@objectstack/plugin-auth 6.1.1 → 6.3.0

package/dist/index.mjs

@@ -483,6 +483,7 @@ var AuthManager = class {
   async createAuthInstance() {
     const { betterAuth } = await import("better-auth");
     const plugins = await this.buildPluginList();
+    const passwordHasher = await this.resolvePasswordHasher();
     const betterAuthConfig = {
       // Base configuration
       secret: this.config.secret || this.generateSecret(),
@@ -542,6 +543,7 @@ var AuthManager = class {
       // Email and password configuration
       emailAndPassword: {
         enabled: this.config.emailAndPassword?.enabled ?? true,
+        ...passwordHasher ? { password: passwordHasher } : {},
         ...this.config.emailAndPassword?.disableSignUp != null ? { disableSignUp: this.config.emailAndPassword.disableSignUp } : {},
         ...this.config.emailAndPassword?.requireEmailVerification != null ? { requireEmailVerification: this.config.emailAndPassword.requireEmailVerification } : {},
         ...this.config.emailAndPassword?.minPasswordLength != null ? { minPasswordLength: this.config.emailAndPassword.minPasswordLength } : {},
@@ -658,6 +660,58 @@ var AuthManager = class {
     };
     return betterAuth(betterAuthConfig);
   }
+  /**
+   * Detect WebContainer (StackBlitz) and swap in a pure-JS scrypt hasher.
+   *
+   * better-auth defaults to `@better-auth/utils/password.node`, which calls
+   * `node:crypto.scrypt`. WebContainer polyfills that API incompletely and
+   * signup throws `TypeError: y.run is not a function`.
+   *
+   * We can't dynamic-import `@better-auth/utils/password` because that
+   * package's `exports` map gates the pure-JS build behind a non-`"node"`
+   * condition — Node-the-runtime (which WebContainer reports itself as)
+   * always resolves to `password.node.mjs`. So we reimplement the same hash
+   * here using `@noble/hashes/scrypt` directly, with byte-identical params
+   * (N=16384, r=16, p=1, dkLen=64) and the same `{saltHex}:{keyHex}` storage
+   * format. Hashes produced by either implementation verify against the
+   * other — no migration needed.
+   *
+   * Returns `undefined` outside WebContainer so production deployments keep
+   * the native (fast) hasher and never load `@noble/hashes`.
+   */
+  async resolvePasswordHasher() {
+    const isWebContainer = typeof globalThis !== "undefined" && (Boolean(globalThis.process?.versions?.webcontainer) || Boolean(globalThis.process?.env?.SHELL?.includes?.("jsh")) || Boolean(globalThis.process?.env?.STACKBLITZ));
+    if (!isWebContainer) return void 0;
+    try {
+      const { scryptAsync } = await import("@noble/hashes/scrypt.js");
+      const PARAMS = { N: 16384, r: 16, p: 1, dkLen: 64, maxmem: 128 * 16384 * 16 * 2 };
+      const toHex = (b) => {
+        let s = "";
+        for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+        return s;
+      };
+      const generateKey = (password, saltHex) => scryptAsync(password.normalize("NFKC"), saltHex, PARAMS);
+      return {
+        hash: async (password) => {
+          const saltBytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+          const saltHex = toHex(saltBytes);
+          const key = await generateKey(password, saltHex);
+          return `${saltHex}:${toHex(key)}`;
+        },
+        verify: async ({ hash, password }) => {
+          const [saltHex, keyHex] = hash.split(":");
+          if (!saltHex || !keyHex) throw new Error("Invalid password hash");
+          const target = await generateKey(password, saltHex);
+          return toHex(target) === keyHex;
+        }
+      };
+    } catch (err) {
+      console.warn(
+        `[AuthManager] WebContainer detected but pure-JS scrypt unavailable: ${err?.message ?? err}. Falling back to default.`
+      );
+      return void 0;
+    }
+  }
   /**
    * Build the list of better-auth plugins based on AuthPluginConfig flags.
    *