@onmax/nuxt-better-auth 0.0.2-alpha.3 → 0.0.2-alpha.31

package/dist/runtime/server/utils/auth.d.ts

@@ -1,10 +1,8 @@
 import type { H3Event } from 'h3';
+import createServerAuth from '#auth/server';
 import { betterAuth } from 'better-auth';
-type AuthInstance = ReturnType<typeof betterAuth>;
-declare module 'h3' {
-    interface H3EventContext {
-        _betterAuth?: AuthInstance;
-    }
-}
-export declare function serverAuth(event: H3Event): Promise<AuthInstance>;
+type AuthOptions = ReturnType<typeof createServerAuth>;
+type AuthInstance = ReturnType<typeof betterAuth<AuthOptions>>;
+/** Returns Better Auth instance. Caches per resolved host (or single instance when siteUrl is explicit). */
+export declare function serverAuth(event?: H3Event): AuthInstance;
 export {};

package/dist/runtime/server/utils/auth.js

@@ -2,31 +2,211 @@ import { createDatabase, db } from "#auth/database";
 import { createSecondaryStorage } from "#auth/secondary-storage";
 import createServerAuth from "#auth/server";
 import { betterAuth } from "better-auth";
-import { consola } from "consola";
-import { getRequestURL } from "h3";
+import { getRequestHost, getRequestProtocol } from "h3";
 import { useRuntimeConfig } from "nitropack/runtime";
-const logger = consola.withTag("nuxt-better-auth");
-function getBaseURL(event, siteUrl) {
-  if (siteUrl)
-    return siteUrl;
-  const origin = getRequestURL(event).origin;
-  if (process.env.NODE_ENV === "production")
-    throw new Error("siteUrl must be configured in production. Set NUXT_PUBLIC_SITE_URL or configure in nuxt.config.");
-  logger.warn("siteUrl not set, auto-detected:", origin);
+import { withoutProtocol } from "ufo";
+import { resolveCustomSecondaryStorageRequirement } from "./custom-secondary-storage.js";
+const _authCache = /* @__PURE__ */ new Map();
+let _baseURLInferenceLogged = false;
+let _customSecondaryStorageMisconfigWarned = false;
+function normalizeLoopbackOrigin(origin) {
+  if (!import.meta.dev)
+    return origin;
+  try {
+    const url = new URL(origin);
+    if (url.hostname === "127.0.0.1" || url.hostname === "::1" || url.hostname === "[::1]") {
+      url.hostname = "localhost";
+      return url.origin;
+    }
+  } catch {
+  }
   return origin;
 }
-export async function serverAuth(event) {
-  if (event.context._betterAuth)
-    return event.context._betterAuth;
+function logInferredBaseURL(baseURL, source) {
+  if (!import.meta.dev || _baseURLInferenceLogged)
+    return;
+  _baseURLInferenceLogged = true;
+  console.warn(`[nuxt-better-auth] Using inferred baseURL "${baseURL}" from ${source}. Set runtimeConfig.public.siteUrl for deterministic OAuth callbacks.`);
+}
+function validateURL(url) {
+  try {
+    return normalizeLoopbackOrigin(new URL(url).origin);
+  } catch {
+    throw new Error(`Invalid siteUrl: "${url}". Must be a valid URL.`);
+  }
+}
+function resolveConfiguredSiteUrl(config) {
+  if (typeof config.public.siteUrl !== "string" || !config.public.siteUrl)
+    return void 0;
+  return validateURL(config.public.siteUrl);
+}
+function resolveEventOrigin(event) {
+  if (!event)
+    return void 0;
+  const host = getRequestHost(event, { xForwardedHost: true });
+  const protocol = getRequestProtocol(event, { xForwardedProto: true });
+  if (!host || !protocol)
+    return void 0;
+  try {
+    return validateURL(`${protocol}://${host}`);
+  } catch {
+    return void 0;
+  }
+}
+function getNitroOrigin() {
+  const cert = process.env.NITRO_SSL_CERT;
+  const key = process.env.NITRO_SSL_KEY;
+  let host = process.env.NITRO_HOST || process.env.HOST;
+  let port;
+  if (import.meta.dev)
+    port = process.env.NITRO_PORT || process.env.PORT || "3000";
+  let protocol = cert && key || !import.meta.dev ? "https" : "http";
+  try {
+    if ((import.meta.dev || import.meta.prerender) && process.env.__NUXT_DEV__) {
+      const origin = JSON.parse(process.env.__NUXT_DEV__).proxy.url;
+      host = withoutProtocol(origin);
+      protocol = origin.includes("https") ? "https" : "http";
+    } else if ((import.meta.dev || import.meta.prerender) && process.env.NUXT_VITE_NODE_OPTIONS) {
+      const origin = JSON.parse(process.env.NUXT_VITE_NODE_OPTIONS).baseURL.replace("/__nuxt_vite_node__", "");
+      host = withoutProtocol(origin);
+      protocol = origin.includes("https") ? "https" : "http";
+    }
+  } catch {
+  }
+  if (!host)
+    return void 0;
+  if (host.startsWith("[") && host.includes("]:")) {
+    const lastBracketColon = host.lastIndexOf("]:");
+    const extractedPort = host.slice(lastBracketColon + 2);
+    host = host.slice(0, lastBracketColon + 1);
+    if (extractedPort)
+      port = extractedPort;
+  } else if (host.includes(":") && !host.startsWith("[")) {
+    const hostParts = host.split(":");
+    port = hostParts.pop();
+    host = hostParts.join(":");
+  }
+  const portSuffix = port ? `:${port}` : "";
+  return `${protocol}://${host}${portSuffix}`;
+}
+function resolveEnvironmentOrigin() {
+  const nitroOrigin = getNitroOrigin();
+  if (nitroOrigin)
+    return { origin: validateURL(nitroOrigin), source: "Nitro environment detection" };
+  if (process.env.VERCEL_URL)
+    return { origin: validateURL(`https://${process.env.VERCEL_URL}`), source: "VERCEL_URL" };
+  if (process.env.CF_PAGES_URL)
+    return { origin: validateURL(`https://${process.env.CF_PAGES_URL}`), source: "CF_PAGES_URL" };
+  if (process.env.URL)
+    return { origin: validateURL(process.env.URL.startsWith("http") ? process.env.URL : `https://${process.env.URL}`), source: "URL" };
+  return void 0;
+}
+function resolveDevFallback() {
+  if (!import.meta.dev)
+    return void 0;
+  return { origin: "http://localhost:3000", source: "development fallback" };
+}
+function getBaseURL(event) {
+  const config = useRuntimeConfig();
+  const configuredSiteUrl = resolveConfiguredSiteUrl(config);
+  if (configuredSiteUrl)
+    return configuredSiteUrl;
+  const eventOrigin = resolveEventOrigin(event);
+  if (eventOrigin) {
+    logInferredBaseURL(eventOrigin, "request origin");
+    return eventOrigin;
+  }
+  const environmentOrigin = resolveEnvironmentOrigin();
+  if (environmentOrigin) {
+    logInferredBaseURL(environmentOrigin.origin, environmentOrigin.source);
+    return environmentOrigin.origin;
+  }
+  const devFallback = resolveDevFallback();
+  if (devFallback) {
+    logInferredBaseURL(devFallback.origin, devFallback.source);
+    return devFallback.origin;
+  }
+  throw new Error("siteUrl required. Set NUXT_PUBLIC_SITE_URL.");
+}
+function dedupeOrigins(origins) {
+  return [...new Set(origins)];
+}
+function getDevTrustedOrigins() {
+  const fallbackOrigin = "http://localhost:3000";
+  const nitroOrigin = getNitroOrigin();
+  if (!nitroOrigin)
+    return [fallbackOrigin];
+  try {
+    const url = new URL(nitroOrigin);
+    const protocol = url.protocol === "https:" ? "https" : "http";
+    const port = url.port || "3000";
+    const localhostOrigin = `${protocol}://localhost:${port}`;
+    return dedupeOrigins([localhostOrigin, url.origin]);
+  } catch {
+    return [fallbackOrigin];
+  }
+}
+function getRequestOrigin(request) {
+  if (!request)
+    return void 0;
+  try {
+    return new URL(request.url).origin;
+  } catch {
+    return void 0;
+  }
+}
+function withDevTrustedOrigins(trustedOrigins, hasExplicitSiteUrl) {
+  if (!import.meta.dev || !hasExplicitSiteUrl)
+    return trustedOrigins;
+  const devOrigins = getDevTrustedOrigins();
+  const mergeOrigins = (origins, request) => {
+    const validOrigins = origins.filter((origin) => typeof origin === "string");
+    const requestOrigin = getRequestOrigin(request);
+    return dedupeOrigins(requestOrigin ? [...validOrigins, ...devOrigins, requestOrigin] : [...validOrigins, ...devOrigins]);
+  };
+  if (typeof trustedOrigins === "function") {
+    return async (request) => {
+      const resolvedOrigins = await trustedOrigins(request);
+      return mergeOrigins(resolvedOrigins, request);
+    };
+  }
+  if (Array.isArray(trustedOrigins)) {
+    const baseOrigins = mergeOrigins(trustedOrigins);
+    return async (request) => {
+      return mergeOrigins(baseOrigins, request);
+    };
+  }
+  return async (request) => {
+    return mergeOrigins([], request);
+  };
+}
+export function serverAuth(event) {
   const runtimeConfig = useRuntimeConfig();
+  const siteUrl = getBaseURL(event);
+  const hasExplicitSiteUrl = runtimeConfig.public.siteUrl && typeof runtimeConfig.public.siteUrl === "string";
+  const cacheKey = hasExplicitSiteUrl ? "__explicit__" : siteUrl;
+  const cached = _authCache.get(cacheKey);
+  if (cached)
+    return cached;
   const database = createDatabase();
   const userConfig = createServerAuth({ runtimeConfig, db });
-  event.context._betterAuth = betterAuth({
+  const trustedOrigins = withDevTrustedOrigins(userConfig.trustedOrigins, Boolean(hasExplicitSiteUrl));
+  const hubSecondaryStorage = runtimeConfig.auth?.hubSecondaryStorage;
+  const customSecondaryStorage = resolveCustomSecondaryStorageRequirement(hubSecondaryStorage, userConfig.secondaryStorage != null, Boolean(import.meta.dev));
+  if (customSecondaryStorage?.shouldThrow)
+    throw new Error(customSecondaryStorage.message);
+  if (customSecondaryStorage?.shouldWarn && !_customSecondaryStorageMisconfigWarned) {
+    _customSecondaryStorageMisconfigWarned = true;
+    console.warn(customSecondaryStorage.message);
+  }
+  const auth = betterAuth({
     ...userConfig,
     ...database && { database },
-    secondaryStorage: createSecondaryStorage(),
+    ...hubSecondaryStorage === true && { secondaryStorage: createSecondaryStorage() },
     secret: runtimeConfig.betterAuthSecret,
-    baseURL: getBaseURL(event, runtimeConfig.public.siteUrl)
+    baseURL: siteUrl,
+    trustedOrigins
   });
-  return event.context._betterAuth;
+  _authCache.set(cacheKey, auth);
+  return auth;
 }

package/dist/runtime/server/utils/custom-secondary-storage.d.ts

@@ -0,0 +1,6 @@
+export type HubSecondaryStorageMode = boolean | 'custom' | undefined;
+export declare function resolveCustomSecondaryStorageRequirement(hubSecondaryStorage: HubSecondaryStorageMode, userHasSecondaryStorage: boolean, isDev: boolean): {
+    shouldThrow: boolean;
+    shouldWarn: boolean;
+    message: string;
+} | null;

package/dist/runtime/server/utils/custom-secondary-storage.js

@@ -0,0 +1,8 @@
+export function resolveCustomSecondaryStorageRequirement(hubSecondaryStorage, userHasSecondaryStorage, isDev) {
+  if (hubSecondaryStorage !== "custom")
+    return null;
+  if (userHasSecondaryStorage)
+    return null;
+  const message = '[nuxt-better-auth] hubSecondaryStorage: "custom" requires secondaryStorage in defineServerAuth().';
+  return { shouldThrow: !isDev, shouldWarn: isDev, message };
+}

package/dist/runtime/server/utils/session.d.ts

@@ -1,9 +1,5 @@
+import type { AppSession, RequireSessionOptions } from '#nuxt-better-auth';
 import type { H3Event } from 'h3';
-import type { AuthSession, AuthUser, RequireSessionOptions } from '../../types.js';
-interface FullSession {
-    user: AuthUser;
-    session: AuthSession;
-}
-export declare function getUserSession(event: H3Event): Promise<FullSession | null>;
-export declare function requireUserSession(event: H3Event, options?: RequireSessionOptions): Promise<FullSession>;
-export {};
+export declare function getRequestSession(event: H3Event): Promise<AppSession | null>;
+export declare function getUserSession(event: H3Event): Promise<AppSession | null>;
+export declare function requireUserSession(event: H3Event, options?: RequireSessionOptions): Promise<AppSession>;

package/dist/runtime/server/utils/session.js

@@ -1,12 +1,51 @@
 import { createError } from "h3";
 import { matchesUser } from "../../utils/match-user.js";
+import { serverAuth } from "./auth.js";
+const requestSessionLoadKey = Symbol.for("nuxt-better-auth.requestSessionLoad");
+const fallbackRequestSessionContext = /* @__PURE__ */ new WeakMap();
+function getRequestSessionContext(event) {
+  const eventWithContext = event;
+  if (eventWithContext.context && typeof eventWithContext.context === "object")
+    return eventWithContext.context;
+  let context = fallbackRequestSessionContext.get(event);
+  if (!context) {
+    context = {};
+    fallbackRequestSessionContext.set(event, context);
+  }
+  return context;
+}
+function loadSession(event) {
+  const auth = serverAuth(event);
+  return auth.api.getSession({ headers: event.headers });
+}
+export async function getRequestSession(event) {
+  const context = getRequestSessionContext(event);
+  if (context.requestSession !== void 0)
+    return context.requestSession;
+  const inFlight = context[requestSessionLoadKey];
+  if (inFlight)
+    return inFlight;
+  const load = loadSession(event);
+  context[requestSessionLoadKey] = load;
+  try {
+    const session = await load;
+    context.requestSession = session;
+    return session;
+  } finally {
+    delete context[requestSessionLoadKey];
+  }
+}
 export async function getUserSession(event) {
-  const auth = await serverAuth(event);
-  const session = await auth.api.getSession({ headers: event.headers });
-  return session;
+  const context = getRequestSessionContext(event);
+  if (context.requestSession !== void 0)
+    return context.requestSession;
+  const inFlight = context[requestSessionLoadKey];
+  if (inFlight)
+    return inFlight;
+  return loadSession(event);
 }
 export async function requireUserSession(event, options) {
-  const session = await getUserSession(event);
+  const session = await getRequestSession(event);
   if (!session)
     throw createError({ statusCode: 401, statusMessage: "Authentication required" });
   if (options?.user) {

package/dist/runtime/server/virtual-modules.d.ts

@@ -0,0 +1,22 @@
+declare module '#auth/database' {
+  export const db: any
+  export function createDatabase(...args: any[]): any
+}
+
+declare module '#auth/secondary-storage' {
+  export function createSecondaryStorage(...args: any[]): any
+}
+
+declare module '#auth/schema' {
+  export const schema: any
+}
+
+declare module '#auth/server' {
+  const createServerAuth: any
+  export default createServerAuth
+}
+
+declare module '@nuxthub/db' {
+  export const db: any
+  export const schema: any
+}

package/dist/runtime/types/augment.d.ts

@@ -22,6 +22,8 @@ export interface ServerAuthContext {
     runtimeConfig: Record<string, unknown>;
     db: unknown;
 }
+export interface AuthSocialProviderRegistry {
+}
 export interface UserSessionComposable {
     client: unknown;
     user: Ref<AuthUser | null>;
@@ -37,6 +39,20 @@ export interface UserSessionComposable {
     waitForSession: () => Promise<void>;
     signOut: (options?: {
         onSuccess?: () => void | Promise<void>;
-    }) => Promise<unknown>;
-    updateUser: (updates: Partial<AuthUser>) => void;
+    }) => Promise<void>;
+    updateUser: (updates: Partial<AuthUser>) => Promise<void>;
+}
+export type UserMatch<T> = {
+    [K in keyof T]?: T[K] | T[K][];
+};
+export interface AppSession {
+    user: AuthUser;
+    session: AuthSession;
+}
+export interface RequireSessionOptions {
+    user?: UserMatch<AuthUser>;
+    rule?: (ctx: {
+        user: AuthUser;
+        session: AuthSession;
+    }) => boolean | Promise<boolean>;
 }

package/dist/runtime/types.d.ts

@@ -1,11 +1,17 @@
+import type { AuthSocialProviderRegistry, AuthUser, UserMatch } from '#nuxt-better-auth';
 import type { NitroRouteRules } from 'nitropack/types';
-import type { AuthSession, AuthUser } from './types/augment.js';
-export type { AuthSession, AuthUser, ServerAuthContext, UserSessionComposable } from './types/augment.js';
-export type { Auth, InferSession, InferUser } from 'better-auth';
+export type { AppSession, AuthSession, AuthSocialProviderRegistry, AuthUser, RequireSessionOptions, ServerAuthContext, UserMatch, UserSessionComposable } from './types/augment.js';
+export type AuthSocialProviderId = AuthSocialProviderRegistry extends {
+    ids: infer T;
+} ? Extract<T, string> : never;
+export type { Auth, InferPluginTypes, InferSessionFromClient as InferSession, InferUserFromClient as InferUser } from 'better-auth';
+export interface AuthActionError {
+    message: string;
+    code?: string;
+    status?: number;
+    raw: unknown;
+}
 export type AuthMode = 'guest' | 'user';
-export type UserMatch<T> = {
-    [K in keyof T]?: T[K] | T[K][];
-};
 export type AuthMeta = false | AuthMode | {
     only?: AuthMode;
     redirectTo?: string;
@@ -14,10 +20,3 @@ export type AuthMeta = false | AuthMode | {
 export type AuthRouteRules = NitroRouteRules & {
     auth?: AuthMeta;
 };
-export interface RequireSessionOptions {
-    user?: UserMatch<AuthUser>;
-    rule?: (ctx: {
-        user: AuthUser;
-        session: AuthSession;
-    }) => boolean | Promise<boolean>;
-}

package/dist/types.d.mts

@@ -6,6 +6,6 @@ export type ModuleOptions = typeof Module extends NuxtModule<infer O> ? Partial<
 
 export { type BetterAuthModuleOptions, type defineClientAuth, type defineServerAuth } from '../dist/runtime/config.js'
 
-export { type Auth, type AuthMeta, type AuthMode, type AuthRouteRules, type AuthSession, type AuthUser, type InferSession, type InferUser, type RequireSessionOptions, type ServerAuthContext, type UserMatch } from '../dist/runtime/types.js'
+export { type AppSession, type Auth, type AuthActionError, type AuthMeta, type AuthMode, type AuthRouteRules, type AuthSession, type AuthSocialProviderId, type AuthUser, type InferSession, type InferUser, type RequireSessionOptions, type ServerAuthContext, type UserMatch } from '../dist/runtime/types.js'
 
 export { default } from './module.mjs'

package/package.json

@@ -1,14 +1,15 @@
 {
   "name": "@onmax/nuxt-better-auth",
   "type": "module",
-  "version": "0.0.2-alpha.3",
+  "version": "0.0.2-alpha.31",
   "packageManager": "pnpm@10.15.1",
   "description": "Nuxt module for Better Auth integration with NuxtHub, route protection, session management, and role-based access",
   "author": "onmax",
   "license": "MIT",
+  "homepage": "https://better-auth.nuxt.dev",
   "repository": {
     "type": "git",
-    "url": "https://github.com/onmax/nuxt-better-auth"
+    "url": "https://github.com/nuxt-modules/better-auth"
   },
   "exports": {
     ".": {
@@ -41,16 +42,17 @@
     "dev:prepare": "nuxt-module-build build --stub && nuxi prepare playground",
     "dev:docs": "nuxi dev docs",
     "build:docs": "nuxi build docs",
-    "release": "bumpp && git push --follow-tags",
+    "release": "bumpp --push --no-push-all",
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
     "typecheck": "vue-tsc --noEmit",
-    "typecheck:playground": "cd playground && vue-tsc --noEmit",
+    "typecheck:runtime-server": "tsc --noEmit --pretty false -p src/runtime/server/tsconfig.json",
+    "typecheck:playground": "pnpm -C playground exec nuxi prepare && pnpm -C playground exec vue-tsc --noEmit -p .nuxt/tsconfig.app.json",
     "test": "vitest run",
     "test:watch": "vitest watch"
   },
   "peerDependencies": {
-    "@nuxthub/core": ">=0.10.0",
+    "@nuxthub/core": ">=0.10.5",
     "better-auth": ">=1.0.0"
   },
   "peerDependenciesMeta": {
@@ -59,54 +61,42 @@
     }
   },
   "dependencies": {
-    "@nuxt/kit": "^4.2.2",
+    "@better-auth/cli": "1.5.0-beta.13",
+    "@nuxt/kit": "^4.3.1",
+    "@nuxt/ui": "^4.5.0",
     "defu": "^6.1.4",
-    "jiti": "^2.4.2",
+    "jiti": "^2.6.1",
     "pathe": "^2.0.3",
-    "radix3": "^1.1.2"
+    "radix3": "^1.1.2",
+    "std-env": "^4.0.0"
   },
   "devDependencies": {
-    "@antfu/eslint-config": "^4.12.0",
-    "@better-auth/cli": "^1.4.6",
-    "@libsql/client": "^0.15.15",
-    "@nuxt/devtools": "^3.1.1",
-    "@nuxt/devtools-kit": "^3.1.1",
+    "@antfu/eslint-config": "^7.6.1",
+    "@libsql/client": "^0.17.0",
+    "@libsql/linux-x64-gnu": "0.5.22",
+    "@nuxt/devtools": "^3.2.3",
+    "@nuxt/devtools-kit": "^3.2.2",
     "@nuxt/module-builder": "^1.0.2",
-    "@nuxt/schema": "^4.2.2",
-    "@nuxt/test-utils": "^3.21.0",
-    "@nuxthub/core": "^0.10.3",
+    "@nuxt/schema": "^4.3.1",
+    "@nuxt/test-utils": "^4.0.0",
+    "@nuxthub/core": "^0.10.6",
     "@types/better-sqlite3": "^7.6.13",
     "@types/node": "latest",
-    "better-auth": "^1.4.7",
-    "better-sqlite3": "^11.9.1",
-    "bumpp": "^10.3.2",
+    "better-auth": "1.5.5",
+    "better-sqlite3": "^12.6.2",
+    "bumpp": "^11.0.0",
     "changelogen": "^0.6.2",
     "consola": "^3.4.2",
-    "drizzle-kit": "^0.31.8",
-    "drizzle-orm": "^0.38.4",
-    "eslint": "^9.39.1",
-    "nuxt": "^4.2.2",
+    "drizzle-kit": "^0.31.9",
+    "drizzle-orm": "^0.45.1",
+    "eslint": "^10.0.3",
+    "npm-agentskills": "https://pkg.pr.new/onmax/npm-agentskills@394499e",
+    "nuxt": "^4.3.1",
     "tinyexec": "^1.0.2",
     "typescript": "~5.9.3",
-    "vitest": "^4.0.15",
-    "vitest-package-exports": "^0.1.1",
-    "vue-tsc": "^3.1.7",
+    "vitest": "^4.0.18",
+    "vitest-package-exports": "^1.2.0",
+    "vue-tsc": "^3.2.5",
     "yaml": "^2.8.2"
-  },
-  "pnpm": {
-    "onlyBuiltDependencies": [
-      "@parcel/watcher",
-      "better-sqlite3",
-      "esbuild",
-      "sharp",
-      "workerd"
-    ],
-    "patchedDependencies": {
-      "@peculiar/x509@1.14.2": "patches/@peculiar__x509@1.14.2.patch",
-      "unenv@2.0.0-rc.24": "patches/unenv@2.0.0-rc.24.patch"
-    },
-    "overrides": {
-      "reka-ui": "^2.6.1"
-    }
   }
 }