@owox/idp-owox-better-auth 0.18.0

package/dist/types/index.d.ts

@@ -0,0 +1,45 @@
+import type { PoolOptions } from 'mysql2';
+/**
+ * SQLite database configuration
+ */
+export interface SqliteConfig {
+    type: 'sqlite';
+    filename: string;
+}
+/**
+ * MySQL database configuration
+ */
+export interface MySqlConfig {
+    type: 'mysql';
+    host: string;
+    user: string;
+    password: string;
+    database: string;
+    port: number | undefined;
+    ssl?: PoolOptions['ssl'];
+    connectionLimit: number | undefined;
+}
+export interface GoogleProviderConfig {
+    clientId: string;
+    clientSecret: string;
+    redirectURI?: string;
+    prompt?: string;
+    accessType?: string;
+}
+export interface SocialProvidersConfig {
+    google?: GoogleProviderConfig;
+}
+export type DatabaseConfig = SqliteConfig | MySqlConfig;
+export interface BetterAuthConfig {
+    database: DatabaseConfig;
+    socialProviders?: SocialProvidersConfig;
+    session?: {
+        maxAge?: number;
+    };
+    trustedOrigins?: string[];
+    baseURL?: string;
+    secret: string;
+}
+export * from './auth-session.js';
+export * from './database-models.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC1C;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,QAAQ,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,GAAG,SAAS,CAAC;IACzB,GAAG,CAAC,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC;IACzB,eAAe,EAAE,MAAM,GAAG,SAAS,CAAC;CACrC;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,EAAE,oBAAoB,CAAC;CAC/B;AAED,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,WAAW,CAAC;AAExD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,cAAc,CAAC;IACzB,eAAe,CAAC,EAAE,qBAAqB,CAAC;IACxC,OAAO,CAAC,EAAE;QACR,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC"}

package/dist/types/index.js

@@ -0,0 +1,2 @@
+export * from './auth-session.js';
+export * from './database-models.js';

package/dist/utils/cookie-policy.d.ts

@@ -0,0 +1,16 @@
+import type { CookieOptions, Request, Response } from 'express';
+/** Default cookie path for auth cookies. */
+export declare const COOKIE_DEFAULT_PATH = "/";
+/** Determines if a request should use secure cookies. */
+export declare const isSecureRequest: (req: Request) => boolean;
+/** Builds cookie options using consistent security defaults. */
+export declare function buildCookieOptions(req: Request, options?: {
+    maxAgeMs?: number;
+}): CookieOptions;
+/** Sets a cookie using shared defaults. */
+export declare function setCookie(res: Response, req: Request, name: string, value: string, options?: {
+    maxAgeMs?: number;
+}): void;
+/** Clears a cookie, optionally using the same security flags as set. */
+export declare function clearCookie(res: Response, name: string, req?: Request): void;
+//# sourceMappingURL=cookie-policy.d.ts.map

package/dist/utils/cookie-policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie-policy.d.ts","sourceRoot":"","sources":["../../src/utils/cookie-policy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEhE,4CAA4C;AAC5C,eAAO,MAAM,mBAAmB,MAAM,CAAC;AAIvC,yDAAyD;AACzD,eAAO,MAAM,eAAe,GAAI,KAAK,OAAO,KAAG,OACQ,CAAC;AAExD,gEAAgE;AAChE,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,aAAa,CAQ/F;AAED,2CAA2C;AAC3C,wBAAgB,SAAS,CACvB,GAAG,EAAE,QAAQ,EACb,GAAG,EAAE,OAAO,EACZ,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAC9B,IAAI,CAEN;AAED,wEAAwE;AACxE,wBAAgB,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,OAAO,GAAG,IAAI,CAM5E"}

package/dist/utils/cookie-policy.js

@@ -0,0 +1,27 @@
+/** Default cookie path for auth cookies. */
+export const COOKIE_DEFAULT_PATH = '/';
+const isLocalhost = (host) => host === 'localhost' || host === '127.0.0.1';
+/** Determines if a request should use secure cookies. */
+export const isSecureRequest = (req) => req.protocol !== 'http' && !isLocalhost(req.hostname);
+/** Builds cookie options using consistent security defaults. */
+export function buildCookieOptions(req, options) {
+    return {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: COOKIE_DEFAULT_PATH,
+        secure: isSecureRequest(req),
+        ...(options?.maxAgeMs ? { maxAge: options.maxAgeMs } : {}),
+    };
+}
+/** Sets a cookie using shared defaults. */
+export function setCookie(res, req, name, value, options) {
+    res.cookie(name, value, buildCookieOptions(req, options));
+}
+/** Clears a cookie, optionally using the same security flags as set. */
+export function clearCookie(res, name, req) {
+    if (req) {
+        res.clearCookie(name, buildCookieOptions(req));
+        return;
+    }
+    res.clearCookie(name, { path: COOKIE_DEFAULT_PATH });
+}

package/dist/utils/platform-redirect-builder.d.ts

@@ -0,0 +1,29 @@
+import { PlatformParams } from './request-utils.js';
+export interface PlatformRedirectOptions {
+    baseUrl?: string | null;
+    signInUrl?: string | null;
+    code: string;
+    state: string;
+    params?: PlatformParams;
+    defaultSource?: string;
+    allowedRedirectOrigins?: string[];
+}
+export interface PlatformEntryOptions {
+    authUrl: string;
+    params?: PlatformParams;
+    defaultSource?: string;
+    allowedRedirectOrigins?: string[];
+}
+/**
+ * Sanitizes redirect parameters to avoid open redirects.
+ */
+export declare function sanitizeRedirectParam(value: string | undefined, allowedRedirectOrigins: string[] | undefined): string | undefined;
+/**
+ * Builds a Platform redirect URL with code/state and safe params.
+ */
+export declare function buildPlatformRedirectUrl(options: PlatformRedirectOptions): URL | null;
+/**
+ * Builds a Platform entry URL (sign-in or sign-up) with safe params.
+ */
+export declare function buildPlatformEntryUrl(options: PlatformEntryOptions): URL;
+//# sourceMappingURL=platform-redirect-builder.d.ts.map

package/dist/utils/platform-redirect-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-redirect-builder.d.ts","sourceRoot":"","sources":["../../src/utils/platform-redirect-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEpD,MAAM,WAAW,uBAAuB;IACtC,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;CACnC;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;CACnC;AAcD;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,sBAAsB,EAAE,MAAM,EAAE,GAAG,SAAS,GAC3C,MAAM,GAAG,SAAS,CAQpB;AAkCD;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,uBAAuB,GAAG,GAAG,GAAG,IAAI,CAcrF;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,oBAAoB,GAAG,GAAG,CAOxE"}

package/dist/utils/platform-redirect-builder.js

@@ -0,0 +1,86 @@
+function isRelativePath(value) {
+    return value.startsWith('/') && !value.startsWith('//');
+}
+function normalizeOrigin(value) {
+    try {
+        return new URL(value).origin;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Sanitizes redirect parameters to avoid open redirects.
+ */
+export function sanitizeRedirectParam(value, allowedRedirectOrigins) {
+    if (!value)
+        return undefined;
+    const trimmed = value.trim();
+    if (!trimmed)
+        return undefined;
+    if (isRelativePath(trimmed))
+        return trimmed;
+    const origin = normalizeOrigin(trimmed);
+    if (!origin || !allowedRedirectOrigins?.length)
+        return undefined;
+    return allowedRedirectOrigins.includes(origin) ? trimmed : undefined;
+}
+function applyPlatformParams(url, params, options) {
+    const source = params?.source || options.defaultSource;
+    if (source)
+        url.searchParams.set('source', source);
+    const redirectTo = sanitizeRedirectParam(params?.redirectTo, options.allowedRedirectOrigins);
+    if (redirectTo)
+        url.searchParams.set('redirect-to', redirectTo);
+    const appRedirectTo = sanitizeRedirectParam(params?.appRedirectTo, options.allowedRedirectOrigins);
+    if (appRedirectTo)
+        url.searchParams.set('app-redirect-to', appRedirectTo);
+    if (params?.clientId)
+        url.searchParams.set('clientId', params.clientId);
+    if (params?.codeChallenge)
+        url.searchParams.set('codeChallenge', params.codeChallenge);
+    if (params?.projectId)
+        url.searchParams.set('projectId', params.projectId);
+}
+function resolveBaseUrl(baseUrl, signInUrl) {
+    if (baseUrl)
+        return baseUrl;
+    if (!signInUrl)
+        return null;
+    try {
+        const origin = new URL(signInUrl);
+        origin.pathname = '/ui/p/signin';
+        origin.search = '';
+        return origin.toString();
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Builds a Platform redirect URL with code/state and safe params.
+ */
+export function buildPlatformRedirectUrl(options) {
+    const base = resolveBaseUrl(options.baseUrl, options.signInUrl);
+    if (!base)
+        return null;
+    const url = new URL(base);
+    url.searchParams.set('code', options.code);
+    url.searchParams.set('state', options.state);
+    applyPlatformParams(url, options.params, {
+        defaultSource: options.defaultSource,
+        allowedRedirectOrigins: options.allowedRedirectOrigins,
+    });
+    return url;
+}
+/**
+ * Builds a Platform entry URL (sign-in or sign-up) with safe params.
+ */
+export function buildPlatformEntryUrl(options) {
+    const url = new URL(options.authUrl);
+    applyPlatformParams(url, options.params, {
+        defaultSource: options.defaultSource,
+        allowedRedirectOrigins: options.allowedRedirectOrigins,
+    });
+    return url;
+}

package/dist/utils/request-utils.d.ts

@@ -0,0 +1,87 @@
+import { type Request, type Response } from 'express';
+export { setCookie } from './cookie-policy.js';
+/**
+ * Parameters used for Platform redirects and context persistence.
+ */
+export interface PlatformParams {
+    redirectTo?: string;
+    appRedirectTo?: string;
+    source?: string;
+    clientId?: string;
+    codeChallenge?: string;
+    projectId?: string;
+}
+/**
+ * Centralized state handling with single-source validation.
+ */
+export declare class StateManager {
+    private readonly req;
+    private readonly stateFromCookie;
+    private readonly queryState;
+    constructor(req: Request);
+    extract(): string;
+    extractFromCookie(): string;
+    hasMismatch(): boolean;
+    persist(res: Response, state: string): void;
+}
+declare module 'express' {
+    interface Request {
+        _stateManager?: StateManager;
+    }
+}
+/**
+ * Returns a cached StateManager instance for the request.
+ */
+export declare function getStateManager(req: Request): StateManager;
+/**
+ * Reads a cookie value from request headers or cookie parser.
+ */
+export declare function getCookie(req: Request, name: string): string | undefined;
+/**
+ * Clears Platform flow cookies (state and params).
+ */
+export declare function clearPlatformCookies(res: Response, req?: Request): void;
+/**
+ * Clears Better Auth session and CSRF cookies.
+ */
+export declare function clearBetterAuthCookies(res: Response, req?: Request): void;
+/**
+ * Clears all auth-related cookies (Platform + Better Auth).
+ */
+export declare function clearAllAuthCookies(res: Response, req?: Request): void;
+/**
+ * Persists the PKCE state into a cookie.
+ */
+export declare function persistStateCookie(req: Request, res: Response, state: string): void;
+/**
+ * Extracts state from cookie or query, with mismatch protection.
+ */
+export declare function extractState(req: Request): string;
+/**
+ * Extracts state only from the cookie.
+ */
+export declare function extractStateFromCookie(req: Request): string;
+/**
+ * Returns true when cookie state and query state mismatch.
+ */
+export declare function hasStateMismatch(req: Request): boolean;
+/**
+ * Extracts redirect parameters from cookie or query.
+ */
+export declare function extractPlatformParams(req: Request): PlatformParams;
+/**
+ * Persists redirect parameters into a cookie.
+ */
+export declare function persistPlatformParams(req: Request, res: Response, params: PlatformParams): void;
+/**
+ * Persists both state and redirect parameters into cookies.
+ */
+export declare function persistPlatformContext(req: Request, res: Response, context: {
+    state?: string;
+    params: PlatformParams;
+}): void;
+/**
+ * Extracts the core refresh token from cookies.
+ */
+export declare const extractRefreshToken: (req: Request) => string | undefined;
+//# sourceMappingURL=request-utils.d.ts.map

package/dist/utils/request-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-utils.d.ts","sourceRoot":"","sources":["../../src/utils/request-utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,SAAS,CAAC;AAQtD,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAKD;;GAEG;AACH,qBAAa,YAAY;IAIX,OAAO,CAAC,QAAQ,CAAC,GAAG;IAHhC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAqB;IACrD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAEP,GAAG,EAAE,OAAO;IAKzC,OAAO,IAAI,MAAM;IAOjB,iBAAiB,IAAI,MAAM;IAI3B,WAAW,IAAI,OAAO;IAMtB,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;CAI5C;AAED,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,OAAO;QACf,aAAa,CAAC,EAAE,YAAY,CAAC;KAC9B;CACF;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,GAAG,YAAY,CAK1D;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAkBxE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,CAAC,EAAE,OAAO,GAAG,IAAI,CAGvE;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,CAAC,EAAE,OAAO,GAAG,IAAI,CAIzE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,CAAC,EAAE,OAAO,GAAG,IAAI,CAGtE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAEnF;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAEjD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAE3D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAEtD;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,OAAO,GAAG,cAAc,CAqClE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,cAAc,GAAG,IAAI,CAO/F;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,OAAO,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,cAAc,CAAA;CAAE,GAClD,IAAI,CAKN;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAAI,KAAK,OAAO,KAAG,MAAM,GAAG,SACjB,CAAC"}

package/dist/utils/request-utils.js

@@ -0,0 +1,171 @@
+import { BETTER_AUTH_CSRF_COOKIE, BETTER_AUTH_SESSION_COOKIE, BETTER_AUTH_STATE_COOKIE, CORE_REFRESH_TOKEN_COOKIE, } from '../core/constants.js';
+import { clearCookie, setCookie } from './cookie-policy.js';
+export { setCookie } from './cookie-policy.js';
+const STATE_COOKIE = 'idp-owox-state';
+const PLATFORM_PARAMS_COOKIE = 'idp-owox-params';
+/**
+ * Centralized state handling with single-source validation.
+ */
+export class StateManager {
+    req;
+    stateFromCookie;
+    queryState;
+    constructor(req) {
+        this.req = req;
+        this.stateFromCookie = getCookie(req, STATE_COOKIE);
+        this.queryState = typeof req.query?.state === 'string' ? req.query.state : '';
+    }
+    extract() {
+        if (this.hasMismatch()) {
+            return '';
+        }
+        return this.stateFromCookie || this.queryState || '';
+    }
+    extractFromCookie() {
+        return this.stateFromCookie || '';
+    }
+    hasMismatch() {
+        return Boolean(this.stateFromCookie && this.queryState && this.stateFromCookie !== this.queryState);
+    }
+    persist(res, state) {
+        if (!state)
+            return;
+        setCookie(res, this.req, STATE_COOKIE, state);
+    }
+}
+/**
+ * Returns a cached StateManager instance for the request.
+ */
+export function getStateManager(req) {
+    if (!req._stateManager) {
+        req._stateManager = new StateManager(req);
+    }
+    return req._stateManager;
+}
+/**
+ * Reads a cookie value from request headers or cookie parser.
+ */
+export function getCookie(req, name) {
+    const cookies = req.cookies;
+    if (cookies && typeof cookies[name] === 'string') {
+        return cookies[name];
+    }
+    const cookieHeader = req.headers.cookie || '';
+    if (!cookieHeader)
+        return undefined;
+    const escapedName = encodeURIComponent(name).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${escapedName}=([^;]*)`));
+    if (!match || !match[1])
+        return undefined;
+    try {
+        return decodeURIComponent(match[1]);
+    }
+    catch {
+        return match[1];
+    }
+}
+/**
+ * Clears Platform flow cookies (state and params).
+ */
+export function clearPlatformCookies(res, req) {
+    clearCookie(res, STATE_COOKIE, req);
+    clearCookie(res, PLATFORM_PARAMS_COOKIE, req);
+}
+/**
+ * Clears Better Auth session and CSRF cookies.
+ */
+export function clearBetterAuthCookies(res, req) {
+    clearCookie(res, BETTER_AUTH_SESSION_COOKIE, req);
+    clearCookie(res, BETTER_AUTH_CSRF_COOKIE, req);
+    clearCookie(res, BETTER_AUTH_STATE_COOKIE, req);
+}
+/**
+ * Clears all auth-related cookies (Platform + Better Auth).
+ */
+export function clearAllAuthCookies(res, req) {
+    clearPlatformCookies(res, req);
+    clearBetterAuthCookies(res, req);
+}
+/**
+ * Persists the PKCE state into a cookie.
+ */
+export function persistStateCookie(req, res, state) {
+    getStateManager(req).persist(res, state);
+}
+/**
+ * Extracts state from cookie or query, with mismatch protection.
+ */
+export function extractState(req) {
+    return getStateManager(req).extract();
+}
+/**
+ * Extracts state only from the cookie.
+ */
+export function extractStateFromCookie(req) {
+    return getStateManager(req).extractFromCookie();
+}
+/**
+ * Returns true when cookie state and query state mismatch.
+ */
+export function hasStateMismatch(req) {
+    return getStateManager(req).hasMismatch();
+}
+/**
+ * Extracts redirect parameters from cookie or query.
+ */
+export function extractPlatformParams(req) {
+    const cookiePayload = getCookie(req, PLATFORM_PARAMS_COOKIE);
+    if (cookiePayload) {
+        try {
+            const parsed = JSON.parse(decodeURIComponent(cookiePayload));
+            return {
+                redirectTo: parsed.redirectTo,
+                appRedirectTo: parsed.appRedirectTo,
+                source: parsed.source,
+                clientId: parsed.clientId,
+                codeChallenge: parsed.codeChallenge,
+                projectId: parsed.projectId,
+            };
+        }
+        catch {
+            // ignore malformed cookie
+        }
+    }
+    const redirectTo = (typeof req.query?.['redirect-to'] === 'string' && req.query['redirect-to']) ||
+        (typeof req.query?.redirectTo === 'string' && req.query.redirectTo) ||
+        undefined;
+    const appRedirectTo = (typeof req.query?.['app-redirect-to'] === 'string' && req.query['app-redirect-to']) ||
+        undefined;
+    const source = typeof req.query?.source === 'string' ? req.query.source : undefined;
+    const clientId = typeof req.query?.clientId === 'string' ? req.query.clientId : undefined;
+    const codeChallenge = (typeof req.query?.codeChallenge === 'string' && req.query.codeChallenge) ||
+        (typeof req.query?.codechallenge === 'string' && req.query.codechallenge) ||
+        undefined;
+    const projectId = typeof req.query?.projectId === 'string' ? req.query.projectId : undefined;
+    return { redirectTo, appRedirectTo, source, clientId, codeChallenge, projectId };
+}
+/**
+ * Persists redirect parameters into a cookie.
+ */
+export function persistPlatformParams(req, res, params) {
+    try {
+        const serialized = encodeURIComponent(JSON.stringify(params));
+        setCookie(res, req, PLATFORM_PARAMS_COOKIE, serialized);
+    }
+    catch {
+        // ignore serialization issues
+    }
+}
+/**
+ * Persists both state and redirect parameters into cookies.
+ */
+export function persistPlatformContext(req, res, context) {
+    persistPlatformParams(req, res, context.params);
+    if (context.state) {
+        persistStateCookie(req, res, context.state);
+    }
+}
+/**
+ * Extracts the core refresh token from cookies.
+ */
+export const extractRefreshToken = (req) => getCookie(req, CORE_REFRESH_TOKEN_COOKIE);

package/dist/utils/string-utils.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Splits a full name into first/last parts.
+ */
+export declare function splitName(name?: string): {
+    firstName: string;
+    lastName: string;
+    fullName: string;
+};
+/**
+ * Formats an error into a readable string with stack.
+ */
+export declare function formatError(error: unknown): string;
+//# sourceMappingURL=string-utils.d.ts.map

package/dist/utils/string-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"string-utils.d.ts","sourceRoot":"","sources":["../../src/utils/string-utils.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAQA;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAKlD"}

package/dist/utils/string-utils.js

@@ -0,0 +1,21 @@
+/**
+ * Splits a full name into first/last parts.
+ */
+export function splitName(name) {
+    const cleaned = (name || '').trim();
+    if (!cleaned) {
+        return { firstName: '', lastName: '', fullName: '' };
+    }
+    const [firstName = '', ...rest] = cleaned.split(/\s+/);
+    const lastName = rest.join(' ');
+    return { firstName, lastName, fullName: cleaned };
+}
+/**
+ * Formats an error into a readable string with stack.
+ */
+export function formatError(error) {
+    if (error instanceof Error) {
+        return `${error.message}\n${error.stack ?? ''}`;
+    }
+    return String(error);
+}

package/package.json

@@ -0,0 +1,71 @@
+{
+  "name": "@owox/idp-owox-better-auth",
+  "version": "0.18.0",
+  "type": "module",
+  "author": "OWOX",
+  "license": "ELv2",
+  "description": "OWOX Better Auth implementation for OWOX IDP Protocol",
+  "scripts": {
+    "build": "tsc && node ./scripts/copy-public.cjs",
+    "build:dep": "npm run build:internal-helpers && npm run build:idp-protocol",
+    "build:idp-protocol": "npm run build -w @owox/idp-protocol --prefix ../..",
+    "build:internal-helpers": "npm run build -w @owox/internal-helpers --prefix ../..",
+    "clean": "shx rm -rf dist",
+    "test": "jest",
+    "lint": "eslint . --config ./eslint.config.js",
+    "lint:fix": "eslint . --fix --config ./eslint.config.js",
+    "format": "prettier --write \"**/*.{ts,js,json,md}\" --ignore-path ../../.prettierignore",
+    "format:check": "prettier --check \"**/*.{ts,js,json,md}\" --ignore-path ../../.prettierignore",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "npm run lint && npm run typecheck"
+  },
+  "peerDependencies": {
+    "express": "^5",
+    "zod": "^3.25"
+  },
+  "dependencies": {
+    "@owox/idp-protocol": "0.18.0",
+    "@owox/internal-helpers": "0.18.0",
+    "axios": "^1.11.0",
+    "better-auth": "^1.4.18",
+    "cookie-parser": "^1.4.7",
+    "ejs": "^3.1.10",
+    "env-paths": "^3.0.0",
+    "jose": "^6.0.12",
+    "ms": "^2.1.3",
+    "mysql2": "^3.14.3",
+    "better-sqlite3": "^12.2.0",
+    "pkce-challenge": "^5.0.0"
+  },
+  "devDependencies": {
+    "@owox/eslint-config": "*",
+    "@owox/prettier-config": "*",
+    "@owox/typescript-config": "*",
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/cookie-parser": "^1.4.9",
+    "@types/ejs": "^3.1.5",
+    "@types/express": "^5.0.0",
+    "@types/jest": "^29.5.14",
+    "@types/node": "^22.10.7",
+    "jest": "^30.2.0",
+    "ts-jest": "^29.4.6"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=22.16.0"
+  },
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "require": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts"
+}