npm - @momentumcms/auth - Versions diffs - 0.1.0 - Mend

@momentumcms/auth 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/CHANGELOG.md +19 -0
package/CLAUDE.md +130 -0
package/LICENSE +21 -0
package/README.md +11 -0
package/index.cjs +1227 -0
package/package.json +37 -0
package/src/index.d.ts +10 -0
package/src/lib/auth-collections.d.ts +27 -0
package/src/lib/auth-plugin.d.ts +79 -0
package/src/lib/auth.d.ts +144 -0
package/src/lib/email-templates.d.ts +48 -0
package/src/lib/email.d.ts +72 -0
package/src/lib/plugins/admin.d.ts +19 -0
package/src/lib/plugins/index.d.ts +4 -0
package/src/lib/plugins/organization.d.ts +19 -0
package/src/lib/plugins/sub-plugin.types.d.ts +29 -0
package/src/lib/plugins/two-factor.d.ts +12 -0

package/index.cjs ADDED Viewed

@@ -0,0 +1,1227 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// libs/auth/src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  AuthAccountCollection: () => AuthAccountCollection,
+  AuthApiKeysCollection: () => AuthApiKeysCollection,
+  AuthSessionCollection: () => AuthSessionCollection,
+  AuthUserCollection: () => AuthUserCollection,
+  AuthVerificationCollection: () => AuthVerificationCollection,
+  BASE_AUTH_COLLECTIONS: () => BASE_AUTH_COLLECTIONS,
+  authAdmin: () => authAdmin,
+  authOrganization: () => authOrganization,
+  authTwoFactor: () => authTwoFactor,
+  createEmailService: () => createEmailService,
+  createMomentumAuth: () => createMomentumAuth,
+  getEnabledOAuthProviders: () => getEnabledOAuthProviders,
+  getPasswordResetEmail: () => getPasswordResetEmail,
+  getVerificationEmail: () => getVerificationEmail,
+  momentumAuth: () => momentumAuth
+});
+module.exports = __toCommonJS(src_exports);
+// libs/auth/src/lib/auth.ts
+var import_better_auth = require("better-auth");
+var import_plugins = require("better-auth/plugins");
+// libs/auth/src/lib/email.ts
+var nodemailer = __toESM(require("nodemailer"));
+function getEnvConfig() {
+  const config = {};
+  if (process.env["SMTP_HOST"]) {
+    config.host = process.env["SMTP_HOST"];
+  }
+  if (process.env["SMTP_PORT"]) {
+    config.port = parseInt(process.env["SMTP_PORT"], 10);
+  }
+  if (process.env["SMTP_FROM"]) {
+    config.from = process.env["SMTP_FROM"];
+  }
+  if (process.env["SMTP_SECURE"]) {
+    config.secure = process.env["SMTP_SECURE"] === "true";
+  }
+  if (process.env["SMTP_USER"] && process.env["SMTP_PASS"]) {
+    config.auth = {
+      user: process.env["SMTP_USER"],
+      pass: process.env["SMTP_PASS"]
+    };
+  }
+  return config;
+}
+function createEmailService(config) {
+  const envConfig = getEnvConfig();
+  const finalConfig = {
+    host: config?.host ?? envConfig.host ?? "localhost",
+    port: config?.port ?? envConfig.port ?? 1025,
+    from: config?.from ?? envConfig.from ?? "noreply@momentum.local",
+    secure: config?.secure ?? envConfig.secure ?? false,
+    auth: config?.auth ?? envConfig.auth
+  };
+  const transportOptions = {
+    host: finalConfig.host,
+    port: finalConfig.port,
+    secure: finalConfig.secure
+  };
+  if (finalConfig.auth) {
+    transportOptions.auth = finalConfig.auth;
+  }
+  const transporter = nodemailer.createTransport(transportOptions);
+  return {
+    async sendEmail(options) {
+      await transporter.sendMail({
+        from: finalConfig.from,
+        to: options.to,
+        subject: options.subject,
+        text: options.text,
+        html: options.html
+      });
+    }
+  };
+}
+// libs/auth/src/lib/email-templates.ts
+function escapeHtml(unsafe) {
+  return unsafe.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+function wrapEmail(content, safeAppName) {
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${safeAppName}</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f4f4f5; line-height: 1.6;">
+  <table role="presentation" width="100%" cellspacing="0" cellpadding="0" style="background-color: #f4f4f5;">
+    <tr>
+      <td style="padding: 40px 20px;">
+        <table role="presentation" width="100%" cellspacing="0" cellpadding="0" style="max-width: 480px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; box-shadow: 0 1px 3px rgba(0,0,0,0.1);">
+          <tr>
+            <td style="padding: 40px;">
+              ${content}
+            </td>
+          </tr>
+        </table>
+        <table role="presentation" width="100%" cellspacing="0" cellpadding="0" style="max-width: 480px; margin: 20px auto 0;">
+          <tr>
+            <td style="text-align: center; color: #71717a; font-size: 12px;">
+              <p style="margin: 0;">&copy; ${(/* @__PURE__ */ new Date()).getFullYear()} ${safeAppName}. All rights reserved.</p>
+            </td>
+          </tr>
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>
+`.trim();
+}
+function getPasswordResetEmail(options) {
+  const { name, url, appName = "Momentum CMS", expiresIn = "1 hour" } = options;
+  const greeting = name ? `Hi ${name},` : "Hi,";
+  const subject = `Reset your password - ${appName}`;
+  const text2 = `
+${greeting}
+We received a request to reset your password. Click the link below to choose a new password:
+${url}
+This link will expire in ${expiresIn}.
+If you didn't request a password reset, you can safely ignore this email. Your password will remain unchanged.
+Thanks,
+The ${appName} Team
+`.trim();
+  const safeGreeting = name ? `Hi ${escapeHtml(name)},` : "Hi,";
+  const safeUrl = escapeHtml(url);
+  const safeAppName = escapeHtml(appName);
+  const safeExpiresIn = escapeHtml(expiresIn);
+  const html = wrapEmail(
+    `
+      <h1 style="margin: 0 0 24px; font-size: 24px; font-weight: 600; color: #18181b;">Reset your password</h1>
+      <p style="margin: 0 0 16px; color: #3f3f46;">${safeGreeting}</p>
+      <p style="margin: 0 0 24px; color: #3f3f46;">We received a request to reset your password. Click the button below to choose a new password:</p>
+      <table role="presentation" width="100%" cellspacing="0" cellpadding="0">
+        <tr>
+          <td style="padding: 0 0 24px;">
+            <a href="${safeUrl}" style="display: inline-block; padding: 12px 24px; background-color: #18181b; color: #ffffff; text-decoration: none; border-radius: 6px; font-weight: 500;">Reset Password</a>
+          </td>
+        </tr>
+      </table>
+      <p style="margin: 0 0 8px; color: #71717a; font-size: 14px;">This link will expire in ${safeExpiresIn}.</p>
+      <p style="margin: 0 0 24px; color: #71717a; font-size: 14px;">If you didn't request a password reset, you can safely ignore this email.</p>
+      <hr style="border: none; border-top: 1px solid #e4e4e7; margin: 24px 0;">
+      <p style="margin: 0; color: #71717a; font-size: 12px;">If the button doesn't work, copy and paste this URL into your browser:</p>
+      <p style="margin: 8px 0 0; color: #71717a; font-size: 12px; word-break: break-all;">${safeUrl}</p>
+    `,
+    safeAppName
+  );
+  return { subject, text: text2, html };
+}
+function getVerificationEmail(options) {
+  const { name, url, appName = "Momentum CMS", expiresIn = "24 hours" } = options;
+  const greeting = name ? `Hi ${name},` : "Hi,";
+  const subject = `Verify your email - ${appName}`;
+  const text2 = `
+${greeting}
+Welcome to ${appName}! Please verify your email address by clicking the link below:
+${url}
+This link will expire in ${expiresIn}.
+If you didn't create an account, you can safely ignore this email.
+Thanks,
+The ${appName} Team
+`.trim();
+  const safeGreeting = name ? `Hi ${escapeHtml(name)},` : "Hi,";
+  const safeUrl = escapeHtml(url);
+  const safeAppName = escapeHtml(appName);
+  const safeExpiresIn = escapeHtml(expiresIn);
+  const html = wrapEmail(
+    `
+      <h1 style="margin: 0 0 24px; font-size: 24px; font-weight: 600; color: #18181b;">Verify your email</h1>
+      <p style="margin: 0 0 16px; color: #3f3f46;">${safeGreeting}</p>
+      <p style="margin: 0 0 24px; color: #3f3f46;">Welcome to ${safeAppName}! Please verify your email address by clicking the button below:</p>
+      <table role="presentation" width="100%" cellspacing="0" cellpadding="0">
+        <tr>
+          <td style="padding: 0 0 24px;">
+            <a href="${safeUrl}" style="display: inline-block; padding: 12px 24px; background-color: #18181b; color: #ffffff; text-decoration: none; border-radius: 6px; font-weight: 500;">Verify Email</a>
+          </td>
+        </tr>
+      </table>
+      <p style="margin: 0 0 8px; color: #71717a; font-size: 14px;">This link will expire in ${safeExpiresIn}.</p>
+      <p style="margin: 0 0 24px; color: #71717a; font-size: 14px;">If you didn't create an account, you can safely ignore this email.</p>
+      <hr style="border: none; border-top: 1px solid #e4e4e7; margin: 24px 0;">
+      <p style="margin: 0; color: #71717a; font-size: 12px;">If the button doesn't work, copy and paste this URL into your browser:</p>
+      <p style="margin: 8px 0 0; color: #71717a; font-size: 12px; word-break: break-all;">${safeUrl}</p>
+    `,
+    safeAppName
+  );
+  return { subject, text: text2, html };
+}
+// libs/logger/src/lib/log-level.ts
+var LOG_LEVEL_VALUES = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  fatal: 4,
+  silent: 5
+};
+function shouldLog(messageLevel, configuredLevel) {
+  return LOG_LEVEL_VALUES[messageLevel] >= LOG_LEVEL_VALUES[configuredLevel];
+}
+// libs/logger/src/lib/ansi-colors.ts
+var ANSI = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  // Foreground colors
+  red: "\x1B[31m",
+  green: "\x1B[32m",
+  yellow: "\x1B[33m",
+  blue: "\x1B[34m",
+  magenta: "\x1B[35m",
+  cyan: "\x1B[36m",
+  white: "\x1B[37m",
+  gray: "\x1B[90m",
+  // Background colors
+  bgRed: "\x1B[41m",
+  bgYellow: "\x1B[43m"
+};
+function colorize(text2, ...codes) {
+  if (codes.length === 0)
+    return text2;
+  return `${codes.join("")}${text2}${ANSI.reset}`;
+}
+function supportsColor() {
+  if (process.env["FORCE_COLOR"] === "1")
+    return true;
+  if (process.env["NO_COLOR"] !== void 0)
+    return false;
+  if (process.env["TERM"] === "dumb")
+    return false;
+  return process.stdout.isTTY === true;
+}
+// libs/logger/src/lib/formatters.ts
+var LEVEL_COLORS = {
+  debug: [ANSI.dim, ANSI.gray],
+  info: [ANSI.cyan],
+  warn: [ANSI.yellow],
+  error: [ANSI.red],
+  fatal: [ANSI.bold, ANSI.white, ANSI.bgRed]
+};
+function padLevel(level) {
+  return level.toUpperCase().padEnd(5);
+}
+function formatTimestamp(date2) {
+  const y = date2.getFullYear();
+  const mo = String(date2.getMonth() + 1).padStart(2, "0");
+  const d = String(date2.getDate()).padStart(2, "0");
+  const h = String(date2.getHours()).padStart(2, "0");
+  const mi = String(date2.getMinutes()).padStart(2, "0");
+  const s = String(date2.getSeconds()).padStart(2, "0");
+  const ms = String(date2.getMilliseconds()).padStart(3, "0");
+  return `${y}-${mo}-${d} ${h}:${mi}:${s}.${ms}`;
+}
+function formatData(data) {
+  const entries = Object.entries(data);
+  if (entries.length === 0)
+    return "";
+  return " " + entries.map(([k, v]) => `${k}=${typeof v === "string" ? v : JSON.stringify(v)}`).join(" ");
+}
+function prettyFormatter(entry) {
+  const useColor = supportsColor();
+  const level = entry.level;
+  const ts = formatTimestamp(entry.timestamp);
+  const levelStr = padLevel(entry.level);
+  const ctx = `[${entry.context}]`;
+  const msg = entry.message;
+  const enrichmentStr = entry.enrichments ? formatData(entry.enrichments) : "";
+  const dataStr = entry.data ? formatData(entry.data) : "";
+  const extra = `${enrichmentStr}${dataStr}`;
+  if (useColor) {
+    const colors = LEVEL_COLORS[level];
+    const coloredLevel = colorize(levelStr, ...colors);
+    const coloredCtx = colorize(ctx, ANSI.magenta);
+    const coloredTs = colorize(ts, ANSI.gray);
+    return `${coloredTs} ${coloredLevel} ${coloredCtx} ${msg}${extra}
+`;
+  }
+  return `${ts} ${levelStr} ${ctx} ${msg}${extra}
+`;
+}
+function jsonFormatter(entry) {
+  const output = {
+    timestamp: entry.timestamp.toISOString(),
+    level: entry.level,
+    context: entry.context,
+    message: entry.message
+  };
+  if (entry.enrichments && Object.keys(entry.enrichments).length > 0) {
+    Object.assign(output, entry.enrichments);
+  }
+  if (entry.data && Object.keys(entry.data).length > 0) {
+    output["data"] = entry.data;
+  }
+  return JSON.stringify(output) + "\n";
+}
+// libs/logger/src/lib/logger-config.types.ts
+function resolveLoggingConfig(config) {
+  return {
+    level: config?.level ?? "info",
+    format: config?.format ?? "pretty",
+    timestamps: config?.timestamps ?? true,
+    output: config?.output ?? ((msg) => {
+      process.stdout.write(msg);
+    }),
+    errorOutput: config?.errorOutput ?? ((msg) => {
+      process.stderr.write(msg);
+    })
+  };
+}
+// libs/logger/src/lib/logger.ts
+var ERROR_LEVELS = /* @__PURE__ */ new Set(["warn", "error", "fatal"]);
+var MomentumLogger = class _MomentumLogger {
+  static {
+    this.enrichers = [];
+  }
+  constructor(context, config) {
+    this.context = context;
+    this.config = isResolvedConfig(config) ? config : resolveLoggingConfig(config);
+    this.formatter = this.config.format === "json" ? jsonFormatter : prettyFormatter;
+  }
+  debug(message, data) {
+    this.log("debug", message, data);
+  }
+  info(message, data) {
+    this.log("info", message, data);
+  }
+  warn(message, data) {
+    this.log("warn", message, data);
+  }
+  error(message, data) {
+    this.log("error", message, data);
+  }
+  fatal(message, data) {
+    this.log("fatal", message, data);
+  }
+  /**
+   * Creates a child logger with a sub-context.
+   * e.g., `Momentum:DB` → `Momentum:DB:Migrate`
+   */
+  child(subContext) {
+    return new _MomentumLogger(`${this.context}:${subContext}`, this.config);
+  }
+  /**
+   * Registers a global enricher that adds extra fields to all log entries.
+   */
+  static registerEnricher(enricher) {
+    _MomentumLogger.enrichers.push(enricher);
+  }
+  /**
+   * Removes a previously registered enricher.
+   */
+  static removeEnricher(enricher) {
+    const index = _MomentumLogger.enrichers.indexOf(enricher);
+    if (index >= 0) {
+      _MomentumLogger.enrichers.splice(index, 1);
+    }
+  }
+  /**
+   * Clears all registered enrichers. Primarily for testing.
+   */
+  static clearEnrichers() {
+    _MomentumLogger.enrichers.length = 0;
+  }
+  log(level, message, data) {
+    if (!shouldLog(level, this.config.level))
+      return;
+    const enrichments = this.collectEnrichments();
+    const entry = {
+      timestamp: /* @__PURE__ */ new Date(),
+      level,
+      context: this.context,
+      message,
+      data,
+      enrichments: Object.keys(enrichments).length > 0 ? enrichments : void 0
+    };
+    const formatted = this.formatter(entry);
+    if (ERROR_LEVELS.has(level)) {
+      this.config.errorOutput(formatted);
+    } else {
+      this.config.output(formatted);
+    }
+  }
+  collectEnrichments() {
+    const result = {};
+    for (const enricher of _MomentumLogger.enrichers) {
+      Object.assign(result, enricher.enrich());
+    }
+    return result;
+  }
+};
+function isResolvedConfig(config) {
+  if (!config)
+    return false;
+  return typeof config.level === "string" && typeof config.format === "string" && typeof config.timestamps === "boolean" && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- type guard narrows union
+  typeof config.output === "function" && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- type guard narrows union
+  typeof config.errorOutput === "function";
+}
+// libs/logger/src/lib/logger-singleton.ts
+var loggerInstance = null;
+var ROOT_CONTEXT = "Momentum";
+function getMomentumLogger() {
+  if (!loggerInstance) {
+    loggerInstance = new MomentumLogger(ROOT_CONTEXT);
+  }
+  return loggerInstance;
+}
+function createLogger(context) {
+  return getMomentumLogger().child(context);
+}
+// libs/auth/src/lib/auth.ts
+function isLegacyConfig(config) {
+  return "database" in config && !("db" in config);
+}
+function buildSocialProviders(config, baseURL) {
+  const providers = {};
+  const resolvedBaseURL = baseURL ?? "http://localhost:4000";
+  const googleClientId = config?.google?.clientId ?? process.env["GOOGLE_CLIENT_ID"];
+  const googleClientSecret = config?.google?.clientSecret ?? process.env["GOOGLE_CLIENT_SECRET"];
+  if (googleClientId && googleClientSecret) {
+    providers["google"] = {
+      clientId: googleClientId,
+      clientSecret: googleClientSecret,
+      redirectURI: config?.google?.redirectURI ?? `${resolvedBaseURL}/api/auth/callback/google`
+    };
+  }
+  const githubClientId = config?.github?.clientId ?? process.env["GITHUB_CLIENT_ID"];
+  const githubClientSecret = config?.github?.clientSecret ?? process.env["GITHUB_CLIENT_SECRET"];
+  if (githubClientId && githubClientSecret) {
+    providers["github"] = {
+      clientId: githubClientId,
+      clientSecret: githubClientSecret,
+      redirectURI: config?.github?.redirectURI ?? `${resolvedBaseURL}/api/auth/callback/github`
+    };
+  }
+  return Object.keys(providers).length > 0 ? providers : void 0;
+}
+function getEnabledOAuthProviders(config) {
+  const providers = [];
+  const googleClientId = config?.google?.clientId ?? process.env["GOOGLE_CLIENT_ID"];
+  const googleClientSecret = config?.google?.clientSecret ?? process.env["GOOGLE_CLIENT_SECRET"];
+  if (googleClientId && googleClientSecret) {
+    providers.push("google");
+  }
+  const githubClientId = config?.github?.clientId ?? process.env["GITHUB_CLIENT_ID"];
+  const githubClientSecret = config?.github?.clientSecret ?? process.env["GITHUB_CLIENT_SECRET"];
+  if (githubClientId && githubClientSecret) {
+    providers.push("github");
+  }
+  return providers;
+}
+function convertFieldsToAdditionalFields(fields) {
+  const result = {};
+  for (const field of fields) {
+    let baType;
+    switch (field.type) {
+      case "checkbox":
+        baType = "boolean";
+        break;
+      case "number":
+        baType = "number";
+        break;
+      case "date":
+        baType = "string";
+        break;
+      default:
+        baType = "string";
+        break;
+    }
+    result[field.name] = {
+      type: baType,
+      required: field.required ?? false,
+      input: false
+      // Sub-plugin fields are not user-settable by default
+    };
+  }
+  return result;
+}
+function createMomentumAuth(config) {
+  const dbConfig = isLegacyConfig(config) ? { type: "sqlite", database: config.database } : config.db;
+  const {
+    baseURL,
+    secret,
+    trustedOrigins,
+    email: emailConfig,
+    socialProviders,
+    twoFactorAuth
+  } = config;
+  const extraPlugins = !isLegacyConfig(config) ? config.plugins ?? [] : [];
+  const extraUserFields = !isLegacyConfig(config) ? config.userFields ?? [] : [];
+  const databaseOption = dbConfig.type === "sqlite" ? dbConfig.database : dbConfig.pool;
+  const emailEnabled = emailConfig?.enabled ?? !!process.env["SMTP_HOST"];
+  const appName = emailConfig?.appName ?? "Momentum CMS";
+  let emailService = null;
+  if (emailEnabled) {
+    emailService = createEmailService(emailConfig);
+  }
+  const emailAndPasswordConfig = {
+    enabled: true,
+    minPasswordLength: 8
+  };
+  if (emailService) {
+    emailAndPasswordConfig.sendResetPassword = async ({ user, url }) => {
+      const { subject, text: text2, html } = getPasswordResetEmail({
+        name: user.name,
+        url,
+        appName,
+        expiresIn: "1 hour"
+      });
+      emailService.sendEmail({
+        to: user.email,
+        subject,
+        text: text2,
+        html
+      }).catch((err) => {
+        createLogger("Auth").error(
+          `Failed to send password reset email: ${err instanceof Error ? err.message : String(err)}`
+        );
+      });
+    };
+  }
+  const requireVerification = emailConfig?.requireEmailVerification ?? false;
+  const emailVerificationConfig = emailService ? {
+    sendOnSignUp: true,
+    autoSignInAfterVerification: true,
+    expiresIn: 86400,
+    // 24 hours
+    sendVerificationEmail: async ({
+      user,
+      url
+    }) => {
+      const { subject, text: text2, html } = getVerificationEmail({
+        name: user.name,
+        url,
+        appName,
+        expiresIn: "24 hours"
+      });
+      emailService.sendEmail({
+        to: user.email,
+        subject,
+        text: text2,
+        html
+      }).catch((err) => {
+        createLogger("Auth").error(
+          `Failed to send verification email: ${err instanceof Error ? err.message : String(err)}`
+        );
+      });
+    }
+  } : void 0;
+  if (requireVerification && emailAndPasswordConfig) {
+    emailAndPasswordConfig.requireEmailVerification = true;
+  }
+  const socialProvidersConfig = buildSocialProviders(socialProviders, baseURL);
+  const plugins = [];
+  if (twoFactorAuth) {
+    plugins.push((0, import_plugins.twoFactor)());
+  }
+  for (const p of extraPlugins) {
+    if (p !== void 0) {
+      plugins.push(p);
+    }
+  }
+  return (0, import_better_auth.betterAuth)({
+    database: databaseOption,
+    baseURL: baseURL ?? "http://localhost:4000",
+    secret: secret ?? process.env["AUTH_SECRET"] ?? "momentum-cms-dev-secret-change-in-production",
+    trustedOrigins: trustedOrigins ?? [baseURL ?? "http://localhost:4000"],
+    // Enable email/password authentication with optional password reset
+    emailAndPassword: emailAndPasswordConfig,
+    // Email verification (only if email is enabled)
+    ...emailVerificationConfig && { emailVerification: emailVerificationConfig },
+    // Social login providers (only if configured)
+    ...socialProvidersConfig && { socialProviders: socialProvidersConfig },
+    // Plugins (2FA, etc.)
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/consistent-type-assertions -- Better Auth plugin types are opaque from sub-plugins
+    ...plugins.length > 0 && { plugins },
+    // Add custom role field to users + any extra user fields from sub-plugins.
+    // Base role is spread AFTER sub-plugin fields so it cannot be overwritten
+    // (a sub-plugin field named 'role' would lose defaultValue and input protection).
+    user: {
+      additionalFields: {
+        // Convert Momentum Field definitions to Better Auth additionalFields format
+        ...convertFieldsToAdditionalFields(extraUserFields.filter((f) => f.name !== "role")),
+        role: {
+          type: "string",
+          required: false,
+          defaultValue: "user",
+          input: false
+          // Don't allow users to set their own role
+        }
+      }
+    },
+    // Session configuration
+    // Note: cookieCache is intentionally disabled. It caches session data
+    // (including role) in a signed cookie, which causes stale role issues
+    // when roles are updated after session creation (e.g., setup flow).
+    session: {
+      expiresIn: 60 * 60 * 24 * 7,
+      // 7 days
+      updateAge: 60 * 60 * 24
+      // Update session every 24 hours
+    }
+  });
+}
+// libs/core/src/lib/collections/define-collection.ts
+function defineCollection(config) {
+  const collection = {
+    timestamps: true,
+    // Enable timestamps by default
+    ...config
+  };
+  if (!collection.slug) {
+    throw new Error("Collection must have a slug");
+  }
+  if (!collection.fields || collection.fields.length === 0) {
+    throw new Error(`Collection "${collection.slug}" must have at least one field`);
+  }
+  if (!/^[a-z][a-z0-9-]*$/.test(collection.slug)) {
+    throw new Error(
+      `Collection slug "${collection.slug}" must be kebab-case (lowercase letters, numbers, and hyphens, starting with a letter)`
+    );
+  }
+  return collection;
+}
+// libs/core/src/lib/fields/field-builders.ts
+function text(name, options = {}) {
+  return {
+    name,
+    type: "text",
+    ...options
+  };
+}
+function number(name, options = {}) {
+  return {
+    name,
+    type: "number",
+    ...options
+  };
+}
+function date(name, options = {}) {
+  return {
+    name,
+    type: "date",
+    ...options
+  };
+}
+function checkbox(name, options = {}) {
+  return {
+    name,
+    type: "checkbox",
+    ...options,
+    defaultValue: options.defaultValue ?? false
+  };
+}
+function select(name, options) {
+  return {
+    name,
+    type: "select",
+    ...options
+  };
+}
+function email(name, options = {}) {
+  return {
+    name,
+    type: "email",
+    ...options
+  };
+}
+function relationship(name, options) {
+  return {
+    name,
+    type: "relationship",
+    ...options
+  };
+}
+function json(name, options = {}) {
+  return {
+    name,
+    type: "json",
+    ...options
+  };
+}
+// libs/core/src/lib/collections/media.collection.ts
+var MediaCollection = defineCollection({
+  slug: "media",
+  labels: {
+    singular: "Media",
+    plural: "Media"
+  },
+  admin: {
+    useAsTitle: "filename",
+    defaultColumns: ["filename", "mimeType", "filesize", "createdAt"]
+  },
+  fields: [
+    text("filename", {
+      required: true,
+      label: "Filename",
+      description: "Original filename of the uploaded file"
+    }),
+    text("mimeType", {
+      required: true,
+      label: "MIME Type",
+      description: "File MIME type (e.g., image/jpeg, application/pdf)"
+    }),
+    number("filesize", {
+      label: "File Size",
+      description: "File size in bytes"
+    }),
+    text("path", {
+      required: true,
+      label: "Storage Path",
+      description: "Path/key where the file is stored",
+      admin: {
+        hidden: true
+      }
+    }),
+    text("url", {
+      label: "URL",
+      description: "Public URL to access the file"
+    }),
+    text("alt", {
+      label: "Alt Text",
+      description: "Alternative text for accessibility"
+    }),
+    number("width", {
+      label: "Width",
+      description: "Image width in pixels (for images only)"
+    }),
+    number("height", {
+      label: "Height",
+      description: "Image height in pixels (for images only)"
+    }),
+    json("focalPoint", {
+      label: "Focal Point",
+      description: "Focal point coordinates for image cropping",
+      admin: {
+        hidden: true
+      }
+    })
+  ],
+  access: {
+    // Media is readable by anyone by default
+    read: () => true,
+    // Only authenticated users can create/update/delete
+    create: ({ req }) => !!req?.user,
+    update: ({ req }) => !!req?.user,
+    delete: ({ req }) => !!req?.user
+  }
+});
+// libs/auth/src/lib/auth-collections.ts
+var AUTH_ROLES = [
+  { label: "Admin", value: "admin" },
+  { label: "Editor", value: "editor" },
+  { label: "User", value: "user" },
+  { label: "Viewer", value: "viewer" }
+];
+var AuthUserCollection = defineCollection({
+  slug: "auth-user",
+  dbName: "user",
+  timestamps: true,
+  labels: { singular: "User", plural: "Users" },
+  fields: [
+    text("name", { required: true }),
+    email("email", { required: true }),
+    checkbox("emailVerified"),
+    text("image"),
+    select("role", {
+      options: AUTH_ROLES,
+      defaultValue: "user"
+    })
+  ],
+  indexes: [{ columns: ["email"], unique: true }],
+  admin: {
+    group: "Authentication",
+    useAsTitle: "email",
+    defaultColumns: ["name", "email", "role", "createdAt"],
+    description: "Users authenticated via Better Auth"
+  },
+  access: {
+    admin: ({ req }) => req.user?.role === "admin",
+    read: ({ req }) => req.user?.role === "admin",
+    create: ({ req }) => req.user?.role === "admin",
+    update: ({ req }) => req.user?.role === "admin",
+    delete: ({ req }) => req.user?.role === "admin"
+  }
+});
+var AuthSessionCollection = defineCollection({
+  slug: "auth-session",
+  dbName: "session",
+  managed: true,
+  timestamps: true,
+  fields: [
+    text("userId", { required: true }),
+    text("token", { required: true }),
+    date("expiresAt", { required: true }),
+    text("ipAddress"),
+    text("userAgent")
+  ],
+  indexes: [{ columns: ["userId"] }, { columns: ["token"], unique: true }],
+  admin: {
+    group: "Authentication",
+    hidden: true,
+    description: "Active user sessions"
+  },
+  access: {
+    admin: ({ req }) => req.user?.role === "admin",
+    read: ({ req }) => req.user?.role === "admin",
+    create: () => false,
+    update: () => false,
+    delete: ({ req }) => req.user?.role === "admin"
+  }
+});
+var AuthAccountCollection = defineCollection({
+  slug: "auth-account",
+  dbName: "account",
+  managed: true,
+  timestamps: true,
+  fields: [
+    text("userId", { required: true }),
+    text("accountId", { required: true }),
+    text("providerId", { required: true }),
+    text("accessToken"),
+    text("refreshToken"),
+    date("accessTokenExpiresAt"),
+    date("refreshTokenExpiresAt"),
+    text("scope"),
+    text("idToken"),
+    text("password")
+  ],
+  indexes: [{ columns: ["userId"] }],
+  admin: {
+    group: "Authentication",
+    hidden: true,
+    description: "OAuth and credential accounts"
+  },
+  access: {
+    admin: ({ req }) => req.user?.role === "admin",
+    read: () => false,
+    // Never expose OAuth tokens/password hashes via API — Better Auth owns this data
+    create: () => false,
+    update: () => false,
+    delete: () => false
+  }
+});
+var AuthVerificationCollection = defineCollection({
+  slug: "auth-verification",
+  dbName: "verification",
+  managed: true,
+  timestamps: true,
+  fields: [
+    text("identifier", { required: true }),
+    text("value", { required: true }),
+    date("expiresAt", { required: true })
+  ],
+  admin: {
+    group: "Authentication",
+    hidden: true,
+    description: "Email verification and password reset tokens"
+  },
+  access: {
+    admin: ({ req }) => req.user?.role === "admin",
+    read: () => false,
+    create: () => false,
+    update: () => false,
+    delete: () => false
+  }
+});
+var AuthApiKeysCollection = defineCollection({
+  slug: "auth-api-keys",
+  dbName: "_api_keys",
+  timestamps: true,
+  fields: [
+    text("name", { required: true }),
+    text("keyHash", { required: true, admin: { hidden: true }, access: { read: () => false } }),
+    text("keyPrefix", { required: true }),
+    relationship("createdBy", {
+      required: true,
+      collection: () => AuthUserCollection,
+      label: "Created By"
+    }),
+    select("role", {
+      options: AUTH_ROLES,
+      defaultValue: "user"
+    }),
+    date("expiresAt"),
+    date("lastUsedAt")
+  ],
+  indexes: [{ columns: ["keyHash"], unique: true }, { columns: ["createdBy"] }],
+  admin: {
+    group: "Authentication",
+    useAsTitle: "name",
+    defaultColumns: ["name", "keyPrefix", "role", "createdBy", "createdAt", "lastUsedAt"],
+    description: "API keys for programmatic access",
+    headerActions: [
+      { id: "generate-key", label: "Generate API Key", endpoint: "/api/auth/api-keys" }
+    ]
+  },
+  access: {
+    admin: ({ req }) => !!req.user,
+    read: ({ req }) => !!req.user,
+    create: () => false,
+    // API keys must be created through dedicated /api/auth/api-keys endpoint
+    update: () => false,
+    delete: () => false
+    // Deletion only via dedicated /api/auth/api-keys/:id (has ownership checks)
+  },
+  defaultWhere: (req) => {
+    if (!req.user)
+      return { createdBy: "__none__" };
+    if (req.user.role === "admin")
+      return void 0;
+    return { createdBy: req.user.id };
+  }
+});
+var BASE_AUTH_COLLECTIONS = [
+  AuthUserCollection,
+  AuthSessionCollection,
+  AuthAccountCollection,
+  AuthVerificationCollection,
+  AuthApiKeysCollection
+];
+// libs/auth/src/lib/auth-plugin.ts
+function momentumAuth(config) {
+  let authInstance = null;
+  const subPlugins = config.plugins ?? [];
+  const allCollections = [];
+  const allUserFields = [...config.userFields ?? []];
+  const allSessionFields = [];
+  const allBetterAuthPlugins = [];
+  for (const sp of subPlugins) {
+    if (sp.collections)
+      allCollections.push(...sp.collections);
+    if (sp.userFields)
+      allUserFields.push(...sp.userFields);
+    if (sp.sessionFields)
+      allSessionFields.push(...sp.sessionFields);
+    if (sp.betterAuthPlugin !== void 0)
+      allBetterAuthPlugins.push(sp.betterAuthPlugin);
+  }
+  const authUserWithFields = {
+    ...AuthUserCollection,
+    fields: [...AuthUserCollection.fields, ...allUserFields]
+  };
+  const authSessionWithFields = {
+    ...AuthSessionCollection,
+    fields: [...AuthSessionCollection.fields, ...allSessionFields]
+  };
+  const finalAuthCollections = [
+    authUserWithFields,
+    authSessionWithFields,
+    // All base collections except user and session (which we replaced above)
+    ...BASE_AUTH_COLLECTIONS.filter((c) => c.slug !== "auth-user" && c.slug !== "auth-session"),
+    // Sub-plugin collections
+    ...allCollections
+  ];
+  const showInAdmin = config.admin?.showCollections ?? true;
+  if (!showInAdmin) {
+    for (const c of finalAuthCollections) {
+      c.admin = { ...c.admin, hidden: true };
+    }
+  }
+  return {
+    name: "momentum-auth",
+    // Static collections for admin UI route data (read at config time)
+    collections: finalAuthCollections,
+    getAuth() {
+      if (!authInstance) {
+        throw new Error("Auth not initialized. Call onInit first (via initializeMomentum).");
+      }
+      return authInstance;
+    },
+    tryGetAuth() {
+      return authInstance;
+    },
+    getPluginConfig() {
+      return {
+        db: config.db,
+        socialProviders: config.socialProviders
+      };
+    },
+    async onInit(context) {
+      const { logger } = context;
+      context.collections.push(...finalAuthCollections);
+      logger.info(`Injected ${finalAuthCollections.length} auth collections`);
+      authInstance = createMomentumAuth({
+        db: config.db,
+        baseURL: config.baseURL,
+        secret: config.secret,
+        trustedOrigins: config.trustedOrigins,
+        email: config.email,
+        socialProviders: config.socialProviders,
+        plugins: allBetterAuthPlugins,
+        userFields: allUserFields
+      });
+      logger.info("Better Auth instance created");
+    }
+  };
+}
+// libs/auth/src/lib/plugins/two-factor.ts
+var import_plugins2 = require("better-auth/plugins");
+var AuthTwoFactorCollection = defineCollection({
+  slug: "auth-two-factor",
+  dbName: "twoFactor",
+  managed: true,
+  timestamps: false,
+  fields: [
+    text("secret", { required: true }),
+    text("backupCodes", { required: true }),
+    text("userId", { required: true })
+  ],
+  indexes: [{ columns: ["secret"] }, { columns: ["userId"] }],
+  admin: {
+    group: "Authentication",
+    hidden: true,
+    description: "Two-factor authentication secrets"
+  },
+  access: {
+    read: () => false,
+    create: () => false,
+    update: () => false,
+    delete: () => false
+  }
+});
+function authTwoFactor() {
+  return {
+    name: "two-factor",
+    betterAuthPlugin: (0, import_plugins2.twoFactor)(),
+    collections: [AuthTwoFactorCollection],
+    userFields: [checkbox("twoFactorEnabled")]
+  };
+}
+// libs/auth/src/lib/plugins/admin.ts
+function authAdmin() {
+  return {
+    name: "admin",
+    // Stub: Better Auth admin plugin will be added here
+    betterAuthPlugin: void 0,
+    userFields: [checkbox("banned"), text("banReason"), date("banExpires")],
+    sessionFields: [text("impersonatedBy")]
+  };
+}
+// libs/auth/src/lib/plugins/organization.ts
+var AuthOrganizationCollection = defineCollection({
+  slug: "auth-organization",
+  dbName: "organization",
+  managed: true,
+  timestamps: true,
+  fields: [
+    text("name", { required: true }),
+    text("slug", { required: true }),
+    text("logo"),
+    text("metadata")
+  ],
+  indexes: [{ columns: ["slug"], unique: true }],
+  admin: {
+    group: "Authentication",
+    useAsTitle: "name",
+    description: "Organizations for multi-tenant access"
+  },
+  access: {
+    read: ({ req }) => req.user?.role === "admin",
+    create: ({ req }) => req.user?.role === "admin",
+    update: ({ req }) => req.user?.role === "admin",
+    delete: ({ req }) => req.user?.role === "admin"
+  }
+});
+var AuthMemberCollection = defineCollection({
+  slug: "auth-member",
+  dbName: "member",
+  managed: true,
+  timestamps: true,
+  fields: [
+    text("userId", { required: true }),
+    text("organizationId", { required: true }),
+    select("role", {
+      options: [
+        { label: "Owner", value: "owner" },
+        { label: "Admin", value: "admin" },
+        { label: "Member", value: "member" }
+      ],
+      defaultValue: "member"
+    })
+  ],
+  indexes: [
+    { columns: ["userId"] },
+    { columns: ["organizationId"] },
+    { columns: ["userId", "organizationId"], unique: true }
+  ],
+  admin: {
+    group: "Authentication",
+    hidden: true,
+    description: "Organization membership"
+  },
+  access: {
+    read: ({ req }) => req.user?.role === "admin",
+    create: () => false,
+    update: () => false,
+    delete: () => false
+  }
+});
+var AuthInvitationCollection = defineCollection({
+  slug: "auth-invitation",
+  dbName: "invitation",
+  managed: true,
+  timestamps: true,
+  fields: [
+    text("email", { required: true }),
+    text("organizationId", { required: true }),
+    text("inviterId", { required: true }),
+    select("role", {
+      options: [
+        { label: "Admin", value: "admin" },
+        { label: "Member", value: "member" }
+      ],
+      defaultValue: "member"
+    }),
+    select("status", {
+      options: [
+        { label: "Pending", value: "pending" },
+        { label: "Accepted", value: "accepted" },
+        { label: "Rejected", value: "rejected" },
+        { label: "Cancelled", value: "cancelled" }
+      ],
+      defaultValue: "pending"
+    }),
+    date("expiresAt", { required: true })
+  ],
+  indexes: [{ columns: ["organizationId"] }, { columns: ["email"] }],
+  admin: {
+    group: "Authentication",
+    hidden: true,
+    description: "Pending organization invitations"
+  },
+  access: {
+    read: ({ req }) => req.user?.role === "admin",
+    create: () => false,
+    update: () => false,
+    delete: () => false
+  }
+});
+function authOrganization() {
+  return {
+    name: "organization",
+    // Stub: Better Auth organization plugin will be added here
+    betterAuthPlugin: void 0,
+    collections: [AuthOrganizationCollection, AuthMemberCollection, AuthInvitationCollection]
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthAccountCollection,
+  AuthApiKeysCollection,
+  AuthSessionCollection,
+  AuthUserCollection,
+  AuthVerificationCollection,
+  BASE_AUTH_COLLECTIONS,
+  authAdmin,
+  authOrganization,
+  authTwoFactor,
+  createEmailService,
+  createMomentumAuth,
+  getEnabledOAuthProviders,
+  getPasswordResetEmail,
+  getVerificationEmail,
+  momentumAuth
+});