth\n  extends MastraAuthProvider<BetterAuthUser>\n  implements IUserProvider<EEUser>, ICredentialsProvider<EEUser>\n{\n  protected auth: Auth;\n  protected signUpEnabledConfig: boolean;\n  public sessionCookieName: string;\n\n  constructor(options: MastraAuthBetterAuthOptions) {\n    super({ name: options?.name ?? 'better-auth' });\n\n    if (!options.auth) {\n      throw new Error(\n        'Better Auth instance is required. Please provide the auth option with your Better Auth instance created via betterAuth({ ... })',\n      );\n    }\n\n    this.auth = options.auth;\n    this.signUpEnabledConfig = options.signUpEnabled ?? true;\n\n    // Derive the session cookie name from Better Auth's cookiePrefix option\n    const authWithOptions = this.auth as unknown as { options?: { advanced?: { cookiePrefix?: string } } };\n    const prefix = authWithOptions.options?.advanced?.cookiePrefix ?? 'better-auth';\n    this.sessionCookieName = `${prefix}.session_token`;\n\n    this.registerOptions(options);\n  }\n\n  /**\n   * Check if sign-up is enabled.\n   * Implements ICredentialsProvider.isSignUpEnabled.\n   */\n  isSignUpEnabled(): boolean {\n    return this.signUpEnabledConfig;\n  }\n\n  // ============================================\n  // IUserProvider implementation (EE capability)\n  // License check happens in buildCapabilities()\n  // ============================================\n\n  /**\n   * Get current user from request.\n   * Implements IUserProvider for EE user awareness in Studio.\n   *\n   * @param request - Incoming HTTP request\n   * @returns EE User object or null if not authenticated\n   */\n  async getCurrentUser(request: Request): Promise<EEUser | null> {\n    try {\n      const result = await this.auth.api.getSession({\n        headers: request.headers,\n      });\n\n      if (!result?.user) return null;\n      return mapBetterAuthUserToEEUser(result.user);\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Get user by ID.\n   * Implements IUserProvider for EE user awareness.\n   *\n   * Note: Better Auth doesn't expose a direct getUser API.\n   * For full functionality, you may need to implement this using\n   * direct database access in a subclass.\n   *\n   * @param userId - User identifier\n   * @returns EE User object or null if not found\n   */\n  async getUser(_userId: string): Promise<EEUser | null> {\n    // Better Auth doesn't have a direct getUser API\n    // Users can override this method with their own implementation\n    // that queries the database directly\n    console.warn(\n      '[MastraAuthBetterAuth] getUser() requires direct database access. ' +\n        'Override this method in a subclass for full user lookup support.',\n    );\n    return null;\n  }\n\n  /**\n   * Get URL to user's profile page.\n   * Optional IUserProvider method.\n   */\n  getUserProfileUrl(user: EEUser): string {\n    return `/profile/${user.id}`;\n  }\n\n  /**\n   * Authenticate a bearer token by verifying the session with Better Auth.\n   *\n   * This method extracts the session from the request headers using\n   * Better Auth's `api.getSession()` endpoint.\n   *\n   * @param token - The bearer token (session token) to authenticate\n   * @param request - The request containing headers\n   * @returns The authenticated user and session, or null if authentication fails\n   */\n  async authenticateToken(token: string, request: MastraAuthRequest): Promise<BetterAuthUser | null> {\n    try {\n      // Better Auth's api.getSession() reads session tokens from the Cookie header\n      const headers = new Headers();\n\n      const cookieHeader = getRequestHeader(request, 'Cookie');\n      if (cookieHeader) {\n        headers.set('Cookie', cookieHeader);\n      }\n\n      // Convert Bearer token to a session cookie if not already present.\n      // better-auth ignores the Authorization header — it only reads from Cookie.\n      const hasSessionCookie = !!cookieHeader?.split(';').some(pair => {\n        const [key] = pair.trim().split('=');\n        return key?.trim() === this.sessionCookieName;\n      });\n      if (token && !hasSessionCookie) {\n        const existingCookies = cookieHeader ? `${cookieHeader}; ` : '';\n        headers.set('Cookie', `${existingCookies}${this.sessionCookieName}=${token}`);\n      }\n\n      const result = await this.auth.api.getSession({\n        headers,\n      });\n\n      if (!result || !result.session || !result.user) {\n        return null;\n      }\n\n      return {\n        session: result.session,\n        user: result.user,\n      };\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Authorize a user for access.\n   *\n   * By default, any authenticated user with a valid session is authorized.\n   * You can override this behavior by providing a custom `authorizeUser` function\n   * in the constructor options.\n   *\n   * @param user - The authenticated user and session\n   * @returns True if the user is authorized, false otherwise\n   */\n  async authorizeUser(user: BetterAuthUser): Promise<boolean> {\n    // By default, any authenticated user with a valid session is authorized\n    return !!user?.session?.id && !!user?.user?.id;\n  }\n\n  // ============================================\n  // ICredentialsProvider implementation (EE capability)\n  // License check happens in buildCapabilities()\n  // ============================================\n\n  /**\n   * Sign in with email and password.\n   * Implements ICredentialsProvider for EE credentials auth.\n   *\n   * @param email - User email\n   * @param password - User password\n   * @param request - Incoming HTTP request\n   * @returns Result with user and session cookies\n   * @throws Error if credentials are invalid\n   */\n  async signIn(email: string, password: string, request: Request): Promise<CredentialsResult<EEUser>> {\n    const headers = request?.headers ?? new Headers();\n\n    // Use asResponse: true to get the full response with Set-Cookie headers\n    const response = await this.auth.api.signInEmail({\n      body: { email, password },\n      headers,\n      asResponse: true,\n    });\n\n    if (!response.ok) {\n      const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n      throw new Error(errorData.message || 'Invalid email or password');\n    }\n\n    const result = (await response.json()) as { user?: User; token?: string | null };\n\n    if (!result?.user) {\n      throw new Error('Invalid email or password');\n    }\n\n    // Extract Set-Cookie headers from Better Auth response\n    const cookies: string[] = [];\n    const setCookieHeader = response.headers.get('set-cookie');\n    if (setCookieHeader) {\n      // Split multiple cookies (they may be comma-separated or in multiple headers)\n      cookies.push(...setCookieHeader.split(/,(?=\\s*\\w+=)/));\n    }\n\n    return {\n      user: mapBetterAuthUserToEEUser(result.user),\n      token: result.token ?? undefined,\n      cookies,\n    };\n  }\n\n  /**\n   * Sign up with email and password.\n   * Implements ICredentialsProvider for EE credentials auth.\n   *\n   * @param email - User email\n   * @param password - User password\n   * @param name - Optional display name\n   * @param request - Incoming HTTP request\n   * @returns Result with new user and session cookies\n   * @throws Error if sign up fails\n   */\n  async signUp(\n    email: string,\n    password: string,\n    name: string | undefined,\n    request: Request,\n  ): Promise<CredentialsResult<EEUser>> {\n    const displayName = name ?? email.split('@')[0] ?? 'User';\n    const headers = request?.headers ?? new Headers();\n\n    // Use asResponse: true to get the full response with Set-Cookie headers\n    const response = await this.auth.api.signUpEmail({\n      body: { email, password, name: displayName },\n      headers,\n      asResponse: true,\n    });\n\n    if (!response.ok) {\n      const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n      throw new Error(errorData.message || 'Failed to create account');\n    }\n\n    const result = (await response.json()) as { user?: User; token?: string | null };\n\n    if (!result?.user) {\n      throw new Error('Failed to create account');\n    }\n\n    // Extract Set-Cookie headers from Better Auth response\n    const cookies: string[] = [];\n    const setCookieHeader = response.headers.get('set-cookie');\n    if (setCookieHeader) {\n      // Split multiple cookies (they may be comma-separated or in multiple headers)\n      cookies.push(...setCookieHeader.split(/,(?=\\s*\\w+=)/));\n    }\n\n    return {\n      user: mapBetterAuthUserToEEUser(result.user),\n      token: result.token ?? undefined,\n      cookies,\n    };\n  }\n\n  /**\n   * Get the underlying Better Auth instance.\n   * Useful for accessing Better Auth APIs directly.\n   */\n  getAuth(): Auth {\n    return this.auth;\n  }\n\n  /**\n   * Get headers to clear the session cookies on logout.\n   * Partial ISessionProvider implementation for logout support.\n   *\n   * Clears Better Auth's default session cookies.\n   */\n  getClearSessionHeaders(): Record<string, string> {\n    // Clear both the session token and its signature cookie\n    const cookies = [\n      `${this.sessionCookieName}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n      `${this.sessionCookieName}_sig=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n    ];\n    return {\n      'Set-Cookie': cookies.join(', '),\n    };\n  }\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mastra/auth-better-auth",
-  "version": "1.0.2",
+  "version": "1.0.3-alpha.0",
   "description": "Mastra Better Auth integration - self-hosted authentication",
   "type": "module",
   "main": "dist/index.js",
@@ -20,23 +20,22 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "better-auth": "^1.4.18"
+    "better-auth": "^1.5.5"
   },
   "peerDependencies": {
     "@mastra/core": ">=1.0.0-0 <2.0.0-0"
   },
   "devDependencies": {
-    "@types/node": "22.19.7",
-    "hono": "^4.11.9",
-    "@vitest/coverage-v8": "4.0.18",
-    "@vitest/ui": "4.0.18",
-    "eslint": "^9.37.0",
+    "@types/node": "22.19.15",
+    "@vitest/coverage-v8": "4.1.5",
+    "@vitest/ui": "4.1.5",
+    "eslint": "^10.2.1",
     "tsup": "^8.5.1",
-    "typescript": "^5.9.3",
-    "vitest": "4.0.18",
-    "@internal/types-builder": "0.0.39",
-    "@internal/lint": "0.0.64",
-    "@mastra/core": "1.9.0"
+    "typescript": "^6.0.3",
+    "vitest": "4.1.5",
+    "@internal/lint": "0.0.100",
+    "@internal/types-builder": "0.0.75",
+    "@mastra/core": "1.39.0-alpha.0"
   },
   "files": [
     "dist",