@objectstack/plugin-auth 4.0.3 → 4.0.4

package/src/auth-manager.test.ts

@@ -434,7 +434,7 @@ describe('AuthManager', () => {
       ]);
     });
 
-    it('should NOT include trustedOrigins key when not provided', () => {
+    it('should default to localhost wildcard when trustedOrigins not provided', () => {
       let capturedConfig: any;
       (betterAuth as any).mockImplementation((config: any) => {
         capturedConfig = config;
@@ -449,10 +449,10 @@ describe('AuthManager', () => {
       manager.getAuthInstance();
       warnSpy.mockRestore();
 
-      expect(capturedConfig).not.toHaveProperty('trustedOrigins');
+      expect(capturedConfig.trustedOrigins).toEqual(['http://localhost:*']);
     });
 
-    it('should NOT include trustedOrigins key when array is empty', () => {
+    it('should default to localhost wildcard when trustedOrigins array is empty', () => {
       let capturedConfig: any;
       (betterAuth as any).mockImplementation((config: any) => {
         capturedConfig = config;
@@ -468,7 +468,7 @@ describe('AuthManager', () => {
       manager.getAuthInstance();
       warnSpy.mockRestore();
 
-      expect(capturedConfig).not.toHaveProperty('trustedOrigins');
+      expect(capturedConfig.trustedOrigins).toEqual(['http://localhost:*']);
     });
   });
 
@@ -755,4 +755,129 @@ describe('AuthManager', () => {
       expect(capturedConfig).not.toHaveProperty('advanced');
     });
   });
+
+  describe('getPublicConfig', () => {
+    it('should return safe public configuration', () => {
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        socialProviders: {
+          google: {
+            clientId: 'google-client-id',
+            clientSecret: 'google-client-secret',
+            enabled: true,
+          },
+          github: {
+            clientId: 'github-client-id',
+            clientSecret: 'github-client-secret',
+          },
+        },
+        emailAndPassword: {
+          enabled: true,
+          disableSignUp: false,
+          requireEmailVerification: true,
+        },
+        plugins: {
+          twoFactor: true,
+          organization: true,
+        },
+      });
+      warnSpy.mockRestore();
+
+      const config = manager.getPublicConfig();
+
+      // Should include social providers without secrets
+      expect(config.socialProviders).toHaveLength(2);
+      expect(config.socialProviders[0]).toEqual({
+        id: 'google',
+        name: 'Google',
+        enabled: true,
+      });
+      expect(config.socialProviders[1]).toEqual({
+        id: 'github',
+        name: 'GitHub',
+        enabled: true,
+      });
+
+      // Should NOT include sensitive data
+      expect(config).not.toHaveProperty('secret');
+      expect(config.socialProviders[0]).not.toHaveProperty('clientSecret');
+      expect(config.socialProviders[0]).not.toHaveProperty('clientId');
+
+      // Should include email/password config
+      expect(config.emailPassword).toEqual({
+        enabled: true,
+        disableSignUp: false,
+        requireEmailVerification: true,
+      });
+
+      // Should include features
+      expect(config.features).toEqual({
+        twoFactor: true,
+        passkeys: false,
+        magicLink: false,
+        organization: true,
+      });
+    });
+
+    it('should filter out disabled providers', () => {
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        socialProviders: {
+          google: {
+            clientId: 'google-client-id',
+            clientSecret: 'google-client-secret',
+            enabled: true,
+          },
+          github: {
+            clientId: 'github-client-id',
+            clientSecret: 'github-client-secret',
+            enabled: false,
+          },
+        },
+      });
+      warnSpy.mockRestore();
+
+      const config = manager.getPublicConfig();
+
+      expect(config.socialProviders).toHaveLength(1);
+      expect(config.socialProviders[0].id).toBe('google');
+    });
+
+    it('should default email/password to enabled', () => {
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+      });
+      warnSpy.mockRestore();
+
+      const config = manager.getPublicConfig();
+
+      expect(config.emailPassword.enabled).toBe(true);
+    });
+
+    it('should handle unknown provider names', () => {
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        socialProviders: {
+          customProvider: {
+            clientId: 'custom-client-id',
+            clientSecret: 'custom-client-secret',
+          },
+        },
+      });
+      warnSpy.mockRestore();
+
+      const config = manager.getPublicConfig();
+
+      expect(config.socialProviders[0]).toEqual({
+        id: 'customProvider',
+        name: 'CustomProvider',
+        enabled: true,
+      });
+    });
+  });
 });

package/src/auth-manager.ts

@@ -5,7 +5,11 @@ import type { Auth, BetterAuthOptions } from 'better-auth';
 import { organization } from 'better-auth/plugins/organization';
 import { twoFactor } from 'better-auth/plugins/two-factor';
 import { magicLink } from 'better-auth/plugins/magic-link';
-import type { AuthConfig } from '@objectstack/spec/system';
+import type {
+  AuthConfig,
+  EmailAndPasswordConfig,
+  AuthPluginConfig,
+} from '@objectstack/spec/system';
 import type { IDataEngine } from '@objectstack/core';
 import { createObjectQLAdapterFactory } from './objectql-adapter.js';
 import {
@@ -153,7 +157,23 @@ export class AuthManager {
       plugins: this.buildPluginList(),
 
       // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
-      ...(this.config.trustedOrigins?.length ? { trustedOrigins: this.config.trustedOrigins } : {}),
+      // Auto-includes origins from CORS_ORIGIN env var so CORS and CSRF stay in sync.
+      ...(() => {
+        const origins: string[] = [...(this.config.trustedOrigins || [])];
+        // Sync with CORS_ORIGIN env var (comma-separated)
+        const corsOrigin = process.env.CORS_ORIGIN;
+        if (corsOrigin && corsOrigin !== '*') {
+          corsOrigin.split(',').map(s => s.trim()).filter(Boolean).forEach(o => {
+            if (!origins.includes(o)) origins.push(o);
+          });
+        }
+        // When CORS allows all origins (default) and no explicit trustedOrigins,
+        // trust all localhost ports in development for convenience.
+        if (!origins.length && (!corsOrigin || corsOrigin === '*')) {
+          origins.push('http://localhost:*');
+        }
+        return origins.length ? { trustedOrigins: origins } : {};
+      })(),
 
       // Advanced options (cross-subdomain cookies, secure cookies, CSRF, etc.)
       ...(this.config.advanced ? {
@@ -335,4 +355,65 @@ export class AuthManager {
   get api() {
     return this.getOrCreateAuth().api;
   }
+
+  /**
+   * Get public authentication configuration
+   * Returns safe, non-sensitive configuration that can be exposed to the frontend
+   *
+   * This allows the frontend to discover:
+   * - Which social/OAuth providers are available
+   * - Whether email/password login is enabled
+   * - Which advanced features are enabled (2FA, magic links, etc.)
+   */
+  getPublicConfig() {
+    // Extract social providers info (without sensitive data)
+    const socialProviders = [];
+    if (this.config.socialProviders) {
+      for (const [id, providerConfig] of Object.entries(this.config.socialProviders)) {
+        if (providerConfig.enabled !== false) {
+          // Map provider ID to friendly name
+          const nameMap: Record<string, string> = {
+            google: 'Google',
+            github: 'GitHub',
+            microsoft: 'Microsoft',
+            apple: 'Apple',
+            facebook: 'Facebook',
+            twitter: 'Twitter',
+            discord: 'Discord',
+            gitlab: 'GitLab',
+            linkedin: 'LinkedIn',
+          };
+
+          socialProviders.push({
+            id,
+            name: nameMap[id] || id.charAt(0).toUpperCase() + id.slice(1),
+            enabled: true,
+          });
+        }
+      }
+    }
+
+    // Extract email/password config (safe fields only)
+    const emailPasswordConfig: Partial<EmailAndPasswordConfig> = this.config.emailAndPassword ?? {};
+    const emailPassword = {
+      enabled: emailPasswordConfig.enabled !== false, // Default to true
+      disableSignUp: emailPasswordConfig.disableSignUp ?? false,
+      requireEmailVerification: emailPasswordConfig.requireEmailVerification ?? false,
+    };
+
+    // Extract enabled features
+    const pluginConfig: Partial<AuthPluginConfig> = this.config.plugins ?? {};
+    const features = {
+      twoFactor: pluginConfig.twoFactor ?? false,
+      passkeys: pluginConfig.passkeys ?? false,
+      magicLink: pluginConfig.magicLink ?? false,
+      organization: pluginConfig.organization ?? false,
+    };
+
+    return {
+      emailPassword,
+      socialProviders,
+      features,
+    };
+  }
 }

package/src/auth-plugin.test.ts

@@ -137,6 +137,7 @@ describe('AuthPlugin', () => {
     it('should register routes with HTTP server on kernel:ready', async () => {
       const mockRawApp = {
         all: vi.fn(),
+        get: vi.fn(),
       };
 
       const mockHttpServer = {
@@ -173,6 +174,7 @@ describe('AuthPlugin', () => {
     it('should log via ctx.logger when better-auth returns a 500 response', async () => {
       const mockRawApp = {
         all: vi.fn(),
+        get: vi.fn(),
       };
 
       const mockHttpServer = {
@@ -270,7 +272,7 @@ describe('AuthPlugin', () => {
     });
 
     it('should auto-detect baseUrl from http-server port when port differs', async () => {
-      const mockRawApp = { all: vi.fn() };
+      const mockRawApp = { all: vi.fn(), get: vi.fn() };
       const mockHttpServer = {
         post: vi.fn(), get: vi.fn(), put: vi.fn(), delete: vi.fn(),
         patch: vi.fn(), use: vi.fn(),
@@ -306,7 +308,7 @@ describe('AuthPlugin', () => {
       (mockContext.registerService as any).mockClear();
       await localPlugin.init(mockContext);
 
-      const mockRawApp = { all: vi.fn() };
+      const mockRawApp = { all: vi.fn(), get: vi.fn() };
       const mockHttpServer = {
         post: vi.fn(), get: vi.fn(), put: vi.fn(), delete: vi.fn(),
         patch: vi.fn(), use: vi.fn(),
@@ -338,7 +340,7 @@ describe('AuthPlugin', () => {
       (mockContext.registerService as any).mockClear();
       await localPlugin.init(mockContext);
 
-      const mockRawApp = { all: vi.fn() };
+      const mockRawApp = { all: vi.fn(), get: vi.fn() };
       const mockHttpServer = {
         post: vi.fn(), get: vi.fn(), put: vi.fn(), delete: vi.fn(),
         patch: vi.fn(), use: vi.fn(),
@@ -400,6 +402,7 @@ describe('AuthPlugin', () => {
 
       const mockRawApp = {
         all: vi.fn(),
+        get: vi.fn(),
       };
 
       const mockHttpServer = {

package/src/auth-plugin.ts

@@ -245,6 +245,28 @@ export class AuthPlugin implements Plugin {
 
     const rawApp = (httpServer as any).getRawApp();
 
+    // Register auth config endpoint - public endpoint for frontend discovery
+    rawApp.get(`${basePath}/config`, async (c: any) => {
+      try {
+        const config = this.authManager!.getPublicConfig();
+        return c.json({
+          success: true,
+          data: config,
+        });
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error('Auth config error:', err);
+
+        return c.json({
+          success: false,
+          error: {
+            code: 'auth_config_error',
+            message: err.message,
+          },
+        }, 500);
+      }
+    });
+
     // Register wildcard route to forward all auth requests to better-auth.
     // better-auth is configured with basePath matching our route prefix, so we
     // forward the original request directly — no path rewriting needed.