@onmax/nuxt-better-auth 0.0.2-alpha.31 → 0.0.2-alpha.32

package/dist/runtime/server/utils/auth.js

@@ -1,14 +1,27 @@
-import { createDatabase, db } from "#auth/database";
-import { createSecondaryStorage } from "#auth/secondary-storage";
-import createServerAuth from "#auth/server";
 import { betterAuth } from "better-auth";
 import { getRequestHost, getRequestProtocol } from "h3";
 import { useRuntimeConfig } from "nitropack/runtime";
 import { withoutProtocol } from "ufo";
+import { createDatabase, db } from "#auth/database";
+import { createSecondaryStorage } from "#auth/secondary-storage";
+import createServerAuth from "#auth/server";
 import { resolveCustomSecondaryStorageRequirement } from "./custom-secondary-storage.js";
 const _authCache = /* @__PURE__ */ new Map();
+const requestAuthKey = Symbol.for("nuxt-better-auth.requestAuth");
 let _baseURLInferenceLogged = false;
 let _customSecondaryStorageMisconfigWarned = false;
+const fallbackRequestAuthContext = /* @__PURE__ */ new WeakMap();
+function getRequestAuthContext(event) {
+  const eventWithContext = event;
+  if (eventWithContext.context && typeof eventWithContext.context === "object")
+    return eventWithContext.context;
+  let context = fallbackRequestAuthContext.get(event);
+  if (!context) {
+    context = {};
+    fallbackRequestAuthContext.set(event, context);
+  }
+  return context;
+}
 function normalizeLoopbackOrigin(origin) {
   if (!import.meta.dev)
     return origin;
@@ -155,8 +168,8 @@ function getRequestOrigin(request) {
     return void 0;
   }
 }
-function withDevTrustedOrigins(trustedOrigins, hasExplicitSiteUrl) {
-  if (!import.meta.dev || !hasExplicitSiteUrl)
+function withDevTrustedOrigins(trustedOrigins) {
+  if (!import.meta.dev)
     return trustedOrigins;
   const devOrigins = getDevTrustedOrigins();
   const mergeOrigins = (origins, request) => {
@@ -183,14 +196,15 @@ function withDevTrustedOrigins(trustedOrigins, hasExplicitSiteUrl) {
 export function serverAuth(event) {
   const runtimeConfig = useRuntimeConfig();
   const siteUrl = getBaseURL(event);
+  const requestOrigin = resolveEventOrigin(event);
   const hasExplicitSiteUrl = runtimeConfig.public.siteUrl && typeof runtimeConfig.public.siteUrl === "string";
   const cacheKey = hasExplicitSiteUrl ? "__explicit__" : siteUrl;
-  const cached = _authCache.get(cacheKey);
-  if (cached)
-    return cached;
-  const database = createDatabase();
-  const userConfig = createServerAuth({ runtimeConfig, db });
-  const trustedOrigins = withDevTrustedOrigins(userConfig.trustedOrigins, Boolean(hasExplicitSiteUrl));
+  const requestContext = event ? getRequestAuthContext(event) : void 0;
+  if (requestContext?.[requestAuthKey])
+    return requestContext[requestAuthKey];
+  const database = createDatabase(event);
+  const userConfig = createServerAuth({ runtimeConfig, db, requestOrigin });
+  const trustedOrigins = withDevTrustedOrigins(userConfig.trustedOrigins);
   const hubSecondaryStorage = runtimeConfig.auth?.hubSecondaryStorage;
   const customSecondaryStorage = resolveCustomSecondaryStorageRequirement(hubSecondaryStorage, userConfig.secondaryStorage != null, Boolean(import.meta.dev));
   if (customSecondaryStorage?.shouldThrow)
@@ -199,14 +213,26 @@ export function serverAuth(event) {
     _customSecondaryStorageMisconfigWarned = true;
     console.warn(customSecondaryStorage.message);
   }
-  const auth = betterAuth({
+  if (!database) {
+    const cached = _authCache.get(cacheKey);
+    if (cached) {
+      if (requestContext)
+        requestContext[requestAuthKey] = cached;
+      return cached;
+    }
+  }
+  const authOptions = {
     ...userConfig,
-    ...database && { database },
-    ...hubSecondaryStorage === true && { secondaryStorage: createSecondaryStorage() },
+    ...database ? { database } : {},
+    ...hubSecondaryStorage === true ? { secondaryStorage: createSecondaryStorage() } : {},
     secret: runtimeConfig.betterAuthSecret,
     baseURL: siteUrl,
     trustedOrigins
-  });
-  _authCache.set(cacheKey, auth);
+  };
+  const auth = betterAuth(authOptions);
+  if (requestContext)
+    requestContext[requestAuthKey] = auth;
+  if (!database)
+    _authCache.set(cacheKey, auth);
   return auth;
 }

package/dist/runtime/server/utils/session.d.ts

@@ -1,5 +1,7 @@
-import type { AppSession, RequireSessionOptions } from '#nuxt-better-auth';
 import type { H3Event } from 'h3';
+import type { AppSession, AuthSession, RequireSessionOptions } from '#nuxt-better-auth';
 export declare function getRequestSession(event: H3Event): Promise<AppSession | null>;
 export declare function getUserSession(event: H3Event): Promise<AppSession | null>;
+export declare function setSessionCookie(event: H3Event, token: string): Promise<void>;
+export declare function createSession(event: H3Event, userId: string): Promise<AuthSession>;
 export declare function requireUserSession(event: H3Event, options?: RequireSessionOptions): Promise<AppSession>;

package/dist/runtime/server/utils/session.js

@@ -2,6 +2,8 @@ import { createError } from "h3";
 import { matchesUser } from "../../utils/match-user.js";
 import { serverAuth } from "./auth.js";
 const requestSessionLoadKey = Symbol.for("nuxt-better-auth.requestSessionLoad");
+const signingAlgorithm = { name: "HMAC", hash: "SHA-256" };
+const cookiePairSeparatorRE = /;\s*/;
 const fallbackRequestSessionContext = /* @__PURE__ */ new WeakMap();
 function getRequestSessionContext(event) {
   const eventWithContext = event;
@@ -14,9 +16,155 @@ function getRequestSessionContext(event) {
   }
   return context;
 }
+function getRequestHeaders(event) {
+  return getRequestSessionContext(event).requestHeaders ?? event.headers;
+}
 function loadSession(event) {
   const auth = serverAuth(event);
-  return auth.api.getSession({ headers: event.headers });
+  return auth.api.getSession({ headers: getRequestHeaders(event) });
+}
+function getServerAuthContext(event) {
+  const auth = serverAuth(event);
+  return auth.$context;
+}
+function getCookieName(name, prefix) {
+  if (prefix === "secure")
+    return name.startsWith("__Secure-") ? name : `__Secure-${name}`;
+  if (prefix === "host")
+    return name.startsWith("__Host-") ? name : `__Host-${name}`;
+  if (prefix)
+    return void 0;
+  return name;
+}
+function serializeCookieHeader(name, value, attributes = {}, valueIsEncoded = false) {
+  const cookieName = getCookieName(name, attributes.prefix);
+  if (!cookieName)
+    throw new Error(`Unsupported cookie prefix: ${attributes.prefix}`);
+  const cookieValue = valueIsEncoded ? value : encodeURIComponent(value);
+  const cookie = [`${cookieName}=${cookieValue}`];
+  const options = { ...attributes };
+  if (cookieName.startsWith("__Secure-") && !options.secure)
+    options.secure = true;
+  if (cookieName.startsWith("__Host-")) {
+    options.secure = true;
+    options.path = "/";
+    delete options.domain;
+  }
+  if (typeof options.maxAge === "number" && options.maxAge >= 0)
+    cookie.push(`Max-Age=${Math.floor(options.maxAge)}`);
+  if (options.domain && options.prefix !== "host")
+    cookie.push(`Domain=${options.domain}`);
+  if (options.path)
+    cookie.push(`Path=${options.path}`);
+  if (options.expires)
+    cookie.push(`Expires=${options.expires.toUTCString()}`);
+  if (options.httpOnly)
+    cookie.push("HttpOnly");
+  if (options.partitioned)
+    options.secure = true;
+  if (options.secure)
+    cookie.push("Secure");
+  if (options.sameSite) {
+    const normalizedSameSite = options.sameSite.charAt(0).toUpperCase() + options.sameSite.slice(1);
+    cookie.push(`SameSite=${normalizedSameSite}`);
+  }
+  if (options.partitioned)
+    cookie.push("Partitioned");
+  return cookie.join("; ");
+}
+function serializeCookie(name, value, attributes = {}) {
+  return serializeCookieHeader(name, value, attributes);
+}
+async function signCookieValue(value, secret) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    signingAlgorithm,
+    false,
+    ["sign", "verify"]
+  );
+  const signature = await crypto.subtle.sign(
+    signingAlgorithm.name,
+    key,
+    new TextEncoder().encode(value)
+  );
+  return encodeURIComponent(`${value}.${btoa(String.fromCharCode(...new Uint8Array(signature)))}`);
+}
+async function serializeSignedCookie(name, value, secret, attributes = {}) {
+  return serializeCookieHeader(name, await signCookieValue(value, secret), attributes, true);
+}
+function appendCookieHeader(event, header) {
+  const nodeResponse = event.node?.res;
+  if (nodeResponse?.setHeader) {
+    const current = nodeResponse.getHeader?.("set-cookie");
+    if (Array.isArray(current))
+      nodeResponse.setHeader("set-cookie", [...current, header]);
+    else if (typeof current === "string")
+      nodeResponse.setHeader("set-cookie", [current, header]);
+    else
+      nodeResponse.setHeader("set-cookie", [header]);
+    return;
+  }
+  const responseHeaders = event.response?.headers;
+  responseHeaders?.append("set-cookie", header);
+}
+function parseRequestCookies(cookieHeader) {
+  const cookies = /* @__PURE__ */ new Map();
+  if (!cookieHeader)
+    return cookies;
+  for (const pair of cookieHeader.split(cookiePairSeparatorRE)) {
+    if (!pair)
+      continue;
+    const separatorIndex = pair.indexOf("=");
+    if (separatorIndex < 0)
+      continue;
+    cookies.set(pair.slice(0, separatorIndex), pair.slice(separatorIndex + 1));
+  }
+  return cookies;
+}
+function serializeRequestCookies(cookies) {
+  if (!cookies.size)
+    return null;
+  return Array.from(cookies.entries()).map(([name, value]) => `${name}=${value}`).join("; ");
+}
+function extractResponseCookieValue(header) {
+  const separatorIndex = header.indexOf(";");
+  const cookiePair = separatorIndex >= 0 ? header.slice(0, separatorIndex) : header;
+  return cookiePair.slice(cookiePair.indexOf("=") + 1);
+}
+function getChunkedCookieNames(event, cookieName) {
+  const cookieNames = /* @__PURE__ */ new Set([cookieName]);
+  for (const name of parseRequestCookies(event.headers.get("cookie")).keys()) {
+    if (name.startsWith(`${cookieName}.`))
+      cookieNames.add(name);
+  }
+  return Array.from(cookieNames);
+}
+function expireCookie(event, cookieName, attributes) {
+  appendCookieHeader(event, serializeCookie(cookieName, "", {
+    ...attributes,
+    expires: /* @__PURE__ */ new Date(0),
+    maxAge: 0
+  }));
+}
+function expireCookies(event, cookie) {
+  for (const cookieName of getChunkedCookieNames(event, cookie.name))
+    expireCookie(event, cookieName, cookie.attributes);
+}
+function updateRequestHeaders(event, sessionCookie, clearedCookieNames) {
+  const requestContext = getRequestSessionContext(event);
+  const requestHeaders = new Headers(event.headers);
+  const cookies = parseRequestCookies(event.headers.get("cookie"));
+  for (const name of clearedCookieNames)
+    cookies.delete(name);
+  const sessionTokenName = sessionCookie.slice(0, sessionCookie.indexOf("="));
+  cookies.set(sessionTokenName, extractResponseCookieValue(sessionCookie));
+  const nextCookieHeader = serializeRequestCookies(cookies);
+  if (nextCookieHeader)
+    requestHeaders.set("cookie", nextCookieHeader);
+  else
+    requestHeaders.delete("cookie");
+  requestContext.requestHeaders = requestHeaders;
 }
 export async function getRequestSession(event) {
   const context = getRequestSessionContext(event);
@@ -44,6 +192,32 @@ export async function getUserSession(event) {
     return inFlight;
   return loadSession(event);
 }
+export async function setSessionCookie(event, token) {
+  const context = await getServerAuthContext(event);
+  const sessionCookie = await serializeSignedCookie(
+    context.authCookies.sessionToken.name,
+    token,
+    context.secret,
+    {
+      ...context.authCookies.sessionToken.attributes,
+      maxAge: context.sessionConfig.expiresIn
+    }
+  );
+  appendCookieHeader(event, sessionCookie);
+  expireCookies(event, context.authCookies.sessionData);
+  expireCookies(event, context.authCookies.dontRememberToken);
+  const requestContext = getRequestSessionContext(event);
+  delete requestContext.requestSession;
+  delete requestContext[requestSessionLoadKey];
+  updateRequestHeaders(event, sessionCookie, [
+    ...getChunkedCookieNames(event, context.authCookies.sessionData.name),
+    ...getChunkedCookieNames(event, context.authCookies.dontRememberToken.name)
+  ]);
+}
+export async function createSession(event, userId) {
+  const context = await getServerAuthContext(event);
+  return context.internalAdapter.createSession?.(userId, false);
+}
 export async function requireUserSession(event, options) {
   const session = await getRequestSession(event);
   if (!session)

package/dist/runtime/server/virtual-modules.d.ts

@@ -3,6 +3,11 @@ declare module '#auth/database' {
   export function createDatabase(...args: any[]): any
 }
 
+declare module '#imports' {
+  export function getRouteRules(event: any): any
+  export function useRuntimeConfig(): any
+}
+
 declare module '#auth/secondary-storage' {
   export function createSecondaryStorage(...args: any[]): any
 }

package/dist/runtime/types/augment.d.ts

@@ -21,17 +21,15 @@ export interface AuthSession {
 export interface ServerAuthContext {
     runtimeConfig: Record<string, unknown>;
     db: unknown;
+    requestOrigin?: string;
 }
 export interface AuthSocialProviderRegistry {
 }
 export interface UserSessionComposable {
-    client: unknown;
     user: Ref<AuthUser | null>;
     session: Ref<AuthSession | null>;
     loggedIn: ComputedRef<boolean>;
     ready: ComputedRef<boolean>;
-    signIn: unknown;
-    signUp: unknown;
     fetchSession: (options?: {
         headers?: HeadersInit;
         force?: boolean;

package/dist/runtime/types.d.ts

@@ -1,5 +1,5 @@
-import type { AuthSocialProviderRegistry, AuthUser, UserMatch } from '#nuxt-better-auth';
 import type { NitroRouteRules } from 'nitropack/types';
+import type { AuthSocialProviderRegistry, AuthUser, UserMatch } from '#nuxt-better-auth';
 export type { AppSession, AuthSession, AuthSocialProviderRegistry, AuthUser, RequireSessionOptions, ServerAuthContext, UserMatch, UserSessionComposable } from './types/augment.js';
 export type AuthSocialProviderId = AuthSocialProviderRegistry extends {
     ids: infer T;

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@onmax/nuxt-better-auth",
   "type": "module",
-  "version": "0.0.2-alpha.31",
-  "packageManager": "pnpm@10.15.1",
+  "version": "0.0.2-alpha.32",
+  "packageManager": "pnpm@11.1.0",
   "description": "Nuxt module for Better Auth integration with NuxtHub, route protection, session management, and role-based access",
   "author": "onmax",
   "license": "MIT",
@@ -16,6 +16,10 @@
       "types": "./dist/types.d.mts",
       "import": "./dist/module.mjs"
     },
+    "./composables": {
+      "types": "./dist/runtime/composables.d.ts",
+      "import": "./dist/runtime/composables.js"
+    },
     "./config": {
       "types": "./dist/runtime/config.d.ts",
       "import": "./dist/runtime/config.js"
@@ -27,6 +31,9 @@
       ".": [
         "./dist/types.d.mts"
       ],
+      "composables": [
+        "./dist/runtime/composables.d.ts"
+      ],
       "config": [
         "./dist/runtime/config.d.ts"
       ]
@@ -46,7 +53,7 @@
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
     "typecheck": "vue-tsc --noEmit",
-    "typecheck:runtime-server": "tsc --noEmit --pretty false -p src/runtime/server/tsconfig.json",
+    "typecheck:runtime-server": "cd test/cases/plugins-type-inference && nuxi prepare && vue-tsc --noEmit --pretty false -p .nuxt/tsconfig.server.json",
     "typecheck:playground": "pnpm -C playground exec nuxi prepare && pnpm -C playground exec vue-tsc --noEmit -p .nuxt/tsconfig.app.json",
     "test": "vitest run",
     "test:watch": "vitest watch"
@@ -65,38 +72,47 @@
     "@nuxt/kit": "^4.3.1",
     "@nuxt/ui": "^4.5.0",
     "defu": "^6.1.4",
+    "h3": "^1.15.11",
     "jiti": "^2.6.1",
     "pathe": "^2.0.3",
     "radix3": "^1.1.2",
-    "std-env": "^4.0.0"
+    "std-env": "^4.0.0",
+    "ufo": "^1.6.4"
   },
   "devDependencies": {
-    "@antfu/eslint-config": "^7.6.1",
-    "@libsql/client": "^0.17.0",
-    "@libsql/linux-x64-gnu": "0.5.22",
+    "@antfu/eslint-config": "^9.0.0",
+    "@libsql/client": "^0.17.3",
+    "@libsql/linux-x64-gnu": "0.5.29",
     "@nuxt/devtools": "^3.2.3",
-    "@nuxt/devtools-kit": "^3.2.2",
+    "@nuxt/devtools-kit": "^3.2.4",
     "@nuxt/module-builder": "^1.0.2",
     "@nuxt/schema": "^4.3.1",
     "@nuxt/test-utils": "^4.0.0",
     "@nuxthub/core": "^0.10.6",
+    "@pinia/nuxt": "^0.11.3",
     "@types/better-sqlite3": "^7.6.13",
     "@types/node": "latest",
     "better-auth": "1.5.5",
+    "better-call": "1.3.2",
     "better-sqlite3": "^12.6.2",
     "bumpp": "^11.0.0",
     "changelogen": "^0.6.2",
     "consola": "^3.4.2",
-    "drizzle-kit": "^0.31.9",
+    "drizzle-kit": "^0.31.10",
     "drizzle-orm": "^0.45.1",
     "eslint": "^10.0.3",
+    "nitropack": "2.13.1",
     "npm-agentskills": "https://pkg.pr.new/onmax/npm-agentskills@394499e",
     "nuxt": "^4.3.1",
-    "tinyexec": "^1.0.2",
+    "pinia": "^3.0.4",
+    "postgres": "^3.4.9",
+    "tinyexec": "^1.1.1",
     "typescript": "~5.9.3",
+    "unstorage": "^1.17.5",
     "vitest": "^4.0.18",
     "vitest-package-exports": "^1.2.0",
-    "vue-tsc": "^3.2.5",
-    "yaml": "^2.8.2"
+    "vue": "3.5.29",
+    "vue-tsc": "^3.2.7",
+    "yaml": "^2.8.3"
   }
 }