@neutralauth/internal-auth 0.10.11

package/src/client/create-client.ts

@@ -0,0 +1,452 @@
+import {
+  httpActionGeneric,
+  internalMutationGeneric,
+  queryGeneric,
+} from "convex/server";
+import type {
+  DataModelFromSchemaDefinition,
+  FunctionReference,
+  GenericDataModel,
+  GenericMutationCtx,
+  GenericSchema,
+  HttpRouter,
+  SchemaDefinition,
+} from "convex/server";
+import { ConvexError, v } from "convex/values";
+import type { Infer } from "convex/values";
+import { convexAdapter } from "./adapter.js";
+import { corsRouter } from "convex-helpers/server/cors";
+import type defaultSchema from "../component/schema.js";
+import type { ComponentApi } from "../component/_generated/component.js";
+import type { CreateAuth, GenericCtx } from "./index.js";
+
+export type AuthFunctions = {
+  onCreate?: FunctionReference<"mutation", "internal", { [key: string]: any }>;
+  onUpdate?: FunctionReference<"mutation", "internal", { [key: string]: any }>;
+  onDelete?: FunctionReference<"mutation", "internal", { [key: string]: any }>;
+};
+
+export type Triggers<
+  DataModel extends GenericDataModel,
+  Schema extends SchemaDefinition<any, any>,
+> = {
+  [K in keyof Schema["tables"]]?: {
+    onCreate?: <Ctx extends GenericMutationCtx<DataModel>>(
+      ctx: Ctx,
+      doc: Infer<Schema["tables"][K]["validator"]> & {
+        _id: string;
+        _creationTime: number;
+      }
+    ) => Promise<void>;
+    onUpdate?: <Ctx extends GenericMutationCtx<DataModel>>(
+      ctx: Ctx,
+      newDoc: Infer<Schema["tables"][K]["validator"]> & {
+        _id: string;
+        _creationTime: number;
+      },
+      oldDoc: Infer<Schema["tables"][K]["validator"]> & {
+        _id: string;
+        _creationTime: number;
+      }
+    ) => Promise<void>;
+    onDelete?: <Ctx extends GenericMutationCtx<DataModel>>(
+      ctx: Ctx,
+      doc: Infer<Schema["tables"][K]["validator"]> & {
+        _id: string;
+        _creationTime: number;
+      }
+    ) => Promise<void>;
+  };
+};
+
+type SlimComponentApi = {
+  adapter: {
+    create: FunctionReference<"mutation", "internal">;
+    findOne: FunctionReference<"query", "internal">;
+    findMany: FunctionReference<"query", "internal">;
+    updateOne: FunctionReference<"mutation", "internal">;
+    updateMany: FunctionReference<"mutation", "internal">;
+    deleteOne: FunctionReference<"mutation", "internal">;
+    deleteMany: FunctionReference<"mutation", "internal">;
+  };
+  adapterTest?: ComponentApi["adapterTest"];
+};
+
+/**
+ * Backend API for the Better Auth component.
+ * Responsible for exposing the `client` and `triggers` APIs to the client, http
+ * route registration, and having convenience methods for interacting with the
+ * component from the backend.
+ *
+ * @param component - Generally `components.betterAuth` from
+ * `./_generated/api` once you've configured it in `convex.config.ts`.
+ * @param config - Configuration options for the component.
+ * @param config.local - Local schema configuration.
+ * @param config.verbose - Whether to enable verbose logging.
+ * @param config.triggers - Triggers configuration.
+ * @param config.authFunctions - Authentication functions configuration.
+ */
+export const createClient = <
+  DataModel extends GenericDataModel,
+  Schema extends SchemaDefinition<GenericSchema, true> = typeof defaultSchema,
+  Api extends SlimComponentApi = SlimComponentApi,
+>(
+  component: Api,
+  config?: {
+    local?: {
+      schema?: Schema;
+    };
+    verbose?: boolean;
+  } & (
+    | {
+        triggers: Triggers<DataModel, Schema>;
+        authFunctions: AuthFunctions;
+      }
+    | { triggers?: undefined }
+  )
+) => {
+  type BetterAuthDataModel = DataModelFromSchemaDefinition<Schema>;
+
+  const safeGetAuthUser = async (ctx: GenericCtx<DataModel>) => {
+    const identity = await ctx.auth.getUserIdentity();
+    if (!identity) {
+      return;
+    }
+    const session = (await ctx.runQuery(component.adapter.findOne, {
+      model: "session",
+      where: [
+        {
+          field: "_id",
+          value: identity.sessionId as string,
+        },
+        {
+          field: "expiresAt",
+          operator: "gt",
+          value: new Date().getTime(),
+        },
+      ],
+    })) as BetterAuthDataModel["session"]["document"] | null;
+
+    if (!session) {
+      return;
+    }
+
+    const doc = (await ctx.runQuery(component.adapter.findOne, {
+      model: "user",
+      where: [
+        {
+          field: "_id",
+          value: identity.subject,
+        },
+      ],
+    })) as BetterAuthDataModel["user"]["document"] | null;
+    if (!doc) {
+      return;
+    }
+    return doc;
+  };
+
+  const getAuthUser = async (ctx: GenericCtx<DataModel>) => {
+    const user = await safeGetAuthUser(ctx);
+    if (!user) {
+      throw new ConvexError("Unauthenticated");
+    }
+    return user;
+  };
+
+  const getHeaders = async (ctx: GenericCtx<DataModel>) => {
+    const identity = await ctx.auth.getUserIdentity();
+    if (!identity) {
+      return new Headers();
+    }
+    // Don't validate the session here, let Better Auth handle that
+    const session = await ctx.runQuery(component.adapter.findOne, {
+      model: "session",
+      where: [
+        {
+          field: "_id",
+          value: identity.sessionId as string,
+        },
+      ],
+    });
+    return new Headers({
+      ...(session?.token ? { authorization: `Bearer ${session.token}` } : {}),
+      ...(session?.ipAddress
+        ? { "x-forwarded-for": session.ipAddress as string }
+        : {}),
+    });
+  };
+
+  return {
+    /**
+     * Returns the Convex database adapter for use in Better Auth options.
+     * @param ctx - The Convex context
+     * @returns The Convex database adapter
+     */
+    adapter: (ctx: GenericCtx<DataModel>) =>
+      convexAdapter<DataModel, typeof ctx, Schema>(ctx, component, {
+        ...config,
+        debugLogs: config?.verbose,
+      }),
+
+    /**
+     * Returns the Better Auth auth object and headers for using Better Auth API
+     * methods directly in a Convex mutation or query. Convex functions don't
+     * have access to request headers, so the headers object is created at
+     * runtime with the token for the current session as a Bearer token.
+     *
+     * @param createAuth - The createAuth function
+     * @param ctx - The Convex context
+     * @returns A promise that resolves to the Better Auth `auth` API object and
+     * headers.
+     */
+    getAuth: async <T extends CreateAuth<DataModel>>(
+      createAuth: T,
+      ctx: GenericCtx<DataModel>
+    ) => ({
+      auth: createAuth(ctx) as ReturnType<T>,
+      headers: await getHeaders(ctx),
+    }),
+
+    /**
+     * Returns a Headers object for the current session using the session id
+     * from the current user identity via `ctx.auth.getUserIdentity()`. This is
+     * used to pass the headers to the Better Auth API methods when using the
+     * `getAuth` method.
+     *
+     * @param ctx - The Convex context
+     * @returns The headers
+     */
+    getHeaders,
+
+    /**
+     * Returns the current user or null if the user is not found
+     * @param ctx - The Convex context
+     * @returns The user or null if the user is not found
+     */
+    safeGetAuthUser,
+
+    /**
+     * Returns the current user or throws an error if the user is not found
+     *
+     * @param ctx - The Convex context
+     * @returns The user or throws an error if the user is not found
+     */
+    getAuthUser,
+
+    /**
+     * Returns a user by their Better Auth user id.
+     * @param ctx - The Convex context
+     * @param id - The Better Auth user id
+     * @returns The user or null if the user is not found
+     */
+    getAnyUserById: async (ctx: GenericCtx<DataModel>, id: string) => {
+      return (await ctx.runQuery(component.adapter.findOne, {
+        model: "user",
+        where: [{ field: "_id", value: id }],
+      })) as BetterAuthDataModel["user"]["document"] | null;
+    },
+
+    /**
+     * Replaces 0.7 behavior of returning a new user id from
+     * onCreateUser
+     * @param ctx - The Convex context
+     * @param authId - The Better Auth user id
+     * @param userId - The app user id
+     * @deprecated in 0.9
+     */
+    setUserId: async (
+      ctx: GenericMutationCtx<DataModel>,
+      authId: string,
+      userId: string
+    ) => {
+      await ctx.runMutation(component.adapter.updateOne, {
+        input: {
+          model: "user",
+          where: [{ field: "_id", value: authId }],
+          update: { userId },
+        },
+      });
+    },
+
+    /**
+     * Exposes functions for use with the ClientAuthBoundary component. Currently
+     * only contains getAuthUser.
+     * @returns Functions to pass to the ClientAuthBoundary component.
+     */
+    clientApi: () => ({
+      /**
+       * Convex query to get the current user. For use with the ClientAuthBoundary component.
+       *
+       * ```ts title="convex/auth.ts"
+       * export const { getAuthUser } = authComponent.clientApi();
+       * ```
+       *
+       * @returns The user or throws an error if the user is not found
+       */
+      getAuthUser: queryGeneric({
+        args: {},
+        handler: async (ctx: GenericCtx<DataModel>) => {
+          return await getAuthUser(ctx);
+        },
+      }),
+    }),
+
+    /**
+     * Exposes functions for executing trigger callbacks in the app context.
+     *
+     * Callbacks are defined in the `triggers` option to the component client config.
+     *
+     * See {@link createClient} for more information.
+     *
+     * @returns Functions to execute trigger callbacks in the app context.
+     */
+    triggersApi: () => ({
+      onCreate: internalMutationGeneric({
+        args: {
+          doc: v.any(),
+          model: v.string(),
+        },
+        handler: async (ctx, args) => {
+          await config?.triggers?.[args.model]?.onCreate?.(ctx, args.doc);
+        },
+      }),
+      onUpdate: internalMutationGeneric({
+        args: {
+          oldDoc: v.any(),
+          newDoc: v.any(),
+          model: v.string(),
+        },
+        handler: async (ctx, args) => {
+          await config?.triggers?.[args.model]?.onUpdate?.(
+            ctx,
+            args.newDoc,
+            args.oldDoc
+          );
+        },
+      }),
+      onDelete: internalMutationGeneric({
+        args: {
+          doc: v.any(),
+          model: v.string(),
+        },
+        handler: async (ctx, args) => {
+          await config?.triggers?.[args.model]?.onDelete?.(ctx, args.doc);
+        },
+      }),
+    }),
+
+    registerRoutes: (
+      http: HttpRouter,
+      createAuth: CreateAuth<DataModel>,
+      opts: {
+        cors?:
+          | boolean
+          | {
+              // These values are appended to the default values
+              allowedOrigins?: string[];
+              allowedHeaders?: string[];
+              exposedHeaders?: string[];
+            };
+      } = {}
+    ) => {
+      const staticAuth = createAuth({} as any);
+      const path = staticAuth.options.basePath ?? "/api/auth";
+      const authRequestHandler = httpActionGeneric(async (ctx, request) => {
+        if (config?.verbose) {
+          // eslint-disable-next-line no-console
+          console.log("options.baseURL", staticAuth.options.baseURL);
+          // eslint-disable-next-line no-console
+          console.log("request headers", request.headers);
+        }
+        const auth = createAuth(ctx as any);
+        const response = await auth.handler(request);
+        if (config?.verbose) {
+          // eslint-disable-next-line no-console
+          console.log("response headers", response.headers);
+        }
+        return response;
+      });
+      const wellKnown = http.lookup("/.well-known/openid-configuration", "GET");
+
+      // If registerRoutes is used multiple times, this may already be defined
+      if (!wellKnown) {
+        // Redirect root well-known to api well-known
+        http.route({
+          path: "/.well-known/openid-configuration",
+          method: "GET",
+          handler: httpActionGeneric(async () => {
+            const url = `${process.env.CONVEX_SITE_URL}${path}/convex/.well-known/openid-configuration`;
+            return Response.redirect(url);
+          }),
+        });
+      }
+
+      if (!opts.cors) {
+        http.route({
+          pathPrefix: `${path}/`,
+          method: "GET",
+          handler: authRequestHandler,
+        });
+
+        http.route({
+          pathPrefix: `${path}/`,
+          method: "POST",
+          handler: authRequestHandler,
+        });
+
+        return;
+      }
+      const corsOpts =
+        typeof opts.cors === "boolean"
+          ? { allowedOrigins: [], allowedHeaders: [], exposedHeaders: [] }
+          : opts.cors;
+      let trustedOriginsOption:
+        | string[]
+        | ((request: Request) => string[] | Promise<string[]>)
+        | undefined;
+      const cors = corsRouter(http, {
+        allowedOrigins: async (request) => {
+          trustedOriginsOption =
+            trustedOriginsOption ??
+            (await staticAuth.$context).options.trustedOrigins ??
+            [];
+          const trustedOrigins = Array.isArray(trustedOriginsOption)
+            ? trustedOriginsOption
+            : await trustedOriginsOption(request);
+          return trustedOrigins
+            .map((origin) =>
+              // Strip trailing wildcards, unsupported for allowedOrigins
+              origin.endsWith("*") && origin.length > 1
+                ? origin.slice(0, -1)
+                : origin
+            )
+            .concat(corsOpts.allowedOrigins ?? []);
+        },
+        allowCredentials: true,
+        allowedHeaders: [
+          "Content-Type",
+          "Better-Auth-Cookie",
+          "Authorization",
+        ].concat(corsOpts.allowedHeaders ?? []),
+        exposedHeaders: ["Set-Better-Auth-Cookie"].concat(
+          corsOpts.exposedHeaders ?? []
+        ),
+        debug: config?.verbose,
+        enforceAllowOrigins: false,
+      });
+
+      cors.route({
+        pathPrefix: `${path}/`,
+        method: "GET",
+        handler: authRequestHandler,
+      });
+
+      cors.route({
+        pathPrefix: `${path}/`,
+        method: "POST",
+        handler: authRequestHandler,
+      });
+    },
+  };
+};

package/src/client/create-schema.ts

@@ -0,0 +1,166 @@
+import type { BetterAuthDBSchema, DBFieldAttribute } from "better-auth/db";
+
+// Manually add fields to index on for schema generation,
+// all fields in the schema specialFields are automatically indexed
+export const indexFields = {
+  account: ["accountId", ["accountId", "providerId"], ["providerId", "userId"]],
+  rateLimit: ["key"],
+  session: ["expiresAt", ["expiresAt", "userId"]],
+  verification: ["expiresAt", "identifier"],
+  user: [["email", "name"], "name", "userId"],
+  passkey: ["credentialID"],
+  oauthConsent: [["clientId", "userId"]],
+};
+
+// Return map of unique, sortable, and reference fields
+const specialFields = (tables: BetterAuthDBSchema) =>
+  Object.fromEntries(
+    Object.entries(tables)
+      .map(([key, table]) => {
+        const fields = Object.fromEntries(
+          Object.entries(table.fields)
+            .map(([fieldKey, field]) => [
+              field.fieldName ?? fieldKey,
+              {
+                ...(field.sortable ? { sortable: true } : {}),
+                ...(field.unique ? { unique: true } : {}),
+                ...(field.references ? { references: field.references } : {}),
+              },
+            ])
+            .filter(([_key, value]) =>
+              typeof value === "object" ? Object.keys(value).length > 0 : true
+            )
+        );
+        return [key, fields];
+      })
+      .filter(([_key, value]) =>
+        typeof value === "object" ? Object.keys(value).length > 0 : true
+      )
+  );
+
+const mergedIndexFields = (tables: BetterAuthDBSchema) =>
+  Object.fromEntries(
+    Object.entries(tables).map(([key, table]) => {
+      const manualIndexes =
+        indexFields[key as keyof typeof indexFields]?.map((index) => {
+          return typeof index === "string"
+            ? (table.fields[index]?.fieldName ?? index)
+            : index.map((i) => table.fields[i]?.fieldName ?? i);
+        }) || [];
+      const specialFieldIndexes = Object.keys(
+        specialFields(tables)[key as keyof ReturnType<typeof specialFields>] ||
+          {}
+      ).filter(
+        (index) =>
+          !manualIndexes.some((m) =>
+            Array.isArray(m) ? m[0] === index : m === index
+          )
+      );
+      return [key, manualIndexes.concat(specialFieldIndexes)];
+    })
+  );
+
+export const createSchema = async ({
+  file,
+  tables,
+}: {
+  tables: BetterAuthDBSchema;
+  file?: string;
+}) => {
+  // stop convex esbuild from throwing over this import, only runs
+  // in the better auth cli
+  const pathImport = "path";
+  const path = await import(pathImport);
+  const baseName = path.basename(path.resolve(process.cwd(), file ?? ""));
+  // if the target directory is named "convex", they're almost definitely
+  // generating the schema in the wrong directory, likely would replace the
+  // app schema
+  if (baseName === "convex") {
+    throw new Error(
+      "Better Auth schema must be generated in the Better Auth component directory."
+    );
+  }
+  let code: string = `/**
+ * This file is auto-generated. Do not edit this file manually.
+ * To regenerate the schema, run:
+ * \`npx @better-auth/cli generate --output ${file} -y\`
+ * 
+ * To customize the schema, generate to an alternate file and import
+ * the table definitions to your schema file. See
+ * https://labs.convex.dev/better-auth/features/local-install#adding-custom-indexes.
+ */
+
+import { defineSchema, defineTable } from "convex/server";
+import { v } from "convex/values";
+
+export const tables = {
+`;
+
+  for (const tableKey in tables) {
+    const table = tables[tableKey]!;
+    const modelName = table.modelName;
+
+    // No id fields in Convex schema
+    const fields = Object.fromEntries(
+      Object.entries(table.fields).filter(([key]) => key !== "id")
+    );
+
+    function getType(name: string, field: DBFieldAttribute) {
+      const type = field.type as
+        | "string"
+        | "number"
+        | "boolean"
+        | "date"
+        | "json"
+        | `${"string" | "number"}[]`;
+
+      const typeMap: Record<typeof type, string> = {
+        string: `v.string()`,
+        boolean: `v.boolean()`,
+        number: `v.number()`,
+        date: `v.number()`,
+        json: `v.string()`,
+        "number[]": `v.array(v.number())`,
+        "string[]": `v.array(v.string())`,
+      } as const;
+      return typeMap[type];
+    }
+
+    const indexes =
+      mergedIndexFields(tables)[
+        tableKey as keyof typeof mergedIndexFields
+      ]?.map((index) => {
+        const indexArray = Array.isArray(index) ? index.sort() : [index];
+        const indexName = indexArray.join("_");
+        return `.index("${indexName}", ${JSON.stringify(indexArray)})`;
+      }) || [];
+
+    const schema = `${modelName}: defineTable({
+${Object.keys(fields)
+  .map((field) => {
+    const attr = fields[field]!;
+    const type = getType(field, attr as DBFieldAttribute);
+    const optional = (fieldSchema: string) =>
+      attr.required
+        ? fieldSchema
+        : `v.optional(v.union(v.null(), ${fieldSchema}))`;
+    return `    ${attr.fieldName ?? field}: ${optional(type)},`;
+  })
+  .join("\n")}
+  })${indexes.length > 0 ? `\n    ${indexes.join("\n    ")}` : ""},\n`;
+    code += `  ${schema}`;
+  }
+
+  code += `};
+
+const schema = defineSchema(tables);
+
+export default schema;
+`;
+
+  return {
+    code,
+    path: file ?? "./schema.ts",
+    overwrite: true,
+  };
+};

package/src/client/index.ts

@@ -0,0 +1,22 @@
+import { convexAdapter } from "./adapter.js";
+import { version as convexVersion } from "convex";
+import semverLt from "semver/functions/lt.js";
+import { createClient } from "./create-client.js";
+import type { AuthFunctions, Triggers } from "./create-client.js";
+import { createApi } from "./create-api.js";
+import type { CreateAuth, EventFunction, GenericCtx } from "../utils/index.js";
+
+if (semverLt(convexVersion, "1.25.0")) {
+  throw new Error("Convex version must be at least 1.25.0");
+}
+
+export {
+  convexAdapter,
+  createClient,
+  createApi,
+  type CreateAuth,
+  type EventFunction,
+  type GenericCtx,
+  type Triggers,
+  type AuthFunctions,
+};

package/src/client/plugins/index.ts

@@ -0,0 +1,2 @@
+export * from "../../plugins/convex/client.js";
+export * from "../../plugins/cross-domain/client.js";

package/src/component/_generated/api.ts

@@ -0,0 +1,52 @@
+/* eslint-disable */
+/**
+ * Generated `api` utility.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+
+import type * as adapter from "../adapter.js";
+import type * as adapterTest from "../adapterTest.js";
+
+import type {
+  ApiFromModules,
+  FilterApi,
+  FunctionReference,
+} from "convex/server";
+import { anyApi, componentsGeneric } from "convex/server";
+
+const fullApi: ApiFromModules<{
+  adapter: typeof adapter;
+  adapterTest: typeof adapterTest;
+}> = anyApi as any;
+
+/**
+ * A utility for referencing Convex functions in your app's public API.
+ *
+ * Usage:
+ * ```js
+ * const myFunctionReference = api.myModule.myFunction;
+ * ```
+ */
+export const api: FilterApi<
+  typeof fullApi,
+  FunctionReference<any, "public">
+> = anyApi as any;
+
+/**
+ * A utility for referencing Convex functions in your app's internal API.
+ *
+ * Usage:
+ * ```js
+ * const myFunctionReference = internal.myModule.myFunction;
+ * ```
+ */
+export const internal: FilterApi<
+  typeof fullApi,
+  FunctionReference<any, "internal">
+> = anyApi as any;
+
+export const components = componentsGeneric() as unknown as {};