@payez/next-mvp 3.7.1 → 3.8.1

package/dist/auth/better-auth.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Better Auth Configuration (Phase 1 — parallel install)
+ *
+ * NOT wired to routes yet. Exists alongside auth-options.ts for testing.
+ * Wired in Phase 2 behind USE_BETTER_AUTH flag.
+ *
+ * Architecture: No database adapter — Better Auth runs in stateless mode
+ * with JWE cookie cache. User management stays on IDP, sessions on Redis.
+ *
+ * @see BETTER-AUTH-MIGRATION-SPEC.md
+ */
+import 'server-only';
+import type { IDPClientConfig } from '../lib/idp-client-config';
+/**
+ * Better Auth social provider config shape.
+ */
+export interface BetterAuthSocialProvider {
+    clientId: string;
+    clientSecret: string;
+    scope?: string[];
+}
+/**
+ * Build Better Auth social providers from IDP config.
+ * Replaces buildOAuthProviders() from providers/oauth.ts.
+ */
+export declare function buildBetterAuthProviders(config: IDPClientConfig): Record<string, BetterAuthSocialProvider>;
+/**
+ * Create Better Auth instance from IDP config.
+ *
+ * No database — runs in stateless mode with JWE cookie cache.
+ * Call after getIDPClientConfig() resolves.
+ */
+export declare function createBetterAuthInstance(idpConfig: IDPClientConfig): import("better-auth").Auth<{
+    secret: string;
+    socialProviders: Record<string, BetterAuthSocialProvider>;
+    session: {
+        cookieCache: {
+            enabled: true;
+            maxAge: number;
+            refreshCache: true;
+        };
+    };
+    plugins: [{
+        id: "next-cookies";
+        hooks: {
+            before: {
+                matcher(ctx: import("better-auth").HookEndpointContext): boolean;
+                handler: (inputContext: import("better-auth").MiddlewareInputContext<import("better-auth").MiddlewareOptions>) => Promise<void>;
+            }[];
+            after: {
+                matcher(ctx: import("better-auth").HookEndpointContext): true;
+                handler: (inputContext: import("better-auth").MiddlewareInputContext<import("better-auth").MiddlewareOptions>) => Promise<void>;
+            }[];
+        };
+    }];
+}>;
+/**
+ * Check if Better Auth is enabled via flag.
+ */
+export declare function isBetterAuthEnabled(): boolean;
+/**
+ * Get flag-gated auth handler for Next.js route.
+ *
+ * When USE_BETTER_AUTH=true, returns Better Auth handlers.
+ * Otherwise returns null (caller uses NextAuth).
+ *
+ * Usage in host app route:
+ * ```ts
+ * import { getBetterAuthHandler } from '@payez/next-mvp/auth/better-auth';
+ *
+ * export async function GET(req: Request) {
+ *   const ba = await getBetterAuthHandler();
+ *   if (ba) return ba.GET(req);
+ *   // ... existing NextAuth handler
+ * }
+ * ```
+ */
+export declare function getBetterAuthHandler(): Promise<{
+    GET: (req: Request) => Promise<Response>;
+    POST: (req: Request) => Promise<Response>;
+} | null>;

package/dist/auth/better-auth.js

@@ -0,0 +1,114 @@
+"use strict";
+/**
+ * Better Auth Configuration (Phase 1 — parallel install)
+ *
+ * NOT wired to routes yet. Exists alongside auth-options.ts for testing.
+ * Wired in Phase 2 behind USE_BETTER_AUTH flag.
+ *
+ * Architecture: No database adapter — Better Auth runs in stateless mode
+ * with JWE cookie cache. User management stays on IDP, sessions on Redis.
+ *
+ * @see BETTER-AUTH-MIGRATION-SPEC.md
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildBetterAuthProviders = buildBetterAuthProviders;
+exports.createBetterAuthInstance = createBetterAuthInstance;
+exports.isBetterAuthEnabled = isBetterAuthEnabled;
+exports.getBetterAuthHandler = getBetterAuthHandler;
+require("server-only");
+const better_auth_1 = require("better-auth");
+const next_js_1 = require("better-auth/next-js");
+const next_js_2 = require("better-auth/next-js");
+const idp_client_config_1 = require("../lib/idp-client-config");
+/**
+ * Build Better Auth social providers from IDP config.
+ * Replaces buildOAuthProviders() from providers/oauth.ts.
+ */
+function buildBetterAuthProviders(config) {
+    const providers = {};
+    for (const oauth of config.oauthProviders || []) {
+        if (!oauth.enabled)
+            continue;
+        const name = oauth.provider.toLowerCase();
+        providers[name] = {
+            clientId: oauth.clientId,
+            clientSecret: oauth.clientSecret,
+            scope: oauth.scopes?.split(' '),
+        };
+    }
+    return providers;
+}
+/**
+ * Create Better Auth instance from IDP config.
+ *
+ * No database — runs in stateless mode with JWE cookie cache.
+ * Call after getIDPClientConfig() resolves.
+ */
+function createBetterAuthInstance(idpConfig) {
+    return (0, better_auth_1.betterAuth)({
+        secret: idpConfig.nextAuthSecret,
+        socialProviders: buildBetterAuthProviders(idpConfig),
+        // No database — stateless mode. Better Auth defaults to JWE cookie cache.
+        // Session cookie cache with refreshCache for DB-less setup.
+        session: {
+            cookieCache: {
+                enabled: true,
+                maxAge: 300,
+                refreshCache: true,
+            },
+        },
+        plugins: [
+            (0, next_js_1.nextCookies)(),
+        ],
+    });
+}
+/**
+ * Check if Better Auth is enabled via flag.
+ */
+function isBetterAuthEnabled() {
+    return process.env.USE_BETTER_AUTH === 'true';
+}
+/**
+ * Get Better Auth Next.js route handlers (GET, POST).
+ * Initializes Better Auth from IDP config on first call, caches the instance.
+ */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let cachedInstance = null;
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let initPromise = null;
+async function getBetterAuthInstance() {
+    if (cachedInstance)
+        return cachedInstance;
+    if (!initPromise) {
+        initPromise = (0, idp_client_config_1.getIDPClientConfig)().then(config => {
+            const instance = createBetterAuthInstance(config);
+            cachedInstance = instance;
+            console.log('[BETTER_AUTH] Instance created for', config.clientSlug || config.clientId);
+            return instance;
+        });
+    }
+    return initPromise;
+}
+/**
+ * Get flag-gated auth handler for Next.js route.
+ *
+ * When USE_BETTER_AUTH=true, returns Better Auth handlers.
+ * Otherwise returns null (caller uses NextAuth).
+ *
+ * Usage in host app route:
+ * ```ts
+ * import { getBetterAuthHandler } from '@payez/next-mvp/auth/better-auth';
+ *
+ * export async function GET(req: Request) {
+ *   const ba = await getBetterAuthHandler();
+ *   if (ba) return ba.GET(req);
+ *   // ... existing NextAuth handler
+ * }
+ * ```
+ */
+async function getBetterAuthHandler() {
+    if (!isBetterAuthEnabled())
+        return null;
+    const auth = await getBetterAuthInstance();
+    return (0, next_js_2.toNextJsHandler)(auth);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "3.7.1",
+  "version": "3.8.1",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -47,6 +47,11 @@
       "require": "./dist/auth/auth-options.js",
       "default": "./dist/auth/auth-options.js"
     },
+    "./auth/better-auth": {
+      "types": "./dist/auth/better-auth.d.ts",
+      "require": "./dist/auth/better-auth.js",
+      "default": "./dist/auth/better-auth.js"
+    },
     "./components/auth/FederatedAuthSection": {
       "types": "./dist/components/auth/FederatedAuthSection.d.ts",
       "require": "./dist/components/auth/FederatedAuthSection.js",
@@ -863,6 +868,7 @@
     "@azure/identity": "^4.0.1",
     "@azure/keyvault-secrets": "^4.7.0",
     "@upstash/redis": "^1.35.6",
+    "better-auth": "^1.5.6",
     "ioredis": "^5.3.2",
     "jose": "^5.2.4",
     "jsonwebtoken": "^9.0.2",

package/src/auth/better-auth.ts

@@ -0,0 +1,132 @@
+/**
+ * Better Auth Configuration (Phase 1 — parallel install)
+ *
+ * NOT wired to routes yet. Exists alongside auth-options.ts for testing.
+ * Wired in Phase 2 behind USE_BETTER_AUTH flag.
+ *
+ * Architecture: No database adapter — Better Auth runs in stateless mode
+ * with JWE cookie cache. User management stays on IDP, sessions on Redis.
+ *
+ * @see BETTER-AUTH-MIGRATION-SPEC.md
+ */
+
+import 'server-only';
+import { betterAuth } from 'better-auth';
+import { nextCookies } from 'better-auth/next-js';
+import { toNextJsHandler } from 'better-auth/next-js';
+import type { IDPClientConfig } from '../lib/idp-client-config';
+import { getIDPClientConfig } from '../lib/idp-client-config';
+
+/**
+ * Better Auth social provider config shape.
+ */
+export interface BetterAuthSocialProvider {
+  clientId: string;
+  clientSecret: string;
+  scope?: string[];
+}
+
+/**
+ * Build Better Auth social providers from IDP config.
+ * Replaces buildOAuthProviders() from providers/oauth.ts.
+ */
+export function buildBetterAuthProviders(
+  config: IDPClientConfig
+): Record<string, BetterAuthSocialProvider> {
+  const providers: Record<string, BetterAuthSocialProvider> = {};
+
+  for (const oauth of config.oauthProviders || []) {
+    if (!oauth.enabled) continue;
+    const name = oauth.provider.toLowerCase();
+    providers[name] = {
+      clientId: oauth.clientId,
+      clientSecret: oauth.clientSecret,
+      scope: oauth.scopes?.split(' '),
+    };
+  }
+
+  return providers;
+}
+
+/**
+ * Create Better Auth instance from IDP config.
+ *
+ * No database — runs in stateless mode with JWE cookie cache.
+ * Call after getIDPClientConfig() resolves.
+ */
+export function createBetterAuthInstance(idpConfig: IDPClientConfig) {
+  return betterAuth({
+    secret: idpConfig.nextAuthSecret as string,
+
+    socialProviders: buildBetterAuthProviders(idpConfig),
+
+    // No database — stateless mode. Better Auth defaults to JWE cookie cache.
+    // Session cookie cache with refreshCache for DB-less setup.
+    session: {
+      cookieCache: {
+        enabled: true,
+        maxAge: 300,
+        refreshCache: true,
+      },
+    },
+
+    plugins: [
+      nextCookies(),
+    ],
+  });
+}
+
+/**
+ * Check if Better Auth is enabled via flag.
+ */
+export function isBetterAuthEnabled(): boolean {
+  return process.env.USE_BETTER_AUTH === 'true';
+}
+
+/**
+ * Get Better Auth Next.js route handlers (GET, POST).
+ * Initializes Better Auth from IDP config on first call, caches the instance.
+ */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let cachedInstance: any = null;
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let initPromise: Promise<any> | null = null;
+
+async function getBetterAuthInstance() {
+  if (cachedInstance) return cachedInstance;
+
+  if (!initPromise) {
+    initPromise = getIDPClientConfig().then(config => {
+      const instance = createBetterAuthInstance(config);
+      cachedInstance = instance;
+      console.log('[BETTER_AUTH] Instance created for', config.clientSlug || config.clientId);
+      return instance;
+    });
+  }
+
+  return initPromise;
+}
+
+/**
+ * Get flag-gated auth handler for Next.js route.
+ *
+ * When USE_BETTER_AUTH=true, returns Better Auth handlers.
+ * Otherwise returns null (caller uses NextAuth).
+ *
+ * Usage in host app route:
+ * ```ts
+ * import { getBetterAuthHandler } from '@payez/next-mvp/auth/better-auth';
+ *
+ * export async function GET(req: Request) {
+ *   const ba = await getBetterAuthHandler();
+ *   if (ba) return ba.GET(req);
+ *   // ... existing NextAuth handler
+ * }
+ * ```
+ */
+export async function getBetterAuthHandler(): Promise<{ GET: (req: Request) => Promise<Response>; POST: (req: Request) => Promise<Response> } | null> {
+  if (!isBetterAuthEnabled()) return null;
+
+  const auth = await getBetterAuthInstance();
+  return toNextJsHandler(auth);
+}