@opensaas/stack-auth 0.1.0 → 0.1.2

package/src/server/schema-converter.ts

@@ -0,0 +1,299 @@
+/**
+ * Convert Better Auth database schema to OpenSaaS list configs
+ * Allows dynamic list generation from Better Auth plugins
+ */
+
+import { list } from '@opensaas/stack-core'
+import { text, timestamp, checkbox, integer } from '@opensaas/stack-core/fields'
+import type { ListConfig, FieldConfig } from '@opensaas/stack-core'
+
+/**
+ * Better Auth field attribute structure
+ * Inferred from better-auth internal types
+ */
+type BetterAuthFieldAttribute = {
+  type: string // 'string' | 'number' | 'boolean' | 'date' | etc.
+  required?: boolean
+  unique?: boolean
+  references?: {
+    model: string
+    field: string
+    onDelete?: 'cascade' | 'set null' | 'restrict'
+  }
+  defaultValue?: unknown
+  returned?: boolean
+  input?: boolean
+}
+
+/**
+ * Better Auth table schema structure
+ */
+type BetterAuthTableSchema = {
+  modelName: string
+  fields: Record<string, BetterAuthFieldAttribute>
+}
+
+/**
+ * Convert Better Auth field type to OpenSaaS field config
+ */
+function convertField(
+  fieldName: string,
+  betterAuthField: BetterAuthFieldAttribute,
+): FieldConfig | null {
+  const { type, required, unique, defaultValue, references } = betterAuthField
+
+  // System fields are auto-generated by OpenSaaS
+  if (fieldName === 'id' || fieldName === 'createdAt' || fieldName === 'updatedAt') {
+    return null
+  }
+
+  // Handle references (relationships)
+  if (references) {
+    // Relationships are handled separately
+    // Return null here and handle in relationship pass
+    return null
+  }
+
+  // Map Better Auth types to OpenSaaS field types
+  switch (type) {
+    case 'string':
+      return text({
+        validation: { isRequired: required },
+        isIndexed: unique ? 'unique' : undefined,
+        defaultValue: typeof defaultValue === 'string' ? defaultValue : undefined,
+      })
+
+    case 'number':
+      return integer({
+        validation: { isRequired: required },
+        defaultValue: typeof defaultValue === 'number' ? defaultValue : undefined,
+      })
+
+    case 'boolean':
+      return checkbox({
+        defaultValue: typeof defaultValue === 'boolean' ? defaultValue : false,
+      })
+
+    case 'date':
+      return timestamp({
+        defaultValue: defaultValue === 'now' ? { kind: 'now' } : undefined,
+      })
+
+    default:
+      // Unknown type - default to text
+      console.warn(
+        `[stack-auth] Unknown Better Auth field type "${type}" for field "${fieldName}", defaulting to text field`,
+      )
+      return text({
+        validation: { isRequired: required },
+      })
+  }
+}
+
+/**
+ * Get default access control for auth tables
+ * Most auth tables should only be accessible to their owners
+ */
+function getDefaultAccess(tableName: string): ListConfig['access'] {
+  const lowerTableName = tableName.toLowerCase()
+
+  // User table - special access control
+  if (lowerTableName === 'user') {
+    return {
+      operation: {
+        query: () => true, // Anyone can query users
+        create: () => true, // Anyone can create (sign up)
+        update: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemId = (item as { id?: string })?.id
+          return userId === itemId
+        },
+        delete: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemId = (item as { id?: string })?.id
+          return userId === itemId
+        },
+      },
+    }
+  }
+
+  // Session table
+  if (lowerTableName === 'session') {
+    return {
+      operation: {
+        query: ({ session }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          if (!userId) return false
+          return {
+            user: { id: { equals: userId } },
+          } as Record<string, unknown>
+        },
+        create: () => true, // Better-auth handles session creation
+        update: () => false, // No manual updates
+        delete: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { user?: { id?: string } })?.user?.id
+          return userId === itemUserId
+        },
+      },
+    }
+  }
+
+  // Account table
+  if (lowerTableName === 'account') {
+    return {
+      operation: {
+        query: ({ session }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          if (!userId) return false
+          return {
+            user: { id: { equals: userId } },
+          } as Record<string, unknown>
+        },
+        create: () => true, // Better-auth handles account creation
+        update: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { user?: { id?: string } })?.user?.id
+          return userId === itemUserId
+        },
+        delete: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { user?: { id?: string } })?.user?.id
+          return userId === itemUserId
+        },
+      },
+    }
+  }
+
+  // Verification table
+  if (lowerTableName === 'verification') {
+    return {
+      operation: {
+        query: () => false, // No public querying
+        create: () => true, // Better-auth creates verification tokens
+        update: () => false, // No updates
+        delete: () => true, // Better-auth deletes used/expired tokens
+      },
+    }
+  }
+
+  // OAuth tables (from MCP/OIDC plugins)
+  if (
+    lowerTableName === 'oauthapplication' ||
+    lowerTableName === 'oauthaccesstoken' ||
+    lowerTableName === 'oauthconsent'
+  ) {
+    return {
+      operation: {
+        query: ({ session }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          if (!userId) return false
+          // Filter by userId if field exists
+          return {
+            userId: { equals: userId },
+          } as Record<string, unknown>
+        },
+        create: () => true, // Better-auth/plugins handle creation
+        update: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { userId?: string })?.userId
+          return userId === itemUserId
+        },
+        delete: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { userId?: string })?.userId
+          return userId === itemUserId
+        },
+      },
+    }
+  }
+
+  // Default: restrict all access (safest default)
+  return {
+    operation: {
+      query: () => false,
+      create: () => false,
+      update: () => false,
+      delete: () => false,
+    },
+  }
+}
+
+/**
+ * Convert Better Auth table schema to OpenSaaS ListConfig
+ */
+export function convertTableToList(
+  tableName: string,
+  tableSchema: BetterAuthTableSchema,
+): ListConfig {
+  const fields: Record<string, FieldConfig> = {}
+
+  // First pass: convert regular fields
+  for (const [fieldName, fieldAttr] of Object.entries(tableSchema.fields)) {
+    const fieldConfig = convertField(fieldName, fieldAttr)
+    if (fieldConfig) {
+      fields[fieldName] = fieldConfig
+    }
+  }
+
+  // Second pass: add relationships
+  // NOTE: Better Auth uses one-way references, but OpenSaaS requires bidirectional relationships
+  // We skip relationship conversion for now and rely on the foreign key fields
+  // Users can manually add bidirectional relationships if needed by extending the User list
+  for (const [fieldName, fieldAttr] of Object.entries(tableSchema.fields)) {
+    if (fieldAttr.references) {
+      // For now, treat reference fields as regular text fields (foreign keys)
+      // This preserves the userId, clientId, etc. fields that Better Auth expects
+      if (!fields[fieldName]) {
+        fields[fieldName] = text({
+          validation: { isRequired: fieldAttr.required },
+        })
+      }
+    }
+  }
+
+  // Create list config with default access control
+  return list({
+    fields,
+    access: getDefaultAccess(tableName),
+  })
+}
+
+/**
+ * Convert all Better Auth tables to OpenSaaS list configs
+ * This is called by withAuth() to generate lists from Better Auth + plugins
+ */
+export function convertBetterAuthSchema(
+  tables: Record<string, BetterAuthTableSchema>,
+): Record<string, ListConfig> {
+  const lists: Record<string, ListConfig> = {}
+
+  for (const [tableName, tableSchema] of Object.entries(tables)) {
+    // Convert table name to PascalCase for OpenSaaS list key
+    const listKey = tableSchema.modelName || toPascalCase(tableName)
+    lists[listKey] = convertTableToList(tableName, tableSchema)
+  }
+
+  return lists
+}
+
+/**
+ * Convert table name to PascalCase
+ * e.g., "oauth_application" -> "OauthApplication"
+ */
+function toPascalCase(str: string): string {
+  return str
+    .split(/[_-]/)
+    .map((word) => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase())
+    .join('')
+}

package/tests/config.test.ts

@@ -0,0 +1,270 @@
+import { describe, it, expect } from 'vitest'
+import { normalizeAuthConfig, authConfig, withAuth } from '../src/config/index.js'
+import { config, list } from '@opensaas/stack-core'
+import { text } from '@opensaas/stack-core/fields'
+import type { AuthConfig } from '../src/config/types.js'
+
+describe('normalizeAuthConfig', () => {
+  it('should apply default values for disabled features', () => {
+    const result = normalizeAuthConfig({})
+
+    expect(result.emailAndPassword.enabled).toBe(false)
+    expect(result.emailAndPassword.minPasswordLength).toBe(8)
+    expect(result.emailVerification.enabled).toBe(false)
+    expect(result.passwordReset.enabled).toBe(false)
+    expect(result.session.expiresIn).toBe(604800) // 7 days
+    expect(result.sessionFields).toEqual(['userId', 'email', 'name'])
+    expect(result.socialProviders).toEqual({})
+    expect(result.betterAuthPlugins).toEqual([])
+  })
+
+  it('should normalize email and password config', () => {
+    const result = normalizeAuthConfig({
+      emailAndPassword: {
+        enabled: true,
+        minPasswordLength: 12,
+        requireConfirmation: false,
+      },
+    })
+
+    expect(result.emailAndPassword.enabled).toBe(true)
+    expect(result.emailAndPassword.minPasswordLength).toBe(12)
+    expect(result.emailAndPassword.requireConfirmation).toBe(false)
+  })
+
+  it('should apply defaults for partial email and password config', () => {
+    const result = normalizeAuthConfig({
+      emailAndPassword: { enabled: true },
+    })
+
+    expect(result.emailAndPassword.enabled).toBe(true)
+    expect(result.emailAndPassword.minPasswordLength).toBe(8)
+    expect(result.emailAndPassword.requireConfirmation).toBe(true)
+  })
+
+  it('should normalize email verification config', () => {
+    const result = normalizeAuthConfig({
+      emailVerification: {
+        enabled: true,
+        sendOnSignUp: false,
+        tokenExpiration: 3600,
+      },
+    })
+
+    expect(result.emailVerification.enabled).toBe(true)
+    expect(result.emailVerification.sendOnSignUp).toBe(false)
+    expect(result.emailVerification.tokenExpiration).toBe(3600)
+  })
+
+  it('should normalize password reset config', () => {
+    const result = normalizeAuthConfig({
+      passwordReset: {
+        enabled: true,
+        tokenExpiration: 7200,
+      },
+    })
+
+    expect(result.passwordReset.enabled).toBe(true)
+    expect(result.passwordReset.tokenExpiration).toBe(7200)
+  })
+
+  it('should normalize session config', () => {
+    const result = normalizeAuthConfig({
+      session: {
+        expiresIn: 86400, // 1 day
+        updateAge: false,
+      },
+    })
+
+    expect(result.session.expiresIn).toBe(86400)
+    expect(result.session.updateAge).toBe(false)
+  })
+
+  it('should normalize custom session fields', () => {
+    const result = normalizeAuthConfig({
+      sessionFields: ['userId', 'email', 'role'],
+    })
+
+    expect(result.sessionFields).toEqual(['userId', 'email', 'role'])
+  })
+
+  it('should include social providers', () => {
+    const result = normalizeAuthConfig({
+      socialProviders: {
+        github: {
+          clientId: 'github-id',
+          clientSecret: 'github-secret',
+        },
+      },
+    })
+
+    expect(result.socialProviders).toEqual({
+      github: {
+        clientId: 'github-id',
+        clientSecret: 'github-secret',
+      },
+    })
+  })
+
+  it('should include extendUserList config', () => {
+    const result = normalizeAuthConfig({
+      extendUserList: {
+        fields: {
+          role: text(),
+        },
+      },
+    })
+
+    expect(result.extendUserList).toHaveProperty('fields')
+    expect(result.extendUserList.fields).toHaveProperty('role')
+  })
+
+  it('should include custom sendEmail function', () => {
+    const mockSendEmail = async () => {}
+
+    const result = normalizeAuthConfig({
+      sendEmail: mockSendEmail,
+    })
+
+    expect(result.sendEmail).toBe(mockSendEmail)
+  })
+
+  it('should provide default sendEmail that logs to console', () => {
+    const result = normalizeAuthConfig({})
+
+    expect(typeof result.sendEmail).toBe('function')
+    // Default sendEmail should be a function that accepts email params
+    expect(result.sendEmail.length).toBe(1)
+  })
+
+  it('should include betterAuthPlugins', () => {
+    const mockPlugin = { id: 'test-plugin' }
+
+    const result = normalizeAuthConfig({
+      betterAuthPlugins: [mockPlugin],
+    })
+
+    expect(result.betterAuthPlugins).toEqual([mockPlugin])
+  })
+})
+
+describe('authConfig', () => {
+  it('should return the input config unchanged', () => {
+    const input: AuthConfig = {
+      emailAndPassword: { enabled: true },
+      sessionFields: ['userId', 'email'],
+    }
+
+    const result = authConfig(input)
+
+    expect(result).toEqual(input)
+  })
+
+  it('should work with empty config', () => {
+    const result = authConfig({})
+
+    expect(result).toEqual({})
+  })
+})
+
+describe('withAuth', () => {
+  it('should merge auth lists into opensaas config', () => {
+    const baseConfig = config({
+      db: {
+        provider: 'sqlite',
+        url: 'file:./test.db',
+      },
+      lists: {
+        Post: list({
+          fields: {
+            title: text(),
+          },
+        }),
+      },
+    })
+
+    const result = withAuth(baseConfig, authConfig({}))
+
+    // Should have both user lists and auth lists
+    expect(result.lists).toHaveProperty('Post')
+    expect(result.lists).toHaveProperty('User')
+    expect(result.lists).toHaveProperty('Session')
+    expect(result.lists).toHaveProperty('Account')
+    expect(result.lists).toHaveProperty('Verification')
+  })
+
+  it('should preserve database config', () => {
+    const baseConfig = config({
+      db: {
+        provider: 'postgresql',
+        url: 'postgresql://test',
+      },
+      lists: {},
+    })
+
+    const result = withAuth(baseConfig, authConfig({}))
+
+    expect(result.db.provider).toBe('postgresql')
+    expect(result.db.url).toBe('postgresql://test')
+  })
+
+  it('should attach normalized auth config internally', () => {
+    const baseConfig = config({
+      db: { provider: 'sqlite', url: 'file:./test.db' },
+      lists: {},
+    })
+
+    const result = withAuth(
+      baseConfig,
+      authConfig({
+        emailAndPassword: { enabled: true },
+      }),
+    ) as typeof baseConfig & { __authConfig?: unknown }
+
+    expect(result.__authConfig).toBeDefined()
+    expect(
+      (result.__authConfig as { emailAndPassword: { enabled: boolean } }).emailAndPassword.enabled,
+    ).toBe(true)
+  })
+
+  it('should handle empty lists in base config', () => {
+    const baseConfig = config({
+      db: { provider: 'sqlite', url: 'file:./test.db' },
+      lists: {},
+    })
+
+    const result = withAuth(baseConfig, authConfig({}))
+
+    expect(result.lists).toHaveProperty('User')
+    expect(result.lists).toHaveProperty('Session')
+    expect(result.lists).toHaveProperty('Account')
+    expect(result.lists).toHaveProperty('Verification')
+  })
+
+  it('should extend User list with custom fields', () => {
+    const baseConfig = config({
+      db: { provider: 'sqlite', url: 'file:./test.db' },
+      lists: {},
+    })
+
+    const result = withAuth(
+      baseConfig,
+      authConfig({
+        extendUserList: {
+          fields: {
+            role: text(),
+            company: text(),
+          },
+        },
+      }),
+    )
+
+    const userList = result.lists.User
+    expect(userList).toBeDefined()
+    expect(userList.fields).toHaveProperty('role')
+    expect(userList.fields).toHaveProperty('company')
+    // Should also have base auth fields
+    expect(userList.fields).toHaveProperty('email')
+    expect(userList.fields).toHaveProperty('name')
+  })
+})