@onmax/nuxt-better-auth 0.0.2-alpha.3 → 0.0.2-alpha.31

package/dist/module.mjs

@@ -1,14 +1,115 @@
-import { existsSync } from 'node:fs';
+import { existsSync, writeFileSync, readFileSync } from 'node:fs';
 import { mkdir, writeFile } from 'node:fs/promises';
-import { defineNuxtModule, createResolver, hasNuxtModule, addTemplate, addTypeTemplate, updateTemplates, addServerImportsDir, addServerScanDir, addServerHandler, addImportsDir, addPlugin, addComponentsDir, extendPages } from '@nuxt/kit';
+import { getLayerDirectories, updateTemplates, addServerImportsDir, addServerImports, addServerScanDir, addServerHandler, addImportsDir, addPlugin, addComponentsDir, hasNuxtModule, installModule, extendPages, addTemplate, addTypeTemplate, defineNuxtModule, createResolver } from '@nuxt/kit';
 import { consola as consola$1 } from 'consola';
+import { isAbsolute, join, relative, dirname } from 'pathe';
 import { defu } from 'defu';
-import { join } from 'pathe';
 import { toRouteMatcher, createRouter } from 'radix3';
+import { generateDrizzleSchema as generateDrizzleSchema$1 } from '@better-auth/cli/api';
+import { randomBytes } from 'node:crypto';
+import { isCI, isTest } from 'std-env';
 export { defineClientAuth, defineServerAuth } from '../dist/runtime/config.js';
 
+const version = "0.0.2-alpha.31";
+
+function resolveDatabaseProvider(input) {
+  const enabledProviders = Object.entries(input.providers).filter(([_id, provider]) => provider.isEnabled?.(input.context) ?? true);
+  if (!enabledProviders.length) {
+    throw new Error("[nuxt-better-auth] No database provider is enabled. Register one with the better-auth:database:providers hook.");
+  }
+  enabledProviders.sort((a, b) => (b[1].priority ?? 0) - (a[1].priority ?? 0));
+  const [id, definition] = enabledProviders[0];
+  return { id, definition };
+}
+
+const CONFIG_EXTENSIONS = [".ts", ".js"];
+const CONFIG_EXTENSION_RE = /\.(?:ts|js)$/;
+const DEFAULT_CONFIG_FILES = {
+  server: "server/auth.config",
+  client: "app/auth.config"
+};
+const OPTION_KEY_BY_KIND = {
+  server: "serverConfig",
+  client: "clientConfig"
+};
+function stripConfigExtension(path) {
+  return path.replace(CONFIG_EXTENSION_RE, "");
+}
+function configExists(path) {
+  return CONFIG_EXTENSIONS.some((ext) => existsSync(`${path}${ext}`));
+}
+function getLayerDirectoriesWithConfigs(nuxt) {
+  const directories = getLayerDirectories(nuxt);
+  const layers = nuxt.options._layers;
+  return directories.map((directory, index) => ({ directory, layer: layers[index] }));
+}
+function getProjectDirectory(nuxt) {
+  return getLayerDirectories(nuxt)[0];
+}
+function getDefaultConfigPath(nuxt, kind) {
+  const project = getProjectDirectory(nuxt);
+  return kind === "server" ? join(project.server, "auth.config") : join(project.app, "auth.config");
+}
+function getLayerDefaultConfigPath(nuxt, kind) {
+  for (const { directory } of getLayerDirectoriesWithConfigs(nuxt)) {
+    const candidate = kind === "server" ? join(directory.server, "auth.config") : join(directory.app, "auth.config");
+    if (configExists(candidate))
+      return candidate;
+  }
+}
+function resolveDeclaringLayerRoot(nuxt, kind, file) {
+  const optionKey = OPTION_KEY_BY_KIND[kind];
+  for (const { directory, layer } of getLayerDirectoriesWithConfigs(nuxt)) {
+    const declared = layer?.config?.auth?.[optionKey];
+    if (typeof declared === "string" && stripConfigExtension(declared) === file)
+      return directory.root;
+  }
+  return getProjectDirectory(nuxt).root;
+}
+function getRelativeConfigFile(nuxt, path) {
+  return relative(getProjectDirectory(nuxt).root, path);
+}
+function getEffectiveModuleConfigFile(nuxt, kind) {
+  const optionKey = OPTION_KEY_BY_KIND[kind];
+  const authOptions = nuxt.options.auth;
+  return authOptions?.[optionKey] ?? DEFAULT_CONFIG_FILES[kind];
+}
+function shouldCreateDefaultModuleConfig(nuxt, kind, file = getEffectiveModuleConfigFile(nuxt, kind)) {
+  const normalizedFile = stripConfigExtension(file);
+  if (normalizedFile !== DEFAULT_CONFIG_FILES[kind])
+    return false;
+  const resolved = resolveModuleConfigPath(nuxt, kind, normalizedFile);
+  return !configExists(resolved.path);
+}
+function resolveModuleConfigPath(nuxt, kind, file) {
+  const normalizedFile = stripConfigExtension(file);
+  if (isAbsolute(normalizedFile)) {
+    return {
+      file: normalizedFile,
+      path: normalizedFile,
+      isDefault: false
+    };
+  }
+  if (normalizedFile === DEFAULT_CONFIG_FILES[kind]) {
+    const discoveredPath = getLayerDefaultConfigPath(nuxt, kind) ?? getDefaultConfigPath(nuxt, kind);
+    return {
+      file: getRelativeConfigFile(nuxt, discoveredPath),
+      path: discoveredPath,
+      isDefault: true
+    };
+  }
+  const baseRoot = resolveDeclaringLayerRoot(nuxt, kind, normalizedFile);
+  const path = join(baseRoot, normalizedFile);
+  return {
+    file: getRelativeConfigFile(nuxt, path),
+    path,
+    isDefault: false
+  };
+}
+
 function setupDevTools(nuxt) {
-  nuxt.hook("devtools:customTabs", (tabs) => {
+  const hookable = nuxt;
+  hookable.hook("devtools:customTabs", (tabs) => {
     tabs.push({
       category: "server",
       name: "better-auth",
@@ -22,143 +123,201 @@ function setupDevTools(nuxt) {
   });
 }
 
-function generateDrizzleSchema(tables, dialect, options) {
-  const typedTables = tables;
-  const imports = getImports(dialect, options);
-  const tableDefinitions = Object.entries(typedTables).map(([tableName, table]) => generateTable(tableName, table, dialect, typedTables, options)).join("\n\n");
-  return `${imports}
+function registerTemplateHmrHook(nuxt) {
+  nuxt.hook("builder:watch", async (_event, relativePath) => {
+    if (relativePath.includes("auth.config"))
+      await updateTemplates({ filter: (t) => t.filename.includes("nuxt-better-auth") });
+  });
+}
+function registerServerRuntime(input) {
+  const { clientOnly, resolve } = input;
+  if (!clientOnly) {
+    addServerImportsDir(resolve("./runtime/server/utils"));
+    addServerImports([{ name: "defineServerAuth", from: resolve("./runtime/config") }]);
+    addServerScanDir(resolve("./runtime/server/middleware"));
+    addServerHandler({ route: "/api/auth/**", handler: resolve("./runtime/server/api/auth/[...all]") });
+  }
+  addImportsDir(resolve("./runtime/app/composables"));
+  addImportsDir(resolve("./runtime/utils"));
+  if (!clientOnly)
+    addPlugin({ src: resolve("./runtime/app/plugins/session.server"), mode: "server" });
+  addPlugin({ src: resolve("./runtime/app/plugins/session.client"), mode: "client" });
+  addComponentsDir({ path: resolve("./runtime/app/components") });
+}
+function registerAuthMiddlewareHook(nuxt, resolve) {
+  nuxt.hook("app:resolve", (app) => {
+    app.middleware.push({ name: "auth", path: resolve("./runtime/app/middleware/auth.global"), global: true });
+  });
+}
+async function registerDevtools(input) {
+  const { nuxt, clientOnly, hasHubDb, resolve } = input;
+  const isProduction = process.env.NODE_ENV === "production" || !nuxt.options.dev;
+  if (isProduction || clientOnly)
+    return;
+  if (!hasNuxtModule("@nuxt/ui"))
+    await installModule("@nuxt/ui");
+  setupDevTools(nuxt);
+  addServerHandler({ route: "/api/_better-auth/config", method: "get", handler: resolve("./runtime/server/api/_better-auth/config.get") });
+  if (hasHubDb) {
+    const handlers = [
+      { route: "/api/_better-auth/sessions", method: "get", handler: resolve("./runtime/server/api/_better-auth/sessions.get") },
+      { route: "/api/_better-auth/sessions", method: "delete", handler: resolve("./runtime/server/api/_better-auth/sessions.delete") },
+      { route: "/api/_better-auth/users", method: "get", handler: resolve("./runtime/server/api/_better-auth/users.get") },
+      { route: "/api/_better-auth/accounts", method: "get", handler: resolve("./runtime/server/api/_better-auth/accounts.get") }
+    ];
+    handlers.forEach((handler) => addServerHandler(handler));
+  }
+  extendPages((pages) => {
+    pages.push({ name: "better-auth-devtools", path: "/__better-auth-devtools", file: resolve("./runtime/app/pages/__better-auth-devtools.vue") });
+  });
+}
+function registerRouteRulesMetaHook(nuxt) {
+  nuxt.hook("pages:extend", (pages) => {
+    const options = nuxt.options;
+    const routeRules = options.nitro?.routeRules || options.routeRules || {};
+    if (!Object.keys(routeRules).length)
+      return;
+    const matcher = toRouteMatcher(createRouter({ routes: routeRules }));
+    const applyMetaFromRules = (page) => {
+      const matches = matcher.matchAll(page.path);
+      if (!matches.length)
+        return;
+      const matchedRules = defu({}, ...matches.reverse());
+      if (matchedRules.auth !== void 0) {
+        page.meta = page.meta || {};
+        page.meta.auth = matchedRules.auth;
+      }
+      page.children?.forEach((child) => applyMetaFromRules(child));
+    };
+    pages.forEach((page) => applyMetaFromRules(page));
+  });
+}
+
+function getHubDialect(hub) {
+  if (!hub?.db)
+    return void 0;
+  if (typeof hub.db === "string")
+    return hub.db;
+  if (typeof hub.db === "object" && hub.db !== null)
+    return hub.db.dialect;
+  return void 0;
+}
+function getHubCasing(hub) {
+  if (!hub?.db || typeof hub.db !== "object" || hub.db === null)
+    return void 0;
+  return hub.db.casing;
+}
 
-${tableDefinitions}
-`;
+function resolveSecondaryStorage(input) {
+  const { options, clientOnly, hasNuxtHub, hub } = input;
+  const opt = options.hubSecondaryStorage ?? false;
+  const useHubKV = opt === true;
+  const secondaryStorageEnabled = opt === true || opt === "custom";
+  if (secondaryStorageEnabled && clientOnly) {
+    throw new Error("[nuxt-better-auth] hubSecondaryStorage is not available in clientOnly mode. Either disable clientOnly or remove auth.hubSecondaryStorage.");
+  }
+  if (useHubKV && (!hasNuxtHub || !hub?.kv)) {
+    throw new Error("[nuxt-better-auth] hubSecondaryStorage: true requires @nuxthub/core with hub.kv: true. Either add hub.kv: true to your nuxt.config or remove auth.hubSecondaryStorage.");
+  }
+  return { useHubKV, secondaryStorageEnabled };
 }
-function getImports(dialect, options) {
-  switch (dialect) {
-    case "sqlite":
-      return `import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core'`;
-    case "postgresql":
-      return options?.useUuid ? `import { boolean, integer, pgTable, text, timestamp, uuid } from 'drizzle-orm/pg-core'` : `import { boolean, integer, pgTable, text, timestamp } from 'drizzle-orm/pg-core'`;
-    case "mysql":
-      return `import { boolean, int, mysqlTable, text, timestamp, varchar } from 'drizzle-orm/mysql-core'`;
-  }
-}
-function generateTable(tableName, table, dialect, allTables, options) {
-  const tableFunc = dialect === "sqlite" ? "sqliteTable" : dialect === "postgresql" ? "pgTable" : "mysqlTable";
-  let dbTableName = table.modelName || tableName;
-  if (options?.usePlural && !table.modelName) {
-    dbTableName = `${tableName}s`;
-  }
-  const fields = Object.entries(table.fields).map(([fieldName, field]) => generateField(fieldName, field, dialect, allTables, options)).join(",\n    ");
-  const idField = generateIdField(dialect, options);
-  return `export const ${tableName} = ${tableFunc}('${dbTableName}', {
-    ${idField},
-    ${fields}
-  })`;
-}
-function generateIdField(dialect, options) {
-  switch (dialect) {
-    case "sqlite":
-      if (options?.useUuid)
-        consola$1.warn("[@onmax/nuxt-better-auth] useUuid ignored for SQLite (no native uuid type). Using text.");
-      return `id: text('id').primaryKey()`;
-    case "postgresql":
-      return options?.useUuid ? `id: uuid('id').defaultRandom().primaryKey()` : `id: text('id').primaryKey()`;
-    case "mysql":
-      return `id: varchar('id', { length: 36 }).primaryKey()`;
-  }
-}
-function generateField(fieldName, field, dialect, allTables, options) {
-  const dbFieldName = fieldName;
-  const isFkToId = options?.useUuid && field.references?.field === "id";
-  let fieldDef;
-  if (isFkToId && dialect === "postgresql")
-    fieldDef = `uuid('${dbFieldName}')`;
-  else if (isFkToId && dialect === "mysql")
-    fieldDef = `varchar('${dbFieldName}', { length: 36 })`;
-  else
-    fieldDef = getFieldType(field.type, dialect, dbFieldName);
-  if (field.required && field.defaultValue === void 0)
-    fieldDef += ".notNull()";
-  if (field.unique)
-    fieldDef += ".unique()";
-  if (field.defaultValue !== void 0) {
-    if (typeof field.defaultValue === "boolean")
-      fieldDef += `.default(${field.defaultValue})`;
-    else if (typeof field.defaultValue === "string")
-      fieldDef += `.default('${field.defaultValue}')`;
-    else
-      fieldDef += `.default(${field.defaultValue})`;
-    if (field.required)
-      fieldDef += ".notNull()";
-  }
-  if (field.references) {
-    const refTable = field.references.model;
-    if (allTables[refTable])
-      fieldDef += `.references(() => ${refTable}.${field.references.field})`;
-  }
-  return `${fieldName}: ${fieldDef}`;
-}
-function getFieldType(type, dialect, fieldName) {
-  const normalizedType = Array.isArray(type) ? "string" : type;
-  switch (dialect) {
-    case "sqlite":
-      return getSqliteType(normalizedType, fieldName);
-    case "postgresql":
-      return getPostgresType(normalizedType, fieldName);
-    case "mysql":
-      return getMysqlType(normalizedType, fieldName);
-  }
-}
-function getSqliteType(type, fieldName) {
-  switch (type) {
-    case "string":
-      return `text('${fieldName}')`;
-    case "boolean":
-      return `integer('${fieldName}', { mode: 'boolean' })`;
-    case "date":
-      return `integer('${fieldName}', { mode: 'timestamp' })`;
-    case "number":
-      return `integer('${fieldName}')`;
-    default:
-      return `text('${fieldName}')`;
-  }
-}
-function getPostgresType(type, fieldName) {
-  switch (type) {
-    case "string":
-      return `text('${fieldName}')`;
-    case "boolean":
-      return `boolean('${fieldName}')`;
-    case "date":
-      return `timestamp('${fieldName}')`;
-    case "number":
-      return `integer('${fieldName}')`;
-    default:
-      return `text('${fieldName}')`;
-  }
-}
-function getMysqlType(type, fieldName) {
-  switch (type) {
-    case "string":
-      return `text('${fieldName}')`;
-    case "boolean":
-      return `boolean('${fieldName}')`;
-    case "date":
-      return `timestamp('${fieldName}')`;
-    case "number":
-      return `int('${fieldName}')`;
-    default:
-      return `text('${fieldName}')`;
+function setupRuntimeConfig(input) {
+  const { nuxt, options, clientOnly, databaseProvider, consola } = input;
+  const { useHubKV, secondaryStorageEnabled } = resolveSecondaryStorage(input);
+  nuxt.options.runtimeConfig.public = nuxt.options.runtimeConfig.public || {};
+  const configuredSiteUrl = nuxt.options.runtimeConfig.public.siteUrl;
+  if (!configuredSiteUrl && process.env.NUXT_PUBLIC_SITE_URL)
+    nuxt.options.runtimeConfig.public.siteUrl = process.env.NUXT_PUBLIC_SITE_URL;
+  nuxt.options.runtimeConfig.public.auth = defu(nuxt.options.runtimeConfig.public.auth, {
+    redirects: {
+      login: options.redirects?.login ?? "/login",
+      guest: options.redirects?.guest ?? "/",
+      authenticated: options.redirects?.authenticated,
+      logout: options.redirects?.logout
+    },
+    preserveRedirect: options.preserveRedirect ?? true,
+    redirectQueryKey: options.redirectQueryKey ?? "redirect",
+    useDatabase: databaseProvider !== "none",
+    databaseProvider,
+    clientOnly,
+    session: {
+      skipHydratedSsrGetSession: options.session?.skipHydratedSsrGetSession ?? false
+    }
+  });
+  if (clientOnly) {
+    const siteUrl = nuxt.options.runtimeConfig.public.siteUrl;
+    if (!siteUrl)
+      consola.warn("clientOnly mode: set runtimeConfig.public.siteUrl (or NUXT_PUBLIC_SITE_URL) to your frontend URL");
+    consola.info("clientOnly mode enabled - server utilities (serverAuth, getRequestSession, getUserSession, requireUserSession) are not available");
+    return { useHubKV, secondaryStorageEnabled };
+  }
+  const currentSecret = nuxt.options.runtimeConfig.betterAuthSecret;
+  nuxt.options.runtimeConfig.betterAuthSecret = currentSecret || process.env.NUXT_BETTER_AUTH_SECRET || process.env.BETTER_AUTH_SECRET || "";
+  const betterAuthSecret = nuxt.options.runtimeConfig.betterAuthSecret;
+  if (!nuxt.options.dev && !nuxt.options._prepare && !betterAuthSecret) {
+    throw new Error("[nuxt-better-auth] NUXT_BETTER_AUTH_SECRET is required in production. Set NUXT_BETTER_AUTH_SECRET or BETTER_AUTH_SECRET environment variable.");
   }
+  if (betterAuthSecret && betterAuthSecret.length < 32) {
+    throw new Error("[nuxt-better-auth] NUXT_BETTER_AUTH_SECRET must be at least 32 characters for security");
+  }
+  nuxt.options.runtimeConfig.auth = defu(nuxt.options.runtimeConfig.auth, {
+    hubSecondaryStorage: options.hubSecondaryStorage ?? false
+  });
+  return { useHubKV, secondaryStorageEnabled };
+}
+
+function dialectToProvider(dialect) {
+  return dialect === "postgresql" ? "pg" : dialect;
+}
+async function generateDrizzleSchema(authOptions, dialect, schemaOptions) {
+  const provider = dialectToProvider(dialect);
+  const options = {
+    ...authOptions,
+    advanced: {
+      ...authOptions.advanced,
+      database: {
+        ...authOptions.advanced?.database,
+        ...schemaOptions?.useUuid && { generateId: "uuid" }
+      }
+    }
+  };
+  const adapter = {
+    id: "drizzle",
+    options: {
+      provider,
+      camelCase: schemaOptions?.casing !== "snake_case",
+      adapterConfig: { usePlural: schemaOptions?.usePlural ?? false }
+    }
+  };
+  const result = await generateDrizzleSchema$1({
+    adapter,
+    options
+  });
+  if (!result.code) {
+    throw new Error(`Schema generation returned empty result for ${dialect}`);
+  }
+  return result.code;
 }
 async function loadUserAuthConfig(configPath, throwOnError = false) {
   const { createJiti } = await import('jiti');
-  const jiti = createJiti(import.meta.url, { interopDefault: true });
+  const { defineServerAuth: runtimeDefineServerAuth } = await import('../dist/runtime/config.js');
+  const jiti = createJiti(import.meta.url, { interopDefault: true, moduleCache: false });
+  const schemaGlobals = globalThis;
+  if (!schemaGlobals.__nuxtBetterAuthDefineServerAuth) {
+    runtimeDefineServerAuth._count = 0;
+    schemaGlobals.__nuxtBetterAuthDefineServerAuth = runtimeDefineServerAuth;
+  }
+  if (!schemaGlobals.defineServerAuth) {
+    schemaGlobals.defineServerAuth = schemaGlobals.__nuxtBetterAuthDefineServerAuth;
+  }
+  schemaGlobals.__nuxtBetterAuthDefineServerAuth._count++;
   try {
     const mod = await jiti.import(configPath);
-    const configFn = typeof mod === "object" && mod !== null && "default" in mod ? mod.default : mod;
+    const configFn = mod.default;
     if (typeof configFn === "function") {
       return configFn({ runtimeConfig: {}, db: null });
     }
+    consola$1.warn("[@onmax/nuxt-better-auth] auth.config.ts does not export default. Expected: export default defineServerAuth(...)");
     if (throwOnError) {
       throw new Error("auth.config.ts must export default defineServerAuth(...)");
     }
@@ -169,84 +328,222 @@ async function loadUserAuthConfig(configPath, throwOnError = false) {
     }
     consola$1.error("[@onmax/nuxt-better-auth] Failed to load auth config for schema generation. Schema may be incomplete:", error);
     return {};
+  } finally {
+    const sharedDefineServerAuth = schemaGlobals.__nuxtBetterAuthDefineServerAuth;
+    if (sharedDefineServerAuth) {
+      sharedDefineServerAuth._count--;
+      if (!sharedDefineServerAuth._count) {
+        schemaGlobals.__nuxtBetterAuthDefineServerAuth = void 0;
+        if (schemaGlobals.defineServerAuth === sharedDefineServerAuth) {
+          schemaGlobals.defineServerAuth = void 0;
+        }
+      }
+    }
   }
 }
 
-const consola = consola$1.withTag("nuxt-better-auth");
-const module$1 = defineNuxtModule({
-  meta: { name: "@onmax/nuxt-better-auth", configKey: "auth", compatibility: { nuxt: ">=3.0.0" } },
-  defaults: {
-    serverConfig: "server/auth.config",
-    clientConfig: "app/auth.config",
-    redirects: { login: "/login", guest: "/" },
-    secondaryStorage: false
-  },
-  async setup(options, nuxt) {
-    const resolver = createResolver(import.meta.url);
-    const serverConfigFile = options.serverConfig;
-    const clientConfigFile = options.clientConfig;
-    const serverConfigPath = resolver.resolve(nuxt.options.rootDir, serverConfigFile);
-    const clientConfigPath = resolver.resolve(nuxt.options.rootDir, clientConfigFile);
-    const serverConfigExists = existsSync(`${serverConfigPath}.ts`) || existsSync(`${serverConfigPath}.js`);
-    const clientConfigExists = existsSync(`${clientConfigPath}.ts`) || existsSync(`${clientConfigPath}.js`);
-    if (!serverConfigExists)
-      throw new Error(`[nuxt-better-auth] Missing ${serverConfigFile}.ts - create with defineServerAuth()`);
-    if (!clientConfigExists)
-      throw new Error(`[nuxt-better-auth] Missing ${clientConfigFile}.ts - export createAppAuthClient()`);
-    const hasNuxtHub = hasNuxtModule("@nuxthub/core", nuxt);
-    const hub = hasNuxtHub ? nuxt.options.hub : void 0;
-    const hasHubDb = hasNuxtHub && !!hub?.db;
-    let secondaryStorageEnabled = options.secondaryStorage ?? false;
-    if (secondaryStorageEnabled && (!hasNuxtHub || !hub?.kv)) {
-      consola.warn("secondaryStorage requires @nuxthub/core with hub.kv: true. Disabling.");
-      secondaryStorageEnabled = false;
+const NODE_MODULES_SEGMENT_RE = /[\\/]/;
+function resolveSchemaSecondaryStorageInjection(hubSecondaryStorage, userHasSecondaryStorage, isProduction) {
+  if (hubSecondaryStorage === true)
+    return { inject: false };
+  if (hubSecondaryStorage !== "custom")
+    return { inject: false };
+  if (userHasSecondaryStorage)
+    return { inject: true };
+  const message = '[nuxt-better-auth] hubSecondaryStorage: "custom" requires secondaryStorage in defineServerAuth() to omit the session table from the generated schema.';
+  if (isProduction)
+    return { inject: false, error: message };
+  return { inject: false, warn: message };
+}
+function isInsideNodeModules(path) {
+  return path.split(NODE_MODULES_SEGMENT_RE).includes("node_modules");
+}
+function resolveHubSchemaPath(buildDir, rootDir, dialect, exists = existsSync) {
+  const rootTsPath = join(rootDir, ".nuxt", "better-auth", `schema.${dialect}.ts`);
+  if (isInsideNodeModules(buildDir) && exists(rootTsPath))
+    return rootTsPath;
+  const tsPath = join(buildDir, "better-auth", `schema.${dialect}.ts`);
+  if (exists(tsPath))
+    return tsPath;
+  const mjsPath = join(buildDir, "better-auth", `schema.${dialect}.mjs`);
+  if (exists(mjsPath))
+    return mjsPath;
+  return null;
+}
+async function loadAuthOptions(context) {
+  const isProduction = !context.nuxt.options.dev;
+  const configFile = `${context.serverConfigPath}.ts`;
+  const userConfig = await loadUserAuthConfig(configFile, isProduction);
+  const extendedConfig = {};
+  await context.nuxt.callHook("better-auth:config:extend", extendedConfig);
+  const plugins = [...userConfig.plugins || [], ...extendedConfig.plugins || []];
+  return { userConfig, plugins };
+}
+async function setupBetterAuthSchema(nuxt, serverConfigPath, options, consola, hubSecondaryStorage) {
+  const hub = nuxt.options.hub;
+  const dialect = getHubDialect(hub);
+  if (!dialect || !["sqlite", "postgresql", "mysql"].includes(dialect)) {
+    consola.warn(`Unsupported database dialect: ${dialect}`);
+    return;
+  }
+  const context = { nuxt, serverConfigPath };
+  try {
+    const { userConfig, plugins } = await loadAuthOptions(context);
+    const userHasSecondaryStorage = userConfig.secondaryStorage != null;
+    const secondaryStorageResolution = resolveSchemaSecondaryStorageInjection(hubSecondaryStorage, userHasSecondaryStorage, !nuxt.options.dev);
+    if (secondaryStorageResolution.error)
+      throw new Error(secondaryStorageResolution.error);
+    if (secondaryStorageResolution.warn)
+      consola.warn(secondaryStorageResolution.warn);
+    const authOptions = {
+      ...userConfig,
+      plugins,
+      secondaryStorage: secondaryStorageResolution.inject ? { get: async (_key) => null, set: async (_key, _value, _ttl) => {
+      }, delete: async (_key) => {
+      } } : void 0
+    };
+    const hubCasing = getHubCasing(hub);
+    const schemaOptions = { ...options.schema, useUuid: userConfig.advanced?.database?.generateId === "uuid", casing: options.schema?.casing ?? hubCasing };
+    const schemaCode = await generateDrizzleSchema(authOptions, dialect, schemaOptions);
+    const schemaDir = join(nuxt.options.buildDir, "better-auth");
+    const schemaPathTs = join(schemaDir, `schema.${dialect}.ts`);
+    const schemaPathMjs = join(schemaDir, `schema.${dialect}.mjs`);
+    await mkdir(schemaDir, { recursive: true });
+    await writeFile(schemaPathTs, schemaCode);
+    await writeFile(schemaPathMjs, schemaCode);
+    if (isInsideNodeModules(nuxt.options.buildDir)) {
+      const rootSchemaDir = join(nuxt.options.rootDir, ".nuxt", "better-auth");
+      const rootSchemaPathTs = join(rootSchemaDir, `schema.${dialect}.ts`);
+      await mkdir(rootSchemaDir, { recursive: true });
+      await writeFile(rootSchemaPathTs, schemaCode);
     }
-    nuxt.options.runtimeConfig.public = nuxt.options.runtimeConfig.public || {};
-    nuxt.options.runtimeConfig.public.auth = defu(nuxt.options.runtimeConfig.public.auth, {
-      redirects: { login: options.redirects?.login ?? "/login", guest: options.redirects?.guest ?? "/" },
-      useDatabase: hasHubDb
+    addTemplate({ filename: `better-auth/schema.${dialect}.ts`, getContents: () => schemaCode, write: true });
+    addTemplate({ filename: `better-auth/schema.${dialect}.mjs`, getContents: () => schemaCode, write: true });
+    consola.info(`Generated ${dialect} schema (.ts + .mjs)`);
+    const nuxtWithHubHooks = nuxt;
+    nuxtWithHubHooks.hook("hub:db:schema:extend", ({ paths, dialect: hookDialect }) => {
+      const schemaPath = resolveHubSchemaPath(nuxt.options.buildDir, nuxt.options.rootDir, hookDialect);
+      if (schemaPath)
+        paths.unshift(schemaPath);
     });
-    const betterAuthSecret = process.env.BETTER_AUTH_SECRET || process.env.NUXT_BETTER_AUTH_SECRET || nuxt.options.runtimeConfig.betterAuthSecret || "";
-    if (!nuxt.options.dev && !betterAuthSecret) {
-      throw new Error("[nuxt-better-auth] BETTER_AUTH_SECRET is required in production. Set BETTER_AUTH_SECRET or NUXT_BETTER_AUTH_SECRET environment variable.");
-    }
-    if (betterAuthSecret && betterAuthSecret.length < 32) {
-      throw new Error("[nuxt-better-auth] BETTER_AUTH_SECRET must be at least 32 characters for security");
+  } catch (error) {
+    const isProduction = !nuxt.options.dev;
+    if (isProduction)
+      throw error;
+    consola.error("Failed to generate schema:", error);
+    throw error;
+  }
+}
+
+const DEFAULT_SECRET_ENV = "NUXT_BETTER_AUTH_SECRET";
+const FALLBACK_SECRET_ENV = "BETTER_AUTH_SECRET";
+const generateSecret = () => randomBytes(32).toString("hex");
+function readEnvFile(rootDir) {
+  const envPath = join(rootDir, ".env");
+  return existsSync(envPath) ? readFileSync(envPath, "utf-8") : "";
+}
+function hasEnvSecret(rootDir) {
+  const envFile = readEnvFile(rootDir);
+  return [DEFAULT_SECRET_ENV, FALLBACK_SECRET_ENV].some((name) => {
+    const match = envFile.match(new RegExp(`^${name}=(.+)$`, "m"));
+    return !!match && !!match[1] && match[1].trim().length > 0;
+  });
+}
+function appendSecretToEnv(rootDir, secret) {
+  const envPath = join(rootDir, ".env");
+  let content = readEnvFile(rootDir);
+  if (content.length > 0 && !content.endsWith("\n"))
+    content += "\n";
+  content += `${DEFAULT_SECRET_ENV}=${secret}
+`;
+  writeFileSync(envPath, content, "utf-8");
+}
+async function promptForSecret(rootDir, consola, options = {}) {
+  const configuredSecret = options.configuredSecret?.trim();
+  if (configuredSecret)
+    return void 0;
+  if (process.env.NUXT_BETTER_AUTH_SECRET || process.env.BETTER_AUTH_SECRET || hasEnvSecret(rootDir))
+    return void 0;
+  const hasTty = Boolean(process.stdin.isTTY && process.stdout.isTTY);
+  if (options.prepare || !hasTty) {
+    consola.warn("[nuxt-better-auth] Skipping NUXT_BETTER_AUTH_SECRET prompt (non-interactive). Set NUXT_BETTER_AUTH_SECRET or BETTER_AUTH_SECRET.");
+    return void 0;
+  }
+  if (isCI || isTest) {
+    const secret2 = generateSecret();
+    appendSecretToEnv(rootDir, secret2);
+    consola.info("Generated NUXT_BETTER_AUTH_SECRET and added to .env (CI/test mode)");
+    return secret2;
+  }
+  consola.box("NUXT_BETTER_AUTH_SECRET is required for authentication.\nThis will be appended to your .env file.\nBETTER_AUTH_SECRET is still supported as a fallback.");
+  const choice = await consola.prompt("How do you want to set it?", {
+    type: "select",
+    options: [
+      { label: "Generate for me", value: "generate", hint: "uses crypto.randomBytes(32)" },
+      { label: "Enter manually", value: "paste" },
+      { label: "Skip", value: "skip", hint: "will fail in production" }
+    ],
+    cancel: "null"
+  });
+  if (typeof choice === "symbol" || choice === "skip") {
+    consola.warn("Skipping NUXT_BETTER_AUTH_SECRET. Auth will fail without it in production.");
+    return void 0;
+  }
+  let secret;
+  if (choice === "generate") {
+    secret = generateSecret();
+  } else {
+    const input = await consola.prompt("Paste your secret (min 32 chars):", { type: "text", cancel: "null" });
+    if (typeof input === "symbol" || !input || input.length < 32) {
+      consola.warn("Invalid secret. Skipping.");
+      return void 0;
     }
-    nuxt.options.runtimeConfig.betterAuthSecret = betterAuthSecret;
-    nuxt.options.runtimeConfig.auth = defu(nuxt.options.runtimeConfig.auth, {
-      secondaryStorage: secondaryStorageEnabled
-    });
-    nuxt.options.alias["#nuxt-better-auth"] = resolver.resolve("./runtime/types/augment");
-    nuxt.options.alias["#auth/server"] = serverConfigPath;
-    nuxt.options.alias["#auth/client"] = clientConfigPath;
-    const secondaryStorageCode = secondaryStorageEnabled ? `import { kv } from 'hub:kv'
+    secret = input;
+  }
+  const preview = `${secret.slice(0, 8)}...${secret.slice(-4)}`;
+  const confirm = await consola.prompt(`Add to .env:
+${DEFAULT_SECRET_ENV}=${preview}
+Proceed?`, { type: "confirm", initial: true, cancel: "null" });
+  if (typeof confirm === "symbol" || !confirm) {
+    consola.info("Cancelled. Secret not written.");
+    return void 0;
+  }
+  appendSecretToEnv(rootDir, secret);
+  consola.success("Added NUXT_BETTER_AUTH_SECRET to .env");
+  return secret;
+}
+
+function buildSecondaryStorageCode(useHubKV) {
+  if (!useHubKV)
+    return "export function createSecondaryStorage() { return undefined }";
+  return `import { kv } from '@nuxthub/kv'
 export function createSecondaryStorage() {
   return {
     get: async (key) => kv.get(\`_auth:\${key}\`),
     set: async (key, value, ttl) => kv.set(\`_auth:\${key}\`, value, { ttl }),
     delete: async (key) => kv.del(\`_auth:\${key}\`),
   }
-}` : `export function createSecondaryStorage() { return undefined }`;
-    const secondaryStorageTemplate = addTemplate({ filename: "better-auth/secondary-storage.mjs", getContents: () => secondaryStorageCode, write: true });
-    nuxt.options.alias["#auth/secondary-storage"] = secondaryStorageTemplate.dst;
-    const hubDbPath = nuxt.options.alias["hub:db"];
-    if (hasHubDb && !hubDbPath) {
-      throw new Error("[nuxt-better-auth] hub:db alias not found. Ensure @nuxthub/core is loaded before this module.");
-    }
-    const hubDialect = typeof hub?.db === "string" ? hub.db : (typeof hub?.db === "object" ? hub.db.dialect : void 0) ?? "sqlite";
-    const databaseCode = hasHubDb && hubDbPath ? `import { db, schema } from '${hubDbPath}'
+}`;
+}
+function buildDatabaseCode(input) {
+  if (input.provider === "nuxthub") {
+    return `import { db } from '@nuxthub/db'
+import * as schema from './schema.${input.hubDialect}.mjs'
 import { drizzleAdapter } from 'better-auth/adapters/drizzle'
-const rawDialect = '${hubDialect}'
+const rawDialect = '${input.hubDialect}'
 const dialect = rawDialect === 'postgresql' ? 'pg' : rawDialect
-export function createDatabase() { return drizzleAdapter(db, { provider: dialect, schema }) }
-export { db }` : `export function createDatabase() { return undefined }
+export function createDatabase() { return drizzleAdapter(db, { provider: dialect, schema, usePlural: ${input.usePlural}, camelCase: ${input.camelCase} }) }
+export { db }`;
+  }
+  return `export function createDatabase() { return undefined }
 export const db = undefined`;
-    const databaseTemplate = addTemplate({ filename: "better-auth/database.mjs", getContents: () => databaseCode, write: true });
-    nuxt.options.alias["#auth/database"] = databaseTemplate.dst;
-    addTypeTemplate({
-      filename: "types/auth-secondary-storage.d.ts",
-      getContents: () => `
+}
+
+function registerServerTypeTemplates(input) {
+  const { serverConfigPath, hasHubDb, runtimeTypesPath } = input;
+  addTypeTemplate({
+    filename: "types/auth-secondary-storage.d.ts",
+    getContents: () => `
 declare module '#auth/secondary-storage' {
   interface SecondaryStorage {
     get: (key: string) => Promise<string | null>
@@ -256,153 +553,508 @@ declare module '#auth/secondary-storage' {
   export function createSecondaryStorage(): SecondaryStorage | undefined
 }
 `
-    });
-    addTypeTemplate({
-      filename: "types/auth-database.d.ts",
-      getContents: () => `
+  }, { nitro: true, node: true });
+  addTypeTemplate({
+    filename: "types/auth-database.d.ts",
+    getContents: () => `
 declare module '#auth/database' {
-  import type { drizzleAdapter } from 'better-auth/adapters/drizzle'
-  export function createDatabase(): ReturnType<typeof drizzleAdapter> | undefined
-  export const db: unknown
+  import type { BetterAuthOptions } from 'better-auth'
+  export function createDatabase(): BetterAuthOptions['database']
+  export const db: ${hasHubDb ? `typeof import('@nuxthub/db')['db']` : "undefined"}
 }
 `
-    });
-    addTypeTemplate({
-      filename: "types/nuxt-better-auth.d.ts",
-      getContents: () => `
-export * from '${resolver.resolve("./runtime/types/augment")}'
-export type { AuthMeta, AuthMode, AuthRouteRules, UserMatch, RequireSessionOptions, Auth, InferUser, InferSession } from '${resolver.resolve("./runtime/types")}'
+  }, { nitro: true, node: true });
+  addTypeTemplate({
+    filename: "types/auth-schema.d.ts",
+    getContents: () => `
+declare module '#auth/schema' {
+  export const user: any
+  export const session: any
+  export const account: any
+  export const verification: any
+  export const schema: {
+    user: any
+    session: any
+    account: any
+    verification: any
+    [key: string]: any
+  } | undefined
+}
 `
-    });
-    addTypeTemplate({
-      filename: "types/nuxt-better-auth-infer.d.ts",
-      getContents: () => `
-import type { InferUser, InferSession } from 'better-auth'
+  }, { nitro: true, node: true });
+  addTypeTemplate({
+    filename: "types/nuxt-better-auth-infer.d.ts",
+    getContents: () => `
+import type { BetterAuthOptions, BetterAuthPlugin, InferPluginTypes, UnionToIntersection } from 'better-auth'
+import type { InferFieldsOutput } from 'better-auth/db'
 import type { RuntimeConfig } from 'nuxt/schema'
-import type configFn from '${serverConfigPath}'
+import type createServerAuth from '${serverConfigPath}'
+
+type _RawConfig = ReturnType<typeof createServerAuth>
+type _RawPlugins = _RawConfig extends { plugins: infer P } ? P : _RawConfig extends { plugins?: infer P } ? P : []
+type _NormalizedPlugins = _RawPlugins extends readonly (infer T)[]
+  ? Array<T & BetterAuthPlugin>
+  : _RawPlugins extends (infer T)[]
+      ? Array<T & BetterAuthPlugin>
+      : BetterAuthPlugin[]
+type _Config = Omit<BetterAuthOptions, 'plugins'> & Omit<_RawConfig, 'plugins'> & {
+  plugins?: _NormalizedPlugins
+}
+
+type _InferModelFieldsFromPlugins<P, M extends string> = P extends readonly (infer Plugin)[]
+  ? UnionToIntersection<Plugin extends { schema: { [K in M]: { fields: infer F } } } ? InferFieldsOutput<F> : {}>
+  : P extends (infer Plugin)[]
+      ? UnionToIntersection<Plugin extends { schema: { [K in M]: { fields: infer F } } } ? InferFieldsOutput<F> : {}>
+      : {}
 
-type _Config = ReturnType<typeof configFn>
+type _InferModelFieldsFromOptions<C, M extends 'user' | 'session'> = C extends { [K in M]: { additionalFields: infer F } }
+  ? InferFieldsOutput<F>
+  : {}
+
+type _UserFallback = _InferModelFieldsFromPlugins<_RawPlugins, 'user'> & _InferModelFieldsFromOptions<_RawConfig, 'user'>
+type _SessionFallback = _InferModelFieldsFromPlugins<_RawPlugins, 'session'> & _InferModelFieldsFromOptions<_RawConfig, 'session'>
 
 declare module '#nuxt-better-auth' {
-  interface AuthUser extends InferUser<_Config> {}
-  interface AuthSession { session: InferSession<_Config>['session'], user: InferUser<_Config> }
+  interface AuthUser extends _UserFallback {}
+  interface AuthSession extends _SessionFallback {}
   interface ServerAuthContext {
     runtimeConfig: RuntimeConfig
-    ${hasHubDb ? `db: typeof import('hub:db')['db']` : ""}
+    db: ${hasHubDb ? `typeof import('@nuxthub/db')['db']` : "undefined"}
   }
+  type PluginTypes = InferPluginTypes<_Config>
+}
+
+interface _AugmentedServerAuthContext {
+  runtimeConfig: RuntimeConfig
+  db: ${hasHubDb ? `typeof import('@nuxthub/db')['db']` : "undefined"}
+}
+
+declare module '@onmax/nuxt-better-auth/config' {
+  import type { BetterAuthOptions, BetterAuthPlugin } from 'better-auth'
+  type ServerAuthConfig = Omit<BetterAuthOptions, 'secret' | 'baseURL'> & {
+    plugins?: readonly BetterAuthPlugin[]
+  }
+  export function defineServerAuth<const R>(config: (ctx: _AugmentedServerAuthContext) => R & ServerAuthConfig): (ctx: _AugmentedServerAuthContext) => R
+  export function defineServerAuth<const R>(config: R & ServerAuthConfig): (ctx: _AugmentedServerAuthContext) => R
 }
 `
-    });
-    addTypeTemplate({
-      filename: "types/nuxt-better-auth-client.d.ts",
-      getContents: () => `
-import type { createAppAuthClient } from '${clientConfigPath}'
+  }, { nuxt: true, nitro: true, node: true });
+  addTypeTemplate({
+    filename: "types/nuxt-better-auth-social-providers.d.ts",
+    getContents: () => `
+import type createServerAuth from '${serverConfigPath}'
+
+type _RawConfig = ReturnType<typeof createServerAuth>
+type _RawSocialProviders = _RawConfig extends { socialProviders: infer S } ? S : _RawConfig extends { socialProviders?: infer S } ? S : {}
+type _SocialProviderIds = Extract<keyof NonNullable<_RawSocialProviders>, string>
+
 declare module '#nuxt-better-auth' {
-  export type AppAuthClient = ReturnType<typeof createAppAuthClient>
+  interface AuthSocialProviderRegistry {
+    ids: _SocialProviderIds
+  }
 }
 `
-    });
-    addTypeTemplate({
-      filename: "types/nuxt-better-auth-nitro.d.ts",
-      getContents: () => `
+  }, { nuxt: true, nitro: true, node: true });
+  addTypeTemplate({
+    filename: "types/nuxt-better-auth-nitro.d.ts",
+    getContents: () => `
+import type createServerAuth from '${serverConfigPath}'
+import type { BetterAuthOptions } from 'better-auth'
+import type { getEndpoints } from 'better-auth/api'
+import type { Serialize, Simplify } from 'nitropack/types'
+import type { FetchError } from 'ofetch'
+
+type _RawConfig = ReturnType<typeof createServerAuth>
+type _RawPlugins = _RawConfig extends { plugins: infer P } ? P : _RawConfig extends { plugins?: infer P } ? P : []
+type _Config = Omit<BetterAuthOptions, 'plugins'> & Omit<_RawConfig, 'plugins'> & {
+  plugins?: _RawPlugins
+}
+
+type _AuthApi = ReturnType<typeof getEndpoints<_Config>>['api']
+type _NormalizeMethod<M extends string> = M extends '*' ? 'default' : Lowercase<M>
+type _RouteMethodFromOption<M> = M extends readonly (infer T)[]
+  ? _NormalizeMethod<Extract<T, string>>
+  : M extends string
+      ? _NormalizeMethod<M>
+      : 'default'
+type _RouteMethodFromEndpoint<E> = E extends { options: { method: infer M } } ? _RouteMethodFromOption<M> : 'default'
+type _RoutePathFromEndpoint<E> = E extends { path: infer P extends string }
+  ? string extends P
+      ? never
+      : \`/api/auth\${P}\`
+  : never
+type _RouteResponseFromEndpoint<E> = E extends (...args: any[]) => Promise<infer R> ? Simplify<Serialize<Awaited<R>>> : never
+type _RouteDefaultResponse<E> = never
+type _UnionToIntersection<U> = (U extends unknown ? (value: U) => void : never) extends (value: infer I) => void ? I : never
+
+type _CoreAuthInternalApi = {
+  [K in keyof _AuthApi as _RoutePathFromEndpoint<_AuthApi[K]>]: {
+    [M in _RouteMethodFromEndpoint<_AuthApi[K]> | 'default']: M extends 'default' ? _RouteDefaultResponse<_AuthApi[K]> : _RouteResponseFromEndpoint<_AuthApi[K]>
+  }
+}
+type _PluginEndpointMaps<Plugins> = Plugins extends readonly (infer Plugin)[]
+  ? Plugin extends { endpoints: infer Endpoints extends Record<string, unknown> }
+      ? {
+          [K in keyof Endpoints as _RoutePathFromEndpoint<Endpoints[K]>]: {
+            [M in _RouteMethodFromEndpoint<Endpoints[K]> | 'default']: M extends 'default' ? _RouteDefaultResponse<Endpoints[K]> : _RouteResponseFromEndpoint<Endpoints[K]>
+          }
+        }
+      : {}
+  : Plugins extends (infer Plugin)[]
+      ? Plugin extends { endpoints: infer Endpoints extends Record<string, unknown> }
+          ? {
+              [K in keyof Endpoints as _RoutePathFromEndpoint<Endpoints[K]>]: {
+                [M in _RouteMethodFromEndpoint<Endpoints[K]> | 'default']: M extends 'default' ? _RouteDefaultResponse<Endpoints[K]> : _RouteResponseFromEndpoint<Endpoints[K]>
+              }
+            }
+          : {}
+      : {}
+type _PluginAuthInternalApi = _UnionToIntersection<_PluginEndpointMaps<_RawPlugins>>
+type _GeneratedAuthInternalApi = _CoreAuthInternalApi & _PluginAuthInternalApi
+
+type _RoutePathToRequestPath<Path extends string> = Path extends \`\${infer Prefix}:\${string}/\${infer Rest}\`
+  ? \`\${Prefix}\${string}/\${_RoutePathToRequestPath<Rest>}\`
+  : Path extends \`\${infer Prefix}:\${string}\`
+      ? \`\${Prefix}\${string}\`
+      : Path
+type _AuthApiPatternPath = Extract<keyof _GeneratedAuthInternalApi, string>
+type _AuthApiRequestPath = _RoutePathToRequestPath<_AuthApiPatternPath>
+type _AuthPatternFromRequestPath<Path extends string> = {
+  [Pattern in _AuthApiPatternPath]: Path extends _RoutePathToRequestPath<Pattern> ? Pattern : never
+}[_AuthApiPatternPath]
+type _AuthEndpointMethod<Path extends _AuthApiRequestPath> = Extract<keyof _GeneratedAuthInternalApi[_AuthPatternFromRequestPath<Path>], string>
+
+type _AuthFetchMethod<Path extends _AuthApiRequestPath> = Extract<Exclude<import('nitropack/types').NitroFetchOptions<Path>['method'], undefined>, string>
+type _AuthFetchDefaultMethod<Path extends _AuthApiRequestPath> = 'get'
+type _AuthFetchResolvedMethod<Path extends _AuthApiRequestPath, Method extends string> = Lowercase<Method> extends _AuthEndpointMethod<Path>
+  ? Lowercase<Method>
+  : never
+type _AuthFetchResult<Path extends _AuthApiRequestPath, Method extends string> = _GeneratedAuthInternalApi[_AuthPatternFromRequestPath<Path>][_AuthFetchResolvedMethod<Path, Method>]
+
+declare module '#nuxt-better-auth' {
+  export type AuthApiInternalRoutes = _GeneratedAuthInternalApi
+  export type AuthApiEndpointPatternPath = _AuthApiPatternPath
+  export type AuthApiEndpointPath = _AuthApiRequestPath
+  export type AuthApiEndpointMethod<Path extends AuthApiEndpointPath> = _AuthEndpointMethod<Path>
+  export type AuthApiEndpointResponse<
+    Path extends AuthApiEndpointPath,
+    Method extends AuthApiEndpointMethod<Path> = AuthApiEndpointMethod<Path>,
+  > = AuthApiInternalRoutes[_AuthPatternFromRequestPath<Path>][Method]
+}
+
+declare module 'nuxt/dist/app/composables/fetch' {
+  export function useFetch<
+    ErrorT = FetchError,
+    Path extends import('#nuxt-better-auth').AuthApiEndpointPath = import('#nuxt-better-auth').AuthApiEndpointPath,
+    Method extends _AuthFetchMethod<Path> = _AuthFetchDefaultMethod<Path>,
+    _ResT = _AuthFetchResult<Path, Method>,
+    DataT = _ResT,
+    PickKeys extends import('nuxt/dist/app/composables/asyncData').KeysOf<DataT> = import('nuxt/dist/app/composables/asyncData').KeysOf<DataT>,
+    DefaultT = undefined,
+  >(request: import('vue').Ref<Path> | Path | (() => Path), opts?: import('nuxt/dist/app/composables/fetch').UseFetchOptions<_ResT, DataT, PickKeys, DefaultT, Path, Method>): import('nuxt/dist/app/composables/asyncData').AsyncData<import('nuxt/dist/app/composables/asyncData').PickFrom<DataT, PickKeys> | DefaultT, ErrorT | undefined>
+  export function useFetch<
+    ErrorT = FetchError,
+    Path extends import('#nuxt-better-auth').AuthApiEndpointPath = import('#nuxt-better-auth').AuthApiEndpointPath,
+    Method extends _AuthFetchMethod<Path> = _AuthFetchDefaultMethod<Path>,
+    _ResT = _AuthFetchResult<Path, Method>,
+    DataT = _ResT,
+    PickKeys extends import('nuxt/dist/app/composables/asyncData').KeysOf<DataT> = import('nuxt/dist/app/composables/asyncData').KeysOf<DataT>,
+    DefaultT = DataT,
+  >(request: import('vue').Ref<Path> | Path | (() => Path), opts?: import('nuxt/dist/app/composables/fetch').UseFetchOptions<_ResT, DataT, PickKeys, DefaultT, Path, Method>): import('nuxt/dist/app/composables/asyncData').AsyncData<import('nuxt/dist/app/composables/asyncData').PickFrom<DataT, PickKeys> | DefaultT, ErrorT | undefined>
+
+  export function useLazyFetch<
+    ErrorT = FetchError,
+    Path extends import('#nuxt-better-auth').AuthApiEndpointPath = import('#nuxt-better-auth').AuthApiEndpointPath,
+    Method extends _AuthFetchMethod<Path> = _AuthFetchDefaultMethod<Path>,
+    _ResT = _AuthFetchResult<Path, Method>,
+    DataT = _ResT,
+    PickKeys extends import('nuxt/dist/app/composables/asyncData').KeysOf<DataT> = import('nuxt/dist/app/composables/asyncData').KeysOf<DataT>,
+    DefaultT = undefined,
+  >(request: import('vue').Ref<Path> | Path | (() => Path), opts?: Omit<import('nuxt/dist/app/composables/fetch').UseFetchOptions<_ResT, DataT, PickKeys, DefaultT, Path, Method>, 'lazy'>): import('nuxt/dist/app/composables/asyncData').AsyncData<import('nuxt/dist/app/composables/asyncData').PickFrom<DataT, PickKeys> | DefaultT, ErrorT | undefined>
+  export function useLazyFetch<
+    ErrorT = FetchError,
+    Path extends import('#nuxt-better-auth').AuthApiEndpointPath = import('#nuxt-better-auth').AuthApiEndpointPath,
+    Method extends _AuthFetchMethod<Path> = _AuthFetchDefaultMethod<Path>,
+    _ResT = _AuthFetchResult<Path, Method>,
+    DataT = _ResT,
+    PickKeys extends import('nuxt/dist/app/composables/asyncData').KeysOf<DataT> = import('nuxt/dist/app/composables/asyncData').KeysOf<DataT>,
+    DefaultT = DataT,
+  >(request: import('vue').Ref<Path> | Path | (() => Path), opts?: Omit<import('nuxt/dist/app/composables/fetch').UseFetchOptions<_ResT, DataT, PickKeys, DefaultT, Path, Method>, 'lazy'>): import('nuxt/dist/app/composables/asyncData').AsyncData<import('nuxt/dist/app/composables/asyncData').PickFrom<DataT, PickKeys> | DefaultT, ErrorT | undefined>
+}
+
+declare module 'nuxt/app' {
+  export function useFetch<
+    ErrorT = FetchError,
+    Path extends import('#nuxt-better-auth').AuthApiEndpointPath = import('#nuxt-better-auth').AuthApiEndpointPath,
+    Method extends _AuthFetchMethod<Path> = _AuthFetchDefaultMethod<Path>,
+    _ResT = _AuthFetchResult<Path, Method>,
+    DataT = _ResT,
+    PickKeys extends import('nuxt/dist/app/composables/asyncData').KeysOf<DataT> = import('nuxt/dist/app/composables/asyncData').KeysOf<DataT>,
+    DefaultT = undefined,
+  >(request: import('vue').Ref<Path> | Path | (() => Path), opts?: import('nuxt/dist/app/composables/fetch').UseFetchOptions<_ResT, DataT, PickKeys, DefaultT, Path, Method>): import('nuxt/dist/app/composables/asyncData').AsyncData<import('nuxt/dist/app/composables/asyncData').PickFrom<DataT, PickKeys> | DefaultT, ErrorT | undefined>
+  export function useFetch<
+    ErrorT = FetchError,
+    Path extends import('#nuxt-better-auth').AuthApiEndpointPath = import('#nuxt-better-auth').AuthApiEndpointPath,
+    Method extends _AuthFetchMethod<Path> = _AuthFetchDefaultMethod<Path>,
+    _ResT = _AuthFetchResult<Path, Method>,
+    DataT = _ResT,
+    PickKeys extends import('nuxt/dist/app/composables/asyncData').KeysOf<DataT> = import('nuxt/dist/app/composables/asyncData').KeysOf<DataT>,
+    DefaultT = DataT,
+  >(request: import('vue').Ref<Path> | Path | (() => Path), opts?: import('nuxt/dist/app/composables/fetch').UseFetchOptions<_ResT, DataT, PickKeys, DefaultT, Path, Method>): import('nuxt/dist/app/composables/asyncData').AsyncData<import('nuxt/dist/app/composables/asyncData').PickFrom<DataT, PickKeys> | DefaultT, ErrorT | undefined>
+
+  export function useLazyFetch<
+    ErrorT = FetchError,
+    Path extends import('#nuxt-better-auth').AuthApiEndpointPath = import('#nuxt-better-auth').AuthApiEndpointPath,
+    Method extends _AuthFetchMethod<Path> = _AuthFetchDefaultMethod<Path>,
+    _ResT = _AuthFetchResult<Path, Method>,
+    DataT = _ResT,
+    PickKeys extends import('nuxt/dist/app/composables/asyncData').KeysOf<DataT> = import('nuxt/dist/app/composables/asyncData').KeysOf<DataT>,
+    DefaultT = undefined,
+  >(request: import('vue').Ref<Path> | Path | (() => Path), opts?: Omit<import('nuxt/dist/app/composables/fetch').UseFetchOptions<_ResT, DataT, PickKeys, DefaultT, Path, Method>, 'lazy'>): import('nuxt/dist/app/composables/asyncData').AsyncData<import('nuxt/dist/app/composables/asyncData').PickFrom<DataT, PickKeys> | DefaultT, ErrorT | undefined>
+  export function useLazyFetch<
+    ErrorT = FetchError,
+    Path extends import('#nuxt-better-auth').AuthApiEndpointPath = import('#nuxt-better-auth').AuthApiEndpointPath,
+    Method extends _AuthFetchMethod<Path> = _AuthFetchDefaultMethod<Path>,
+    _ResT = _AuthFetchResult<Path, Method>,
+    DataT = _ResT,
+    PickKeys extends import('nuxt/dist/app/composables/asyncData').KeysOf<DataT> = import('nuxt/dist/app/composables/asyncData').KeysOf<DataT>,
+    DefaultT = DataT,
+  >(request: import('vue').Ref<Path> | Path | (() => Path), opts?: Omit<import('nuxt/dist/app/composables/fetch').UseFetchOptions<_ResT, DataT, PickKeys, DefaultT, Path, Method>, 'lazy'>): import('nuxt/dist/app/composables/asyncData').AsyncData<import('nuxt/dist/app/composables/asyncData').PickFrom<DataT, PickKeys> | DefaultT, ErrorT | undefined>
+}
+
+declare module 'nitropack' {
+  interface NitroRouteRules {
+    auth?: import('${runtimeTypesPath}').AuthMeta
+  }
+  interface NitroRouteConfig {
+    auth?: import('${runtimeTypesPath}').AuthMeta
+  }
+  interface InternalApi extends _GeneratedAuthInternalApi {}
+}
 declare module 'nitropack/types' {
   interface NitroRouteRules {
-    auth?: import('${resolver.resolve("./runtime/types")}').AuthMeta
+    auth?: import('${runtimeTypesPath}').AuthMeta
+  }
+  interface NitroRouteConfig {
+    auth?: import('${runtimeTypesPath}').AuthMeta
   }
+  interface InternalApi extends _GeneratedAuthInternalApi {}
 }
+export {}
 `
-    });
-    nuxt.hook("builder:watch", async (_event, relativePath) => {
-      if (relativePath.includes("auth.config")) {
-        await updateTemplates({ filter: (t) => t.filename.includes("nuxt-better-auth") });
+  }, { nuxt: true, nitro: true, node: true });
+}
+function registerSharedTypeTemplates(input) {
+  addTypeTemplate({
+    filename: "types/nuxt-better-auth.d.ts",
+    getContents: () => `
+import type { AppSession } from '${input.runtimeTypesAugmentPath}'
+export * from '${input.runtimeTypesAugmentPath}'
+export type { AuthMeta, AuthMode, AuthRouteRules, AuthSocialProviderId, Auth, InferUser, InferSession } from '${input.runtimeTypesPath}'
+declare module 'h3' {
+  interface H3EventContext {
+    requestSession?: AppSession | null
+  }
+}
+`
+  });
+  addTypeTemplate({
+    filename: "types/nuxt-better-auth-client.d.ts",
+    getContents: () => `
+import type createAppAuthClient from '${input.clientConfigPath}'
+declare module '#nuxt-better-auth' {
+  export type AppAuthClient = ReturnType<typeof createAppAuthClient>
+}
+`
+  });
+}
+
+const consola = consola$1.withTag("nuxt-better-auth");
+async function createDefaultAuthConfigFiles(nuxt) {
+  const project = getLayerDirectories(nuxt)[0];
+  const rootDir = project.root;
+  const serverPath = join(project.server, "auth.config.ts");
+  const clientPath = join(project.app, "auth.config.ts");
+  const serverConfigFile = getEffectiveModuleConfigFile(nuxt, "server");
+  const clientConfigFile = getEffectiveModuleConfigFile(nuxt, "client");
+  const serverTemplate = `import { defineServerAuth } from '@onmax/nuxt-better-auth/config'
+
+export default defineServerAuth({
+  emailAndPassword: { enabled: true },
+})
+`;
+  const clientTemplate = `import { defineClientAuth } from '@onmax/nuxt-better-auth/config'
+
+export default defineClientAuth({})
+`;
+  if (shouldCreateDefaultModuleConfig(nuxt, "server", serverConfigFile)) {
+    await mkdir(dirname(serverPath), { recursive: true });
+    await writeFile(serverPath, serverTemplate);
+    consola.success(`Created ${relative(rootDir, serverPath)}`);
+  }
+  if (shouldCreateDefaultModuleConfig(nuxt, "client", clientConfigFile)) {
+    await mkdir(dirname(clientPath), { recursive: true });
+    await writeFile(clientPath, clientTemplate);
+    consola.success(`Created ${relative(rootDir, clientPath)}`);
+  }
+}
+const module$1 = defineNuxtModule({
+  meta: { name: "@onmax/nuxt-better-auth", version, configKey: "auth", compatibility: { nuxt: ">=4.0.0" } },
+  defaults: {
+    clientOnly: false,
+    serverConfig: "server/auth.config",
+    clientConfig: "app/auth.config",
+    redirects: { login: "/login", guest: "/" },
+    preserveRedirect: true,
+    redirectQueryKey: "redirect",
+    hubSecondaryStorage: false
+  },
+  async onInstall(nuxt) {
+    const configuredSecret = nuxt.options.runtimeConfig?.betterAuthSecret;
+    const generatedSecret = await promptForSecret(nuxt.options.rootDir, consola, { configuredSecret, prepare: Boolean(nuxt.options._prepare) });
+    if (generatedSecret)
+      process.env.NUXT_BETTER_AUTH_SECRET = generatedSecret;
+    await createDefaultAuthConfigFiles(nuxt);
+  },
+  async setup(options, nuxt) {
+    const resolver = createResolver(import.meta.url);
+    const clientOnly = options.clientOnly;
+    const serverConfigFile = options.serverConfig;
+    const clientConfigFile = options.clientConfig;
+    const { file: resolvedServerConfigFile, path: serverConfigPath } = resolveModuleConfigPath(nuxt, "server", serverConfigFile);
+    const { file: resolvedClientConfigFile, path: clientConfigPath } = resolveModuleConfigPath(nuxt, "client", clientConfigFile);
+    const serverConfigExists = existsSync(`${serverConfigPath}.ts`) || existsSync(`${serverConfigPath}.js`);
+    const clientConfigExists = existsSync(`${clientConfigPath}.ts`) || existsSync(`${clientConfigPath}.js`);
+    if (!clientOnly && !serverConfigExists)
+      throw new Error(`[nuxt-better-auth] Missing ${resolvedServerConfigFile}.ts - export default defineServerAuth(...)`);
+    if (!clientConfigExists)
+      throw new Error(`[nuxt-better-auth] Missing ${resolvedClientConfigFile}.ts - export default defineClientAuth(...)`);
+    const hasNuxtHub = hasNuxtModule("@nuxthub/core", nuxt);
+    const hub = hasNuxtHub ? nuxt.options.hub : void 0;
+    const hasHubDbAvailable = !clientOnly && hasNuxtHub && !!hub?.db;
+    let databaseProvider = "none";
+    let hasHubDb = false;
+    nuxt.options.alias["#nuxt-better-auth"] = resolver.resolve("./runtime/types/augment");
+    if (!clientOnly)
+      nuxt.options.alias["#auth/server"] = serverConfigPath;
+    nuxt.options.alias["#auth/client"] = clientConfigPath;
+    if (clientOnly) {
+      setupRuntimeConfig({
+        nuxt,
+        options,
+        clientOnly,
+        databaseProvider,
+        hasNuxtHub,
+        hub,
+        consola
+      });
+    } else {
+      const hubDialect = getHubDialect(hub) ?? "sqlite";
+      const usePlural = options.schema?.usePlural ?? false;
+      const camelCase = (options.schema?.casing ?? getHubCasing(hub)) !== "snake_case";
+      const providers = {
+        nuxthub: {
+          priority: 100,
+          isEnabled: ({ hasHubDbAvailable: hasHubDbAvailable2 }) => hasHubDbAvailable2,
+          buildDatabaseCode: () => buildDatabaseCode({
+            provider: "nuxthub",
+            hubDialect,
+            usePlural,
+            camelCase
+          })
+        },
+        none: {
+          priority: 0,
+          buildDatabaseCode: () => buildDatabaseCode({
+            provider: "none",
+            hubDialect,
+            usePlural,
+            camelCase
+          })
+        }
+      };
+      const enabledCtx = { nuxt, options, clientOnly, hasHubDbAvailable };
+      await nuxt.callHook("better-auth:database:providers", providers);
+      const resolvedProvider = resolveDatabaseProvider({ providers, context: enabledCtx });
+      databaseProvider = resolvedProvider.id;
+      hasHubDb = databaseProvider === "nuxthub";
+      const { useHubKV } = setupRuntimeConfig({
+        nuxt,
+        options,
+        clientOnly,
+        databaseProvider,
+        hasNuxtHub,
+        hub,
+        consola
+      });
+      if (useHubKV && !nuxt.options.alias["hub:kv"]) {
+        throw new Error("[nuxt-better-auth] hub:kv not found. Ensure @nuxthub/core is loaded before this module and hub.kv is enabled.");
       }
-    });
-    addServerImportsDir(resolver.resolve("./runtime/server/utils"));
-    addServerScanDir(resolver.resolve("./runtime/server/middleware"));
-    addServerHandler({ route: "/api/auth/**", handler: resolver.resolve("./runtime/server/api/auth/[...all]") });
-    addImportsDir(resolver.resolve("./runtime/app/composables"));
-    addImportsDir(resolver.resolve("./runtime/utils"));
-    addPlugin({ src: resolver.resolve("./runtime/app/plugins/session.server"), mode: "server" });
-    addPlugin({ src: resolver.resolve("./runtime/app/plugins/session.client"), mode: "client" });
-    addComponentsDir({ path: resolver.resolve("./runtime/app/components") });
-    nuxt.hook("app:resolve", (app) => {
-      app.middleware.push({ name: "auth", path: resolver.resolve("./runtime/app/middleware/auth.global"), global: true });
-    });
-    if (hasHubDb) {
-      await setupBetterAuthSchema(nuxt, serverConfigPath, options);
-    }
-    const isProduction = process.env.NODE_ENV === "production" || !nuxt.options.dev;
-    if (!isProduction) {
-      setupDevTools(nuxt);
-      addServerHandler({ route: "/api/_better-auth/config", method: "get", handler: resolver.resolve("./runtime/server/api/_better-auth/config.get") });
-      if (hasHubDb) {
-        addServerHandler({ route: "/api/_better-auth/sessions", method: "get", handler: resolver.resolve("./runtime/server/api/_better-auth/sessions.get") });
-        addServerHandler({ route: "/api/_better-auth/sessions", method: "delete", handler: resolver.resolve("./runtime/server/api/_better-auth/sessions.delete") });
-        addServerHandler({ route: "/api/_better-auth/users", method: "get", handler: resolver.resolve("./runtime/server/api/_better-auth/users.get") });
-        addServerHandler({ route: "/api/_better-auth/accounts", method: "get", handler: resolver.resolve("./runtime/server/api/_better-auth/accounts.get") });
+      const secondaryStorageTemplate = addTemplate({
+        filename: "better-auth/secondary-storage.mjs",
+        getContents: () => buildSecondaryStorageCode(useHubKV),
+        write: true
+      });
+      nuxt.options.alias["#auth/secondary-storage"] = secondaryStorageTemplate.dst;
+      if (hasHubDb && !nuxt.options.alias["hub:db"]) {
+        throw new Error("[nuxt-better-auth] hub:db not found. Ensure @nuxthub/core is loaded before this module and hub.db is configured.");
       }
-      extendPages((pages) => {
-        pages.push({ name: "better-auth-devtools", path: "/__better-auth-devtools", file: resolver.resolve("./runtime/app/pages/__better-auth-devtools.vue") });
+      const setupCtx = { nuxt, options, clientOnly };
+      await resolvedProvider.definition.setup?.(setupCtx);
+      const buildCtx = { hubDialect, usePlural, camelCase };
+      const databaseTemplate = addTemplate({
+        filename: "better-auth/database.mjs",
+        getContents: () => resolvedProvider.definition.buildDatabaseCode(buildCtx),
+        write: true
+      });
+      nuxt.options.alias["#auth/database"] = databaseTemplate.dst;
+      const schemaTemplate = addTemplate({
+        filename: "better-auth/schema.mjs",
+        getContents: () => {
+          if (!hasHubDb)
+            return "export const schema = undefined\n";
+          return `export * from './schema.${hubDialect}.mjs'
+import * as schema from './schema.${hubDialect}.mjs'
+export { schema }
+`;
+        },
+        write: true
+      });
+      nuxt.options.alias["#auth/schema"] = schemaTemplate.dst;
+      registerServerTypeTemplates({
+        serverConfigPath,
+        hasHubDb,
+        runtimeTypesPath: resolver.resolve("./runtime/types")
       });
+      if (hasHubDb)
+        await setupBetterAuthSchema(nuxt, serverConfigPath, options, consola, options.hubSecondaryStorage ?? false);
     }
-    nuxt.hook("pages:extend", (pages) => {
-      const routeRules = nuxt.options.routeRules || {};
-      if (!Object.keys(routeRules).length)
-        return;
-      const matcher = toRouteMatcher(createRouter({ routes: routeRules }));
-      const applyMetaFromRules = (page) => {
-        const matches = matcher.matchAll(page.path);
-        if (!matches.length)
-          return;
-        const matchedRules = defu({}, ...matches.reverse());
-        if (matchedRules.auth !== void 0) {
-          page.meta = page.meta || {};
-          page.meta.auth = matchedRules.auth;
-        }
-        page.children?.forEach((child) => applyMetaFromRules(child));
-      };
-      pages.forEach((page) => applyMetaFromRules(page));
+    registerSharedTypeTemplates({
+      runtimeTypesAugmentPath: resolver.resolve("./runtime/types/augment"),
+      runtimeTypesPath: resolver.resolve("./runtime/types"),
+      clientConfigPath
+    });
+    const runtimeRouteRulesSource = nuxt.options.nitro?.routeRules || nuxt.options.routeRules || {};
+    const authRouteRules = Object.fromEntries(
+      Object.entries(runtimeRouteRulesSource).flatMap(([path, rule]) => {
+        if (!rule || typeof rule !== "object" || !("auth" in rule))
+          return [];
+        return [[path, { auth: rule.auth }]];
+      })
+    );
+    const authRouteRulesTemplate = addTemplate({
+      filename: "better-auth/route-rules.mjs",
+      getContents: () => `export const authRouteRules = ${JSON.stringify(authRouteRules, null, 2)}
+`,
+      write: true
     });
+    nuxt.options.alias["#auth/route-rules"] = authRouteRulesTemplate.dst;
+    registerTemplateHmrHook(nuxt);
+    registerServerRuntime({ clientOnly, resolve: resolver.resolve });
+    registerAuthMiddlewareHook(nuxt, resolver.resolve);
+    await registerDevtools({ nuxt, clientOnly, hasHubDb, resolve: resolver.resolve });
+    registerRouteRulesMetaHook(nuxt);
   }
 });
-async function setupBetterAuthSchema(nuxt, serverConfigPath, options) {
-  const hub = nuxt.options.hub;
-  const dialect = typeof hub?.db === "string" ? hub.db : typeof hub?.db === "object" ? hub.db.dialect : void 0;
-  if (!dialect || !["sqlite", "postgresql", "mysql"].includes(dialect)) {
-    consola.warn(`Unsupported database dialect: ${dialect}`);
-    return;
-  }
-  const isProduction = !nuxt.options.dev;
-  try {
-    const configFile = `${serverConfigPath}.ts`;
-    const userConfig = await loadUserAuthConfig(configFile, isProduction);
-    const extendedConfig = {};
-    await nuxt.callHook("better-auth:config:extend", extendedConfig);
-    const plugins = [...userConfig.plugins || [], ...extendedConfig.plugins || []];
-    const { getAuthTables } = await import('better-auth/db');
-    const tables = getAuthTables({ plugins });
-    const useUuid = userConfig.advanced?.database?.generateId === "uuid";
-    const schemaOptions = { ...options.schema, useUuid };
-    const schemaCode = generateDrizzleSchema(tables, dialect, schemaOptions);
-    const schemaDir = join(nuxt.options.buildDir, "better-auth");
-    const schemaPath = join(schemaDir, `schema.${dialect}.ts`);
-    await mkdir(schemaDir, { recursive: true });
-    await writeFile(schemaPath, schemaCode);
-    addTemplate({ filename: `better-auth/schema.${dialect}.ts`, getContents: () => schemaCode, write: true });
-    consola.info(`Generated ${dialect} schema with ${Object.keys(tables).length} tables`);
-  } catch (error) {
-    if (isProduction) {
-      throw error;
-    }
-    consola.error("Failed to generate schema:", error);
-  }
-  const nuxtWithHubHooks = nuxt;
-  nuxtWithHubHooks.hook("hub:db:schema:extend", ({ paths, dialect: hookDialect }) => {
-    const schemaPath = join(nuxt.options.buildDir, "better-auth", `schema.${hookDialect}.ts`);
-    if (existsSync(schemaPath)) {
-      paths.unshift(schemaPath);
-    }
-  });
-}
 
 export { module$1 as default };