@objectstack/plugin-auth 4.0.5 → 4.1.0

package/dist/index.js

@@ -31,6 +31,8 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var index_exports = {};
 __export(index_exports, {
   AUTH_ACCOUNT_CONFIG: () => AUTH_ACCOUNT_CONFIG,
+  AUTH_ADMIN_SESSION_FIELDS: () => AUTH_ADMIN_SESSION_FIELDS,
+  AUTH_ADMIN_USER_FIELDS: () => AUTH_ADMIN_USER_FIELDS,
   AUTH_DEVICE_CODE_SCHEMA: () => AUTH_DEVICE_CODE_SCHEMA,
   AUTH_INVITATION_SCHEMA: () => AUTH_INVITATION_SCHEMA,
   AUTH_JWKS_SCHEMA: () => AUTH_JWKS_SCHEMA,
@@ -52,6 +54,7 @@ __export(index_exports, {
   AUTH_VERIFICATION_CONFIG: () => AUTH_VERIFICATION_CONFIG,
   AuthManager: () => AuthManager,
   AuthPlugin: () => AuthPlugin,
+  buildAdminPluginSchema: () => buildAdminPluginSchema,
   buildDeviceAuthorizationPluginSchema: () => buildDeviceAuthorizationPluginSchema,
   buildJwtPluginSchema: () => buildJwtPluginSchema,
   buildOauthProviderPluginSchema: () => buildOauthProviderPluginSchema,
@@ -79,6 +82,41 @@ var AUTH_MODEL_TO_PROTOCOL = {
 function resolveProtocolName(model) {
   return AUTH_MODEL_TO_PROTOCOL[model] ?? model;
 }
+var LEGACY_DATETIME_FIELDS_BY_MODEL = {
+  user: ["created_at", "updated_at"],
+  session: ["expires_at", "created_at", "updated_at"],
+  account: [
+    "access_token_expires_at",
+    "refresh_token_expires_at",
+    "created_at",
+    "updated_at"
+  ],
+  verification: ["expires_at", "created_at", "updated_at"]
+};
+var NUMERIC_STRING_RE = /^-?\d+(\.\d+)?$/;
+function normaliseLegacyDate(value) {
+  if (typeof value !== "string") return value;
+  if (!NUMERIC_STRING_RE.test(value)) return value;
+  const n = parseFloat(value);
+  if (!Number.isFinite(n)) return value;
+  if (Math.abs(n) < 1e10) return value;
+  const d = new Date(n);
+  if (Number.isNaN(d.getTime())) return value;
+  return d.toISOString();
+}
+function normaliseLegacyDates(model, record) {
+  if (!record) return record;
+  const cols = LEGACY_DATETIME_FIELDS_BY_MODEL[model];
+  if (!cols) return record;
+  for (const col of cols) {
+    if (col in record) {
+      record[col] = normaliseLegacyDate(
+        record[col]
+      );
+    }
+  }
+  return record;
+}
 function convertWhere(where) {
   const filter = {};
   for (const condition of where) {
@@ -107,20 +145,24 @@ function createObjectQLAdapterFactory(dataEngine) {
   return (0, import_adapters.createAdapterFactory)({
     config: {
       adapterId: "objectql",
-      // ObjectQL natively supports these types — no extra conversion needed
-      supportsBooleans: true,
-      supportsDates: true,
+      // We let better-auth handle Date↔string and boolean↔0/1 conversion so
+      // that values land in the underlying SQL driver as primitive strings
+      // and integers. Some drivers (e.g. libsql over the HTTP transport)
+      // otherwise mangle `Date` objects into `"<epoch>.0"` strings that
+      // break the client-side session parser.
+      supportsBooleans: false,
+      supportsDates: false,
       supportsJSON: true
     },
     adapter: () => ({
       create: async ({ model, data, select: _select }) => {
         const result = await dataEngine.insert(model, data);
-        return result;
+        return normaliseLegacyDates(model, result);
       },
       findOne: async ({ model, where, select, join: _join }) => {
         const filter = convertWhere(where);
         const result = await dataEngine.findOne(model, { where: filter, fields: select });
-        return result ? result : null;
+        return result ? normaliseLegacyDates(model, result) : null;
       },
       findMany: async ({ model, where, limit, offset, sortBy, join: _join }) => {
         const filter = where ? convertWhere(where) : {};
@@ -131,7 +173,7 @@ function createObjectQLAdapterFactory(dataEngine) {
           offset,
           orderBy
         });
-        return results;
+        return results.map((r) => normaliseLegacyDates(model, r));
       },
       count: async ({ model, where }) => {
         const filter = where ? convertWhere(where) : {};
@@ -142,7 +184,7 @@ function createObjectQLAdapterFactory(dataEngine) {
         const record = await dataEngine.findOne(model, { where: filter });
         if (!record) return null;
         const result = await dataEngine.update(model, { ...update, id: record.id });
-        return result ? result : null;
+        return result ? normaliseLegacyDates(model, result) : null;
       },
       updateMany: async ({ model, where, update }) => {
         const filter = convertWhere(where);
@@ -339,6 +381,13 @@ var AUTH_TWO_FACTOR_SCHEMA = {
 var AUTH_TWO_FACTOR_USER_FIELDS = {
   twoFactorEnabled: "two_factor_enabled"
 };
+var AUTH_ADMIN_USER_FIELDS = {
+  banReason: "ban_reason",
+  banExpires: "ban_expires"
+};
+var AUTH_ADMIN_SESSION_FIELDS = {
+  impersonatedBy: "impersonated_by"
+};
 var AUTH_OAUTH_CLIENT_SCHEMA = {
   modelName: import_system2.SystemObjectName.OAUTH_APPLICATION,
   // 'sys_oauth_application'
@@ -422,6 +471,16 @@ function buildTwoFactorPluginSchema() {
     }
   };
 }
+function buildAdminPluginSchema() {
+  return {
+    user: {
+      fields: AUTH_ADMIN_USER_FIELDS
+    },
+    session: {
+      fields: AUTH_ADMIN_SESSION_FIELDS
+    }
+  };
+}
 function buildOrganizationPluginSchema() {
   return {
     organization: AUTH_ORGANIZATION_SCHEMA,
@@ -503,7 +562,41 @@ var AuthManager = class {
         ...AUTH_USER_CONFIG
       },
       account: {
-        ...AUTH_ACCOUNT_CONFIG
+        ...AUTH_ACCOUNT_CONFIG,
+        // Allow OIDC/OAuth callbacks to implicitly link the incoming
+        // identity to a pre-existing local user when the emails match.
+        //
+        // ObjectStack's platform SSO ("objectstack-cloud" provider) is the
+        // canonical case: cloud is the IdP for every project, so a user
+        // arriving via SSO is — by construction — the same person who was
+        // auto-seeded as the project owner when the project was created.
+        // Without trusting the provider, better-auth's safety check rejects
+        // the link with `error=account_not_linked` because the seeded user
+        // row has `emailVerified=false` (no actual verification ever runs
+        // in the IdP-mediated flow). See packages/plugins/plugin-auth/
+        // node_modules/better-auth/dist/oauth2/link-account.mjs:22.
+        //
+        // Custom-deployment consumers can extend the trusted set via
+        // `config.account.accountLinking.trustedProviders`; we always
+        // include `objectstack-cloud` because it is the platform IdP.
+        accountLinking: {
+          enabled: true,
+          // better-auth's account-linking gate has TWO independent clauses
+          // (see link-account.mjs:22). Trusting the provider only satisfies
+          // the first clause; the second — `requireLocalEmailVerified &&
+          // !dbUser.user.emailVerified` — still blocks linking when the
+          // pre-existing local user row has `emailVerified=false` (the
+          // default for owner-seeded rows). Disabling the local-email gate
+          // is safe here because the OAuth side is what we actually trust:
+          // the incoming identity was verified by the IdP. Consumers who
+          // need the stricter behavior can override via config.
+          requireLocalEmailVerified: false,
+          ...this.config?.account?.accountLinking ?? {},
+          trustedProviders: Array.from(/* @__PURE__ */ new Set([
+            "objectstack-cloud",
+            ...this.config?.account?.accountLinking?.trustedProviders ?? []
+          ]))
+        }
       },
       verification: {
         ...AUTH_VERIFICATION_CONFIG
@@ -519,15 +612,71 @@ var AuthManager = class {
         ...this.config.emailAndPassword?.maxPasswordLength != null ? { maxPasswordLength: this.config.emailAndPassword.maxPasswordLength } : {},
         ...this.config.emailAndPassword?.resetPasswordTokenExpiresIn != null ? { resetPasswordTokenExpiresIn: this.config.emailAndPassword.resetPasswordTokenExpiresIn } : {},
         ...this.config.emailAndPassword?.autoSignIn != null ? { autoSignIn: this.config.emailAndPassword.autoSignIn } : {},
-        ...this.config.emailAndPassword?.revokeSessionsOnPasswordReset != null ? { revokeSessionsOnPasswordReset: this.config.emailAndPassword.revokeSessionsOnPasswordReset } : {}
+        ...this.config.emailAndPassword?.revokeSessionsOnPasswordReset != null ? { revokeSessionsOnPasswordReset: this.config.emailAndPassword.revokeSessionsOnPasswordReset } : {},
+        sendResetPassword: async ({ user, url, token }) => {
+          const email = this.getEmailService();
+          if (!email) {
+            console.warn(
+              `[AuthManager] Password-reset requested for ${user.email} but no email service is wired. URL: ${url}`
+            );
+            return;
+          }
+          const ttlSec = this.config.emailAndPassword?.resetPasswordTokenExpiresIn ?? 60 * 60;
+          try {
+            await email.sendTemplate({
+              template: "auth.password_reset",
+              to: { address: user.email, ...user.name ? { name: user.name } : {} },
+              data: {
+                user: { name: user.name || user.email, email: user.email, id: user.id },
+                resetUrl: url,
+                token,
+                expiresInMinutes: Math.round(ttlSec / 60),
+                appName: this.getAppName()
+              },
+              relatedObject: "sys_user",
+              relatedId: user.id
+            });
+          } catch (err) {
+            console.error(`[AuthManager] sendResetPassword failed: ${err?.message ?? err}`);
+            throw err;
+          }
+        }
       },
       // Email verification
-      ...this.config.emailVerification ? {
+      ...this.config.emailVerification || this.config.emailService ? {
         emailVerification: {
-          ...this.config.emailVerification.sendOnSignUp != null ? { sendOnSignUp: this.config.emailVerification.sendOnSignUp } : {},
-          ...this.config.emailVerification.sendOnSignIn != null ? { sendOnSignIn: this.config.emailVerification.sendOnSignIn } : {},
-          ...this.config.emailVerification.autoSignInAfterVerification != null ? { autoSignInAfterVerification: this.config.emailVerification.autoSignInAfterVerification } : {},
-          ...this.config.emailVerification.expiresIn != null ? { expiresIn: this.config.emailVerification.expiresIn } : {}
+          ...this.config.emailVerification?.sendOnSignUp != null ? { sendOnSignUp: this.config.emailVerification.sendOnSignUp } : {},
+          ...this.config.emailVerification?.sendOnSignIn != null ? { sendOnSignIn: this.config.emailVerification.sendOnSignIn } : {},
+          ...this.config.emailVerification?.autoSignInAfterVerification != null ? { autoSignInAfterVerification: this.config.emailVerification.autoSignInAfterVerification } : {},
+          ...this.config.emailVerification?.expiresIn != null ? { expiresIn: this.config.emailVerification.expiresIn } : {},
+          sendVerificationEmail: async ({ user, url, token }) => {
+            const email = this.getEmailService();
+            if (!email) {
+              console.warn(
+                `[AuthManager] Verification email requested for ${user.email} but no email service is wired. URL: ${url}`
+              );
+              return;
+            }
+            const ttlSec = this.config.emailVerification?.expiresIn ?? 60 * 60;
+            try {
+              await email.sendTemplate({
+                template: "auth.verify_email",
+                to: { address: user.email, ...user.name ? { name: user.name } : {} },
+                data: {
+                  user: { name: user.name || user.email, email: user.email, id: user.id },
+                  verificationUrl: url,
+                  token,
+                  expiresInMinutes: Math.round(ttlSec / 60),
+                  appName: this.getAppName()
+                },
+                relatedObject: "sys_user",
+                relatedId: user.id
+              });
+            } catch (err) {
+              console.error(`[AuthManager] sendVerificationEmail failed: ${err?.message ?? err}`);
+              throw err;
+            }
+          }
         }
       } : {},
       // Session configuration
@@ -552,6 +701,8 @@ var AuthManager = class {
         }
         if (!origins.length && (!corsOrigin || corsOrigin === "*")) {
           origins.push("http://localhost:*");
+          origins.push("http://*.localhost:*");
+          origins.push("https://*.localhost:*");
         }
         return origins.length ? { trustedOrigins: origins } : {};
       })(),
@@ -583,12 +734,34 @@ var AuthManager = class {
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
       oidcProvider: pluginConfig.oidcProvider ?? false,
-      deviceAuthorization: pluginConfig.deviceAuthorization ?? false
+      deviceAuthorization: pluginConfig.deviceAuthorization ?? false,
+      admin: pluginConfig.admin ?? false
     };
     const { bearer } = await import("better-auth/plugins/bearer");
     plugins.push(bearer());
     if (enabled.organization) {
       const { organization } = await import("better-auth/plugins/organization");
+      let customOrgRoles;
+      const extra = this.config.additionalOrgRoles;
+      if (extra && extra.length > 0) {
+        try {
+          const accessMod = await import("better-auth/plugins/organization/access");
+          const { defaultAc, memberAc, defaultRoles: importedDefaultRoles } = accessMod;
+          const defaultRoles = importedDefaultRoles || null;
+          if (defaultAc && memberAc && typeof memberAc.statements === "object") {
+            const built = defaultRoles ? { ...defaultRoles } : {};
+            const stmts = memberAc.statements;
+            for (const name of extra) {
+              if (!name) continue;
+              if (built[name]) continue;
+              built[name] = defaultAc.newRole(stmts);
+            }
+            customOrgRoles = built;
+          }
+        } catch {
+          customOrgRoles = void 0;
+        }
+      }
       plugins.push(organization({
         schema: buildOrganizationPluginSchema(),
         // Enable the team sub-feature so the framework's `sys_team` /
@@ -599,15 +772,47 @@ var AuthManager = class {
         // portal exposes a Teams page; without this flag those endpoints
         // 404 and the section silently breaks.
         teams: { enabled: true },
+        // Without a mailer wired in framework, requiring email verification
+        // before accepting invitations dead-ends every invite flow with
+        // FORBIDDEN EMAIL_VERIFICATION_REQUIRED…. Default-off here keeps
+        // the built-in /accept-invitation route usable for pilots; operators
+        // who wire a real mailer can re-enable downstream.
+        requireEmailVerificationOnInvitation: false,
+        ...customOrgRoles ? { roles: customOrgRoles } : {},
         // No mailer is wired in framework yet — log the accept URL so
         // operators / UI can fall back to copy-paste flows. Replace this
         // with a real mail integration when available.
-        sendInvitationEmail: async ({ email, invitation, organization: org, inviter }) => {
+        sendInvitationEmail: async ({ email: recipientEmail, invitation, organization: org, inviter }) => {
           const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
           const acceptUrl = `${baseUrl}/accept-invitation/${invitation.id}`;
-          console.warn(
-            `[AuthManager] Invitation email not configured. To: ${email} (org: ${org?.name ?? invitation.organizationId}, role: ${invitation.role}, inviter: ${inviter?.user?.email ?? "unknown"}) URL: ${acceptUrl}`
-          );
+          const emailService = this.getEmailService();
+          if (!emailService) {
+            console.warn(
+              `[AuthManager] Invitation email not configured. To: ${recipientEmail} (org: ${org?.name ?? invitation.organizationId}, role: ${invitation.role}, inviter: ${inviter?.user?.email ?? "unknown"}) URL: ${acceptUrl}`
+            );
+            return;
+          }
+          try {
+            await emailService.sendTemplate({
+              template: "auth.invitation",
+              to: recipientEmail,
+              data: {
+                inviter: {
+                  name: inviter?.user?.name ?? inviter?.user?.email ?? "A teammate",
+                  email: inviter?.user?.email ?? ""
+                },
+                organization: { name: org?.name ?? invitation.organizationId },
+                role: invitation.role || "",
+                acceptUrl,
+                appName: this.getAppName()
+              },
+              relatedObject: "sys_invitation",
+              relatedId: invitation.id
+            });
+          } catch (err) {
+            console.error(`[AuthManager] sendInvitationEmail failed: ${err?.message ?? err}`);
+            throw err;
+          }
         }
       }));
     }
@@ -617,13 +822,38 @@ var AuthManager = class {
         schema: buildTwoFactorPluginSchema()
       }));
     }
+    if (enabled.admin) {
+      const { admin } = await import("better-auth/plugins/admin");
+      plugins.push(admin({
+        schema: buildAdminPluginSchema()
+      }));
+    }
     if (enabled.magicLink) {
       const { magicLink } = await import("better-auth/plugins/magic-link");
       plugins.push(magicLink({
-        sendMagicLink: async ({ email, url }) => {
-          console.warn(
-            `[AuthManager] Magic-link requested for ${email} but no sendMagicLink handler configured. URL: ${url}`
-          );
+        sendMagicLink: async ({ email: recipientEmail, url, token }) => {
+          const emailService = this.getEmailService();
+          if (!emailService) {
+            console.warn(
+              `[AuthManager] Magic-link requested for ${recipientEmail} but no email service is wired. URL: ${url}`
+            );
+            return;
+          }
+          try {
+            await emailService.sendTemplate({
+              template: "auth.magic_link",
+              to: recipientEmail,
+              data: {
+                magicLinkUrl: url,
+                token,
+                expiresInMinutes: 10,
+                appName: this.getAppName()
+              }
+            });
+          } catch (err) {
+            console.error(`[AuthManager] sendMagicLink failed: ${err?.message ?? err}`);
+            throw err;
+          }
         }
       }));
     }
@@ -664,6 +894,55 @@ var AuthManager = class {
         schema: buildDeviceAuthorizationPluginSchema()
       }));
     }
+    const dataEngine = this.config.dataEngine;
+    if (dataEngine) {
+      const { customSession } = await import("better-auth/plugins/custom-session");
+      plugins.push(customSession(async ({ user, session }) => {
+        if (!user?.id) return { user, session };
+        const isPlatformAdmin = async () => {
+          try {
+            const links = await dataEngine.find("sys_user_permission_set", {
+              where: { user_id: user.id },
+              limit: 50
+            });
+            const platformLinks = (Array.isArray(links) ? links : []).filter(
+              (l) => !l.organization_id
+            );
+            if (platformLinks.length === 0) return false;
+            const sets = await dataEngine.find("sys_permission_set", { limit: 50 });
+            const adminSet = (Array.isArray(sets) ? sets : []).find(
+              (r) => r.name === "admin_full_access"
+            );
+            if (!adminSet) return false;
+            return platformLinks.some(
+              (l) => l.permission_set_id === adminSet.id
+            );
+          } catch {
+            return false;
+          }
+        };
+        const isActiveOrgAdmin = async () => {
+          try {
+            const orgId = session?.activeOrganizationId;
+            if (!orgId) return false;
+            const members = await dataEngine.find("sys_member", {
+              where: { user_id: user.id, organization_id: orgId },
+              limit: 5
+            });
+            return (Array.isArray(members) ? members : []).some((m) => {
+              const raw = typeof m?.role === "string" ? m.role : "";
+              const roles = raw.split(",").map((s) => s.trim().toLowerCase());
+              return roles.includes("owner") || roles.includes("admin");
+            });
+          } catch {
+            return false;
+          }
+        };
+        const promote = await isPlatformAdmin() || await isActiveOrgAdmin();
+        if (!promote) return { user, session };
+        return { user: { ...user, role: "admin" }, session };
+      }));
+    }
     return plugins;
   }
   /**
@@ -720,6 +999,26 @@ var AuthManager = class {
     }
     this.config = { ...this.config, baseUrl: url };
   }
+  /**
+   * Inject (or replace) the outbound email service used by better-auth
+   * callbacks. Safe to call after construction but BEFORE the first
+   * request hits the auth handler — callbacks read this via
+   * {@link getEmailService} when invoked.
+   *
+   * AuthPlugin calls this on `kernel:ready` once `ctx.getService('email')`
+   * resolves. For tests / serverless, callers may invoke directly.
+   */
+  setEmailService(email) {
+    this.config.emailService = email;
+  }
+  /** @internal Used by callback closures. */
+  getEmailService() {
+    return this.config.emailService;
+  }
+  /** @internal `{{appName}}` placeholder value for built-in templates. */
+  getAppName() {
+    return this.config.appName ?? "ObjectStack";
+  }
   /**
    * Get the underlying better-auth instance
    * Useful for advanced use cases
@@ -900,24 +1199,22 @@ var AuthPlugin = class {
     ctx.registerService("auth", this.authManager);
     ctx.getService("manifest").register({
       ...authPluginManifestHeader,
+      ...this.options.manifestDatasource ? { defaultDatasource: this.options.manifestDatasource } : {},
       objects: authIdentityObjects,
       // The platform Setup App is a static metadata artifact (lives in
       // @objectstack/platform-objects/apps). plugin-auth is the natural
       // owner of its registration since it loads first among the trio
       // (auth + security + audit) that supplies the underlying objects.
       apps: [import_apps.SETUP_APP],
-      // Curated list views and dashboards consumed by the Setup App's
-      // navigation entries. The manifest service does NOT auto-discover
-      // these from the app definition — they must be registered as
-      // explicit top-level arrays per ObjectStackDefinitionSchema.
-      views: [
-        import_apps.UsersView,
-        import_apps.OrganizationsView,
-        import_apps.RolesView,
-        import_apps.SessionsView,
-        import_apps.AuditLogsView,
-        import_apps.PackageInstallationsView
-      ],
+      // List views for each Setup-nav object are defined on the schema
+      // itself via the canonical `listViews` map (e.g.
+      // sys_user.listViews.{all_users,unverified,two_factor}). Registering
+      // top-level views here is the legacy pre-M10.30c pattern — it caused
+      // duplicate "Users"/"Roles"/"Sessions" tabs to appear alongside the
+      // schema-derived ones, sometimes referencing nonexistent fields
+      // (e.g. legacy `users.view` had phone/status/active columns that do
+      // not exist on sys_user). Schema-embedded listViews is the single
+      // source of truth.
       dashboards: [import_apps.SystemOverviewDashboard, import_apps.SecurityOverviewDashboard]
     });
     ctx.logger.info("Auth Plugin initialized successfully");
@@ -929,6 +1226,17 @@ var AuthPlugin = class {
     }
     if (this.options.registerRoutes) {
       ctx.hook("kernel:ready", async () => {
+        if (this.authManager) {
+          try {
+            const emailSvc = ctx.getService("email");
+            if (emailSvc) {
+              this.authManager.setEmailService(emailSvc);
+              ctx.logger.info("Auth: email service wired (transactional mail enabled)");
+            }
+          } catch {
+            ctx.logger.info("Auth: no email service registered \u2014 auth callbacks will log instead of sending");
+          }
+        }
         let httpServer = null;
         try {
           httpServer = ctx.getService("http-server");
@@ -1034,6 +1342,19 @@ var AuthPlugin = class {
             ctx.logger.error("[AuthPlugin] better-auth returned server error", new Error(`HTTP ${response.status}: (unable to read body)`));
           }
         }
+        try {
+          const url = c.req.url;
+          if (response.ok && /\/jwks(\?|$)/.test(url)) {
+            const existing = response.headers.get("cache-control");
+            if (!existing) {
+              response.headers.set(
+                "cache-control",
+                "public, max-age=300, stale-while-revalidate=86400"
+              );
+            }
+          }
+        } catch {
+        }
         return response;
       } catch (error) {
         const err = error instanceof Error ? error : new Error(String(error));
@@ -1068,8 +1389,19 @@ var AuthPlugin = class {
     const { oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata } = await import("@better-auth/oauth-provider");
     const authServerHandler = oauthProviderAuthServerMetadata(auth);
     const openidConfigHandler = oauthProviderOpenIdConfigMetadata(auth);
-    rawApp.get("/.well-known/oauth-authorization-server", (c) => authServerHandler(c.req.raw));
-    rawApp.get("/.well-known/openid-configuration", (c) => openidConfigHandler(c.req.raw));
+    const DISCOVERY_CACHE = "public, max-age=300, stale-while-revalidate=86400";
+    const withDiscoveryCache = async (handler, req) => {
+      const resp = await handler(req);
+      try {
+        if (resp.ok && !resp.headers.get("cache-control")) {
+          resp.headers.set("cache-control", DISCOVERY_CACHE);
+        }
+      } catch {
+      }
+      return resp;
+    };
+    rawApp.get("/.well-known/oauth-authorization-server", (c) => withDiscoveryCache(authServerHandler, c.req.raw));
+    rawApp.get("/.well-known/openid-configuration", (c) => withDiscoveryCache(openidConfigHandler, c.req.raw));
     ctx.logger.info(
       "OIDC discovery endpoints mounted at /.well-known/{oauth-authorization-server,openid-configuration}"
     );
@@ -1078,6 +1410,8 @@ var AuthPlugin = class {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AUTH_ACCOUNT_CONFIG,
+  AUTH_ADMIN_SESSION_FIELDS,
+  AUTH_ADMIN_USER_FIELDS,
   AUTH_DEVICE_CODE_SCHEMA,
   AUTH_INVITATION_SCHEMA,
   AUTH_JWKS_SCHEMA,
@@ -1099,6 +1433,7 @@ var AuthPlugin = class {
   AUTH_VERIFICATION_CONFIG,
   AuthManager,
   AuthPlugin,
+  buildAdminPluginSchema,
   buildDeviceAuthorizationPluginSchema,
   buildJwtPluginSchema,
   buildOauthProviderPluginSchema,