npm - @objectstack/plugin-auth - Versions diffs - 6.2.0 → 6.4.0 - Mend

@objectstack/plugin-auth 6.2.0 → 6.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -665,26 +665,49 @@ var AuthManager = class {
    *
    * better-auth defaults to `@better-auth/utils/password.node`, which calls
    * `node:crypto.scrypt`. WebContainer polyfills that API incompletely and
-   * signup throws `TypeError: y.run is not a function`. The pure-JS variant
-   * at `@better-auth/utils/password` uses `@noble/hashes/scrypt` with
-   * identical params (N=16384, r=16, p=1, dkLen=64) and emits the same
-   * `{salt}:{keyHex}` format, so existing hashes remain verifiable.
+   * signup throws `TypeError: y.run is not a function`.
+   *
+   * We can't dynamic-import `@better-auth/utils/password` because that
+   * package's `exports` map gates the pure-JS build behind a non-`"node"`
+   * condition — Node-the-runtime (which WebContainer reports itself as)
+   * always resolves to `password.node.mjs`. So we reimplement the same hash
+   * here using `@noble/hashes/scrypt` directly, with byte-identical params
+   * (N=16384, r=16, p=1, dkLen=64) and the same `{saltHex}:{keyHex}` storage
+   * format. Hashes produced by either implementation verify against the
+   * other — no migration needed.
    *
    * Returns `undefined` outside WebContainer so production deployments keep
-   * the native (fast) hasher and never load the JS fallback.
+   * the native (fast) hasher and never load `@noble/hashes`.
    */
   async resolvePasswordHasher() {
     const isWebContainer = typeof globalThis !== "undefined" && (Boolean(globalThis.process?.versions?.webcontainer) || Boolean(globalThis.process?.env?.SHELL?.includes?.("jsh")) || Boolean(globalThis.process?.env?.STACKBLITZ));
     if (!isWebContainer) return void 0;
     try {
-      const mod = await import("@better-auth/utils/password");
+      const { scryptAsync } = await import("@noble/hashes/scrypt.js");
+      const PARAMS = { N: 16384, r: 16, p: 1, dkLen: 64, maxmem: 128 * 16384 * 16 * 2 };
+      const toHex = (b) => {
+        let s = "";
+        for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+        return s;
+      };
+      const generateKey = (password, saltHex) => scryptAsync(password.normalize("NFKC"), saltHex, PARAMS);
       return {
-        hash: (password) => mod.hashPassword(password),
-        verify: ({ hash, password }) => mod.verifyPassword(hash, password)
+        hash: async (password) => {
+          const saltBytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+          const saltHex = toHex(saltBytes);
+          const key = await generateKey(password, saltHex);
+          return `${saltHex}:${toHex(key)}`;
+        },
+        verify: async ({ hash, password }) => {
+          const [saltHex, keyHex] = hash.split(":");
+          if (!saltHex || !keyHex) throw new Error("Invalid password hash");
+          const target = await generateKey(password, saltHex);
+          return toHex(target) === keyHex;
+        }
       };
     } catch (err) {
       console.warn(
-        `[AuthManager] WebContainer detected but pure-JS password hasher unavailable: ${err?.message ?? err}. Falling back to default.`
+        `[AuthManager] WebContainer detected but pure-JS scrypt unavailable: ${err?.message ?? err}. Falling back to default.`
       );
       return void 0;
     }
@@ -1058,7 +1081,8 @@ var AuthManager = class {
    */
   async handleRequest(request) {
     const auth = await this.getOrCreateAuth();
-    const response = await auth.handler(request);
+    const { runWithRequestState } = await import("@better-auth/core/context");
+    const response = await runWithRequestState(/* @__PURE__ */ new WeakMap(), () => auth.handler(request));
     if (response.status >= 500) {
       try {
         const body = await response.clone().text();
@@ -1077,6 +1101,19 @@ var AuthManager = class {
     const auth = await this.getOrCreateAuth();
     return auth.api;
   }
+  /**
+   * Get the underlying better-auth context for low-level operations such as
+   * `internalAdapter.createAccount` / `password.hash`.
+   *
+   * Used by routes that need to write to better-auth's tables outside the
+   * normal endpoint surface — currently only `set-initial-password`, which
+   * provisions a credential account for SSO-onboarded users so they can
+   * sign in with email/password going forward.
+   */
+  async getAuthContext() {
+    const auth = await this.getOrCreateAuth();
+    return auth.$context;
+  }
   // ---------------------------------------------------------------------------
   // Device Flow (CLI browser-based login)
   //
@@ -1393,6 +1430,61 @@ var AuthPlugin = class {
         return c.json({ hasOwner: true });
       }
     });
+    rawApp.post(`${basePath}/set-initial-password`, async (c) => {
+      try {
+        let body = {};
+        try {
+          body = await c.req.json();
+        } catch {
+          body = {};
+        }
+        const newPassword = body?.newPassword;
+        if (typeof newPassword !== "string" || newPassword.length === 0) {
+          return c.json({ success: false, error: { code: "invalid_request", message: "newPassword is required" } }, 400);
+        }
+        const authApi = await this.authManager.getApi();
+        const session = await authApi.getSession({ headers: c.req.raw.headers });
+        if (!session?.user?.id) {
+          return c.json({ success: false, error: { code: "unauthorized", message: "Sign in first" } }, 401);
+        }
+        const userId = session.user.id;
+        const authCtx = await this.authManager.getAuthContext();
+        if (!authCtx?.internalAdapter || !authCtx?.password) {
+          return c.json({ success: false, error: { code: "unavailable", message: "Auth context unavailable" } }, 503);
+        }
+        const minLen = authCtx.password?.config?.minPasswordLength ?? 8;
+        const maxLen = authCtx.password?.config?.maxPasswordLength ?? 128;
+        if (newPassword.length < minLen) {
+          return c.json({ success: false, error: { code: "password_too_short", message: `Password must be at least ${minLen} characters` } }, 400);
+        }
+        if (newPassword.length > maxLen) {
+          return c.json({ success: false, error: { code: "password_too_long", message: `Password must be at most ${maxLen} characters` } }, 400);
+        }
+        const accounts = await authCtx.internalAdapter.findAccounts(userId);
+        const existingCredential = accounts?.find?.((a) => a.providerId === "credential" && a.password);
+        if (existingCredential) {
+          return c.json({
+            success: false,
+            error: {
+              code: "credential_account_exists",
+              message: "A local password is already set for this account. Use change-password instead."
+            }
+          }, 409);
+        }
+        const passwordHash = await authCtx.password.hash(newPassword);
+        await authCtx.internalAdapter.createAccount({
+          userId,
+          providerId: "credential",
+          accountId: userId,
+          password: passwordHash
+        });
+        return c.json({ success: true });
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error("[AuthPlugin] set-initial-password failed", err);
+        return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
+      }
+    });
     rawApp.all(`${basePath}/*`, async (c) => {
       try {
         const response = await this.authManager.handleRequest(c.req.raw);