@objectstack/plugin-auth 3.2.6 → 3.2.7

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @objectstack/plugin-auth@3.2.6 build /home/runner/work/spec/spec/packages/plugins/plugin-auth
+> @objectstack/plugin-auth@3.2.7 build /home/runner/work/spec/spec/packages/plugins/plugin-auth
 > tsup --config ../../../tsup.config.ts
 
 ▲ [WARNING] The condition "types" here will never be used as it comes after both "import" and "require" [package.json]
@@ -66,13 +66,13 @@
          ╵       ~~~~~~~~~
 
 
-ESM dist/index.mjs     37.46 KB
-ESM dist/index.mjs.map 85.74 KB
-ESM ⚡️ Build success in 68ms
-CJS dist/index.js     40.94 KB
-CJS dist/index.js.map 86.26 KB
-CJS ⚡️ Build success in 67ms
+CJS dist/index.js     45.05 KB
+CJS dist/index.js.map 93.22 KB
+CJS ⚡️ Build success in 95ms
+ESM dist/index.mjs     41.57 KB
+ESM dist/index.mjs.map 92.69 KB
+ESM ⚡️ Build success in 95ms
 DTS Build start
-DTS ⚡️ Build success in 8794ms
-DTS dist/index.d.mts 866.35 KB
-DTS dist/index.d.ts  866.35 KB
+DTS ⚡️ Build success in 9346ms
+DTS dist/index.d.mts 866.76 KB
+DTS dist/index.d.ts  866.76 KB

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 3.2.7
+
+### Patch Changes
+
+- 35a1ebb: fix auth
+  - @objectstack/spec@3.2.7
+  - @objectstack/core@3.2.7
+
 ## 3.2.6
 
 ### Patch Changes

package/dist/index.d.mts

@@ -148,6 +148,17 @@ declare class AuthManager {
      * Generate a secure secret if not provided
      */
     private generateSecret;
+    /**
+     * Update the base URL at runtime.
+     *
+     * This **must** be called before the first request triggers lazy
+     * initialisation of the better-auth instance — typically from a
+     * `kernel:ready` hook where the actual server port is known.
+     *
+     * If the auth instance has already been created this is a no-op and
+     * a warning is emitted.
+     */
+    setRuntimeBaseUrl(url: string): void;
     /**
      * Get the underlying better-auth instance
      * Useful for advanced use cases

package/dist/index.d.ts

@@ -148,6 +148,17 @@ declare class AuthManager {
      * Generate a secure secret if not provided
      */
     private generateSecret;
+    /**
+     * Update the base URL at runtime.
+     *
+     * This **must** be called before the first request triggers lazy
+     * initialisation of the better-auth instance — typically from a
+     * `kernel:ready` hook where the actual server port is known.
+     *
+     * If the auth instance has already been created this is a no-op and
+     * a warning is emitted.
+     */
+    setRuntimeBaseUrl(url: string): void;
     /**
      * Get the underlying better-auth instance
      * Useful for advanced use cases

package/dist/index.js

@@ -399,10 +399,28 @@ var AuthManager = class {
       verification: {
         ...AUTH_VERIFICATION_CONFIG
       },
-      // Email configuration
+      // Social / OAuth providers
+      ...this.config.socialProviders ? { socialProviders: this.config.socialProviders } : {},
+      // Email and password configuration
       emailAndPassword: {
-        enabled: true
+        enabled: this.config.emailAndPassword?.enabled ?? true,
+        ...this.config.emailAndPassword?.disableSignUp != null ? { disableSignUp: this.config.emailAndPassword.disableSignUp } : {},
+        ...this.config.emailAndPassword?.requireEmailVerification != null ? { requireEmailVerification: this.config.emailAndPassword.requireEmailVerification } : {},
+        ...this.config.emailAndPassword?.minPasswordLength != null ? { minPasswordLength: this.config.emailAndPassword.minPasswordLength } : {},
+        ...this.config.emailAndPassword?.maxPasswordLength != null ? { maxPasswordLength: this.config.emailAndPassword.maxPasswordLength } : {},
+        ...this.config.emailAndPassword?.resetPasswordTokenExpiresIn != null ? { resetPasswordTokenExpiresIn: this.config.emailAndPassword.resetPasswordTokenExpiresIn } : {},
+        ...this.config.emailAndPassword?.autoSignIn != null ? { autoSignIn: this.config.emailAndPassword.autoSignIn } : {},
+        ...this.config.emailAndPassword?.revokeSessionsOnPasswordReset != null ? { revokeSessionsOnPasswordReset: this.config.emailAndPassword.revokeSessionsOnPasswordReset } : {}
       },
+      // Email verification
+      ...this.config.emailVerification ? {
+        emailVerification: {
+          ...this.config.emailVerification.sendOnSignUp != null ? { sendOnSignUp: this.config.emailVerification.sendOnSignUp } : {},
+          ...this.config.emailVerification.sendOnSignIn != null ? { sendOnSignIn: this.config.emailVerification.sendOnSignIn } : {},
+          ...this.config.emailVerification.autoSignInAfterVerification != null ? { autoSignInAfterVerification: this.config.emailVerification.autoSignInAfterVerification } : {},
+          ...this.config.emailVerification.expiresIn != null ? { expiresIn: this.config.emailVerification.expiresIn } : {}
+        }
+      } : {},
       // Session configuration
       session: {
         ...AUTH_SESSION_CONFIG,
@@ -412,7 +430,18 @@ var AuthManager = class {
         // 1 day default
       },
       // better-auth plugins — registered based on AuthPluginConfig flags
-      plugins: this.buildPluginList()
+      plugins: this.buildPluginList(),
+      // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
+      ...this.config.trustedOrigins?.length ? { trustedOrigins: this.config.trustedOrigins } : {},
+      // Advanced options (cross-subdomain cookies, secure cookies, CSRF, etc.)
+      ...this.config.advanced ? {
+        advanced: {
+          ...this.config.advanced.crossSubDomainCookies ? { crossSubDomainCookies: this.config.advanced.crossSubDomainCookies } : {},
+          ...this.config.advanced.useSecureCookies != null ? { useSecureCookies: this.config.advanced.useSecureCookies } : {},
+          ...this.config.advanced.disableCSRFCheck != null ? { disableCSRFCheck: this.config.advanced.disableCSRFCheck } : {},
+          ...this.config.advanced.cookiePrefix != null ? { cookiePrefix: this.config.advanced.cookiePrefix } : {}
+        }
+      } : {}
     };
     return (0, import_better_auth.betterAuth)(betterAuthConfig);
   }
@@ -482,6 +511,25 @@ var AuthManager = class {
     }
     return envSecret;
   }
+  /**
+   * Update the base URL at runtime.
+   *
+   * This **must** be called before the first request triggers lazy
+   * initialisation of the better-auth instance — typically from a
+   * `kernel:ready` hook where the actual server port is known.
+   *
+   * If the auth instance has already been created this is a no-op and
+   * a warning is emitted.
+   */
+  setRuntimeBaseUrl(url) {
+    if (this.auth) {
+      console.warn(
+        "[AuthManager] setRuntimeBaseUrl() called after the auth instance was already created \u2014 ignoring. Ensure this method is called before the first request."
+      );
+      return;
+    }
+    this.config = { ...this.config, baseUrl: url };
+  }
   /**
    * Get the underlying better-auth instance
    * Useful for advanced use cases
@@ -565,6 +613,21 @@ var AuthPlugin = class {
         } catch {
         }
         if (httpServer) {
+          const serverWithPort = httpServer;
+          if (this.authManager && typeof serverWithPort.getPort === "function") {
+            const actualPort = serverWithPort.getPort();
+            if (actualPort) {
+              const configuredUrl = this.options.baseUrl || "http://localhost:3000";
+              const configuredOrigin = new URL(configuredUrl).origin;
+              const actualUrl = `http://localhost:${actualPort}`;
+              if (configuredOrigin !== actualUrl) {
+                this.authManager.setRuntimeBaseUrl(actualUrl);
+                ctx.logger.info(
+                  `Auth baseUrl auto-updated to ${actualUrl} (configured: ${configuredUrl})`
+                );
+              }
+            }
+          }
           this.registerAuthRoutes(httpServer, ctx);
           ctx.logger.info(`Auth routes registered at ${this.options.basePath}`);
         } else {