@oglofus/auth 1.1.0 → 1.1.2

package/README.md

@@ -29,6 +29,7 @@ Optional for app-level integrations:
 
 - `arctic` for OAuth providers in your app code.
 - `@oslojs/otp` if you need direct OTP utilities in your app (the library already uses it internally for TOTP).
+- `stripe` if you use the Stripe billing plugin.
 
 ## Quick Start (Password)
 
@@ -127,15 +128,9 @@ You can build issues with helpers:
 ```ts
 import { createIssue, createIssueFactory } from "@oglofus/auth";
 
-const issue = createIssueFactory<{ email: string; profile: unknown }>([
-  "email",
-  "profile",
-] as const);
+const issue = createIssueFactory<{ email: string; profile: unknown }>(["email", "profile"] as const);
 issue.email("Email is required");
-issue.$path(
-  ["profile", { key: "addresses" }, { index: 0 }, "city"],
-  "City is required",
-);
+issue.$path(["profile", { key: "addresses" }, { index: 0 }, "city"], "City is required");
 createIssue("Generic failure");
 ```
 
@@ -240,6 +235,14 @@ const result = await auth.authenticate({
 - Multi-tenant orgs, memberships, role inheritance, feature/limit entitlements, invites.
 - Validates role topology on startup (default role, owner role presence, inheritance cycles).
 
+### Stripe (Domain Plugin)
+
+- Method: `"stripe"`
+- User and organization subscriptions with typed billing subjects.
+- Checkout session creation, billing portal sessions, webhook verification, local subscription snapshots.
+- Plan-level features and limits, trial tracking, and organization entitlement merge support.
+- Requires the `stripe` package in your application.
+
 ## Account Discovery
 
 Use `discover(...)` to support login/register routing logic before full auth:
@@ -257,6 +260,8 @@ See ready-to-copy integrations:
 - [`examples/sveltekit-email-otp`](./examples/sveltekit-email-otp)
 - [`examples/oauth2-google-arctic`](./examples/oauth2-google-arctic)
 - [`examples/two-factor-totp-oslo`](./examples/two-factor-totp-oslo)
+- [`examples/stripe-user-billing`](./examples/stripe-user-billing)
+- [`examples/stripe-organization-billing`](./examples/stripe-organization-billing)
 
 ## Scripts
 

package/dist/core/auth.d.ts

@@ -1,6 +1,6 @@
-import { type AuthResult, type OperationResult } from "../types/results.js";
-import type { AuthConfig, AuthenticateInputFromPlugins, AuthPublicApi, AnyPlugin, PluginApiMap, PluginMethodsWithApi, RegisterInputFromPlugins } from "../types/plugins.js";
 import type { AuthRequestContext, CompleteProfileInput, DiscoverAccountDecision, DiscoverAccountInput, TwoFactorVerifyInput, UserBase } from "../types/model.js";
+import type { AnyPlugin, AuthConfig, AuthPublicApi, AuthenticateInputFromPlugins, PluginApiForMethod, PluginMethodsWithApi, RegisterInputFromPlugins } from "../types/plugins.js";
+import { type AuthResult, type OperationResult } from "../types/results.js";
 export declare class OglofusAuth<U extends UserBase, P extends readonly AnyPlugin<U>[]> implements AuthPublicApi<U, P> {
     private readonly config;
     private readonly pluginMap;
@@ -10,7 +10,7 @@ export declare class OglofusAuth<U extends UserBase, P extends readonly AnyPlugi
     discover(input: DiscoverAccountInput, request?: AuthRequestContext): Promise<OperationResult<DiscoverAccountDecision>>;
     authenticate(input: AuthenticateInputFromPlugins<P>, request?: AuthRequestContext): Promise<AuthResult<U>>;
     register(input: RegisterInputFromPlugins<P>, request?: AuthRequestContext): Promise<AuthResult<U>>;
-    method<M extends PluginMethodsWithApi<P>>(method: M): PluginApiMap<P>[M];
+    method<M extends PluginMethodsWithApi<P>>(method: M): PluginApiForMethod<P, M>;
     verifySecondFactor(input: TwoFactorVerifyInput, request?: AuthRequestContext): Promise<AuthResult<U>>;
     completeProfile(input: CompleteProfileInput<U>, request?: AuthRequestContext): Promise<AuthResult<U>>;
     validateSession(sessionId: string, _request?: AuthRequestContext): Promise<{

package/dist/core/auth.js

@@ -1,7 +1,7 @@
 import { AuthError } from "../errors/index.js";
+import { createIssue } from "../issues/index.js";
 import { errorOperation, errorResult, successOperation, successResult, } from "../types/results.js";
 import { DEFAULT_SESSION_TTL_SECONDS, addSeconds, createId, deterministicTokenHash, normalizeEmailDefault, now, } from "./utils.js";
-import { createIssue } from "../issues/index.js";
 const hasEmail = (value) => typeof value === "object" && value !== null && "email" in value && typeof value.email === "string";
 const toAuthError = (error) => {
     if (error instanceof AuthError) {
@@ -26,6 +26,12 @@ export class OglofusAuth {
         this.config = config;
         this.normalizeEmail = config.normalize?.email ?? normalizeEmailDefault;
         this.validatePlugins();
+        const getPluginApi = (method) => {
+            if (!this.apiMap.has(method)) {
+                return null;
+            }
+            return this.apiMap.get(method);
+        };
         for (const plugin of config.plugins) {
             this.pluginMap.set(plugin.method, plugin);
             if (plugin.createApi) {
@@ -33,6 +39,7 @@ export class OglofusAuth {
                     adapters: this.config.adapters,
                     now,
                     security: this.config.security,
+                    getPluginApi,
                 }));
             }
         }
@@ -410,6 +417,12 @@ export class OglofusAuth {
             now,
             security: this.config.security,
             request,
+            getPluginApi: (method) => {
+                if (!this.apiMap.has(method)) {
+                    return null;
+                }
+                return this.apiMap.get(method);
+            },
         };
     }
     async createSession(userId) {
@@ -453,9 +466,7 @@ export class OglofusAuth {
         if (result.allowed) {
             return null;
         }
-        return new AuthError("RATE_LIMITED", "Too many requests.", 429, [], result.retryAfterSeconds === undefined
-            ? undefined
-            : { retryAfterSeconds: result.retryAfterSeconds });
+        return new AuthError("RATE_LIMITED", "Too many requests.", 429, [], result.retryAfterSeconds === undefined ? undefined : { retryAfterSeconds: result.retryAfterSeconds });
     }
     makeRateLimitKey(scope, identity, request) {
         if (!request?.ip) {
@@ -521,6 +532,7 @@ export class OglofusAuth {
         const methods = new Set();
         let twoFactorCount = 0;
         let organizationsCount = 0;
+        let stripeCount = 0;
         for (const plugin of this.config.plugins) {
             if (methods.has(plugin.method)) {
                 throw new AuthError("PLUGIN_METHOD_CONFLICT", `Plugin method conflict for '${plugin.method}'.`, 500);
@@ -532,6 +544,9 @@ export class OglofusAuth {
             if (plugin.method === "organizations") {
                 organizationsCount += 1;
             }
+            if (plugin.method === "stripe") {
+                stripeCount += 1;
+            }
             if (plugin.kind === "auth_method") {
                 if (plugin.supports.register && !plugin.register) {
                     throw new AuthError("PLUGIN_MISCONFIGURED", `Plugin '${plugin.method}' declares register support but no register handler.`, 500);
@@ -553,6 +568,9 @@ export class OglofusAuth {
         if (organizationsCount > 1) {
             throw new AuthError("PLUGIN_MISCONFIGURED", "At most one organizations plugin is allowed.", 500);
         }
+        if (stripeCount > 1) {
+            throw new AuthError("PLUGIN_MISCONFIGURED", "At most one stripe plugin is allowed.", 500);
+        }
         if ((this.config.accountDiscovery?.mode ?? "private") === "explicit" && !this.config.adapters.identity) {
             throw new AuthError("PLUGIN_MISCONFIGURED", "identity adapter is required when accountDiscovery.mode is explicit.", 500);
         }

package/dist/core/validators.js

@@ -1,5 +1,5 @@
-import { createIssue } from "../issues/index.js";
 import { AuthError } from "../errors/index.js";
+import { createIssue } from "../issues/index.js";
 export const ensureFields = (source, fields, basePath = []) => {
     const issues = fields
         .filter((field) => {

package/dist/errors/index.d.ts

@@ -1,7 +1,6 @@
-import type { UserBase } from "../types/model.js";
-import type { ProfileCompletionState, TwoFactorRequiredMeta } from "../types/model.js";
 import type { Issue } from "../issues/index.js";
-export type AuthErrorCode = "INVALID_INPUT" | "METHOD_DISABLED" | "METHOD_NOT_REGISTERABLE" | "ACCOUNT_NOT_FOUND" | "ACCOUNT_EXISTS" | "ACCOUNT_EXISTS_WITH_DIFFERENT_METHOD" | "ORGANIZATION_NOT_FOUND" | "MEMBERSHIP_NOT_FOUND" | "MEMBERSHIP_FORBIDDEN" | "ROLE_INVALID" | "ROLE_NOT_ASSIGNABLE" | "ORGANIZATION_INVITE_INVALID" | "ORGANIZATION_INVITE_EXPIRED" | "SEAT_LIMIT_REACHED" | "FEATURE_DISABLED" | "LIMIT_EXCEEDED" | "LAST_OWNER_GUARD" | "SESSION_NOT_FOUND" | "INVALID_CREDENTIALS" | "USER_NOT_FOUND" | "CONFLICT" | "RATE_LIMITED" | "DELIVERY_FAILED" | "EMAIL_NOT_VERIFIED" | "OTP_EXPIRED" | "OTP_INVALID" | "MAGIC_LINK_EXPIRED" | "MAGIC_LINK_INVALID" | "OAUTH2_PROVIDER_DISABLED" | "OAUTH2_EXCHANGE_FAILED" | "PASSKEY_INVALID_ASSERTION" | "PASSKEY_INVALID_ATTESTATION" | "PASSKEY_CHALLENGE_EXPIRED" | "PROFILE_COMPLETION_REQUIRED" | "PROFILE_COMPLETION_EXPIRED" | "TWO_FACTOR_REQUIRED" | "TWO_FACTOR_INVALID" | "TWO_FACTOR_EXPIRED" | "RECOVERY_CODE_INVALID" | "PLUGIN_METHOD_CONFLICT" | "PLUGIN_MISCONFIGURED" | "INTERNAL_ERROR";
+import type { ProfileCompletionState, TwoFactorRequiredMeta, UserBase } from "../types/model.js";
+export type AuthErrorCode = "INVALID_INPUT" | "METHOD_DISABLED" | "METHOD_NOT_REGISTERABLE" | "ACCOUNT_NOT_FOUND" | "ACCOUNT_EXISTS" | "ACCOUNT_EXISTS_WITH_DIFFERENT_METHOD" | "ORGANIZATION_NOT_FOUND" | "MEMBERSHIP_NOT_FOUND" | "MEMBERSHIP_FORBIDDEN" | "ROLE_INVALID" | "ROLE_NOT_ASSIGNABLE" | "ORGANIZATION_INVITE_INVALID" | "ORGANIZATION_INVITE_EXPIRED" | "SEAT_LIMIT_REACHED" | "FEATURE_DISABLED" | "LIMIT_EXCEEDED" | "LAST_OWNER_GUARD" | "SESSION_NOT_FOUND" | "INVALID_CREDENTIALS" | "USER_NOT_FOUND" | "CONFLICT" | "RATE_LIMITED" | "DELIVERY_FAILED" | "EMAIL_NOT_VERIFIED" | "OTP_EXPIRED" | "OTP_INVALID" | "MAGIC_LINK_EXPIRED" | "MAGIC_LINK_INVALID" | "OAUTH2_PROVIDER_DISABLED" | "OAUTH2_EXCHANGE_FAILED" | "PASSKEY_INVALID_ASSERTION" | "PASSKEY_INVALID_ATTESTATION" | "PASSKEY_CHALLENGE_EXPIRED" | "CUSTOMER_NOT_FOUND" | "SUBSCRIPTION_NOT_FOUND" | "SUBSCRIPTION_ALREADY_EXISTS" | "TRIAL_NOT_AVAILABLE" | "STRIPE_WEBHOOK_INVALID" | "PROFILE_COMPLETION_REQUIRED" | "PROFILE_COMPLETION_EXPIRED" | "TWO_FACTOR_REQUIRED" | "TWO_FACTOR_INVALID" | "TWO_FACTOR_EXPIRED" | "RECOVERY_CODE_INVALID" | "PLUGIN_METHOD_CONFLICT" | "PLUGIN_MISCONFIGURED" | "INTERNAL_ERROR";
 export declare class AuthError extends Error {
     readonly code: AuthErrorCode;
     readonly status: number;

package/dist/index.d.ts

@@ -1,6 +1,6 @@
-export * from "./types/index.js";
-export * from "./issues/index.js";
-export * from "./errors/index.js";
-export * from "./core/events.js";
 export * from "./core/auth.js";
+export * from "./core/events.js";
+export * from "./errors/index.js";
+export * from "./issues/index.js";
 export * from "./plugins/index.js";
+export * from "./types/index.js";

package/dist/index.js

@@ -1,6 +1,6 @@
-export * from "./types/index.js";
-export * from "./issues/index.js";
-export * from "./errors/index.js";
-export * from "./core/events.js";
 export * from "./core/auth.js";
+export * from "./core/events.js";
+export * from "./errors/index.js";
+export * from "./issues/index.js";
 export * from "./plugins/index.js";
+export * from "./types/index.js";

package/dist/plugins/email-otp.d.ts

@@ -9,4 +9,4 @@ export type EmailOtpPluginConfig<U extends UserBase, K extends keyof U> = {
     maxAttempts?: number;
     codeLength?: number;
 };
-export declare const emailOtpPlugin: <U extends UserBase, K extends keyof U>(config: EmailOtpPluginConfig<U, K>) => AuthMethodPlugin<"email_otp", EmailOtpRegisterInput<U, K>, EmailOtpAuthenticateInput, U, EmailOtpPluginApi>;
+export declare const emailOtpPlugin: <U extends UserBase, K extends keyof U>(config: EmailOtpPluginConfig<U, K>) => AuthMethodPlugin<"email_otp", EmailOtpRegisterInput<U, K>, EmailOtpAuthenticateInput, U, EmailOtpPluginApi, true, true>;

package/dist/plugins/email-otp.js

@@ -1,9 +1,8 @@
+import { addSeconds, cloneWithout, createId, createNumericCode, secretHash, secretVerify } from "../core/utils.js";
+import { ensureFields } from "../core/validators.js";
 import { AuthError } from "../errors/index.js";
 import { createIssue } from "../issues/index.js";
 import { errorOperation, successOperation } from "../types/results.js";
-import { addSeconds, createId, createNumericCode, secretHash, secretVerify, } from "../core/utils.js";
-import { cloneWithout } from "../core/utils.js";
-import { ensureFields } from "../core/validators.js";
 const PENDING_PREFIX = "pending:";
 const EMAIL_OTP_REQUEST_POLICY = { limit: 3, windowSeconds: 300 };
 const OTP_VERIFY_POLICY = { limit: 10, windowSeconds: 300 };
@@ -38,9 +37,7 @@ export const emailOtpPlugin = (config) => {
         if (challenge.expiresAt.getTime() <= now.getTime()) {
             return {
                 ok: false,
-                error: new AuthError("OTP_EXPIRED", "OTP has expired.", 400, [
-                    createIssue("OTP expired", ["code"]),
-                ]),
+                error: new AuthError("OTP_EXPIRED", "OTP has expired.", 400, [createIssue("OTP expired", ["code"])]),
             };
         }
         if (challenge.attempts >= maxAttempts) {
@@ -60,9 +57,7 @@ export const emailOtpPlugin = (config) => {
             }
             return {
                 ok: false,
-                error: new AuthError("OTP_INVALID", "Invalid OTP code.", 400, [
-                    createIssue("Invalid code", ["code"]),
-                ]),
+                error: new AuthError("OTP_INVALID", "Invalid OTP code.", 400, [createIssue("Invalid code", ["code"])]),
             };
         }
         const consumed = await config.otp.consumeChallenge(challengeId);
@@ -96,9 +91,7 @@ export const emailOtpPlugin = (config) => {
                 const email = input.email.trim().toLowerCase();
                 if (ctx.adapters.rateLimiter) {
                     const policy = ctx.security?.rateLimits?.emailOtpRequest ?? EMAIL_OTP_REQUEST_POLICY;
-                    const limited = await ctx.adapters.rateLimiter.consume(request?.ip
-                        ? `emailOtpRequest:ip:${request.ip}:identity:${email}`
-                        : `emailOtpRequest:identity:${email}`, policy.limit, policy.windowSeconds);
+                    const limited = await ctx.adapters.rateLimiter.consume(request?.ip ? `emailOtpRequest:ip:${request.ip}:identity:${email}` : `emailOtpRequest:identity:${email}`, policy.limit, policy.windowSeconds);
                     if (!limited.allowed) {
                         return errorOperation(createRateLimitedError(limited.retryAfterSeconds));
                     }
@@ -154,11 +147,7 @@ export const emailOtpPlugin = (config) => {
             if (requiredError) {
                 return errorOperation(requiredError);
             }
-            const payload = cloneWithout(input, [
-                "method",
-                "challengeId",
-                "code",
-            ]);
+            const payload = cloneWithout(input, ["method", "challengeId", "code"]);
             payload.email = verified.email;
             payload.emailVerified = true;
             const user = await ctx.adapters.users.create(payload);

package/dist/plugins/index.d.ts

@@ -1,7 +1,8 @@
-export * from "./password.js";
 export * from "./email-otp.js";
 export * from "./magic-link.js";
 export * from "./oauth2.js";
+export * from "./organizations.js";
 export * from "./passkey.js";
+export * from "./password.js";
+export * from "./stripe.js";
 export * from "./two-factor.js";
-export * from "./organizations.js";

package/dist/plugins/index.js

@@ -1,7 +1,8 @@
-export * from "./password.js";
 export * from "./email-otp.js";
 export * from "./magic-link.js";
 export * from "./oauth2.js";
+export * from "./organizations.js";
 export * from "./passkey.js";
+export * from "./password.js";
+export * from "./stripe.js";
 export * from "./two-factor.js";
-export * from "./organizations.js";

package/dist/plugins/magic-link.d.ts

@@ -8,4 +8,4 @@ export type MagicLinkPluginConfig<U extends UserBase, K extends keyof U> = {
     tokenTtlSeconds?: number;
     baseVerifyUrl: string;
 };
-export declare const magicLinkPlugin: <U extends UserBase, K extends keyof U>(config: MagicLinkPluginConfig<U, K>) => AuthMethodPlugin<"magic_link", MagicLinkRegisterInput<U, K>, MagicLinkAuthenticateInput, U, MagicLinkPluginApi>;
+export declare const magicLinkPlugin: <U extends UserBase, K extends keyof U>(config: MagicLinkPluginConfig<U, K>) => AuthMethodPlugin<"magic_link", MagicLinkRegisterInput<U, K>, MagicLinkAuthenticateInput, U, MagicLinkPluginApi, true, true>;

package/dist/plugins/magic-link.js

@@ -1,9 +1,8 @@
+import { addSeconds, cloneWithout, createId, createToken, deterministicTokenHash } from "../core/utils.js";
+import { ensureFields } from "../core/validators.js";
 import { AuthError } from "../errors/index.js";
 import { createIssue } from "../issues/index.js";
 import { errorOperation, successOperation } from "../types/results.js";
-import { addSeconds, createId, createToken, deterministicTokenHash } from "../core/utils.js";
-import { cloneWithout } from "../core/utils.js";
-import { ensureFields } from "../core/validators.js";
 const MAGIC_LINK_REQUEST_POLICY = { limit: 3, windowSeconds: 300 };
 const createRateLimitedError = (retryAfterSeconds) => new AuthError("RATE_LIMITED", "Too many requests.", 429, [], retryAfterSeconds === undefined ? undefined : { retryAfterSeconds });
 export const magicLinkPlugin = (config) => {
@@ -56,9 +55,7 @@ export const magicLinkPlugin = (config) => {
                 const email = input.email.trim().toLowerCase();
                 if (ctx.adapters.rateLimiter) {
                     const policy = ctx.security?.rateLimits?.magicLinkRequest ?? MAGIC_LINK_REQUEST_POLICY;
-                    const limited = await ctx.adapters.rateLimiter.consume(request?.ip
-                        ? `magicLinkRequest:ip:${request.ip}:identity:${email}`
-                        : `magicLinkRequest:identity:${email}`, policy.limit, policy.windowSeconds);
+                    const limited = await ctx.adapters.rateLimiter.consume(request?.ip ? `magicLinkRequest:ip:${request.ip}:identity:${email}` : `magicLinkRequest:identity:${email}`, policy.limit, policy.windowSeconds);
                     if (!limited.allowed) {
                         return errorOperation(createRateLimitedError(limited.retryAfterSeconds));
                     }
@@ -115,10 +112,7 @@ export const magicLinkPlugin = (config) => {
             if (requiredError) {
                 return errorOperation(requiredError);
             }
-            const payload = cloneWithout(input, [
-                "method",
-                "token",
-            ]);
+            const payload = cloneWithout(input, ["method", "token"]);
             payload.email = verified.email;
             payload.emailVerified = true;
             const user = await ctx.adapters.users.create(payload);

package/dist/plugins/oauth2.d.ts

@@ -38,11 +38,11 @@ export type OAuth2ProviderConfig<U extends UserBase, P extends string> = {
 };
 export type OAuth2PluginConfig<U extends UserBase, P extends string, K extends keyof U = never> = {
     providers: {
-        [Provider in P]: OAuth2ProviderConfig<U, Provider>;
+        [Provider in P]?: OAuth2ProviderConfig<U, Provider>;
     };
     accounts: OAuth2AccountAdapter<P>;
     requiredProfileFields?: readonly K[];
     pendingProfileTtlSeconds?: number;
 };
 export declare const arcticAuthorizationCodeExchange: (client: ArcticAuthorizationCodeClient) => OAuth2AuthorizationCodeExchange;
-export declare const oauth2Plugin: <U extends UserBase, P extends string, K extends keyof U = never>(config: OAuth2PluginConfig<U, P, K>) => AuthMethodPlugin<"oauth2", OAuth2AuthenticateInput<P>, OAuth2AuthenticateInput<P>, U>;
+export declare const oauth2Plugin: <U extends UserBase, P extends string, K extends keyof U = never>(config: OAuth2PluginConfig<U, P, K>) => AuthMethodPlugin<"oauth2", OAuth2AuthenticateInput<P>, OAuth2AuthenticateInput<P>, U, never, false, false>;

package/dist/plugins/oauth2.js

@@ -1,9 +1,9 @@
 import { ArcticFetchError, OAuth2RequestError } from "arctic";
+import { addSeconds, createId } from "../core/utils.js";
+import { ensureFields } from "../core/validators.js";
 import { AuthError } from "../errors/index.js";
 import { createIssue } from "../issues/index.js";
 import { errorOperation, successOperation } from "../types/results.js";
-import { addSeconds, createId } from "../core/utils.js";
-import { ensureFields } from "../core/validators.js";
 export const arcticAuthorizationCodeExchange = (client) => {
     return async ({ authorizationCode, codeVerifier }) => {
         const validateAuthorizationCode = client.validateAuthorizationCode;
@@ -41,7 +41,9 @@ export const oauth2Plugin = (config) => {
         },
         completePendingProfile: async (_ctx, { record, user }) => {
             const continuation = record.continuation;
-            if (!continuation || typeof continuation.provider !== "string" || typeof continuation.providerUserId !== "string") {
+            if (!continuation ||
+                typeof continuation.provider !== "string" ||
+                typeof continuation.providerUserId !== "string") {
                 return errorOperation(new AuthError("PLUGIN_MISCONFIGURED", "Pending OAuth2 profile is missing provider continuation metadata.", 500));
             }
             await config.accounts.linkAccount({
@@ -93,7 +95,9 @@ export const oauth2Plugin = (config) => {
                     ]));
                 }
                 if (error instanceof ArcticFetchError) {
-                    return errorOperation(new AuthError("OAUTH2_EXCHANGE_FAILED", "OAuth2 provider is unreachable right now.", 502, [createIssue("Provider request failed", ["provider"])]));
+                    return errorOperation(new AuthError("OAUTH2_EXCHANGE_FAILED", "OAuth2 provider is unreachable right now.", 502, [
+                        createIssue("Provider request failed", ["provider"]),
+                    ]));
                 }
                 return errorOperation(new AuthError("OAUTH2_EXCHANGE_FAILED", "OAuth2 code exchange failed.", 502));
             }

package/dist/plugins/organizations.d.ts

@@ -1,5 +1,5 @@
 import type { MembershipBase, OrganizationBase, UserBase } from "../types/model.js";
-import type { OrganizationsPluginConfig, OrganizationsPluginApi, DomainPlugin } from "../types/plugins.js";
+import type { DomainPlugin, OrganizationsPluginApi, OrganizationsPluginConfig } from "../types/plugins.js";
 export type OrganizationsPluginOptions<O extends OrganizationBase, Role extends string, M extends MembershipBase<Role>, Permission extends string, Feature extends string, LimitKey extends string, RequiredOrgFields extends keyof O = never> = OrganizationsPluginConfig<O, Role, M, Permission, Feature, LimitKey, RequiredOrgFields> & {
     inviteBaseUrl: string;
     inviteTtlSeconds?: number;
@@ -9,4 +9,4 @@ export type OrganizationsPluginOptions<O extends OrganizationBase, Role extends
         nextRole: Role;
     }) => boolean | Promise<boolean>;
 };
-export declare const organizationsPlugin: <U extends UserBase, O extends OrganizationBase, Role extends string, M extends MembershipBase<Role>, Permission extends string, Feature extends string, LimitKey extends string, RequiredOrgFields extends keyof O = never>(config: OrganizationsPluginOptions<O, Role, M, Permission, Feature, LimitKey, RequiredOrgFields>) => DomainPlugin<"organizations", U, OrganizationsPluginApi<O, Role, M, Permission, Feature, LimitKey, RequiredOrgFields>>;
+export declare const organizationsPlugin: <U extends UserBase, O extends OrganizationBase, Role extends string, M extends MembershipBase<Role>, Permission extends string, Feature extends string, LimitKey extends string, RequiredOrgFields extends keyof O = never>(config: OrganizationsPluginOptions<O, Role, M, Permission, Feature, LimitKey, RequiredOrgFields>) => DomainPlugin<"organizations", U, OrganizationsPluginApi<O, Role, M, Permission, Feature, LimitKey, RequiredOrgFields>, true>;

package/dist/plugins/organizations.js

@@ -1,7 +1,7 @@
+import { addSeconds, createId, createToken, deterministicTokenHash } from "../core/utils.js";
 import { AuthError } from "../errors/index.js";
 import { createIssue } from "../issues/index.js";
 import { errorOperation, successOperation } from "../types/results.js";
-import { addSeconds, createId, createToken, deterministicTokenHash } from "../core/utils.js";
 const normalizeEmail = (value) => value.trim().toLowerCase();
 const findOwnerRoles = (roles) => Object.entries(roles)
     .filter(([, definition]) => definition.system?.owner)
@@ -75,15 +75,34 @@ export const organizationsPlugin = (config) => {
                     return membershipRes;
                 }
                 const resolved = resolveRole(membershipRes.data.role, config.handlers.roles);
+                const stripeApi = ctx.getPluginApi?.("stripe") ?? null;
+                let billingEntitlements = {
+                    features: {},
+                    limits: {},
+                };
+                if (stripeApi) {
+                    const stripeEntitlements = await stripeApi.getEntitlements({
+                        subject: {
+                            kind: "organization",
+                            organizationId,
+                        },
+                    });
+                    if (!stripeEntitlements.ok) {
+                        return stripeEntitlements;
+                    }
+                    billingEntitlements = stripeEntitlements.data;
+                }
                 const featureOverrides = await config.handlers.entitlements.getFeatureOverrides(organizationId);
                 const limitOverrides = await config.handlers.entitlements.getLimitOverrides(organizationId);
                 return successOperation({
                     features: {
                         ...resolved.features,
+                        ...billingEntitlements.features,
                         ...featureOverrides,
                     },
                     limits: {
                         ...resolved.limits,
+                        ...billingEntitlements.limits,
                         ...limitOverrides,
                     },
                 });
@@ -118,9 +137,7 @@ export const organizationsPlugin = (config) => {
                         });
                         return { organization, membership };
                     };
-                    const data = ctx.adapters.withTransaction
-                        ? await ctx.adapters.withTransaction(run)
-                        : await run();
+                    const data = ctx.adapters.withTransaction ? await ctx.adapters.withTransaction(run) : await run();
                     return successOperation(data);
                 },
                 inviteMember: async (input, request) => {

package/dist/plugins/passkey.d.ts

@@ -5,4 +5,4 @@ export type PasskeyPluginConfig<U extends UserBase, K extends keyof U> = {
     requiredProfileFields: readonly K[];
     passkeys: PasskeyAdapter;
 };
-export declare const passkeyPlugin: <U extends UserBase, K extends keyof U>(config: PasskeyPluginConfig<U, K>) => AuthMethodPlugin<"passkey", PasskeyRegisterInput<U, K>, PasskeyAuthenticateInput, U>;
+export declare const passkeyPlugin: <U extends UserBase, K extends keyof U>(config: PasskeyPluginConfig<U, K>) => AuthMethodPlugin<"passkey", PasskeyRegisterInput<U, K>, PasskeyAuthenticateInput, U, never, true, false>;

package/dist/plugins/passkey.js

@@ -1,8 +1,8 @@
+import { cloneWithout, createId } from "../core/utils.js";
+import { ensureFields } from "../core/validators.js";
 import { AuthError } from "../errors/index.js";
 import { createIssue } from "../issues/index.js";
 import { errorOperation, successOperation } from "../types/results.js";
-import { cloneWithout, createId } from "../core/utils.js";
-import { ensureFields } from "../core/validators.js";
 export const passkeyPlugin = (config) => ({
     kind: "auth_method",
     method: "passkey",
@@ -54,10 +54,7 @@ export const passkeyPlugin = (config) => ({
         }
         let user = await ctx.adapters.users.findByEmail(input.email);
         if (!user) {
-            const payload = cloneWithout(input, [
-                "method",
-                "registration",
-            ]);
+            const payload = cloneWithout(input, ["method", "registration"]);
             payload.emailVerified = true;
             user = await ctx.adapters.users.create(payload);
         }

package/dist/plugins/password.d.ts

@@ -7,4 +7,4 @@ export type PasswordPluginConfig<U extends UserBase, K extends keyof U> = {
     hashPassword?: (password: string) => string;
     verifyPassword?: (password: string, hash: string) => boolean;
 };
-export declare const passwordPlugin: <U extends UserBase, K extends keyof U>(config: PasswordPluginConfig<U, K>) => AuthMethodPlugin<"password", PasswordRegisterInput<U, K>, PasswordAuthenticateInput, U>;
+export declare const passwordPlugin: <U extends UserBase, K extends keyof U>(config: PasswordPluginConfig<U, K>) => AuthMethodPlugin<"password", PasswordRegisterInput<U, K>, PasswordAuthenticateInput, U, never, true, false>;

package/dist/plugins/password.js

@@ -1,8 +1,8 @@
+import { cloneWithout, secretHash, secretVerify } from "../core/utils.js";
+import { ensureFields } from "../core/validators.js";
 import { AuthError } from "../errors/index.js";
 import { createIssue } from "../issues/index.js";
 import { errorOperation, successOperation } from "../types/results.js";
-import { cloneWithout, secretHash, secretVerify } from "../core/utils.js";
-import { ensureFields } from "../core/validators.js";
 export const passwordPlugin = (config) => ({
     kind: "auth_method",
     method: "password",
@@ -25,10 +25,7 @@ export const passwordPlugin = (config) => ({
         if (requiredError) {
             return errorOperation(requiredError);
         }
-        const payload = cloneWithout(input, [
-            "method",
-            "password",
-        ]);
+        const payload = cloneWithout(input, ["method", "password"]);
         if (payload.emailVerified === undefined) {
             payload.emailVerified = false;
         }

package/dist/plugins/stripe.d.ts

@@ -0,0 +1,25 @@
+import type Stripe from "stripe";
+import type { StripeCustomerAdapter, StripeSubscriptionAdapter, StripeTrialUsageAdapter, StripeWebhookEventAdapter } from "../types/adapters.js";
+import type { StripePlan, StripeSubject, UserBase } from "../types/model.js";
+import type { DomainPlugin, StripePlansResolver, StripePluginApi } from "../types/plugins.js";
+type StripePluginHandlers<Feature extends string, LimitKey extends string> = {
+    customers: StripeCustomerAdapter;
+    subscriptions: StripeSubscriptionAdapter<Feature, LimitKey>;
+    events: StripeWebhookEventAdapter;
+    trials?: StripeTrialUsageAdapter;
+};
+export type StripePluginConfig<U extends UserBase, Feature extends string, LimitKey extends string> = {
+    stripe: Stripe;
+    webhookSecret: string;
+    plans: StripePlansResolver<Feature, LimitKey>;
+    handlers: StripePluginHandlers<Feature, LimitKey>;
+    customerMode?: "user" | "organization" | "both";
+};
+type StripePlanCatalogEntry<Feature extends string, LimitKey extends string> = Omit<StripePlan<Feature, LimitKey>, "scope"> & {
+    scope: StripeSubject["kind"];
+};
+type StripePlanCatalog<Feature extends string, LimitKey extends string> = readonly StripePlanCatalogEntry<Feature, LimitKey>[];
+export declare const stripePlugin: <U extends UserBase, Feature extends string, LimitKey extends string, const Plans extends StripePlanCatalog<Feature, LimitKey>>(config: Omit<StripePluginConfig<U, Feature, LimitKey>, "plans"> & {
+    plans: StripePlansResolver<Feature, LimitKey, Plans>;
+}) => DomainPlugin<"stripe", U, StripePluginApi<Feature, LimitKey>, true>;
+export {};