npm - @objectstack/plugin-auth - Versions diffs - 5.0.0 → 5.2.0 - Mend

@objectstack/plugin-auth 5.0.0 → 5.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -1,8 +1,8 @@
 import { Plugin, PluginContext, IDataEngine } from '@objectstack/core';
+import * as better_auth from 'better-auth';
+import { BetterAuthOptions, Auth } from 'better-auth';
 import { AuthConfig, OidcProvidersConfig } from '@objectstack/spec/system';
 export { AuthConfig, AuthPluginConfig, AuthProviderConfig } from '@objectstack/spec/system';
-import * as better_auth from 'better-auth';
-import { Auth } from 'better-auth';
 import { IEmailService } from '@objectstack/spec/contracts';
 import * as better_auth_adapters from 'better-auth/adapters';
 import { CleanedWhere } from 'better-auth/adapters';
@@ -39,6 +39,16 @@ interface AuthPluginOptions extends Partial<AuthConfig> {
      * {@link AuthManagerOptions.additionalOrgRoles} for details.
      */
     additionalOrgRoles?: string[];
+    /**
+     * Pass-through to better-auth's `databaseHooks` option. Used by
+     * platform consumers (objectos kernel) to attach a
+     * `user.create.after` hook that auto-provisions a personal
+     * organization for JIT-created SSO users — better-auth's adapter
+     * bypasses kernel-level ObjectQL middleware, so this is the only
+     * hook point that fires for every user creation path (email signup,
+     * social/OIDC sign-in, admin-created accounts).
+     */
+    databaseHooks?: BetterAuthOptions['databaseHooks'];
 }
 /**
  * Authentication Plugin
@@ -163,6 +173,20 @@ interface AuthManagerOptions extends Partial<AuthConfig> {
      * placeholder). Defaults to `'ObjectStack'` when omitted.
      */
     appName?: string;
+    /**
+     * Pass-through to better-auth's `databaseHooks` option. better-auth fires
+     * these around its own adapter writes (e.g. when `genericOAuth` creates
+     * a JIT user during SSO login), which the kernel-level ObjectQL
+     * middleware does NOT observe — better-auth's adapter goes through
+     * `dataEngine` directly, bypassing the `ql.registerMiddleware` chain.
+     *
+     * The platform uses this to attach a `user.create.after` hook that
+     * auto-provisions a personal organization for every newly-created user
+     * (mirroring what SecurityPlugin's middleware does for direct
+     * ObjectQL inserts) so SSO-arriving users don't land on the empty
+     * "create organization" screen.
+     */
+    databaseHooks?: BetterAuthOptions['databaseHooks'];
 }
 /**
  * Authentication Manager

package/dist/index.d.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 import { Plugin, PluginContext, IDataEngine } from '@objectstack/core';
+import * as better_auth from 'better-auth';
+import { BetterAuthOptions, Auth } from 'better-auth';
 import { AuthConfig, OidcProvidersConfig } from '@objectstack/spec/system';
 export { AuthConfig, AuthPluginConfig, AuthProviderConfig } from '@objectstack/spec/system';
-import * as better_auth from 'better-auth';
-import { Auth } from 'better-auth';
 import { IEmailService } from '@objectstack/spec/contracts';
 import * as better_auth_adapters from 'better-auth/adapters';
 import { CleanedWhere } from 'better-auth/adapters';
@@ -39,6 +39,16 @@ interface AuthPluginOptions extends Partial<AuthConfig> {
      * {@link AuthManagerOptions.additionalOrgRoles} for details.
      */
     additionalOrgRoles?: string[];
+    /**
+     * Pass-through to better-auth's `databaseHooks` option. Used by
+     * platform consumers (objectos kernel) to attach a
+     * `user.create.after` hook that auto-provisions a personal
+     * organization for JIT-created SSO users — better-auth's adapter
+     * bypasses kernel-level ObjectQL middleware, so this is the only
+     * hook point that fires for every user creation path (email signup,
+     * social/OIDC sign-in, admin-created accounts).
+     */
+    databaseHooks?: BetterAuthOptions['databaseHooks'];
 }
 /**
  * Authentication Plugin
@@ -163,6 +173,20 @@ interface AuthManagerOptions extends Partial<AuthConfig> {
      * placeholder). Defaults to `'ObjectStack'` when omitted.
      */
     appName?: string;
+    /**
+     * Pass-through to better-auth's `databaseHooks` option. better-auth fires
+     * these around its own adapter writes (e.g. when `genericOAuth` creates
+     * a JIT user during SSO login), which the kernel-level ObjectQL
+     * middleware does NOT observe — better-auth's adapter goes through
+     * `dataEngine` directly, bypassing the `ql.registerMiddleware` chain.
+     *
+     * The platform uses this to attach a `user.create.after` hook that
+     * auto-provisions a personal organization for every newly-created user
+     * (mirroring what SecurityPlugin's middleware does for direct
+     * ObjectQL inserts) so SSO-arriving users don't land on the empty
+     * "create organization" screen.
+     */
+    databaseHooks?: BetterAuthOptions['databaseHooks'];
 }
 /**
  * Authentication Manager

package/dist/index.js CHANGED Viewed

@@ -689,6 +689,10 @@ var AuthManager = class {
       },
       // better-auth plugins — registered based on AuthPluginConfig flags
       plugins,
+      // Database hooks (fired by better-auth's adapter writes — these run
+      // for SSO JIT-provisioning too, unlike kernel-level ObjectQL
+      // middleware which better-auth's adapter bypasses).
+      ...this.config.databaseHooks ? { databaseHooks: this.config.databaseHooks } : {},
       // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
       // Auto-includes origins from CORS_ORIGIN env var so CORS and CSRF stay in sync.
       ...(() => {