@objectstack/plugin-auth 6.2.0 → 6.4.0

package/dist/index.d.mts

@@ -217,13 +217,19 @@ declare class AuthManager {
      *
      * better-auth defaults to `@better-auth/utils/password.node`, which calls
      * `node:crypto.scrypt`. WebContainer polyfills that API incompletely and
-     * signup throws `TypeError: y.run is not a function`. The pure-JS variant
-     * at `@better-auth/utils/password` uses `@noble/hashes/scrypt` with
-     * identical params (N=16384, r=16, p=1, dkLen=64) and emits the same
-     * `{salt}:{keyHex}` format, so existing hashes remain verifiable.
+     * signup throws `TypeError: y.run is not a function`.
+     *
+     * We can't dynamic-import `@better-auth/utils/password` because that
+     * package's `exports` map gates the pure-JS build behind a non-`"node"`
+     * condition — Node-the-runtime (which WebContainer reports itself as)
+     * always resolves to `password.node.mjs`. So we reimplement the same hash
+     * here using `@noble/hashes/scrypt` directly, with byte-identical params
+     * (N=16384, r=16, p=1, dkLen=64) and the same `{saltHex}:{keyHex}` storage
+     * format. Hashes produced by either implementation verify against the
+     * other — no migration needed.
      *
      * Returns `undefined` outside WebContainer so production deployments keep
-     * the native (fast) hasher and never load the JS fallback.
+     * the native (fast) hasher and never load `@noble/hashes`.
      */
     private resolvePasswordHasher;
     /**
@@ -298,6 +304,16 @@ declare class AuthManager {
      * Use this for server-side operations (e.g., creating users, checking sessions)
      */
     getApi(): Promise<Auth<any>['api']>;
+    /**
+     * Get the underlying better-auth context for low-level operations such as
+     * `internalAdapter.createAccount` / `password.hash`.
+     *
+     * Used by routes that need to write to better-auth's tables outside the
+     * normal endpoint surface — currently only `set-initial-password`, which
+     * provisions a credential account for SSO-onboarded users so they can
+     * sign in with email/password going forward.
+     */
+    getAuthContext(): Promise<any>;
     getPublicConfig(): {
         emailPassword: {
             enabled: boolean;

package/dist/index.d.ts

@@ -217,13 +217,19 @@ declare class AuthManager {
      *
      * better-auth defaults to `@better-auth/utils/password.node`, which calls
      * `node:crypto.scrypt`. WebContainer polyfills that API incompletely and
-     * signup throws `TypeError: y.run is not a function`. The pure-JS variant
-     * at `@better-auth/utils/password` uses `@noble/hashes/scrypt` with
-     * identical params (N=16384, r=16, p=1, dkLen=64) and emits the same
-     * `{salt}:{keyHex}` format, so existing hashes remain verifiable.
+     * signup throws `TypeError: y.run is not a function`.
+     *
+     * We can't dynamic-import `@better-auth/utils/password` because that
+     * package's `exports` map gates the pure-JS build behind a non-`"node"`
+     * condition — Node-the-runtime (which WebContainer reports itself as)
+     * always resolves to `password.node.mjs`. So we reimplement the same hash
+     * here using `@noble/hashes/scrypt` directly, with byte-identical params
+     * (N=16384, r=16, p=1, dkLen=64) and the same `{saltHex}:{keyHex}` storage
+     * format. Hashes produced by either implementation verify against the
+     * other — no migration needed.
      *
      * Returns `undefined` outside WebContainer so production deployments keep
-     * the native (fast) hasher and never load the JS fallback.
+     * the native (fast) hasher and never load `@noble/hashes`.
      */
     private resolvePasswordHasher;
     /**
@@ -298,6 +304,16 @@ declare class AuthManager {
      * Use this for server-side operations (e.g., creating users, checking sessions)
      */
     getApi(): Promise<Auth<any>['api']>;
+    /**
+     * Get the underlying better-auth context for low-level operations such as
+     * `internalAdapter.createAccount` / `password.hash`.
+     *
+     * Used by routes that need to write to better-auth's tables outside the
+     * normal endpoint surface — currently only `set-initial-password`, which
+     * provisions a credential account for SSO-onboarded users so they can
+     * sign in with email/password going forward.
+     */
+    getAuthContext(): Promise<any>;
     getPublicConfig(): {
         emailPassword: {
             enabled: boolean;

package/dist/index.js

@@ -729,26 +729,49 @@ var AuthManager = class {
    *
    * better-auth defaults to `@better-auth/utils/password.node`, which calls
    * `node:crypto.scrypt`. WebContainer polyfills that API incompletely and
-   * signup throws `TypeError: y.run is not a function`. The pure-JS variant
-   * at `@better-auth/utils/password` uses `@noble/hashes/scrypt` with
-   * identical params (N=16384, r=16, p=1, dkLen=64) and emits the same
-   * `{salt}:{keyHex}` format, so existing hashes remain verifiable.
+   * signup throws `TypeError: y.run is not a function`.
+   *
+   * We can't dynamic-import `@better-auth/utils/password` because that
+   * package's `exports` map gates the pure-JS build behind a non-`"node"`
+   * condition — Node-the-runtime (which WebContainer reports itself as)
+   * always resolves to `password.node.mjs`. So we reimplement the same hash
+   * here using `@noble/hashes/scrypt` directly, with byte-identical params
+   * (N=16384, r=16, p=1, dkLen=64) and the same `{saltHex}:{keyHex}` storage
+   * format. Hashes produced by either implementation verify against the
+   * other — no migration needed.
    *
    * Returns `undefined` outside WebContainer so production deployments keep
-   * the native (fast) hasher and never load the JS fallback.
+   * the native (fast) hasher and never load `@noble/hashes`.
    */
   async resolvePasswordHasher() {
     const isWebContainer = typeof globalThis !== "undefined" && (Boolean(globalThis.process?.versions?.webcontainer) || Boolean(globalThis.process?.env?.SHELL?.includes?.("jsh")) || Boolean(globalThis.process?.env?.STACKBLITZ));
     if (!isWebContainer) return void 0;
     try {
-      const mod = await import("@better-auth/utils/password");
+      const { scryptAsync } = await import("@noble/hashes/scrypt.js");
+      const PARAMS = { N: 16384, r: 16, p: 1, dkLen: 64, maxmem: 128 * 16384 * 16 * 2 };
+      const toHex = (b) => {
+        let s = "";
+        for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+        return s;
+      };
+      const generateKey = (password, saltHex) => scryptAsync(password.normalize("NFKC"), saltHex, PARAMS);
       return {
-        hash: (password) => mod.hashPassword(password),
-        verify: ({ hash, password }) => mod.verifyPassword(hash, password)
+        hash: async (password) => {
+          const saltBytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+          const saltHex = toHex(saltBytes);
+          const key = await generateKey(password, saltHex);
+          return `${saltHex}:${toHex(key)}`;
+        },
+        verify: async ({ hash, password }) => {
+          const [saltHex, keyHex] = hash.split(":");
+          if (!saltHex || !keyHex) throw new Error("Invalid password hash");
+          const target = await generateKey(password, saltHex);
+          return toHex(target) === keyHex;
+        }
       };
     } catch (err) {
       console.warn(
-        `[AuthManager] WebContainer detected but pure-JS password hasher unavailable: ${err?.message ?? err}. Falling back to default.`
+        `[AuthManager] WebContainer detected but pure-JS scrypt unavailable: ${err?.message ?? err}. Falling back to default.`
       );
       return void 0;
     }
@@ -1122,7 +1145,8 @@ var AuthManager = class {
    */
   async handleRequest(request) {
     const auth = await this.getOrCreateAuth();
-    const response = await auth.handler(request);
+    const { runWithRequestState } = await import("@better-auth/core/context");
+    const response = await runWithRequestState(/* @__PURE__ */ new WeakMap(), () => auth.handler(request));
     if (response.status >= 500) {
       try {
         const body = await response.clone().text();
@@ -1141,6 +1165,19 @@ var AuthManager = class {
     const auth = await this.getOrCreateAuth();
     return auth.api;
   }
+  /**
+   * Get the underlying better-auth context for low-level operations such as
+   * `internalAdapter.createAccount` / `password.hash`.
+   *
+   * Used by routes that need to write to better-auth's tables outside the
+   * normal endpoint surface — currently only `set-initial-password`, which
+   * provisions a credential account for SSO-onboarded users so they can
+   * sign in with email/password going forward.
+   */
+  async getAuthContext() {
+    const auth = await this.getOrCreateAuth();
+    return auth.$context;
+  }
   // ---------------------------------------------------------------------------
   // Device Flow (CLI browser-based login)
   //
@@ -1438,6 +1475,61 @@ var AuthPlugin = class {
         return c.json({ hasOwner: true });
       }
     });
+    rawApp.post(`${basePath}/set-initial-password`, async (c) => {
+      try {
+        let body = {};
+        try {
+          body = await c.req.json();
+        } catch {
+          body = {};
+        }
+        const newPassword = body?.newPassword;
+        if (typeof newPassword !== "string" || newPassword.length === 0) {
+          return c.json({ success: false, error: { code: "invalid_request", message: "newPassword is required" } }, 400);
+        }
+        const authApi = await this.authManager.getApi();
+        const session = await authApi.getSession({ headers: c.req.raw.headers });
+        if (!session?.user?.id) {
+          return c.json({ success: false, error: { code: "unauthorized", message: "Sign in first" } }, 401);
+        }
+        const userId = session.user.id;
+        const authCtx = await this.authManager.getAuthContext();
+        if (!authCtx?.internalAdapter || !authCtx?.password) {
+          return c.json({ success: false, error: { code: "unavailable", message: "Auth context unavailable" } }, 503);
+        }
+        const minLen = authCtx.password?.config?.minPasswordLength ?? 8;
+        const maxLen = authCtx.password?.config?.maxPasswordLength ?? 128;
+        if (newPassword.length < minLen) {
+          return c.json({ success: false, error: { code: "password_too_short", message: `Password must be at least ${minLen} characters` } }, 400);
+        }
+        if (newPassword.length > maxLen) {
+          return c.json({ success: false, error: { code: "password_too_long", message: `Password must be at most ${maxLen} characters` } }, 400);
+        }
+        const accounts = await authCtx.internalAdapter.findAccounts(userId);
+        const existingCredential = accounts?.find?.((a) => a.providerId === "credential" && a.password);
+        if (existingCredential) {
+          return c.json({
+            success: false,
+            error: {
+              code: "credential_account_exists",
+              message: "A local password is already set for this account. Use change-password instead."
+            }
+          }, 409);
+        }
+        const passwordHash = await authCtx.password.hash(newPassword);
+        await authCtx.internalAdapter.createAccount({
+          userId,
+          providerId: "credential",
+          accountId: userId,
+          password: passwordHash
+        });
+        return c.json({ success: true });
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error("[AuthPlugin] set-initial-password failed", err);
+        return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
+      }
+    });
     rawApp.all(`${basePath}/*`, async (c) => {
       try {
         const response = await this.authManager.handleRequest(c.req.raw);