@objectstack/plugin-auth 7.1.0 → 7.2.1

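--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -71,6 +71,9 @@ module.exports = __toCommonJS(index_exports);
  var import_apps = require("@objectstack/platform-objects/apps");
  var import_pages = require("@objectstack/platform-objects/pages");
 
+ // src/auth-manager.ts
+ var import_types = require("@objectstack/types");
+
  // src/objectql-adapter.ts
  var import_adapters = require("better-auth/adapters");
  var import_system = require("@objectstack/spec/system");
@@ -783,10 +786,10 @@ var AuthManager = class {
  })
  },
  // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
- // Auto-includes origins from CORS_ORIGIN env var so CORS and CSRF stay in sync.
+ // Auto-includes origins from OS_CORS_ORIGIN env var so CORS and CSRF stay in sync.
  ...(() => {
  const origins = [...this.config.trustedOrigins || []];
- const corsOrigin = process.env.CORS_ORIGIN;
+ const corsOrigin = (0, import_types.readEnvWithDeprecation)("OS_CORS_ORIGIN", "CORS_ORIGIN");
  if (corsOrigin && corsOrigin !== "*") {
  corsOrigin.split(",").map((s) => s.trim()).filter(Boolean).forEach((o) => {
  if (!origins.includes(o)) origins.push(o);
@@ -948,9 +951,8 @@ var AuthManager = class {
  beforeCreateOrganization: async () => {
  const env = globalThis?.process?.env ?? {};
  const explicit = env.OS_MULTI_ORG_ENABLED;
- const flag = String(
- explicit ?? env.OS_MULTI_TENANT ?? "false"
- ).toLowerCase();
+ const legacy = explicit === void 0 ? (0, import_types.readEnvWithDeprecation)("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") : explicit;
+ const flag = String(legacy ?? "false").toLowerCase();
  if (flag === "false") {
  const { APIError } = await import("better-auth/api");
  throw new APIError("FORBIDDEN", {
@@ -1092,18 +1094,22 @@ var AuthManager = class {
  plugins.push(jwt({ schema: buildJwtPluginSchema() }));
  const { oauthProvider } = await import("@better-auth/oauth-provider");
  const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
+ const uiBase = (this.config.uiBasePath ?? "/_console").replace(/\/$/, "");
  plugins.push(oauthProvider({
- // Account SPA renders both pages see apps/account.
- loginPage: `${baseUrl}/_account/login`,
- consentPage: `${baseUrl}/_account/oauth/consent`,
+ // Console SPA renders both pages (replaces the legacy Account SPA at
+ // /_account). Override `uiBasePath` in AuthConfig if Console is
+ // mounted elsewhere.
+ loginPage: `${baseUrl}${uiBase}/login`,
+ consentPage: `${baseUrl}${uiBase}/oauth/consent`,
  schema: buildOauthProviderPluginSchema()
  }));
  }
  if (enabled.deviceAuthorization) {
  const { deviceAuthorization } = await import("better-auth/plugins/device-authorization");
  const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
+ const uiBase = (this.config.uiBasePath ?? "/_console").replace(/\/$/, "");
  plugins.push(deviceAuthorization({
- verificationUri: `${baseUrl}/_account/auth/device`,
+ verificationUri: `${baseUrl}${uiBase}/auth/device`,
  schema: buildDeviceAuthorizationPluginSchema()
  }));
  }
@@ -1183,11 +1189,11 @@ var AuthManager = class {
  * Generate a secure secret if not provided
  */
  generateSecret() {
- const envSecret = process.env.AUTH_SECRET;
+ const envSecret = (0, import_types.readEnvWithDeprecation)("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]);
  if (!envSecret) {
  const fallbackSecret = "dev-secret-" + Date.now();
  console.warn(
- "\u26A0\uFE0F WARNING: No AUTH_SECRET environment variable set! Using a temporary development secret. This is NOT secure for production use. Please set AUTH_SECRET in your environment variables."
+ "\u26A0\uFE0F WARNING: No OS_AUTH_SECRET environment variable set! Using a temporary development secret. This is NOT secure for production use. Please set OS_AUTH_SECRET in your environment variables."
  );
  return fallbackSecret;
  }
@@ -1340,9 +1346,8 @@ var AuthManager = class {
  };
  const pluginConfig = this.config.plugins ?? {};
  const multiOrgEnv = globalThis?.process?.env ?? {};
- const multiOrgEnabled = String(
- multiOrgEnv.OS_MULTI_ORG_ENABLED ?? multiOrgEnv.OS_MULTI_TENANT ?? "false"
- ).toLowerCase() !== "false";
+ const multiOrgRaw = multiOrgEnv.OS_MULTI_ORG_ENABLED !== void 0 ? multiOrgEnv.OS_MULTI_ORG_ENABLED : (0, import_types.readEnvWithDeprecation)("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false";
+ const multiOrgEnabled = String(multiOrgRaw).toLowerCase() !== "false";
  const DEFAULT_TERMS_URL = "https://objectstack.ai/terms";
  const DEFAULT_PRIVACY_URL = "https://objectstack.ai/privacy";
  const rawTermsUrl = globalThis?.process?.env?.OS_TERMS_URL;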
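Review bot: In generateSecret() (hunk @@ -1183,11 +1189,11), the path taken when no secret variable resolves still returns `"dev-secret-" + Date.now()` after only a console.warn, so a deployment that misses the rename to OS_AUTH_SECRET runs with an auth secret that can be estimated from the process start time. readEnvWithDeprecation is not visible on this page, so whether AUTH_SECRET and BETTER_AUTH_SECRET are still honoured depends on that helper; presumably they are, but that should be confirmed. I would fail closed outside development, `if (process.env.NODE_ENV === "production") throw new Error("OS_AUTH_SECRET is required in production");`, and make the development fallback unguessable with `const fallbackSecret = require("node:crypto").randomBytes(32).toString("hex");`. The function body continues past the end of the hunk, so the handling of a non-empty envSecret is not shown.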