npm - @objectstack/plugin-auth - Versions diffs - 3.2.6 → 3.2.8 - Mend

@objectstack/plugin-auth 3.2.6 → 3.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/.turbo/turbo-build.log +10 -10
package/CHANGELOG.md +16 -0
package/dist/index.d.mts +49 -22
package/dist/index.d.ts +49 -22
package/dist/index.js +210 -127
package/dist/index.js.map +1 -1
package/dist/index.mjs +210 -127
package/dist/index.mjs.map +1 -1
package/package.json +7 -7
package/src/auth-manager.test.ts +345 -0
package/src/auth-manager.ts +71 -2
package/src/auth-plugin.test.ts +89 -0
package/src/auth-plugin.ts +45 -1

package/dist/index.mjs CHANGED Viewed

@@ -339,10 +339,28 @@ var AuthManager = class {
       verification: {
         ...AUTH_VERIFICATION_CONFIG
       },
-      // Email configuration
+      // Social / OAuth providers
+      ...this.config.socialProviders ? { socialProviders: this.config.socialProviders } : {},
+      // Email and password configuration
       emailAndPassword: {
-        enabled: true
+        enabled: this.config.emailAndPassword?.enabled ?? true,
+        ...this.config.emailAndPassword?.disableSignUp != null ? { disableSignUp: this.config.emailAndPassword.disableSignUp } : {},
+        ...this.config.emailAndPassword?.requireEmailVerification != null ? { requireEmailVerification: this.config.emailAndPassword.requireEmailVerification } : {},
+        ...this.config.emailAndPassword?.minPasswordLength != null ? { minPasswordLength: this.config.emailAndPassword.minPasswordLength } : {},
+        ...this.config.emailAndPassword?.maxPasswordLength != null ? { maxPasswordLength: this.config.emailAndPassword.maxPasswordLength } : {},
+        ...this.config.emailAndPassword?.resetPasswordTokenExpiresIn != null ? { resetPasswordTokenExpiresIn: this.config.emailAndPassword.resetPasswordTokenExpiresIn } : {},
+        ...this.config.emailAndPassword?.autoSignIn != null ? { autoSignIn: this.config.emailAndPassword.autoSignIn } : {},
+        ...this.config.emailAndPassword?.revokeSessionsOnPasswordReset != null ? { revokeSessionsOnPasswordReset: this.config.emailAndPassword.revokeSessionsOnPasswordReset } : {}
       },
+      // Email verification
+      ...this.config.emailVerification ? {
+        emailVerification: {
+          ...this.config.emailVerification.sendOnSignUp != null ? { sendOnSignUp: this.config.emailVerification.sendOnSignUp } : {},
+          ...this.config.emailVerification.sendOnSignIn != null ? { sendOnSignIn: this.config.emailVerification.sendOnSignIn } : {},
+          ...this.config.emailVerification.autoSignInAfterVerification != null ? { autoSignInAfterVerification: this.config.emailVerification.autoSignInAfterVerification } : {},
+          ...this.config.emailVerification.expiresIn != null ? { expiresIn: this.config.emailVerification.expiresIn } : {}
+        }
+      } : {},
       // Session configuration
       session: {
         ...AUTH_SESSION_CONFIG,
@@ -352,7 +370,18 @@ var AuthManager = class {
         // 1 day default
       },
       // better-auth plugins — registered based on AuthPluginConfig flags
-      plugins: this.buildPluginList()
+      plugins: this.buildPluginList(),
+      // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
+      ...this.config.trustedOrigins?.length ? { trustedOrigins: this.config.trustedOrigins } : {},
+      // Advanced options (cross-subdomain cookies, secure cookies, CSRF, etc.)
+      ...this.config.advanced ? {
+        advanced: {
+          ...this.config.advanced.crossSubDomainCookies ? { crossSubDomainCookies: this.config.advanced.crossSubDomainCookies } : {},
+          ...this.config.advanced.useSecureCookies != null ? { useSecureCookies: this.config.advanced.useSecureCookies } : {},
+          ...this.config.advanced.disableCSRFCheck != null ? { disableCSRFCheck: this.config.advanced.disableCSRFCheck } : {},
+          ...this.config.advanced.cookiePrefix != null ? { cookiePrefix: this.config.advanced.cookiePrefix } : {}
+        }
+      } : {}
     };
     return betterAuth(betterAuthConfig);
   }
@@ -422,6 +451,25 @@ var AuthManager = class {
     }
     return envSecret;
   }
+  /**
+   * Update the base URL at runtime.
+   *
+   * This **must** be called before the first request triggers lazy
+   * initialisation of the better-auth instance — typically from a
+   * `kernel:ready` hook where the actual server port is known.
+   *
+   * If the auth instance has already been created this is a no-op and
+   * a warning is emitted.
+   */
+  setRuntimeBaseUrl(url) {
+    if (this.auth) {
+      console.warn(
+        "[AuthManager] setRuntimeBaseUrl() called after the auth instance was already created \u2014 ignoring. Ensure this method is called before the first request."
+      );
+      return;
+    }
+    this.config = { ...this.config, baseUrl: url };
+  }
   /**
    * Get the underlying better-auth instance
    * Useful for advanced use cases
@@ -462,130 +510,6 @@ var AuthManager = class {
   }
 };
-// src/auth-plugin.ts
-var AuthPlugin = class {
-  constructor(options = {}) {
-    this.name = "com.objectstack.auth";
-    this.type = "standard";
-    this.version = "1.0.0";
-    this.dependencies = [];
-    this.authManager = null;
-    this.options = {
-      registerRoutes: true,
-      basePath: "/api/v1/auth",
-      ...options
-    };
-  }
-  async init(ctx) {
-    ctx.logger.info("Initializing Auth Plugin...");
-    if (!this.options.secret) {
-      throw new Error("AuthPlugin: secret is required");
-    }
-    const dataEngine = ctx.getService("data");
-    if (!dataEngine) {
-      ctx.logger.warn("No data engine service found - auth will use in-memory storage");
-    }
-    this.authManager = new AuthManager({
-      ...this.options,
-      dataEngine
-    });
-    ctx.registerService("auth", this.authManager);
-    ctx.logger.info("Auth Plugin initialized successfully");
-  }
-  async start(ctx) {
-    ctx.logger.info("Starting Auth Plugin...");
-    if (!this.authManager) {
-      throw new Error("Auth manager not initialized");
-    }
-    if (this.options.registerRoutes) {
-      ctx.hook("kernel:ready", async () => {
-        let httpServer = null;
-        try {
-          httpServer = ctx.getService("http-server");
-        } catch {
-        }
-        if (httpServer) {
-          this.registerAuthRoutes(httpServer, ctx);
-          ctx.logger.info(`Auth routes registered at ${this.options.basePath}`);
-        } else {
-          ctx.logger.warn(
-            "No HTTP server available \u2014 auth routes not registered. Auth service is still available for MSW/mock environments via HttpDispatcher."
-          );
-        }
-      });
-    }
-    try {
-      const ql = ctx.getService("objectql");
-      if (ql && typeof ql.registerMiddleware === "function") {
-        ql.registerMiddleware(async (opCtx, next) => {
-          if (opCtx.context?.userId || opCtx.context?.isSystem) {
-            return next();
-          }
-          await next();
-        });
-        ctx.logger.info("Auth middleware registered on ObjectQL engine");
-      }
-    } catch (_e) {
-      ctx.logger.debug("ObjectQL engine not available, skipping auth middleware registration");
-    }
-    ctx.logger.info("Auth Plugin started successfully");
-  }
-  async destroy() {
-    this.authManager = null;
-  }
-  /**
-   * Register authentication routes with HTTP server
-   *
-   * Uses better-auth's universal handler for all authentication requests.
-   * This forwards all requests under basePath to better-auth, which handles:
-   * - Email/password authentication
-   * - OAuth providers (Google, GitHub, etc.)
-   * - Session management
-   * - Password reset
-   * - Email verification
-   * - 2FA, passkeys, magic links (if enabled)
-   */
-  registerAuthRoutes(httpServer, ctx) {
-    if (!this.authManager) return;
-    const basePath = this.options.basePath || "/api/v1/auth";
-    if (!("getRawApp" in httpServer) || typeof httpServer.getRawApp !== "function") {
-      ctx.logger.error("HTTP server does not support getRawApp() - wildcard routing requires Hono server");
-      throw new Error(
-        "AuthPlugin requires HonoServerPlugin for wildcard routing support. Please ensure HonoServerPlugin is loaded before AuthPlugin."
-      );
-    }
-    const rawApp = httpServer.getRawApp();
-    rawApp.all(`${basePath}/*`, async (c) => {
-      try {
-        const response = await this.authManager.handleRequest(c.req.raw);
-        if (response.status >= 500) {
-          try {
-            const body = await response.clone().text();
-            ctx.logger.error("[AuthPlugin] better-auth returned server error", new Error(`HTTP ${response.status}: ${body}`));
-          } catch {
-            ctx.logger.error("[AuthPlugin] better-auth returned server error", new Error(`HTTP ${response.status}: (unable to read body)`));
-          }
-        }
-        return response;
-      } catch (error) {
-        const err = error instanceof Error ? error : new Error(String(error));
-        ctx.logger.error("Auth request error:", err);
-        return new Response(
-          JSON.stringify({
-            success: false,
-            error: err.message
-          }),
-          {
-            status: 500,
-            headers: { "Content-Type": "application/json" }
-          }
-        );
-      }
-    });
-    ctx.logger.info(`Auth routes registered: All requests under ${basePath}/* forwarded to better-auth`);
-  }
-};
 // src/objects/sys-user.object.ts
 import { ObjectSchema, Field } from "@objectstack/spec/data";
 var SysUser = ObjectSchema.create({
@@ -1295,6 +1219,165 @@ var SysTwoFactor = ObjectSchema11.create({
     mru: false
   }
 });
+// src/auth-plugin.ts
+var AuthPlugin = class {
+  constructor(options = {}) {
+    this.name = "com.objectstack.auth";
+    this.type = "standard";
+    this.version = "1.0.0";
+    this.dependencies = [];
+    this.authManager = null;
+    this.options = {
+      registerRoutes: true,
+      basePath: "/api/v1/auth",
+      ...options
+    };
+  }
+  async init(ctx) {
+    ctx.logger.info("Initializing Auth Plugin...");
+    if (!this.options.secret) {
+      throw new Error("AuthPlugin: secret is required");
+    }
+    const dataEngine = ctx.getService("data");
+    if (!dataEngine) {
+      ctx.logger.warn("No data engine service found - auth will use in-memory storage");
+    }
+    this.authManager = new AuthManager({
+      ...this.options,
+      dataEngine
+    });
+    ctx.registerService("auth", this.authManager);
+    ctx.registerService("app.com.objectstack.system", {
+      id: "com.objectstack.system",
+      name: "System",
+      version: "1.0.0",
+      type: "plugin",
+      namespace: "sys",
+      objects: [
+        SysUser,
+        SysSession,
+        SysAccount,
+        SysVerification,
+        SysOrganization,
+        SysMember,
+        SysInvitation,
+        SysTeam,
+        SysTeamMember,
+        SysApiKey,
+        SysTwoFactor
+      ]
+    });
+    ctx.logger.info("Auth Plugin initialized successfully");
+  }
+  async start(ctx) {
+    ctx.logger.info("Starting Auth Plugin...");
+    if (!this.authManager) {
+      throw new Error("Auth manager not initialized");
+    }
+    if (this.options.registerRoutes) {
+      ctx.hook("kernel:ready", async () => {
+        let httpServer = null;
+        try {
+          httpServer = ctx.getService("http-server");
+        } catch {
+        }
+        if (httpServer) {
+          const serverWithPort = httpServer;
+          if (this.authManager && typeof serverWithPort.getPort === "function") {
+            const actualPort = serverWithPort.getPort();
+            if (actualPort) {
+              const configuredUrl = this.options.baseUrl || "http://localhost:3000";
+              const configuredOrigin = new URL(configuredUrl).origin;
+              const actualUrl = `http://localhost:${actualPort}`;
+              if (configuredOrigin !== actualUrl) {
+                this.authManager.setRuntimeBaseUrl(actualUrl);
+                ctx.logger.info(
+                  `Auth baseUrl auto-updated to ${actualUrl} (configured: ${configuredUrl})`
+                );
+              }
+            }
+          }
+          this.registerAuthRoutes(httpServer, ctx);
+          ctx.logger.info(`Auth routes registered at ${this.options.basePath}`);
+        } else {
+          ctx.logger.warn(
+            "No HTTP server available \u2014 auth routes not registered. Auth service is still available for MSW/mock environments via HttpDispatcher."
+          );
+        }
+      });
+    }
+    try {
+      const ql = ctx.getService("objectql");
+      if (ql && typeof ql.registerMiddleware === "function") {
+        ql.registerMiddleware(async (opCtx, next) => {
+          if (opCtx.context?.userId || opCtx.context?.isSystem) {
+            return next();
+          }
+          await next();
+        });
+        ctx.logger.info("Auth middleware registered on ObjectQL engine");
+      }
+    } catch (_e) {
+      ctx.logger.debug("ObjectQL engine not available, skipping auth middleware registration");
+    }
+    ctx.logger.info("Auth Plugin started successfully");
+  }
+  async destroy() {
+    this.authManager = null;
+  }
+  /**
+   * Register authentication routes with HTTP server
+   *
+   * Uses better-auth's universal handler for all authentication requests.
+   * This forwards all requests under basePath to better-auth, which handles:
+   * - Email/password authentication
+   * - OAuth providers (Google, GitHub, etc.)
+   * - Session management
+   * - Password reset
+   * - Email verification
+   * - 2FA, passkeys, magic links (if enabled)
+   */
+  registerAuthRoutes(httpServer, ctx) {
+    if (!this.authManager) return;
+    const basePath = this.options.basePath || "/api/v1/auth";
+    if (!("getRawApp" in httpServer) || typeof httpServer.getRawApp !== "function") {
+      ctx.logger.error("HTTP server does not support getRawApp() - wildcard routing requires Hono server");
+      throw new Error(
+        "AuthPlugin requires HonoServerPlugin for wildcard routing support. Please ensure HonoServerPlugin is loaded before AuthPlugin."
+      );
+    }
+    const rawApp = httpServer.getRawApp();
+    rawApp.all(`${basePath}/*`, async (c) => {
+      try {
+        const response = await this.authManager.handleRequest(c.req.raw);
+        if (response.status >= 500) {
+          try {
+            const body = await response.clone().text();
+            ctx.logger.error("[AuthPlugin] better-auth returned server error", new Error(`HTTP ${response.status}: ${body}`));
+          } catch {
+            ctx.logger.error("[AuthPlugin] better-auth returned server error", new Error(`HTTP ${response.status}: (unable to read body)`));
+          }
+        }
+        return response;
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error("Auth request error:", err);
+        return new Response(
+          JSON.stringify({
+            success: false,
+            error: err.message
+          }),
+          {
+            status: 500,
+            headers: { "Content-Type": "application/json" }
+          }
+        );
+      }
+    });
+    ctx.logger.info(`Auth routes registered: All requests under ${basePath}/* forwarded to better-auth`);
+  }
+};
 export {
   AUTH_ACCOUNT_CONFIG,
   AUTH_INVITATION_SCHEMA,