@neondatabase/auth 0.1.0-beta.1

package/dist/adapter-core-BDOw-gBC.mjs

@@ -0,0 +1,494 @@
+import { getGlobalBroadcastChannel } from "better-auth/client";
+import { adminClient, anonymousClient, emailOTPClient, jwtClient, magicLinkClient, organizationClient, phoneNumberClient } from "better-auth/client/plugins";
+
+//#region src/core/in-flight-request-manager.ts
+/**
+* Generic in-flight request deduplication manager.
+*
+* Prevents thundering herd by tracking Promises by key.
+* Multiple concurrent calls with the same key await the same Promise
+* instead of making N identical requests.
+*
+* Example:
+* ```typescript
+* const manager = new InFlightRequestManager();
+*
+* // 10 concurrent calls deduplicate to 1 actual fetch
+* const results = await Promise.all([
+*   manager.deduplicate('user:123', () => fetchUser(123)),
+*   manager.deduplicate('user:123', () => fetchUser(123)),
+*   // ... 8 more calls
+* ]);
+* // Result: 1 fetch call, 10 identical results
+* ```
+*
+* Thread Safety: JavaScript is single-threaded, no race conditions possible
+*/
+var InFlightRequestManager = class {
+	/**
+	* Map of request keys to in-flight Promises.
+	* Automatically cleared after Promise resolution (success or error).
+	*/
+	inFlightRequests = /* @__PURE__ */ new Map();
+	/**
+	* Execute function with deduplication.
+	*
+	* If request with same key is in-flight, returns existing Promise.
+	* Otherwise, executes fn and tracks the Promise.
+	*
+	* @param key - Unique identifier for this request (e.g., "getSession")
+	* @param fn - Async function to execute (only called if no in-flight request exists)
+	* @returns Promise that resolves to the function result
+	*
+	* @example
+	* ```typescript
+	* // First call: Executes fetchSession(), tracks Promise
+	* const result1 = await manager.deduplicate('getSession', fetchSession);
+	*
+	* // Concurrent call: Returns existing Promise (no fetchSession() call)
+	* const result2 = await manager.deduplicate('getSession', fetchSession);
+	*
+	* // Both results are identical (same object reference)
+	* console.log(result1 === result2); // true
+	* ```
+	*/
+	async deduplicate(key, fn) {
+		const existing = this.inFlightRequests.get(key);
+		if (existing) return existing;
+		const promise = fn().finally(() => {
+			this.inFlightRequests.delete(key);
+		});
+		this.inFlightRequests.set(key, promise);
+		return promise;
+	}
+	/**
+	* Clear specific in-flight request.
+	*
+	* Useful for forced refresh or cache invalidation scenarios.
+	* Next call with same key will execute fresh request.
+	*
+	* @param key - Request key to clear
+	*/
+	clear(key) {
+		this.inFlightRequests.delete(key);
+	}
+	/**
+	* Clear all in-flight requests.
+	*
+	* Useful for cleanup on sign-out or reset scenarios.
+	*/
+	clearAll() {
+		this.inFlightRequests.clear();
+	}
+	/**
+	* Check if request is in-flight.
+	*
+	* @param key - Request key to check
+	* @returns True if request is currently in-flight
+	*/
+	has(key) {
+		return this.inFlightRequests.has(key);
+	}
+	/**
+	* Get count of in-flight requests (for debugging/testing).
+	*
+	* @returns Number of currently tracked requests
+	*/
+	size() {
+		return this.inFlightRequests.size;
+	}
+};
+
+//#endregion
+//#region src/core/constants.ts
+/**
+* Session caching configuration constants
+*
+* Uses industry-standard 60s cache TTL (common across auth providers).
+*
+* Note: Token refresh detection is now automatic via Better Auth's
+* fetchOptions.onSuccess callback. No polling is needed.
+*/
+/** Session cache TTL in milliseconds (60 seconds) */
+const SESSION_CACHE_TTL_MS = 6e4;
+/** Clock skew buffer for token expiration checks in milliseconds (10 seconds) */
+const CLOCK_SKEW_BUFFER_MS = 1e4;
+/** Default session expiry duration in milliseconds (1 hour) */
+const DEFAULT_SESSION_EXPIRY_MS = 36e5;
+/** Name of the session verifier parameter in the URL, used for the OAUTH flow */
+const NEON_AUTH_SESSION_VERIFIER_PARAM_NAME = "neon_auth_session_verifier";
+
+//#endregion
+//#region src/utils/jwt.ts
+/**
+* Extract expiration timestamp from JWT payload
+* @param jwt - The JWT token string
+* @returns Expiration timestamp in seconds (Unix time) or null if invalid
+*/
+function getJwtExpiration(jwt) {
+	try {
+		const parts = jwt.split(".");
+		if (parts.length !== 3) return null;
+		const exp = JSON.parse(atob(parts[1])).exp;
+		return typeof exp === "number" ? exp : null;
+	} catch {
+		return null;
+	}
+}
+
+//#endregion
+//#region src/core/session-cache-manager.ts
+/**
+* Manages in-memory session cache with TTL expiration.
+*
+* Features:
+* - Stores sessions in Better Auth native format
+* - Automatic expiration based on JWT token expiration
+* - Invalidation flag for sign-out scenarios
+* - TTL calculation with clock skew buffer
+*
+* Example:
+* ```typescript
+* const cacheManager = new SessionCacheManager();
+* cacheManager.setCachedSession({ session, user });
+* const cached = cacheManager.getCachedSession();
+* ```
+*/
+var SessionCacheManager = class {
+	cache = null;
+	lastSessionData = null;
+	/**
+	* Get cached session if valid and not expired.
+	* Returns null if cache is invalid, expired, or doesn't exist.
+	*/
+	getCachedSession() {
+		if (!this.cache || this.cache.invalidated) return null;
+		if (Date.now() > this.cache.expiresAt) {
+			this.clearSessionCache();
+			return null;
+		}
+		return this.cache.data;
+	}
+	/**
+	* Set cached session with optional TTL.
+	* If TTL not provided, calculates from JWT expiration.
+	* Skips caching if cache was invalidated (sign-out scenario).
+	*/
+	setCachedSession(data, ttl) {
+		if (this.cache?.invalidated) return;
+		this.lastSessionData = this.cache?.data ?? null;
+		const calculatedTtl = ttl ?? this.calculateCacheTTL(data.session.token);
+		this.cache = {
+			data,
+			expiresAt: Date.now() + calculatedTtl,
+			invalidated: false
+		};
+	}
+	/**
+	* Invalidate cache (marks as invalid but doesn't clear).
+	* Useful for sign-out scenarios where in-flight requests should not cache.
+	*/
+	invalidateSessionCache() {
+		if (this.cache) this.cache.invalidated = true;
+	}
+	/**
+	* Clear cache completely.
+	*/
+	clearSessionCache() {
+		this.cache = null;
+		this.lastSessionData = null;
+	}
+	/**
+	* Check if token was refreshed by comparing tokens with previous session.
+	* Returns true if tokens differ (token was refreshed), false otherwise.
+	*/
+	wasTokenRefreshed(data) {
+		if (!this.lastSessionData?.session?.token || !data?.session?.token) return false;
+		return this.lastSessionData.session.token !== data.session.token;
+	}
+	/**
+	* Calculate cache TTL from JWT expiration.
+	* Falls back to default TTL if JWT is invalid or missing.
+	*/
+	calculateCacheTTL(jwt) {
+		if (!jwt) return SESSION_CACHE_TTL_MS;
+		const exp = getJwtExpiration(jwt);
+		if (!exp) return SESSION_CACHE_TTL_MS;
+		const now = Date.now();
+		const ttl = exp * 1e3 - now - CLOCK_SKEW_BUFFER_MS;
+		return Math.max(ttl, 1e3);
+	}
+};
+
+//#endregion
+//#region src/utils/browser.ts
+/**
+* Checks if the code is running in a browser environment
+* @returns true if in browser, false otherwise (e.g., Node.js)
+*/
+const isBrowser = () => {
+	return globalThis.window !== void 0 && typeof document !== "undefined";
+};
+
+//#endregion
+//#region src/core/better-auth-methods.ts
+const CURRENT_TAB_CLIENT_ID = crypto.randomUUID();
+const BETTER_AUTH_METHODS_IN_FLIGHT_REQUESTS = new InFlightRequestManager();
+const BETTER_AUTH_METHODS_CACHE = new SessionCacheManager();
+const BETTER_AUTH_ENDPOINTS = {
+	signUp: "/sign-up",
+	signIn: "/sign-in",
+	signOut: "/sign-out",
+	updateUser: "/update-user",
+	getSession: "/get-session",
+	token: "/token"
+};
+const BETTER_AUTH_METHODS_HOOKS = {
+	signUp: {
+		onRequest: () => {},
+		onSuccess: (responseData) => {
+			if (isSessionResponseData(responseData)) {
+				const sessionData = {
+					session: responseData.session,
+					user: responseData.user
+				};
+				BETTER_AUTH_METHODS_CACHE.setCachedSession(sessionData);
+				emitAuthEvent({
+					type: "SIGN_IN",
+					data: sessionData
+				});
+			}
+		}
+	},
+	signIn: {
+		onRequest: () => {},
+		onSuccess: (responseData) => {
+			if (isSessionResponseData(responseData)) {
+				const sessionData = {
+					session: responseData.session,
+					user: responseData.user
+				};
+				BETTER_AUTH_METHODS_CACHE.setCachedSession(sessionData);
+				emitAuthEvent({
+					type: "SIGN_IN",
+					data: sessionData
+				});
+			}
+		}
+	},
+	signOut: {
+		onRequest: () => {
+			BETTER_AUTH_METHODS_CACHE.invalidateSessionCache();
+			BETTER_AUTH_METHODS_IN_FLIGHT_REQUESTS.clearAll();
+		},
+		onSuccess: () => {
+			BETTER_AUTH_METHODS_CACHE.clearSessionCache();
+			emitAuthEvent({ type: "SIGN_OUT" });
+		}
+	},
+	updateUser: {
+		onRequest: () => {},
+		onSuccess: (responseData) => {
+			if (isSessionResponseData(responseData)) emitAuthEvent({
+				type: "USER_UPDATE",
+				data: {
+					session: responseData.session,
+					user: responseData.user
+				}
+			});
+		}
+	},
+	getSession: {
+		beforeRequest: () => {
+			const cachedData = BETTER_AUTH_METHODS_CACHE.getCachedSession();
+			if (!cachedData) return null;
+			return Response.json(cachedData, { status: 200 });
+		},
+		onRequest: (ctx) => {
+			if (!isBrowser()) return;
+			const neonAuthSessionVerifierParam = new URLSearchParams(globalThis.window.location.search).get(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
+			if (neonAuthSessionVerifierParam) {
+				const url = typeof ctx.url === "string" ? new URL(ctx.url) : ctx.url;
+				url.searchParams.set(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME, neonAuthSessionVerifierParam);
+				return {
+					...ctx,
+					url
+				};
+			}
+		},
+		onSuccess: (responseData) => {
+			if (isSessionResponseData(responseData)) {
+				const sessionData = {
+					session: responseData.session,
+					user: responseData.user
+				};
+				const wasRefreshed = BETTER_AUTH_METHODS_CACHE.wasTokenRefreshed(sessionData);
+				BETTER_AUTH_METHODS_CACHE.setCachedSession(sessionData);
+				if (wasRefreshed) emitAuthEvent({
+					type: "TOKEN_REFRESH",
+					data: sessionData
+				});
+				if (isBrowser()) {
+					const url = new URL(globalThis.window.location.href);
+					if (url.searchParams.get(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME)) {
+						url.searchParams.delete(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
+						history.replaceState(history.state, "", url.href);
+					}
+				}
+			}
+		}
+	}
+};
+/**
+* Unified event emission method that handles Better Auth broadcasts.
+* Broadcasts use Better Auth native format - each adapter handles
+* conversion to their specific format (e.g., Supabase Session).
+*
+* This ensures:
+* - Single source of truth for all event emissions
+* - Better Auth ecosystem compatibility via getGlobalBroadcastChannel()
+* - Adapter-agnostic event format
+* - Cross-tab synchronization via Better Auth's broadcast system
+*/
+async function emitAuthEvent(event) {
+	const eventType = mapToEventType(event);
+	const sessionData = "data" in event ? event.data : null;
+	const trigger = mapToTrigger(event);
+	if (trigger) getGlobalBroadcastChannel().post({
+		event: "session",
+		data: { trigger },
+		clientId: CURRENT_TAB_CLIENT_ID
+	});
+	getGlobalBroadcastChannel().post({
+		event: "session",
+		data: {
+			trigger: eventType,
+			sessionData
+		},
+		clientId: CURRENT_TAB_CLIENT_ID
+	});
+}
+/** Maps internal event types to NeonAuthChangeEvent */
+function mapToEventType(event) {
+	switch (event.type) {
+		case "SIGN_IN": return "SIGNED_IN";
+		case "SIGN_OUT": return "SIGNED_OUT";
+		case "TOKEN_REFRESH": return "TOKEN_REFRESHED";
+		case "USER_UPDATE": return "USER_UPDATED";
+	}
+}
+/** Maps internal event types to Better Auth broadcast triggers */
+function mapToTrigger(event) {
+	switch (event.type) {
+		case "SIGN_OUT": return "signout";
+		case "TOKEN_REFRESH": return null;
+		case "USER_UPDATE": return "updateUser";
+		case "SIGN_IN": return null;
+	}
+}
+/**
+* Type guard that validates response data has non-null session and user.
+* Narrows the type to ensure session and user are not null.
+*/
+function isSessionResponseData(responseData) {
+	return Boolean(responseData && typeof responseData === "object" && "session" in responseData && "user" in responseData && responseData.session !== null && responseData.user !== null);
+}
+function deriveBetterAuthMethodFromUrl(url) {
+	if (url.includes(BETTER_AUTH_ENDPOINTS.signIn)) return "signIn";
+	if (url.includes(BETTER_AUTH_ENDPOINTS.signUp)) return "signUp";
+	if (url.includes(BETTER_AUTH_ENDPOINTS.signOut)) return "signOut";
+	if (url.includes(BETTER_AUTH_ENDPOINTS.updateUser)) return "updateUser";
+	if (url.includes(BETTER_AUTH_ENDPOINTS.getSession) || url.includes(BETTER_AUTH_ENDPOINTS.token)) return "getSession";
+}
+function initBroadcastChannel() {
+	getGlobalBroadcastChannel().subscribe((message) => {
+		if (message.clientId === CURRENT_TAB_CLIENT_ID) return;
+		const trigger = message.data?.trigger;
+		if (trigger === "signout" || trigger === "updateUser" || trigger === "getSession") BETTER_AUTH_METHODS_CACHE.clearSessionCache();
+	});
+}
+
+//#endregion
+//#region src/core/adapter-core.ts
+const FORCE_FETCH_HEADER = "X-Force-Fetch";
+const supportedBetterAuthClientPlugins = [
+	jwtClient(),
+	adminClient(),
+	organizationClient(),
+	emailOTPClient(),
+	anonymousClient(),
+	phoneNumberClient(),
+	magicLinkClient()
+];
+var NeonAuthAdapterCore = class {
+	betterAuthOptions;
+	/**
+	* Better Auth adapter implementing the NeonAuthClient interface.
+	* See CLAUDE.md for architecture details and API mappings.
+	*/
+	constructor(betterAuthClientOptions) {
+		const userOnSuccess = betterAuthClientOptions.fetchOptions?.onSuccess;
+		const userOnRequest = betterAuthClientOptions.fetchOptions?.onRequest;
+		this.betterAuthOptions = {
+			...betterAuthClientOptions,
+			plugins: supportedBetterAuthClientPlugins,
+			fetchOptions: {
+				...betterAuthClientOptions.fetchOptions,
+				throw: false,
+				onRequest: (request) => {
+					const url = request.url;
+					const method = deriveBetterAuthMethodFromUrl(url.toString());
+					if (method) BETTER_AUTH_METHODS_HOOKS[method].onRequest(request);
+					userOnRequest?.(request);
+				},
+				customFetchImpl: async (url, init) => {
+					if (init?.headers && FORCE_FETCH_HEADER in init.headers) {
+						const headers = { ...init.headers };
+						delete headers[FORCE_FETCH_HEADER];
+						const response$1 = await fetch(url, {
+							...init,
+							headers
+						});
+						if (!response$1.ok) {
+							const body = await response$1.clone().json().catch(() => ({}));
+							const err = new Error(body.message || `HTTP ${response$1.status} ${response$1.statusText}`);
+							err.status = response$1.status;
+							err.statusText = response$1.statusText;
+							throw err;
+						}
+						return response$1;
+					}
+					const betterAuthMethod = deriveBetterAuthMethodFromUrl(url.toString());
+					if (betterAuthMethod) {
+						const response$1 = await BETTER_AUTH_METHODS_HOOKS[betterAuthMethod].beforeRequest?.(url, init);
+						if (response$1) return response$1;
+					}
+					const key = `${init?.method || "GET"}:${url}:${init?.body || ""}`;
+					const response = await BETTER_AUTH_METHODS_IN_FLIGHT_REQUESTS.deduplicate(key, () => fetch(url, init));
+					if (!response.ok) {
+						const errorBody = await response.clone().json().catch(() => ({}));
+						const err = new Error(errorBody.message || `HTTP ${response.status} ${response.statusText}`);
+						err.status = response.status;
+						err.statusText = response.statusText;
+						throw err;
+					}
+					return response.clone();
+				},
+				onSuccess: async (ctx) => {
+					const jwt = ctx.response.headers.get("set-auth-jwt");
+					if (jwt) if (ctx.data?.session) ctx.data.session.token = jwt;
+					else console.warn("[onSuccess] JWT found but no session data to inject into!");
+					const url = ctx.request.url.toString();
+					const responseData = ctx.data;
+					const method = deriveBetterAuthMethodFromUrl(url);
+					if (method) BETTER_AUTH_METHODS_HOOKS[method].onSuccess(responseData);
+					await userOnSuccess?.(ctx);
+				}
+			}
+		};
+		initBroadcastChannel();
+	}
+};
+
+//#endregion
+export { DEFAULT_SESSION_EXPIRY_MS as a, CURRENT_TAB_CLIENT_ID as i, BETTER_AUTH_METHODS_CACHE as n, BETTER_AUTH_METHODS_HOOKS as r, NeonAuthAdapterCore as t };