@objectstack/plugin-auth 3.2.6 → 3.2.8

package/src/auth-manager.test.ts

@@ -410,4 +410,349 @@ describe('AuthManager', () => {
       );
     });
   });
+
+  describe('trustedOrigins passthrough', () => {
+    it('should forward trustedOrigins to betterAuth when provided', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        trustedOrigins: ['https://*.objectos.app', 'http://localhost:*'],
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.trustedOrigins).toEqual([
+        'https://*.objectos.app',
+        'http://localhost:*',
+      ]);
+    });
+
+    it('should NOT include trustedOrigins key when not provided', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig).not.toHaveProperty('trustedOrigins');
+    });
+
+    it('should NOT include trustedOrigins key when array is empty', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        trustedOrigins: [],
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig).not.toHaveProperty('trustedOrigins');
+    });
+  });
+
+  describe('setRuntimeBaseUrl', () => {
+    it('should update baseURL before auth instance is created', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+
+      manager.setRuntimeBaseUrl('http://localhost:3002');
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.baseURL).toBe('http://localhost:3002');
+    });
+
+    it('should be a no-op and warn when called after auth instance is created', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+
+      // Force auth instance creation
+      manager.getAuthInstance();
+      expect(capturedConfig.baseURL).toBe('http://localhost:3000');
+
+      // Now try to change — should warn and not affect the already-created instance
+      manager.setRuntimeBaseUrl('http://localhost:4000');
+
+      expect(warnSpy).toHaveBeenCalledWith(
+        expect.stringContaining('setRuntimeBaseUrl() called after the auth instance was already created'),
+      );
+      warnSpy.mockRestore();
+    });
+
+    it('should override the default fallback (localhost:3000) when no baseUrl was configured', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+      });
+
+      manager.setRuntimeBaseUrl('http://localhost:3002');
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.baseURL).toBe('http://localhost:3002');
+    });
+  });
+
+  describe('socialProviders passthrough', () => {
+    it('should forward socialProviders to betterAuth when provided', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        socialProviders: {
+          google: { clientId: 'gid', clientSecret: 'gsecret' },
+          github: { clientId: 'ghid', clientSecret: 'ghsecret' },
+        },
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.socialProviders).toEqual({
+        google: { clientId: 'gid', clientSecret: 'gsecret' },
+        github: { clientId: 'ghid', clientSecret: 'ghsecret' },
+      });
+    });
+
+    it('should NOT include socialProviders when not provided', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig).not.toHaveProperty('socialProviders');
+    });
+  });
+
+  describe('emailAndPassword passthrough', () => {
+    it('should default emailAndPassword to enabled: true', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.emailAndPassword.enabled).toBe(true);
+    });
+
+    it('should forward extended emailAndPassword options', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        emailAndPassword: {
+          enabled: true,
+          minPasswordLength: 12,
+          maxPasswordLength: 64,
+          requireEmailVerification: true,
+          autoSignIn: false,
+          revokeSessionsOnPasswordReset: true,
+        },
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.emailAndPassword).toEqual({
+        enabled: true,
+        minPasswordLength: 12,
+        maxPasswordLength: 64,
+        requireEmailVerification: true,
+        autoSignIn: false,
+        revokeSessionsOnPasswordReset: true,
+      });
+    });
+  });
+
+  describe('emailVerification passthrough', () => {
+    it('should forward emailVerification when provided', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        emailVerification: {
+          sendOnSignUp: true,
+          expiresIn: 1800,
+        },
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.emailVerification).toEqual({
+        sendOnSignUp: true,
+        expiresIn: 1800,
+      });
+    });
+
+    it('should NOT include emailVerification when not provided', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig).not.toHaveProperty('emailVerification');
+    });
+  });
+
+  describe('advanced options passthrough', () => {
+    it('should forward crossSubDomainCookies when provided', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        advanced: {
+          crossSubDomainCookies: {
+            enabled: true,
+            domain: '.objectos.app',
+          },
+          useSecureCookies: true,
+        },
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.advanced).toEqual({
+        crossSubDomainCookies: {
+          enabled: true,
+          domain: '.objectos.app',
+        },
+        useSecureCookies: true,
+      });
+    });
+
+    it('should forward cookiePrefix and disableCSRFCheck', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        advanced: {
+          disableCSRFCheck: true,
+          cookiePrefix: 'objectos',
+        },
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.advanced.disableCSRFCheck).toBe(true);
+      expect(capturedConfig.advanced.cookiePrefix).toBe('objectos');
+    });
+
+    it('should NOT include advanced when not provided', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig).not.toHaveProperty('advanced');
+    });
+  });
 });

package/src/auth-manager.ts

@@ -106,11 +106,42 @@ export class AuthManager {
         ...AUTH_VERIFICATION_CONFIG,
       },
 
-      // Email configuration
+      // Social / OAuth providers
+      ...(this.config.socialProviders ? { socialProviders: this.config.socialProviders as any } : {}),
+
+      // Email and password configuration
       emailAndPassword: {
-        enabled: true,
+        enabled: this.config.emailAndPassword?.enabled ?? true,
+        ...(this.config.emailAndPassword?.disableSignUp != null
+          ? { disableSignUp: this.config.emailAndPassword.disableSignUp } : {}),
+        ...(this.config.emailAndPassword?.requireEmailVerification != null
+          ? { requireEmailVerification: this.config.emailAndPassword.requireEmailVerification } : {}),
+        ...(this.config.emailAndPassword?.minPasswordLength != null
+          ? { minPasswordLength: this.config.emailAndPassword.minPasswordLength } : {}),
+        ...(this.config.emailAndPassword?.maxPasswordLength != null
+          ? { maxPasswordLength: this.config.emailAndPassword.maxPasswordLength } : {}),
+        ...(this.config.emailAndPassword?.resetPasswordTokenExpiresIn != null
+          ? { resetPasswordTokenExpiresIn: this.config.emailAndPassword.resetPasswordTokenExpiresIn } : {}),
+        ...(this.config.emailAndPassword?.autoSignIn != null
+          ? { autoSignIn: this.config.emailAndPassword.autoSignIn } : {}),
+        ...(this.config.emailAndPassword?.revokeSessionsOnPasswordReset != null
+          ? { revokeSessionsOnPasswordReset: this.config.emailAndPassword.revokeSessionsOnPasswordReset } : {}),
       },
 
+      // Email verification
+      ...(this.config.emailVerification ? {
+        emailVerification: {
+          ...(this.config.emailVerification.sendOnSignUp != null
+            ? { sendOnSignUp: this.config.emailVerification.sendOnSignUp } : {}),
+          ...(this.config.emailVerification.sendOnSignIn != null
+            ? { sendOnSignIn: this.config.emailVerification.sendOnSignIn } : {}),
+          ...(this.config.emailVerification.autoSignInAfterVerification != null
+            ? { autoSignInAfterVerification: this.config.emailVerification.autoSignInAfterVerification } : {}),
+          ...(this.config.emailVerification.expiresIn != null
+            ? { expiresIn: this.config.emailVerification.expiresIn } : {}),
+        },
+      } : {}),
+
       // Session configuration
       session: {
         ...AUTH_SESSION_CONFIG,
@@ -120,6 +151,23 @@ export class AuthManager {
 
       // better-auth plugins — registered based on AuthPluginConfig flags
       plugins: this.buildPluginList(),
+
+      // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
+      ...(this.config.trustedOrigins?.length ? { trustedOrigins: this.config.trustedOrigins } : {}),
+
+      // Advanced options (cross-subdomain cookies, secure cookies, CSRF, etc.)
+      ...(this.config.advanced ? {
+        advanced: {
+          ...(this.config.advanced.crossSubDomainCookies
+            ? { crossSubDomainCookies: this.config.advanced.crossSubDomainCookies } : {}),
+          ...(this.config.advanced.useSecureCookies != null
+            ? { useSecureCookies: this.config.advanced.useSecureCookies } : {}),
+          ...(this.config.advanced.disableCSRFCheck != null
+            ? { disableCSRFCheck: this.config.advanced.disableCSRFCheck } : {}),
+          ...(this.config.advanced.cookiePrefix != null
+            ? { cookiePrefix: this.config.advanced.cookiePrefix } : {}),
+        },
+      } : {}),
     };
 
     return betterAuth(betterAuthConfig);
@@ -224,6 +272,27 @@ export class AuthManager {
     return envSecret;
   }
 
+  /**
+   * Update the base URL at runtime.
+   *
+   * This **must** be called before the first request triggers lazy
+   * initialisation of the better-auth instance — typically from a
+   * `kernel:ready` hook where the actual server port is known.
+   *
+   * If the auth instance has already been created this is a no-op and
+   * a warning is emitted.
+   */
+  setRuntimeBaseUrl(url: string): void {
+    if (this.auth) {
+      console.warn(
+        '[AuthManager] setRuntimeBaseUrl() called after the auth instance was already created — ignoring. ' +
+        'Ensure this method is called before the first request.',
+      );
+      return;
+    }
+    this.config = { ...this.config, baseUrl: url };
+  }
+
   /**
    * Get the underlying better-auth instance
    * Useful for advanced use cases

package/src/auth-plugin.test.ts

@@ -265,6 +265,95 @@ describe('AuthPlugin', () => {
       // Should NOT throw
     });
 
+    it('should auto-detect baseUrl from http-server port when port differs', async () => {
+      const mockRawApp = { all: vi.fn() };
+      const mockHttpServer = {
+        post: vi.fn(), get: vi.fn(), put: vi.fn(), delete: vi.fn(),
+        patch: vi.fn(), use: vi.fn(),
+        getRawApp: vi.fn(() => mockRawApp),
+        getPort: vi.fn(() => 3002),
+      };
+
+      mockContext.getService = vi.fn((name: string) => {
+        if (name === 'http-server') return mockHttpServer;
+        throw new Error(`Service not found: ${name}`);
+      });
+
+      // AuthPlugin configured with default port 3000, but server will be on 3002
+      const registeredAuthManager = (mockContext.registerService as any).mock.calls[0][1];
+      const setRuntimeSpy = vi.spyOn(registeredAuthManager, 'setRuntimeBaseUrl');
+
+      await authPlugin.start(mockContext);
+      await hookCapture.trigger('kernel:ready');
+
+      expect(setRuntimeSpy).toHaveBeenCalledWith('http://localhost:3002');
+      expect(mockContext.logger.info).toHaveBeenCalledWith(
+        expect.stringContaining('Auth baseUrl auto-updated to http://localhost:3002'),
+      );
+    });
+
+    it('should NOT update baseUrl when port matches configured value', async () => {
+      const localHookCapture = createHookCapture();
+      const localPlugin = new AuthPlugin({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+      mockContext.hook = localHookCapture.hookFn;
+      await localPlugin.init(mockContext);
+
+      const mockRawApp = { all: vi.fn() };
+      const mockHttpServer = {
+        post: vi.fn(), get: vi.fn(), put: vi.fn(), delete: vi.fn(),
+        patch: vi.fn(), use: vi.fn(),
+        getRawApp: vi.fn(() => mockRawApp),
+        getPort: vi.fn(() => 3000),
+      };
+
+      mockContext.getService = vi.fn((name: string) => {
+        if (name === 'http-server') return mockHttpServer;
+        throw new Error(`Service not found: ${name}`);
+      });
+
+      const registeredAuthManager = (mockContext.registerService as any).mock.calls.at(-1)[1];
+      const setRuntimeSpy = vi.spyOn(registeredAuthManager, 'setRuntimeBaseUrl');
+
+      await localPlugin.start(mockContext);
+      await localHookCapture.trigger('kernel:ready');
+
+      expect(setRuntimeSpy).not.toHaveBeenCalled();
+    });
+
+    it('should auto-detect baseUrl when no baseUrl configured (uses default fallback)', async () => {
+      const localHookCapture = createHookCapture();
+      // No baseUrl — defaults to http://localhost:3000 internally
+      const localPlugin = new AuthPlugin({
+        secret: 'test-secret-at-least-32-chars-long',
+      });
+      mockContext.hook = localHookCapture.hookFn;
+      await localPlugin.init(mockContext);
+
+      const mockRawApp = { all: vi.fn() };
+      const mockHttpServer = {
+        post: vi.fn(), get: vi.fn(), put: vi.fn(), delete: vi.fn(),
+        patch: vi.fn(), use: vi.fn(),
+        getRawApp: vi.fn(() => mockRawApp),
+        getPort: vi.fn(() => 3002),
+      };
+
+      mockContext.getService = vi.fn((name: string) => {
+        if (name === 'http-server') return mockHttpServer;
+        throw new Error(`Service not found: ${name}`);
+      });
+
+      const registeredAuthManager = (mockContext.registerService as any).mock.calls.at(-1)[1];
+      const setRuntimeSpy = vi.spyOn(registeredAuthManager, 'setRuntimeBaseUrl');
+
+      await localPlugin.start(mockContext);
+      await localHookCapture.trigger('kernel:ready');
+
+      expect(setRuntimeSpy).toHaveBeenCalledWith('http://localhost:3002');
+    });
+
     it('should throw error if auth not initialized', async () => {
       const uninitializedPlugin = new AuthPlugin({
         secret: 'test-secret',

package/src/auth-plugin.ts

@@ -3,6 +3,12 @@
 import { Plugin, PluginContext, IHttpServer } from '@objectstack/core';
 import { AuthConfig } from '@objectstack/spec/system';
 import { AuthManager } from './auth-manager.js';
+import {
+  SysUser, SysSession, SysAccount, SysVerification,
+  SysOrganization, SysMember, SysInvitation,
+  SysTeam, SysTeamMember,
+  SysApiKey, SysTwoFactor,
+} from './objects/index.js';
 
 /**
  * Auth Plugin Options
@@ -43,6 +49,7 @@ export interface AuthPluginOptions extends Partial<AuthConfig> {
  * 
  * This plugin registers:
  * - `auth` service (auth manager instance) — always
+ * - `app.com.objectstack.system` service (system object definitions) — always
  * - HTTP routes for authentication endpoints — only when HTTP server is available
  * 
  * Integrates with better-auth library to provide comprehensive
@@ -88,7 +95,23 @@ export class AuthPlugin implements Plugin {
 
     // Register auth service
     ctx.registerService('auth', this.authManager);
-    
+
+    // Register system objects as an app service so ObjectQLPlugin
+    // auto-discovers them via the `app.*` convention.
+    ctx.registerService('app.com.objectstack.system', {
+      id: 'com.objectstack.system',
+      name: 'System',
+      version: '1.0.0',
+      type: 'plugin',
+      namespace: 'sys',
+      objects: [
+        SysUser, SysSession, SysAccount, SysVerification,
+        SysOrganization, SysMember, SysInvitation,
+        SysTeam, SysTeamMember,
+        SysApiKey, SysTwoFactor,
+      ],
+    });
+
     ctx.logger.info('Auth Plugin initialized successfully');
   }
 
@@ -114,6 +137,27 @@ export class AuthPlugin implements Plugin {
         }
 
         if (httpServer) {
+          // Auto-detect the actual server URL when no explicit baseUrl was
+          // configured, or when the configured baseUrl uses a different port
+          // than the running server (e.g. port 3000 configured but 3002 bound).
+          // getPort() is optional on IHttpServer; duck-type check for it.
+          const serverWithPort = httpServer as IHttpServer & { getPort?: () => number };
+          if (this.authManager && typeof serverWithPort.getPort === 'function') {
+            const actualPort = serverWithPort.getPort();
+            if (actualPort) {
+              const configuredUrl = this.options.baseUrl || 'http://localhost:3000';
+              const configuredOrigin = new URL(configuredUrl).origin;
+              const actualUrl = `http://localhost:${actualPort}`;
+
+              if (configuredOrigin !== actualUrl) {
+                this.authManager.setRuntimeBaseUrl(actualUrl);
+                ctx.logger.info(
+                  `Auth baseUrl auto-updated to ${actualUrl} (configured: ${configuredUrl})`,
+                );
+              }
+            }
+          }
+
           // Route registration errors should propagate (server misconfiguration)
           this.registerAuthRoutes(httpServer, ctx);
           ctx.logger.info(`Auth routes registered at ${this.options.basePath}`);