@mostajs/auth-lite 0.1.0

package/LICENSE

@@ -0,0 +1,29 @@
+GNU AFFERO GENERAL PUBLIC LICENSE
+Version 3, 19 November 2007
+
+Copyright (c) 2026 Dr Hamid MADANI <drmdh@msn.com>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+COMMERCIAL LICENSE
+
+For organizations that cannot comply with the AGPL open-source requirements,
+a commercial license is available. Contact: drmdh@msn.com
+
+The commercial license allows you to:
+- Use the software in proprietary/closed-source projects
+- Modify without publishing your source code
+- Get priority support and SLA
+
+Contact: Dr Hamid MADANI <drmdh@msn.com>

package/README.md

@@ -0,0 +1,212 @@
+# @mostajs/auth-lite
+
+> Minimal email/password + session auth for **Next.js (App Router)** on top of [`@mostajs/orm`](https://www.npmjs.com/package/@mostajs/orm).
+> **No native addon** (no bcrypt/argon2) → it boots in **Bolt.new / StackBlitz / WebContainers / the edge**, on the first try.
+
+[![npm](https://img.shields.io/npm/v/@mostajs/auth-lite)](https://www.npmjs.com/package/@mostajs/auth-lite)
+[![License: AGPL v3](https://img.shields.io/badge/License-AGPL_v3-blue.svg)](./LICENSE)
+
+`auth-lite` is the **readable, dependency-free** auth brick: salted iterated SHA-256
+password hashing (Node core `crypto`), a ready-made `Session` schema, login/signup/logout
+Route Handlers, and a `getCurrentUser()` for Server Components. It was extracted from the
+`mostajs-saas-starter` and hardened until it actually boots inside the StackBlitz
+WebContainer — the lessons learned are baked into its API (see [Why "lite"](#why-lite--webcontainer-safe-by-design)).
+
+> **Need OAuth, MFA, WebAuthn, magic links, Argon2id, refresh tokens?** Use the full
+> [`@mostajs/auth`](https://www.npmjs.com/package/@mostajs/auth) instead. `auth-lite` and
+> `@mostajs/auth` are alternatives — pick one (see [comparison](#auth-lite-vs-mostajsauth)).
+
+---
+
+## Install
+
+```bash
+npm i @mostajs/auth-lite @mostajs/orm next
+```
+
+Peer requirements: `@mostajs/orm >= 2.5.2`, `next >= 14`.
+To boot in a browser / WebContainer, use one of the ORM's WASM dialects (`sqljs` or `pglite`)
+so there is **zero native binary** in the dependency tree.
+
+---
+
+## Quickstart (5 steps)
+
+### 1 · Schemas — your `User` + the bundled `Session`
+
+Your `User` entity must have at least `email` (unique), `passwordHash`, and `name`.
+
+```ts
+// lib/orm/schemas.ts
+import type { EntitySchema } from '@mostajs/orm';
+export { SessionSchema } from '@mostajs/auth-lite';
+
+export const UserSchema: EntitySchema = {
+  name: 'User',
+  collection: 'users',
+  fields: {
+    email:        { type: 'string', required: true, unique: true, lowercase: true, trim: true },
+    name:         { type: 'string', required: true, trim: true },
+    passwordHash: { type: 'string', required: true },
+  },
+  indexes: [{ fields: ['email'], unique: true }],
+  timestamps: true,
+};
+```
+
+### 2 · Repos — expose `getRepos()`
+
+```ts
+// lib/orm/index.ts
+import { BaseRepository } from '@mostajs/orm';
+import { getDialect } from '@mostajs/orm';
+import { SessionSchema } from '@mostajs/auth-lite';
+import { UserSchema } from './schemas';
+
+export type User = { id: string; email: string; name: string; passwordHash: string };
+
+export async function getRepos() {
+  const dialect = await getDialect(
+    { dialect: 'sqljs', uri: ':memory:' },   // WASM → boots in Bolt/StackBlitz
+    [UserSchema, SessionSchema],
+  );
+  return {
+    users:    new BaseRepository<User>(UserSchema, dialect),
+    sessions: new BaseRepository(SessionSchema, dialect),
+  };
+}
+```
+
+### 3 · Route Handlers — login / signup / logout
+
+```ts
+// app/api/auth/login/route.ts
+import { createAuthHandlers } from '@mostajs/auth-lite';
+import { getRepos } from '@/lib/orm';
+export const POST = createAuthHandlers({ getRepos }).login;
+```
+
+```ts
+// app/api/auth/signup/route.ts
+import { createAuthHandlers } from '@mostajs/auth-lite';
+import { getRepos } from '@/lib/orm';
+export const POST = createAuthHandlers({ getRepos }).signup;
+```
+
+```ts
+// app/api/auth/logout/route.ts
+import { createAuthHandlers } from '@mostajs/auth-lite';
+import { getRepos } from '@/lib/orm';
+export const POST = createAuthHandlers({ getRepos }).logout;
+```
+
+### 4 · Read the session in Server Components
+
+```ts
+// lib/auth.ts
+import { createGetCurrentUser } from '@mostajs/auth-lite';
+import { getRepos, type User } from '@/lib/orm';
+export const getCurrentUser = createGetCurrentUser<User>({ getRepos });
+```
+
+### 5 · Forms post to the handlers (works without client JS)
+
+```tsx
+// app/login/page.tsx
+export default function LoginPage() {
+  return (
+    <form action="/api/auth/login" method="post">
+      <input name="email" type="email" required />
+      <input name="password" type="password" required />
+      <button type="submit">Log in</button>
+    </form>
+  );
+}
+```
+
+Guard each protected page:
+
+```tsx
+// app/dashboard/page.tsx
+import { redirect } from 'next/navigation';
+import { getCurrentUser } from '@/lib/auth';
+
+export const dynamic = 'force-dynamic';
+
+export default async function Dashboard() {
+  const user = await getCurrentUser();
+  if (!user) redirect('/login');         // ← per page, not only in the layout
+  return <p>Welcome, {user.name}</p>;
+}
+```
+
+---
+
+## API
+
+| Export | Signature | Purpose |
+|---|---|---|
+| `hashPassword` | `(password: string) => string` | Salted, 10 000× iterated SHA-256 → `"salt:hashHex"`. No native addon. |
+| `verifyPassword` | `(password: string, stored: string) => boolean` | Constant-time check (`timingSafeEqual`). |
+| `SessionSchema` | `EntitySchema` | `Session` entity (`token` unique, `expiresAt`, `user` → `User` M-1 cascade). Register it alongside `User`. |
+| `createAuthHandlers` | `(config) => { login, signup, logout }` | Each is `(req: NextRequest) => Promise<NextResponse>`; export as `POST`. |
+| `createGetCurrentUser` | `<TUser>(config) => () => Promise<TUser \| null>` | Resolve the logged-in user from the cookie (read before any DB call). |
+
+### `AuthLiteConfig`
+
+```ts
+interface AuthLiteConfig {
+  getRepos: () => Promise<{ users: AuthRepo; sessions: AuthRepo }>; // required
+  cookieName?: string;        // default "session"
+  ttlDays?: number;           // default 7
+  afterAuth?: string;         // default "/dashboard"
+  afterLogout?: string;       // default "/"
+  loginErrorPath?: string;    // default "/login?error=invalid"
+  signupErrorPath?: (kind: 'invalid' | 'exists') => string; // default "/signup?error=<kind>"
+}
+```
+
+`AuthRepo` is the minimal subset this module needs (`findOne`, `create`, `delete`,
+`findByIdWithRelations`) — fully satisfied by `@mostajs/orm`'s `BaseRepository`.
+
+---
+
+## Why "lite" — WebContainer-safe by design
+
+Tested for real in StackBlitz; the failures it hit are now prevented by the API itself:
+
+- **Cookies via Route Handlers, not `cookies()`.** Some runtimes (StackBlitz WebContainer)
+  lose Next's request async-context (AsyncLocalStorage) across an `await` on the DB, which
+  makes a later `cookies()` throw *"called outside a request scope"*. `createAuthHandlers`
+  sets the cookie on the **`NextResponse`** object (`res.cookies.set`) — that works everywhere.
+- **Read the cookie before the DB.** `getCurrentUser` reads the cookie while the request
+  context is still intact, then resolves the session.
+- **No native binary.** SHA-256 from Node core `crypto` — no bcrypt/argon2 to compile. For a
+  classic production server you can swap in argon2/scrypt (the `hashPassword`/`verifyPassword`
+  API is unchanged) or move to `@mostajs/auth`.
+- **Guard per page.** Always `if (!user) redirect('/login')` in each protected page — a layout
+  guard alone is not enough (layout and page run in parallel → `null.id` crash).
+
+---
+
+## `auth-lite` vs `@mostajs/auth`
+
+| | `@mostajs/auth-lite` | `@mostajs/auth` |
+|---|---|---|
+| Password hash | SHA-256 iterated (core crypto) | Argon2id |
+| Methods | email/password + sessions | email/password, OAuth/OIDC, magic link, MFA TOTP, WebAuthn/Passkeys |
+| Stack | `@mostajs/orm` + Next Route Handlers | NextAuth v5 + `@mostajs/rbac` |
+| Native deps | **none** (WebContainer/edge ready) | argon2 etc. (server) |
+| Footprint | one file, readable | ~30 sub-paths, full-featured |
+| Best for | starters, MVPs, Bolt/StackBlitz demos | production apps needing rich auth |
+
+They are **alternatives** — depend on one, not both.
+
+---
+
+## License
+
+AGPL-3.0-or-later. A commercial license is available for proprietary/closed-source use —
+see [`LICENSE`](./LICENSE).
+
+**Author**: Dr Hamid MADANI <drmdh@msn.com>

package/dist/index.d.ts

@@ -0,0 +1,51 @@
+/**
+ * @mostajs/auth-lite — minimal, dependency-free email/password + session auth
+ * for Next.js (App Router) on top of @mostajs/orm.
+ *
+ * Why "lite": it boots in WebContainers (Bolt.new / StackBlitz) and the edge —
+ * no native addon (no bcrypt/argon2), and it sets the session cookie on the
+ * NextResponse object inside Route Handlers, which sidesteps the AsyncLocalStorage
+ * pitfalls of `cookies()` after a DB call in constrained runtimes.
+ *
+ * Password hashing is salted, iterated SHA-256 (works everywhere). For a
+ * production server you can swap in argon2/scrypt — the API is unchanged.
+ *
+ * @author Dr Hamid MADANI <drmdh@msn.com>
+ */
+import type { NextRequest } from 'next/server';
+import type { EntitySchema } from '@mostajs/orm';
+export declare function hashPassword(password: string): string;
+export declare function verifyPassword(password: string, stored: string): boolean;
+export declare const SessionSchema: EntitySchema;
+/** Minimal repository shape this module needs (compatible with @mostajs/orm BaseRepository). */
+export interface AuthRepo {
+    findOne(filter: Record<string, unknown>): Promise<any>;
+    create(data: Record<string, unknown>): Promise<any>;
+    delete(id: string): Promise<unknown>;
+    findByIdWithRelations(id: string, relations: string[], options?: unknown): Promise<any>;
+}
+export interface AuthLiteConfig {
+    /** Returns the User + Session repositories (e.g. your getRepos()). */
+    getRepos: () => Promise<{
+        users: AuthRepo;
+        sessions: AuthRepo;
+    }>;
+    /** Session cookie name (default "session"). */
+    cookieName?: string;
+    /** Session lifetime in days (default 7). */
+    ttlDays?: number;
+    /** Where to go after login/signup (default "/dashboard"). */
+    afterAuth?: string;
+    /** Where to go after logout (default "/"). */
+    afterLogout?: string;
+    /** Redirect on invalid login (default "/login?error=invalid"). */
+    loginErrorPath?: string;
+    /** Redirect on signup error (default "/signup?error=<kind>"). */
+    signupErrorPath?: (kind: 'invalid' | 'exists') => string;
+}
+export declare function createAuthHandlers(config: AuthLiteConfig): {
+    login: (req: NextRequest) => Promise<import("next/server").NextResponse<unknown>>;
+    signup: (req: NextRequest) => Promise<import("next/server").NextResponse<unknown>>;
+    logout: (req: NextRequest) => Promise<import("next/server").NextResponse<unknown>>;
+};
+export declare function createGetCurrentUser<TUser = unknown>(config: AuthLiteConfig): () => Promise<TUser | null>;

package/dist/index.js

@@ -0,0 +1,136 @@
+import { createHash, randomBytes, timingSafeEqual } from 'crypto';
+import { baseFromHeaders } from '@mostajs/url';
+/**
+ * Base PUBLIQUE (`proto://host`) pour les redirects. En WebContainer
+ * (StackBlitz/Bolt) ou derrière un reverse proxy, `req.url` côté Node pointe
+ * sur le bind interne (`http://localhost:3000`) → l'utilisateur serait redirigé
+ * vers localhost. `baseFromHeaders` lit l'hôte public réel depuis
+ * `X-Forwarded-Host`/`Host` ; fallback sur l'origine de `req.url`.
+ */
+function reqBase(req) {
+    return baseFromHeaders(req.headers) ?? new URL(req.url).origin;
+}
+// ---------------------------------------------------------------------------
+// Password hashing — salted, iterated SHA-256 (no native addon, boots anywhere)
+// ---------------------------------------------------------------------------
+const ITERATIONS = 10_000;
+function derive(password, salt) {
+    let h = createHash('sha256').update(`${salt}:${password}`).digest();
+    for (let i = 0; i < ITERATIONS; i++)
+        h = createHash('sha256').update(h).digest();
+    return h;
+}
+export function hashPassword(password) {
+    const salt = randomBytes(16).toString('hex');
+    return `${salt}:${derive(password, salt).toString('hex')}`;
+}
+export function verifyPassword(password, stored) {
+    const [salt, hashHex] = stored.split(':');
+    if (!salt || !hashHex)
+        return false;
+    const expected = Buffer.from(hashHex, 'hex');
+    const actual = derive(password, salt);
+    return expected.length === actual.length && timingSafeEqual(expected, actual);
+}
+// ---------------------------------------------------------------------------
+// Default Session EntitySchema — register it alongside your own `User` entity
+// (User must have at least `email` (unique) and `passwordHash`; `name` for signup).
+// ---------------------------------------------------------------------------
+export const SessionSchema = {
+    name: 'Session',
+    collection: 'sessions',
+    fields: {
+        token: { type: 'string', required: true, unique: true },
+        expiresAt: { type: 'date', required: true },
+    },
+    relations: {
+        user: { target: 'User', type: 'many-to-one', required: true, onDelete: 'cascade' },
+    },
+    indexes: [{ fields: ['token'], unique: true }],
+    timestamps: true,
+};
+// ---------------------------------------------------------------------------
+// Route Handlers — login / signup / logout (set the cookie on the response)
+// ---------------------------------------------------------------------------
+export function createAuthHandlers(config) {
+    const cookie = config.cookieName ?? 'session';
+    const ttlMs = (config.ttlDays ?? 7) * 86400000;
+    const afterAuth = config.afterAuth ?? '/dashboard';
+    const afterLogout = config.afterLogout ?? '/';
+    const loginError = config.loginErrorPath ?? '/login?error=invalid';
+    const signupError = config.signupErrorPath ?? ((k) => `/signup?error=${k}`);
+    async function startSession(req, sessions, userId) {
+        const { NextResponse } = await import('next/server');
+        const token = randomBytes(32).toString('hex');
+        const expiresAt = new Date(Date.now() + ttlMs);
+        await sessions.create({ token, user: userId, expiresAt });
+        const res = NextResponse.redirect(new URL(afterAuth, reqBase(req)), 303);
+        res.cookies.set(cookie, token, { httpOnly: true, sameSite: 'lax', path: '/', expires: expiresAt });
+        return res;
+    }
+    /** POST handler — verify credentials, start a session. */
+    async function login(req) {
+        const { NextResponse } = await import('next/server');
+        const form = await req.formData();
+        const email = String(form.get('email') ?? '').toLowerCase().trim();
+        const password = String(form.get('password') ?? '');
+        const { users, sessions } = await config.getRepos();
+        const user = await users.findOne({ email });
+        if (!user || !verifyPassword(password, user.passwordHash)) {
+            return NextResponse.redirect(new URL(loginError, reqBase(req)), 303);
+        }
+        return startSession(req, sessions, user.id);
+    }
+    /** POST handler — create the account, start a session. */
+    async function signup(req) {
+        const { NextResponse } = await import('next/server');
+        const form = await req.formData();
+        const email = String(form.get('email') ?? '').toLowerCase().trim();
+        const name = String(form.get('name') ?? '').trim();
+        const password = String(form.get('password') ?? '');
+        if (!email || !name || password.length < 6) {
+            return NextResponse.redirect(new URL(signupError('invalid'), reqBase(req)), 303);
+        }
+        const { users, sessions } = await config.getRepos();
+        if (await users.findOne({ email })) {
+            return NextResponse.redirect(new URL(signupError('exists'), reqBase(req)), 303);
+        }
+        const user = await users.create({ email, name, passwordHash: hashPassword(password) });
+        return startSession(req, sessions, user.id);
+    }
+    /** POST handler — destroy the session (DB + cookie). */
+    async function logout(req) {
+        const { NextResponse } = await import('next/server');
+        const token = req.cookies.get(cookie)?.value;
+        if (token) {
+            const { sessions } = await config.getRepos();
+            const session = await sessions.findOne({ token });
+            if (session)
+                await sessions.delete(session.id);
+        }
+        const res = NextResponse.redirect(new URL(afterLogout, reqBase(req)), 303);
+        res.cookies.delete(cookie);
+        return res;
+    }
+    return { login, signup, logout };
+}
+// ---------------------------------------------------------------------------
+// getCurrentUser — read the session in Server Components (cookie read before DB)
+// ---------------------------------------------------------------------------
+export function createGetCurrentUser(config) {
+    const cookie = config.cookieName ?? 'session';
+    return async function getCurrentUser() {
+        const { cookies } = await import('next/headers');
+        const token = (await cookies()).get(cookie)?.value;
+        if (!token)
+            return null;
+        const { sessions } = await config.getRepos();
+        const session = await sessions.findOne({ token });
+        if (!session)
+            return null;
+        if (new Date(session.expiresAt) < new Date())
+            return null;
+        const populated = (await sessions.findByIdWithRelations(session.id, ['user']));
+        return populated?.user ?? null;
+    };
+}

package/llms.txt

@@ -0,0 +1,101 @@
+# @mostajs/auth-lite — fiche LLM
+> Auth email/mot de passe + sessions minimale pour Next.js (App Router) sur @mostajs/orm. Zéro addon natif → boote dans Bolt.new / StackBlitz / edge.
+
+- Version: 0.1.0 · Licence: AGPL-3.0-or-later · Auteur: Dr Hamid MADANI <drmdh@msn.com>
+- Chemin: mostajs/mosta-auth-lite · Statut: scaffold initial (src/index.ts) · peer: @mostajs/orm >=2.5.2, next >=14
+- Origine: extraction de la couche auth du `mostajs-saas-starter`, durcie jusqu'à booter réellement dans le WebContainer StackBlitz/Bolt.
+
+## RÔLE
+Brique d'authentification **minimale et sans dépendance native** pour les apps Next.js
+App Router qui tournent sur `@mostajs/orm` — en particulier celles générées/exécutées
+dans un WebContainer (Bolt.new, StackBlitz) ou à l'edge, où `bcrypt`/`argon2` (addons
+natifs) ne se compilent pas. Fournit : hachage de mot de passe (SHA-256 salé itéré,
+cœur Node, zéro binaire), un `EntitySchema` de session prêt à l'emploi, des Route
+Handlers login/signup/logout, et un lecteur de session pour Server Components.
+Ce N'EST PAS un remplaçant de `@mostajs/auth` (le module complet : Argon2id, OAuth/OIDC,
+magic link, MFA TOTP, WebAuthn, refresh tokens, NextAuth v5). `auth-lite` vise la
+simplicité lisible et la compatibilité WebContainer ; `@mostajs/auth` vise la production
+riche en fonctionnalités. Choisir l'un OU l'autre selon le besoin.
+
+## INSTALLATION
+npm i @mostajs/auth-lite @mostajs/orm next
+(le consumer fournit son entité `User` et ses repos via @mostajs/orm ; le module ne ship
+aucune DB. Pour booter en navigateur/WebContainer, utiliser un dialecte WASM de l'ORM :
+`sqljs` ou `pglite`.)
+
+## EXPORTS (point d'entrée unique `.`)
+- Fonctions: hashPassword, verifyPassword, createAuthHandlers, createGetCurrentUser
+- Schéma: SessionSchema (EntitySchema)
+- Types: AuthRepo, AuthLiteConfig
+
+## API — SIGNATURES
+hashPassword(password: string): string
+  // → "salt:hashHex" ; SHA-256 salé + itéré 10 000× (crypto cœur Node, aucun addon natif).
+verifyPassword(password: string, stored: string): boolean
+  // comparaison à temps constant (timingSafeEqual). false si format invalide.
+SessionSchema: EntitySchema
+  // name 'Session', collection 'sessions' ; fields { token (string, unique), expiresAt (date) } ;
+  // relation user → 'User' (many-to-one, required, onDelete: 'cascade') ; index unique sur token ; timestamps.
+createAuthHandlers(config: AuthLiteConfig): { login, signup, logout }
+  // chaque membre = (req: NextRequest) => Promise<NextResponse> — à exporter comme POST dans un Route Handler.
+  // login   : vérifie email+password, crée la session, pose le cookie sur la réponse, 303 → afterAuth.
+  // signup  : valide (email/name requis, password ≥ 6), rejette si email existe, crée user+session, 303 → afterAuth.
+  // logout  : supprime la session DB + le cookie, 303 → afterLogout.
+createGetCurrentUser<TUser = unknown>(config: AuthLiteConfig): () => Promise<TUser | null>
+  // getCurrentUser() : lit le cookie AVANT toute requête DB, résout la session, renvoie l'utilisateur peuplé ou null.
+  // null si pas de cookie / session absente / session expirée.
+
+## TYPES
+AuthRepo {
+  findOne(filter): Promise<any>
+  create(data): Promise<any>
+  delete(id: string): Promise<unknown>
+  findByIdWithRelations(id: string, relations: string[], options?): Promise<any>
+}  // sous-ensemble compatible @mostajs/orm BaseRepository.
+
+AuthLiteConfig {
+  getRepos: () => Promise<{ users: AuthRepo; sessions: AuthRepo }>   // requis
+  cookieName?: string         // défaut "session"
+  ttlDays?: number            // défaut 7
+  afterAuth?: string          // défaut "/dashboard"
+  afterLogout?: string        // défaut "/"
+  loginErrorPath?: string     // défaut "/login?error=invalid"
+  signupErrorPath?: (kind: 'invalid' | 'exists') => string  // défaut "/signup?error=<kind>"
+}
+
+## CONTRAINTES CONSUMER
+- L'entité `User` doit exposer au minimum `email` (unique), `passwordHash`, et `name` (pour signup).
+- Enregistrer `SessionSchema` à côté de l'entité `User` dans l'ORM.
+- `getRepos()` renvoie des `BaseRepository` (ou objets compatibles `AuthRepo`).
+
+## POURQUOI « lite » — leçons WebContainer (gravées dans l'API)
+- L1 — Mutation de cookie via Route Handlers : `createAuthHandlers` pose le cookie sur l'objet
+  `NextResponse` (`res.cookies.set`), pas via `cookies()`. Certains runtimes (StackBlitz
+  WebContainer) perdent le contexte async (AsyncLocalStorage) de Next à travers un `await` DB,
+  ce qui fait planter `cookies()` ("called outside a request scope"). Poser le cookie sur la
+  réponse marche partout.
+- L2 — Lecture de session avant DB : `getCurrentUser` lit le cookie AVANT toute requête DB
+  (contexte requête intact), puis seulement résout l'utilisateur.
+- L3 — Zéro addon natif : hachage SHA-256 (cœur `crypto`), pas de bcrypt/argon2 → compile et
+  boote en WebContainer / edge. Pour un serveur prod classique, on peut swapper argon2/scrypt
+  (l'API hashPassword/verifyPassword reste identique) ou passer à `@mostajs/auth`.
+- Garde-fou consumer : protéger CHAQUE page par `const u = await getCurrentUser(); if (!u) redirect('/login')`
+  — ne pas se reposer sur le seul `layout` + assertion `!` (layout et page s'exécutent en
+  parallèle → crash `null.id`).
+
+## EXEMPLE MINIMAL (Route Handler login)
+// app/api/auth/login/route.ts
+import { createAuthHandlers } from '@mostajs/auth-lite';
+import { getRepos } from '@/lib/orm';
+const { login } = createAuthHandlers({ getRepos });
+export const POST = login;
+
+// lib/auth.ts (Server Components)
+import { createGetCurrentUser } from '@mostajs/auth-lite';
+import { getRepos } from '@/lib/orm';
+export const getCurrentUser = createGetCurrentUser<User>({ getRepos });
+
+## VOIR AUSSI
+- `@mostajs/orm` — la couche données (dialectes WASM `sqljs`/`pglite` pour WebContainer).
+- `@mostajs/auth` — auth complète (Argon2id, OAuth, MFA, WebAuthn…) pour serveurs prod.
+- `mostajs-saas-starter` — app de référence d'où la couche est extraite.

package/package.json

@@ -0,0 +1,64 @@
+{
+  "name": "@mostajs/auth-lite",
+  "version": "0.1.0",
+  "description": "Minimal email/password + session auth for Next.js on @mostajs/orm. No native addon — boots in Bolt.new / StackBlitz / edge.",
+  "license": "AGPL-3.0-or-later",
+  "author": "Dr Hamid MADANI <drmdh@msn.com>",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "llms.txt",
+    "LICENSE"
+  ],
+  "keywords": [
+    "auth",
+    "authentication",
+    "sessions",
+    "nextjs",
+    "mostajs",
+    "orm",
+    "webcontainer",
+    "lightweight",
+    "password"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/apolocine/mosta-auth-lite"
+  },
+  "homepage": "https://mostajs.dev",
+  "engines": {
+    "node": ">=18.18.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "prepublishOnly": "npm run build"
+  },
+  "peerDependencies": {
+    "@mostajs/orm": ">=2.5.2",
+    "next": ">=14.0.0"
+  },
+  "devDependencies": {
+    "@mostajs/orm": "^2.5.2",
+    "@types/node": "^22.0.0",
+    "better-sqlite3": "^12.10.0",
+    "next": "^15.4.11",
+    "react": "^19.0.0",
+    "typescript": "^5.6.0"
+  },
+  "funding": {
+    "type": "github",
+    "url": "https://github.com/sponsors/apolocine"
+  },
+  "dependencies": {
+    "@mostajs/url": "^0.5.0"
+  }
+}