@objectstack/plugin-auth 2.0.2 → 2.0.3

package/src/auth-plugin.ts

@@ -2,6 +2,7 @@
 
 import { Plugin, PluginContext, IHttpServer } from '@objectstack/core';
 import { AuthConfig } from '@objectstack/spec/system';
+import { AuthManager } from './auth-manager.js';
 
 /**
  * Auth Plugin Options
@@ -37,9 +38,9 @@ export interface AuthPluginOptions extends Partial<AuthConfig> {
  * - `auth` service (auth manager instance)
  * - HTTP routes for authentication endpoints
  * 
- * @planned This is a stub implementation. Full better-auth integration
- * will be added in a future version. For now, it provides the plugin
- * structure and basic route registration.
+ * Integrates with better-auth library to provide comprehensive
+ * authentication capabilities including email/password, OAuth, 2FA,
+ * magic links, passkeys, and organization support.
  */
 export class AuthPlugin implements Plugin {
   name = 'com.objectstack.auth';
@@ -66,8 +67,17 @@ export class AuthPlugin implements Plugin {
       throw new Error('AuthPlugin: secret is required');
     }
 
-    // Initialize auth manager
-    this.authManager = new AuthManager(this.options);
+    // Get data engine service for database operations
+    const dataEngine = ctx.getService<any>('data');
+    if (!dataEngine) {
+      ctx.logger.warn('No data engine service found - auth will use in-memory storage');
+    }
+
+    // Initialize auth manager with data engine
+    this.authManager = new AuthManager({
+      ...this.options,
+      dataEngine,
+    });
 
     // Register auth service
     ctx.registerService('auth', this.authManager);
@@ -105,118 +115,80 @@ export class AuthPlugin implements Plugin {
 
   /**
    * Register authentication routes with HTTP server
+   * 
+   * Uses better-auth's universal handler for all authentication requests.
+   * This forwards all requests under basePath to better-auth, which handles:
+   * - Email/password authentication
+   * - OAuth providers (Google, GitHub, etc.)
+   * - Session management
+   * - Password reset
+   * - Email verification
+   * - 2FA, passkeys, magic links (if enabled)
    */
   private registerAuthRoutes(httpServer: IHttpServer, ctx: PluginContext): void {
     if (!this.authManager) return;
 
     const basePath = this.options.basePath || '/api/v1/auth';
 
-    // Login endpoint
-    httpServer.post(`${basePath}/login`, async (req, res) => {
-      try {
-        const body = req.body;
-        const result = await this.authManager!.login(body);
-        res.status(200).json(result);
-      } catch (error) {
-        const err = error instanceof Error ? error : new Error(String(error));
-        ctx.logger.error('Login error:', err);
-        res.status(401).json({
-          success: false,
-          error: err.message,
-        });
-      }
-    });
+    // Get raw Hono app to use native wildcard routing
+    // Type assertion is safe here because we explicitly require Hono server as a dependency
+    if (!('getRawApp' in httpServer) || typeof (httpServer as any).getRawApp !== 'function') {
+      ctx.logger.error('HTTP server does not support getRawApp() - wildcard routing requires Hono server');
+      throw new Error(
+        'AuthPlugin requires HonoServerPlugin for wildcard routing support. ' +
+        'Please ensure HonoServerPlugin is loaded before AuthPlugin.'
+      );
+    }
 
-    // Register endpoint
-    httpServer.post(`${basePath}/register`, async (req, res) => {
-      try {
-        const body = req.body;
-        const result = await this.authManager!.register(body);
-        res.status(201).json(result);
-      } catch (error) {
-        const err = error instanceof Error ? error : new Error(String(error));
-        ctx.logger.error('Registration error:', err);
-        res.status(400).json({
-          success: false,
-          error: err.message,
-        });
-      }
-    });
+    const rawApp = (httpServer as any).getRawApp();
 
-    // Logout endpoint
-    httpServer.post(`${basePath}/logout`, async (req, res) => {
+    // Register wildcard route to forward all auth requests to better-auth
+    // Better-auth expects requests at its baseURL, so we need to preserve the full path
+    rawApp.all(`${basePath}/*`, async (c: any) => {
       try {
-        const authHeader = req.headers['authorization'];
-        const token = typeof authHeader === 'string' ? authHeader.replace('Bearer ', '') : undefined;
-        await this.authManager!.logout(token);
-        res.status(200).json({ success: true });
-      } catch (error) {
-        const err = error instanceof Error ? error : new Error(String(error));
-        ctx.logger.error('Logout error:', err);
-        res.status(400).json({
-          success: false,
-          error: err.message,
+        // Get the Web standard Request from Hono context
+        const request = c.req.raw as Request;
+        
+        // Create a new Request with the path rewritten to match better-auth's expectations
+        // Better-auth expects paths like /sign-in/email, /sign-up/email, etc.
+        // We need to strip our basePath prefix
+        const url = new URL(request.url);
+        const authPath = url.pathname.replace(basePath, '');
+        const rewrittenUrl = new URL(authPath || '/', url.origin);
+        rewrittenUrl.search = url.search; // Preserve query params
+        
+        const rewrittenRequest = new Request(rewrittenUrl, {
+          method: request.method,
+          headers: request.headers,
+          body: request.body,
+          duplex: 'half' as any, // Required for Request with body
         });
-      }
-    });
 
-    // Session endpoint
-    httpServer.get(`${basePath}/session`, async (req, res) => {
-      try {
-        const authHeader = req.headers['authorization'];
-        const token = typeof authHeader === 'string' ? authHeader.replace('Bearer ', '') : undefined;
-        const session = await this.authManager!.getSession(token);
-        res.status(200).json({ success: true, data: session });
+        // Forward to better-auth handler
+        const response = await this.authManager!.handleRequest(rewrittenRequest);
+        
+        return response;
       } catch (error) {
         const err = error instanceof Error ? error : new Error(String(error));
-        res.status(401).json({
-          success: false,
-          error: err.message,
-        });
+        ctx.logger.error('Auth request error:', err);
+        
+        // Return error response
+        return new Response(
+          JSON.stringify({
+            success: false,
+            error: err.message,
+          }),
+          {
+            status: 500,
+            headers: { 'Content-Type': 'application/json' },
+          }
+        );
       }
     });
 
-    ctx.logger.debug('Auth routes registered:', {
-      basePath,
-      routes: [
-        `POST ${basePath}/login`,
-        `POST ${basePath}/register`,
-        `POST ${basePath}/logout`,
-        `GET ${basePath}/session`,
-      ],
-    });
+    ctx.logger.info(`Auth routes registered: All requests under ${basePath}/* forwarded to better-auth`);
   }
 }
 
-/**
- * Auth Manager
- * 
- * @planned This is a stub implementation. Real authentication logic
- * will be implemented using better-auth or similar library in future versions.
- */
-class AuthManager {
-  constructor(_config: AuthPluginOptions) {
-    // Store config for future use
-  }
 
-  async login(_credentials: any): Promise<any> {
-    // @planned Implement actual login logic with better-auth
-    throw new Error('Login not yet implemented');
-  }
-
-  async register(_userData: any): Promise<any> {
-    // @planned Implement actual registration logic with better-auth
-    throw new Error('Registration not yet implemented');
-  }
-
-  async logout(_token?: string): Promise<void> {
-    // @planned Implement actual logout logic
-    throw new Error('Logout not yet implemented');
-  }
-
-  async getSession(_token?: string): Promise<any> {
-    // @planned Implement actual session retrieval
-    throw new Error('Session retrieval not yet implemented');
-  }
-}
 

package/src/index.ts

@@ -5,7 +5,11 @@
  * 
  * Authentication & Identity Plugin for ObjectStack
  * Powered by better-auth for robust, secure authentication
+ * Uses ObjectQL for data persistence (no third-party ORM required)
  */
 
-export * from './auth-plugin';
+export * from './auth-plugin.js';
+export * from './auth-manager.js';
+export * from './objectql-adapter.js';
+export * from './objects/index.js';
 export type { AuthConfig, AuthProviderConfig, AuthPluginConfig } from '@objectstack/spec/system';

package/src/objectql-adapter.ts

@@ -0,0 +1,181 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import type { IDataEngine } from '@objectstack/core';
+import type { CleanedWhere } from 'better-auth/adapters';
+
+/**
+ * ObjectQL Adapter for better-auth
+ * 
+ * Bridges better-auth's database adapter interface with ObjectQL's IDataEngine.
+ * This allows better-auth to use ObjectQL for data persistence instead of
+ * third-party ORMs like drizzle-orm.
+ * 
+ * Uses better-auth's native naming conventions (camelCase) for seamless migration.
+ * 
+ * @param dataEngine - ObjectQL data engine instance
+ * @returns better-auth CustomAdapter
+ */
+export function createObjectQLAdapter(dataEngine: IDataEngine) {
+  /**
+   * Convert better-auth where clause to ObjectQL query format
+   */
+  function convertWhere(where: CleanedWhere[]): Record<string, any> {
+    const filter: Record<string, any> = {};
+    
+    for (const condition of where) {
+      // Use field names as-is (no conversion needed)
+      const fieldName = condition.field;
+      
+      if (condition.operator === 'eq') {
+        filter[fieldName] = condition.value;
+      } else if (condition.operator === 'ne') {
+        filter[fieldName] = { $ne: condition.value };
+      } else if (condition.operator === 'in') {
+        filter[fieldName] = { $in: condition.value };
+      } else if (condition.operator === 'gt') {
+        filter[fieldName] = { $gt: condition.value };
+      } else if (condition.operator === 'gte') {
+        filter[fieldName] = { $gte: condition.value };
+      } else if (condition.operator === 'lt') {
+        filter[fieldName] = { $lt: condition.value };
+      } else if (condition.operator === 'lte') {
+        filter[fieldName] = { $lte: condition.value };
+      } else if (condition.operator === 'contains') {
+        filter[fieldName] = { $regex: condition.value };
+      }
+    }
+    
+    return filter;
+  }
+
+  return {
+    create: async <T extends Record<string, any>>({ model, data, select: _select }: { model: string; data: T; select?: string[] }): Promise<T> => {
+      // Use model name as-is (no conversion needed)
+      const objectName = model;
+      
+      // Note: select parameter is currently not supported by ObjectQL's insert operation
+      // The full record is always returned after insertion
+      const result = await dataEngine.insert(objectName, data);
+      return result as T;
+    },
+    
+    findOne: async <T>({ model, where, select, join: _join }: { model: string; where: CleanedWhere[]; select?: string[]; join?: any }): Promise<T | null> => {
+      const objectName = model;
+      const filter = convertWhere(where);
+      
+      // Note: join parameter is not currently supported by ObjectQL's findOne operation
+      // Joins/populate functionality is planned for future ObjectQL releases
+      // For now, related data must be fetched separately
+      
+      const result = await dataEngine.findOne(objectName, {
+        filter,
+        select,
+      });
+      
+      return result ? result as T : null;
+    },
+    
+    findMany: async <T>({ model, where, limit, offset, sortBy, join: _join }: { model: string; where?: CleanedWhere[]; limit: number; offset?: number; sortBy?: { field: string; direction: 'asc' | 'desc' }; join?: any }): Promise<T[]> => {
+      const objectName = model;
+      const filter = where ? convertWhere(where) : {};
+      
+      // Note: join parameter is not currently supported by ObjectQL's find operation
+      // Joins/populate functionality is planned for future ObjectQL releases
+      
+      const sort = sortBy ? [{
+        field: sortBy.field,
+        order: sortBy.direction as 'asc' | 'desc',
+      }] : undefined;
+      
+      const results = await dataEngine.find(objectName, {
+        filter,
+        limit: limit || 100,
+        skip: offset,
+        sort,
+      });
+      
+      return results as T[];
+    },
+    
+    count: async ({ model, where }: { model: string; where?: CleanedWhere[] }): Promise<number> => {
+      const objectName = model;
+      const filter = where ? convertWhere(where) : {};
+      
+      return await dataEngine.count(objectName, { filter });
+    },
+    
+    update: async <T>({ model, where, update }: { model: string; where: CleanedWhere[]; update: Record<string, any> }): Promise<T | null> => {
+      const objectName = model;
+      const filter = convertWhere(where);
+      
+      // Find the record first to get its ID
+      const record = await dataEngine.findOne(objectName, { filter });
+      if (!record) {
+        return null;
+      }
+      
+      const result = await dataEngine.update(objectName, {
+        ...update,
+        id: record.id,
+      });
+      
+      return result ? result as T : null;
+    },
+    
+    updateMany: async ({ model, where, update }: { model: string; where: CleanedWhere[]; update: Record<string, any> }): Promise<number> => {
+      const objectName = model;
+      const filter = convertWhere(where);
+      
+      // Note: Sequential updates are used here because ObjectQL's IDataEngine interface
+      // requires an ID for updates. A future optimization could use a bulk update
+      // operation if ObjectQL adds support for filter-based updates without IDs.
+      
+      // Find all matching records
+      const records = await dataEngine.find(objectName, { filter });
+      
+      // Update each record
+      for (const record of records) {
+        await dataEngine.update(objectName, {
+          ...update,
+          id: record.id,
+        });
+      }
+      
+      return records.length;
+    },
+    
+    delete: async ({ model, where }: { model: string; where: CleanedWhere[] }): Promise<void> => {
+      const objectName = model;
+      const filter = convertWhere(where);
+      
+      // Note: We need to find the record first to get its ID because ObjectQL's
+      // delete operation requires an ID. Direct filter-based delete would be more
+      // efficient if supported by ObjectQL in the future.
+      const record = await dataEngine.findOne(objectName, { filter });
+      if (!record) {
+        return;
+      }
+      
+      await dataEngine.delete(objectName, { filter: { id: record.id } });
+    },
+    
+    deleteMany: async ({ model, where }: { model: string; where: CleanedWhere[] }): Promise<number> => {
+      const objectName = model;
+      const filter = convertWhere(where);
+      
+      // Note: Sequential deletes are used here because ObjectQL's delete operation
+      // requires an ID in the filter. A future optimization could use a single
+      // delete call with the original filter if ObjectQL supports it.
+      
+      // Find all matching records
+      const records = await dataEngine.find(objectName, { filter });
+      
+      // Delete each record
+      for (const record of records) {
+        await dataEngine.delete(objectName, { filter: { id: record.id } });
+      }
+      
+      return records.length;
+    },
+  };
+}

package/src/objects/auth-account.object.ts

@@ -0,0 +1,121 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+
+/**
+ * Auth Account Object
+ * 
+ * Uses better-auth's native schema for seamless migration:
+ * - id: string
+ * - createdAt: Date
+ * - updatedAt: Date
+ * - providerId: string (e.g., 'google', 'github')
+ * - accountId: string (provider's user ID)
+ * - userId: string (link to user table)
+ * - accessToken: string | null
+ * - refreshToken: string | null
+ * - idToken: string | null
+ * - accessTokenExpiresAt: Date | null
+ * - refreshTokenExpiresAt: Date | null
+ * - scope: string | null
+ * - password: string | null (for email/password provider)
+ */
+export const AuthAccount = ObjectSchema.create({
+  name: 'account',
+  label: 'Account',
+  pluralLabel: 'Accounts',
+  icon: 'link',
+  description: 'OAuth and authentication provider accounts',
+  titleFormat: '{providerId} - {accountId}',
+  compactLayout: ['providerId', 'userId', 'accountId'],
+  
+  fields: {
+    id: Field.text({
+      label: 'Account ID',
+      required: true,
+      readonly: true,
+    }),
+    
+    createdAt: Field.datetime({
+      label: 'Created At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    updatedAt: Field.datetime({
+      label: 'Updated At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    providerId: Field.text({
+      label: 'Provider ID',
+      required: true,
+      description: 'OAuth provider identifier (google, github, etc.)',
+    }),
+    
+    accountId: Field.text({
+      label: 'Provider Account ID',
+      required: true,
+      description: "User's ID in the provider's system",
+    }),
+    
+    userId: Field.text({
+      label: 'User ID',
+      required: true,
+      description: 'Link to user table',
+    }),
+    
+    accessToken: Field.textarea({
+      label: 'Access Token',
+      required: false,
+    }),
+    
+    refreshToken: Field.textarea({
+      label: 'Refresh Token',
+      required: false,
+    }),
+    
+    idToken: Field.textarea({
+      label: 'ID Token',
+      required: false,
+    }),
+    
+    accessTokenExpiresAt: Field.datetime({
+      label: 'Access Token Expires At',
+      required: false,
+    }),
+    
+    refreshTokenExpiresAt: Field.datetime({
+      label: 'Refresh Token Expires At',
+      required: false,
+    }),
+    
+    scope: Field.text({
+      label: 'OAuth Scope',
+      required: false,
+    }),
+    
+    password: Field.text({
+      label: 'Password Hash',
+      required: false,
+      description: 'Hashed password for email/password provider',
+    }),
+  },
+  
+  // Database indexes for performance
+  indexes: [
+    { fields: ['userId'], unique: false },
+    { fields: ['providerId', 'accountId'], unique: true },
+  ],
+  
+  // Enable features
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
+    trash: true,
+    mru: false,
+  },
+});

package/src/objects/auth-session.object.ts

@@ -0,0 +1,89 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+
+/**
+ * Auth Session Object
+ * 
+ * Uses better-auth's native schema for seamless migration:
+ * - id: string
+ * - createdAt: Date
+ * - updatedAt: Date
+ * - userId: string
+ * - expiresAt: Date
+ * - token: string
+ * - ipAddress: string | null
+ * - userAgent: string | null
+ */
+export const AuthSession = ObjectSchema.create({
+  name: 'session',
+  label: 'Session',
+  pluralLabel: 'Sessions',
+  icon: 'key',
+  description: 'Active user sessions',
+  titleFormat: 'Session {token}',
+  compactLayout: ['userId', 'expiresAt', 'ipAddress'],
+  
+  fields: {
+    id: Field.text({
+      label: 'Session ID',
+      required: true,
+      readonly: true,
+    }),
+    
+    createdAt: Field.datetime({
+      label: 'Created At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    updatedAt: Field.datetime({
+      label: 'Updated At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    userId: Field.text({
+      label: 'User ID',
+      required: true,
+    }),
+    
+    expiresAt: Field.datetime({
+      label: 'Expires At',
+      required: true,
+    }),
+    
+    token: Field.text({
+      label: 'Session Token',
+      required: true,
+    }),
+    
+    ipAddress: Field.text({
+      label: 'IP Address',
+      required: false,
+      maxLength: 45, // Support IPv6
+    }),
+    
+    userAgent: Field.textarea({
+      label: 'User Agent',
+      required: false,
+    }),
+  },
+  
+  // Database indexes for performance
+  indexes: [
+    { fields: ['token'], unique: true },
+    { fields: ['userId'], unique: false },
+    { fields: ['expiresAt'], unique: false },
+  ],
+  
+  // Enable features
+  enable: {
+    trackHistory: false, // Sessions don't need history tracking
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ['get', 'list', 'create', 'delete'], // No update for sessions
+    trash: false, // Sessions should be hard deleted
+    mru: false,
+  },
+});