@nexusts/auth 0.8.4 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/dist/auth.module.d.ts +0 -1
  2. package/dist/decorators/current-user.d.ts +0 -1
  3. package/dist/index.js +5 -11
  4. package/dist/index.js.map +6 -6
  5. package/dist/middleware.d.ts +1 -1
  6. package/package.json +2 -2
package/dist/auth.module.d.ts CHANGED
@@ -17,7 +17,6 @@
17
17
  * container scans; the Symbol is what `@Inject(AuthService.TOKEN)`
18
18
  * looks up. Both resolve to the same instance via `useExisting`.
19
19
  */
20
- import "reflect-metadata";
21
20
  import type { AuthConfig } from "./types.js";
22
21
  export declare class AuthModule {
23
22
  /**
package/dist/decorators/current-user.d.ts CHANGED
@@ -19,7 +19,6 @@
19
19
  * return this.dashboardService.forUser(user.id);
20
20
  * }
21
21
  */
22
- import "reflect-metadata";
23
22
  import type { AuthUser, AuthSessionRecord } from "../types.js";
24
23
  export interface CurrentUserOptions {
25
24
  /**
package/dist/index.js CHANGED
@@ -18,8 +18,8 @@ var __require = import.meta.require;
18
18
  // packages/auth/src/auth.ts
19
19
  import { betterAuth } from "better-auth";
20
20
  function createAuth(config = {}) {
21
- const secret = config.secret ?? process.env["BETTER_AUTH_SECRET"];
22
- const baseURL = config.baseUrl ?? process.env["BETTER_AUTH_URL"];
21
+ const secret = config.secret ?? process.env.BETTER_AUTH_SECRET;
22
+ const baseURL = config.baseUrl ?? process.env.BETTER_AUTH_URL;
23
23
  if (!secret) {
24
24
  throw new Error("[nexus/auth] BETTER_AUTH_SECRET is required. " + "Generate one with `openssl rand -base64 32` and add it to .env.");
25
25
  }
@@ -65,7 +65,7 @@ function createAuth(config = {}) {
65
65
  sessionToken: {
66
66
  attributes: {
67
67
  sameSite: config.cookieSameSite ?? "lax",
68
- secure: config.cookieSecure ?? process.env["NODE_ENV"] === "production",
68
+ secure: config.cookieSecure ?? false,
69
69
  ...config.cookieDomain ? { domain: config.cookieDomain } : {}
70
70
  }
71
71
  }
@@ -379,7 +379,6 @@ AuthController = __legacyDecorateClassTS([
379
379
  ])
380
380
  ], AuthController);
381
381
  // packages/auth/src/auth.module.ts
382
- import"reflect-metadata";
383
382
  import { Module } from "@nexusts/core";
384
383
  class AuthModule {
385
384
  static forRoot(config) {
@@ -419,8 +418,7 @@ function authMiddleware(auth, options = {}) {
419
418
  scope,
420
419
  protectedPaths,
421
420
  ignoredPaths,
422
- onUnauthenticated = defaultUnauthenticated,
423
- onForbidden = defaultForbidden
421
+ onUnauthenticated = defaultUnauthenticated
424
422
  } = options;
425
423
  const ignored = toMatcher(ignoredPaths);
426
424
  const protected_ = mode === "scoped" ? toMatcher(scope ?? protectedPaths ?? /^\/.+/) : null;
@@ -457,14 +455,10 @@ function toMatcher(input) {
457
455
  function defaultUnauthenticated(c) {
458
456
  return c.json({ error: "Unauthorized", message: "Authentication required." }, 401);
459
457
  }
460
- function defaultForbidden(c) {
461
- return c.json({ error: "Forbidden", message: "Insufficient permissions." }, 403);
462
- }
463
458
  function authHandler(auth) {
464
459
  return async (c) => auth.handler(c.req.raw);
465
460
  }
466
461
  // packages/auth/src/decorators/current-user.ts
467
- import"reflect-metadata";
468
462
  import { createParamDecorator } from "@nexusts/core";
469
463
  import { PARAM_TYPES } from "@nexusts/core";
470
464
  function CurrentUser(options = {}) {
@@ -498,5 +492,5 @@ export {
498
492
  AuthController
499
493
  };
500
494
 
501
- //# debugId=EEADE08822BB72E964756E2164756E21
495
+ //# debugId=7EDCCD5DCE9F451764756E2164756E21
502
496
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -2,14 +2,14 @@
2
2
  "version": 3,
3
3
  "sources": ["../src/auth.ts", "../src/auth.service.ts", "../src/auth.controller.ts", "../src/auth.module.ts", "../src/middleware.ts", "../src/decorators/current-user.ts"],
4
4
  "sourcesContent": [
5
- "/**\n * `createAuth()` — wrap better-auth's `betterAuth()` factory with\n * NexusTS-friendly defaults.\n *\n * This is the **only** place that talks to better-auth directly. Every\n * other NexusTS auth module consumes the resulting `Auth` instance via\n * DI or the registered token.\n *\n * Why an adapter layer instead of calling `betterAuth()` directly?\n * 1. NexusTS users write `auth.config.ts`, not raw better-auth options.\n * The adapter translates between the two.\n * 2. Plugin selection (jwt, passkey) is toggled by boolean flags,\n * not by importing plugin objects.\n * 3. Cookie / CORS / cross-subdomain defaults match Hono's `cors()`\n * middleware so the two never conflict.\n *\n * Usage:\n * // src/auth/auth.ts\n * import { createAuth } from 'nexusjs/auth';\n * export const auth = createAuth({\n * basePath: '/api/auth',\n * emailAndPassword: { enabled: true },\n * socialProviders: {\n * github: {\n * clientId: process.env.GITHUB_CLIENT_ID!,\n * clientSecret: process.env.GITHUB_CLIENT_SECRET!,\n * },\n * },\n * });\n */\n\nimport { betterAuth } from \"better-auth\";\nimport type { AuthConfig } from \"./types.js\";\n\ntype BetterAuthInstance = ReturnType<typeof betterAuth>;\n\n/**\n * Create a better-auth instance with NexusTS-friendly defaults.\n *\n * @param config NexusTS-shaped config (see types.ts).\n * @returns A `better-auth` Auth instance.\n */\nexport function createAuth(config: AuthConfig = {}): BetterAuthInstance {\n\tconst secret = config.secret ?? process.env[\"BETTER_AUTH_SECRET\"];\n\tconst baseURL = config.baseUrl ?? process.env[\"BETTER_AUTH_URL\"];\n\n\tif (!secret) {\n\t\tthrow new Error(\n\t\t\t\"[nexus/auth] BETTER_AUTH_SECRET is required. \" +\n\t\t\t\t\"Generate one with `openssl rand -base64 32` and add it to .env.\",\n\t\t);\n\t}\n\tif (!baseURL) {\n\t\tthrow new Error(\n\t\t\t\"[nexus/auth] BETTER_AUTH_URL is required (e.g. http://localhost:3000).\",\n\t\t);\n\t}\n\n\tconst plugins: Array<unknown> = [];\n\n\t// JWT plugin — opt-in.\n\tif (config.jwt?.enabled) {\n\t\t// Lazy import so the plugin's transitive dependencies don't load\n\t\t// when the user hasn't asked for JWT.\n\t\t// eslint-disable-next-line @typescript-eslint/no-require-imports\n\t\tconst { jwt } = require(\"better-auth/plugins\");\n\t\tplugins.push(\n\t\t\tjwt({\n\t\t\t\tjwks: {\n\t\t\t\t\tpath: config.jwt.jwksPath ?? \"/api/auth/jwks\",\n\t\t\t\t},\n\t\t\t\tissuer: config.jwt.issuer ?? baseURL,\n\t\t\t\taudience: config.jwt.audience ?? baseURL,\n\t\t\t\texpiresIn: config.jwt.expiresIn ?? 60 * 15,\n\t\t\t}),\n\t\t);\n\t}\n\n\t// Passkey plugin — opt-in.\n\tif (config.passkey?.enabled) {\n\t\t// eslint-disable-next-line @typescript-eslint/no-require-imports\n\t\tconst { passkey } = require(\"better-auth/plugins\");\n\t\tplugins.push(\n\t\t\tpasskey({\n\t\t\t\trpName: config.passkey.rpName,\n\t\t\t\trpID: config.passkey.rpId,\n\t\t\t\torigin: config.passkey.origin,\n\t\t\t}),\n\t\t);\n\t}\n\n\treturn betterAuth({\n\t\tsecret,\n\t\tbaseURL,\n\t\tbasePath: config.basePath ?? \"/api/auth\",\n\t\temailAndPassword: {\n\t\t\tenabled: config.emailAndPassword?.enabled ?? true,\n\t\t\trequireEmailVerification:\n\t\t\t\tconfig.emailAndPassword?.requireEmailVerification ?? false,\n\t\t\tminPasswordLength: config.emailAndPassword?.minPasswordLength ?? 8,\n\t\t\tmaxPasswordLength: config.emailAndPassword?.maxPasswordLength ?? 128,\n\t\t},\n\t\tsession: {\n\t\t\texpiresIn: config.sessionExpiresInSeconds ?? 60 * 60 * 24 * 7, // 7 days\n\t\t},\n\t\tsocialProviders: config.socialProviders as never,\n\t\tadvanced: {\n\t\t\tcookies: {\n\t\t\t\tsessionToken: {\n\t\t\t\t\tattributes: {\n\t\t\t\t\t\tsameSite: (config.cookieSameSite ?? \"lax\") as\n\t\t\t\t\t\t\t| \"lax\"\n\t\t\t\t\t\t\t| \"strict\"\n\t\t\t\t\t\t\t| \"none\",\n\t\t\t\t\t\tsecure:\n\t\t\t\t\t\t\tconfig.cookieSecure ?? process.env[\"NODE_ENV\"] === \"production\",\n\t\t\t\t\t\t...(config.cookieDomain ? { domain: config.cookieDomain } : {}),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tcrossSubDomainCookies: config.crossSubDomainCookies?.enabled\n\t\t\t\t? {\n\t\t\t\t\t\tenabled: true,\n\t\t\t\t\t\tdomain: config.crossSubDomainCookies.domain,\n\t\t\t\t\t}\n\t\t\t\t: undefined,\n\t\t},\n\t\tplugins,\n\t} as never) as unknown as BetterAuthInstance;\n}\n\n/**\n * Type alias for the returned auth instance — convenient for DI token\n * typings.\n */\nexport type NexusAuth = ReturnType<typeof createAuth>;\n",
5
+ "/**\n * `createAuth()` — wrap better-auth's `betterAuth()` factory with\n * NexusTS-friendly defaults.\n *\n * This is the **only** place that talks to better-auth directly. Every\n * other NexusTS auth module consumes the resulting `Auth` instance via\n * DI or the registered token.\n *\n * Why an adapter layer instead of calling `betterAuth()` directly?\n * 1. NexusTS users write `auth.config.ts`, not raw better-auth options.\n * The adapter translates between the two.\n * 2. Plugin selection (jwt, passkey) is toggled by boolean flags,\n * not by importing plugin objects.\n * 3. Cookie / CORS / cross-subdomain defaults match Hono's `cors()`\n * middleware so the two never conflict.\n *\n * Usage:\n * // src/auth/auth.ts\n * import { createAuth } from 'nexusjs/auth';\n * export const auth = createAuth({\n * basePath: '/api/auth',\n * emailAndPassword: { enabled: true },\n * socialProviders: {\n * github: {\n * clientId: process.env.GITHUB_CLIENT_ID!,\n * clientSecret: process.env.GITHUB_CLIENT_SECRET!,\n * },\n * },\n * });\n */\n\nimport { betterAuth } from \"better-auth\";\nimport type { AuthConfig } from \"./types.js\";\n\ntype BetterAuthInstance = ReturnType<typeof betterAuth>;\n\n/**\n * Create a better-auth instance with NexusTS-friendly defaults.\n *\n * @param config NexusTS-shaped config (see types.ts).\n * @returns A `better-auth` Auth instance.\n */\nexport function createAuth(config: AuthConfig = {}): BetterAuthInstance {\n\tconst secret = config.secret ?? process.env.BETTER_AUTH_SECRET;\n\tconst baseURL = config.baseUrl ?? process.env.BETTER_AUTH_URL;\n\n\tif (!secret) {\n\t\tthrow new Error(\n\t\t\t\"[nexus/auth] BETTER_AUTH_SECRET is required. \" +\n\t\t\t\t\"Generate one with `openssl rand -base64 32` and add it to .env.\",\n\t\t);\n\t}\n\tif (!baseURL) {\n\t\tthrow new Error(\n\t\t\t\"[nexus/auth] BETTER_AUTH_URL is required (e.g. http://localhost:3000).\",\n\t\t);\n\t}\n\n\tconst plugins: Array<unknown> = [];\n\n\t// JWT plugin — opt-in.\n\tif (config.jwt?.enabled) {\n\t\t// Lazy import so the plugin's transitive dependencies don't load\n\t\t// when the user hasn't asked for JWT.\n\t\t// eslint-disable-next-line @typescript-eslint/no-require-imports\n\t\tconst { jwt } = require(\"better-auth/plugins\");\n\t\tplugins.push(\n\t\t\tjwt({\n\t\t\t\tjwks: {\n\t\t\t\t\tpath: config.jwt.jwksPath ?? \"/api/auth/jwks\",\n\t\t\t\t},\n\t\t\t\tissuer: config.jwt.issuer ?? baseURL,\n\t\t\t\taudience: config.jwt.audience ?? baseURL,\n\t\t\t\texpiresIn: config.jwt.expiresIn ?? 60 * 15,\n\t\t\t}),\n\t\t);\n\t}\n\n\t// Passkey plugin — opt-in.\n\tif (config.passkey?.enabled) {\n\t\t// eslint-disable-next-line @typescript-eslint/no-require-imports\n\t\tconst { passkey } = require(\"better-auth/plugins\");\n\t\tplugins.push(\n\t\t\tpasskey({\n\t\t\t\trpName: config.passkey.rpName,\n\t\t\t\trpID: config.passkey.rpId,\n\t\t\t\torigin: config.passkey.origin,\n\t\t\t}),\n\t\t);\n\t}\n\n\treturn betterAuth({\n\t\tsecret,\n\t\tbaseURL,\n\t\tbasePath: config.basePath ?? \"/api/auth\",\n\t\temailAndPassword: {\n\t\t\tenabled: config.emailAndPassword?.enabled ?? true,\n\t\t\trequireEmailVerification:\n\t\t\t\tconfig.emailAndPassword?.requireEmailVerification ?? false,\n\t\t\tminPasswordLength: config.emailAndPassword?.minPasswordLength ?? 8,\n\t\t\tmaxPasswordLength: config.emailAndPassword?.maxPasswordLength ?? 128,\n\t\t},\n\t\tsession: {\n\t\t\texpiresIn: config.sessionExpiresInSeconds ?? 60 * 60 * 24 * 7, // 7 days\n\t\t},\n\t\tsocialProviders: config.socialProviders as never,\n\t\tadvanced: {\n\t\t\tcookies: {\n\t\t\t\tsessionToken: {\n\t\t\t\t\tattributes: {\n\t\t\t\t\t\tsameSite: (config.cookieSameSite ?? \"lax\") as\n\t\t\t\t\t\t\t| \"lax\"\n\t\t\t\t\t\t\t| \"strict\"\n\t\t\t\t\t\t\t| \"none\",\n\t\t\t\t\t\tsecure:\n\t\t\t\t\t\t\tconfig.cookieSecure ?? process.env.NODE_ENV === \"production\",\n\t\t\t\t\t\t...(config.cookieDomain ? { domain: config.cookieDomain } : {}),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tcrossSubDomainCookies: config.crossSubDomainCookies?.enabled\n\t\t\t\t? {\n\t\t\t\t\t\tenabled: true,\n\t\t\t\t\t\tdomain: config.crossSubDomainCookies.domain,\n\t\t\t\t\t}\n\t\t\t\t: undefined,\n\t\t},\n\t\tplugins,\n\t} as never) as unknown as BetterAuthInstance;\n}\n\n/**\n * Type alias for the returned auth instance — convenient for DI token\n * typings.\n */\nexport type NexusAuth = ReturnType<typeof createAuth>;\n",
6
6
  "/**\n * `AuthService` — DI-friendly wrapper around a better-auth instance.\n *\n * Why a service wrapper?\n * - Hides the raw better-auth object behind a stable NexusTS API.\n * - Exposes the high-level operations controllers need:\n * signUp, signIn, signOut, getSession, oauthUrl, jwt, passkey.\n * - Allows tests to swap the implementation via DI.\n *\n * Usage:\n * constructor(@Inject(AuthService.TOKEN) private auth: AuthService) {}\n *\n * await this.auth.signUp.email({ email, password, name });\n * const session = await this.auth.getSession({ headers: c.req.raw.headers });\n * return this.auth.redirect('/dashboard'); // 302\n */\n\nimport { Inject, Injectable } from \"@nexusts/core\";\nimport type {\n\tAuthUser,\n\tAuthSessionRecord,\n\tAuthSession,\n\tAuthConfig,\n} from \"./types.js\";\nimport { createAuth, type NexusAuth } from \"./auth.js\";\nimport type { SessionService } from \"@nexusts/session\";\n\n@Injectable()\nexport class AuthService {\n\t/** DI token — use with `@Inject(AuthService.TOKEN)`. */\n\tstatic readonly TOKEN = Symbol.for(\"nexus:AuthService\");\n\n\t/** The underlying better-auth instance. */\n\treadonly instance: NexusAuth;\n\n\t/**\n\t * Optional SessionService binding. When set, `getSession()` will\n\t * first check the SessionService's cookie before falling back to\n\t * better-auth. This enables shared session state between the two\n\t * modules (e.g. flash messages, guest cart).\n\t *\n\t * Set via `bindSession()` from a feature module's `onInit`, or via\n\t * DI when both modules are present.\n\t */\n\t#sessionService: SessionService | null = null;\n\n\tconstructor(\n\t\t@Inject(\"AUTH_CONFIG\") private readonly config: AuthConfig,\n\t) {\n\t\t// Lazy: defer construction to the first call so module-load\n\t\t// order doesn't matter.\n\t\tthis.instance = createAuth(this.config);\n\t}\n\n\t// ===========================================================================\n\t// Session integration\n\t// ===========================================================================\n\n\t/**\n\t * Bind a SessionService. When bound, `getSession()` consults the\n\t * SessionService first and falls back to better-auth. Returns `this`\n\t * for chaining.\n\t */\n\tbindSession(sessionService: SessionService): this {\n\t\tthis.#sessionService = sessionService;\n\t\treturn this;\n\t}\n\n\t/**\n\t * Returns true when a SessionService has been bound.\n\t */\n\thasSessionBinding(): boolean {\n\t\treturn this.#sessionService !== null;\n\t}\n\n\t// ===========================================================================\n\t// Session\n\t// ===========================================================================\n\n\t/**\n\t * Get the current session from a request. Returns `null` if not\n\t * authenticated.\n\t *\n\t * When a SessionService is bound, we try it first (cookie-based,\n\t * stateless, edge-friendly); better-auth remains the source of\n\t * truth for `user` / `session` records. The cookie value carries\n\t * `userId` which lets you cross-reference both systems.\n\t */\n\tasync getSession(input: { headers: Headers }): Promise<AuthSession> {\n\t\t// 1) Try SessionService (cookie-based) first.\n\t\tif (this.#sessionService) {\n\t\t\tconst cookieName = this.#sessionService.cookieName;\n\t\t\tif (cookieName) {\n\t\t\t\tconst cookieHeader = input.headers.get(\"cookie\") ?? \"\";\n\t\t\t\tconst value = parseCookie(cookieHeader, cookieName);\n\t\t\t\tif (value) {\n\t\t\t\t\tconst decoded = this.#sessionService.decodeCookie(value);\n\t\t\t\t\tif (decoded?.userId) {\n\t\t\t\t\t\t// Hydrate the user from better-auth (so the returned\n\t\t\t\t\t\t// shape matches what controllers expect).\n\t\t\t\t\t\tconst fromBetterAuth = (await this.instance.api.getSession({\n\t\t\t\t\t\t\theaders: input.headers,\n\t\t\t\t\t\t})) as AuthSession | null;\n\t\t\t\t\t\tif (fromBetterAuth?.user) {\n\t\t\t\t\t\t\treturn fromBetterAuth;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t// 2) Fallback to better-auth.\n\t\tconst result = await this.instance.api.getSession({\n\t\t\theaders: input.headers,\n\t\t});\n\t\treturn result as AuthSession;\n\t}\n\n\t/**\n\t * Read the raw SessionService record from a request (no better-auth\n\t * lookup). Returns null when no SessionService is bound or no\n\t * session is found.\n\t */\n\tasync getRawSession(input: { headers: Headers }) {\n\t\tif (!this.#sessionService) return null;\n\t\tconst cookieName = this.#sessionService.cookieName;\n\t\tif (!cookieName) return null;\n\t\tconst cookieHeader = input.headers.get(\"cookie\") ?? \"\";\n\t\tconst value = parseCookie(cookieHeader, cookieName);\n\t\tif (!value) return null;\n\t\treturn this.#sessionService.decodeCookie(value);\n\t}\n\n\t// ===========================================================================\n\t// Sign up / Sign in / Sign out\n\t// ===========================================================================\n\n\t/**\n\t * Email + password sign-up. Throws if email/password is disabled\n\t * in the auth config.\n\t */\n\tasync signUp(input: {\n\t\temail: string;\n\t\tpassword: string;\n\t\tname: string;\n\t\timage?: string;\n\t\tcallbackURL?: string;\n\t}) {\n\t\treturn this.instance.api.signUpEmail({\n\t\t\tbody: input as never,\n\t\t});\n\t}\n\n\t/** Email + password sign-in. */\n\tasync signIn(input: { email: string; password: string; callbackURL?: string }) {\n\t\treturn this.instance.api.signInEmail({\n\t\t\tbody: input as never,\n\t\t});\n\t}\n\n\t/** Sign out — invalidates the current session. */\n\tasync signOut(input: { headers: Headers }) {\n\t\treturn this.instance.api.signOut({\n\t\t\theaders: input.headers,\n\t\t});\n\t}\n\n\t// ===========================================================================\n\t// Social / OAuth\n\t// ===========================================================================\n\n\t/**\n\t * Get the URL the client should redirect to for a social sign-in.\n\t */\n\tasync getOAuthUrl(input: {\n\t\tprovider: string;\n\t\tcallbackURL?: string;\n\t}) {\n\t\treturn this.instance.api.signInSocial({\n\t\t\tbody: input as never,\n\t\t});\n\t}\n\n\t/**\n\t * Sign in / link a social account and return the user.\n\t */\n\tasync handleOAuthCallback(input: { headers: Headers; query: Record<string, string> }) {\n\t\treturn this.instance.api.signInSocial({\n\t\t\theaders: input.headers,\n\t\t\tquery: input.query,\n\t\t\tbody: {} as never,\n\t\t});\n\t}\n\n\t// ===========================================================================\n\t// JWT\n\t// ===========================================================================\n\n\t/**\n\t * Issue a JWT for the currently-authenticated user. Returns\n\t * `{ token, expiresAt }`. Requires the JWT plugin (`config.jwt.enabled`).\n\t */\n\tasync issueJwt(input: { userId: string }) {\n\t\tconst api = this.instance.api as unknown as {\n\t\t\tsignJWT?: (input: { body: { userId: string } }) => Promise<{\n\t\t\t\ttoken: string;\n\t\t\t\texpiresAt: Date;\n\t\t\t}>;\n\t\t};\n\t\tif (!api.signJWT) {\n\t\t\tthrow new Error(\n\t\t\t\t\"[nexus/auth] JWT plugin not enabled. Set `auth.jwt.enabled: true` in nx.config.ts.\",\n\t\t\t);\n\t\t}\n\t\treturn api.signJWT({ body: { userId: input.userId } });\n\t}\n\n\t// ===========================================================================\n\t// Passkey\n\t// ===========================================================================\n\n\tasync registerPasskey(input: { headers: Headers }) {\n\t\tconst api = this.instance.api as unknown as {\n\t\t\tpasskey?: {\n\t\t\t\tregister: (input: { headers: Headers }) => Promise<unknown>;\n\t\t\t};\n\t\t};\n\t\tif (!api.passkey) {\n\t\t\tthrow new Error(\n\t\t\t\t\"[nexus/auth] Passkey plugin not enabled. Set `auth.passkey.enabled: true` in nx.config.ts.\",\n\t\t\t);\n\t\t}\n\t\treturn api.passkey.register({ headers: input.headers });\n\t}\n\n\tasync authenticatePasskey(input: { headers: Headers; body: unknown }) {\n\t\tconst api = this.instance.api as unknown as {\n\t\t\tpasskey?: {\n\t\t\t\tauthenticate: (input: { headers: Headers; body: unknown }) => Promise<unknown>;\n\t\t\t};\n\t\t};\n\t\tif (!api.passkey) {\n\t\t\tthrow new Error(\"[nexus/auth] Passkey plugin not enabled.\");\n\t\t}\n\t\treturn api.passkey.authenticate({ headers: input.headers, body: input.body });\n\t}\n\n\t// ===========================================================================\n\t// Helpers\n\t// ===========================================================================\n\n\t/**\n\t * Build a redirect Response. Used by controllers that need to send\n\t * the user to a different page after sign-in / sign-up.\n\t */\n\tredirect(to: string, status: 302 | 303 | 307 | 308 = 302): Response {\n\t\treturn new Response(null, { status, headers: { Location: to } });\n\t}\n\n\t/**\n\t * Convert a session into the `AuthVariables` shape Hono expects.\n\t */\n\ttoContextVariables(session: AuthSession): {\n\t\tuser: AuthUser | null;\n\t\tsession: AuthSessionRecord | null;\n\t} {\n\t\tif (!session) return { user: null, session: null };\n\t\treturn { user: session.user, session: session.session };\n\t}\n}\n\n/**\n * Extract a single cookie value from a `Cookie` header string.\n * Tiny helper to avoid pulling in a cookie-parsing dependency.\n */\nfunction parseCookie(cookieHeader: string, name: string): string | null {\n\tif (!cookieHeader) return null;\n\tconst parts = cookieHeader.split(\";\");\n\tfor (const part of parts) {\n\t\tconst eq = part.indexOf(\"=\");\n\t\tif (eq < 0) continue;\n\t\tconst k = part.slice(0, eq).trim();\n\t\tif (k === name) {\n\t\t\treturn decodeURIComponent(part.slice(eq + 1).trim());\n\t\t}\n\t}\n\treturn null;\n}",
7
7
  "/**\n * `AuthController` — built-in controller exposing common auth endpoints.\n *\n * Mount it in any `@Module` to get a working auth API:\n *\n * @Module({\n * controllers: [AuthController],\n * providers: [AuthService],\n * })\n * export class AuthModule {}\n *\n * Endpoints (all prefixed with `config.basePath`, default `/api/auth`):\n * - GET /session → current session\n * - POST /sign-up/email → email/password registration\n * - POST /sign-in/email → email/password login\n * - POST /sign-out → invalidate session\n * - GET /sign-in/:provider → start OAuth flow\n * - GET /callback/:provider → OAuth callback\n * - POST /jwt → issue JWT (JWT plugin only)\n * - POST /passkey/register → start passkey registration\n * - POST /passkey/authenticate → complete passkey auth\n *\n * Most of the actual logic is delegated to `auth.handler` from\n * better-auth. The controller exists to make the routes visible to\n * `nx route:list` and to add NexusTS-style DI.\n */\n\nimport {\n\tBody,\n\tController,\n\tGet,\n\tInject,\n\tPost,\n\tReq,\n\tRes,\n} from \"@nexusts/core\";\nimport type { Context } from \"hono\";\nimport { AuthService } from \"./auth.service.js\";\nimport type { AuthSession } from \"./types.js\";\n\n@Controller(\"/api/auth\")\nexport class AuthController {\n\tconstructor(@Inject(AuthService.TOKEN) private readonly auth: AuthService) {}\n\n\t/**\n\t * GET /api/auth/session\n\t * Returns the current session (or null if unauthenticated).\n\t */\n\t@Get(\"/session\")\n\tasync session(@Req() c: Context) {\n\t\tconst session: AuthSession = await this.auth.getSession({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\t\treturn c.json(session ?? { user: null, session: null });\n\t}\n\n\t/**\n\t * POST /api/auth/sign-up/email\n\t * Body: { email, password, name, callbackURL? }\n\t */\n\t@Post(\"/sign-up/email\")\n\tasync signUpEmail(@Req() c: Context, @Body() body: any) {\n\t\tconst result = await this.auth.signUp(body);\n\t\treturn c.json(result, 201);\n\t}\n\n\t/**\n\t * POST /api/auth/sign-in/email\n\t * Body: { email, password, callbackURL? }\n\t */\n\t@Post(\"/sign-in/email\")\n\tasync signInEmail(@Req() c: Context, @Body() body: any) {\n\t\tconst result = await this.auth.signIn(body);\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * POST /api/auth/sign-out\n\t */\n\t@Post(\"/sign-out\")\n\tasync signOut(@Req() c: Context, @Res() _res: Response) {\n\t\tawait this.auth.signOut({ headers: c.req.raw.headers });\n\t\treturn c.json({ ok: true });\n\t}\n\n\t/**\n\t * GET /api/auth/sign-in/:provider\n\t * Returns a redirect to the social provider's auth page.\n\t */\n\t@Get(\"/sign-in/:provider\")\n\tasync socialSignIn(\n\t\t@Req() c: Context,\n\t\t@Body() _body: never,\n\t) {\n\t\tconst provider = c.req.param(\"provider\") ?? \"\";\n\t\tconst callbackURL = c.req.query(\"callbackURL\") ?? \"/\";\n\t\tconst result = await this.auth.getOAuthUrl({ provider, callbackURL });\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * GET /api/auth/callback/:provider\n\t * Social provider redirect target. The better-auth handler does the\n\t * real work; this is a passthrough for `route:list` visibility.\n\t */\n\t@Get(\"/callback/:provider\")\n\tasync oauthCallback(@Req() c: Context) {\n\t\tconst result = await this.auth.handleOAuthCallback({\n\t\t\theaders: c.req.raw.headers,\n\t\t\tquery: c.req.query() as Record<string, string>,\n\t\t});\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * POST /api/auth/jwt\n\t * Issues a JWT for the current user. Requires the JWT plugin.\n\t */\n\t@Post(\"/jwt\")\n\tasync issueJwt(@Req() c: Context) {\n\t\tconst session = await this.auth.getSession({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\t\tif (!session) return c.json({ error: \"Unauthorized\" }, 401);\n\t\tconst token = await this.auth.issueJwt({ userId: session.user.id });\n\t\treturn c.json(token);\n\t}\n\n\t/**\n\t * POST /api/auth/passkey/register\n\t * Start passkey registration. Requires the passkey plugin.\n\t */\n\t@Post(\"/passkey/register\")\n\tasync passkeyRegister(@Req() c: Context) {\n\t\tconst result = await this.auth.registerPasskey({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * POST /api/auth/passkey/authenticate\n\t * Body: passkey assertion\n\t */\n\t@Post(\"/passkey/authenticate\")\n\tasync passkeyAuthenticate(@Req() c: Context, @Body() body: any) {\n\t\tconst result = await this.auth.authenticatePasskey({\n\t\t\theaders: c.req.raw.headers,\n\t\t\tbody,\n\t\t});\n\t\treturn c.json(result);\n\t}\n}",
8
- "/**\n * `AuthModule` — drop-in module for adding auth to any NexusTS app.\n *\n * Usage:\n * // src/app/app.module.ts\n * @Module({\n * imports: [AuthModule.forRoot({ ... })],\n * })\n * export class AppModule {}\n *\n * The `forRoot` static factory builds a one-off `AuthModule` subclass\n * pre-configured with the user's `auth` config. The provider token\n * `'AUTH_CONFIG'` carries the config to the `AuthService` constructor.\n *\n * AuthService is registered under **both** its class token and\n * `AuthService.TOKEN` (a Symbol). The class token is what the\n * container scans; the Symbol is what `@Inject(AuthService.TOKEN)`\n * looks up. Both resolve to the same instance via `useExisting`.\n */\n\nimport \"reflect-metadata\";\nimport { Module } from \"@nexusts/core\";\nimport { AuthController } from \"./auth.controller.js\";\nimport { AuthService } from \"./auth.service.js\";\nimport type { AuthConfig } from \"./types.js\";\n\n@Module({\n\tcontrollers: [AuthController],\n\tproviders: [\n\t\tAuthService,\n\t\t{ provide: AuthService.TOKEN, useExisting: AuthService },\n\t],\n\texports: [AuthService, AuthService.TOKEN],\n})\nexport class AuthModule {\n\t/**\n\t * Build a configured `AuthModule` class with the given config.\n\t *\n\t * The returned class can be `imports`-ed by any other module and\n\t * will provide the `AuthService` (and a `AUTH_CONFIG` value\n\t * provider) to its container.\n\t */\n\tstatic forRoot(config: AuthConfig) {\n\t\t@Module({\n\t\t\tcontrollers: [AuthController],\n\t\t\tproviders: [\n\t\t\t\tAuthService,\n\t\t\t\t{ provide: AuthService.TOKEN, useExisting: AuthService },\n\t\t\t\t{ provide: \"AUTH_CONFIG\", useValue: config },\n\t\t\t],\n\t\t\texports: [AuthService, AuthService.TOKEN],\n\t\t})\n\t\tclass ConfiguredAuthModule {}\n\n\t\t// Tag the dynamic class so the user can see where it came from.\n\t\tObject.defineProperty(ConfiguredAuthModule, \"name\", {\n\t\t\tvalue: \"ConfiguredAuthModule\",\n\t\t});\n\n\t\treturn ConfiguredAuthModule;\n\t}\n}\n",
9
- "/**\n * `authMiddleware` — populate `c.var.user` and `c.var.session` on\n * every request, optionally enforcing a \"must be logged in\" policy.\n *\n * This is a Hono middleware that wraps better-auth's `getSession`.\n * It runs after the better-auth handler has set its own cookies, so\n * subsequent reads are cheap (a single DB lookup).\n *\n * Three modes:\n * - optional → always allow; populate user/session if present\n * - required → 401 if no user\n * - scoped → require user only for paths matching a regex\n *\n * Usage:\n * import { authMiddleware } from 'nexusjs/auth';\n * app.use('*', authMiddleware(auth, { mode: 'optional' }));\n * app.use('/api/*', authMiddleware(auth, { mode: 'required' }));\n */\n\nimport type { Context, MiddlewareHandler, Next } from \"hono\";\nimport type { Auth } from \"better-auth\";\nimport type { AuthVariables } from \"./types.js\";\n\nexport type AuthMiddlewareMode = \"optional\" | \"required\" | \"scoped\";\n\nexport interface AuthMiddlewareOptions {\n\t/** Auth mode. Default: `'optional'`. */\n\tmode?: AuthMiddlewareMode;\n\t/** Path matcher (only used in `'scoped'` mode). */\n\tscope?: RegExp;\n\t/** Path matcher for `'scoped'` mode's protected set. */\n\tprotectedPaths?: RegExp | RegExp[];\n\t/** Path matcher for paths that should be skipped entirely. */\n\tignoredPaths?: RegExp | RegExp[];\n\t/** Customize the 401 response. */\n\tonUnauthenticated?: (c: Context) => Response | Promise<Response>;\n\t/** Customize the 403 response when a scope check fails. */\n\tonForbidden?: (c: Context) => Response | Promise<Response>;\n}\n\nexport function authMiddleware(\n\tauth: Auth,\n\toptions: AuthMiddlewareOptions = {},\n): MiddlewareHandler<{ Variables: AuthVariables }> {\n\tconst {\n\t\tmode = \"optional\",\n\t\tscope,\n\t\tprotectedPaths,\n\t\tignoredPaths,\n\t\tonUnauthenticated = defaultUnauthenticated,\n\t\tonForbidden = defaultForbidden,\n\t} = options;\n\n\tconst ignored = toMatcher(ignoredPaths);\n\tconst protected_ =\n\t\tmode === \"scoped\"\n\t\t\t? toMatcher(scope ?? protectedPaths ?? /^\\/.+/) // everything\n\t\t\t: null;\n\n\treturn async (c, next) => {\n\t\tconst path = c.req.path;\n\n\t\t// Skip ignored paths entirely (e.g. health checks).\n\t\tif (ignored?.test(path)) {\n\t\t\treturn next();\n\t\t}\n\n\t\t// Populate the session.\n\t\tconst session = await auth.api.getSession({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\n\t\tif (session) {\n\t\t\tc.set(\"user\", session.user as never);\n\t\t\tc.set(\"session\", session.session as never);\n\t\t} else {\n\t\t\tc.set(\"user\", null);\n\t\t\tc.set(\"session\", null);\n\t\t}\n\n\t\t// Apply mode.\n\t\tif (mode === \"required\" || (protected_?.test(path) && session === null)) {\n\t\t\tif (session === null) return onUnauthenticated(c);\n\t\t}\n\n\t\t// Scope-based forbidden check (e.g. \"user must have a specific role\").\n\t\t// Skipped here — the route handler can call `requireRole(...)` itself.\n\n\t\treturn next();\n\t};\n}\n\nfunction toMatcher(input?: RegExp | RegExp[]): RegExp | null {\n\tif (!input) return null;\n\tif (Array.isArray(input)) {\n\t\treturn new RegExp(input.map((r) => `(?:${r.source})`).join(\"|\"));\n\t}\n\treturn input;\n}\n\nfunction defaultUnauthenticated(c: Context): Response {\n\treturn c.json(\n\t\t{ error: \"Unauthorized\", message: \"Authentication required.\" },\n\t\t401,\n\t);\n}\n\nfunction defaultForbidden(c: Context): Response {\n\treturn c.json(\n\t\t{ error: \"Forbidden\", message: \"Insufficient permissions.\" },\n\t\t403,\n\t);\n}\n\n/**\n * `authHandler` — mount better-auth's catch-all handler at a path.\n *\n * Use this instead of writing the `app.on(['POST', 'GET'], path, ...)`\n * boilerplate yourself.\n *\n * app.use('/api/auth/*', cors({ ... }));\n * app.all('/api/auth/*', authHandler(auth));\n */\nexport function authHandler(auth: Auth): MiddlewareHandler {\n\treturn async (c) => auth.handler(c.req.raw);\n}\n",
10
- "/**\n * `@CurrentUser()` — controller parameter decorator that injects the\n * authenticated user (and optionally the session) into a handler.\n *\n * Usage:\n * @Get('/me')\n * me(@CurrentUser() user: AuthUser) {\n * return user;\n * }\n *\n * @Get('/profile')\n * profile(@CurrentUser({ session: true }) ctx: { user: AuthUser; session: AuthSessionRecord }) {\n * return ctx;\n * }\n *\n * @Get('/dashboard')\n * dashboard(@CurrentUser({ required: true }) user: AuthUser) {\n * // 401 is thrown before the handler if no user is present.\n * return this.dashboardService.forUser(user.id);\n * }\n */\n\nimport \"reflect-metadata\";\nimport { createParamDecorator } from \"@nexusts/core\";\nimport { PARAM_TYPES } from \"@nexusts/core\";\nimport type { AuthUser, AuthSessionRecord } from \"../types.js\";\n\nexport interface CurrentUserOptions {\n\t/**\n\t * Include the session in the injected value. Default: `false`.\n\t * When true, the value is `{ user, session }` instead of just the user.\n\t */\n\tsession?: boolean;\n\t/**\n\t * Throw 401 if no user is present. Default: `false`.\n\t * When true, the framework returns a 401 response without invoking\n\t * the handler.\n\t */\n\trequired?: boolean;\n\t/**\n\t * Throw 403 if the user does not satisfy the predicate.\n\t */\n\tassert?: (user: AuthUser) => boolean | Promise<boolean>;\n}\n\n/**\n * Inject the authenticated user (or `{ user, session }` if `session: true`).\n */\nexport function CurrentUser(\n\toptions: CurrentUserOptions = {},\n): ParameterDecorator {\n\treturn createParamDecorator(PARAM_TYPES.USER, options as never);\n}\n\n/**\n * Convenience: throw 401 with a JSON body when no user is present.\n * Exposed for users who want to enforce auth inside the handler.\n */\nexport class UnauthenticatedError extends Error {\n\treadonly status = 401;\n\tconstructor(message = \"Authentication required.\") {\n\t\tsuper(message);\n\t\tthis.name = \"UnauthenticatedError\";\n\t}\n}\n\nexport class ForbiddenError extends Error {\n\treadonly status = 403;\n\tconstructor(message = \"Insufficient permissions.\") {\n\t\tsuper(message);\n\t\tthis.name = \"ForbiddenError\";\n\t}\n}\n\n// Re-export session record type for convenience.\nexport type { AuthSessionRecord as AuthSession };\n"
8
+ "/**\n * `AuthModule` — drop-in module for adding auth to any NexusTS app.\n *\n * Usage:\n * // src/app/app.module.ts\n * @Module({\n * imports: [AuthModule.forRoot({ ... })],\n * })\n * export class AppModule {}\n *\n * The `forRoot` static factory builds a one-off `AuthModule` subclass\n * pre-configured with the user's `auth` config. The provider token\n * `'AUTH_CONFIG'` carries the config to the `AuthService` constructor.\n *\n * AuthService is registered under **both** its class token and\n * `AuthService.TOKEN` (a Symbol). The class token is what the\n * container scans; the Symbol is what `@Inject(AuthService.TOKEN)`\n * looks up. Both resolve to the same instance via `useExisting`.\n */\n\nimport { Module } from \"@nexusts/core\";\nimport { AuthController } from \"./auth.controller.js\";\nimport { AuthService } from \"./auth.service.js\";\nimport type { AuthConfig } from \"./types.js\";\nimport { safeGetMeta, safeDefineMeta, safeHasMeta } from \"@nexusts/core/di/safe-reflect\";\n\n@Module({\n\tcontrollers: [AuthController],\n\tproviders: [\n\t\tAuthService,\n\t\t{ provide: AuthService.TOKEN, useExisting: AuthService },\n\t],\n\texports: [AuthService, AuthService.TOKEN],\n})\nexport class AuthModule {\n\t/**\n\t * Build a configured `AuthModule` class with the given config.\n\t *\n\t * The returned class can be `imports`-ed by any other module and\n\t * will provide the `AuthService` (and a `AUTH_CONFIG` value\n\t * provider) to its container.\n\t */\n\tstatic forRoot(config: AuthConfig) {\n\t\t@Module({\n\t\t\tcontrollers: [AuthController],\n\t\t\tproviders: [\n\t\t\t\tAuthService,\n\t\t\t\t{ provide: AuthService.TOKEN, useExisting: AuthService },\n\t\t\t\t{ provide: \"AUTH_CONFIG\", useValue: config },\n\t\t\t],\n\t\t\texports: [AuthService, AuthService.TOKEN],\n\t\t})\n\t\tclass ConfiguredAuthModule {}\n\n\t\t// Tag the dynamic class so the user can see where it came from.\n\t\tObject.defineProperty(ConfiguredAuthModule, \"name\", {\n\t\t\tvalue: \"ConfiguredAuthModule\",\n\t\t});\n\n\t\treturn ConfiguredAuthModule;\n\t}\n}\n",
9
+ "/**\n * `authMiddleware` — populate `c.var.user` and `c.var.session` on\n * every request, optionally enforcing a \"must be logged in\" policy.\n *\n * This is a Hono middleware that wraps better-auth's `getSession`.\n * It runs after the better-auth handler has set its own cookies, so\n * subsequent reads are cheap (a single DB lookup).\n *\n * Three modes:\n * - optional → always allow; populate user/session if present\n * - required → 401 if no user\n * - scoped → require user only for paths matching a regex\n *\n * Usage:\n * import { authMiddleware } from 'nexusjs/auth';\n * app.use('*', authMiddleware(auth, { mode: 'optional' }));\n * app.use('/api/*', authMiddleware(auth, { mode: 'required' }));\n */\n\nimport type { Auth } from \"better-auth\";\nimport type { Context, MiddlewareHandler, } from \"hono\";\nimport type { AuthVariables } from \"./types.js\";\n\nexport type AuthMiddlewareMode = \"optional\" | \"required\" | \"scoped\";\n\nexport interface AuthMiddlewareOptions {\n\t/** Auth mode. Default: `'optional'`. */\n\tmode?: AuthMiddlewareMode;\n\t/** Path matcher (only used in `'scoped'` mode). */\n\tscope?: RegExp;\n\t/** Path matcher for `'scoped'` mode's protected set. */\n\tprotectedPaths?: RegExp | RegExp[];\n\t/** Path matcher for paths that should be skipped entirely. */\n\tignoredPaths?: RegExp | RegExp[];\n\t/** Customize the 401 response. */\n\tonUnauthenticated?: (c: Context) => Response | Promise<Response>;\n\t/** Customize the 403 response when a scope check fails. */\n\tonForbidden?: (c: Context) => Response | Promise<Response>;\n}\n\nexport function authMiddleware(\n\tauth: Auth,\n\toptions: AuthMiddlewareOptions = {},\n): MiddlewareHandler<{ Variables: AuthVariables }> {\n\tconst {\n\t\tmode = \"optional\",\n\t\tscope,\n\t\tprotectedPaths,\n\t\tignoredPaths,\n\t\tonUnauthenticated = defaultUnauthenticated,\n\t} = options;\n\n\tconst ignored = toMatcher(ignoredPaths);\n\tconst protected_ =\n\t\tmode === \"scoped\"\n\t\t\t? toMatcher(scope ?? protectedPaths ?? /^\\/.+/) // everything\n\t\t\t: null;\n\n\treturn async (c, next) => {\n\t\tconst path = c.req.path;\n\n\t\t// Skip ignored paths entirely (e.g. health checks).\n\t\tif (ignored?.test(path)) {\n\t\t\treturn next();\n\t\t}\n\n\t\t// Populate the session.\n\t\tconst session = await auth.api.getSession({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\n\t\tif (session) {\n\t\t\tc.set(\"user\", session.user as never);\n\t\t\tc.set(\"session\", session.session as never);\n\t\t} else {\n\t\t\tc.set(\"user\", null);\n\t\t\tc.set(\"session\", null);\n\t\t}\n\n\t\t// Apply mode.\n\t\tif (mode === \"required\" || (protected_?.test(path) && session === null)) {\n\t\t\tif (session === null) return onUnauthenticated(c);\n\t\t}\n\n\t\t// Scope-based forbidden check (e.g. \"user must have a specific role\").\n\t\t// Skipped here — the route handler can call `requireRole(...)` itself.\n\n\t\treturn next();\n\t};\n}\n\nfunction toMatcher(input?: RegExp | RegExp[]): RegExp | null {\n\tif (!input) return null;\n\tif (Array.isArray(input)) {\n\t\treturn new RegExp(input.map((r) => `(?:${r.source})`).join(\"|\"));\n\t}\n\treturn input;\n}\n\nfunction defaultUnauthenticated(c: Context): Response {\n\treturn c.json(\n\t\t{ error: \"Unauthorized\", message: \"Authentication required.\" },\n\t\t401,\n\t);\n}\n\n/**\n * `authHandler` — mount better-auth's catch-all handler at a path.\n *\n * Use this instead of writing the `app.on(['POST', 'GET'], path, ...)`\n * boilerplate yourself.\n *\n * app.use('/api/auth/*', cors({ ... }));\n * app.all('/api/auth/*', authHandler(auth));\n */\nexport function authHandler(auth: Auth): MiddlewareHandler {\n\treturn async (c) => auth.handler(c.req.raw);\n}\n",
10
+ "/**\n * `@CurrentUser()` — controller parameter decorator that injects the\n * authenticated user (and optionally the session) into a handler.\n *\n * Usage:\n * @Get('/me')\n * me(@CurrentUser() user: AuthUser) {\n * return user;\n * }\n *\n * @Get('/profile')\n * profile(@CurrentUser({ session: true }) ctx: { user: AuthUser; session: AuthSessionRecord }) {\n * return ctx;\n * }\n *\n * @Get('/dashboard')\n * dashboard(@CurrentUser({ required: true }) user: AuthUser) {\n * // 401 is thrown before the handler if no user is present.\n * return this.dashboardService.forUser(user.id);\n * }\n */\n\nimport { createParamDecorator } from \"@nexusts/core\";\nimport { PARAM_TYPES } from \"@nexusts/core\";\nimport type { AuthUser, AuthSessionRecord } from \"../types.js\";\nimport { safeGetMeta, safeDefineMeta, safeHasMeta } from \"@nexusts/core/di/safe-reflect\";\n\nexport interface CurrentUserOptions {\n\t/**\n\t * Include the session in the injected value. Default: `false`.\n\t * When true, the value is `{ user, session }` instead of just the user.\n\t */\n\tsession?: boolean;\n\t/**\n\t * Throw 401 if no user is present. Default: `false`.\n\t * When true, the framework returns a 401 response without invoking\n\t * the handler.\n\t */\n\trequired?: boolean;\n\t/**\n\t * Throw 403 if the user does not satisfy the predicate.\n\t */\n\tassert?: (user: AuthUser) => boolean | Promise<boolean>;\n}\n\n/**\n * Inject the authenticated user (or `{ user, session }` if `session: true`).\n */\nexport function CurrentUser(\n\toptions: CurrentUserOptions = {},\n): ParameterDecorator {\n\treturn createParamDecorator(PARAM_TYPES.USER, options as never);\n}\n\n/**\n * Convenience: throw 401 with a JSON body when no user is present.\n * Exposed for users who want to enforce auth inside the handler.\n */\nexport class UnauthenticatedError extends Error {\n\treadonly status = 401;\n\tconstructor(message = \"Authentication required.\") {\n\t\tsuper(message);\n\t\tthis.name = \"UnauthenticatedError\";\n\t}\n}\n\nexport class ForbiddenError extends Error {\n\treadonly status = 403;\n\tconstructor(message = \"Insufficient permissions.\") {\n\t\tsuper(message);\n\t\tthis.name = \"ForbiddenError\";\n\t}\n}\n\n// Re-export session record type for convenience.\nexport type { AuthSessionRecord as AuthSession };\n"
11
11
  ],
12
- "mappings": ";;;;;;;;;;;;;;;;;;AA+BA;AAWO,SAAS,UAAU,CAAC,SAAqB,CAAC,GAAuB;AAAA,EACvE,MAAM,SAAS,OAAO,UAAU,QAAQ,IAAI;AAAA,EAC5C,MAAM,UAAU,OAAO,WAAW,QAAQ,IAAI;AAAA,EAE9C,IAAI,CAAC,QAAQ;AAAA,IACZ,MAAM,IAAI,MACT,kDACC,iEACF;AAAA,EACD;AAAA,EACA,IAAI,CAAC,SAAS;AAAA,IACb,MAAM,IAAI,MACT,wEACD;AAAA,EACD;AAAA,EAEA,MAAM,UAA0B,CAAC;AAAA,EAGjC,IAAI,OAAO,KAAK,SAAS;AAAA,IAIxB,QAAQ;AAAA,IACR,QAAQ,KACP,IAAI;AAAA,MACH,MAAM;AAAA,QACL,MAAM,OAAO,IAAI,YAAY;AAAA,MAC9B;AAAA,MACA,QAAQ,OAAO,IAAI,UAAU;AAAA,MAC7B,UAAU,OAAO,IAAI,YAAY;AAAA,MACjC,WAAW,OAAO,IAAI,aAAa,KAAK;AAAA,IACzC,CAAC,CACF;AAAA,EACD;AAAA,EAGA,IAAI,OAAO,SAAS,SAAS;AAAA,IAE5B,QAAQ;AAAA,IACR,QAAQ,KACP,QAAQ;AAAA,MACP,QAAQ,OAAO,QAAQ;AAAA,MACvB,MAAM,OAAO,QAAQ;AAAA,MACrB,QAAQ,OAAO,QAAQ;AAAA,IACxB,CAAC,CACF;AAAA,EACD;AAAA,EAEA,OAAO,WAAW;AAAA,IACjB;AAAA,IACA;AAAA,IACA,UAAU,OAAO,YAAY;AAAA,IAC7B,kBAAkB;AAAA,MACjB,SAAS,OAAO,kBAAkB,WAAW;AAAA,MAC7C,0BACC,OAAO,kBAAkB,4BAA4B;AAAA,MACtD,mBAAmB,OAAO,kBAAkB,qBAAqB;AAAA,MACjE,mBAAmB,OAAO,kBAAkB,qBAAqB;AAAA,IAClE;AAAA,IACA,SAAS;AAAA,MACR,WAAW,OAAO,2BAA2B,KAAK,KAAK,KAAK;AAAA,IAC7D;AAAA,IACA,iBAAiB,OAAO;AAAA,IACxB,UAAU;AAAA,MACT,SAAS;AAAA,QACR,cAAc;AAAA,UACb,YAAY;AAAA,YACX,UAAW,OAAO,kBAAkB;AAAA,YAIpC,QACC,OAAO,gBAAgB,QAAQ,IAAI,gBAAgB;AAAA,eAChD,OAAO,eAAe,EAAE,QAAQ,OAAO,aAAa,IAAI,CAAC;AAAA,UAC9D;AAAA,QACD;AAAA,MACD;AAAA,MACA,uBAAuB,OAAO,uBAAuB,UAClD;AAAA,QACA,SAAS;AAAA,QACT,QAAQ,OAAO,sBAAsB;AAAA,MACtC,IACC;AAAA,IACJ;AAAA,IACA;AAAA,EACD,CAAU;AAAA;;AC/GX;AAWO,MAAM,YAAY;AAAA,EAmBiB;AAAA,SAjBzB,QAAQ,OAAO,IAAI,mBAAmB;AAAA,EAG7C;AAAA,EAWT,kBAAyC;AAAA,EAEzC,WAAW,CAC8B,QACvC;AAAA,IADuC;AAAA,IAIxC,KAAK,WAAW,WAAW,KAAK,MAAM;AAAA;AAAA,EAYvC,WAAW,CAAC,gBAAsC;AAAA,IACjD,KAAK,kBAAkB;AAAA,IACvB,OAAO;AAAA;AAAA,EAMR,iBAAiB,GAAY;AAAA,IAC5B,OAAO,KAAK,oBAAoB;AAAA;AAAA,OAgB3B,WAAU,CAAC,OAAmD;AAAA,IAEnE,IAAI,KAAK,iBAAiB;AAAA,MACzB,MAAM,aAAa,KAAK,gBAAgB;AAAA,MACxC,IAAI,YAAY;AAAA,QACf,MAAM,eAAe,MAAM,QAAQ,IAAI,QAAQ,KAAK;AAAA,QACpD,MAAM,QAAQ,YAAY,cAAc,UAAU;AAAA,QAClD,IAAI,OAAO;AAAA,UACV,MAAM,UAAU,KAAK,gBAAgB,aAAa,KAAK;AAAA,UACvD,IAAI,SAAS,QAAQ;AAAA,YAGpB,MAAM,iBAAkB,MAAM,KAAK,SAAS,IAAI,WAAW;AAAA,cAC1D,SAAS,MAAM;AAAA,YAChB,CAAC;AAAA,YACD,IAAI,gBAAgB,MAAM;AAAA,cACzB,OAAO;AAAA,YACR;AAAA,UACD;AAAA,QACD;AAAA,MACD;AAAA,IACD;AAAA,IAGA,MAAM,SAAS,MAAM,KAAK,SAAS,IAAI,WAAW;AAAA,MACjD,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA,IACD,OAAO;AAAA;AAAA,OAQF,cAAa,CAAC,OAA6B;AAAA,IAChD,IAAI,CAAC,KAAK;AAAA,MAAiB,OAAO;AAAA,IAClC,MAAM,aAAa,KAAK,gBAAgB;AAAA,IACxC,IAAI,CAAC;AAAA,MAAY,OAAO;AAAA,IACxB,MAAM,eAAe,MAAM,QAAQ,IAAI,QAAQ,KAAK;AAAA,IACpD,MAAM,QAAQ,YAAY,cAAc,UAAU;AAAA,IAClD,IAAI,CAAC;AAAA,MAAO,OAAO;AAAA,IACnB,OAAO,KAAK,gBAAgB,aAAa,KAAK;AAAA;AAAA,OAWzC,OAAM,CAAC,OAMV;AAAA,IACF,OAAO,KAAK,SAAS,IAAI,YAAY;AAAA,MACpC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAII,OAAM,CAAC,OAAkE;AAAA,IAC9E,OAAO,KAAK,SAAS,IAAI,YAAY;AAAA,MACpC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAII,QAAO,CAAC,OAA6B;AAAA,IAC1C,OAAO,KAAK,SAAS,IAAI,QAAQ;AAAA,MAChC,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA;AAAA,OAUI,YAAW,CAAC,OAGf;AAAA,IACF,OAAO,KAAK,SAAS,IAAI,aAAa;AAAA,MACrC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAMI,oBAAmB,CAAC,OAA4D;AAAA,IACrF,OAAO,KAAK,SAAS,IAAI,aAAa;AAAA,MACrC,SAAS,MAAM;AAAA,MACf,OAAO,MAAM;AAAA,MACb,MAAM,CAAC;AAAA,IACR,CAAC;AAAA;AAAA,OAWI,SAAQ,CAAC,OAA2B;AAAA,IACzC,MAAM,MAAM,KAAK,SAAS;AAAA,IAM1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MACT,oFACD;AAAA,IACD;AAAA,IACA,OAAO,IAAI,QAAQ,EAAE,MAAM,EAAE,QAAQ,MAAM,OAAO,EAAE,CAAC;AAAA;AAAA,OAOhD,gBAAe,CAAC,OAA6B;AAAA,IAClD,MAAM,MAAM,KAAK,SAAS;AAAA,IAK1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MACT,4FACD;AAAA,IACD;AAAA,IACA,OAAO,IAAI,QAAQ,SAAS,EAAE,SAAS,MAAM,QAAQ,CAAC;AAAA;AAAA,OAGjD,oBAAmB,CAAC,OAA4C;AAAA,IACrE,MAAM,MAAM,KAAK,SAAS;AAAA,IAK1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MAAM,0CAA0C;AAAA,IAC3D;AAAA,IACA,OAAO,IAAI,QAAQ,aAAa,EAAE,SAAS,MAAM,SAAS,MAAM,MAAM,KAAK,CAAC;AAAA;AAAA,EAW7E,QAAQ,CAAC,IAAY,SAAgC,KAAe;AAAA,IACnE,OAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,SAAS,EAAE,UAAU,GAAG,EAAE,CAAC;AAAA;AAAA,EAMhE,kBAAkB,CAAC,SAGjB;AAAA,IACD,IAAI,CAAC;AAAA,MAAS,OAAO,EAAE,MAAM,MAAM,SAAS,KAAK;AAAA,IACjD,OAAO,EAAE,MAAM,QAAQ,MAAM,SAAS,QAAQ,QAAQ;AAAA;AAExD;AAjPa,cAAN;AAAA,EADN,WAAW;AAAA,EAoBT,kCAAO,aAAa;AAAA,EAnBhB;AAAA;AAAA;AAAA,GAAM;AAuPb,SAAS,WAAW,CAAC,cAAsB,MAA6B;AAAA,EACvE,IAAI,CAAC;AAAA,IAAc,OAAO;AAAA,EAC1B,MAAM,QAAQ,aAAa,MAAM,GAAG;AAAA,EACpC,WAAW,QAAQ,OAAO;AAAA,IACzB,MAAM,KAAK,KAAK,QAAQ,GAAG;AAAA,IAC3B,IAAI,KAAK;AAAA,MAAG;AAAA,IACZ,MAAM,IAAI,KAAK,MAAM,GAAG,EAAE,EAAE,KAAK;AAAA,IACjC,IAAI,MAAM,MAAM;AAAA,MACf,OAAO,mBAAmB,KAAK,MAAM,KAAK,CAAC,EAAE,KAAK,CAAC;AAAA,IACpD;AAAA,EACD;AAAA,EACA,OAAO;AAAA;;ACnQR;AAAA;AAAA;AAAA;AAAA,YAIC;AAAA;AAAA;AAAA;AAAA;AAUM,MAAM,eAAe;AAAA,EAC6B;AAAA,EAAxD,WAAW,CAA6C,MAAmB;AAAA,IAAnB;AAAA;AAAA,OAOlD,QAAO,CAAQ,GAAY;AAAA,IAChC,MAAM,UAAuB,MAAM,KAAK,KAAK,WAAW;AAAA,MACvD,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,MAAM,SAAS,KAAK,CAAC;AAAA;AAAA,OAQjD,YAAW,CAAQ,GAAoB,MAAW;AAAA,IACvD,MAAM,SAAS,MAAM,KAAK,KAAK,OAAO,IAAI;AAAA,IAC1C,OAAO,EAAE,KAAK,QAAQ,GAAG;AAAA;AAAA,OAQpB,YAAW,CAAQ,GAAoB,MAAW;AAAA,IACvD,MAAM,SAAS,MAAM,KAAK,KAAK,OAAO,IAAI;AAAA,IAC1C,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAOf,QAAO,CAAQ,GAAmB,MAAgB;AAAA,IACvD,MAAM,KAAK,KAAK,QAAQ,EAAE,SAAS,EAAE,IAAI,IAAI,QAAQ,CAAC;AAAA,IACtD,OAAO,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC;AAAA;AAAA,OAQrB,aAAY,CACV,GACC,OACP;AAAA,IACD,MAAM,WAAW,EAAE,IAAI,MAAM,UAAU,KAAK;AAAA,IAC5C,MAAM,cAAc,EAAE,IAAI,MAAM,aAAa,KAAK;AAAA,IAClD,MAAM,SAAS,MAAM,KAAK,KAAK,YAAY,EAAE,UAAU,YAAY,CAAC;AAAA,IACpE,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OASf,cAAa,CAAQ,GAAY;AAAA,IACtC,MAAM,SAAS,MAAM,KAAK,KAAK,oBAAoB;AAAA,MAClD,SAAS,EAAE,IAAI,IAAI;AAAA,MACnB,OAAO,EAAE,IAAI,MAAM;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAQf,SAAQ,CAAQ,GAAY;AAAA,IACjC,MAAM,UAAU,MAAM,KAAK,KAAK,WAAW;AAAA,MAC1C,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,IAAI,CAAC;AAAA,MAAS,OAAO,EAAE,KAAK,EAAE,OAAO,eAAe,GAAG,GAAG;AAAA,IAC1D,MAAM,QAAQ,MAAM,KAAK,KAAK,SAAS,EAAE,QAAQ,QAAQ,KAAK,GAAG,CAAC;AAAA,IAClE,OAAO,EAAE,KAAK,KAAK;AAAA;AAAA,OAQd,gBAAe,CAAQ,GAAY;AAAA,IACxC,MAAM,SAAS,MAAM,KAAK,KAAK,gBAAgB;AAAA,MAC9C,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAQf,oBAAmB,CAAQ,GAAoB,MAAW;AAAA,IAC/D,MAAM,SAAS,MAAM,KAAK,KAAK,oBAAoB;AAAA,MAClD,SAAS,EAAE,IAAI,IAAI;AAAA,MACnB;AAAA,IACD,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAEtB;AAvGO;AAAA,EADL,IAAI,UAAU;AAAA,EACA,+BAAI;AAAA,EAAb;AAAA;AAAA;AAAA;AAAA;AAAA,GARM,eAQN;AAYA;AAAA,EADL,KAAK,gBAAgB;AAAA,EACH,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAArC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GApBM,eAoBN;AAUA;AAAA,EADL,KAAK,gBAAgB;AAAA,EACH,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAArC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GA9BM,eA8BN;AASA;AAAA,EADL,KAAK,WAAW;AAAA,EACF,+BAAI;AAAA,EAAe,+BAAI;AAAA,EAAhC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAvCM,eAuCN;AAUA;AAAA,EADL,IAAI,oBAAoB;AAAA,EAEvB,+BAAI;AAAA,EACJ,gCAAK;AAAA,EAFD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAjDM,eAiDN;AAgBA;AAAA,EADL,IAAI,qBAAqB;AAAA,EACL,+BAAI;AAAA,EAAnB;AAAA;AAAA;AAAA;AAAA;AAAA,GAjEM,eAiEN;AAaA;AAAA,EADL,KAAK,MAAM;AAAA,EACI,+BAAI;AAAA,EAAd;AAAA;AAAA;AAAA;AAAA;AAAA,GA9EM,eA8EN;AAcA;AAAA,EADL,KAAK,mBAAmB;AAAA,EACF,+BAAI;AAAA,EAArB;AAAA;AAAA;AAAA;AAAA;AAAA,GA5FM,eA4FN;AAYA;AAAA,EADL,KAAK,uBAAuB;AAAA,EACF,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAA7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAxGM,eAwGN;AAxGM,iBAAN;AAAA,EADN,WAAW,WAAW;AAAA,EAET,mCAAO,YAAY,KAAK;AAAA,EAD/B;AAAA;AAAA;AAAA,GAAM;;ACrBb;AACA;AAaO,MAAM,WAAW;AAAA,SAQhB,OAAO,CAAC,QAAoB;AAAA,IAUlC,MAAM,qBAAqB;AAAA,IAAC;AAAA,IAAtB,uBAAN;AAAA,MATC,OAAO;AAAA,QACP,aAAa,CAAC,cAAc;AAAA,QAC5B,WAAW;AAAA,UACV;AAAA,UACA,EAAE,SAAS,YAAY,OAAO,aAAa,YAAY;AAAA,UACvD,EAAE,SAAS,eAAe,UAAU,OAAO;AAAA,QAC5C;AAAA,QACA,SAAS,CAAC,aAAa,YAAY,KAAK;AAAA,MACzC,CAAC;AAAA,OACK;AAAA,IAGN,OAAO,eAAe,sBAAsB,QAAQ;AAAA,MACnD,OAAO;AAAA,IACR,CAAC;AAAA,IAED,OAAO;AAAA;AAET;AA3Ba,aAAN;AAAA,EARN,OAAO;AAAA,IACP,aAAa,CAAC,cAAc;AAAA,IAC5B,WAAW;AAAA,MACV;AAAA,MACA,EAAE,SAAS,YAAY,OAAO,aAAa,YAAY;AAAA,IACxD;AAAA,IACA,SAAS,CAAC,aAAa,YAAY,KAAK;AAAA,EACzC,CAAC;AAAA,GACY;;ACMN,SAAS,cAAc,CAC7B,MACA,UAAiC,CAAC,GACgB;AAAA,EAClD;AAAA,IACC,OAAO;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,IACA,oBAAoB;AAAA,IACpB,cAAc;AAAA,MACX;AAAA,EAEJ,MAAM,UAAU,UAAU,YAAY;AAAA,EACtC,MAAM,aACL,SAAS,WACN,UAAU,SAAS,kBAAkB,OAAO,IAC5C;AAAA,EAEJ,OAAO,OAAO,GAAG,SAAS;AAAA,IACzB,MAAM,OAAO,EAAE,IAAI;AAAA,IAGnB,IAAI,SAAS,KAAK,IAAI,GAAG;AAAA,MACxB,OAAO,KAAK;AAAA,IACb;AAAA,IAGA,MAAM,UAAU,MAAM,KAAK,IAAI,WAAW;AAAA,MACzC,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IAED,IAAI,SAAS;AAAA,MACZ,EAAE,IAAI,QAAQ,QAAQ,IAAa;AAAA,MACnC,EAAE,IAAI,WAAW,QAAQ,OAAgB;AAAA,IAC1C,EAAO;AAAA,MACN,EAAE,IAAI,QAAQ,IAAI;AAAA,MAClB,EAAE,IAAI,WAAW,IAAI;AAAA;AAAA,IAItB,IAAI,SAAS,cAAe,YAAY,KAAK,IAAI,KAAK,YAAY,MAAO;AAAA,MACxE,IAAI,YAAY;AAAA,QAAM,OAAO,kBAAkB,CAAC;AAAA,IACjD;AAAA,IAKA,OAAO,KAAK;AAAA;AAAA;AAId,SAAS,SAAS,CAAC,OAA0C;AAAA,EAC5D,IAAI,CAAC;AAAA,IAAO,OAAO;AAAA,EACnB,IAAI,MAAM,QAAQ,KAAK,GAAG;AAAA,IACzB,OAAO,IAAI,OAAO,MAAM,IAAI,CAAC,MAAM,MAAM,EAAE,SAAS,EAAE,KAAK,GAAG,CAAC;AAAA,EAChE;AAAA,EACA,OAAO;AAAA;AAGR,SAAS,sBAAsB,CAAC,GAAsB;AAAA,EACrD,OAAO,EAAE,KACR,EAAE,OAAO,gBAAgB,SAAS,2BAA2B,GAC7D,GACD;AAAA;AAGD,SAAS,gBAAgB,CAAC,GAAsB;AAAA,EAC/C,OAAO,EAAE,KACR,EAAE,OAAO,aAAa,SAAS,4BAA4B,GAC3D,GACD;AAAA;AAYM,SAAS,WAAW,CAAC,MAA+B;AAAA,EAC1D,OAAO,OAAO,MAAM,KAAK,QAAQ,EAAE,IAAI,GAAG;AAAA;;ACtG3C;AACA;AACA;AAwBO,SAAS,WAAW,CAC1B,UAA8B,CAAC,GACV;AAAA,EACrB,OAAO,qBAAqB,YAAY,MAAM,OAAgB;AAAA;AAAA;AAOxD,MAAM,6BAA6B,MAAM;AAAA,EACtC,SAAS;AAAA,EAClB,WAAW,CAAC,UAAU,4BAA4B;AAAA,IACjD,MAAM,OAAO;AAAA,IACb,KAAK,OAAO;AAAA;AAEd;AAAA;AAEO,MAAM,uBAAuB,MAAM;AAAA,EAChC,SAAS;AAAA,EAClB,WAAW,CAAC,UAAU,6BAA6B;AAAA,IAClD,MAAM,OAAO;AAAA,IACb,KAAK,OAAO;AAAA;AAEd;",
13
- "debugId": "EEADE08822BB72E964756E2164756E21",
12
+ "mappings": ";;;;;;;;;;;;;;;;;;AA+BA;AAWO,SAAS,UAAU,CAAC,SAAqB,CAAC,GAAuB;AAAA,EACvE,MAAM,SAAS,OAAO,UAAU,QAAQ,IAAI;AAAA,EAC5C,MAAM,UAAU,OAAO,WAAW,QAAQ,IAAI;AAAA,EAE9C,IAAI,CAAC,QAAQ;AAAA,IACZ,MAAM,IAAI,MACT,kDACC,iEACF;AAAA,EACD;AAAA,EACA,IAAI,CAAC,SAAS;AAAA,IACb,MAAM,IAAI,MACT,wEACD;AAAA,EACD;AAAA,EAEA,MAAM,UAA0B,CAAC;AAAA,EAGjC,IAAI,OAAO,KAAK,SAAS;AAAA,IAIxB,QAAQ;AAAA,IACR,QAAQ,KACP,IAAI;AAAA,MACH,MAAM;AAAA,QACL,MAAM,OAAO,IAAI,YAAY;AAAA,MAC9B;AAAA,MACA,QAAQ,OAAO,IAAI,UAAU;AAAA,MAC7B,UAAU,OAAO,IAAI,YAAY;AAAA,MACjC,WAAW,OAAO,IAAI,aAAa,KAAK;AAAA,IACzC,CAAC,CACF;AAAA,EACD;AAAA,EAGA,IAAI,OAAO,SAAS,SAAS;AAAA,IAE5B,QAAQ;AAAA,IACR,QAAQ,KACP,QAAQ;AAAA,MACP,QAAQ,OAAO,QAAQ;AAAA,MACvB,MAAM,OAAO,QAAQ;AAAA,MACrB,QAAQ,OAAO,QAAQ;AAAA,IACxB,CAAC,CACF;AAAA,EACD;AAAA,EAEA,OAAO,WAAW;AAAA,IACjB;AAAA,IACA;AAAA,IACA,UAAU,OAAO,YAAY;AAAA,IAC7B,kBAAkB;AAAA,MACjB,SAAS,OAAO,kBAAkB,WAAW;AAAA,MAC7C,0BACC,OAAO,kBAAkB,4BAA4B;AAAA,MACtD,mBAAmB,OAAO,kBAAkB,qBAAqB;AAAA,MACjE,mBAAmB,OAAO,kBAAkB,qBAAqB;AAAA,IAClE;AAAA,IACA,SAAS;AAAA,MACR,WAAW,OAAO,2BAA2B,KAAK,KAAK,KAAK;AAAA,IAC7D;AAAA,IACA,iBAAiB,OAAO;AAAA,IACxB,UAAU;AAAA,MACT,SAAS;AAAA,QACR,cAAc;AAAA,UACb,YAAY;AAAA,YACX,UAAW,OAAO,kBAAkB;AAAA,YAIpC,QACC,OAAO,gBAAgB;AAAA,eACpB,OAAO,eAAe,EAAE,QAAQ,OAAO,aAAa,IAAI,CAAC;AAAA,UAC9D;AAAA,QACD;AAAA,MACD;AAAA,MACA,uBAAuB,OAAO,uBAAuB,UAClD;AAAA,QACA,SAAS;AAAA,QACT,QAAQ,OAAO,sBAAsB;AAAA,MACtC,IACC;AAAA,IACJ;AAAA,IACA;AAAA,EACD,CAAU;AAAA;;AC/GX;AAWO,MAAM,YAAY;AAAA,EAmBiB;AAAA,SAjBzB,QAAQ,OAAO,IAAI,mBAAmB;AAAA,EAG7C;AAAA,EAWT,kBAAyC;AAAA,EAEzC,WAAW,CAC8B,QACvC;AAAA,IADuC;AAAA,IAIxC,KAAK,WAAW,WAAW,KAAK,MAAM;AAAA;AAAA,EAYvC,WAAW,CAAC,gBAAsC;AAAA,IACjD,KAAK,kBAAkB;AAAA,IACvB,OAAO;AAAA;AAAA,EAMR,iBAAiB,GAAY;AAAA,IAC5B,OAAO,KAAK,oBAAoB;AAAA;AAAA,OAgB3B,WAAU,CAAC,OAAmD;AAAA,IAEnE,IAAI,KAAK,iBAAiB;AAAA,MACzB,MAAM,aAAa,KAAK,gBAAgB;AAAA,MACxC,IAAI,YAAY;AAAA,QACf,MAAM,eAAe,MAAM,QAAQ,IAAI,QAAQ,KAAK;AAAA,QACpD,MAAM,QAAQ,YAAY,cAAc,UAAU;AAAA,QAClD,IAAI,OAAO;AAAA,UACV,MAAM,UAAU,KAAK,gBAAgB,aAAa,KAAK;AAAA,UACvD,IAAI,SAAS,QAAQ;AAAA,YAGpB,MAAM,iBAAkB,MAAM,KAAK,SAAS,IAAI,WAAW;AAAA,cAC1D,SAAS,MAAM;AAAA,YAChB,CAAC;AAAA,YACD,IAAI,gBAAgB,MAAM;AAAA,cACzB,OAAO;AAAA,YACR;AAAA,UACD;AAAA,QACD;AAAA,MACD;AAAA,IACD;AAAA,IAGA,MAAM,SAAS,MAAM,KAAK,SAAS,IAAI,WAAW;AAAA,MACjD,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA,IACD,OAAO;AAAA;AAAA,OAQF,cAAa,CAAC,OAA6B;AAAA,IAChD,IAAI,CAAC,KAAK;AAAA,MAAiB,OAAO;AAAA,IAClC,MAAM,aAAa,KAAK,gBAAgB;AAAA,IACxC,IAAI,CAAC;AAAA,MAAY,OAAO;AAAA,IACxB,MAAM,eAAe,MAAM,QAAQ,IAAI,QAAQ,KAAK;AAAA,IACpD,MAAM,QAAQ,YAAY,cAAc,UAAU;AAAA,IAClD,IAAI,CAAC;AAAA,MAAO,OAAO;AAAA,IACnB,OAAO,KAAK,gBAAgB,aAAa,KAAK;AAAA;AAAA,OAWzC,OAAM,CAAC,OAMV;AAAA,IACF,OAAO,KAAK,SAAS,IAAI,YAAY;AAAA,MACpC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAII,OAAM,CAAC,OAAkE;AAAA,IAC9E,OAAO,KAAK,SAAS,IAAI,YAAY;AAAA,MACpC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAII,QAAO,CAAC,OAA6B;AAAA,IAC1C,OAAO,KAAK,SAAS,IAAI,QAAQ;AAAA,MAChC,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA;AAAA,OAUI,YAAW,CAAC,OAGf;AAAA,IACF,OAAO,KAAK,SAAS,IAAI,aAAa;AAAA,MACrC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAMI,oBAAmB,CAAC,OAA4D;AAAA,IACrF,OAAO,KAAK,SAAS,IAAI,aAAa;AAAA,MACrC,SAAS,MAAM;AAAA,MACf,OAAO,MAAM;AAAA,MACb,MAAM,CAAC;AAAA,IACR,CAAC;AAAA;AAAA,OAWI,SAAQ,CAAC,OAA2B;AAAA,IACzC,MAAM,MAAM,KAAK,SAAS;AAAA,IAM1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MACT,oFACD;AAAA,IACD;AAAA,IACA,OAAO,IAAI,QAAQ,EAAE,MAAM,EAAE,QAAQ,MAAM,OAAO,EAAE,CAAC;AAAA;AAAA,OAOhD,gBAAe,CAAC,OAA6B;AAAA,IAClD,MAAM,MAAM,KAAK,SAAS;AAAA,IAK1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MACT,4FACD;AAAA,IACD;AAAA,IACA,OAAO,IAAI,QAAQ,SAAS,EAAE,SAAS,MAAM,QAAQ,CAAC;AAAA;AAAA,OAGjD,oBAAmB,CAAC,OAA4C;AAAA,IACrE,MAAM,MAAM,KAAK,SAAS;AAAA,IAK1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MAAM,0CAA0C;AAAA,IAC3D;AAAA,IACA,OAAO,IAAI,QAAQ,aAAa,EAAE,SAAS,MAAM,SAAS,MAAM,MAAM,KAAK,CAAC;AAAA;AAAA,EAW7E,QAAQ,CAAC,IAAY,SAAgC,KAAe;AAAA,IACnE,OAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,SAAS,EAAE,UAAU,GAAG,EAAE,CAAC;AAAA;AAAA,EAMhE,kBAAkB,CAAC,SAGjB;AAAA,IACD,IAAI,CAAC;AAAA,MAAS,OAAO,EAAE,MAAM,MAAM,SAAS,KAAK;AAAA,IACjD,OAAO,EAAE,MAAM,QAAQ,MAAM,SAAS,QAAQ,QAAQ;AAAA;AAExD;AAjPa,cAAN;AAAA,EADN,WAAW;AAAA,EAoBT,kCAAO,aAAa;AAAA,EAnBhB;AAAA;AAAA;AAAA,GAAM;AAuPb,SAAS,WAAW,CAAC,cAAsB,MAA6B;AAAA,EACvE,IAAI,CAAC;AAAA,IAAc,OAAO;AAAA,EAC1B,MAAM,QAAQ,aAAa,MAAM,GAAG;AAAA,EACpC,WAAW,QAAQ,OAAO;AAAA,IACzB,MAAM,KAAK,KAAK,QAAQ,GAAG;AAAA,IAC3B,IAAI,KAAK;AAAA,MAAG;AAAA,IACZ,MAAM,IAAI,KAAK,MAAM,GAAG,EAAE,EAAE,KAAK;AAAA,IACjC,IAAI,MAAM,MAAM;AAAA,MACf,OAAO,mBAAmB,KAAK,MAAM,KAAK,CAAC,EAAE,KAAK,CAAC;AAAA,IACpD;AAAA,EACD;AAAA,EACA,OAAO;AAAA;;ACnQR;AAAA;AAAA;AAAA;AAAA,YAIC;AAAA;AAAA;AAAA;AAAA;AAUM,MAAM,eAAe;AAAA,EAC6B;AAAA,EAAxD,WAAW,CAA6C,MAAmB;AAAA,IAAnB;AAAA;AAAA,OAOlD,QAAO,CAAQ,GAAY;AAAA,IAChC,MAAM,UAAuB,MAAM,KAAK,KAAK,WAAW;AAAA,MACvD,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,MAAM,SAAS,KAAK,CAAC;AAAA;AAAA,OAQjD,YAAW,CAAQ,GAAoB,MAAW;AAAA,IACvD,MAAM,SAAS,MAAM,KAAK,KAAK,OAAO,IAAI;AAAA,IAC1C,OAAO,EAAE,KAAK,QAAQ,GAAG;AAAA;AAAA,OAQpB,YAAW,CAAQ,GAAoB,MAAW;AAAA,IACvD,MAAM,SAAS,MAAM,KAAK,KAAK,OAAO,IAAI;AAAA,IAC1C,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAOf,QAAO,CAAQ,GAAmB,MAAgB;AAAA,IACvD,MAAM,KAAK,KAAK,QAAQ,EAAE,SAAS,EAAE,IAAI,IAAI,QAAQ,CAAC;AAAA,IACtD,OAAO,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC;AAAA;AAAA,OAQrB,aAAY,CACV,GACC,OACP;AAAA,IACD,MAAM,WAAW,EAAE,IAAI,MAAM,UAAU,KAAK;AAAA,IAC5C,MAAM,cAAc,EAAE,IAAI,MAAM,aAAa,KAAK;AAAA,IAClD,MAAM,SAAS,MAAM,KAAK,KAAK,YAAY,EAAE,UAAU,YAAY,CAAC;AAAA,IACpE,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OASf,cAAa,CAAQ,GAAY;AAAA,IACtC,MAAM,SAAS,MAAM,KAAK,KAAK,oBAAoB;AAAA,MAClD,SAAS,EAAE,IAAI,IAAI;AAAA,MACnB,OAAO,EAAE,IAAI,MAAM;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAQf,SAAQ,CAAQ,GAAY;AAAA,IACjC,MAAM,UAAU,MAAM,KAAK,KAAK,WAAW;AAAA,MAC1C,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,IAAI,CAAC;AAAA,MAAS,OAAO,EAAE,KAAK,EAAE,OAAO,eAAe,GAAG,GAAG;AAAA,IAC1D,MAAM,QAAQ,MAAM,KAAK,KAAK,SAAS,EAAE,QAAQ,QAAQ,KAAK,GAAG,CAAC;AAAA,IAClE,OAAO,EAAE,KAAK,KAAK;AAAA;AAAA,OAQd,gBAAe,CAAQ,GAAY;AAAA,IACxC,MAAM,SAAS,MAAM,KAAK,KAAK,gBAAgB;AAAA,MAC9C,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAQf,oBAAmB,CAAQ,GAAoB,MAAW;AAAA,IAC/D,MAAM,SAAS,MAAM,KAAK,KAAK,oBAAoB;AAAA,MAClD,SAAS,EAAE,IAAI,IAAI;AAAA,MACnB;AAAA,IACD,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAEtB;AAvGO;AAAA,EADL,IAAI,UAAU;AAAA,EACA,+BAAI;AAAA,EAAb;AAAA;AAAA;AAAA;AAAA;AAAA,GARM,eAQN;AAYA;AAAA,EADL,KAAK,gBAAgB;AAAA,EACH,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAArC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GApBM,eAoBN;AAUA;AAAA,EADL,KAAK,gBAAgB;AAAA,EACH,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAArC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GA9BM,eA8BN;AASA;AAAA,EADL,KAAK,WAAW;AAAA,EACF,+BAAI;AAAA,EAAe,+BAAI;AAAA,EAAhC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAvCM,eAuCN;AAUA;AAAA,EADL,IAAI,oBAAoB;AAAA,EAEvB,+BAAI;AAAA,EACJ,gCAAK;AAAA,EAFD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAjDM,eAiDN;AAgBA;AAAA,EADL,IAAI,qBAAqB;AAAA,EACL,+BAAI;AAAA,EAAnB;AAAA;AAAA;AAAA;AAAA;AAAA,GAjEM,eAiEN;AAaA;AAAA,EADL,KAAK,MAAM;AAAA,EACI,+BAAI;AAAA,EAAd;AAAA;AAAA;AAAA;AAAA;AAAA,GA9EM,eA8EN;AAcA;AAAA,EADL,KAAK,mBAAmB;AAAA,EACF,+BAAI;AAAA,EAArB;AAAA;AAAA;AAAA;AAAA;AAAA,GA5FM,eA4FN;AAYA;AAAA,EADL,KAAK,uBAAuB;AAAA,EACF,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAA7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAxGM,eAwGN;AAxGM,iBAAN;AAAA,EADN,WAAW,WAAW;AAAA,EAET,mCAAO,YAAY,KAAK;AAAA,EAD/B;AAAA;AAAA;AAAA,GAAM;;ACrBb;AAcO,MAAM,WAAW;AAAA,SAQhB,OAAO,CAAC,QAAoB;AAAA,IAUlC,MAAM,qBAAqB;AAAA,IAAC;AAAA,IAAtB,uBAAN;AAAA,MATC,OAAO;AAAA,QACP,aAAa,CAAC,cAAc;AAAA,QAC5B,WAAW;AAAA,UACV;AAAA,UACA,EAAE,SAAS,YAAY,OAAO,aAAa,YAAY;AAAA,UACvD,EAAE,SAAS,eAAe,UAAU,OAAO;AAAA,QAC5C;AAAA,QACA,SAAS,CAAC,aAAa,YAAY,KAAK;AAAA,MACzC,CAAC;AAAA,OACK;AAAA,IAGN,OAAO,eAAe,sBAAsB,QAAQ;AAAA,MACnD,OAAO;AAAA,IACR,CAAC;AAAA,IAED,OAAO;AAAA;AAET;AA3Ba,aAAN;AAAA,EARN,OAAO;AAAA,IACP,aAAa,CAAC,cAAc;AAAA,IAC5B,WAAW;AAAA,MACV;AAAA,MACA,EAAE,SAAS,YAAY,OAAO,aAAa,YAAY;AAAA,IACxD;AAAA,IACA,SAAS,CAAC,aAAa,YAAY,KAAK;AAAA,EACzC,CAAC;AAAA,GACY;;ACMN,SAAS,cAAc,CAC7B,MACA,UAAiC,CAAC,GACgB;AAAA,EAClD;AAAA,IACC,OAAO;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,IACA,oBAAoB;AAAA,MACjB;AAAA,EAEJ,MAAM,UAAU,UAAU,YAAY;AAAA,EACtC,MAAM,aACL,SAAS,WACN,UAAU,SAAS,kBAAkB,OAAO,IAC5C;AAAA,EAEJ,OAAO,OAAO,GAAG,SAAS;AAAA,IACzB,MAAM,OAAO,EAAE,IAAI;AAAA,IAGnB,IAAI,SAAS,KAAK,IAAI,GAAG;AAAA,MACxB,OAAO,KAAK;AAAA,IACb;AAAA,IAGA,MAAM,UAAU,MAAM,KAAK,IAAI,WAAW;AAAA,MACzC,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IAED,IAAI,SAAS;AAAA,MACZ,EAAE,IAAI,QAAQ,QAAQ,IAAa;AAAA,MACnC,EAAE,IAAI,WAAW,QAAQ,OAAgB;AAAA,IAC1C,EAAO;AAAA,MACN,EAAE,IAAI,QAAQ,IAAI;AAAA,MAClB,EAAE,IAAI,WAAW,IAAI;AAAA;AAAA,IAItB,IAAI,SAAS,cAAe,YAAY,KAAK,IAAI,KAAK,YAAY,MAAO;AAAA,MACxE,IAAI,YAAY;AAAA,QAAM,OAAO,kBAAkB,CAAC;AAAA,IACjD;AAAA,IAKA,OAAO,KAAK;AAAA;AAAA;AAId,SAAS,SAAS,CAAC,OAA0C;AAAA,EAC5D,IAAI,CAAC;AAAA,IAAO,OAAO;AAAA,EACnB,IAAI,MAAM,QAAQ,KAAK,GAAG;AAAA,IACzB,OAAO,IAAI,OAAO,MAAM,IAAI,CAAC,MAAM,MAAM,EAAE,SAAS,EAAE,KAAK,GAAG,CAAC;AAAA,EAChE;AAAA,EACA,OAAO;AAAA;AAGR,SAAS,sBAAsB,CAAC,GAAsB;AAAA,EACrD,OAAO,EAAE,KACR,EAAE,OAAO,gBAAgB,SAAS,2BAA2B,GAC7D,GACD;AAAA;AAYM,SAAS,WAAW,CAAC,MAA+B;AAAA,EAC1D,OAAO,OAAO,MAAM,KAAK,QAAQ,EAAE,IAAI,GAAG;AAAA;;AC9F3C;AACA;AAyBO,SAAS,WAAW,CAC1B,UAA8B,CAAC,GACV;AAAA,EACrB,OAAO,qBAAqB,YAAY,MAAM,OAAgB;AAAA;AAAA;AAOxD,MAAM,6BAA6B,MAAM;AAAA,EACtC,SAAS;AAAA,EAClB,WAAW,CAAC,UAAU,4BAA4B;AAAA,IACjD,MAAM,OAAO;AAAA,IACb,KAAK,OAAO;AAAA;AAEd;AAAA;AAEO,MAAM,uBAAuB,MAAM;AAAA,EAChC,SAAS;AAAA,EAClB,WAAW,CAAC,UAAU,6BAA6B;AAAA,IAClD,MAAM,OAAO;AAAA,IACb,KAAK,OAAO;AAAA;AAEd;",
13
+ "debugId": "7EDCCD5DCE9F451764756E2164756E21",
14
14
  "names": []
15
15
  }
package/dist/middleware.d.ts CHANGED
@@ -16,8 +16,8 @@
16
16
  * app.use('*', authMiddleware(auth, { mode: 'optional' }));
17
17
  * app.use('/api/*', authMiddleware(auth, { mode: 'required' }));
18
18
  */
19
- import type { Context, MiddlewareHandler } from "hono";
20
19
  import type { Auth } from "better-auth";
20
+ import type { Context, MiddlewareHandler } from "hono";
21
21
  import type { AuthVariables } from "./types.js";
22
22
  export type AuthMiddlewareMode = "optional" | "required" | "scoped";
23
23
  export interface AuthMiddlewareOptions {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@nexusts/auth",
3
- "version": "0.8.4",
3
+ "version": "0.9.0",
4
4
  "description": "Authentication via better-auth integration",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",
@@ -34,7 +34,7 @@
34
34
  }
35
35
  },
36
36
  "dependencies": {
37
- "@nexusts/core": "^0.8.4"
37
+ "@nexusts/core": "^0.9.0"
38
38
  },
39
39
  "repository": {
40
40
  "type": "git",