@objectstack/plugin-auth 6.3.0 → 6.5.0

package/dist/index.d.mts

@@ -304,6 +304,16 @@ declare class AuthManager {
      * Use this for server-side operations (e.g., creating users, checking sessions)
      */
     getApi(): Promise<Auth<any>['api']>;
+    /**
+     * Get the underlying better-auth context for low-level operations such as
+     * `internalAdapter.createAccount` / `password.hash`.
+     *
+     * Used by routes that need to write to better-auth's tables outside the
+     * normal endpoint surface — currently only `set-initial-password`, which
+     * provisions a credential account for SSO-onboarded users so they can
+     * sign in with email/password going forward.
+     */
+    getAuthContext(): Promise<any>;
     getPublicConfig(): {
         emailPassword: {
             enabled: boolean;

package/dist/index.d.ts

@@ -304,6 +304,16 @@ declare class AuthManager {
      * Use this for server-side operations (e.g., creating users, checking sessions)
      */
     getApi(): Promise<Auth<any>['api']>;
+    /**
+     * Get the underlying better-auth context for low-level operations such as
+     * `internalAdapter.createAccount` / `password.hash`.
+     *
+     * Used by routes that need to write to better-auth's tables outside the
+     * normal endpoint surface — currently only `set-initial-password`, which
+     * provisions a credential account for SSO-onboarded users so they can
+     * sign in with email/password going forward.
+     */
+    getAuthContext(): Promise<any>;
     getPublicConfig(): {
         emailPassword: {
             enabled: boolean;

package/dist/index.js

@@ -1145,7 +1145,8 @@ var AuthManager = class {
    */
   async handleRequest(request) {
     const auth = await this.getOrCreateAuth();
-    const response = await auth.handler(request);
+    const { runWithRequestState } = await import("@better-auth/core/context");
+    const response = await runWithRequestState(/* @__PURE__ */ new WeakMap(), () => auth.handler(request));
     if (response.status >= 500) {
       try {
         const body = await response.clone().text();
@@ -1164,6 +1165,19 @@ var AuthManager = class {
     const auth = await this.getOrCreateAuth();
     return auth.api;
   }
+  /**
+   * Get the underlying better-auth context for low-level operations such as
+   * `internalAdapter.createAccount` / `password.hash`.
+   *
+   * Used by routes that need to write to better-auth's tables outside the
+   * normal endpoint surface — currently only `set-initial-password`, which
+   * provisions a credential account for SSO-onboarded users so they can
+   * sign in with email/password going forward.
+   */
+  async getAuthContext() {
+    const auth = await this.getOrCreateAuth();
+    return auth.$context;
+  }
   // ---------------------------------------------------------------------------
   // Device Flow (CLI browser-based login)
   //
@@ -1461,6 +1475,61 @@ var AuthPlugin = class {
         return c.json({ hasOwner: true });
       }
     });
+    rawApp.post(`${basePath}/set-initial-password`, async (c) => {
+      try {
+        let body = {};
+        try {
+          body = await c.req.json();
+        } catch {
+          body = {};
+        }
+        const newPassword = body?.newPassword;
+        if (typeof newPassword !== "string" || newPassword.length === 0) {
+          return c.json({ success: false, error: { code: "invalid_request", message: "newPassword is required" } }, 400);
+        }
+        const authApi = await this.authManager.getApi();
+        const session = await authApi.getSession({ headers: c.req.raw.headers });
+        if (!session?.user?.id) {
+          return c.json({ success: false, error: { code: "unauthorized", message: "Sign in first" } }, 401);
+        }
+        const userId = session.user.id;
+        const authCtx = await this.authManager.getAuthContext();
+        if (!authCtx?.internalAdapter || !authCtx?.password) {
+          return c.json({ success: false, error: { code: "unavailable", message: "Auth context unavailable" } }, 503);
+        }
+        const minLen = authCtx.password?.config?.minPasswordLength ?? 8;
+        const maxLen = authCtx.password?.config?.maxPasswordLength ?? 128;
+        if (newPassword.length < minLen) {
+          return c.json({ success: false, error: { code: "password_too_short", message: `Password must be at least ${minLen} characters` } }, 400);
+        }
+        if (newPassword.length > maxLen) {
+          return c.json({ success: false, error: { code: "password_too_long", message: `Password must be at most ${maxLen} characters` } }, 400);
+        }
+        const accounts = await authCtx.internalAdapter.findAccounts(userId);
+        const existingCredential = accounts?.find?.((a) => a.providerId === "credential" && a.password);
+        if (existingCredential) {
+          return c.json({
+            success: false,
+            error: {
+              code: "credential_account_exists",
+              message: "A local password is already set for this account. Use change-password instead."
+            }
+          }, 409);
+        }
+        const passwordHash = await authCtx.password.hash(newPassword);
+        await authCtx.internalAdapter.createAccount({
+          userId,
+          providerId: "credential",
+          accountId: userId,
+          password: passwordHash
+        });
+        return c.json({ success: true });
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error("[AuthPlugin] set-initial-password failed", err);
+        return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
+      }
+    });
     rawApp.all(`${basePath}/*`, async (c) => {
       try {
         const response = await this.authManager.handleRequest(c.req.raw);