@neondatabase/auth 0.1.0-beta.12 → 0.1.0-beta.14

package/dist/{adapter-core-DODfSw9P.mjs → adapter-core-BPv4mLT0.mjs}

@@ -1,5 +1,6 @@
 import { getGlobalBroadcastChannel } from "better-auth/client";
-import { adminClient, anonymousClient, emailOTPClient, jwtClient, organizationClient } from "better-auth/client/plugins";
+import { adminClient, emailOTPClient, jwtClient, organizationClient } from "better-auth/client/plugins";
+import z from "zod";
 
 //#region src/core/in-flight-request-manager.ts
 /**
@@ -136,16 +137,68 @@ function getJwtExpiration(jwt) {
 	}
 }
 
+//#endregion
+//#region src/core/token-cache.ts
+var TokenCache = class {
+	cache = null;
+	/**
+	* Get cached data if not expired.
+	* Returns null if cache is empty or expired.
+	*/
+	get() {
+		if (!this.cache) return null;
+		if (Date.now() > this.cache.expiresAt) {
+			this.cache = null;
+			return null;
+		}
+		return this.cache.data;
+	}
+	/**
+	* Set cached data with TTL.
+	* If jwt is provided, TTL is calculated from its expiration.
+	* Otherwise, uses default SESSION_CACHE_TTL_MS.
+	*/
+	set(data, jwt) {
+		const ttl = this.calculateTTL(jwt);
+		this.cache = {
+			data,
+			expiresAt: Date.now() + ttl
+		};
+	}
+	/**
+	* Clear the cache.
+	*/
+	clear() {
+		this.cache = null;
+	}
+	/**
+	* Check if cache has valid (non-expired) data.
+	*/
+	has() {
+		return this.get() !== null;
+	}
+	/**
+	* Calculate cache TTL from JWT expiration.
+	* Falls back to default TTL if JWT is invalid or missing.
+	*/
+	calculateTTL(jwt) {
+		if (!jwt) return SESSION_CACHE_TTL_MS;
+		const exp = getJwtExpiration(jwt);
+		if (!exp) return SESSION_CACHE_TTL_MS;
+		const now = Date.now();
+		const ttl = exp * 1e3 - now - CLOCK_SKEW_BUFFER_MS;
+		return Math.max(ttl, 1e3);
+	}
+};
+
 //#endregion
 //#region src/core/session-cache-manager.ts
 /**
 * Manages in-memory session cache with TTL expiration.
 *
-* Features:
-* - Stores sessions in Better Auth native format
-* - Automatic expiration based on JWT token expiration
+* Built on TokenCache, adding session-specific features:
 * - Invalidation flag for sign-out scenarios
-* - TTL calculation with clock skew buffer
+* - Token refresh detection via lastSessionData comparison
 *
 * Example:
 * ```typescript
@@ -155,48 +208,40 @@ function getJwtExpiration(jwt) {
 * ```
 */
 var SessionCacheManager = class {
-	cache = null;
+	cache = new TokenCache();
 	lastSessionData = null;
+	invalidated = false;
 	/**
 	* Get cached session if valid and not expired.
 	* Returns null if cache is invalid, expired, or doesn't exist.
 	*/
 	getCachedSession() {
-		if (!this.cache || this.cache.invalidated) return null;
-		if (Date.now() > this.cache.expiresAt) {
-			this.clearSessionCache();
-			return null;
-		}
-		return this.cache.data;
+		if (this.invalidated) return null;
+		return this.cache.get();
 	}
 	/**
-	* Set cached session with optional TTL.
-	* If TTL not provided, calculates from JWT expiration.
+	* Set cached session with JWT-based TTL.
 	* Skips caching if cache was invalidated (sign-out scenario).
 	*/
-	setCachedSession(data, ttl) {
-		if (this.cache?.invalidated) return;
-		this.lastSessionData = this.cache?.data ?? null;
-		const calculatedTtl = ttl ?? this.calculateCacheTTL(data.session.token);
-		this.cache = {
-			data,
-			expiresAt: Date.now() + calculatedTtl,
-			invalidated: false
-		};
+	setCachedSession(data) {
+		if (this.invalidated) return;
+		this.lastSessionData = this.cache.get();
+		this.cache.set(data, data.session.token);
 	}
 	/**
 	* Invalidate cache (marks as invalid but doesn't clear).
 	* Useful for sign-out scenarios where in-flight requests should not cache.
 	*/
 	invalidateSessionCache() {
-		if (this.cache) this.cache.invalidated = true;
+		this.invalidated = true;
 	}
 	/**
 	* Clear cache completely.
 	*/
 	clearSessionCache() {
-		this.cache = null;
+		this.cache.clear();
 		this.lastSessionData = null;
+		this.invalidated = false;
 	}
 	/**
 	* Check if token was refreshed by comparing tokens with previous session.
@@ -206,17 +251,45 @@ var SessionCacheManager = class {
 		if (!this.lastSessionData?.session?.token || !data?.session?.token) return false;
 		return this.lastSessionData.session.token !== data.session.token;
 	}
+};
+
+//#endregion
+//#region src/core/anonymous-token-cache-manager.ts
+/**
+* Manages in-memory anonymous token cache with TTL expiration.
+*
+* Stores the full anonymous token response (token + expires_at).
+* Unlike SessionCacheManager, doesn't need:
+* - Invalidation flag (no sign-out scenario for anonymous tokens)
+* - Refresh detection (anonymous tokens are stateless)
+*/
+var AnonymousTokenCacheManager = class {
+	cache = new TokenCache();
 	/**
-	* Calculate cache TTL from JWT expiration.
-	* Falls back to default TTL if JWT is invalid or missing.
+	* Get cached anonymous token response if not expired.
+	* Returns null if cache is empty or expired.
 	*/
-	calculateCacheTTL(jwt) {
-		if (!jwt) return SESSION_CACHE_TTL_MS;
-		const exp = getJwtExpiration(jwt);
-		if (!exp) return SESSION_CACHE_TTL_MS;
-		const now = Date.now();
-		const ttl = exp * 1e3 - now - CLOCK_SKEW_BUFFER_MS;
-		return Math.max(ttl, 1e3);
+	getCachedResponse() {
+		return this.cache.get();
+	}
+	/**
+	* Set cached anonymous token response with JWT-based TTL.
+	* TTL is automatically calculated from the JWT expiration.
+	*/
+	setCachedResponse(data) {
+		this.cache.set(data, data.token);
+	}
+	/**
+	* Clear the cache.
+	*/
+	clearCache() {
+		this.cache.clear();
+	}
+	/**
+	* Check if cache has a valid (non-expired) response.
+	*/
+	hasCachedResponse() {
+		return this.cache.has();
 	}
 };
 
@@ -230,11 +303,34 @@ const isBrowser = () => {
 	return globalThis.window !== void 0 && typeof document !== "undefined";
 };
 
+//#endregion
+//#region src/plugins/anonymous-token.ts
+const ANONYMOUS_TOKEN_ENDPOINT = "/token/anonymous";
+const anonymousTokenResponseSchema = z.object({
+	token: z.string(),
+	expires_at: z.number()
+});
+const anonymousTokenClient = () => {
+	return {
+		id: "anonymous-token",
+		pathMethods: { [ANONYMOUS_TOKEN_ENDPOINT]: "GET" },
+		getActions: ($fetch) => {
+			return { getAnonymousToken: async (fetchOptions) => {
+				return await $fetch(ANONYMOUS_TOKEN_ENDPOINT, {
+					method: "GET",
+					...fetchOptions
+				});
+			} };
+		}
+	};
+};
+
 //#endregion
 //#region src/core/better-auth-methods.ts
 const CURRENT_TAB_CLIENT_ID = crypto.randomUUID();
 const BETTER_AUTH_METHODS_IN_FLIGHT_REQUESTS = new InFlightRequestManager();
 const BETTER_AUTH_METHODS_CACHE = new SessionCacheManager();
+const BETTER_AUTH_ANONYMOUS_TOKEN_CACHE = new AnonymousTokenCacheManager();
 const BETTER_AUTH_ENDPOINTS = {
 	signUp: "/sign-up",
 	signIn: "/sign-in",
@@ -242,7 +338,8 @@ const BETTER_AUTH_ENDPOINTS = {
 	updateUser: "/update-user",
 	getSession: "/get-session",
 	token: "/token",
-	anonymousSignIn: "/sign-in/anonymous"
+	anonymousSignIn: "/sign-in/anonymous",
+	anonymousToken: "/token/anonymous"
 };
 const BETTER_AUTH_METHODS_HOOKS = {
 	signUp: {
@@ -338,6 +435,18 @@ const BETTER_AUTH_METHODS_HOOKS = {
 				}
 			}
 		}
+	},
+	anonymousToken: {
+		beforeRequest: () => {
+			const cachedResponse = BETTER_AUTH_ANONYMOUS_TOKEN_CACHE.getCachedResponse();
+			if (!cachedResponse) return null;
+			return Response.json(cachedResponse, { status: 200 });
+		},
+		onRequest: () => {},
+		onSuccess: (responseData) => {
+			const parsed = anonymousTokenResponseSchema.safeParse(responseData);
+			if (parsed.success) BETTER_AUTH_ANONYMOUS_TOKEN_CACHE.setCachedResponse(parsed.data);
+		}
 	}
 };
 /**
@@ -396,6 +505,7 @@ function isSessionResponseData(responseData) {
 }
 function deriveBetterAuthMethodFromUrl(url) {
 	if (url.includes("/sign-in/anonymous")) return "anonymousSignIn";
+	if (url.includes(BETTER_AUTH_ENDPOINTS.anonymousToken)) return "anonymousToken";
 	if (url.includes(BETTER_AUTH_ENDPOINTS.signIn)) return "signIn";
 	if (url.includes(BETTER_AUTH_ENDPOINTS.signUp)) return "signUp";
 	if (url.includes(BETTER_AUTH_ENDPOINTS.signOut)) return "signOut";
@@ -418,7 +528,7 @@ const supportedBetterAuthClientPlugins = [
 	adminClient(),
 	organizationClient(),
 	emailOTPClient(),
-	anonymousClient()
+	anonymousTokenClient()
 ];
 var NeonAuthAdapterCore = class {
 	betterAuthOptions;
@@ -488,6 +598,20 @@ var NeonAuthAdapterCore = class {
 		};
 		initBroadcastChannel();
 	}
+	/**
+	* Get JWT token for authenticated or anonymous access.
+	* Single source of truth for token retrieval logic.
+	*
+	* @param allowAnonymous - When true, fetches anonymous token if no session exists
+	* @returns JWT token string or null if unavailable
+	*/
+	async getJWTToken(allowAnonymous) {
+		const client = this.getBetterAuthInstance();
+		const session = await client.getSession();
+		if (session.data?.session?.token) return session.data.session.token;
+		if (allowAnonymous) return (await client.getAnonymousToken()).data?.token ?? null;
+		return null;
+	}
 };
 
 //#endregion