@nwire/auth-better-auth 0.7.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Alex Gefter / 200apps Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,70 @@
+# @nwire/auth-better-auth
+
+> IdP adapter for [better-auth](https://better-auth.com) — the TypeScript-first default.
+
+## What it does
+
+Wraps better-auth's API so it conforms to Nwire's `IdpAdapter` contract. Supports `verifyToken`, `signIn`, `signOut`, `register`, `requestPasswordReset`, `resetPassword`. Pairs with Drizzle/Prisma adapters on better-auth's side; the rest of Nwire (RBAC, scoped containers, canonical resolvers) works unchanged.
+
+## Install
+
+```bash
+pnpm add @nwire/auth-better-auth @nwire/auth better-auth
+```
+
+## Quick start
+
+```ts
+import { betterAuth } from "better-auth";
+import { drizzleAdapter } from "better-auth/adapters/drizzle";
+import { betterAuthAdapter } from "@nwire/auth-better-auth";
+import { identityPlugin } from "@nwire/auth";
+import { defineApp } from "@nwire/forge";
+import { db } from "./db.js";
+
+const auth = betterAuth({
+  database: drizzleAdapter(db, { provider: "pg" }),
+  emailAndPassword: { enabled: true },
+  socialProviders: { github: { clientId: "...", clientSecret: "..." } },
+});
+
+defineApp("my-app", {
+  plugins: [identityPlugin({ adapter: betterAuthAdapter({ auth }) })],
+});
+```
+
+## API surface
+
+- `betterAuthAdapter({ auth })` — produces an `IdpAdapter` that conforms to the `@nwire/auth` contract.
+
+## When to use
+
+When you want a TS-first auth backend you own the DB schema for. Pair with `@nwire/data-drizzle` for the canonical L3 stack.
+
+## Standalone use
+
+For developers using `@nwire/auth-better-auth` **without the rest of Nwire** — pair it with any TypeScript project, any container, any HTTP framework.
+
+```ts
+// See the package's main entry (src/) for the standalone surface.
+// The exports below work without @nwire/app or @nwire/forge.
+import {} from /* ...standalone exports... */ "@nwire/auth-better-auth";
+```
+
+## Within nwire-app
+
+For developers using this package as part of the Nwire stack — register it via `app.use(...)` or it auto-wires when you compose `createApp({ modules })`.
+
+```ts
+import { createApp } from "@nwire/forge";
+
+const app = createApp({
+  /* ...config... */
+});
+// Adapter/plugin wiring happens here when applicable.
+```
+
+## See also
+
+- [Architecture sketch §05 — Adapters tier](../../architecture-sketch.html#packages)
+- Sibling packages: [@nwire/auth](../nwire-auth), [@nwire/auth-logto](../nwire-auth-logto), [@nwire/data-drizzle](../nwire-data-drizzle)

package/dist/__tests__/auth-better-auth.test.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Adapter tests — stub better-auth's `api.*` methods directly so the
+ * shape mapping is tested without spinning up better-auth itself.
+ *
+ * better-auth has its own extensive integration tests; we're verifying
+ * our glue: that `verifyToken` calls `getSession` with a Bearer header,
+ * that the session→User mapping pulls id/email/name + member.role into
+ * `roles`, that errors propagate, that optional flows degrade cleanly.
+ */
+export {};
+//# sourceMappingURL=auth-better-auth.test.d.ts.map

package/dist/__tests__/auth-better-auth.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-better-auth.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/auth-better-auth.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG"}

package/dist/__tests__/auth-better-auth.test.js

@@ -0,0 +1,135 @@
+/**
+ * Adapter tests — stub better-auth's `api.*` methods directly so the
+ * shape mapping is tested without spinning up better-auth itself.
+ *
+ * better-auth has its own extensive integration tests; we're verifying
+ * our glue: that `verifyToken` calls `getSession` with a Bearer header,
+ * that the session→User mapping pulls id/email/name + member.role into
+ * `roles`, that errors propagate, that optional flows degrade cleanly.
+ */
+import { describe, it, expect, vi } from "vitest";
+import { betterAuthAdapter } from "../auth-better-auth.js";
+function fakeAuth(api) {
+    return { api };
+}
+function fakeSession(overrides = {}) {
+    return {
+        user: { id: "u_1", email: "alice@example.com", name: "Alice", ...(overrides.user ?? {}) },
+        session: {
+            id: "s_1",
+            token: "tok-1",
+            userId: "u_1",
+            expiresAt: new Date(Date.now() + 3_600_000),
+            ...(overrides.session ?? {}),
+        },
+        member: overrides.member,
+    };
+}
+describe("betterAuthAdapter — verifyToken", () => {
+    it("returns mapped User when session exists", async () => {
+        const getSession = vi.fn().mockResolvedValue(fakeSession());
+        const adapter = betterAuthAdapter({ auth: fakeAuth({ getSession }) });
+        const user = await adapter.verifyToken("tok-1");
+        expect(user?.id).toBe("u_1");
+        expect(user?.email).toBe("alice@example.com");
+        expect(user?.name).toBe("Alice");
+        expect(user?.roles).toEqual([]);
+        expect(getSession).toHaveBeenCalledWith(expect.objectContaining({ headers: expect.any(Headers) }));
+    });
+    it("returns null when session is null", async () => {
+        const getSession = vi.fn().mockResolvedValue(null);
+        const adapter = betterAuthAdapter({ auth: fakeAuth({ getSession }) });
+        expect(await adapter.verifyToken("bad")).toBeNull();
+    });
+    it("returns null when getSession throws", async () => {
+        const getSession = vi.fn().mockRejectedValue(new Error("boom"));
+        const adapter = betterAuthAdapter({ auth: fakeAuth({ getSession }) });
+        expect(await adapter.verifyToken("x")).toBeNull();
+    });
+    it("pulls role from active organization member", async () => {
+        const getSession = vi.fn().mockResolvedValue(fakeSession({ member: { role: "admin", organizationId: "org_1" } }));
+        const adapter = betterAuthAdapter({ auth: fakeAuth({ getSession }) });
+        const user = await adapter.verifyToken("tok-1");
+        expect(user?.roles).toEqual(["admin"]);
+    });
+    it("respects a custom toUser mapper", async () => {
+        const getSession = vi.fn().mockResolvedValue(fakeSession());
+        const adapter = betterAuthAdapter({
+            auth: fakeAuth({ getSession }),
+            toUser: (s) => ({
+                id: s.user.id,
+                email: s.user.email,
+                name: (s.user.name ?? "").toUpperCase(),
+                roles: ["app:custom"],
+            }),
+        });
+        const user = await adapter.verifyToken("tok-1");
+        expect(user?.name).toBe("ALICE");
+        expect(user?.roles).toEqual(["app:custom"]);
+    });
+});
+describe("betterAuthAdapter — signIn / signOut / register", () => {
+    it("signIn calls signInEmail with body + returns user + tokens", async () => {
+        const signInEmail = vi.fn().mockResolvedValue(fakeSession());
+        const adapter = betterAuthAdapter({ auth: fakeAuth({ signInEmail }) });
+        const result = await adapter.signIn({ email: "alice@example.com", password: "secret" });
+        expect(signInEmail).toHaveBeenCalledWith({
+            body: { email: "alice@example.com", password: "secret" },
+        });
+        expect(result.user.id).toBe("u_1");
+        expect(result.tokens.accessToken).toBe("tok-1");
+        expect(result.tokens.tokenType).toBe("Bearer");
+    });
+    it("signIn throws when email/password missing", async () => {
+        const adapter = betterAuthAdapter({ auth: fakeAuth({}) });
+        await expect(adapter.signIn({ email: "a@b.c" })).rejects.toThrow(/password/);
+    });
+    it("signOut calls signOut with Bearer header", async () => {
+        const signOut = vi.fn().mockResolvedValue({});
+        const adapter = betterAuthAdapter({ auth: fakeAuth({ signOut }) });
+        await adapter.signOut("tok-1");
+        const call = signOut.mock.calls[0][0];
+        expect(call.headers.get("Authorization")).toBe("Bearer tok-1");
+    });
+    it("register calls signUpEmail + returns user + initial tokens", async () => {
+        const signUpEmail = vi.fn().mockResolvedValue(fakeSession());
+        const adapter = betterAuthAdapter({ auth: fakeAuth({ signUpEmail }) });
+        const result = await adapter.register({
+            email: "new@example.com",
+            password: "long-enough-password",
+            name: "New",
+        });
+        expect(signUpEmail).toHaveBeenCalledWith({
+            body: { email: "new@example.com", password: "long-enough-password", name: "New" },
+        });
+        expect(result.user.id).toBe("u_1");
+        expect(result.tokens?.accessToken).toBe("tok-1");
+    });
+});
+describe("betterAuthAdapter — optional flows", () => {
+    it("requestPasswordReset throws when not enabled", async () => {
+        const adapter = betterAuthAdapter({ auth: fakeAuth({}) });
+        await expect(adapter.requestPasswordReset("x@y.z")).rejects.toThrow(/reset/);
+    });
+    it("requestPasswordReset calls forgetPassword when enabled", async () => {
+        const forgetPassword = vi.fn().mockResolvedValue({});
+        const adapter = betterAuthAdapter({ auth: fakeAuth({ forgetPassword }) });
+        await adapter.requestPasswordReset("alice@example.com");
+        expect(forgetPassword).toHaveBeenCalledWith({ body: { email: "alice@example.com" } });
+    });
+    it("resetPassword calls resetPassword with token + newPassword", async () => {
+        const resetPassword = vi.fn().mockResolvedValue({});
+        const adapter = betterAuthAdapter({ auth: fakeAuth({ resetPassword }) });
+        await adapter.resetPassword("reset-tok", "newpass-long");
+        expect(resetPassword).toHaveBeenCalledWith({
+            body: { token: "reset-tok", newPassword: "newpass-long" },
+        });
+    });
+    it("verifyEmail calls verifyEmail with query token", async () => {
+        const verifyEmail = vi.fn().mockResolvedValue({});
+        const adapter = betterAuthAdapter({ auth: fakeAuth({ verifyEmail }) });
+        await adapter.verifyEmail("v-tok");
+        expect(verifyEmail).toHaveBeenCalledWith({ query: { token: "v-tok" } });
+    });
+});
+//# sourceMappingURL=auth-better-auth.test.js.map

package/dist/__tests__/auth-better-auth.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-better-auth.test.js","sourceRoot":"","sources":["../../src/__tests__/auth-better-auth.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAA2B,MAAM,qBAAqB,CAAC;AAEjF,SAAS,QAAQ,CAAC,GAA4B;IAC5C,OAAO,EAAE,GAAG,EAAwB,CAAC;AACvC,CAAC;AAED,SAAS,WAAW,CAAC,YAAqC,EAAE;IAC1D,OAAO;QACL,IAAI,EAAK,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,SAAS,CAAC,IAAc,IAAI,EAAE,CAAC,EAAE;QACtG,OAAO,EAAE;YACP,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,OAAO;YACd,MAAM,EAAE,KAAK;YACb,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC3C,GAAG,CAAC,SAAS,CAAC,OAAiB,IAAI,EAAE,CAAC;SACvC;QACD,MAAM,EAAE,SAAS,CAAC,MAAM;KACzB,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;IAC/C,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,UAAU,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5D,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC;QACtE,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAChC,MAAM,CAAC,UAAU,CAAC,CAAC,oBAAoB,CACrC,MAAM,CAAC,gBAAgB,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAC1D,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,UAAU,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACnD,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC;QACtE,MAAM,CAAC,MAAM,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,UAAU,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;QAChE,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC;QACtE,MAAM,CAAC,MAAM,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,UAAU,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAC1C,WAAW,CAAC,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,EAAE,CAAC,CACpE,CAAC;QACF,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC;QACtE,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,UAAU,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5D,MAAM,OAAO,GAAG,iBAAiB,CAAC;YAChC,IAAI,EAAI,QAAQ,CAAC,EAAE,UAAU,EAAE,CAAC;YAChC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACd,EAAE,EAAK,CAAC,CAAC,IAAI,CAAC,EAAE;gBAChB,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK;gBACnB,IAAI,EAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE;gBACxC,KAAK,EAAE,CAAC,YAAY,CAAC;aACtB,CAAC;SACH,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iDAAiD,EAAE,GAAG,EAAE;IAC/D,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,MAAM,WAAW,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,WAAW,EAAE,CAAC,CAAC;QAC7D,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;QAExF,MAAM,CAAC,WAAW,CAAC,CAAC,oBAAoB,CAAC;YACvC,IAAI,EAAE,EAAE,KAAK,EAAE,mBAAmB,EAAE,QAAQ,EAAE,QAAQ,EAAE;SACzD,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QAC1D,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,OAAO,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;QACnE,MAAM,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAyB,CAAC;QAC/D,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,MAAM,WAAW,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,WAAW,EAAE,CAAC,CAAC;QAC7D,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,QAAS,CAAC;YACrC,KAAK,EAAE,iBAAiB;YACxB,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;QACH,MAAM,CAAC,WAAW,CAAC,CAAC,oBAAoB,CAAC;YACvC,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,sBAAsB,EAAE,IAAI,EAAE,KAAK,EAAE;SAClF,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QAC1D,MAAM,MAAM,CAAC,OAAO,CAAC,oBAAqB,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,cAAc,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC,CAAC;QAC1E,MAAM,OAAO,CAAC,oBAAqB,CAAC,mBAAmB,CAAC,CAAC;QACzD,MAAM,CAAC,cAAc,CAAC,CAAC,oBAAoB,CAAC,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,MAAM,aAAa,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACpD,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,CAAC,CAAC;QACzE,MAAM,OAAO,CAAC,aAAc,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QAC1D,MAAM,CAAC,aAAa,CAAC,CAAC,oBAAoB,CAAC;YACzC,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,cAAc,EAAE;SAC1D,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,WAAW,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;QAClD,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,CAAC;QACvE,MAAM,OAAO,CAAC,WAAY,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,WAAW,CAAC,CAAC,oBAAoB,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth-better-auth.d.ts

@@ -0,0 +1,93 @@
+/**
+ * `@nwire/auth-better-auth` — IdpAdapter for better-auth.
+ *
+ *   import { betterAuth }       from "better-auth";
+ *   import { drizzleAdapter }   from "better-auth/adapters/drizzle";
+ *   import { betterAuthAdapter } from "@nwire/auth-better-auth";
+ *   import { identityPlugin }   from "@nwire/auth";
+ *   import { db }               from "./db";
+ *
+ *   const auth = betterAuth({
+ *     database: drizzleAdapter(db, { provider: "pg" }),
+ *     emailAndPassword: { enabled: true },
+ *     socialProviders: { github: { clientId: "...", clientSecret: "..." } },
+ *     plugins: [organization()],
+ *   });
+ *
+ *   defineApp("my-app", {
+ *     plugins: [
+ *       identityPlugin({ adapter: betterAuthAdapter({ auth }) }),
+ *     ],
+ *   });
+ *
+ * What it does:
+ *   - `verifyToken(token)` — calls `auth.api.getSession({ headers })` with
+ *     a synthesized Bearer header; maps the session's `user` to ours.
+ *   - `signIn(input)` — `auth.api.signInEmail({ body: { email, password } })`
+ *   - `signOut(token)` — `auth.api.signOut({ headers })`
+ *   - `register(input)` — `auth.api.signUpEmail({ body })`
+ *   - `requestPasswordReset(email)` — `auth.api.forgetPassword`
+ *   - `resetPassword(token, newPassword)` — `auth.api.resetPassword`
+ *   - `verifyEmail(token)` — `auth.api.verifyEmail`
+ *   - `refresh` — not implemented (better-auth uses long-lived sessions
+ *     or its own refresh-token plugin; pass a refresh adapter explicitly
+ *     if you've enabled the JWT plugin).
+ *
+ * Roles map: if you've enabled better-auth's `organization` plugin and
+ * `member.role` is populated, this adapter pulls roles from the active
+ * organization member record. Otherwise `roles` is `[]` and you wire
+ * your own role storage.
+ *
+ * Why glue: better-auth owns 99% of the work — password hashing, session
+ * storage, OAuth providers, magic links, 2FA, passkeys, email
+ * verification, organization invitations. We're a thin shape mapper.
+ */
+import type { IdpAdapter, User } from "@nwire/auth";
+/**
+ * The minimal shape we need from a better-auth instance — structurally
+ * typed so this package doesn't take a hard dep on a specific
+ * better-auth version. Authors pass in whatever `betterAuth({...})`
+ * returned.
+ */
+export type BetterAuthInstance = {
+    readonly api: Record<string, any>;
+};
+interface BetterAuthUser {
+    readonly id: string;
+    readonly email?: string;
+    readonly name?: string;
+    readonly emailVerified?: boolean;
+    readonly image?: string;
+    readonly activeOrganizationId?: string;
+    readonly [k: string]: unknown;
+}
+interface BetterAuthSession {
+    readonly user: BetterAuthUser;
+    readonly session: {
+        readonly id: string;
+        readonly token: string;
+        readonly userId: string;
+        readonly expiresAt: string | Date;
+        readonly activeOrganizationId?: string;
+    };
+    readonly member?: {
+        readonly role?: string;
+        readonly organizationId?: string;
+    };
+}
+export interface BetterAuthAdapterOptions {
+    readonly auth: BetterAuthInstance;
+    /**
+     * Map a better-auth user (+ session/member) to our canonical User.
+     * Default extracts id/email/name + member.role into `roles`. Override
+     * when your app has custom user fields, multi-tenant logic, or a
+     * different role source.
+     */
+    readonly toUser?: (raw: BetterAuthSession) => User;
+}
+/**
+ * Build the IdpAdapter that wraps a configured better-auth instance.
+ */
+export declare function betterAuthAdapter(options: BetterAuthAdapterOptions): IdpAdapter;
+export {};
+//# sourceMappingURL=auth-better-auth.d.ts.map

package/dist/auth-better-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-better-auth.d.ts","sourceRoot":"","sources":["../src/auth-better-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,KAAK,EAAc,UAAU,EAA8B,IAAI,EAAE,MAAM,aAAa,CAAC;AAE5F;;;;;GAKG;AAEH,MAAM,MAAM,kBAAkB,GAAG;IAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;CAAE,CAAC;AAEvE,UAAU,cAAc;IACtB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAExB,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IACvC,QAAQ,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;CAC/B;AAED,UAAU,iBAAiB;IACzB,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,EAAE,EAAS,MAAM,CAAC;QAC3B,QAAQ,CAAC,KAAK,EAAM,MAAM,CAAC;QAC3B,QAAQ,CAAC,MAAM,EAAK,MAAM,CAAC;QAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;QAClC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;KACxC,CAAC;IAEF,QAAQ,CAAC,MAAM,CAAC,EAAE;QAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAChF;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,kBAAkB,CAAC;IAClC;;;;;OAKG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,KAAK,IAAI,CAAC;CACpD;AAaD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,wBAAwB,GAAG,UAAU,CAgF/E"}

package/dist/auth-better-auth.js

@@ -0,0 +1,131 @@
+/**
+ * `@nwire/auth-better-auth` — IdpAdapter for better-auth.
+ *
+ *   import { betterAuth }       from "better-auth";
+ *   import { drizzleAdapter }   from "better-auth/adapters/drizzle";
+ *   import { betterAuthAdapter } from "@nwire/auth-better-auth";
+ *   import { identityPlugin }   from "@nwire/auth";
+ *   import { db }               from "./db";
+ *
+ *   const auth = betterAuth({
+ *     database: drizzleAdapter(db, { provider: "pg" }),
+ *     emailAndPassword: { enabled: true },
+ *     socialProviders: { github: { clientId: "...", clientSecret: "..." } },
+ *     plugins: [organization()],
+ *   });
+ *
+ *   defineApp("my-app", {
+ *     plugins: [
+ *       identityPlugin({ adapter: betterAuthAdapter({ auth }) }),
+ *     ],
+ *   });
+ *
+ * What it does:
+ *   - `verifyToken(token)` — calls `auth.api.getSession({ headers })` with
+ *     a synthesized Bearer header; maps the session's `user` to ours.
+ *   - `signIn(input)` — `auth.api.signInEmail({ body: { email, password } })`
+ *   - `signOut(token)` — `auth.api.signOut({ headers })`
+ *   - `register(input)` — `auth.api.signUpEmail({ body })`
+ *   - `requestPasswordReset(email)` — `auth.api.forgetPassword`
+ *   - `resetPassword(token, newPassword)` — `auth.api.resetPassword`
+ *   - `verifyEmail(token)` — `auth.api.verifyEmail`
+ *   - `refresh` — not implemented (better-auth uses long-lived sessions
+ *     or its own refresh-token plugin; pass a refresh adapter explicitly
+ *     if you've enabled the JWT plugin).
+ *
+ * Roles map: if you've enabled better-auth's `organization` plugin and
+ * `member.role` is populated, this adapter pulls roles from the active
+ * organization member record. Otherwise `roles` is `[]` and you wire
+ * your own role storage.
+ *
+ * Why glue: better-auth owns 99% of the work — password hashing, session
+ * storage, OAuth providers, magic links, 2FA, passkeys, email
+ * verification, organization invitations. We're a thin shape mapper.
+ */
+function defaultToUser(s) {
+    const roles = s.member?.role ? [s.member.role] : [];
+    return {
+        id: s.user.id,
+        email: s.user.email,
+        name: s.user.name,
+        roles,
+        tenant: s.session.activeOrganizationId ?? s.user.activeOrganizationId,
+    };
+}
+/**
+ * Build the IdpAdapter that wraps a configured better-auth instance.
+ */
+export function betterAuthAdapter(options) {
+    const api = options.auth.api;
+    const toUser = options.toUser ?? defaultToUser;
+    function bearer(token) {
+        const h = new Headers();
+        h.set("Authorization", `Bearer ${token}`);
+        return h;
+    }
+    function sessionToTokens(s) {
+        const expiresAt = typeof s.session.expiresAt === "string"
+            ? new Date(s.session.expiresAt).getTime()
+            : s.session.expiresAt.getTime();
+        return {
+            accessToken: s.session.token,
+            expiresAt,
+            tokenType: "Bearer",
+        };
+    }
+    return {
+        async verifyToken(token) {
+            try {
+                const session = (await api.getSession({ headers: bearer(token) }));
+                return session ? toUser(session) : null;
+            }
+            catch {
+                return null;
+            }
+        },
+        async signIn(input) {
+            if (!input.email || !input.password) {
+                throw new Error("@nwire/auth-better-auth: signIn requires email + password");
+            }
+            const result = (await api.signInEmail({
+                body: { email: input.email, password: input.password },
+            }));
+            return { user: toUser(result), tokens: sessionToTokens(result) };
+        },
+        async signOut(token) {
+            await api.signOut({ headers: bearer(token) });
+        },
+        async register(input) {
+            const result = (await api.signUpEmail({
+                body: {
+                    email: input.email,
+                    password: input.password ?? "",
+                    name: input.name,
+                },
+            }));
+            return {
+                user: toUser(result),
+                tokens: result.session ? sessionToTokens(result) : undefined,
+            };
+        },
+        async requestPasswordReset(email) {
+            if (!api.forgetPassword) {
+                throw new Error("@nwire/auth-better-auth: enable the email-and-password reset flow first");
+            }
+            await api.forgetPassword({ body: { email } });
+        },
+        async resetPassword(resetToken, newPassword) {
+            if (!api.resetPassword) {
+                throw new Error("@nwire/auth-better-auth: enable the email-and-password reset flow first");
+            }
+            await api.resetPassword({ body: { token: resetToken, newPassword } });
+        },
+        async verifyEmail(verificationToken) {
+            if (!api.verifyEmail) {
+                throw new Error("@nwire/auth-better-auth: email verification not enabled");
+            }
+            await api.verifyEmail({ query: { token: verificationToken } });
+        },
+    };
+}
+//# sourceMappingURL=auth-better-auth.js.map

package/dist/auth-better-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-better-auth.js","sourceRoot":"","sources":["../src/auth-better-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAgDH,SAAS,aAAa,CAAC,CAAoB;IACzC,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACpD,OAAO;QACL,EAAE,EAAM,CAAC,CAAC,IAAI,CAAC,EAAE;QACjB,KAAK,EAAG,CAAC,CAAC,IAAI,CAAC,KAAK;QACpB,IAAI,EAAI,CAAC,CAAC,IAAI,CAAC,IAAI;QACnB,KAAK;QACL,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,oBAAoB,IAAI,CAAC,CAAC,IAAI,CAAC,oBAAoB;KACtE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAiC;IACjE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;IAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,aAAa,CAAC;IAE/C,SAAS,MAAM,CAAC,KAAa;QAC3B,MAAM,CAAC,GAAG,IAAI,OAAO,EAAE,CAAC;QACxB,CAAC,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,KAAK,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,CAAC;IACX,CAAC;IAED,SAAS,eAAe,CAAC,CAAoB;QAC3C,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,OAAO,CAAC,SAAS,KAAK,QAAQ;YACvD,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;QAClC,OAAO;YACL,WAAW,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK;YAC5B,SAAS;YACT,SAAS,EAAI,QAAQ;SACtB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,CAAC,WAAW,CAAC,KAAa;YAC7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAA6B,CAAC;gBAC/F,OAAO,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,KAAkB;YAC7B,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACpC,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;YAC/E,CAAC;YACD,MAAM,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,WAAW,CAAC;gBACpC,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE;aACvD,CAAC,CAA6D,CAAC;YAChE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,KAAa;YACzB,MAAM,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,CAAC,QAAQ,CAAC,KAAoB;YACjC,MAAM,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,WAAW,CAAC;gBACpC,IAAI,EAAE;oBACJ,KAAK,EAAK,KAAK,CAAC,KAAK;oBACrB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,EAAE;oBAC9B,IAAI,EAAM,KAAK,CAAC,IAAI;iBACrB;aACF,CAAC,CAAsB,CAAC;YACzB,OAAO;gBACL,IAAI,EAAI,MAAM,CAAC,MAAM,CAAC;gBACtB,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;aAC7D,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,oBAAoB,CAAC,KAAa;YACtC,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;YAC7F,CAAC;YACD,MAAM,GAAG,CAAC,cAAc,CAAC,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,CAAC,aAAa,CAAC,UAAkB,EAAE,WAAmB;YACzD,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;YAC7F,CAAC;YACD,MAAM,GAAG,CAAC,aAAa,CAAC,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,KAAK,CAAC,WAAW,CAAC,iBAAyB;YACzC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;YAC7E,CAAC;YACD,MAAM,GAAG,CAAC,WAAW,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;QACjE,CAAC;KACF,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@nwire/auth-better-auth",
+  "version": "0.7.0",
+  "description": "Nwire — better-auth adapter. Wraps a configured better-auth instance as an IdpAdapter so canonical resolvers (SignIn/SignOut/Register/Refresh/Me/etc.) work against better-auth's database-first auth backend. For self-hosted apps that don't want a separate IdP service.",
+  "keywords": [
+    "adapter",
+    "auth",
+    "better-auth",
+    "idp",
+    "nwire"
+  ],
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "type": "module",
+  "main": "./dist/auth-better-auth.js",
+  "types": "./dist/auth-better-auth.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/auth-better-auth.js",
+      "types": "./dist/auth-better-auth.d.ts"
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@nwire/auth": "0.7.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.19.9",
+    "better-auth": "^1.6.11",
+    "typescript": "^5.9.3",
+    "vitest": "^4.1.6"
+  },
+  "peerDependencies": {
+    "better-auth": ">=1.0.0"
+  },
+  "scripts": {
+    "build": "tsc && node ../../scripts/fix-dist-extensions.mjs dist",
+    "dev": "tsc --watch",
+    "typecheck": "tsc --noEmit"
+  }
+}