@objectstack/plugin-auth 7.1.0 → 7.2.1

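--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -7,6 +7,9 @@ import {
  } from "@objectstack/platform-objects/apps";
  import { SysOrganizationDetailPage, SysUserDetailPage } from "@objectstack/platform-objects/pages";
 
+ // src/auth-manager.ts
+ import { readEnvWithDeprecation } from "@objectstack/types";
+
  // src/objectql-adapter.ts
  import { createAdapterFactory } from "better-auth/adapters";
  import { SystemObjectName } from "@objectstack/spec/system";
@@ -719,10 +722,10 @@ var AuthManager = class {
  })
  },
  // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
- // Auto-includes origins from CORS_ORIGIN env var so CORS and CSRF stay in sync.
+ // Auto-includes origins from OS_CORS_ORIGIN env var so CORS and CSRF stay in sync.
  ...(() => {
  const origins = [...this.config.trustedOrigins || []];
- const corsOrigin = process.env.CORS_ORIGIN;
+ const corsOrigin = readEnvWithDeprecation("OS_CORS_ORIGIN", "CORS_ORIGIN");
  if (corsOrigin && corsOrigin !== "*") {
  corsOrigin.split(",").map((s) => s.trim()).filter(Boolean).forEach((o) => {
  if (!origins.includes(o)) origins.push(o);
@@ -884,9 +887,8 @@ var AuthManager = class {
  beforeCreateOrganization: async () => {
  const env = globalThis?.process?.env ?? {};
  const explicit = env.OS_MULTI_ORG_ENABLED;
- const flag = String(
- explicit ?? env.OS_MULTI_TENANT ?? "false"
- ).toLowerCase();
+ const legacy = explicit === void 0 ? readEnvWithDeprecation("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") : explicit;
+ const flag = String(legacy ?? "false").toLowerCase();
  if (flag === "false") {
  const { APIError } = await import("better-auth/api");
  throw new APIError("FORBIDDEN", {
@@ -1028,18 +1030,22 @@ var AuthManager = class {
  plugins.push(jwt({ schema: buildJwtPluginSchema() }));
  const { oauthProvider } = await import("@better-auth/oauth-provider");
  const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
+ const uiBase = (this.config.uiBasePath ?? "/_console").replace(/\/$/, "");
  plugins.push(oauthProvider({
- // Account SPA renders both pages see apps/account.
- loginPage: `${baseUrl}/_account/login`,
- consentPage: `${baseUrl}/_account/oauth/consent`,
+ // Console SPA renders both pages (replaces the legacy Account SPA at
+ // /_account). Override `uiBasePath` in AuthConfig if Console is
+ // mounted elsewhere.
+ loginPage: `${baseUrl}${uiBase}/login`,
+ consentPage: `${baseUrl}${uiBase}/oauth/consent`,
  schema: buildOauthProviderPluginSchema()
  }));
  }
  if (enabled.deviceAuthorization) {
  const { deviceAuthorization } = await import("better-auth/plugins/device-authorization");
  const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
+ const uiBase = (this.config.uiBasePath ?? "/_console").replace(/\/$/, "");
  plugins.push(deviceAuthorization({
- verificationUri: `${baseUrl}/_account/auth/device`,
+ verificationUri: `${baseUrl}${uiBase}/auth/device`,
  schema: buildDeviceAuthorizationPluginSchema()
  }));
  }
@@ -1119,11 +1125,11 @@ var AuthManager = class {
  * Generate a secure secret if not provided
  */
  generateSecret() {
- const envSecret = process.env.AUTH_SECRET;
+ const envSecret = readEnvWithDeprecation("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]);
  if (!envSecret) {
  const fallbackSecret = "dev-secret-" + Date.now();
  console.warn(
- "\u26A0\uFE0F WARNING: No AUTH_SECRET environment variable set! Using a temporary development secret. This is NOT secure for production use. Please set AUTH_SECRET in your environment variables."
+ "\u26A0\uFE0F WARNING: No OS_AUTH_SECRET environment variable set! Using a temporary development secret. This is NOT secure for production use. Please set OS_AUTH_SECRET in your environment variables."
  );
  return fallbackSecret;
  }
@@ -1276,9 +1282,8 @@ var AuthManager = class {
  };
  const pluginConfig = this.config.plugins ?? {};
  const multiOrgEnv = globalThis?.process?.env ?? {};
- const multiOrgEnabled = String(
- multiOrgEnv.OS_MULTI_ORG_ENABLED ?? multiOrgEnv.OS_MULTI_TENANT ?? "false"
- ).toLowerCase() !== "false";
+ const multiOrgRaw = multiOrgEnv.OS_MULTI_ORG_ENABLED !== void 0 ? multiOrgEnv.OS_MULTI_ORG_ENABLED : readEnvWithDeprecation("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false";
+ const multiOrgEnabled = String(multiOrgRaw).toLowerCase() !== "false";
  const DEFAULT_TERMS_URL = "https://objectstack.ai/terms";
  const DEFAULT_PRIVACY_URL = "https://objectstack.ai/privacy";
  const rawTermsUrl = globalThis?.process?.env?.OS_TERMS_URL;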
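Review bot: In the `@@ -1119,11 +1125,11 @@` hunk, generateSecret() still returns `"dev-secret-" + Date.now()` when no secret variable is set, and the only guard is a console.warn; a value built from the process start time is guessable, so anything signed with it has to be treated as forgeable. The change widens the lookup to OS_AUTH_SECRET, AUTH_SECRET and BETTER_AUTH_SECRET but keeps that fallback, so a deployment that sets none of them still starts and serves traffic. I would fail closed outside development, `if (process.env.NODE_ENV === "production") throw new Error("OS_AUTH_SECRET is required in production");`, and make the development fallback random, `const fallbackSecret = randomBytes(32).toString("hex");` with `randomBytes` imported from `node:crypto`. The function body continues past the hunk, and since this file is build output the change belongs in src/auth-manager.ts.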