@nexusts/auth 0.7.0

package/README.md

@@ -0,0 +1,45 @@
+# @nexusts/auth
+
+> **NexusTS** — Bun-native fullstack framework
+
+## Description
+
+Authentication via better-auth integration.
+
+Provides authentication via better-auth. Brings the standard adapter so better-auth's API stays consistent with the rest of NexusTS (DI / decorator model). Type-safe users via @CurrentUser, sessions integrated with the framework's session module.
+
+## Install
+
+This module is part of the NexusTS monorepo. Each module is published as its own npm package under the `@nexusts/` scope.
+
+Most apps start with just the core:
+
+```bash
+bun add @nexusts/core reflect-metadata zod hono
+```
+
+Then add this module only if you need it:
+
+```bash
+bun add @nexusts/auth
+```
+
+## Peer dependencies
+
+```bash
+bun add better-auth
+```
+
+Required by this module. Without them the module loads but its public methods throw a clear error pointing to this install command on first call.
+
+## Usage
+
+```typescript
+import { /* public API */ } from "@nexusts/auth";
+```
+
+See the [user guide](../../docs/user-guide/auth.md) and the [example app](../../examples/) for a working demo.
+
+## License
+
+MIT — see the root [LICENSE](../../LICENSE).

package/dist/index.js

@@ -0,0 +1,502 @@
+// @bun
+var __legacyDecorateClassTS = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function")
+    r = Reflect.decorate(decorators, target, key, desc);
+  else
+    for (var i = decorators.length - 1;i >= 0; i--)
+      if (d = decorators[i])
+        r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __legacyDecorateParamTS = (index, decorator) => (target, key) => decorator(target, key, index);
+var __legacyMetadataTS = (k, v) => {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function")
+    return Reflect.metadata(k, v);
+};
+var __require = import.meta.require;
+// packages/auth/src/auth.ts
+import { betterAuth } from "better-auth";
+function createAuth(config = {}) {
+  const secret = config.secret ?? process.env["BETTER_AUTH_SECRET"];
+  const baseURL = config.baseUrl ?? process.env["BETTER_AUTH_URL"];
+  if (!secret) {
+    throw new Error("[nexus/auth] BETTER_AUTH_SECRET is required. " + "Generate one with `openssl rand -base64 32` and add it to .env.");
+  }
+  if (!baseURL) {
+    throw new Error("[nexus/auth] BETTER_AUTH_URL is required (e.g. http://localhost:3000).");
+  }
+  const plugins = [];
+  if (config.jwt?.enabled) {
+    const { jwt } = __require("better-auth/plugins");
+    plugins.push(jwt({
+      jwks: {
+        path: config.jwt.jwksPath ?? "/api/auth/jwks"
+      },
+      issuer: config.jwt.issuer ?? baseURL,
+      audience: config.jwt.audience ?? baseURL,
+      expiresIn: config.jwt.expiresIn ?? 60 * 15
+    }));
+  }
+  if (config.passkey?.enabled) {
+    const { passkey } = __require("better-auth/plugins");
+    plugins.push(passkey({
+      rpName: config.passkey.rpName,
+      rpID: config.passkey.rpId,
+      origin: config.passkey.origin
+    }));
+  }
+  return betterAuth({
+    secret,
+    baseURL,
+    basePath: config.basePath ?? "/api/auth",
+    emailAndPassword: {
+      enabled: config.emailAndPassword?.enabled ?? true,
+      requireEmailVerification: config.emailAndPassword?.requireEmailVerification ?? false,
+      minPasswordLength: config.emailAndPassword?.minPasswordLength ?? 8,
+      maxPasswordLength: config.emailAndPassword?.maxPasswordLength ?? 128
+    },
+    session: {
+      expiresIn: config.sessionExpiresInSeconds ?? 60 * 60 * 24 * 7
+    },
+    socialProviders: config.socialProviders,
+    advanced: {
+      cookies: {
+        sessionToken: {
+          attributes: {
+            sameSite: config.cookieSameSite ?? "lax",
+            secure: config.cookieSecure ?? process.env["NODE_ENV"] === "production",
+            ...config.cookieDomain ? { domain: config.cookieDomain } : {}
+          }
+        }
+      },
+      crossSubDomainCookies: config.crossSubDomainCookies?.enabled ? {
+        enabled: true,
+        domain: config.crossSubDomainCookies.domain
+      } : undefined
+    },
+    plugins
+  });
+}
+// packages/auth/src/auth.service.ts
+import { Inject, Injectable } from "@nexusts/core/decorators/index.js";
+class AuthService {
+  config;
+  static TOKEN = Symbol.for("nexus:AuthService");
+  instance;
+  #sessionService = null;
+  constructor(config) {
+    this.config = config;
+    this.instance = createAuth(this.config);
+  }
+  bindSession(sessionService) {
+    this.#sessionService = sessionService;
+    return this;
+  }
+  hasSessionBinding() {
+    return this.#sessionService !== null;
+  }
+  async getSession(input) {
+    if (this.#sessionService) {
+      const cookieName = this.#sessionService.cookieName;
+      if (cookieName) {
+        const cookieHeader = input.headers.get("cookie") ?? "";
+        const value = parseCookie(cookieHeader, cookieName);
+        if (value) {
+          const decoded = this.#sessionService.decodeCookie(value);
+          if (decoded?.userId) {
+            const fromBetterAuth = await this.instance.api.getSession({
+              headers: input.headers
+            });
+            if (fromBetterAuth?.user) {
+              return fromBetterAuth;
+            }
+          }
+        }
+      }
+    }
+    const result = await this.instance.api.getSession({
+      headers: input.headers
+    });
+    return result;
+  }
+  async getRawSession(input) {
+    if (!this.#sessionService)
+      return null;
+    const cookieName = this.#sessionService.cookieName;
+    if (!cookieName)
+      return null;
+    const cookieHeader = input.headers.get("cookie") ?? "";
+    const value = parseCookie(cookieHeader, cookieName);
+    if (!value)
+      return null;
+    return this.#sessionService.decodeCookie(value);
+  }
+  async signUp(input) {
+    return this.instance.api.signUpEmail({
+      body: input
+    });
+  }
+  async signIn(input) {
+    return this.instance.api.signInEmail({
+      body: input
+    });
+  }
+  async signOut(input) {
+    return this.instance.api.signOut({
+      headers: input.headers
+    });
+  }
+  async getOAuthUrl(input) {
+    return this.instance.api.signInSocial({
+      body: input
+    });
+  }
+  async handleOAuthCallback(input) {
+    return this.instance.api.signInSocial({
+      headers: input.headers,
+      query: input.query,
+      body: {}
+    });
+  }
+  async issueJwt(input) {
+    const api = this.instance.api;
+    if (!api.signJWT) {
+      throw new Error("[nexus/auth] JWT plugin not enabled. Set `auth.jwt.enabled: true` in nx.config.ts.");
+    }
+    return api.signJWT({ body: { userId: input.userId } });
+  }
+  async registerPasskey(input) {
+    const api = this.instance.api;
+    if (!api.passkey) {
+      throw new Error("[nexus/auth] Passkey plugin not enabled. Set `auth.passkey.enabled: true` in nx.config.ts.");
+    }
+    return api.passkey.register({ headers: input.headers });
+  }
+  async authenticatePasskey(input) {
+    const api = this.instance.api;
+    if (!api.passkey) {
+      throw new Error("[nexus/auth] Passkey plugin not enabled.");
+    }
+    return api.passkey.authenticate({ headers: input.headers, body: input.body });
+  }
+  redirect(to, status = 302) {
+    return new Response(null, { status, headers: { Location: to } });
+  }
+  toContextVariables(session) {
+    if (!session)
+      return { user: null, session: null };
+    return { user: session.user, session: session.session };
+  }
+}
+AuthService = __legacyDecorateClassTS([
+  Injectable(),
+  __legacyDecorateParamTS(0, Inject("AUTH_CONFIG")),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof AuthConfig === "undefined" ? Object : AuthConfig
+  ])
+], AuthService);
+function parseCookie(cookieHeader, name) {
+  if (!cookieHeader)
+    return null;
+  const parts = cookieHeader.split(";");
+  for (const part of parts) {
+    const eq = part.indexOf("=");
+    if (eq < 0)
+      continue;
+    const k = part.slice(0, eq).trim();
+    if (k === name) {
+      return decodeURIComponent(part.slice(eq + 1).trim());
+    }
+  }
+  return null;
+}
+// packages/auth/src/auth.controller.ts
+import {
+  Body,
+  Controller,
+  Get,
+  Inject as Inject2,
+  Post,
+  Req,
+  Res
+} from "@nexusts/core/decorators/index.js";
+class AuthController {
+  auth;
+  constructor(auth) {
+    this.auth = auth;
+  }
+  async session(c) {
+    const session = await this.auth.getSession({
+      headers: c.req.raw.headers
+    });
+    return c.json(session ?? { user: null, session: null });
+  }
+  async signUpEmail(c, body) {
+    const result = await this.auth.signUp(body);
+    return c.json(result, 201);
+  }
+  async signInEmail(c, body) {
+    const result = await this.auth.signIn(body);
+    return c.json(result);
+  }
+  async signOut(c, _res) {
+    await this.auth.signOut({ headers: c.req.raw.headers });
+    return c.json({ ok: true });
+  }
+  async socialSignIn(c, _body) {
+    const provider = c.req.param("provider") ?? "";
+    const callbackURL = c.req.query("callbackURL") ?? "/";
+    const result = await this.auth.getOAuthUrl({ provider, callbackURL });
+    return c.json(result);
+  }
+  async oauthCallback(c) {
+    const result = await this.auth.handleOAuthCallback({
+      headers: c.req.raw.headers,
+      query: c.req.query()
+    });
+    return c.json(result);
+  }
+  async issueJwt(c) {
+    const session = await this.auth.getSession({
+      headers: c.req.raw.headers
+    });
+    if (!session)
+      return c.json({ error: "Unauthorized" }, 401);
+    const token = await this.auth.issueJwt({ userId: session.user.id });
+    return c.json(token);
+  }
+  async passkeyRegister(c) {
+    const result = await this.auth.registerPasskey({
+      headers: c.req.raw.headers
+    });
+    return c.json(result);
+  }
+  async passkeyAuthenticate(c, body) {
+    const result = await this.auth.authenticatePasskey({
+      headers: c.req.raw.headers,
+      body
+    });
+    return c.json(result);
+  }
+}
+__legacyDecorateClassTS([
+  Get("/session"),
+  __legacyDecorateParamTS(0, Req()),
+  __legacyMetadataTS("design:type", Function),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof Context === "undefined" ? Object : Context
+  ]),
+  __legacyMetadataTS("design:returntype", Promise)
+], AuthController.prototype, "session", null);
+__legacyDecorateClassTS([
+  Post("/sign-up/email"),
+  __legacyDecorateParamTS(0, Req()),
+  __legacyDecorateParamTS(1, Body()),
+  __legacyMetadataTS("design:type", Function),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof Context === "undefined" ? Object : Context,
+    Object
+  ]),
+  __legacyMetadataTS("design:returntype", Promise)
+], AuthController.prototype, "signUpEmail", null);
+__legacyDecorateClassTS([
+  Post("/sign-in/email"),
+  __legacyDecorateParamTS(0, Req()),
+  __legacyDecorateParamTS(1, Body()),
+  __legacyMetadataTS("design:type", Function),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof Context === "undefined" ? Object : Context,
+    Object
+  ]),
+  __legacyMetadataTS("design:returntype", Promise)
+], AuthController.prototype, "signInEmail", null);
+__legacyDecorateClassTS([
+  Post("/sign-out"),
+  __legacyDecorateParamTS(0, Req()),
+  __legacyDecorateParamTS(1, Res()),
+  __legacyMetadataTS("design:type", Function),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof Context === "undefined" ? Object : Context,
+    typeof Response === "undefined" ? Object : Response
+  ]),
+  __legacyMetadataTS("design:returntype", Promise)
+], AuthController.prototype, "signOut", null);
+__legacyDecorateClassTS([
+  Get("/sign-in/:provider"),
+  __legacyDecorateParamTS(0, Req()),
+  __legacyDecorateParamTS(1, Body()),
+  __legacyMetadataTS("design:type", Function),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof Context === "undefined" ? Object : Context,
+    undefined
+  ]),
+  __legacyMetadataTS("design:returntype", Promise)
+], AuthController.prototype, "socialSignIn", null);
+__legacyDecorateClassTS([
+  Get("/callback/:provider"),
+  __legacyDecorateParamTS(0, Req()),
+  __legacyMetadataTS("design:type", Function),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof Context === "undefined" ? Object : Context
+  ]),
+  __legacyMetadataTS("design:returntype", Promise)
+], AuthController.prototype, "oauthCallback", null);
+__legacyDecorateClassTS([
+  Post("/jwt"),
+  __legacyDecorateParamTS(0, Req()),
+  __legacyMetadataTS("design:type", Function),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof Context === "undefined" ? Object : Context
+  ]),
+  __legacyMetadataTS("design:returntype", Promise)
+], AuthController.prototype, "issueJwt", null);
+__legacyDecorateClassTS([
+  Post("/passkey/register"),
+  __legacyDecorateParamTS(0, Req()),
+  __legacyMetadataTS("design:type", Function),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof Context === "undefined" ? Object : Context
+  ]),
+  __legacyMetadataTS("design:returntype", Promise)
+], AuthController.prototype, "passkeyRegister", null);
+__legacyDecorateClassTS([
+  Post("/passkey/authenticate"),
+  __legacyDecorateParamTS(0, Req()),
+  __legacyDecorateParamTS(1, Body()),
+  __legacyMetadataTS("design:type", Function),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof Context === "undefined" ? Object : Context,
+    Object
+  ]),
+  __legacyMetadataTS("design:returntype", Promise)
+], AuthController.prototype, "passkeyAuthenticate", null);
+AuthController = __legacyDecorateClassTS([
+  Controller("/api/auth"),
+  __legacyDecorateParamTS(0, Inject2(AuthService.TOKEN)),
+  __legacyMetadataTS("design:paramtypes", [
+    typeof AuthService === "undefined" ? Object : AuthService
+  ])
+], AuthController);
+// packages/auth/src/auth.module.ts
+import"reflect-metadata";
+import { Module } from "@nexusts/core/decorators/module.js";
+class AuthModule {
+  static forRoot(config) {
+    class ConfiguredAuthModule {
+    }
+    ConfiguredAuthModule = __legacyDecorateClassTS([
+      Module({
+        controllers: [AuthController],
+        providers: [
+          AuthService,
+          { provide: AuthService.TOKEN, useExisting: AuthService },
+          { provide: "AUTH_CONFIG", useValue: config }
+        ],
+        exports: [AuthService, AuthService.TOKEN]
+      })
+    ], ConfiguredAuthModule);
+    Object.defineProperty(ConfiguredAuthModule, "name", {
+      value: "ConfiguredAuthModule"
+    });
+    return ConfiguredAuthModule;
+  }
+}
+AuthModule = __legacyDecorateClassTS([
+  Module({
+    controllers: [AuthController],
+    providers: [
+      AuthService,
+      { provide: AuthService.TOKEN, useExisting: AuthService }
+    ],
+    exports: [AuthService, AuthService.TOKEN]
+  })
+], AuthModule);
+// packages/auth/src/middleware.ts
+function authMiddleware(auth, options = {}) {
+  const {
+    mode = "optional",
+    scope,
+    protectedPaths,
+    ignoredPaths,
+    onUnauthenticated = defaultUnauthenticated,
+    onForbidden = defaultForbidden
+  } = options;
+  const ignored = toMatcher(ignoredPaths);
+  const protected_ = mode === "scoped" ? toMatcher(scope ?? protectedPaths ?? /^\/.+/) : null;
+  return async (c, next) => {
+    const path = c.req.path;
+    if (ignored?.test(path)) {
+      return next();
+    }
+    const session = await auth.api.getSession({
+      headers: c.req.raw.headers
+    });
+    if (session) {
+      c.set("user", session.user);
+      c.set("session", session.session);
+    } else {
+      c.set("user", null);
+      c.set("session", null);
+    }
+    if (mode === "required" || protected_?.test(path) && session === null) {
+      if (session === null)
+        return onUnauthenticated(c);
+    }
+    return next();
+  };
+}
+function toMatcher(input) {
+  if (!input)
+    return null;
+  if (Array.isArray(input)) {
+    return new RegExp(input.map((r) => `(?:${r.source})`).join("|"));
+  }
+  return input;
+}
+function defaultUnauthenticated(c) {
+  return c.json({ error: "Unauthorized", message: "Authentication required." }, 401);
+}
+function defaultForbidden(c) {
+  return c.json({ error: "Forbidden", message: "Insufficient permissions." }, 403);
+}
+function authHandler(auth) {
+  return async (c) => auth.handler(c.req.raw);
+}
+// packages/auth/src/decorators/current-user.ts
+import"reflect-metadata";
+import { createParamDecorator } from "@nexusts/core/src/decorators/params.js";
+import { PARAM_TYPES } from "@nexusts/core/src/constants.js";
+function CurrentUser(options = {}) {
+  return createParamDecorator(PARAM_TYPES.USER, options);
+}
+
+class UnauthenticatedError extends Error {
+  status = 401;
+  constructor(message = "Authentication required.") {
+    super(message);
+    this.name = "UnauthenticatedError";
+  }
+}
+
+class ForbiddenError extends Error {
+  status = 403;
+  constructor(message = "Insufficient permissions.") {
+    super(message);
+    this.name = "ForbiddenError";
+  }
+}
+export {
+  createAuth,
+  authMiddleware,
+  authHandler,
+  UnauthenticatedError,
+  ForbiddenError,
+  CurrentUser,
+  AuthService,
+  AuthModule,
+  AuthController
+};
+
+//# debugId=5736524FC5C13DE864756E2164756E21
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1,15 @@
+{
+  "version": 3,
+  "sources": ["../src/auth.ts", "../src/auth.service.ts", "../src/auth.controller.ts", "../src/auth.module.ts", "../src/middleware.ts", "../src/decorators/current-user.ts"],
+  "sourcesContent": [
+    "/**\n * `createAuth()` — wrap better-auth's `betterAuth()` factory with\n * NexusTS-friendly defaults.\n *\n * This is the **only** place that talks to better-auth directly. Every\n * other NexusTS auth module consumes the resulting `Auth` instance via\n * DI or the registered token.\n *\n * Why an adapter layer instead of calling `betterAuth()` directly?\n *   1. NexusTS users write `auth.config.ts`, not raw better-auth options.\n *      The adapter translates between the two.\n *   2. Plugin selection (jwt, passkey) is toggled by boolean flags,\n *      not by importing plugin objects.\n *   3. Cookie / CORS / cross-subdomain defaults match Hono's `cors()`\n *      middleware so the two never conflict.\n *\n * Usage:\n *   // src/auth/auth.ts\n *   import { createAuth } from 'nexusjs/auth';\n *   export const auth = createAuth({\n *     basePath: '/api/auth',\n *     emailAndPassword: { enabled: true },\n *     socialProviders: {\n *       github: {\n *         clientId: process.env.GITHUB_CLIENT_ID!,\n *         clientSecret: process.env.GITHUB_CLIENT_SECRET!,\n *       },\n *     },\n *   });\n */\n\nimport { betterAuth } from \"better-auth\";\nimport type { AuthConfig } from \"./types.js\";\n\ntype BetterAuthInstance = ReturnType<typeof betterAuth>;\n\n/**\n * Create a better-auth instance with NexusTS-friendly defaults.\n *\n * @param config NexusTS-shaped config (see types.ts).\n * @returns A `better-auth` Auth instance.\n */\nexport function createAuth(config: AuthConfig = {}): BetterAuthInstance {\n\tconst secret = config.secret ?? process.env[\"BETTER_AUTH_SECRET\"];\n\tconst baseURL = config.baseUrl ?? process.env[\"BETTER_AUTH_URL\"];\n\n\tif (!secret) {\n\t\tthrow new Error(\n\t\t\t\"[nexus/auth] BETTER_AUTH_SECRET is required. \" +\n\t\t\t\t\"Generate one with `openssl rand -base64 32` and add it to .env.\",\n\t\t);\n\t}\n\tif (!baseURL) {\n\t\tthrow new Error(\n\t\t\t\"[nexus/auth] BETTER_AUTH_URL is required (e.g. http://localhost:3000).\",\n\t\t);\n\t}\n\n\tconst plugins: Array<unknown> = [];\n\n\t// JWT plugin — opt-in.\n\tif (config.jwt?.enabled) {\n\t\t// Lazy import so the plugin's transitive dependencies don't load\n\t\t// when the user hasn't asked for JWT.\n\t\t// eslint-disable-next-line @typescript-eslint/no-require-imports\n\t\tconst { jwt } = require(\"better-auth/plugins\");\n\t\tplugins.push(\n\t\t\tjwt({\n\t\t\t\tjwks: {\n\t\t\t\t\tpath: config.jwt.jwksPath ?? \"/api/auth/jwks\",\n\t\t\t\t},\n\t\t\t\tissuer: config.jwt.issuer ?? baseURL,\n\t\t\t\taudience: config.jwt.audience ?? baseURL,\n\t\t\t\texpiresIn: config.jwt.expiresIn ?? 60 * 15,\n\t\t\t}),\n\t\t);\n\t}\n\n\t// Passkey plugin — opt-in.\n\tif (config.passkey?.enabled) {\n\t\t// eslint-disable-next-line @typescript-eslint/no-require-imports\n\t\tconst { passkey } = require(\"better-auth/plugins\");\n\t\tplugins.push(\n\t\t\tpasskey({\n\t\t\t\trpName: config.passkey.rpName,\n\t\t\t\trpID: config.passkey.rpId,\n\t\t\t\torigin: config.passkey.origin,\n\t\t\t}),\n\t\t);\n\t}\n\n\treturn betterAuth({\n\t\tsecret,\n\t\tbaseURL,\n\t\tbasePath: config.basePath ?? \"/api/auth\",\n\t\temailAndPassword: {\n\t\t\tenabled: config.emailAndPassword?.enabled ?? true,\n\t\t\trequireEmailVerification:\n\t\t\t\tconfig.emailAndPassword?.requireEmailVerification ?? false,\n\t\t\tminPasswordLength: config.emailAndPassword?.minPasswordLength ?? 8,\n\t\t\tmaxPasswordLength: config.emailAndPassword?.maxPasswordLength ?? 128,\n\t\t},\n\t\tsession: {\n\t\t\texpiresIn: config.sessionExpiresInSeconds ?? 60 * 60 * 24 * 7, // 7 days\n\t\t},\n\t\tsocialProviders: config.socialProviders as never,\n\t\tadvanced: {\n\t\t\tcookies: {\n\t\t\t\tsessionToken: {\n\t\t\t\t\tattributes: {\n\t\t\t\t\t\tsameSite: (config.cookieSameSite ?? \"lax\") as\n\t\t\t\t\t\t\t| \"lax\"\n\t\t\t\t\t\t\t| \"strict\"\n\t\t\t\t\t\t\t| \"none\",\n\t\t\t\t\t\tsecure:\n\t\t\t\t\t\t\tconfig.cookieSecure ?? process.env[\"NODE_ENV\"] === \"production\",\n\t\t\t\t\t\t...(config.cookieDomain ? { domain: config.cookieDomain } : {}),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tcrossSubDomainCookies: config.crossSubDomainCookies?.enabled\n\t\t\t\t? {\n\t\t\t\t\t\tenabled: true,\n\t\t\t\t\t\tdomain: config.crossSubDomainCookies.domain,\n\t\t\t\t\t}\n\t\t\t\t: undefined,\n\t\t},\n\t\tplugins,\n\t} as never) as unknown as BetterAuthInstance;\n}\n\n/**\n * Type alias for the returned auth instance — convenient for DI token\n * typings.\n */\nexport type NexusAuth = ReturnType<typeof createAuth>;\n",
+    "/**\n * `AuthService` — DI-friendly wrapper around a better-auth instance.\n *\n * Why a service wrapper?\n *   - Hides the raw better-auth object behind a stable NexusTS API.\n *   - Exposes the high-level operations controllers need:\n *     signUp, signIn, signOut, getSession, oauthUrl, jwt, passkey.\n *   - Allows tests to swap the implementation via DI.\n *\n * Usage:\n *   constructor(@Inject(AuthService.TOKEN) private auth: AuthService) {}\n *\n *   await this.auth.signUp.email({ email, password, name });\n *   const session = await this.auth.getSession({ headers: c.req.raw.headers });\n *   return this.auth.redirect('/dashboard');  // 302\n */\n\nimport { Inject, Injectable } from \"@nexusts/core/decorators/index.js\";\nimport type {\n\tAuthUser,\n\tAuthSessionRecord,\n\tAuthSession,\n\tAuthConfig,\n} from \"./types.js\";\nimport { createAuth, type NexusAuth } from \"./auth.js\";\nimport type { SessionService } from \"@nexusts/session/index.js\";\n\n@Injectable()\nexport class AuthService {\n\t/** DI token — use with `@Inject(AuthService.TOKEN)`. */\n\tstatic readonly TOKEN = Symbol.for(\"nexus:AuthService\");\n\n\t/** The underlying better-auth instance. */\n\treadonly instance: NexusAuth;\n\n\t/**\n\t * Optional SessionService binding. When set, `getSession()` will\n\t * first check the SessionService's cookie before falling back to\n\t * better-auth. This enables shared session state between the two\n\t * modules (e.g. flash messages, guest cart).\n\t *\n\t * Set via `bindSession()` from a feature module's `onInit`, or via\n\t * DI when both modules are present.\n\t */\n\t#sessionService: SessionService | null = null;\n\n\tconstructor(\n\t\t@Inject(\"AUTH_CONFIG\") private readonly config: AuthConfig,\n\t) {\n\t\t// Lazy: defer construction to the first call so module-load\n\t\t// order doesn't matter.\n\t\tthis.instance = createAuth(this.config);\n\t}\n\n\t// ===========================================================================\n\t// Session integration\n\t// ===========================================================================\n\n\t/**\n\t * Bind a SessionService. When bound, `getSession()` consults the\n\t * SessionService first and falls back to better-auth. Returns `this`\n\t * for chaining.\n\t */\n\tbindSession(sessionService: SessionService): this {\n\t\tthis.#sessionService = sessionService;\n\t\treturn this;\n\t}\n\n\t/**\n\t * Returns true when a SessionService has been bound.\n\t */\n\thasSessionBinding(): boolean {\n\t\treturn this.#sessionService !== null;\n\t}\n\n\t// ===========================================================================\n\t// Session\n\t// ===========================================================================\n\n\t/**\n\t * Get the current session from a request. Returns `null` if not\n\t * authenticated.\n\t *\n\t * When a SessionService is bound, we try it first (cookie-based,\n\t * stateless, edge-friendly); better-auth remains the source of\n\t * truth for `user` / `session` records. The cookie value carries\n\t * `userId` which lets you cross-reference both systems.\n\t */\n\tasync getSession(input: { headers: Headers }): Promise<AuthSession> {\n\t\t// 1) Try SessionService (cookie-based) first.\n\t\tif (this.#sessionService) {\n\t\t\tconst cookieName = this.#sessionService.cookieName;\n\t\t\tif (cookieName) {\n\t\t\t\tconst cookieHeader = input.headers.get(\"cookie\") ?? \"\";\n\t\t\t\tconst value = parseCookie(cookieHeader, cookieName);\n\t\t\t\tif (value) {\n\t\t\t\t\tconst decoded = this.#sessionService.decodeCookie(value);\n\t\t\t\t\tif (decoded?.userId) {\n\t\t\t\t\t\t// Hydrate the user from better-auth (so the returned\n\t\t\t\t\t\t// shape matches what controllers expect).\n\t\t\t\t\t\tconst fromBetterAuth = (await this.instance.api.getSession({\n\t\t\t\t\t\t\theaders: input.headers,\n\t\t\t\t\t\t})) as AuthSession | null;\n\t\t\t\t\t\tif (fromBetterAuth?.user) {\n\t\t\t\t\t\t\treturn fromBetterAuth;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t// 2) Fallback to better-auth.\n\t\tconst result = await this.instance.api.getSession({\n\t\t\theaders: input.headers,\n\t\t});\n\t\treturn result as AuthSession;\n\t}\n\n\t/**\n\t * Read the raw SessionService record from a request (no better-auth\n\t * lookup). Returns null when no SessionService is bound or no\n\t * session is found.\n\t */\n\tasync getRawSession(input: { headers: Headers }) {\n\t\tif (!this.#sessionService) return null;\n\t\tconst cookieName = this.#sessionService.cookieName;\n\t\tif (!cookieName) return null;\n\t\tconst cookieHeader = input.headers.get(\"cookie\") ?? \"\";\n\t\tconst value = parseCookie(cookieHeader, cookieName);\n\t\tif (!value) return null;\n\t\treturn this.#sessionService.decodeCookie(value);\n\t}\n\n\t// ===========================================================================\n\t// Sign up / Sign in / Sign out\n\t// ===========================================================================\n\n\t/**\n\t * Email + password sign-up. Throws if email/password is disabled\n\t * in the auth config.\n\t */\n\tasync signUp(input: {\n\t\temail: string;\n\t\tpassword: string;\n\t\tname: string;\n\t\timage?: string;\n\t\tcallbackURL?: string;\n\t}) {\n\t\treturn this.instance.api.signUpEmail({\n\t\t\tbody: input as never,\n\t\t});\n\t}\n\n\t/** Email + password sign-in. */\n\tasync signIn(input: { email: string; password: string; callbackURL?: string }) {\n\t\treturn this.instance.api.signInEmail({\n\t\t\tbody: input as never,\n\t\t});\n\t}\n\n\t/** Sign out — invalidates the current session. */\n\tasync signOut(input: { headers: Headers }) {\n\t\treturn this.instance.api.signOut({\n\t\t\theaders: input.headers,\n\t\t});\n\t}\n\n\t// ===========================================================================\n\t// Social / OAuth\n\t// ===========================================================================\n\n\t/**\n\t * Get the URL the client should redirect to for a social sign-in.\n\t */\n\tasync getOAuthUrl(input: {\n\t\tprovider: string;\n\t\tcallbackURL?: string;\n\t}) {\n\t\treturn this.instance.api.signInSocial({\n\t\t\tbody: input as never,\n\t\t});\n\t}\n\n\t/**\n\t * Sign in / link a social account and return the user.\n\t */\n\tasync handleOAuthCallback(input: { headers: Headers; query: Record<string, string> }) {\n\t\treturn this.instance.api.signInSocial({\n\t\t\theaders: input.headers,\n\t\t\tquery: input.query,\n\t\t\tbody: {} as never,\n\t\t});\n\t}\n\n\t// ===========================================================================\n\t// JWT\n\t// ===========================================================================\n\n\t/**\n\t * Issue a JWT for the currently-authenticated user. Returns\n\t * `{ token, expiresAt }`. Requires the JWT plugin (`config.jwt.enabled`).\n\t */\n\tasync issueJwt(input: { userId: string }) {\n\t\tconst api = this.instance.api as unknown as {\n\t\t\tsignJWT?: (input: { body: { userId: string } }) => Promise<{\n\t\t\t\ttoken: string;\n\t\t\t\texpiresAt: Date;\n\t\t\t}>;\n\t\t};\n\t\tif (!api.signJWT) {\n\t\t\tthrow new Error(\n\t\t\t\t\"[nexus/auth] JWT plugin not enabled. Set `auth.jwt.enabled: true` in nx.config.ts.\",\n\t\t\t);\n\t\t}\n\t\treturn api.signJWT({ body: { userId: input.userId } });\n\t}\n\n\t// ===========================================================================\n\t// Passkey\n\t// ===========================================================================\n\n\tasync registerPasskey(input: { headers: Headers }) {\n\t\tconst api = this.instance.api as unknown as {\n\t\t\tpasskey?: {\n\t\t\t\tregister: (input: { headers: Headers }) => Promise<unknown>;\n\t\t\t};\n\t\t};\n\t\tif (!api.passkey) {\n\t\t\tthrow new Error(\n\t\t\t\t\"[nexus/auth] Passkey plugin not enabled. Set `auth.passkey.enabled: true` in nx.config.ts.\",\n\t\t\t);\n\t\t}\n\t\treturn api.passkey.register({ headers: input.headers });\n\t}\n\n\tasync authenticatePasskey(input: { headers: Headers; body: unknown }) {\n\t\tconst api = this.instance.api as unknown as {\n\t\t\tpasskey?: {\n\t\t\t\tauthenticate: (input: { headers: Headers; body: unknown }) => Promise<unknown>;\n\t\t\t};\n\t\t};\n\t\tif (!api.passkey) {\n\t\t\tthrow new Error(\"[nexus/auth] Passkey plugin not enabled.\");\n\t\t}\n\t\treturn api.passkey.authenticate({ headers: input.headers, body: input.body });\n\t}\n\n\t// ===========================================================================\n\t// Helpers\n\t// ===========================================================================\n\n\t/**\n\t * Build a redirect Response. Used by controllers that need to send\n\t * the user to a different page after sign-in / sign-up.\n\t */\n\tredirect(to: string, status: 302 | 303 | 307 | 308 = 302): Response {\n\t\treturn new Response(null, { status, headers: { Location: to } });\n\t}\n\n\t/**\n\t * Convert a session into the `AuthVariables` shape Hono expects.\n\t */\n\ttoContextVariables(session: AuthSession): {\n\t\tuser: AuthUser | null;\n\t\tsession: AuthSessionRecord | null;\n\t} {\n\t\tif (!session) return { user: null, session: null };\n\t\treturn { user: session.user, session: session.session };\n\t}\n}\n\n/**\n * Extract a single cookie value from a `Cookie` header string.\n * Tiny helper to avoid pulling in a cookie-parsing dependency.\n */\nfunction parseCookie(cookieHeader: string, name: string): string | null {\n\tif (!cookieHeader) return null;\n\tconst parts = cookieHeader.split(\";\");\n\tfor (const part of parts) {\n\t\tconst eq = part.indexOf(\"=\");\n\t\tif (eq < 0) continue;\n\t\tconst k = part.slice(0, eq).trim();\n\t\tif (k === name) {\n\t\t\treturn decodeURIComponent(part.slice(eq + 1).trim());\n\t\t}\n\t}\n\treturn null;\n}",
+    "/**\n * `AuthController` — built-in controller exposing common auth endpoints.\n *\n * Mount it in any `@Module` to get a working auth API:\n *\n *   @Module({\n *     controllers: [AuthController],\n *     providers: [AuthService],\n *   })\n *   export class AuthModule {}\n *\n * Endpoints (all prefixed with `config.basePath`, default `/api/auth`):\n *   - GET  /session               → current session\n *   - POST /sign-up/email         → email/password registration\n *   - POST /sign-in/email         → email/password login\n *   - POST /sign-out              → invalidate session\n *   - GET  /sign-in/:provider     → start OAuth flow\n *   - GET  /callback/:provider    → OAuth callback\n *   - POST /jwt                   → issue JWT (JWT plugin only)\n *   - POST /passkey/register      → start passkey registration\n *   - POST /passkey/authenticate  → complete passkey auth\n *\n * Most of the actual logic is delegated to `auth.handler` from\n * better-auth. The controller exists to make the routes visible to\n * `nx route:list` and to add NexusTS-style DI.\n */\n\nimport {\n\tBody,\n\tController,\n\tGet,\n\tInject,\n\tPost,\n\tReq,\n\tRes,\n} from \"@nexusts/core/decorators/index.js\";\nimport type { Context } from \"hono\";\nimport { AuthService } from \"./auth.service.js\";\nimport type { AuthSession } from \"./types.js\";\n\n@Controller(\"/api/auth\")\nexport class AuthController {\n\tconstructor(@Inject(AuthService.TOKEN) private readonly auth: AuthService) {}\n\n\t/**\n\t * GET /api/auth/session\n\t * Returns the current session (or null if unauthenticated).\n\t */\n\t@Get(\"/session\")\n\tasync session(@Req() c: Context) {\n\t\tconst session: AuthSession = await this.auth.getSession({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\t\treturn c.json(session ?? { user: null, session: null });\n\t}\n\n\t/**\n\t * POST /api/auth/sign-up/email\n\t * Body: { email, password, name, callbackURL? }\n\t */\n\t@Post(\"/sign-up/email\")\n\tasync signUpEmail(@Req() c: Context, @Body() body: any) {\n\t\tconst result = await this.auth.signUp(body);\n\t\treturn c.json(result, 201);\n\t}\n\n\t/**\n\t * POST /api/auth/sign-in/email\n\t * Body: { email, password, callbackURL? }\n\t */\n\t@Post(\"/sign-in/email\")\n\tasync signInEmail(@Req() c: Context, @Body() body: any) {\n\t\tconst result = await this.auth.signIn(body);\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * POST /api/auth/sign-out\n\t */\n\t@Post(\"/sign-out\")\n\tasync signOut(@Req() c: Context, @Res() _res: Response) {\n\t\tawait this.auth.signOut({ headers: c.req.raw.headers });\n\t\treturn c.json({ ok: true });\n\t}\n\n\t/**\n\t * GET /api/auth/sign-in/:provider\n\t * Returns a redirect to the social provider's auth page.\n\t */\n\t@Get(\"/sign-in/:provider\")\n\tasync socialSignIn(\n\t\t@Req() c: Context,\n\t\t@Body() _body: never,\n\t) {\n\t\tconst provider = c.req.param(\"provider\") ?? \"\";\n\t\tconst callbackURL = c.req.query(\"callbackURL\") ?? \"/\";\n\t\tconst result = await this.auth.getOAuthUrl({ provider, callbackURL });\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * GET /api/auth/callback/:provider\n\t * Social provider redirect target. The better-auth handler does the\n\t * real work; this is a passthrough for `route:list` visibility.\n\t */\n\t@Get(\"/callback/:provider\")\n\tasync oauthCallback(@Req() c: Context) {\n\t\tconst result = await this.auth.handleOAuthCallback({\n\t\t\theaders: c.req.raw.headers,\n\t\t\tquery: c.req.query() as Record<string, string>,\n\t\t});\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * POST /api/auth/jwt\n\t * Issues a JWT for the current user. Requires the JWT plugin.\n\t */\n\t@Post(\"/jwt\")\n\tasync issueJwt(@Req() c: Context) {\n\t\tconst session = await this.auth.getSession({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\t\tif (!session) return c.json({ error: \"Unauthorized\" }, 401);\n\t\tconst token = await this.auth.issueJwt({ userId: session.user.id });\n\t\treturn c.json(token);\n\t}\n\n\t/**\n\t * POST /api/auth/passkey/register\n\t * Start passkey registration. Requires the passkey plugin.\n\t */\n\t@Post(\"/passkey/register\")\n\tasync passkeyRegister(@Req() c: Context) {\n\t\tconst result = await this.auth.registerPasskey({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * POST /api/auth/passkey/authenticate\n\t * Body: passkey assertion\n\t */\n\t@Post(\"/passkey/authenticate\")\n\tasync passkeyAuthenticate(@Req() c: Context, @Body() body: any) {\n\t\tconst result = await this.auth.authenticatePasskey({\n\t\t\theaders: c.req.raw.headers,\n\t\t\tbody,\n\t\t});\n\t\treturn c.json(result);\n\t}\n}",
+    "/**\n * `AuthModule` — drop-in module for adding auth to any NexusTS app.\n *\n * Usage:\n *   // src/app/app.module.ts\n *   @Module({\n *     imports: [AuthModule.forRoot({ ... })],\n *   })\n *   export class AppModule {}\n *\n * The `forRoot` static factory builds a one-off `AuthModule` subclass\n * pre-configured with the user's `auth` config. The provider token\n * `'AUTH_CONFIG'` carries the config to the `AuthService` constructor.\n *\n * AuthService is registered under **both** its class token and\n * `AuthService.TOKEN` (a Symbol). The class token is what the\n * container scans; the Symbol is what `@Inject(AuthService.TOKEN)`\n * looks up. Both resolve to the same instance via `useExisting`.\n */\n\nimport \"reflect-metadata\";\nimport { Module } from \"@nexusts/core/decorators/module.js\";\nimport { AuthController } from \"./auth.controller.js\";\nimport { AuthService } from \"./auth.service.js\";\nimport type { AuthConfig } from \"./types.js\";\n\n@Module({\n\tcontrollers: [AuthController],\n\tproviders: [\n\t\tAuthService,\n\t\t{ provide: AuthService.TOKEN, useExisting: AuthService },\n\t],\n\texports: [AuthService, AuthService.TOKEN],\n})\nexport class AuthModule {\n\t/**\n\t * Build a configured `AuthModule` class with the given config.\n\t *\n\t * The returned class can be `imports`-ed by any other module and\n\t * will provide the `AuthService` (and a `AUTH_CONFIG` value\n\t * provider) to its container.\n\t */\n\tstatic forRoot(config: AuthConfig) {\n\t\t@Module({\n\t\t\tcontrollers: [AuthController],\n\t\t\tproviders: [\n\t\t\t\tAuthService,\n\t\t\t\t{ provide: AuthService.TOKEN, useExisting: AuthService },\n\t\t\t\t{ provide: \"AUTH_CONFIG\", useValue: config },\n\t\t\t],\n\t\t\texports: [AuthService, AuthService.TOKEN],\n\t\t})\n\t\tclass ConfiguredAuthModule {}\n\n\t\t// Tag the dynamic class so the user can see where it came from.\n\t\tObject.defineProperty(ConfiguredAuthModule, \"name\", {\n\t\t\tvalue: \"ConfiguredAuthModule\",\n\t\t});\n\n\t\treturn ConfiguredAuthModule;\n\t}\n}\n",
+    "/**\n * `authMiddleware` — populate `c.var.user` and `c.var.session` on\n * every request, optionally enforcing a \"must be logged in\" policy.\n *\n * This is a Hono middleware that wraps better-auth's `getSession`.\n * It runs after the better-auth handler has set its own cookies, so\n * subsequent reads are cheap (a single DB lookup).\n *\n * Three modes:\n *   - optional  → always allow; populate user/session if present\n *   - required  → 401 if no user\n *   - scoped    → require user only for paths matching a regex\n *\n * Usage:\n *   import { authMiddleware } from 'nexusjs/auth';\n *   app.use('*', authMiddleware(auth, { mode: 'optional' }));\n *   app.use('/api/*', authMiddleware(auth, { mode: 'required' }));\n */\n\nimport type { Context, MiddlewareHandler, Next } from \"hono\";\nimport type { Auth } from \"better-auth\";\nimport type { AuthVariables } from \"./types.js\";\n\nexport type AuthMiddlewareMode = \"optional\" | \"required\" | \"scoped\";\n\nexport interface AuthMiddlewareOptions {\n\t/** Auth mode. Default: `'optional'`. */\n\tmode?: AuthMiddlewareMode;\n\t/** Path matcher (only used in `'scoped'` mode). */\n\tscope?: RegExp;\n\t/** Path matcher for `'scoped'` mode's protected set. */\n\tprotectedPaths?: RegExp | RegExp[];\n\t/** Path matcher for paths that should be skipped entirely. */\n\tignoredPaths?: RegExp | RegExp[];\n\t/** Customize the 401 response. */\n\tonUnauthenticated?: (c: Context) => Response | Promise<Response>;\n\t/** Customize the 403 response when a scope check fails. */\n\tonForbidden?: (c: Context) => Response | Promise<Response>;\n}\n\nexport function authMiddleware(\n\tauth: Auth,\n\toptions: AuthMiddlewareOptions = {},\n): MiddlewareHandler<{ Variables: AuthVariables }> {\n\tconst {\n\t\tmode = \"optional\",\n\t\tscope,\n\t\tprotectedPaths,\n\t\tignoredPaths,\n\t\tonUnauthenticated = defaultUnauthenticated,\n\t\tonForbidden = defaultForbidden,\n\t} = options;\n\n\tconst ignored = toMatcher(ignoredPaths);\n\tconst protected_ =\n\t\tmode === \"scoped\"\n\t\t\t? toMatcher(scope ?? protectedPaths ?? /^\\/.+/) // everything\n\t\t\t: null;\n\n\treturn async (c, next) => {\n\t\tconst path = c.req.path;\n\n\t\t// Skip ignored paths entirely (e.g. health checks).\n\t\tif (ignored?.test(path)) {\n\t\t\treturn next();\n\t\t}\n\n\t\t// Populate the session.\n\t\tconst session = await auth.api.getSession({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\n\t\tif (session) {\n\t\t\tc.set(\"user\", session.user as never);\n\t\t\tc.set(\"session\", session.session as never);\n\t\t} else {\n\t\t\tc.set(\"user\", null);\n\t\t\tc.set(\"session\", null);\n\t\t}\n\n\t\t// Apply mode.\n\t\tif (mode === \"required\" || (protected_?.test(path) && session === null)) {\n\t\t\tif (session === null) return onUnauthenticated(c);\n\t\t}\n\n\t\t// Scope-based forbidden check (e.g. \"user must have a specific role\").\n\t\t// Skipped here — the route handler can call `requireRole(...)` itself.\n\n\t\treturn next();\n\t};\n}\n\nfunction toMatcher(input?: RegExp | RegExp[]): RegExp | null {\n\tif (!input) return null;\n\tif (Array.isArray(input)) {\n\t\treturn new RegExp(input.map((r) => `(?:${r.source})`).join(\"|\"));\n\t}\n\treturn input;\n}\n\nfunction defaultUnauthenticated(c: Context): Response {\n\treturn c.json(\n\t\t{ error: \"Unauthorized\", message: \"Authentication required.\" },\n\t\t401,\n\t);\n}\n\nfunction defaultForbidden(c: Context): Response {\n\treturn c.json(\n\t\t{ error: \"Forbidden\", message: \"Insufficient permissions.\" },\n\t\t403,\n\t);\n}\n\n/**\n * `authHandler` — mount better-auth's catch-all handler at a path.\n *\n * Use this instead of writing the `app.on(['POST', 'GET'], path, ...)`\n * boilerplate yourself.\n *\n *   app.use('/api/auth/*', cors({ ... }));\n *   app.all('/api/auth/*', authHandler(auth));\n */\nexport function authHandler(auth: Auth): MiddlewareHandler {\n\treturn async (c) => auth.handler(c.req.raw);\n}\n",
+    "/**\n * `@CurrentUser()` — controller parameter decorator that injects the\n * authenticated user (and optionally the session) into a handler.\n *\n * Usage:\n *   @Get('/me')\n *   me(@CurrentUser() user: AuthUser) {\n *     return user;\n *   }\n *\n *   @Get('/profile')\n *   profile(@CurrentUser({ session: true }) ctx: { user: AuthUser; session: AuthSessionRecord }) {\n *     return ctx;\n *   }\n *\n *   @Get('/dashboard')\n *   dashboard(@CurrentUser({ required: true }) user: AuthUser) {\n *     // 401 is thrown before the handler if no user is present.\n *     return this.dashboardService.forUser(user.id);\n *   }\n */\n\nimport \"reflect-metadata\";\nimport { createParamDecorator } from \"@nexusts/core/src/decorators/params.js\";\nimport { PARAM_TYPES } from \"@nexusts/core/src/constants.js\";\nimport type { AuthUser, AuthSessionRecord } from \"../types.js\";\n\nexport interface CurrentUserOptions {\n\t/**\n\t * Include the session in the injected value. Default: `false`.\n\t * When true, the value is `{ user, session }` instead of just the user.\n\t */\n\tsession?: boolean;\n\t/**\n\t * Throw 401 if no user is present. Default: `false`.\n\t * When true, the framework returns a 401 response without invoking\n\t * the handler.\n\t */\n\trequired?: boolean;\n\t/**\n\t * Throw 403 if the user does not satisfy the predicate.\n\t */\n\tassert?: (user: AuthUser) => boolean | Promise<boolean>;\n}\n\n/**\n * Inject the authenticated user (or `{ user, session }` if `session: true`).\n */\nexport function CurrentUser(\n\toptions: CurrentUserOptions = {},\n): ParameterDecorator {\n\treturn createParamDecorator(PARAM_TYPES.USER, options as never);\n}\n\n/**\n * Convenience: throw 401 with a JSON body when no user is present.\n * Exposed for users who want to enforce auth inside the handler.\n */\nexport class UnauthenticatedError extends Error {\n\treadonly status = 401;\n\tconstructor(message = \"Authentication required.\") {\n\t\tsuper(message);\n\t\tthis.name = \"UnauthenticatedError\";\n\t}\n}\n\nexport class ForbiddenError extends Error {\n\treadonly status = 403;\n\tconstructor(message = \"Insufficient permissions.\") {\n\t\tsuper(message);\n\t\tthis.name = \"ForbiddenError\";\n\t}\n}\n\n// Re-export session record type for convenience.\nexport type { AuthSessionRecord as AuthSession };\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;;AA+BA;AAWO,SAAS,UAAU,CAAC,SAAqB,CAAC,GAAuB;AAAA,EACvE,MAAM,SAAS,OAAO,UAAU,QAAQ,IAAI;AAAA,EAC5C,MAAM,UAAU,OAAO,WAAW,QAAQ,IAAI;AAAA,EAE9C,IAAI,CAAC,QAAQ;AAAA,IACZ,MAAM,IAAI,MACT,kDACC,iEACF;AAAA,EACD;AAAA,EACA,IAAI,CAAC,SAAS;AAAA,IACb,MAAM,IAAI,MACT,wEACD;AAAA,EACD;AAAA,EAEA,MAAM,UAA0B,CAAC;AAAA,EAGjC,IAAI,OAAO,KAAK,SAAS;AAAA,IAIxB,QAAQ;AAAA,IACR,QAAQ,KACP,IAAI;AAAA,MACH,MAAM;AAAA,QACL,MAAM,OAAO,IAAI,YAAY;AAAA,MAC9B;AAAA,MACA,QAAQ,OAAO,IAAI,UAAU;AAAA,MAC7B,UAAU,OAAO,IAAI,YAAY;AAAA,MACjC,WAAW,OAAO,IAAI,aAAa,KAAK;AAAA,IACzC,CAAC,CACF;AAAA,EACD;AAAA,EAGA,IAAI,OAAO,SAAS,SAAS;AAAA,IAE5B,QAAQ;AAAA,IACR,QAAQ,KACP,QAAQ;AAAA,MACP,QAAQ,OAAO,QAAQ;AAAA,MACvB,MAAM,OAAO,QAAQ;AAAA,MACrB,QAAQ,OAAO,QAAQ;AAAA,IACxB,CAAC,CACF;AAAA,EACD;AAAA,EAEA,OAAO,WAAW;AAAA,IACjB;AAAA,IACA;AAAA,IACA,UAAU,OAAO,YAAY;AAAA,IAC7B,kBAAkB;AAAA,MACjB,SAAS,OAAO,kBAAkB,WAAW;AAAA,MAC7C,0BACC,OAAO,kBAAkB,4BAA4B;AAAA,MACtD,mBAAmB,OAAO,kBAAkB,qBAAqB;AAAA,MACjE,mBAAmB,OAAO,kBAAkB,qBAAqB;AAAA,IAClE;AAAA,IACA,SAAS;AAAA,MACR,WAAW,OAAO,2BAA2B,KAAK,KAAK,KAAK;AAAA,IAC7D;AAAA,IACA,iBAAiB,OAAO;AAAA,IACxB,UAAU;AAAA,MACT,SAAS;AAAA,QACR,cAAc;AAAA,UACb,YAAY;AAAA,YACX,UAAW,OAAO,kBAAkB;AAAA,YAIpC,QACC,OAAO,gBAAgB,QAAQ,IAAI,gBAAgB;AAAA,eAChD,OAAO,eAAe,EAAE,QAAQ,OAAO,aAAa,IAAI,CAAC;AAAA,UAC9D;AAAA,QACD;AAAA,MACD;AAAA,MACA,uBAAuB,OAAO,uBAAuB,UAClD;AAAA,QACA,SAAS;AAAA,QACT,QAAQ,OAAO,sBAAsB;AAAA,MACtC,IACC;AAAA,IACJ;AAAA,IACA;AAAA,EACD,CAAU;AAAA;;AC/GX;AAWO,MAAM,YAAY;AAAA,EAmBiB;AAAA,SAjBzB,QAAQ,OAAO,IAAI,mBAAmB;AAAA,EAG7C;AAAA,EAWT,kBAAyC;AAAA,EAEzC,WAAW,CAC8B,QACvC;AAAA,IADuC;AAAA,IAIxC,KAAK,WAAW,WAAW,KAAK,MAAM;AAAA;AAAA,EAYvC,WAAW,CAAC,gBAAsC;AAAA,IACjD,KAAK,kBAAkB;AAAA,IACvB,OAAO;AAAA;AAAA,EAMR,iBAAiB,GAAY;AAAA,IAC5B,OAAO,KAAK,oBAAoB;AAAA;AAAA,OAgB3B,WAAU,CAAC,OAAmD;AAAA,IAEnE,IAAI,KAAK,iBAAiB;AAAA,MACzB,MAAM,aAAa,KAAK,gBAAgB;AAAA,MACxC,IAAI,YAAY;AAAA,QACf,MAAM,eAAe,MAAM,QAAQ,IAAI,QAAQ,KAAK;AAAA,QACpD,MAAM,QAAQ,YAAY,cAAc,UAAU;AAAA,QAClD,IAAI,OAAO;AAAA,UACV,MAAM,UAAU,KAAK,gBAAgB,aAAa,KAAK;AAAA,UACvD,IAAI,SAAS,QAAQ;AAAA,YAGpB,MAAM,iBAAkB,MAAM,KAAK,SAAS,IAAI,WAAW;AAAA,cAC1D,SAAS,MAAM;AAAA,YAChB,CAAC;AAAA,YACD,IAAI,gBAAgB,MAAM;AAAA,cACzB,OAAO;AAAA,YACR;AAAA,UACD;AAAA,QACD;AAAA,MACD;AAAA,IACD;AAAA,IAGA,MAAM,SAAS,MAAM,KAAK,SAAS,IAAI,WAAW;AAAA,MACjD,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA,IACD,OAAO;AAAA;AAAA,OAQF,cAAa,CAAC,OAA6B;AAAA,IAChD,IAAI,CAAC,KAAK;AAAA,MAAiB,OAAO;AAAA,IAClC,MAAM,aAAa,KAAK,gBAAgB;AAAA,IACxC,IAAI,CAAC;AAAA,MAAY,OAAO;AAAA,IACxB,MAAM,eAAe,MAAM,QAAQ,IAAI,QAAQ,KAAK;AAAA,IACpD,MAAM,QAAQ,YAAY,cAAc,UAAU;AAAA,IAClD,IAAI,CAAC;AAAA,MAAO,OAAO;AAAA,IACnB,OAAO,KAAK,gBAAgB,aAAa,KAAK;AAAA;AAAA,OAWzC,OAAM,CAAC,OAMV;AAAA,IACF,OAAO,KAAK,SAAS,IAAI,YAAY;AAAA,MACpC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAII,OAAM,CAAC,OAAkE;AAAA,IAC9E,OAAO,KAAK,SAAS,IAAI,YAAY;AAAA,MACpC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAII,QAAO,CAAC,OAA6B;AAAA,IAC1C,OAAO,KAAK,SAAS,IAAI,QAAQ;AAAA,MAChC,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA;AAAA,OAUI,YAAW,CAAC,OAGf;AAAA,IACF,OAAO,KAAK,SAAS,IAAI,aAAa;AAAA,MACrC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAMI,oBAAmB,CAAC,OAA4D;AAAA,IACrF,OAAO,KAAK,SAAS,IAAI,aAAa;AAAA,MACrC,SAAS,MAAM;AAAA,MACf,OAAO,MAAM;AAAA,MACb,MAAM,CAAC;AAAA,IACR,CAAC;AAAA;AAAA,OAWI,SAAQ,CAAC,OAA2B;AAAA,IACzC,MAAM,MAAM,KAAK,SAAS;AAAA,IAM1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MACT,oFACD;AAAA,IACD;AAAA,IACA,OAAO,IAAI,QAAQ,EAAE,MAAM,EAAE,QAAQ,MAAM,OAAO,EAAE,CAAC;AAAA;AAAA,OAOhD,gBAAe,CAAC,OAA6B;AAAA,IAClD,MAAM,MAAM,KAAK,SAAS;AAAA,IAK1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MACT,4FACD;AAAA,IACD;AAAA,IACA,OAAO,IAAI,QAAQ,SAAS,EAAE,SAAS,MAAM,QAAQ,CAAC;AAAA;AAAA,OAGjD,oBAAmB,CAAC,OAA4C;AAAA,IACrE,MAAM,MAAM,KAAK,SAAS;AAAA,IAK1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MAAM,0CAA0C;AAAA,IAC3D;AAAA,IACA,OAAO,IAAI,QAAQ,aAAa,EAAE,SAAS,MAAM,SAAS,MAAM,MAAM,KAAK,CAAC;AAAA;AAAA,EAW7E,QAAQ,CAAC,IAAY,SAAgC,KAAe;AAAA,IACnE,OAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,SAAS,EAAE,UAAU,GAAG,EAAE,CAAC;AAAA;AAAA,EAMhE,kBAAkB,CAAC,SAGjB;AAAA,IACD,IAAI,CAAC;AAAA,MAAS,OAAO,EAAE,MAAM,MAAM,SAAS,KAAK;AAAA,IACjD,OAAO,EAAE,MAAM,QAAQ,MAAM,SAAS,QAAQ,QAAQ;AAAA;AAExD;AAjPa,cAAN;AAAA,EADN,WAAW;AAAA,EAoBT,kCAAO,aAAa;AAAA,EAnBhB;AAAA;AAAA;AAAA,GAAM;AAuPb,SAAS,WAAW,CAAC,cAAsB,MAA6B;AAAA,EACvE,IAAI,CAAC;AAAA,IAAc,OAAO;AAAA,EAC1B,MAAM,QAAQ,aAAa,MAAM,GAAG;AAAA,EACpC,WAAW,QAAQ,OAAO;AAAA,IACzB,MAAM,KAAK,KAAK,QAAQ,GAAG;AAAA,IAC3B,IAAI,KAAK;AAAA,MAAG;AAAA,IACZ,MAAM,IAAI,KAAK,MAAM,GAAG,EAAE,EAAE,KAAK;AAAA,IACjC,IAAI,MAAM,MAAM;AAAA,MACf,OAAO,mBAAmB,KAAK,MAAM,KAAK,CAAC,EAAE,KAAK,CAAC;AAAA,IACpD;AAAA,EACD;AAAA,EACA,OAAO;AAAA;;ACnQR;AAAA;AAAA;AAAA;AAAA,YAIC;AAAA;AAAA;AAAA;AAAA;AAUM,MAAM,eAAe;AAAA,EAC6B;AAAA,EAAxD,WAAW,CAA6C,MAAmB;AAAA,IAAnB;AAAA;AAAA,OAOlD,QAAO,CAAQ,GAAY;AAAA,IAChC,MAAM,UAAuB,MAAM,KAAK,KAAK,WAAW;AAAA,MACvD,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,MAAM,SAAS,KAAK,CAAC;AAAA;AAAA,OAQjD,YAAW,CAAQ,GAAoB,MAAW;AAAA,IACvD,MAAM,SAAS,MAAM,KAAK,KAAK,OAAO,IAAI;AAAA,IAC1C,OAAO,EAAE,KAAK,QAAQ,GAAG;AAAA;AAAA,OAQpB,YAAW,CAAQ,GAAoB,MAAW;AAAA,IACvD,MAAM,SAAS,MAAM,KAAK,KAAK,OAAO,IAAI;AAAA,IAC1C,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAOf,QAAO,CAAQ,GAAmB,MAAgB;AAAA,IACvD,MAAM,KAAK,KAAK,QAAQ,EAAE,SAAS,EAAE,IAAI,IAAI,QAAQ,CAAC;AAAA,IACtD,OAAO,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC;AAAA;AAAA,OAQrB,aAAY,CACV,GACC,OACP;AAAA,IACD,MAAM,WAAW,EAAE,IAAI,MAAM,UAAU,KAAK;AAAA,IAC5C,MAAM,cAAc,EAAE,IAAI,MAAM,aAAa,KAAK;AAAA,IAClD,MAAM,SAAS,MAAM,KAAK,KAAK,YAAY,EAAE,UAAU,YAAY,CAAC;AAAA,IACpE,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OASf,cAAa,CAAQ,GAAY;AAAA,IACtC,MAAM,SAAS,MAAM,KAAK,KAAK,oBAAoB;AAAA,MAClD,SAAS,EAAE,IAAI,IAAI;AAAA,MACnB,OAAO,EAAE,IAAI,MAAM;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAQf,SAAQ,CAAQ,GAAY;AAAA,IACjC,MAAM,UAAU,MAAM,KAAK,KAAK,WAAW;AAAA,MAC1C,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,IAAI,CAAC;AAAA,MAAS,OAAO,EAAE,KAAK,EAAE,OAAO,eAAe,GAAG,GAAG;AAAA,IAC1D,MAAM,QAAQ,MAAM,KAAK,KAAK,SAAS,EAAE,QAAQ,QAAQ,KAAK,GAAG,CAAC;AAAA,IAClE,OAAO,EAAE,KAAK,KAAK;AAAA;AAAA,OAQd,gBAAe,CAAQ,GAAY;AAAA,IACxC,MAAM,SAAS,MAAM,KAAK,KAAK,gBAAgB;AAAA,MAC9C,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAQf,oBAAmB,CAAQ,GAAoB,MAAW;AAAA,IAC/D,MAAM,SAAS,MAAM,KAAK,KAAK,oBAAoB;AAAA,MAClD,SAAS,EAAE,IAAI,IAAI;AAAA,MACnB;AAAA,IACD,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAEtB;AAvGO;AAAA,EADL,IAAI,UAAU;AAAA,EACA,+BAAI;AAAA,EAAb;AAAA;AAAA;AAAA;AAAA;AAAA,GARM,eAQN;AAYA;AAAA,EADL,KAAK,gBAAgB;AAAA,EACH,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAArC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GApBM,eAoBN;AAUA;AAAA,EADL,KAAK,gBAAgB;AAAA,EACH,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAArC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GA9BM,eA8BN;AASA;AAAA,EADL,KAAK,WAAW;AAAA,EACF,+BAAI;AAAA,EAAe,+BAAI;AAAA,EAAhC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAvCM,eAuCN;AAUA;AAAA,EADL,IAAI,oBAAoB;AAAA,EAEvB,+BAAI;AAAA,EACJ,gCAAK;AAAA,EAFD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAjDM,eAiDN;AAgBA;AAAA,EADL,IAAI,qBAAqB;AAAA,EACL,+BAAI;AAAA,EAAnB;AAAA;AAAA;AAAA;AAAA;AAAA,GAjEM,eAiEN;AAaA;AAAA,EADL,KAAK,MAAM;AAAA,EACI,+BAAI;AAAA,EAAd;AAAA;AAAA;AAAA;AAAA;AAAA,GA9EM,eA8EN;AAcA;AAAA,EADL,KAAK,mBAAmB;AAAA,EACF,+BAAI;AAAA,EAArB;AAAA;AAAA;AAAA;AAAA;AAAA,GA5FM,eA4FN;AAYA;AAAA,EADL,KAAK,uBAAuB;AAAA,EACF,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAA7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAxGM,eAwGN;AAxGM,iBAAN;AAAA,EADN,WAAW,WAAW;AAAA,EAET,mCAAO,YAAY,KAAK;AAAA,EAD/B;AAAA;AAAA;AAAA,GAAM;;ACrBb;AACA;AAaO,MAAM,WAAW;AAAA,SAQhB,OAAO,CAAC,QAAoB;AAAA,IAUlC,MAAM,qBAAqB;AAAA,IAAC;AAAA,IAAtB,uBAAN;AAAA,MATC,OAAO;AAAA,QACP,aAAa,CAAC,cAAc;AAAA,QAC5B,WAAW;AAAA,UACV;AAAA,UACA,EAAE,SAAS,YAAY,OAAO,aAAa,YAAY;AAAA,UACvD,EAAE,SAAS,eAAe,UAAU,OAAO;AAAA,QAC5C;AAAA,QACA,SAAS,CAAC,aAAa,YAAY,KAAK;AAAA,MACzC,CAAC;AAAA,OACK;AAAA,IAGN,OAAO,eAAe,sBAAsB,QAAQ;AAAA,MACnD,OAAO;AAAA,IACR,CAAC;AAAA,IAED,OAAO;AAAA;AAET;AA3Ba,aAAN;AAAA,EARN,OAAO;AAAA,IACP,aAAa,CAAC,cAAc;AAAA,IAC5B,WAAW;AAAA,MACV;AAAA,MACA,EAAE,SAAS,YAAY,OAAO,aAAa,YAAY;AAAA,IACxD;AAAA,IACA,SAAS,CAAC,aAAa,YAAY,KAAK;AAAA,EACzC,CAAC;AAAA,GACY;;ACMN,SAAS,cAAc,CAC7B,MACA,UAAiC,CAAC,GACgB;AAAA,EAClD;AAAA,IACC,OAAO;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,IACA,oBAAoB;AAAA,IACpB,cAAc;AAAA,MACX;AAAA,EAEJ,MAAM,UAAU,UAAU,YAAY;AAAA,EACtC,MAAM,aACL,SAAS,WACN,UAAU,SAAS,kBAAkB,OAAO,IAC5C;AAAA,EAEJ,OAAO,OAAO,GAAG,SAAS;AAAA,IACzB,MAAM,OAAO,EAAE,IAAI;AAAA,IAGnB,IAAI,SAAS,KAAK,IAAI,GAAG;AAAA,MACxB,OAAO,KAAK;AAAA,IACb;AAAA,IAGA,MAAM,UAAU,MAAM,KAAK,IAAI,WAAW;AAAA,MACzC,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IAED,IAAI,SAAS;AAAA,MACZ,EAAE,IAAI,QAAQ,QAAQ,IAAa;AAAA,MACnC,EAAE,IAAI,WAAW,QAAQ,OAAgB;AAAA,IAC1C,EAAO;AAAA,MACN,EAAE,IAAI,QAAQ,IAAI;AAAA,MAClB,EAAE,IAAI,WAAW,IAAI;AAAA;AAAA,IAItB,IAAI,SAAS,cAAe,YAAY,KAAK,IAAI,KAAK,YAAY,MAAO;AAAA,MACxE,IAAI,YAAY;AAAA,QAAM,OAAO,kBAAkB,CAAC;AAAA,IACjD;AAAA,IAKA,OAAO,KAAK;AAAA;AAAA;AAId,SAAS,SAAS,CAAC,OAA0C;AAAA,EAC5D,IAAI,CAAC;AAAA,IAAO,OAAO;AAAA,EACnB,IAAI,MAAM,QAAQ,KAAK,GAAG;AAAA,IACzB,OAAO,IAAI,OAAO,MAAM,IAAI,CAAC,MAAM,MAAM,EAAE,SAAS,EAAE,KAAK,GAAG,CAAC;AAAA,EAChE;AAAA,EACA,OAAO;AAAA;AAGR,SAAS,sBAAsB,CAAC,GAAsB;AAAA,EACrD,OAAO,EAAE,KACR,EAAE,OAAO,gBAAgB,SAAS,2BAA2B,GAC7D,GACD;AAAA;AAGD,SAAS,gBAAgB,CAAC,GAAsB;AAAA,EAC/C,OAAO,EAAE,KACR,EAAE,OAAO,aAAa,SAAS,4BAA4B,GAC3D,GACD;AAAA;AAYM,SAAS,WAAW,CAAC,MAA+B;AAAA,EAC1D,OAAO,OAAO,MAAM,KAAK,QAAQ,EAAE,IAAI,GAAG;AAAA;;ACtG3C;AACA;AACA;AAwBO,SAAS,WAAW,CAC1B,UAA8B,CAAC,GACV;AAAA,EACrB,OAAO,qBAAqB,YAAY,MAAM,OAAgB;AAAA;AAAA;AAOxD,MAAM,6BAA6B,MAAM;AAAA,EACtC,SAAS;AAAA,EAClB,WAAW,CAAC,UAAU,4BAA4B;AAAA,IACjD,MAAM,OAAO;AAAA,IACb,KAAK,OAAO;AAAA;AAEd;AAAA;AAEO,MAAM,uBAAuB,MAAM;AAAA,EAChC,SAAS;AAAA,EAClB,WAAW,CAAC,UAAU,6BAA6B;AAAA,IAClD,MAAM,OAAO;AAAA,IACb,KAAK,OAAO;AAAA;AAEd;",
+  "debugId": "5736524FC5C13DE864756E2164756E21",
+  "names": []
+}

package/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "@nexusts/auth",
+  "version": "0.7.0",
+  "description": "Authentication via better-auth integration",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "bun run ../../build.ts"
+  },
+  "keywords": [
+    "nexusts",
+    "framework",
+    "bun"
+  ],
+  "license": "MIT",
+  "peerDependencies": {
+    "better-auth": "^1.6.0"
+  },
+  "peerDependenciesMeta": {
+    "better-auth": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "@nexusts/core": "^0.7.0"
+  }
+}