@opensaas/stack-auth 0.1.0

package/src/config/types.ts

@@ -0,0 +1,166 @@
+import type { ExtendUserListConfig } from '../lists/index.js'
+
+/**
+ * OAuth provider configuration
+ */
+export type OAuthProvider = {
+  clientId: string
+  clientSecret: string
+  enabled?: boolean
+}
+
+/**
+ * Social provider configurations
+ */
+export type SocialProvidersConfig = {
+  github?: OAuthProvider
+  google?: OAuthProvider
+  discord?: OAuthProvider
+  twitter?: OAuthProvider
+  [key: string]: OAuthProvider | undefined
+}
+
+/**
+ * Email and password configuration
+ */
+export type EmailPasswordConfig = {
+  enabled: boolean
+  /**
+   * Minimum password length
+   * @default 8
+   */
+  minPasswordLength?: number
+  /**
+   * Require password confirmation
+   * @default true
+   */
+  requireConfirmation?: boolean
+}
+
+/**
+ * Email verification configuration
+ */
+export type EmailVerificationConfig = {
+  enabled: boolean
+  /**
+   * Send verification email on sign up
+   * @default true
+   */
+  sendOnSignUp?: boolean
+  /**
+   * Token expiration in seconds
+   * @default 86400 (24 hours)
+   */
+  tokenExpiration?: number
+}
+
+/**
+ * Password reset configuration
+ */
+export type PasswordResetConfig = {
+  enabled: boolean
+  /**
+   * Token expiration in seconds
+   * @default 3600 (1 hour)
+   */
+  tokenExpiration?: number
+}
+
+/**
+ * Session configuration
+ */
+export type SessionConfig = {
+  /**
+   * Session expiration in seconds
+   * @default 604800 (7 days)
+   */
+  expiresIn?: number
+  /**
+   * Update session expiration on each request
+   * @default true
+   */
+  updateAge?: boolean
+}
+
+/**
+ * Auth configuration options
+ */
+export type AuthConfig = {
+  /**
+   * Email and password authentication
+   */
+  emailAndPassword?: EmailPasswordConfig | { enabled: true }
+
+  /**
+   * Email verification
+   */
+  emailVerification?: EmailVerificationConfig | { enabled: true }
+
+  /**
+   * Password reset
+   */
+  passwordReset?: PasswordResetConfig | { enabled: true }
+
+  /**
+   * OAuth/social providers
+   */
+  socialProviders?: SocialProvidersConfig
+
+  /**
+   * Session configuration
+   */
+  session?: SessionConfig
+
+  /**
+   * Which fields to include in the session object
+   * This determines what data is available in access control functions
+   * @default ['userId', 'email', 'name']
+   *
+   * @example
+   * ```typescript
+   * sessionFields: ['userId', 'email', 'name', 'role']
+   * // session will be: { userId: string, email: string, name: string, role: string }
+   * ```
+   */
+  sessionFields?: string[]
+
+  /**
+   * Extend the auto-generated User list with custom fields
+   *
+   * @example
+   * ```typescript
+   * extendUserList: {
+   *   fields: {
+   *     role: text({ defaultValue: 'user' }),
+   *     company: text(),
+   *   }
+   * }
+   * ```
+   */
+  extendUserList?: ExtendUserListConfig
+
+  /**
+   * Custom email sending function for verification and password reset
+   * If not provided, emails will be logged to console
+   *
+   * @example
+   * ```typescript
+   * sendEmail: async ({ to, subject, html }) => {
+   *   await resend.emails.send({ to, subject, html })
+   * }
+   * ```
+   */
+  sendEmail?: (params: { to: string; subject: string; html: string }) => Promise<void>
+}
+
+/**
+ * Internal normalized auth configuration
+ * Used after parsing user config
+ */
+export type NormalizedAuthConfig = Required<
+  Omit<AuthConfig, 'emailAndPassword' | 'emailVerification' | 'passwordReset'>
+> & {
+  emailAndPassword: Required<EmailPasswordConfig>
+  emailVerification: Required<EmailVerificationConfig>
+  passwordReset: Required<PasswordResetConfig>
+}

package/src/index.ts

@@ -0,0 +1,44 @@
+/**
+ * @opensaas/stack-auth
+ *
+ * Better-auth integration for OpenSaas Stack
+ *
+ * This package provides:
+ * - Auto-generated User, Session, Account, Verification lists
+ * - Session integration with OpenSaas access control
+ * - Pre-built auth UI components (SignIn, SignUp, ForgotPassword)
+ * - Easy configuration with withAuth() wrapper
+ *
+ * @example
+ * ```typescript
+ * // opensaas.config.ts
+ * import { config } from '@opensaas/stack-core'
+ * import { withAuth, authConfig } from '@opensaas/stack-auth'
+ *
+ * export default withAuth(
+ *   config({
+ *     db: { provider: 'sqlite', url: 'file:./dev.db' },
+ *     lists: { ... }
+ *   }),
+ *   authConfig({
+ *     emailAndPassword: { enabled: true },
+ *     emailVerification: { enabled: true },
+ *   })
+ * )
+ * ```
+ */
+
+// Config exports
+export { withAuth, authConfig, normalizeAuthConfig } from './config/index.js'
+export type { AuthConfig, NormalizedAuthConfig } from './config/index.js'
+export type * from './config/types.js'
+
+// List generators (for advanced use cases)
+export {
+  getAuthLists,
+  createUserList,
+  createSessionList,
+  createAccountList,
+  createVerificationList,
+} from './lists/index.js'
+export type { ExtendUserListConfig } from './lists/index.js'

package/src/lists/index.ts

@@ -0,0 +1,245 @@
+import { list } from '@opensaas/stack-core'
+import { text, timestamp, checkbox, relationship } from '@opensaas/stack-core/fields'
+import type { ListConfig, FieldConfig } from '@opensaas/stack-core'
+
+/**
+ * Configuration for extending the auto-generated User list
+ */
+export type ExtendUserListConfig = {
+  /**
+   * Additional fields to add to the User list
+   * You can add custom fields beyond the basic better-auth fields
+   */
+  fields?: Record<string, FieldConfig>
+  /**
+   * Access control for the User list
+   * If not provided, defaults to basic access control (users can update their own records)
+   */
+  access?: ListConfig['access']
+  /**
+   * Hooks for the User list
+   */
+  hooks?: ListConfig['hooks']
+}
+
+/**
+ * Create the base User list with better-auth required fields
+ * This matches the better-auth user schema
+ */
+export function createUserList(config?: ExtendUserListConfig): ListConfig {
+  return list({
+    fields: {
+      // Better-auth required fields
+      name: text({
+        validation: { isRequired: true },
+      }),
+      email: text({
+        validation: { isRequired: true },
+        isIndexed: 'unique',
+      }),
+      emailVerified: checkbox({
+        defaultValue: false,
+      }),
+      image: text(),
+
+      // Relationships to other auth tables
+      sessions: relationship({
+        ref: 'Session.user',
+        many: true,
+      }),
+      accounts: relationship({
+        ref: 'Account.user',
+        many: true,
+      }),
+
+      // Custom fields from user config
+      ...(config?.fields || {}),
+    },
+    access: config?.access || {
+      operation: {
+        // Anyone can query users (for displaying names, etc.)
+        query: () => true,
+        // Anyone can create a user (sign up)
+        create: () => true,
+        // Only update your own user record
+        update: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemId = (item as { id?: string })?.id
+          return userId === itemId
+        },
+        // Only delete your own user record
+        delete: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemId = (item as { id?: string })?.id
+          return userId === itemId
+        },
+      },
+    },
+    hooks: config?.hooks,
+  })
+}
+
+/**
+ * Create the Session list for better-auth
+ * Stores active user sessions
+ */
+export function createSessionList(): ListConfig {
+  return list({
+    fields: {
+      // Session token (stored in cookie, used as primary key)
+      token: text({
+        validation: { isRequired: true },
+        isIndexed: 'unique',
+      }),
+      // Expiration timestamp
+      expiresAt: timestamp(),
+      // Optional: IP address for security
+      ipAddress: text(),
+      // Optional: User agent for security
+      userAgent: text(),
+      // Relationship to user (userId will be auto-generated)
+      user: relationship({
+        ref: 'User.sessions',
+      }),
+    },
+    access: {
+      operation: {
+        // Only the session owner can query their sessions
+        query: ({ session }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          if (!userId) return false
+          // Return Prisma filter for nested relationship
+          return {
+            user: {
+              id: { equals: userId },
+            },
+          } as Record<string, unknown>
+        },
+        // Better-auth handles session creation
+        create: () => true,
+        // No manual updates
+        update: () => false,
+        // Better-auth handles session deletion (logout)
+        delete: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { user?: { id?: string } })?.user?.id
+          return userId === itemUserId
+        },
+      },
+    },
+  })
+}
+
+/**
+ * Create the Account list for better-auth
+ * Stores OAuth provider accounts and credentials
+ */
+export function createAccountList(): ListConfig {
+  return list({
+    fields: {
+      // Account identifier from provider
+      accountId: text({
+        validation: { isRequired: true },
+      }),
+      // Provider identifier (e.g., 'github', 'google', 'credentials')
+      providerId: text({
+        validation: { isRequired: true },
+      }),
+      // Relationship to user (userId will be auto-generated)
+      user: relationship({
+        ref: 'User.accounts',
+      }),
+      // OAuth tokens
+      accessToken: text(),
+      refreshToken: text(),
+      accessTokenExpiresAt: timestamp(),
+      refreshTokenExpiresAt: timestamp(),
+      scope: text(),
+      idToken: text(),
+      // Password hash for credential provider (better-auth stores in account table)
+      password: text(),
+    },
+    access: {
+      operation: {
+        // Only the account owner can query their accounts
+        query: ({ session }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          if (!userId) return false
+          // Return Prisma filter for nested relationship
+          return {
+            user: {
+              id: { equals: userId },
+            },
+          } as Record<string, unknown>
+        },
+        // Better-auth handles account creation
+        create: () => true,
+        // Better-auth handles account updates (token refresh)
+        update: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { user?: { id?: string } })?.user?.id
+          return userId === itemUserId
+        },
+        // Account owner can delete their accounts
+        delete: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { user?: { id?: string } })?.user?.id
+          return userId === itemUserId
+        },
+      },
+    },
+  })
+}
+
+/**
+ * Create the Verification list for better-auth
+ * Stores email verification tokens, password reset tokens, etc.
+ */
+export function createVerificationList(): ListConfig {
+  return list({
+    fields: {
+      // Identifier (e.g., email address)
+      identifier: text({
+        validation: { isRequired: true },
+      }),
+      // Token value
+      value: text({
+        validation: { isRequired: true },
+      }),
+      // Expiration timestamp
+      expiresAt: timestamp(),
+    },
+    access: {
+      operation: {
+        // No public querying (better-auth handles verification internally)
+        query: () => false,
+        // Better-auth creates verification tokens
+        create: () => true,
+        // No updates
+        update: () => false,
+        // Better-auth deletes used/expired tokens
+        delete: () => true,
+      },
+    },
+  })
+}
+
+/**
+ * Get all auth lists required by better-auth
+ * This is the main export used by withAuth()
+ */
+export function getAuthLists(userConfig?: ExtendUserListConfig): Record<string, ListConfig> {
+  return {
+    User: createUserList(userConfig),
+    Session: createSessionList(),
+    Account: createAccountList(),
+    Verification: createVerificationList(),
+  }
+}

package/src/server/index.ts

@@ -0,0 +1,120 @@
+import { betterAuth } from 'better-auth'
+import { prismaAdapter } from 'better-auth/adapters/prisma'
+import type { BetterAuthOptions } from 'better-auth'
+import type { OpenSaasConfig, DatabaseConfig, AccessContext } from '@opensaas/stack-core'
+import type { NormalizedAuthConfig } from '../config/types.js'
+
+/**
+ * Get better-auth database configuration from OpenSaas config
+ */
+function getDatabaseConfig(
+  dbConfig: DatabaseConfig,
+  context: AccessContext,
+): BetterAuthOptions['database'] {
+  return prismaAdapter(context.prisma, {
+    provider: dbConfig.provider,
+  })
+}
+
+/**
+ * Create a better-auth instance from OpenSaas config
+ * This should be called once at app startup
+ *
+ * @example
+ * ```typescript
+ * // lib/auth.ts
+ * import { createAuth } from '@opensaas/stack-auth/server'
+ * import config from '../opensaas.config'
+ *
+ * export const auth = createAuth(config)
+ * ```
+ */
+export function createAuth(
+  opensaasConfig: OpenSaasConfig & { __authConfig?: NormalizedAuthConfig },
+  context: AccessContext,
+) {
+  // Extract auth config (added by withAuth)
+  const authConfig = opensaasConfig.__authConfig
+
+  if (!authConfig) {
+    throw new Error(
+      'Auth config not found. Make sure to wrap your config with withAuth() in opensaas.config.ts',
+    )
+  }
+
+  // Build better-auth configuration
+  const betterAuthConfig: BetterAuthOptions = {
+    database: getDatabaseConfig(opensaasConfig.db, context),
+
+    // Enable email and password if configured
+    emailAndPassword: authConfig.emailAndPassword.enabled
+      ? {
+          enabled: true,
+          requireEmailVerification: authConfig.emailVerification.enabled,
+        }
+      : undefined,
+
+    // Configure session
+    session: {
+      expiresIn: authConfig.session.expiresIn || 604800,
+      updateAge: authConfig.session.updateAge ? (authConfig.session.expiresIn || 604800) / 10 : 0,
+    },
+
+    // Trust host (required for production)
+    trustedOrigins: process.env.BETTER_AUTH_TRUSTED_ORIGINS?.split(',') || [],
+
+    // Social providers
+    socialProviders: Object.entries(authConfig.socialProviders)
+      .filter(([_, config]) => config?.enabled !== false)
+      .reduce(
+        (acc, [provider, config]) => {
+          if (config) {
+            acc[provider] = {
+              clientId: config.clientId,
+              clientSecret: config.clientSecret,
+            }
+          }
+          return acc
+        },
+        {} as Record<string, { clientId: string; clientSecret: string }>,
+      ),
+  }
+
+  return betterAuth(betterAuthConfig)
+}
+
+/**
+ * Get session from better-auth and transform it to OpenSaas session format
+ * This is used internally by the generated context
+ */
+export async function getSessionFromAuth(
+  auth: ReturnType<typeof betterAuth>,
+  sessionFields: string[],
+) {
+  try {
+    const session = await auth.api.getSession({
+      headers: new Headers(),
+    })
+
+    if (!session?.user) {
+      return null
+    }
+
+    // Build session object with requested fields
+    const result: Record<string, unknown> = {}
+
+    for (const field of sessionFields) {
+      if (field === 'userId') {
+        result.userId = session.user.id
+      } else if (field in session.user) {
+        result[field] = session.user[field as keyof typeof session.user]
+      }
+    }
+
+    return result
+  } catch {
+    return null
+  }
+}
+
+export type { BetterAuthOptions }

package/src/ui/components/ForgotPasswordForm.tsx

@@ -0,0 +1,120 @@
+'use client'
+
+import React, { useState } from 'react'
+import type { createAuthClient } from 'better-auth/react'
+
+export type ForgotPasswordFormProps = {
+  /**
+   * Better-auth client instance
+   * Created with createAuthClient from better-auth/react
+   */
+  authClient: ReturnType<typeof createAuthClient>
+  /**
+   * Custom CSS class for the form container
+   */
+  className?: string
+  /**
+   * Callback when reset email is sent successfully
+   */
+  onSuccess?: () => void
+  /**
+   * Callback when reset fails
+   */
+  onError?: (error: Error) => void
+}
+
+/**
+ * Forgot password form component
+ * Allows users to request a password reset email
+ *
+ * @example
+ * ```typescript
+ * import { ForgotPasswordForm } from '@opensaas/stack-auth/ui'
+ * import { authClient } from '@/lib/auth-client'
+ *
+ * export default function ForgotPasswordPage() {
+ *   return <ForgotPasswordForm authClient={authClient} />
+ * }
+ * ```
+ */
+export function ForgotPasswordForm({
+  authClient,
+  className = '',
+  onSuccess,
+  onError,
+}: ForgotPasswordFormProps) {
+  const [email, setEmail] = useState('')
+  const [error, setError] = useState('')
+  const [success, setSuccess] = useState(false)
+  const [loading, setLoading] = useState(false)
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+    setError('')
+    setSuccess(false)
+    setLoading(true)
+
+    try {
+      const result = await authClient.forgetPassword({
+        email,
+        redirectTo: '/reset-password',
+      })
+
+      if (result.error) {
+        throw new Error(result.error.message)
+      }
+
+      setSuccess(true)
+      onSuccess?.()
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Failed to send reset email'
+      setError(message)
+      onError?.(err instanceof Error ? err : new Error(message))
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  return (
+    <div className={`w-full max-w-md mx-auto p-6 ${className}`}>
+      <h2 className="text-2xl font-bold mb-6">Forgot Password</h2>
+
+      {error && (
+        <div className="bg-red-50 border border-red-200 text-red-700 px-4 py-3 rounded mb-4">
+          {error}
+        </div>
+      )}
+
+      {success && (
+        <div className="bg-green-50 border border-green-200 text-green-700 px-4 py-3 rounded mb-4">
+          Password reset email sent! Check your inbox for instructions.
+        </div>
+      )}
+
+      <form onSubmit={handleSubmit} className="space-y-4">
+        <div>
+          <label htmlFor="email" className="block text-sm font-medium mb-2">
+            Email
+          </label>
+          <input
+            id="email"
+            type="email"
+            value={email}
+            onChange={(e) => setEmail((e.target as HTMLInputElement).value)}
+            required
+            className="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-blue-500"
+            disabled={loading || success}
+          />
+        </div>
+
+        <button
+          type="submit"
+          disabled={loading || success}
+          className="w-full bg-blue-600 text-white py-2 px-4 rounded-md hover:bg-blue-700 disabled:bg-gray-400 disabled:cursor-not-allowed"
+        >
+          {loading ? 'Sending...' : success ? 'Email Sent' : 'Send Reset Link'}
+        </button>
+      </form>
+    </div>
+  )
+}