@opensaas/stack-auth 0.20.1 → 0.22.0

package/src/server/index.ts

@@ -1,8 +1,9 @@
 import { betterAuth } from 'better-auth'
 import { prismaAdapter } from 'better-auth/adapters/prisma'
 import type { BetterAuthOptions } from 'better-auth'
-import type { OpenSaasConfig, DatabaseConfig, AccessContext } from '@opensaas/stack-core'
-import type { NormalizedAuthConfig } from '../config/types.js'
+import type { OpenSaasConfig, AccessContext } from '@opensaas/stack-core'
+import type { DatabaseConfig } from '@opensaas/stack-core/internal'
+import type { NormalizedAuthConfig, NormalizedAuthModelConfig } from '../config/types.js'
 
 /**
  * Get better-auth database configuration from OpenSaas config
@@ -16,6 +17,22 @@ function getDatabaseConfig(
   })
 }
 
+/**
+ * Translate a normalized OpenSaaS auth model config into the better-auth
+ * per-model options (`modelName` + `fields` column map). Returns `undefined`
+ * when there is nothing to override so the running auth instance keeps
+ * better-auth's own defaults untouched.
+ */
+function toBetterAuthModelOptions(
+  model: NormalizedAuthModelConfig,
+): { modelName?: string; fields?: Record<string, string> } | undefined {
+  const hasFields = Object.keys(model.fields).length > 0
+  const options: { modelName?: string; fields?: Record<string, string> } = {}
+  if (model.modelName) options.modelName = model.modelName
+  if (hasFields) options.fields = model.fields
+  return Object.keys(options).length > 0 ? options : undefined
+}
+
 /**
  * Create a better-auth instance from OpenSaas config
  * This should be called once at app startup
@@ -63,6 +80,20 @@ export function createAuth(
         const betterAuthConfig: BetterAuthOptions = {
           database: getDatabaseConfig(resolvedConfig.db, resolvedContext),
 
+          // Mirror the per-model config (modelName + field column maps) back to
+          // better-auth so the running auth instance reads/writes the same
+          // tables/columns the OpenSaaS Auth lists were derived from.
+          user: toBetterAuthModelOptions(authConfig.models.user),
+          session: {
+            ...toBetterAuthModelOptions(authConfig.models.session),
+            expiresIn: authConfig.session.expiresIn || 604800,
+            updateAge: authConfig.session.updateAge
+              ? (authConfig.session.expiresIn || 604800) / 10
+              : 0,
+          },
+          account: toBetterAuthModelOptions(authConfig.models.account),
+          verification: toBetterAuthModelOptions(authConfig.models.verification),
+
           // Enable email and password if configured
           emailAndPassword: authConfig.emailAndPassword.enabled
             ? {
@@ -71,14 +102,6 @@ export function createAuth(
               }
             : undefined,
 
-          // Configure session
-          session: {
-            expiresIn: authConfig.session.expiresIn || 604800,
-            updateAge: authConfig.session.updateAge
-              ? (authConfig.session.expiresIn || 604800) / 10
-              : 0,
-          },
-
           // Trust host (required for production)
           trustedOrigins: process.env.BETTER_AUTH_TRUSTED_ORIGINS?.split(',') || [],
 

package/src/server/schema-converter.ts

@@ -283,7 +283,7 @@ export function convertTableToList(
 
 /**
  * Convert all Better Auth tables to OpenSaaS list configs
- * This is called by withAuth() to generate lists from Better Auth + plugins
+ * This is called by authPlugin() to generate lists from Better Auth + plugins
  */
 export function convertBetterAuthSchema(
   tables: Record<string, BetterAuthTableSchema>,

package/tests/adopt-better-auth-tables.test.ts

@@ -0,0 +1,183 @@
+import { describe, it, expect } from 'vitest'
+import { config, list } from '@opensaas/stack-core'
+import { text } from '@opensaas/stack-core/fields'
+import type { OpenSaasConfig } from '@opensaas/stack-core'
+import type { Plugin } from '@opensaas/stack-core/extend'
+import { authPlugin } from '../src/config/plugin.js'
+import { adoptBetterAuthTables } from '../src/config/adopt-better-auth-tables.js'
+
+/**
+ * Run a config through plugin `init` (via `config()`) and then the auth
+ * plugin's `beforeGenerate` hook — mirroring the CLI generate pipeline — to
+ * observe the final config the generator would consume. Mirrors the helper in
+ * `plugin-schema-placement.test.ts`.
+ */
+async function generationConfig(userConfig: OpenSaasConfig): Promise<OpenSaasConfig> {
+  const resolved = await config(userConfig)
+  let current = resolved
+  const plugins: Plugin[] = resolved.plugins ?? []
+  for (const plugin of plugins) {
+    if (plugin.beforeGenerate) {
+      current = await plugin.beforeGenerate(current)
+    }
+  }
+  return current
+}
+
+describe('adoptBetterAuthTables - recipe defaults', () => {
+  it('produces the standard separate-schema better-auth defaults', () => {
+    const fragment = adoptBetterAuthTables()
+
+    expect(fragment).toEqual({
+      schema: 'auth',
+      user: { modelName: 'AuthUser' },
+      session: { modelName: 'AuthSession' },
+      account: { modelName: 'AuthAccount' },
+      verification: { modelName: 'AuthVerification' },
+    })
+  })
+
+  it('honours a custom schema and model-name prefix', () => {
+    const fragment = adoptBetterAuthTables({ schema: 'identity', modelNamePrefix: 'BA' })
+
+    expect(fragment).toEqual({
+      schema: 'identity',
+      user: { modelName: 'BAUser' },
+      session: { modelName: 'BASession' },
+      account: { modelName: 'BAAccount' },
+      verification: { modelName: 'BAVerification' },
+    })
+  })
+
+  it('merges per-model field column maps when provided', () => {
+    const fragment = adoptBetterAuthTables({
+      fields: {
+        user: { name: 'full_name', emailVerified: 'is_verified' },
+        session: { userId: 'user_id' },
+      },
+    })
+
+    expect(fragment.user).toEqual({
+      modelName: 'AuthUser',
+      fields: { name: 'full_name', emailVerified: 'is_verified' },
+    })
+    expect(fragment.session).toEqual({
+      modelName: 'AuthSession',
+      fields: { userId: 'user_id' },
+    })
+    // Models without a field map carry no `fields` key (no empty object)
+    expect(fragment.account).toEqual({ modelName: 'AuthAccount' })
+    expect(fragment.verification).toEqual({ modelName: 'AuthVerification' })
+  })
+
+  it('omits the schema when explicitly set to public', () => {
+    const fragment = adoptBetterAuthTables({ schema: 'public' })
+    expect(fragment.schema).toBe('public')
+  })
+})
+
+describe('adoptBetterAuthTables - composes with authPlugin', () => {
+  it('spreads into authPlugin alongside the rest of the auth config', async () => {
+    const result = await config({
+      db: { provider: 'postgresql' },
+      plugins: [
+        authPlugin({
+          ...adoptBetterAuthTables(),
+          emailAndPassword: { enabled: true },
+          sessionFields: ['userId', 'email', 'name'],
+        }),
+      ],
+      lists: {},
+    })
+
+    // The recipe's derived Auth lists are present...
+    expect(result.lists).toHaveProperty('AuthUser')
+    expect(result.lists).toHaveProperty('AuthSession')
+    expect(result.lists).toHaveProperty('AuthAccount')
+    expect(result.lists).toHaveProperty('AuthVerification')
+    // ...keyed off the recipe's model names, not the default `User`/`Session`.
+    expect(result.lists).not.toHaveProperty('User')
+    expect(result.lists).not.toHaveProperty('Session')
+
+    // The rest of the auth config still applies (stored for runtime).
+    const authData = result._pluginData?.auth as { emailAndPassword?: { enabled?: boolean } }
+    expect(authData?.emailAndPassword?.enabled).toBe(true)
+  })
+})
+
+describe('adoptBetterAuthTables - clean-diff adoption (Auth lists ≠ app User)', () => {
+  it('lands every Auth list in the auth schema with @@map + @@schema and leaves the app User untouched', async () => {
+    const result = await generationConfig({
+      db: { provider: 'postgresql' },
+      plugins: [
+        authPlugin({
+          ...adoptBetterAuthTables(),
+          emailAndPassword: { enabled: true },
+        }),
+      ],
+      // The migrating app keeps its own domain User (public.User), keyed by
+      // its own subjectId — a DIFFERENT model from the better-auth user.
+      lists: {
+        User: list({
+          fields: {
+            subjectId: text({ validation: { isRequired: true } }),
+          },
+        }),
+      },
+    })
+
+    // Each Auth list is pinned to its live table name (@@map) and the `auth`
+    // schema (@@schema), with auto-timestamps preserved (ADR-0004) — exactly the
+    // shape that diffs CLEAN against a live separate-schema better-auth install.
+    expect(result.lists.AuthUser.db).toEqual({ timestamps: true, map: 'AuthUser', schema: 'auth' })
+    expect(result.lists.AuthSession.db).toEqual({
+      timestamps: true,
+      map: 'AuthSession',
+      schema: 'auth',
+    })
+    expect(result.lists.AuthAccount.db).toEqual({
+      timestamps: true,
+      map: 'AuthAccount',
+      schema: 'auth',
+    })
+    expect(result.lists.AuthVerification.db).toEqual({
+      timestamps: true,
+      map: 'AuthVerification',
+      schema: 'auth',
+    })
+
+    // The app's own domain User is preserved: its field shape is intact, NOT
+    // merged with auth fields, and it stays in `public` (not the auth schema).
+    const appUser = result.lists.User
+    expect(appUser.fields).toHaveProperty('subjectId')
+    expect(appUser.fields).not.toHaveProperty('email')
+    expect(appUser.fields).not.toHaveProperty('emailVerified')
+    expect(appUser.fields).not.toHaveProperty('sessions')
+    expect(appUser.db?.schema).toBe('public')
+
+    // The datasource lists both schemas so the multi-schema Prisma schema is valid.
+    expect(result.db.schemas).toEqual(['public', 'auth'])
+  })
+
+  it('carries field column maps through to the derived Auth lists for renamed columns', async () => {
+    const result = await config({
+      db: { provider: 'postgresql' },
+      plugins: [
+        authPlugin({
+          ...adoptBetterAuthTables({
+            fields: {
+              user: { name: 'full_name' },
+              session: { userId: 'user_id' },
+            },
+          }),
+        }),
+      ],
+      lists: {},
+    })
+
+    // Renamed columns flow through to the derived field-level @map / FK @map so
+    // the lists match the live columns.
+    expect(result.lists.AuthUser.fields.name.db?.map).toBe('full_name')
+    expect(result.lists.AuthSession.fields.user.db?.foreignKey).toEqual({ map: 'user_id' })
+  })
+})

package/tests/derive-auth-lists.test.ts

@@ -0,0 +1,232 @@
+import { describe, it, expect } from 'vitest'
+import { deriveAuthLists } from '../src/config/derive-auth-lists.js'
+import type { NormalizedAuthModels } from '../src/config/types.js'
+
+const defaultModels: NormalizedAuthModels = {
+  user: { modelName: 'User', fields: {} },
+  session: { modelName: 'Session', fields: {} },
+  account: { modelName: 'Account', fields: {} },
+  verification: { modelName: 'Verification', fields: {} },
+}
+
+describe('deriveAuthLists - default behaviour (no overrides)', () => {
+  it('keeps the historical User/Session/Account/Verification keys', () => {
+    const { keys, lists } = deriveAuthLists(defaultModels)
+
+    expect(keys).toEqual({
+      user: 'User',
+      session: 'Session',
+      account: 'Account',
+      verification: 'Verification',
+    })
+    expect(Object.keys(lists).sort()).toEqual(['Account', 'Session', 'User', 'Verification'])
+  })
+
+  it('keeps the original User field shape', () => {
+    const { lists } = deriveAuthLists(defaultModels)
+    const user = lists.User
+
+    expect(user.fields).toHaveProperty('name')
+    expect(user.fields).toHaveProperty('email')
+    expect(user.fields).toHaveProperty('emailVerified')
+    expect(user.fields).toHaveProperty('image')
+    expect(user.fields).toHaveProperty('sessions')
+    expect(user.fields).toHaveProperty('accounts')
+    expect(user.fields.email.isIndexed).toBe('unique')
+    expect(user.fields.name.validation?.isRequired).toBe(true)
+  })
+
+  it('wires relationship refs to the default keys', () => {
+    const { lists } = deriveAuthLists(defaultModels)
+    expect(lists.Session.fields.user.ref).toBe('User.sessions')
+    expect(lists.Account.fields.user.ref).toBe('User.accounts')
+    expect(lists.User.fields.sessions.ref).toBe('Session.user')
+    expect(lists.User.fields.accounts.ref).toBe('Account.user')
+  })
+
+  it('emits no table @@map and no scalar @map for default keys', () => {
+    const { lists } = deriveAuthLists(defaultModels)
+
+    expect(lists.User.db?.map).toBeUndefined()
+    expect(lists.Session.db?.map).toBeUndefined()
+    expect(lists.Account.db?.map).toBeUndefined()
+    expect(lists.Verification.db?.map).toBeUndefined()
+
+    expect(lists.User.fields.name.db?.map).toBeUndefined()
+    expect(lists.Session.fields.token.db?.map).toBeUndefined()
+    // FK column not overridden -> no foreignKey map on the relationship
+    expect(lists.Session.fields.user.db).toBeUndefined()
+  })
+
+  it('opts every auth list into auto-timestamps', () => {
+    // Auto-timestamps are OFF by default (ADR-0004), but better-auth's adapter
+    // writes createdAt/updatedAt on every auth row and the schema converter
+    // returns null for those columns assuming the generator injects them. Each
+    // derived auth list must therefore re-enable them via db.timestamps.
+    const { lists } = deriveAuthLists(defaultModels)
+
+    expect(lists.User.db?.timestamps).toBe(true)
+    expect(lists.Session.db?.timestamps).toBe(true)
+    expect(lists.Account.db?.timestamps).toBe(true)
+    expect(lists.Verification.db?.timestamps).toBe(true)
+  })
+})
+
+describe('deriveAuthLists - custom modelName overrides', () => {
+  const customModels: NormalizedAuthModels = {
+    user: { modelName: 'AuthUser', fields: {} },
+    session: { modelName: 'AuthSession', fields: {} },
+    account: { modelName: 'AuthAccount', fields: {} },
+    verification: { modelName: 'AuthVerification', fields: {} },
+  }
+
+  it('derives list keys from modelName', () => {
+    const { keys, lists } = deriveAuthLists(customModels)
+
+    expect(keys).toEqual({
+      user: 'AuthUser',
+      session: 'AuthSession',
+      account: 'AuthAccount',
+      verification: 'AuthVerification',
+    })
+    expect(Object.keys(lists).sort()).toEqual([
+      'AuthAccount',
+      'AuthSession',
+      'AuthUser',
+      'AuthVerification',
+    ])
+    // The app's own `User` key must NOT be produced by the plugin
+    expect(lists).not.toHaveProperty('User')
+  })
+
+  it('wires relationship refs to the derived keys', () => {
+    const { lists } = deriveAuthLists(customModels)
+    expect(lists.AuthSession.fields.user.ref).toBe('AuthUser.sessions')
+    expect(lists.AuthAccount.fields.user.ref).toBe('AuthUser.accounts')
+    expect(lists.AuthUser.fields.sessions.ref).toBe('AuthSession.user')
+    expect(lists.AuthUser.fields.accounts.ref).toBe('AuthAccount.user')
+  })
+
+  it('pins each renamed list to a table @@map equal to the model name', () => {
+    const { lists } = deriveAuthLists(customModels)
+
+    expect(lists.AuthUser.db?.map).toBe('AuthUser')
+    expect(lists.AuthSession.db?.map).toBe('AuthSession')
+    expect(lists.AuthAccount.db?.map).toBe('AuthAccount')
+    expect(lists.AuthVerification.db?.map).toBe('AuthVerification')
+  })
+
+  it('keeps auto-timestamps enabled alongside the table @@map', () => {
+    const { lists } = deriveAuthLists(customModels)
+
+    expect(lists.AuthUser.db?.timestamps).toBe(true)
+    expect(lists.AuthSession.db?.timestamps).toBe(true)
+    expect(lists.AuthAccount.db?.timestamps).toBe(true)
+    expect(lists.AuthVerification.db?.timestamps).toBe(true)
+  })
+})
+
+describe('deriveAuthLists - custom field column maps', () => {
+  const models: NormalizedAuthModels = {
+    user: { modelName: 'AuthUser', fields: { name: 'full_name', emailVerified: 'is_verified' } },
+    session: { modelName: 'AuthSession', fields: { token: 'session_token', userId: 'user_id' } },
+    account: { modelName: 'AuthAccount', fields: { userId: 'user_id' } },
+    verification: { modelName: 'AuthVerification', fields: {} },
+  }
+
+  it('applies @map column overrides to scalar fields', () => {
+    const { lists } = deriveAuthLists(models)
+
+    expect(lists.AuthUser.fields.name.db?.map).toBe('full_name')
+    expect(lists.AuthUser.fields.emailVerified.db?.map).toBe('is_verified')
+    expect(lists.AuthSession.fields.token.db?.map).toBe('session_token')
+  })
+
+  it('applies the userId column override to the relationship foreign key', () => {
+    const { lists } = deriveAuthLists(models)
+
+    expect(lists.AuthSession.fields.user.db?.foreignKey).toEqual({ map: 'user_id' })
+    expect(lists.AuthAccount.fields.user.db?.foreignKey).toEqual({ map: 'user_id' })
+  })
+
+  it('only maps fields that have an override, leaving others unmapped', () => {
+    const { lists } = deriveAuthLists(models)
+    // name is mapped, email is not
+    expect(lists.AuthUser.fields.name.db?.map).toBe('full_name')
+    expect(lists.AuthUser.fields.email.db?.map).toBeUndefined()
+  })
+})
+
+describe('deriveAuthLists - schema placement', () => {
+  it('places all lists in the configured schema via db.schema', () => {
+    const models: NormalizedAuthModels = {
+      user: { modelName: 'AuthUser', fields: {}, schema: 'auth' },
+      session: { modelName: 'AuthSession', fields: {}, schema: 'auth' },
+      account: { modelName: 'AuthAccount', fields: {}, schema: 'auth' },
+      verification: { modelName: 'AuthVerification', fields: {}, schema: 'auth' },
+    }
+
+    const { lists } = deriveAuthLists(models)
+
+    expect(lists.AuthUser.db?.schema).toBe('auth')
+    expect(lists.AuthSession.db?.schema).toBe('auth')
+    expect(lists.AuthAccount.db?.schema).toBe('auth')
+    expect(lists.AuthVerification.db?.schema).toBe('auth')
+  })
+
+  it('carries both @@map and @@schema for renamed + relocated lists', () => {
+    const models: NormalizedAuthModels = {
+      user: { modelName: 'AuthUser', fields: {}, schema: 'auth' },
+      session: { modelName: 'AuthSession', fields: {}, schema: 'auth' },
+      account: { modelName: 'AuthAccount', fields: {}, schema: 'auth' },
+      verification: { modelName: 'AuthVerification', fields: {}, schema: 'auth' },
+    }
+
+    const { lists } = deriveAuthLists(models)
+
+    // Auth lists always opt into auto-timestamps (ADR-0004) alongside the
+    // table @@map and @@schema placement.
+    expect(lists.AuthUser.db).toEqual({ timestamps: true, map: 'AuthUser', schema: 'auth' })
+  })
+
+  it('honours a per-model schema override alongside a different default schema', () => {
+    const models: NormalizedAuthModels = {
+      user: { modelName: 'AuthUser', fields: {}, schema: 'auth' },
+      session: { modelName: 'AuthSession', fields: {}, schema: 'auth' },
+      account: { modelName: 'AuthAccount', fields: {}, schema: 'auth' },
+      // One list targets a different schema than the rest
+      verification: { modelName: 'AuthVerification', fields: {}, schema: 'auth_internal' },
+    }
+
+    const { lists } = deriveAuthLists(models)
+
+    expect(lists.AuthUser.db?.schema).toBe('auth')
+    expect(lists.AuthVerification.db?.schema).toBe('auth_internal')
+  })
+
+  it('emits no @@schema for the default (no-schema) configuration', () => {
+    const { lists } = deriveAuthLists(defaultModels)
+
+    // Auth lists still opt into auto-timestamps (ADR-0004); the greenfield
+    // default just carries no schema/map placement.
+    expect(lists.User.db).toEqual({ timestamps: true })
+    expect(lists.User.db?.schema).toBeUndefined()
+    expect(lists.Session.db?.schema).toBeUndefined()
+    expect(lists.Account.db?.schema).toBeUndefined()
+    expect(lists.Verification.db?.schema).toBeUndefined()
+  })
+})
+
+describe('deriveAuthLists - extendUserList', () => {
+  it('adds custom fields to the derived user list', () => {
+    const { lists } = deriveAuthLists(
+      { ...defaultModels, user: { modelName: 'AuthUser', fields: {} } },
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- minimal custom field config for test
+      { fields: { role: { type: 'text' } as any } },
+    )
+
+    expect(lists.AuthUser.fields).toHaveProperty('role')
+    // Base fields still present
+    expect(lists.AuthUser.fields).toHaveProperty('email')
+  })
+})

package/tests/plugin-derived-keys.test.ts

@@ -0,0 +1,138 @@
+import { describe, it, expect, vi } from 'vitest'
+import { config, list } from '@opensaas/stack-core'
+import { text } from '@opensaas/stack-core/fields'
+import type { AccessContext } from '@opensaas/stack-core'
+import { authPlugin } from '../src/config/plugin.js'
+import type { AuthRuntimeServices } from '../src/runtime/types.js'
+
+describe('authPlugin - add-vs-extend with derived keys', () => {
+  it("does NOT extend or overwrite an app's own User when keys are customised", async () => {
+    // The app declares its own domain `User` (a different model from the
+    // better-auth user). The plugin renames its user model to `AuthUser`.
+    const appUserHook = vi.fn()
+    const result = await config({
+      db: { provider: 'sqlite' },
+      plugins: [
+        authPlugin({
+          user: { modelName: 'AuthUser' },
+          session: { modelName: 'AuthSession' },
+          account: { modelName: 'AuthAccount' },
+          verification: { modelName: 'AuthVerification' },
+        }),
+      ],
+      lists: {
+        User: list({
+          fields: {
+            subjectId: text({ validation: { isRequired: true } }),
+          },
+          hooks: { beforeOperation: appUserHook },
+        }),
+      },
+    })
+
+    // The plugin adds its own AuthUser/AuthSession/... lists
+    expect(result.lists).toHaveProperty('AuthUser')
+    expect(result.lists).toHaveProperty('AuthSession')
+    expect(result.lists).toHaveProperty('AuthAccount')
+    expect(result.lists).toHaveProperty('AuthVerification')
+
+    // The app's own `User` is left completely untouched: its field shape is
+    // preserved and NOT merged with auth fields (no email/name/sessions).
+    const appUser = result.lists.User
+    expect(appUser.fields).toHaveProperty('subjectId')
+    expect(appUser.fields).not.toHaveProperty('email')
+    expect(appUser.fields).not.toHaveProperty('emailVerified')
+    expect(appUser.fields).not.toHaveProperty('sessions')
+    // Its hooks are preserved (not replaced by the auth user's hooks)
+    expect(appUser.hooks?.beforeOperation).toBe(appUserHook)
+
+    // And the auth user list (AuthUser) is the one carrying auth fields
+    expect(result.lists.AuthUser.fields).toHaveProperty('email')
+    expect(result.lists.AuthUser.fields).toHaveProperty('sessions')
+  })
+
+  it('still merges auth fields into an existing list that shares the default key', async () => {
+    // Default keys: the plugin's user key is `User`, so an existing `User`
+    // is intentionally extended with auth fields (the historical behaviour).
+    const result = await config({
+      db: { provider: 'sqlite' },
+      plugins: [authPlugin({})],
+      lists: {
+        User: list({
+          fields: {
+            bio: text(),
+          },
+        }),
+      },
+    })
+
+    const user = result.lists.User
+    expect(user.fields).toHaveProperty('bio') // app field preserved
+    expect(user.fields).toHaveProperty('email') // auth field merged in
+    expect(user.fields).toHaveProperty('sessions')
+  })
+})
+
+describe('authPlugin - runtime user-key resolution', () => {
+  /**
+   * Build a minimal AccessContext whose `db` records which model key was
+   * accessed, so we can assert the runtime resolves the configured user model.
+   */
+  function makeFakeContext(session: { userId?: string } | null) {
+    const accessedKeys: string[] = []
+    const db = new Proxy(
+      {},
+      {
+        get(_target, key: string) {
+          accessedKeys.push(key)
+          return {
+            findUnique: async ({ where }: { where: { id: string } }) => ({
+              id: where.id,
+              __model: key,
+            }),
+          }
+        },
+      },
+    )
+    const context = { session, db } as unknown as AccessContext
+    return { context, accessedKeys }
+  }
+
+  it('getUser uses the default `user` db key when no modelName override', () => {
+    const plugin = authPlugin({})
+    const { context, accessedKeys } = makeFakeContext({ userId: 'u1' })
+    const services = plugin.runtime?.(context) as AuthRuntimeServices
+
+    void services.getUser('u1')
+    expect(accessedKeys).toContain('user')
+  })
+
+  it('getUser uses the configured user model db key (AuthUser -> authUser)', async () => {
+    const plugin = authPlugin({ user: { modelName: 'AuthUser' } })
+    const { context, accessedKeys } = makeFakeContext({ userId: 'u1' })
+    const services = plugin.runtime?.(context) as AuthRuntimeServices
+
+    const user = (await services.getUser('u1')) as { __model: string }
+    expect(accessedKeys).toContain('authUser')
+    expect(accessedKeys).not.toContain('user')
+    expect(user.__model).toBe('authUser')
+  })
+
+  it('getCurrentUser uses the configured user model db key', async () => {
+    const plugin = authPlugin({ user: { modelName: 'AuthUser' } })
+    const { context, accessedKeys } = makeFakeContext({ userId: 'u1' })
+    const services = plugin.runtime?.(context) as AuthRuntimeServices
+
+    const user = (await services.getCurrentUser()) as { __model: string }
+    expect(accessedKeys).toContain('authUser')
+    expect(user.__model).toBe('authUser')
+  })
+
+  it('getCurrentUser returns null when there is no session', async () => {
+    const plugin = authPlugin({ user: { modelName: 'AuthUser' } })
+    const { context } = makeFakeContext(null)
+    const services = plugin.runtime?.(context) as AuthRuntimeServices
+
+    expect(await services.getCurrentUser()).toBeNull()
+  })
+})