@meistrari/auth-core 1.19.0 → 1.20.1

package/dist/index.d.mts

@@ -3393,32 +3393,8 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
             };
         }>;
         listCandidateOrganizations: (applicationId: string) => Promise<{
-            data: {
-                organizations: FullOrganization[];
-                application?: Application | undefined;
-            };
-            error: {
-                message?: string | undefined;
-                status: number;
-                statusText: string;
-            };
-        } | {
-            data: {
-                organizations: FullOrganization[];
-                application?: Application | undefined;
-            };
-            error: null;
-        }>;
-        inviteUserToApplication: (options: InviteUserToApplicationOptions) => Promise<{
-            data: null;
-            error: {
-                message?: string | undefined;
-                status: number;
-                statusText: string;
-            };
-        } | {
-            data: CreateApplicationInvitationResponse;
-            error: null;
+            data: ListCandidateOrganizationsResponse;
+            error?: unknown;
         }>;
         startAuthorizationFlow: (applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string) => Promise<{
             data: null;
@@ -4508,8 +4484,7 @@ type ExtendedOrganization = BaseOrganization & {
 /**
  * A complete organization object including its members, invitations, and teams.
  */
-type FullOrganization = Omit<ExtendedOrganization, 'slug'> & {
-    slug: string | null;
+type FullOrganization = ExtendedOrganization & {
     members: Member[];
     invitations: Invitation[];
     teams: Team[];
@@ -4559,12 +4534,7 @@ type Application = {
 /**
  * Response returned when listing candidate organizations for an application.
  */
-type ListCandidateOrganizationsResponse = {
-    /** The application being queried. */
-    application: Application;
-    /** Organizations where the user is a member and the application is entitled. */
-    organizations: FullOrganization[];
-};
+type ListCandidateOrganizationsResponse = FullOrganization[];
 /**
  * Public application context used to preserve continuity during auth redirects.
  */
@@ -4615,30 +4585,6 @@ type WhoAmIOptions = {
      */
     include?: WhoAmIInclude[];
 };
-type InviteUserToApplicationOptions = {
-    organizationId: string;
-    applicationId: string;
-    email: string;
-    role: Role;
-    teamId?: string;
-    resend?: boolean;
-    sendEmail?: boolean;
-};
-type ApplicationInvitationResponse = {
-    id: string;
-    organizationId: string;
-    email: string;
-    role: string | null;
-    teamId: string | null;
-    applicationId: string | null;
-    status: string;
-    expiresAt: Date | string;
-    inviterId: string;
-    createdAt: Date | string;
-};
-type CreateApplicationInvitationResponse = {
-    data?: ApplicationInvitationResponse;
-};
 /**
  * Response returned when starting a device authorization flow (RFC 8628).
  */
@@ -4813,22 +4759,9 @@ declare class ApplicationService {
      * the application has been enabled with appropriate entitlement rules.
      *
      * @param applicationId - The application ID to get candidate organizations for
-     * @returns The application details and list of candidate organizations
-     */
-    listCandidateOrganizations(applicationId: string): Promise<{
-        organizations: FullOrganization[];
-        application?: Application | undefined;
-    } | {
-        organizations: FullOrganization[];
-        application?: Application | undefined;
-    }>;
-    /**
-     * Invites a user to an application through an organization entitlement.
-     *
-     * @param options - Invitation details including organization, application, email, and role
-     * @returns The created invitation
+     * @returns The list of candidate organizations
      */
-    inviteUserToApplication(options: InviteUserToApplicationOptions): Promise<CreateApplicationInvitationResponse>;
+    listCandidateOrganizations(applicationId: string): Promise<ListCandidateOrganizationsResponse>;
     /**
      * Starts an authorization flow for a specific application.
      *
@@ -4955,6 +4888,10 @@ type ListMembersOptions = {
 };
 /**
  * Options for inviting a user to the active organization.
+ *
+ * When the SDK is authenticated with an application-scoped session, the invitation
+ * is automatically scoped to that application. First-party callers receive a
+ * plain organization invitation.
  */
 type InviteUserToOrganizationOptions = {
     /** Email address of the user to invite. */
@@ -4965,16 +4902,6 @@ type InviteUserToOrganizationOptions = {
     teamId?: string;
     /** Whether to resend the invitation if one already exists for this email. */
     resend?: boolean;
-    /**
-     * Application scope for legacy callers that still pass this option through
-     * the organization invitation path.
-     *
-     * New app-scoped invitations should use
-     * `applications.inviteUserToApplication`, which calls
-     * `POST /api/auth/applications/invitations`. The server rejects legacy
-     * organization invitation creation when this field is present.
-     */
-    applicationId?: string;
 };
 /**
  * Options for removing a user from the active organization.
@@ -5159,15 +5086,17 @@ declare class OrganizationService {
     /**
      * Invites a user to join the active organization.
      *
+     * When the SDK runs with an application-scoped session, the server
+     * automatically scopes the resulting invitation to that application.
+     *
      * @param options - Invitation configuration
      * @param options.userEmail - Email address of the user to invite
      * @param options.role - Role to assign to the invited user
      * @param options.teamId - Team ID to add the user to
-     * @param options.applicationId - Legacy application scope; prefer applications.inviteUserToApplication for new app-scoped invites
      * @param options.resend - Whether to resend if invitation already exists
      * @returns The created invitation
      */
-    inviteUserToOrganization({ userEmail, role, teamId, resend, applicationId }: InviteUserToOrganizationOptions): Promise<NonNullable<{
+    inviteUserToOrganization({ userEmail, role, teamId, resend }: InviteUserToOrganizationOptions): Promise<NonNullable<{
         id: string;
         organizationId: string;
         email: string;
@@ -5329,8 +5258,6 @@ type SignInWithEmailAndPasswordOptions = {
     password: string;
     /** URL to redirect to after successful authentication. */
     callbackURL: string;
-    /** URL to redirect to if authentication fails. */
-    errorCallbackURL?: string;
 };
 
 /**
@@ -5428,8 +5355,9 @@ declare class SessionService {
      * @param options - Email/password sign-in configuration
      * @param options.email - User's email address
      * @param options.password - User's password
+     * @param options.callbackURL - URL to redirect to after successful authentication
      */
-    signInWithEmailAndPassword({ email, password, }: SignInWithEmailAndPasswordOptions): Promise<void>;
+    signInWithEmailAndPassword({ email, password, callbackURL, }: SignInWithEmailAndPasswordOptions): Promise<void>;
     /**
      * Signs out the currently authenticated user.
      *
@@ -5657,4 +5585,4 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
 declare function extractTokenPayload(token: string): JWTPayload;
 
 export { ApiKeyMetadata, ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
-export type { APIClient, ApiKey, ApiKeyWithoutSecret, Application, ApplicationAuthContextResponse, ApplicationInvitationResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateApplicationInvitationResponse, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToApplicationOptions, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };
+export type { APIClient, ApiKey, ApiKeyWithoutSecret, Application, ApplicationAuthContextResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };

package/dist/index.d.ts

@@ -3393,32 +3393,8 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
             };
         }>;
         listCandidateOrganizations: (applicationId: string) => Promise<{
-            data: {
-                organizations: FullOrganization[];
-                application?: Application | undefined;
-            };
-            error: {
-                message?: string | undefined;
-                status: number;
-                statusText: string;
-            };
-        } | {
-            data: {
-                organizations: FullOrganization[];
-                application?: Application | undefined;
-            };
-            error: null;
-        }>;
-        inviteUserToApplication: (options: InviteUserToApplicationOptions) => Promise<{
-            data: null;
-            error: {
-                message?: string | undefined;
-                status: number;
-                statusText: string;
-            };
-        } | {
-            data: CreateApplicationInvitationResponse;
-            error: null;
+            data: ListCandidateOrganizationsResponse;
+            error?: unknown;
         }>;
         startAuthorizationFlow: (applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string) => Promise<{
             data: null;
@@ -4508,8 +4484,7 @@ type ExtendedOrganization = BaseOrganization & {
 /**
  * A complete organization object including its members, invitations, and teams.
  */
-type FullOrganization = Omit<ExtendedOrganization, 'slug'> & {
-    slug: string | null;
+type FullOrganization = ExtendedOrganization & {
     members: Member[];
     invitations: Invitation[];
     teams: Team[];
@@ -4559,12 +4534,7 @@ type Application = {
 /**
  * Response returned when listing candidate organizations for an application.
  */
-type ListCandidateOrganizationsResponse = {
-    /** The application being queried. */
-    application: Application;
-    /** Organizations where the user is a member and the application is entitled. */
-    organizations: FullOrganization[];
-};
+type ListCandidateOrganizationsResponse = FullOrganization[];
 /**
  * Public application context used to preserve continuity during auth redirects.
  */
@@ -4615,30 +4585,6 @@ type WhoAmIOptions = {
      */
     include?: WhoAmIInclude[];
 };
-type InviteUserToApplicationOptions = {
-    organizationId: string;
-    applicationId: string;
-    email: string;
-    role: Role;
-    teamId?: string;
-    resend?: boolean;
-    sendEmail?: boolean;
-};
-type ApplicationInvitationResponse = {
-    id: string;
-    organizationId: string;
-    email: string;
-    role: string | null;
-    teamId: string | null;
-    applicationId: string | null;
-    status: string;
-    expiresAt: Date | string;
-    inviterId: string;
-    createdAt: Date | string;
-};
-type CreateApplicationInvitationResponse = {
-    data?: ApplicationInvitationResponse;
-};
 /**
  * Response returned when starting a device authorization flow (RFC 8628).
  */
@@ -4813,22 +4759,9 @@ declare class ApplicationService {
      * the application has been enabled with appropriate entitlement rules.
      *
      * @param applicationId - The application ID to get candidate organizations for
-     * @returns The application details and list of candidate organizations
-     */
-    listCandidateOrganizations(applicationId: string): Promise<{
-        organizations: FullOrganization[];
-        application?: Application | undefined;
-    } | {
-        organizations: FullOrganization[];
-        application?: Application | undefined;
-    }>;
-    /**
-     * Invites a user to an application through an organization entitlement.
-     *
-     * @param options - Invitation details including organization, application, email, and role
-     * @returns The created invitation
+     * @returns The list of candidate organizations
      */
-    inviteUserToApplication(options: InviteUserToApplicationOptions): Promise<CreateApplicationInvitationResponse>;
+    listCandidateOrganizations(applicationId: string): Promise<ListCandidateOrganizationsResponse>;
     /**
      * Starts an authorization flow for a specific application.
      *
@@ -4955,6 +4888,10 @@ type ListMembersOptions = {
 };
 /**
  * Options for inviting a user to the active organization.
+ *
+ * When the SDK is authenticated with an application-scoped session, the invitation
+ * is automatically scoped to that application. First-party callers receive a
+ * plain organization invitation.
  */
 type InviteUserToOrganizationOptions = {
     /** Email address of the user to invite. */
@@ -4965,16 +4902,6 @@ type InviteUserToOrganizationOptions = {
     teamId?: string;
     /** Whether to resend the invitation if one already exists for this email. */
     resend?: boolean;
-    /**
-     * Application scope for legacy callers that still pass this option through
-     * the organization invitation path.
-     *
-     * New app-scoped invitations should use
-     * `applications.inviteUserToApplication`, which calls
-     * `POST /api/auth/applications/invitations`. The server rejects legacy
-     * organization invitation creation when this field is present.
-     */
-    applicationId?: string;
 };
 /**
  * Options for removing a user from the active organization.
@@ -5159,15 +5086,17 @@ declare class OrganizationService {
     /**
      * Invites a user to join the active organization.
      *
+     * When the SDK runs with an application-scoped session, the server
+     * automatically scopes the resulting invitation to that application.
+     *
      * @param options - Invitation configuration
      * @param options.userEmail - Email address of the user to invite
      * @param options.role - Role to assign to the invited user
      * @param options.teamId - Team ID to add the user to
-     * @param options.applicationId - Legacy application scope; prefer applications.inviteUserToApplication for new app-scoped invites
      * @param options.resend - Whether to resend if invitation already exists
      * @returns The created invitation
      */
-    inviteUserToOrganization({ userEmail, role, teamId, resend, applicationId }: InviteUserToOrganizationOptions): Promise<NonNullable<{
+    inviteUserToOrganization({ userEmail, role, teamId, resend }: InviteUserToOrganizationOptions): Promise<NonNullable<{
         id: string;
         organizationId: string;
         email: string;
@@ -5329,8 +5258,6 @@ type SignInWithEmailAndPasswordOptions = {
     password: string;
     /** URL to redirect to after successful authentication. */
     callbackURL: string;
-    /** URL to redirect to if authentication fails. */
-    errorCallbackURL?: string;
 };
 
 /**
@@ -5428,8 +5355,9 @@ declare class SessionService {
      * @param options - Email/password sign-in configuration
      * @param options.email - User's email address
      * @param options.password - User's password
+     * @param options.callbackURL - URL to redirect to after successful authentication
      */
-    signInWithEmailAndPassword({ email, password, }: SignInWithEmailAndPasswordOptions): Promise<void>;
+    signInWithEmailAndPassword({ email, password, callbackURL, }: SignInWithEmailAndPasswordOptions): Promise<void>;
     /**
      * Signs out the currently authenticated user.
      *
@@ -5657,4 +5585,4 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
 declare function extractTokenPayload(token: string): JWTPayload;
 
 export { ApiKeyMetadata, ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
-export type { APIClient, ApiKey, ApiKeyWithoutSecret, Application, ApplicationAuthContextResponse, ApplicationInvitationResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateApplicationInvitationResponse, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToApplicationOptions, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };
+export type { APIClient, ApiKey, ApiKeyWithoutSecret, Application, ApplicationAuthContextResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };

package/dist/index.mjs

@@ -8,7 +8,7 @@ import { defaultStatements } from 'better-auth/plugins/organization/access';
 import z$1, { z } from 'zod';
 export { APIError } from 'better-auth';
 
-const version = "1.19.0";
+const version = "1.20.1";
 
 const statements = {
   ...defaultStatements,
@@ -86,6 +86,17 @@ const JWTPayload = z.object({
 });
 
 const DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code";
+function normalizeOrganizationsResponse(response) {
+  if (Array.isArray(response)) {
+    return {
+      data: response
+    };
+  }
+  return {
+    ...response,
+    data: Array.isArray(response.data) ? response.data : []
+  };
+}
 function applicationsPluginClient() {
   return {
     id: "applications",
@@ -100,25 +111,12 @@ function applicationsPluginClient() {
             });
           },
           listCandidateOrganizations: async (applicationId) => {
-            const response = await $fetch("/applications/candidate-organizations", {
+            const response = await $fetch("/organization/list", {
               query: {
                 applicationId
               }
             });
-            const organizations = response.data?.organizations ?? [];
-            return {
-              ...response,
-              data: {
-                ...response.data,
-                organizations
-              }
-            };
-          },
-          inviteUserToApplication: async (options) => {
-            return await $fetch("/applications/invitations", {
-              method: "POST",
-              body: options
-            });
+            return normalizeOrganizationsResponse(response);
           },
           startAuthorizationFlow: async (applicationId, redirectUri, codeChallenge, organizationId) => {
             return await $fetch("/applications/authorize", {
@@ -409,7 +407,7 @@ class ApplicationService {
    * the application has been enabled with appropriate entitlement rules.
    *
    * @param applicationId - The application ID to get candidate organizations for
-   * @returns The application details and list of candidate organizations
+   * @returns The list of candidate organizations
    */
   async listCandidateOrganizations(applicationId) {
     const response = await this.client.applications.listCandidateOrganizations(applicationId);
@@ -418,20 +416,6 @@ class ApplicationService {
     }
     return response.data;
   }
-  /**
-   * Invites a user to an application through an organization entitlement.
-   *
-   * @param options - Invitation details including organization, application, email, and role
-   * @returns The created invitation
-   */
-  async inviteUserToApplication(options) {
-    const response = await this.client.applications.inviteUserToApplication(options);
-    const invitation = response.data;
-    if (!invitation) {
-      throw new Error("No invitation returned from application invitation endpoint");
-    }
-    return invitation;
-  }
   /**
    * Starts an authorization flow for a specific application.
    *
@@ -707,23 +691,23 @@ class OrganizationService {
   /**
    * Invites a user to join the active organization.
    *
+   * When the SDK runs with an application-scoped session, the server
+   * automatically scopes the resulting invitation to that application.
+   *
    * @param options - Invitation configuration
    * @param options.userEmail - Email address of the user to invite
    * @param options.role - Role to assign to the invited user
    * @param options.teamId - Team ID to add the user to
-   * @param options.applicationId - Legacy application scope; prefer applications.inviteUserToApplication for new app-scoped invites
    * @param options.resend - Whether to resend if invitation already exists
    * @returns The created invitation
    */
-  async inviteUserToOrganization({ userEmail, role, teamId, resend, applicationId }) {
-    const invitation = {
+  async inviteUserToOrganization({ userEmail, role, teamId, resend }) {
+    return await this.client.organization.inviteMember({
       email: userEmail,
       role,
       teamId,
-      resend: resend ?? false,
-      applicationId
-    };
-    return await this.client.organization.inviteMember(invitation);
+      resend: resend ?? false
+    });
   }
   /**
    * Cancels a pending organization invitation.
@@ -976,14 +960,20 @@ class SessionService {
    * @param options - Email/password sign-in configuration
    * @param options.email - User's email address
    * @param options.password - User's password
+   * @param options.callbackURL - URL to redirect to after successful authentication
    */
   async signInWithEmailAndPassword({
     email,
-    password
+    password,
+    callbackURL
   }) {
+    if (!isValidUrl(callbackURL)) {
+      throw new InvalidCallbackURL(`Invalid callback URL: ${callbackURL}`);
+    }
     await this.client.signIn.email({
       email,
-      password
+      password,
+      callbackURL
     });
   }
   /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meistrari/auth-core",
-  "version": "1.19.0",
+  "version": "1.20.1",
   "type": "module",
   "exports": {
     ".": {