@meistrari/auth-core 1.16.0 → 1.17.0

package/dist/index.d.mts

@@ -209,6 +209,18 @@ declare const memberAdditionalFields: {
         defaultValue: null;
     };
 };
+/**
+ * Additional database fields added to the `invitation` table.
+ *
+ * @internal
+ */
+declare const invitationAdditionalFields: {
+    applicationId: {
+        type: "string";
+        input: true;
+        required: false;
+    };
+};
 /**
  * Zod schema and type for the `user` claim within a JWT payload.
  */
@@ -3383,6 +3395,17 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
                 statusText: string;
             };
         }>;
+        inviteUserToApplication: (options: InviteUserToApplicationOptions) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CreateApplicationInvitationResponse;
+            error: null;
+        }>;
         startAuthorizationFlow: (applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string) => Promise<{
             data: null;
             error: {
@@ -4571,6 +4594,30 @@ type WhoAmIOptions = {
      */
     include?: WhoAmIInclude[];
 };
+type InviteUserToApplicationOptions = {
+    organizationId: string;
+    applicationId: string;
+    email: string;
+    role: Role;
+    teamId?: string;
+    resend?: boolean;
+    sendEmail?: boolean;
+};
+type ApplicationInvitationResponse = {
+    id: string;
+    organizationId: string;
+    email: string;
+    role: string | null;
+    teamId: string | null;
+    applicationId: string | null;
+    status: string;
+    expiresAt: Date | string;
+    inviterId: string;
+    createdAt: Date | string;
+};
+type CreateApplicationInvitationResponse = {
+    data?: ApplicationInvitationResponse;
+};
 /**
  * Response returned when starting a device authorization flow (RFC 8628).
  */
@@ -4747,6 +4794,13 @@ declare class ApplicationService {
         organizations: FullOrganization[];
         application?: Application | undefined;
     }>;
+    /**
+     * Invites a user to an application through an organization entitlement.
+     *
+     * @param options - Invitation details including organization, application, email, and role
+     * @returns The created invitation
+     */
+    inviteUserToApplication(options: InviteUserToApplicationOptions): Promise<CreateApplicationInvitationResponse>;
     /**
      * Starts an authorization flow for a specific application.
      *
@@ -4883,6 +4937,16 @@ type InviteUserToOrganizationOptions = {
     teamId?: string;
     /** Whether to resend the invitation if one already exists for this email. */
     resend?: boolean;
+    /**
+     * Application scope for legacy callers that still pass this option through
+     * the organization invitation path.
+     *
+     * New app-scoped invitations should use
+     * `applications.inviteUserToApplication`, which calls
+     * `POST /api/auth/applications/invitations`. The server rejects legacy
+     * organization invitation creation when this field is present.
+     */
+    applicationId?: string;
 };
 /**
  * Options for removing a user from the active organization.
@@ -5071,10 +5135,11 @@ declare class OrganizationService {
      * @param options.userEmail - Email address of the user to invite
      * @param options.role - Role to assign to the invited user
      * @param options.teamId - Team ID to add the user to
+     * @param options.applicationId - Legacy application scope; prefer applications.inviteUserToApplication for new app-scoped invites
      * @param options.resend - Whether to resend if invitation already exists
      * @returns The created invitation
      */
-    inviteUserToOrganization({ userEmail, role, teamId, resend }: InviteUserToOrganizationOptions): Promise<NonNullable<{
+    inviteUserToOrganization({ userEmail, role, teamId, resend, applicationId }: InviteUserToOrganizationOptions): Promise<NonNullable<{
         id: string;
         organizationId: string;
         email: string;
@@ -5105,8 +5170,12 @@ declare class OrganizationService {
      * Accepts an organization invitation.
      *
      * @param id - The invitation ID to accept
+     * @returns Object containing the application's `homeUrl` when the invitation is
+     *   scoped to an application that defines one; otherwise `null`.
      */
-    acceptInvitation(id: string): Promise<void>;
+    acceptInvitation(id: string): Promise<{
+        homeUrl: string | null;
+    }>;
     /**
      * Removes a user from the active organization.
      *
@@ -5559,5 +5628,5 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
  */
 declare function extractTokenPayload(token: string): JWTPayload;
 
-export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
-export type { APIClient, ApiKey, ApiKeyMetadata, ApiKeyWithoutSecret, Application, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };
+export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export type { APIClient, ApiKey, ApiKeyMetadata, ApiKeyWithoutSecret, Application, ApplicationInvitationResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateApplicationInvitationResponse, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToApplicationOptions, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };

package/dist/index.d.ts

@@ -209,6 +209,18 @@ declare const memberAdditionalFields: {
         defaultValue: null;
     };
 };
+/**
+ * Additional database fields added to the `invitation` table.
+ *
+ * @internal
+ */
+declare const invitationAdditionalFields: {
+    applicationId: {
+        type: "string";
+        input: true;
+        required: false;
+    };
+};
 /**
  * Zod schema and type for the `user` claim within a JWT payload.
  */
@@ -3383,6 +3395,17 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
                 statusText: string;
             };
         }>;
+        inviteUserToApplication: (options: InviteUserToApplicationOptions) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CreateApplicationInvitationResponse;
+            error: null;
+        }>;
         startAuthorizationFlow: (applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string) => Promise<{
             data: null;
             error: {
@@ -4571,6 +4594,30 @@ type WhoAmIOptions = {
      */
     include?: WhoAmIInclude[];
 };
+type InviteUserToApplicationOptions = {
+    organizationId: string;
+    applicationId: string;
+    email: string;
+    role: Role;
+    teamId?: string;
+    resend?: boolean;
+    sendEmail?: boolean;
+};
+type ApplicationInvitationResponse = {
+    id: string;
+    organizationId: string;
+    email: string;
+    role: string | null;
+    teamId: string | null;
+    applicationId: string | null;
+    status: string;
+    expiresAt: Date | string;
+    inviterId: string;
+    createdAt: Date | string;
+};
+type CreateApplicationInvitationResponse = {
+    data?: ApplicationInvitationResponse;
+};
 /**
  * Response returned when starting a device authorization flow (RFC 8628).
  */
@@ -4747,6 +4794,13 @@ declare class ApplicationService {
         organizations: FullOrganization[];
         application?: Application | undefined;
     }>;
+    /**
+     * Invites a user to an application through an organization entitlement.
+     *
+     * @param options - Invitation details including organization, application, email, and role
+     * @returns The created invitation
+     */
+    inviteUserToApplication(options: InviteUserToApplicationOptions): Promise<CreateApplicationInvitationResponse>;
     /**
      * Starts an authorization flow for a specific application.
      *
@@ -4883,6 +4937,16 @@ type InviteUserToOrganizationOptions = {
     teamId?: string;
     /** Whether to resend the invitation if one already exists for this email. */
     resend?: boolean;
+    /**
+     * Application scope for legacy callers that still pass this option through
+     * the organization invitation path.
+     *
+     * New app-scoped invitations should use
+     * `applications.inviteUserToApplication`, which calls
+     * `POST /api/auth/applications/invitations`. The server rejects legacy
+     * organization invitation creation when this field is present.
+     */
+    applicationId?: string;
 };
 /**
  * Options for removing a user from the active organization.
@@ -5071,10 +5135,11 @@ declare class OrganizationService {
      * @param options.userEmail - Email address of the user to invite
      * @param options.role - Role to assign to the invited user
      * @param options.teamId - Team ID to add the user to
+     * @param options.applicationId - Legacy application scope; prefer applications.inviteUserToApplication for new app-scoped invites
      * @param options.resend - Whether to resend if invitation already exists
      * @returns The created invitation
      */
-    inviteUserToOrganization({ userEmail, role, teamId, resend }: InviteUserToOrganizationOptions): Promise<NonNullable<{
+    inviteUserToOrganization({ userEmail, role, teamId, resend, applicationId }: InviteUserToOrganizationOptions): Promise<NonNullable<{
         id: string;
         organizationId: string;
         email: string;
@@ -5105,8 +5170,12 @@ declare class OrganizationService {
      * Accepts an organization invitation.
      *
      * @param id - The invitation ID to accept
+     * @returns Object containing the application's `homeUrl` when the invitation is
+     *   scoped to an application that defines one; otherwise `null`.
      */
-    acceptInvitation(id: string): Promise<void>;
+    acceptInvitation(id: string): Promise<{
+        homeUrl: string | null;
+    }>;
     /**
      * Removes a user from the active organization.
      *
@@ -5559,5 +5628,5 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
  */
 declare function extractTokenPayload(token: string): JWTPayload;
 
-export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
-export type { APIClient, ApiKey, ApiKeyMetadata, ApiKeyWithoutSecret, Application, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };
+export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export type { APIClient, ApiKey, ApiKeyMetadata, ApiKeyWithoutSecret, Application, ApplicationInvitationResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateApplicationInvitationResponse, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToApplicationOptions, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };

package/dist/index.mjs

@@ -8,7 +8,7 @@ import { defaultStatements } from 'better-auth/plugins/organization/access';
 import { z } from 'zod';
 export { APIError } from 'better-auth';
 
-const version = "1.16.0";
+const version = "1.17.0";
 
 const statements = {
   ...defaultStatements,
@@ -61,6 +61,13 @@ const memberAdditionalFields = {
     defaultValue: null
   }
 };
+const invitationAdditionalFields = {
+  applicationId: {
+    type: "string",
+    input: true,
+    required: false
+  }
+};
 const JWTPayloadUser = z.object({
   id: z.string(),
   name: z.string(),
@@ -100,6 +107,12 @@ function applicationsPluginClient() {
               }
             };
           },
+          inviteUserToApplication: async (options) => {
+            return await $fetch("/applications/invitations", {
+              method: "POST",
+              body: options
+            });
+          },
           startAuthorizationFlow: async (applicationId, redirectUri, codeChallenge, organizationId) => {
             return await $fetch("/applications/authorize", {
               method: "POST",
@@ -385,6 +398,20 @@ class ApplicationService {
     }
     return response.data;
   }
+  /**
+   * Invites a user to an application through an organization entitlement.
+   *
+   * @param options - Invitation details including organization, application, email, and role
+   * @returns The created invitation
+   */
+  async inviteUserToApplication(options) {
+    const response = await this.client.applications.inviteUserToApplication(options);
+    const invitation = response.data;
+    if (!invitation) {
+      throw new Error("No invitation returned from application invitation endpoint");
+    }
+    return invitation;
+  }
   /**
    * Starts an authorization flow for a specific application.
    *
@@ -664,16 +691,19 @@ class OrganizationService {
    * @param options.userEmail - Email address of the user to invite
    * @param options.role - Role to assign to the invited user
    * @param options.teamId - Team ID to add the user to
+   * @param options.applicationId - Legacy application scope; prefer applications.inviteUserToApplication for new app-scoped invites
    * @param options.resend - Whether to resend if invitation already exists
    * @returns The created invitation
    */
-  async inviteUserToOrganization({ userEmail, role, teamId, resend }) {
-    return await this.client.organization.inviteMember({
+  async inviteUserToOrganization({ userEmail, role, teamId, resend, applicationId }) {
+    const invitation = {
       email: userEmail,
       role,
       teamId,
-      resend: resend ?? false
-    });
+      resend: resend ?? false,
+      applicationId
+    };
+    return await this.client.organization.inviteMember(invitation);
   }
   /**
    * Cancels a pending organization invitation.
@@ -689,11 +719,14 @@ class OrganizationService {
    * Accepts an organization invitation.
    *
    * @param id - The invitation ID to accept
+   * @returns Object containing the application's `homeUrl` when the invitation is
+   *   scoped to an application that defines one; otherwise `null`.
    */
   async acceptInvitation(id) {
-    await this.client.organization.acceptInvitation({
+    const response = await this.client.organization.acceptInvitation({
       invitationId: id
     });
+    return { homeUrl: response?.homeUrl ?? null };
   }
   /**
    * Removes a user from the active organization.
@@ -1126,4 +1159,4 @@ function extractTokenPayload(token) {
   return payload;
 }
 
-export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, extractTokenPayload, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meistrari/auth-core",
-  "version": "1.16.0",
+  "version": "1.17.0",
   "type": "module",
   "exports": {
     ".": {