@objectstack/plugin-auth 2.0.2 → 2.0.5

package/dist/index.mjs

@@ -1,3 +1,210 @@
+// src/auth-manager.ts
+import { betterAuth } from "better-auth";
+
+// src/objectql-adapter.ts
+function createObjectQLAdapter(dataEngine) {
+  function convertWhere(where) {
+    const filter = {};
+    for (const condition of where) {
+      const fieldName = condition.field;
+      if (condition.operator === "eq") {
+        filter[fieldName] = condition.value;
+      } else if (condition.operator === "ne") {
+        filter[fieldName] = { $ne: condition.value };
+      } else if (condition.operator === "in") {
+        filter[fieldName] = { $in: condition.value };
+      } else if (condition.operator === "gt") {
+        filter[fieldName] = { $gt: condition.value };
+      } else if (condition.operator === "gte") {
+        filter[fieldName] = { $gte: condition.value };
+      } else if (condition.operator === "lt") {
+        filter[fieldName] = { $lt: condition.value };
+      } else if (condition.operator === "lte") {
+        filter[fieldName] = { $lte: condition.value };
+      } else if (condition.operator === "contains") {
+        filter[fieldName] = { $regex: condition.value };
+      }
+    }
+    return filter;
+  }
+  return {
+    create: async ({ model, data, select: _select }) => {
+      const objectName = model;
+      const result = await dataEngine.insert(objectName, data);
+      return result;
+    },
+    findOne: async ({ model, where, select, join: _join }) => {
+      const objectName = model;
+      const filter = convertWhere(where);
+      const result = await dataEngine.findOne(objectName, {
+        filter,
+        select
+      });
+      return result ? result : null;
+    },
+    findMany: async ({ model, where, limit, offset, sortBy, join: _join }) => {
+      const objectName = model;
+      const filter = where ? convertWhere(where) : {};
+      const sort = sortBy ? [{
+        field: sortBy.field,
+        order: sortBy.direction
+      }] : void 0;
+      const results = await dataEngine.find(objectName, {
+        filter,
+        limit: limit || 100,
+        skip: offset,
+        sort
+      });
+      return results;
+    },
+    count: async ({ model, where }) => {
+      const objectName = model;
+      const filter = where ? convertWhere(where) : {};
+      return await dataEngine.count(objectName, { filter });
+    },
+    update: async ({ model, where, update }) => {
+      const objectName = model;
+      const filter = convertWhere(where);
+      const record = await dataEngine.findOne(objectName, { filter });
+      if (!record) {
+        return null;
+      }
+      const result = await dataEngine.update(objectName, {
+        ...update,
+        id: record.id
+      });
+      return result ? result : null;
+    },
+    updateMany: async ({ model, where, update }) => {
+      const objectName = model;
+      const filter = convertWhere(where);
+      const records = await dataEngine.find(objectName, { filter });
+      for (const record of records) {
+        await dataEngine.update(objectName, {
+          ...update,
+          id: record.id
+        });
+      }
+      return records.length;
+    },
+    delete: async ({ model, where }) => {
+      const objectName = model;
+      const filter = convertWhere(where);
+      const record = await dataEngine.findOne(objectName, { filter });
+      if (!record) {
+        return;
+      }
+      await dataEngine.delete(objectName, { filter: { id: record.id } });
+    },
+    deleteMany: async ({ model, where }) => {
+      const objectName = model;
+      const filter = convertWhere(where);
+      const records = await dataEngine.find(objectName, { filter });
+      for (const record of records) {
+        await dataEngine.delete(objectName, { filter: { id: record.id } });
+      }
+      return records.length;
+    }
+  };
+}
+
+// src/auth-manager.ts
+var AuthManager = class {
+  constructor(config) {
+    this.auth = null;
+    this.config = config;
+    if (config.authInstance) {
+      this.auth = config.authInstance;
+    }
+  }
+  /**
+   * Get or create the better-auth instance (lazy initialization)
+   */
+  getOrCreateAuth() {
+    if (!this.auth) {
+      this.auth = this.createAuthInstance();
+    }
+    return this.auth;
+  }
+  /**
+   * Create a better-auth instance from configuration
+   */
+  createAuthInstance() {
+    const betterAuthConfig = {
+      // Base configuration
+      secret: this.config.secret || this.generateSecret(),
+      baseURL: this.config.baseUrl || "http://localhost:3000",
+      // Database adapter configuration
+      // For now, we configure a basic setup that will be enhanced
+      // when database URL is provided and drizzle-orm is available
+      database: this.createDatabaseConfig(),
+      // Email configuration
+      emailAndPassword: {
+        enabled: true
+      },
+      // Session configuration
+      session: {
+        expiresIn: this.config.session?.expiresIn || 60 * 60 * 24 * 7,
+        // 7 days default
+        updateAge: this.config.session?.updateAge || 60 * 60 * 24
+        // 1 day default
+      }
+    };
+    return betterAuth(betterAuthConfig);
+  }
+  /**
+   * Create database configuration using ObjectQL adapter
+   */
+  createDatabaseConfig() {
+    if (this.config.dataEngine) {
+      return createObjectQLAdapter(this.config.dataEngine);
+    }
+    console.warn(
+      "\u26A0\uFE0F  WARNING: No dataEngine provided to AuthManager! Using in-memory storage. This is NOT suitable for production. Please provide a dataEngine instance (e.g., ObjectQL) in AuthManagerOptions."
+    );
+    return void 0;
+  }
+  /**
+   * Generate a secure secret if not provided
+   */
+  generateSecret() {
+    const envSecret = process.env.AUTH_SECRET;
+    if (!envSecret) {
+      const fallbackSecret = "dev-secret-" + Date.now();
+      console.warn(
+        "\u26A0\uFE0F  WARNING: No AUTH_SECRET environment variable set! Using a temporary development secret. This is NOT secure for production use. Please set AUTH_SECRET in your environment variables."
+      );
+      return fallbackSecret;
+    }
+    return envSecret;
+  }
+  /**
+   * Get the underlying better-auth instance
+   * Useful for advanced use cases
+   */
+  getAuthInstance() {
+    return this.getOrCreateAuth();
+  }
+  /**
+   * Handle an authentication request
+   * Forwards the request directly to better-auth's universal handler
+   * 
+   * @param request - Web standard Request object
+   * @returns Web standard Response object
+   */
+  async handleRequest(request) {
+    const auth = this.getOrCreateAuth();
+    return await auth.handler(request);
+  }
+  /**
+   * Get the better-auth API for programmatic access
+   * Use this for server-side operations (e.g., creating users, checking sessions)
+   */
+  get api() {
+    return this.getOrCreateAuth().api;
+  }
+};
+
 // src/auth-plugin.ts
 var AuthPlugin = class {
   constructor(options = {}) {
@@ -17,7 +224,14 @@ var AuthPlugin = class {
     if (!this.options.secret) {
       throw new Error("AuthPlugin: secret is required");
     }
-    this.authManager = new AuthManager(this.options);
+    const dataEngine = ctx.getService("data");
+    if (!dataEngine) {
+      ctx.logger.warn("No data engine service found - auth will use in-memory storage");
+    }
+    this.authManager = new AuthManager({
+      ...this.options,
+      dataEngine
+    });
     ctx.registerService("auth", this.authManager);
     ctx.logger.info("Auth Plugin initialized successfully");
   }
@@ -37,6 +251,20 @@ var AuthPlugin = class {
         throw err;
       }
     }
+    try {
+      const ql = ctx.getService("objectql");
+      if (ql && typeof ql.registerMiddleware === "function") {
+        ql.registerMiddleware(async (opCtx, next) => {
+          if (opCtx.context?.userId || opCtx.context?.isSystem) {
+            return next();
+          }
+          await next();
+        });
+        ctx.logger.info("Auth middleware registered on ObjectQL engine");
+      }
+    } catch (_e) {
+      ctx.logger.debug("ObjectQL engine not available, skipping auth middleware registration");
+    }
     ctx.logger.info("Auth Plugin started successfully");
   }
   async destroy() {
@@ -44,95 +272,357 @@ var AuthPlugin = class {
   }
   /**
    * Register authentication routes with HTTP server
+   * 
+   * Uses better-auth's universal handler for all authentication requests.
+   * This forwards all requests under basePath to better-auth, which handles:
+   * - Email/password authentication
+   * - OAuth providers (Google, GitHub, etc.)
+   * - Session management
+   * - Password reset
+   * - Email verification
+   * - 2FA, passkeys, magic links (if enabled)
    */
   registerAuthRoutes(httpServer, ctx) {
     if (!this.authManager) return;
     const basePath = this.options.basePath || "/api/v1/auth";
-    httpServer.post(`${basePath}/login`, async (req, res) => {
-      try {
-        const body = req.body;
-        const result = await this.authManager.login(body);
-        res.status(200).json(result);
-      } catch (error) {
-        const err = error instanceof Error ? error : new Error(String(error));
-        ctx.logger.error("Login error:", err);
-        res.status(401).json({
-          success: false,
-          error: err.message
-        });
-      }
-    });
-    httpServer.post(`${basePath}/register`, async (req, res) => {
-      try {
-        const body = req.body;
-        const result = await this.authManager.register(body);
-        res.status(201).json(result);
-      } catch (error) {
-        const err = error instanceof Error ? error : new Error(String(error));
-        ctx.logger.error("Registration error:", err);
-        res.status(400).json({
-          success: false,
-          error: err.message
-        });
-      }
-    });
-    httpServer.post(`${basePath}/logout`, async (req, res) => {
+    if (!("getRawApp" in httpServer) || typeof httpServer.getRawApp !== "function") {
+      ctx.logger.error("HTTP server does not support getRawApp() - wildcard routing requires Hono server");
+      throw new Error(
+        "AuthPlugin requires HonoServerPlugin for wildcard routing support. Please ensure HonoServerPlugin is loaded before AuthPlugin."
+      );
+    }
+    const rawApp = httpServer.getRawApp();
+    rawApp.all(`${basePath}/*`, async (c) => {
       try {
-        const authHeader = req.headers["authorization"];
-        const token = typeof authHeader === "string" ? authHeader.replace("Bearer ", "") : void 0;
-        await this.authManager.logout(token);
-        res.status(200).json({ success: true });
-      } catch (error) {
-        const err = error instanceof Error ? error : new Error(String(error));
-        ctx.logger.error("Logout error:", err);
-        res.status(400).json({
-          success: false,
-          error: err.message
+        const request = c.req.raw;
+        const url = new URL(request.url);
+        const authPath = url.pathname.replace(basePath, "");
+        const rewrittenUrl = new URL(authPath || "/", url.origin);
+        rewrittenUrl.search = url.search;
+        const rewrittenRequest = new Request(rewrittenUrl, {
+          method: request.method,
+          headers: request.headers,
+          body: request.body,
+          duplex: "half"
+          // Required for Request with body
         });
-      }
-    });
-    httpServer.get(`${basePath}/session`, async (req, res) => {
-      try {
-        const authHeader = req.headers["authorization"];
-        const token = typeof authHeader === "string" ? authHeader.replace("Bearer ", "") : void 0;
-        const session = await this.authManager.getSession(token);
-        res.status(200).json({ success: true, data: session });
+        const response = await this.authManager.handleRequest(rewrittenRequest);
+        return response;
       } catch (error) {
         const err = error instanceof Error ? error : new Error(String(error));
-        res.status(401).json({
-          success: false,
-          error: err.message
-        });
+        ctx.logger.error("Auth request error:", err);
+        return new Response(
+          JSON.stringify({
+            success: false,
+            error: err.message
+          }),
+          {
+            status: 500,
+            headers: { "Content-Type": "application/json" }
+          }
+        );
       }
     });
-    ctx.logger.debug("Auth routes registered:", {
-      basePath,
-      routes: [
-        `POST ${basePath}/login`,
-        `POST ${basePath}/register`,
-        `POST ${basePath}/logout`,
-        `GET ${basePath}/session`
-      ]
-    });
+    ctx.logger.info(`Auth routes registered: All requests under ${basePath}/* forwarded to better-auth`);
   }
 };
-var AuthManager = class {
-  constructor(_config) {
-  }
-  async login(_credentials) {
-    throw new Error("Login not yet implemented");
-  }
-  async register(_userData) {
-    throw new Error("Registration not yet implemented");
+
+// src/objects/auth-user.object.ts
+import { ObjectSchema, Field } from "@objectstack/spec/data";
+var AuthUser = ObjectSchema.create({
+  name: "user",
+  label: "User",
+  pluralLabel: "Users",
+  icon: "user",
+  description: "User accounts for authentication",
+  titleFormat: "{name} ({email})",
+  compactLayout: ["name", "email", "emailVerified"],
+  fields: {
+    // ID is auto-generated by ObjectQL
+    id: Field.text({
+      label: "User ID",
+      required: true,
+      readonly: true
+    }),
+    createdAt: Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updatedAt: Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    email: Field.email({
+      label: "Email",
+      required: true,
+      searchable: true
+    }),
+    emailVerified: Field.boolean({
+      label: "Email Verified",
+      defaultValue: false
+    }),
+    name: Field.text({
+      label: "Name",
+      required: true,
+      searchable: true,
+      maxLength: 255
+    }),
+    image: Field.url({
+      label: "Profile Image",
+      required: false
+    })
+  },
+  // Database indexes for performance
+  indexes: [
+    { fields: ["email"], unique: true },
+    { fields: ["createdAt"], unique: false }
+  ],
+  // Enable features
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: true,
+    mru: true
+  },
+  // Validation Rules
+  validations: [
+    {
+      name: "email_unique",
+      type: "unique",
+      severity: "error",
+      message: "Email must be unique",
+      fields: ["email"],
+      caseSensitive: false
+    }
+  ]
+});
+
+// src/objects/auth-session.object.ts
+import { ObjectSchema as ObjectSchema2, Field as Field2 } from "@objectstack/spec/data";
+var AuthSession = ObjectSchema2.create({
+  name: "session",
+  label: "Session",
+  pluralLabel: "Sessions",
+  icon: "key",
+  description: "Active user sessions",
+  titleFormat: "Session {token}",
+  compactLayout: ["userId", "expiresAt", "ipAddress"],
+  fields: {
+    id: Field2.text({
+      label: "Session ID",
+      required: true,
+      readonly: true
+    }),
+    createdAt: Field2.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updatedAt: Field2.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    userId: Field2.text({
+      label: "User ID",
+      required: true
+    }),
+    expiresAt: Field2.datetime({
+      label: "Expires At",
+      required: true
+    }),
+    token: Field2.text({
+      label: "Session Token",
+      required: true
+    }),
+    ipAddress: Field2.text({
+      label: "IP Address",
+      required: false,
+      maxLength: 45
+      // Support IPv6
+    }),
+    userAgent: Field2.textarea({
+      label: "User Agent",
+      required: false
+    })
+  },
+  // Database indexes for performance
+  indexes: [
+    { fields: ["token"], unique: true },
+    { fields: ["userId"], unique: false },
+    { fields: ["expiresAt"], unique: false }
+  ],
+  // Enable features
+  enable: {
+    trackHistory: false,
+    // Sessions don't need history tracking
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "delete"],
+    // No update for sessions
+    trash: false,
+    // Sessions should be hard deleted
+    mru: false
   }
-  async logout(_token) {
-    throw new Error("Logout not yet implemented");
+});
+
+// src/objects/auth-account.object.ts
+import { ObjectSchema as ObjectSchema3, Field as Field3 } from "@objectstack/spec/data";
+var AuthAccount = ObjectSchema3.create({
+  name: "account",
+  label: "Account",
+  pluralLabel: "Accounts",
+  icon: "link",
+  description: "OAuth and authentication provider accounts",
+  titleFormat: "{providerId} - {accountId}",
+  compactLayout: ["providerId", "userId", "accountId"],
+  fields: {
+    id: Field3.text({
+      label: "Account ID",
+      required: true,
+      readonly: true
+    }),
+    createdAt: Field3.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updatedAt: Field3.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    providerId: Field3.text({
+      label: "Provider ID",
+      required: true,
+      description: "OAuth provider identifier (google, github, etc.)"
+    }),
+    accountId: Field3.text({
+      label: "Provider Account ID",
+      required: true,
+      description: "User's ID in the provider's system"
+    }),
+    userId: Field3.text({
+      label: "User ID",
+      required: true,
+      description: "Link to user table"
+    }),
+    accessToken: Field3.textarea({
+      label: "Access Token",
+      required: false
+    }),
+    refreshToken: Field3.textarea({
+      label: "Refresh Token",
+      required: false
+    }),
+    idToken: Field3.textarea({
+      label: "ID Token",
+      required: false
+    }),
+    accessTokenExpiresAt: Field3.datetime({
+      label: "Access Token Expires At",
+      required: false
+    }),
+    refreshTokenExpiresAt: Field3.datetime({
+      label: "Refresh Token Expires At",
+      required: false
+    }),
+    scope: Field3.text({
+      label: "OAuth Scope",
+      required: false
+    }),
+    password: Field3.text({
+      label: "Password Hash",
+      required: false,
+      description: "Hashed password for email/password provider"
+    })
+  },
+  // Database indexes for performance
+  indexes: [
+    { fields: ["userId"], unique: false },
+    { fields: ["providerId", "accountId"], unique: true }
+  ],
+  // Enable features
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: true,
+    mru: false
   }
-  async getSession(_token) {
-    throw new Error("Session retrieval not yet implemented");
+});
+
+// src/objects/auth-verification.object.ts
+import { ObjectSchema as ObjectSchema4, Field as Field4 } from "@objectstack/spec/data";
+var AuthVerification = ObjectSchema4.create({
+  name: "verification",
+  label: "Verification",
+  pluralLabel: "Verifications",
+  icon: "shield-check",
+  description: "Email and phone verification tokens",
+  titleFormat: "Verification for {identifier}",
+  compactLayout: ["identifier", "expiresAt", "createdAt"],
+  fields: {
+    id: Field4.text({
+      label: "Verification ID",
+      required: true,
+      readonly: true
+    }),
+    createdAt: Field4.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updatedAt: Field4.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    value: Field4.text({
+      label: "Verification Token",
+      required: true,
+      description: "Token or code for verification"
+    }),
+    expiresAt: Field4.datetime({
+      label: "Expires At",
+      required: true
+    }),
+    identifier: Field4.text({
+      label: "Identifier",
+      required: true,
+      description: "Email address or phone number"
+    })
+  },
+  // Database indexes for performance
+  indexes: [
+    { fields: ["value"], unique: true },
+    { fields: ["identifier"], unique: false },
+    { fields: ["expiresAt"], unique: false }
+  ],
+  // Enable features
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "create", "delete"],
+    // No list or update
+    trash: false,
+    // Hard delete expired tokens
+    mru: false
   }
-};
+});
 export {
-  AuthPlugin
+  AuthAccount,
+  AuthManager,
+  AuthPlugin,
+  AuthSession,
+  AuthUser,
+  AuthVerification,
+  createObjectQLAdapter
 };
 //# sourceMappingURL=index.mjs.map