@opensaas/stack-auth 0.1.7 → 0.4.0

package/src/lists/index.ts

@@ -15,18 +15,22 @@ export type ExtendUserListConfig = {
    * Access control for the User list
    * If not provided, defaults to basic access control (users can update their own records)
    */
-  access?: ListConfig['access']
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+  access?: ListConfig<any>['access']
   /**
    * Hooks for the User list
    */
-  hooks?: ListConfig['hooks']
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+  hooks?: ListConfig<any>['hooks']
 }
 
 /**
  * Create the base User list with better-auth required fields
  * This matches the better-auth user schema
  */
-export function createUserList(config?: ExtendUserListConfig): ListConfig {
+export function createUserList(
+  config?: ExtendUserListConfig, // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+): ListConfig<any> {
   return list({
     fields: {
       // Better-auth required fields
@@ -85,7 +89,8 @@ export function createUserList(config?: ExtendUserListConfig): ListConfig {
  * Create the Session list for better-auth
  * Stores active user sessions
  */
-export function createSessionList(): ListConfig {
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+export function createSessionList(): ListConfig<any> {
   return list({
     fields: {
       // Session token (stored in cookie, used as primary key)
@@ -138,7 +143,8 @@ export function createSessionList(): ListConfig {
  * Create the Account list for better-auth
  * Stores OAuth provider accounts and credentials
  */
-export function createAccountList(): ListConfig {
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+export function createAccountList(): ListConfig<any> {
   return list({
     fields: {
       // Account identifier from provider
@@ -202,7 +208,8 @@ export function createAccountList(): ListConfig {
  * Create the Verification list for better-auth
  * Stores email verification tokens, password reset tokens, etc.
  */
-export function createVerificationList(): ListConfig {
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+export function createVerificationList(): ListConfig<any> {
   return list({
     fields: {
       // Identifier (e.g., email address)
@@ -235,7 +242,8 @@ export function createVerificationList(): ListConfig {
  * Get all auth lists required by better-auth
  * This is the main export used by withAuth()
  */
-export function getAuthLists(userConfig?: ExtendUserListConfig): Record<string, ListConfig> {
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+export function getAuthLists(userConfig?: ExtendUserListConfig): Record<string, ListConfig<any>> {
   return {
     User: createUserList(userConfig),
     Session: createSessionList(),

package/src/runtime/types.ts

@@ -0,0 +1,27 @@
+/**
+ * Type definitions for auth plugin runtime services
+ * These types are used for type-safe access to context.plugins.auth
+ */
+
+/**
+ * Runtime services provided by the auth plugin
+ * Available via context.plugins.auth
+ */
+export interface AuthRuntimeServices {
+  /**
+   * Get user by ID
+   * Uses the access-controlled context to fetch user data
+   *
+   * @param userId - The ID of the user to fetch
+   * @returns User object or null if not found or access denied
+   */
+  getUser: (userId: string) => Promise<unknown>
+
+  /**
+   * Get current user from session
+   * Extracts userId from session and fetches user data
+   *
+   * @returns Current user object or null if not authenticated or not found
+   */
+  getCurrentUser: () => Promise<unknown>
+}

package/src/server/index.ts

@@ -98,6 +98,15 @@ export function createAuth(
               {} as Record<string, { clientId: string; clientSecret: string }>,
             ),
 
+          // Rate limiting configuration
+          rateLimit: authConfig.rateLimit
+            ? {
+                enabled: authConfig.rateLimit.enabled,
+                window: authConfig.rateLimit.window,
+                max: authConfig.rateLimit.max,
+              }
+            : undefined,
+
           // Pass through any additional Better Auth plugins
           plugins: authConfig.betterAuthPlugins || [],
         }
@@ -113,16 +122,45 @@ export function createAuth(
   // Return a proxy that lazily initializes the auth instance
   return new Proxy({} as ReturnType<typeof betterAuth>, {
     get(_, prop) {
-      return (...args: unknown[]) => {
-        return (async () => {
-          const instance = await getAuthInstance()
-          const value = instance[prop as keyof typeof instance]
-          if (typeof value === 'function') {
-            return (value as (...args: unknown[]) => unknown).apply(instance, args)
-          }
-          return value
-        })()
+      if (prop === 'then') {
+        // Support await on the proxy itself
+        return undefined
+      }
+
+      // Create a lazy wrapper function
+      const lazyWrapper = async (...args: unknown[]) => {
+        const instance = await getAuthInstance()
+        const value = instance[prop as keyof typeof instance]
+        if (typeof value === 'function') {
+          return (value as (...args: unknown[]) => unknown).apply(instance, args)
+        }
+        return value
       }
+
+      // Return a proxy that supports both direct calls and nested property access
+      return new Proxy(lazyWrapper, {
+        get(target, subProp) {
+          if (subProp === 'then') {
+            // Support await on nested properties
+            return undefined
+          }
+          // Handle nested property access (e.g., auth.api.getSession)
+          return async (...args: unknown[]) => {
+            const instance = await getAuthInstance()
+            const parentValue = instance[prop as keyof typeof instance]
+            if (parentValue && typeof parentValue === 'object') {
+              const childValue = (parentValue as Record<string, unknown>)[subProp as string]
+              if (typeof childValue === 'function') {
+                return (childValue as (...args: unknown[]) => unknown).apply(parentValue, args)
+              }
+              return childValue
+            }
+            throw new Error(
+              `Property ${String(prop)}.${String(subProp)} not found on auth instance`,
+            )
+          }
+        },
+      })
     },
   })
 }

package/src/server/schema-converter.ts

@@ -94,7 +94,8 @@ function convertField(
  * Get default access control for auth tables
  * Most auth tables should only be accessible to their owners
  */
-function getDefaultAccess(tableName: string): ListConfig['access'] {
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+function getDefaultAccess(tableName: string): ListConfig<any>['access'] {
   const lowerTableName = tableName.toLowerCase()
 
   // User table - special access control
@@ -103,13 +104,15 @@ function getDefaultAccess(tableName: string): ListConfig['access'] {
       operation: {
         query: () => true, // Anyone can query users
         create: () => true, // Anyone can create (sign up)
-        update: ({ session, item }) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Access control parameters are runtime values
+        update: ({ session, item }: any) => {
           if (!session) return false
           const userId = (session as { userId?: string }).userId
           const itemId = (item as { id?: string })?.id
           return userId === itemId
         },
-        delete: ({ session, item }) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Access control parameters are runtime values
+        delete: ({ session, item }: any) => {
           if (!session) return false
           const userId = (session as { userId?: string }).userId
           const itemId = (item as { id?: string })?.id
@@ -123,7 +126,8 @@ function getDefaultAccess(tableName: string): ListConfig['access'] {
   if (lowerTableName === 'session') {
     return {
       operation: {
-        query: ({ session }) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Access control parameters are runtime values
+        query: ({ session }: any) => {
           if (!session) return false
           const userId = (session as { userId?: string }).userId
           if (!userId) return false
@@ -133,7 +137,8 @@ function getDefaultAccess(tableName: string): ListConfig['access'] {
         },
         create: () => true, // Better-auth handles session creation
         update: () => false, // No manual updates
-        delete: ({ session, item }) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Access control parameters are runtime values
+        delete: ({ session, item }: any) => {
           if (!session) return false
           const userId = (session as { userId?: string }).userId
           const itemUserId = (item as { user?: { id?: string } })?.user?.id
@@ -147,7 +152,8 @@ function getDefaultAccess(tableName: string): ListConfig['access'] {
   if (lowerTableName === 'account') {
     return {
       operation: {
-        query: ({ session }) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Access control parameters are runtime values
+        query: ({ session }: any) => {
           if (!session) return false
           const userId = (session as { userId?: string }).userId
           if (!userId) return false
@@ -156,13 +162,15 @@ function getDefaultAccess(tableName: string): ListConfig['access'] {
           } as Record<string, unknown>
         },
         create: () => true, // Better-auth handles account creation
-        update: ({ session, item }) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Access control parameters are runtime values
+        update: ({ session, item }: any) => {
           if (!session) return false
           const userId = (session as { userId?: string }).userId
           const itemUserId = (item as { user?: { id?: string } })?.user?.id
           return userId === itemUserId
         },
-        delete: ({ session, item }) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Access control parameters are runtime values
+        delete: ({ session, item }: any) => {
           if (!session) return false
           const userId = (session as { userId?: string }).userId
           const itemUserId = (item as { user?: { id?: string } })?.user?.id
@@ -192,7 +200,8 @@ function getDefaultAccess(tableName: string): ListConfig['access'] {
   ) {
     return {
       operation: {
-        query: ({ session }) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Access control parameters are runtime values
+        query: ({ session }: any) => {
           if (!session) return false
           const userId = (session as { userId?: string }).userId
           if (!userId) return false
@@ -202,13 +211,15 @@ function getDefaultAccess(tableName: string): ListConfig['access'] {
           } as Record<string, unknown>
         },
         create: () => true, // Better-auth/plugins handle creation
-        update: ({ session, item }) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Access control parameters are runtime values
+        update: ({ session, item }: any) => {
           if (!session) return false
           const userId = (session as { userId?: string }).userId
           const itemUserId = (item as { userId?: string })?.userId
           return userId === itemUserId
         },
-        delete: ({ session, item }) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Access control parameters are runtime values
+        delete: ({ session, item }: any) => {
           if (!session) return false
           const userId = (session as { userId?: string }).userId
           const itemUserId = (item as { userId?: string })?.userId
@@ -235,7 +246,8 @@ function getDefaultAccess(tableName: string): ListConfig['access'] {
 export function convertTableToList(
   tableName: string,
   tableSchema: BetterAuthTableSchema,
-): ListConfig {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+): ListConfig<any> {
   const fields: Record<string, FieldConfig> = {}
 
   // First pass: convert regular fields
@@ -275,8 +287,9 @@ export function convertTableToList(
  */
 export function convertBetterAuthSchema(
   tables: Record<string, BetterAuthTableSchema>,
-): Record<string, ListConfig> {
-  const lists: Record<string, ListConfig> = {}
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+): Record<string, ListConfig<any>> {
+  const lists: Record<string, ListConfig<any>> = {} // eslint-disable-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
 
   for (const [tableName, tableSchema] of Object.entries(tables)) {
     // Convert table name to PascalCase for OpenSaaS list key

package/src/ui/components/ForgotPasswordForm.tsx

@@ -55,7 +55,7 @@ export function ForgotPasswordForm({
     setLoading(true)
 
     try {
-      const result = await authClient.forgetPassword({
+      const result = await authClient.requestPasswordReset({
         email,
         redirectTo: '/reset-password',
       })

package/src/ui/components/SignInForm.tsx

@@ -1,6 +1,7 @@
 'use client'
 
 import React, { useState } from 'react'
+import { useRouter } from 'next/navigation.js'
 import type { createAuthClient } from 'better-auth/react'
 
 export type SignInFormProps = {
@@ -62,6 +63,7 @@ export function SignInForm({
   onSuccess,
   onError,
 }: SignInFormProps) {
+  const router = useRouter()
   const [email, setEmail] = useState('')
   const [password, setPassword] = useState('')
   const [error, setError] = useState('')
@@ -83,7 +85,12 @@ export function SignInForm({
         throw new Error(result.error.message)
       }
 
-      onSuccess?.()
+      // If onSuccess is provided, call it. Otherwise, automatically redirect
+      if (onSuccess) {
+        onSuccess()
+      } else {
+        router.push(redirectTo)
+      }
     } catch (err) {
       const message = err instanceof Error ? err.message : 'Sign in failed'
       setError(message)
@@ -102,6 +109,8 @@ export function SignInForm({
         provider,
         callbackURL: redirectTo,
       })
+      // Social sign-in handles its own redirect via OAuth flow
+      // Only call onSuccess if provided
       onSuccess?.()
     } catch (err) {
       const message = err instanceof Error ? err.message : 'Sign in failed'

package/src/ui/components/SignUpForm.tsx

@@ -1,6 +1,7 @@
 'use client'
 
 import React, { useState } from 'react'
+import { useRouter } from 'next/navigation.js'
 import type { createAuthClient } from 'better-auth/react'
 
 export type SignUpFormProps = {
@@ -67,6 +68,7 @@ export function SignUpForm({
   onSuccess,
   onError,
 }: SignUpFormProps) {
+  const router = useRouter()
   const [name, setName] = useState('')
   const [email, setEmail] = useState('')
   const [password, setPassword] = useState('')
@@ -98,7 +100,12 @@ export function SignUpForm({
         throw new Error(result.error.message)
       }
 
-      onSuccess?.()
+      // If onSuccess is provided, call it. Otherwise, automatically redirect
+      if (onSuccess) {
+        onSuccess()
+      } else {
+        router.push(redirectTo)
+      }
     } catch (err) {
       const message = err instanceof Error ? err.message : 'Sign up failed'
       setError(message)
@@ -117,6 +124,8 @@ export function SignUpForm({
         provider,
         callbackURL: redirectTo,
       })
+      // Social sign-in handles its own redirect via OAuth flow
+      // Only call onSuccess if provided
       onSuccess?.()
     } catch (err) {
       const message = err instanceof Error ? err.message : 'Sign up failed'

package/tests/config.test.ts

@@ -154,7 +154,6 @@ describe('authPlugin', () => {
     const result = await config({
       db: {
         provider: 'sqlite',
-        url: 'file:./test.db',
       },
       plugins: [authPlugin({})],
       lists: {
@@ -175,22 +174,23 @@ describe('authPlugin', () => {
   })
 
   it('should preserve database config', async () => {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const mockConstructor = (() => null) as any
     const result = await config({
       db: {
         provider: 'postgresql',
-        url: 'postgresql://test',
+        prismaClientConstructor: mockConstructor,
       },
       plugins: [authPlugin({})],
       lists: {},
     })
 
     expect(result.db.provider).toBe('postgresql')
-    expect(result.db.url).toBe('postgresql://test')
+    expect(result.db.prismaClientConstructor).toBe(mockConstructor)
   })
 
   it('should store normalized auth config in _pluginData', async () => {
     const result = await config({
-      db: { provider: 'sqlite', url: 'file:./test.db' },
       plugins: [
         authPlugin({
           emailAndPassword: { enabled: true, minPasswordLength: 12 },
@@ -209,7 +209,6 @@ describe('authPlugin', () => {
 
   it('should extend User list with custom fields', async () => {
     const result = await config({
-      db: { provider: 'sqlite', url: 'file:./test.db' },
       plugins: [
         authPlugin({
           extendUserList: {
@@ -239,7 +238,6 @@ describe('authPlugin', () => {
 
   it('should generate User list with correct fields', async () => {
     const result = await config({
-      db: { provider: 'sqlite', url: 'file:./test.db' },
       plugins: [authPlugin({})],
       lists: {},
     })
@@ -256,7 +254,6 @@ describe('authPlugin', () => {
 
   it('should generate Session list with correct fields', async () => {
     const result = await config({
-      db: { provider: 'sqlite', url: 'file:./test.db' },
       plugins: [authPlugin({})],
       lists: {},
     })
@@ -272,7 +269,6 @@ describe('authPlugin', () => {
 
   it('should generate Account list with correct fields', async () => {
     const result = await config({
-      db: { provider: 'sqlite', url: 'file:./test.db' },
       plugins: [authPlugin({})],
       lists: {},
     })
@@ -289,7 +285,6 @@ describe('authPlugin', () => {
 
   it('should generate Verification list with correct fields', async () => {
     const result = await config({
-      db: { provider: 'sqlite', url: 'file:./test.db' },
       plugins: [authPlugin({})],
       lists: {},
     })
@@ -303,7 +298,6 @@ describe('authPlugin', () => {
 
   it('should work with empty auth config', async () => {
     const result = await config({
-      db: { provider: 'sqlite', url: 'file:./test.db' },
       plugins: [authPlugin({})],
       lists: {},
     })
@@ -316,7 +310,6 @@ describe('authPlugin', () => {
 
   it('should merge with other user-defined lists', async () => {
     const result = await config({
-      db: { provider: 'sqlite', url: 'file:./test.db' },
       plugins: [authPlugin({})],
       lists: {
         Post: list({
@@ -344,7 +337,6 @@ describe('authPlugin', () => {
 
   it('should pass through config options to normalized config', async () => {
     const result = await config({
-      db: { provider: 'sqlite', url: 'file:./test.db' },
       plugins: [
         authPlugin({
           emailAndPassword: {
@@ -407,7 +399,6 @@ describe('authPlugin', () => {
     }
 
     const result = await config({
-      db: { provider: 'sqlite', url: 'file:./test.db' },
       plugins: [
         authPlugin({
           betterAuthPlugins: [mockPlugin],