@sigma-auth/better-auth-plugin 0.0.1

package/README.md

@@ -0,0 +1,15 @@
+# sigma-auth-better-auth-plugin
+
+To install dependencies:
+
+```bash
+bun install
+```
+
+To run:
+
+```bash
+bun run index.ts
+```
+
+This project was created using `bun init` in bun v1.3.0. [Bun](https://bun.com) is a fast all-in-one JavaScript runtime.

package/dist/client/index.d.ts

@@ -0,0 +1,59 @@
+import type { BetterFetchOption } from "@better-fetch/fetch";
+import type { OAuthCallbackResult, SubscriptionStatus } from "../types/index.js";
+export type { OAuthCallbackError, OAuthCallbackResult, SubscriptionStatus, } from "../types/index.js";
+/**
+ * Options for Sigma sign-in
+ */
+export interface SigmaSignInOptions {
+    authToken?: string;
+    bapId?: string;
+    callbackURL?: string;
+    errorCallbackURL?: string;
+    provider?: string;
+    clientId?: string;
+    disableRedirect?: boolean;
+}
+/**
+ * Sigma Auth client plugin for Better Auth
+ * Provides browser-side OAuth flow with PKCE
+ *
+ * @example
+ * ```typescript
+ * import { createAuthClient } from "better-auth/client";
+ * import { sigmaClient } from "@sigma-auth/better-auth-plugin/client";
+ *
+ * export const authClient = createAuthClient({
+ *   baseURL: "https://auth.sigmaidentity.com",
+ *   plugins: [sigmaClient()],
+ * });
+ *
+ * // Sign in with Sigma
+ * authClient.signIn.sigma({
+ *   clientId: "your-app",
+ *   callbackURL: "/callback",
+ * });
+ * ```
+ */
+export declare const sigmaClient: () => {
+    id: "sigma";
+    getActions: ($fetch: import("@better-fetch/fetch").BetterFetch) => {
+        subscription: {
+            getStatus: () => Promise<SubscriptionStatus>;
+        };
+        signIn: {
+            sigma: (options?: SigmaSignInOptions, fetchOptions?: BetterFetchOption) => Promise<unknown>;
+        };
+        sigma: {
+            /**
+             * Handle OAuth callback after redirect from auth server
+             * Verifies state, exchanges code for tokens, and returns user data
+             *
+             * @param searchParams - URL search params from callback (code, state, error)
+             * @returns Promise resolving to user data and tokens
+             * @throws OAuthCallbackError if callback fails
+             */
+            handleCallback: (searchParams: URLSearchParams) => Promise<OAuthCallbackResult>;
+        };
+    };
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAE7D,OAAO,KAAK,EAEX,mBAAmB,EACnB,kBAAkB,EAClB,MAAM,mBAAmB,CAAC;AAG3B,YAAY,EACX,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,GAClB,MAAM,mBAAmB,CAAC;AAE3B;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAClC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC1B;AAsBD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,WAAW;;;;6BAOE,OAAO,CAAC,kBAAkB,CAAC;;;8BAiBrC,kBAAkB,iBACb,iBAAiB;;;YAwEjC;;;;;;;eAOG;2CAEY,eAAe,KAC3B,OAAO,CAAC,mBAAmB,CAAC;;;CAsJnC,CAAC"}

package/dist/client/index.js

@@ -0,0 +1,246 @@
+// PKCE helper functions
+const generateCodeVerifier = () => {
+    const array = new Uint8Array(32);
+    crypto.getRandomValues(array);
+    return btoa(String.fromCharCode(...array))
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=/g, "");
+};
+const generateCodeChallenge = async (verifier) => {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(verifier);
+    const hash = await crypto.subtle.digest("SHA-256", data);
+    return btoa(String.fromCharCode(...new Uint8Array(hash)))
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=/g, "");
+};
+/**
+ * Sigma Auth client plugin for Better Auth
+ * Provides browser-side OAuth flow with PKCE
+ *
+ * @example
+ * ```typescript
+ * import { createAuthClient } from "better-auth/client";
+ * import { sigmaClient } from "@sigma-auth/better-auth-plugin/client";
+ *
+ * export const authClient = createAuthClient({
+ *   baseURL: "https://auth.sigmaidentity.com",
+ *   plugins: [sigmaClient()],
+ * });
+ *
+ * // Sign in with Sigma
+ * authClient.signIn.sigma({
+ *   clientId: "your-app",
+ *   callbackURL: "/callback",
+ * });
+ * ```
+ */
+export const sigmaClient = () => {
+    return {
+        id: "sigma",
+        getActions: ($fetch) => {
+            return {
+                subscription: {
+                    getStatus: async () => {
+                        const res = await $fetch("/subscription/status", {
+                            method: "GET",
+                        });
+                        if (res.error) {
+                            throw new Error(res.error.message || "Failed to fetch subscription status");
+                        }
+                        return res.data;
+                    },
+                },
+                signIn: {
+                    sigma: async (options, fetchOptions) => {
+                        // Two modes:
+                        // 1. With authToken: Call local endpoint (for auth server login)
+                        // 2. Without authToken: OAuth redirect (for external clients)
+                        if (options?.authToken) {
+                            // Auth server local sign-in - call endpoint with authToken
+                            const res = await $fetch("/sign-in/sigma", {
+                                method: "POST",
+                                body: {},
+                                headers: {
+                                    "X-Auth-Token": options.authToken,
+                                },
+                                ...fetchOptions,
+                            });
+                            return res;
+                        }
+                        // External OAuth client - redirect to auth server
+                        const state = Math.random().toString(36).substring(7);
+                        // Generate PKCE parameters for public clients
+                        const codeVerifier = generateCodeVerifier();
+                        const codeChallenge = await generateCodeChallenge(codeVerifier);
+                        if (typeof window !== "undefined") {
+                            sessionStorage.setItem("sigma_oauth_state", state);
+                            sessionStorage.setItem("sigma_code_verifier", codeVerifier);
+                        }
+                        const authUrl = typeof process !== "undefined"
+                            ? process.env.NEXT_PUBLIC_SIGMA_AUTH_URL ||
+                                "https://auth.sigmaidentity.com"
+                            : "https://auth.sigmaidentity.com";
+                        // Ensure redirect_uri is always absolute (OAuth requires absolute URLs)
+                        const origin = typeof window !== "undefined" ? window.location.origin : "";
+                        const callbackPath = options?.callbackURL || "/callback";
+                        const redirectUri = callbackPath.startsWith("http")
+                            ? callbackPath
+                            : `${origin}${callbackPath.startsWith("/") ? callbackPath : `/${callbackPath}`}`;
+                        const params = new URLSearchParams({
+                            redirect_uri: redirectUri,
+                            response_type: "code",
+                            state,
+                            scope: "openid profile bsv:tools",
+                            code_challenge: codeChallenge,
+                            code_challenge_method: "S256",
+                        });
+                        if (options?.clientId) {
+                            params.append("client_id", options.clientId);
+                        }
+                        if (options?.provider) {
+                            params.append("provider", options.provider);
+                        }
+                        // Use custom authorize endpoint that checks wallet unlock before proceeding
+                        const fullAuthUrl = `${authUrl}/oauth2/authorize?${params.toString()}`;
+                        if (typeof window !== "undefined") {
+                            window.location.href = fullAuthUrl;
+                        }
+                        return new Promise(() => { });
+                    },
+                },
+                sigma: {
+                    /**
+                     * Handle OAuth callback after redirect from auth server
+                     * Verifies state, exchanges code for tokens, and returns user data
+                     *
+                     * @param searchParams - URL search params from callback (code, state, error)
+                     * @returns Promise resolving to user data and tokens
+                     * @throws OAuthCallbackError if callback fails
+                     */
+                    handleCallback: async (searchParams) => {
+                        // Check for OAuth error
+                        const error = searchParams.get("error");
+                        if (error) {
+                            const errorDescription = searchParams.get("error_description");
+                            throw {
+                                title: "Authentication Error",
+                                message: errorDescription ||
+                                    error ||
+                                    "An unknown error occurred during authentication.",
+                            };
+                        }
+                        // Check for authorization code
+                        const code = searchParams.get("code");
+                        const state = searchParams.get("state");
+                        if (!code) {
+                            throw {
+                                title: "Missing Authorization Code",
+                                message: "The authorization code was not received from the authentication server.",
+                            };
+                        }
+                        // Verify state for CSRF protection
+                        const savedState = typeof window !== "undefined"
+                            ? sessionStorage.getItem("sigma_oauth_state")
+                            : null;
+                        if (state !== savedState) {
+                            // Clear invalid state
+                            if (typeof window !== "undefined") {
+                                sessionStorage.removeItem("sigma_oauth_state");
+                            }
+                            throw {
+                                title: "Security Error",
+                                message: "Invalid state parameter. Please try signing in again.",
+                            };
+                        }
+                        // Clear state after successful verification
+                        if (typeof window !== "undefined") {
+                            sessionStorage.removeItem("sigma_oauth_state");
+                        }
+                        // Get PKCE verifier
+                        const codeVerifier = typeof window !== "undefined"
+                            ? sessionStorage.getItem("sigma_code_verifier") || undefined
+                            : undefined;
+                        // Exchange code for tokens via backend API
+                        // This must be done server-side because it requires bitcoin-auth signature
+                        try {
+                            const response = await fetch("/api/auth/callback", {
+                                method: "POST",
+                                headers: {
+                                    "Content-Type": "application/json",
+                                },
+                                body: JSON.stringify({
+                                    code,
+                                    state,
+                                    code_verifier: codeVerifier,
+                                }),
+                            });
+                            if (!response.ok) {
+                                let errorMessage = "Failed to exchange authorization code for access token.";
+                                let errorTitle = "Token Exchange Failed";
+                                try {
+                                    const errorData = (await response.json());
+                                    const endpoint = errorData.endpoint || "unknown";
+                                    const status = errorData.status || response.status;
+                                    // Parse nested error details if present
+                                    if (errorData.details) {
+                                        try {
+                                            const nestedError = JSON.parse(errorData.details);
+                                            if (nestedError.error_description) {
+                                                errorMessage = nestedError.error_description;
+                                            }
+                                            if (nestedError.error === "invalid_client") {
+                                                errorTitle = "Platform Not Registered";
+                                                errorMessage =
+                                                    "This platform is not registered with the authentication server.";
+                                            }
+                                        }
+                                        catch {
+                                            errorMessage = errorData.details;
+                                        }
+                                    }
+                                    else if (errorData.error) {
+                                        errorMessage = errorData.error;
+                                    }
+                                    errorMessage += `\n\nBackend: ${status} (${endpoint})`;
+                                }
+                                catch {
+                                    // Use default error message
+                                }
+                                throw {
+                                    title: errorTitle,
+                                    message: errorMessage,
+                                };
+                            }
+                            const data = (await response.json());
+                            return {
+                                user: data.user,
+                                access_token: data.access_token,
+                                refresh_token: data.refresh_token,
+                            };
+                        }
+                        catch (err) {
+                            // If already an OAuthCallbackError, rethrow
+                            if (typeof err === "object" &&
+                                err !== null &&
+                                "title" in err &&
+                                "message" in err) {
+                                throw err;
+                            }
+                            // Otherwise wrap in error object
+                            throw {
+                                title: "Authentication Failed",
+                                message: err instanceof Error
+                                    ? err.message
+                                    : "An unknown error occurred.",
+                            };
+                        }
+                    },
+                },
+            };
+        },
+    };
+};
+//# sourceMappingURL=index.js.map

package/dist/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AA4BA,wBAAwB;AACxB,MAAM,oBAAoB,GAAG,GAAG,EAAE;IACjC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC;SACxC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACrB,CAAC,CAAC;AAEF,MAAM,qBAAqB,GAAG,KAAK,EAAE,QAAgB,EAAE,EAAE;IACxD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACzD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;SACvD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACrB,CAAC,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,GAAG,EAAE;IAC/B,OAAO;QACN,EAAE,EAAE,OAAO;QAEX,UAAU,EAAE,CAAC,MAAM,EAAE,EAAE;YACtB,OAAO;gBACN,YAAY,EAAE;oBACb,SAAS,EAAE,KAAK,IAAiC,EAAE;wBAClD,MAAM,GAAG,GAAG,MAAM,MAAM,CACvB,sBAAsB,EACtB;4BACC,MAAM,EAAE,KAAK;yBACb,CACD,CAAC;wBACF,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;4BACf,MAAM,IAAI,KAAK,CACd,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,qCAAqC,CAC1D,CAAC;wBACH,CAAC;wBACD,OAAO,GAAG,CAAC,IAA0B,CAAC;oBACvC,CAAC;iBACD;gBACD,MAAM,EAAE;oBACP,KAAK,EAAE,KAAK,EACX,OAA4B,EAC5B,YAAgC,EAC/B,EAAE;wBACH,aAAa;wBACb,iEAAiE;wBACjE,8DAA8D;wBAC9D,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;4BACxB,2DAA2D;4BAC3D,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,gBAAgB,EAAE;gCAC1C,MAAM,EAAE,MAAM;gCACd,IAAI,EAAE,EAAE;gCACR,OAAO,EAAE;oCACR,cAAc,EAAE,OAAO,CAAC,SAAS;iCACjC;gCACD,GAAG,YAAY;6BACf,CAAC,CAAC;4BACH,OAAO,GAAG,CAAC;wBACZ,CAAC;wBAED,kDAAkD;wBAClD,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;wBAEtD,8CAA8C;wBAC9C,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;wBAC5C,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,YAAY,CAAC,CAAC;wBAEhE,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;4BACnC,cAAc,CAAC,OAAO,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;4BACnD,cAAc,CAAC,OAAO,CAAC,qBAAqB,EAAE,YAAY,CAAC,CAAC;wBAC7D,CAAC;wBAED,MAAM,OAAO,GACZ,OAAO,OAAO,KAAK,WAAW;4BAC7B,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B;gCACvC,gCAAgC;4BACjC,CAAC,CAAC,gCAAgC,CAAC;wBAErC,wEAAwE;wBACxE,MAAM,MAAM,GACX,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC7D,MAAM,YAAY,GAAG,OAAO,EAAE,WAAW,IAAI,WAAW,CAAC;wBACzD,MAAM,WAAW,GAAG,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC;4BAClD,CAAC,CAAC,YAAY;4BACd,CAAC,CAAC,GAAG,MAAM,GAAG,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,YAAY,EAAE,EAAE,CAAC;wBAElF,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;4BAClC,YAAY,EAAE,WAAW;4BACzB,aAAa,EAAE,MAAM;4BACrB,KAAK;4BACL,KAAK,EAAE,0BAA0B;4BACjC,cAAc,EAAE,aAAa;4BAC7B,qBAAqB,EAAE,MAAM;yBAC7B,CAAC,CAAC;wBAEH,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;4BACvB,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;wBAC9C,CAAC;wBAED,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;4BACvB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;wBAC7C,CAAC;wBAED,4EAA4E;wBAC5E,MAAM,WAAW,GAAG,GAAG,OAAO,qBAAqB,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;wBAEvE,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;4BACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,WAAW,CAAC;wBACpC,CAAC;wBAED,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;oBAC9B,CAAC;iBACD;gBACD,KAAK,EAAE;oBACN;;;;;;;uBAOG;oBACH,cAAc,EAAE,KAAK,EACpB,YAA6B,EACE,EAAE;wBACjC,wBAAwB;wBACxB,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;wBACxC,IAAI,KAAK,EAAE,CAAC;4BACX,MAAM,gBAAgB,GAAG,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;4BAC/D,MAAM;gCACL,KAAK,EAAE,sBAAsB;gCAC7B,OAAO,EACN,gBAAgB;oCAChB,KAAK;oCACL,kDAAkD;6BAC7B,CAAC;wBACzB,CAAC;wBAED,+BAA+B;wBAC/B,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;wBACtC,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;wBAExC,IAAI,CAAC,IAAI,EAAE,CAAC;4BACX,MAAM;gCACL,KAAK,EAAE,4BAA4B;gCACnC,OAAO,EACN,yEAAyE;6BACpD,CAAC;wBACzB,CAAC;wBAED,mCAAmC;wBACnC,MAAM,UAAU,GACf,OAAO,MAAM,KAAK,WAAW;4BAC5B,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,mBAAmB,CAAC;4BAC7C,CAAC,CAAC,IAAI,CAAC;wBAET,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;4BAC1B,sBAAsB;4BACtB,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;gCACnC,cAAc,CAAC,UAAU,CAAC,mBAAmB,CAAC,CAAC;4BAChD,CAAC;4BAED,MAAM;gCACL,KAAK,EAAE,gBAAgB;gCACvB,OAAO,EACN,uDAAuD;6BAClC,CAAC;wBACzB,CAAC;wBAED,4CAA4C;wBAC5C,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;4BACnC,cAAc,CAAC,UAAU,CAAC,mBAAmB,CAAC,CAAC;wBAChD,CAAC;wBAED,oBAAoB;wBACpB,MAAM,YAAY,GACjB,OAAO,MAAM,KAAK,WAAW;4BAC5B,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,qBAAqB,CAAC,IAAI,SAAS;4BAC5D,CAAC,CAAC,SAAS,CAAC;wBAEd,2CAA2C;wBAC3C,2EAA2E;wBAC3E,IAAI,CAAC;4BACJ,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,oBAAoB,EAAE;gCAClD,MAAM,EAAE,MAAM;gCACd,OAAO,EAAE;oCACR,cAAc,EAAE,kBAAkB;iCAClC;gCACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oCACpB,IAAI;oCACJ,KAAK;oCACL,aAAa,EAAE,YAAY;iCAC3B,CAAC;6BACF,CAAC,CAAC;4BAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gCAClB,IAAI,YAAY,GACf,yDAAyD,CAAC;gCAC3D,IAAI,UAAU,GAAG,uBAAuB,CAAC;gCAEzC,IAAI,CAAC;oCACJ,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAKvC,CAAC;oCACF,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC;oCACjD,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;oCAEnD,wCAAwC;oCACxC,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;wCACvB,IAAI,CAAC;4CACJ,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAG/C,CAAC;4CACF,IAAI,WAAW,CAAC,iBAAiB,EAAE,CAAC;gDACnC,YAAY,GAAG,WAAW,CAAC,iBAAiB,CAAC;4CAC9C,CAAC;4CACD,IAAI,WAAW,CAAC,KAAK,KAAK,gBAAgB,EAAE,CAAC;gDAC5C,UAAU,GAAG,yBAAyB,CAAC;gDACvC,YAAY;oDACX,iEAAiE,CAAC;4CACpE,CAAC;wCACF,CAAC;wCAAC,MAAM,CAAC;4CACR,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC;wCAClC,CAAC;oCACF,CAAC;yCAAM,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;wCAC5B,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC;oCAChC,CAAC;oCAED,YAAY,IAAI,gBAAgB,MAAM,KAAK,QAAQ,GAAG,CAAC;gCACxD,CAAC;gCAAC,MAAM,CAAC;oCACR,4BAA4B;gCAC7B,CAAC;gCAED,MAAM;oCACL,KAAK,EAAE,UAAU;oCACjB,OAAO,EAAE,YAAY;iCACC,CAAC;4BACzB,CAAC;4BAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;4BAC5D,OAAO;gCACN,IAAI,EAAE,IAAI,CAAC,IAAI;gCACf,YAAY,EAAE,IAAI,CAAC,YAAY;gCAC/B,aAAa,EAAE,IAAI,CAAC,aAAa;6BACjC,CAAC;wBACH,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACd,4CAA4C;4BAC5C,IACC,OAAO,GAAG,KAAK,QAAQ;gCACvB,GAAG,KAAK,IAAI;gCACZ,OAAO,IAAI,GAAG;gCACd,SAAS,IAAI,GAAG,EACf,CAAC;gCACF,MAAM,GAAG,CAAC;4BACX,CAAC;4BAED,iCAAiC;4BACjC,MAAM;gCACL,KAAK,EAAE,uBAAuB;gCAC9B,OAAO,EACN,GAAG,YAAY,KAAK;oCACnB,CAAC,CAAC,GAAG,CAAC,OAAO;oCACb,CAAC,CAAC,4BAA4B;6BACV,CAAC;wBACzB,CAAC;oBACF,CAAC;iBACD;aACD,CAAC;QACH,CAAC;KACgC,CAAC;AACpC,CAAC,CAAC"}

package/dist/next/index.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Next.js App Router integration for Sigma Auth
+ * Provides ready-to-use route handlers for OAuth callback
+ */
+interface NextRequest {
+    json(): Promise<unknown>;
+    nextUrl: {
+        origin: string;
+    };
+}
+/**
+ * Configuration for the callback route handler
+ * All values can be set via environment variables
+ */
+export interface CallbackRouteConfig {
+    /** Sigma Auth server URL (default: NEXT_PUBLIC_SIGMA_AUTH_URL or https://auth.sigmaidentity.com) */
+    issuerUrl?: string;
+    /** OAuth client ID (default: NEXT_PUBLIC_SIGMA_CLIENT_ID) */
+    clientId?: string;
+    /** Member private key for signing (default: SIGMA_MEMBER_PRIVATE_KEY env) */
+    memberPrivateKey?: string;
+    /** Callback path (default: /callback) */
+    callbackPath?: string;
+}
+/**
+ * Creates a Next.js POST route handler for OAuth callback
+ * This handler exchanges the authorization code for tokens using bitcoin-auth signature
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/callback/route.ts
+ * import { createCallbackHandler } from "@sigma-auth/better-auth-plugin/next";
+ *
+ * export const runtime = "nodejs";
+ * export const POST = createCallbackHandler();
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // With custom config
+ * import { createCallbackHandler } from "@sigma-auth/better-auth-plugin/next";
+ *
+ * export const runtime = "nodejs";
+ * export const POST = createCallbackHandler({
+ *   callbackPath: "/auth/callback"
+ * });
+ * ```
+ */
+export declare function createCallbackHandler(config?: CallbackRouteConfig): (request: NextRequest) => Promise<Response>;
+/**
+ * Runtime configuration for Next.js route
+ * Set to nodejs to support bitcoin-auth cryptography
+ */
+export declare const runtime = "nodejs";
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/next/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/next/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAOH,UAAU,WAAW;IACpB,IAAI,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IACzB,OAAO,EAAE;QACR,MAAM,EAAE,MAAM,CAAC;KACf,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IACnC,oGAAoG;IACpG,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,yCAAyC;IACzC,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,CAAC,EAAE,mBAAmB,IACnD,SAAS,WAAW,uBA4GlC;AAED;;;GAGG;AACH,eAAO,MAAM,OAAO,WAAW,CAAC"}

package/dist/next/index.js

@@ -0,0 +1,108 @@
+/**
+ * Next.js App Router integration for Sigma Auth
+ * Provides ready-to-use route handlers for OAuth callback
+ */
+import { exchangeCodeForTokens, } from "../server/index.js";
+/**
+ * Creates a Next.js POST route handler for OAuth callback
+ * This handler exchanges the authorization code for tokens using bitcoin-auth signature
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/callback/route.ts
+ * import { createCallbackHandler } from "@sigma-auth/better-auth-plugin/next";
+ *
+ * export const runtime = "nodejs";
+ * export const POST = createCallbackHandler();
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // With custom config
+ * import { createCallbackHandler } from "@sigma-auth/better-auth-plugin/next";
+ *
+ * export const runtime = "nodejs";
+ * export const POST = createCallbackHandler({
+ *   callbackPath: "/auth/callback"
+ * });
+ * ```
+ */
+export function createCallbackHandler(config) {
+    return async (request) => {
+        try {
+            const body = (await request.json());
+            const { code, code_verifier } = body;
+            if (!code) {
+                return Response.json({ error: "Missing authorization code" }, { status: 400 });
+            }
+            // Get configuration from env or config
+            const memberPrivateKey = config?.memberPrivateKey || process.env.SIGMA_MEMBER_PRIVATE_KEY;
+            if (!memberPrivateKey) {
+                console.error("[Sigma OAuth Callback] SIGMA_MEMBER_PRIVATE_KEY not configured");
+                return Response.json({
+                    error: "Server configuration error",
+                    details: "Missing SIGMA_MEMBER_PRIVATE_KEY",
+                }, { status: 500 });
+            }
+            const issuerUrl = config?.issuerUrl ||
+                process.env.NEXT_PUBLIC_SIGMA_AUTH_URL ||
+                "https://auth.sigmaidentity.com";
+            const clientId = config?.clientId || process.env.NEXT_PUBLIC_SIGMA_CLIENT_ID;
+            if (!clientId) {
+                console.error("[Sigma OAuth Callback] NEXT_PUBLIC_SIGMA_CLIENT_ID not configured");
+                return Response.json({ error: "Server configuration error", details: "Missing client ID" }, { status: 500 });
+            }
+            const callbackPath = config?.callbackPath || "/callback";
+            const redirectUri = `${request.nextUrl.origin}${callbackPath}`;
+            console.log("[Sigma OAuth Callback] Exchanging code for tokens:", {
+                issuerUrl,
+                clientId,
+                redirectUri,
+            });
+            const result = await exchangeCodeForTokens({
+                code,
+                redirectUri,
+                clientId,
+                memberPrivateKey,
+                codeVerifier: code_verifier,
+                issuerUrl,
+            });
+            console.log("[Sigma OAuth Callback] Success:", {
+                hasBap: !!result.user.bap,
+                name: result.user.name,
+                bapId: result.user.bap?.idKey?.substring(0, 20) || "none",
+            });
+            return Response.json({
+                user: result.user,
+                access_token: result.access_token,
+                refresh_token: result.refresh_token,
+            });
+        }
+        catch (error) {
+            console.error("[Sigma OAuth Callback] Error:", error);
+            // Check if it's a TokenExchangeError
+            if (error &&
+                typeof error === "object" &&
+                "error" in error &&
+                "endpoint" in error) {
+                const tokenError = error;
+                return Response.json({
+                    error: tokenError.error,
+                    details: tokenError.details,
+                    status: tokenError.status,
+                    endpoint: tokenError.endpoint,
+                }, { status: tokenError.status || 500 });
+            }
+            return Response.json({
+                error: "Internal server error",
+                details: error instanceof Error ? error.message : "Unknown error",
+            }, { status: 500 });
+        }
+    };
+}
+/**
+ * Runtime configuration for Next.js route
+ * Set to nodejs to support bitcoin-auth cryptography
+ */
+export const runtime = "nodejs";
+//# sourceMappingURL=index.js.map

package/dist/next/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/next/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACN,qBAAqB,GAErB,MAAM,oBAAoB,CAAC;AAwB5B;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAA4B;IACjE,OAAO,KAAK,EAAE,OAAoB,EAAE,EAAE;QACrC,IAAI,CAAC;YACJ,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAGjC,CAAC;YACF,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC;YAErC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACX,OAAO,QAAQ,CAAC,IAAI,CACnB,EAAE,KAAK,EAAE,4BAA4B,EAAE,EACvC,EAAE,MAAM,EAAE,GAAG,EAAE,CACf,CAAC;YACH,CAAC;YAED,uCAAuC;YACvC,MAAM,gBAAgB,GACrB,MAAM,EAAE,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;YAClE,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACvB,OAAO,CAAC,KAAK,CACZ,gEAAgE,CAChE,CAAC;gBACF,OAAO,QAAQ,CAAC,IAAI,CACnB;oBACC,KAAK,EAAE,4BAA4B;oBACnC,OAAO,EAAE,kCAAkC;iBAC3C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CACf,CAAC;YACH,CAAC;YAED,MAAM,SAAS,GACd,MAAM,EAAE,SAAS;gBACjB,OAAO,CAAC,GAAG,CAAC,0BAA0B;gBACtC,gCAAgC,CAAC;YAElC,MAAM,QAAQ,GACb,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;YAC7D,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CACZ,mEAAmE,CACnE,CAAC;gBACF,OAAO,QAAQ,CAAC,IAAI,CACnB,EAAE,KAAK,EAAE,4BAA4B,EAAE,OAAO,EAAE,mBAAmB,EAAE,EACrE,EAAE,MAAM,EAAE,GAAG,EAAE,CACf,CAAC;YACH,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,EAAE,YAAY,IAAI,WAAW,CAAC;YACzD,MAAM,WAAW,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,YAAY,EAAE,CAAC;YAE/D,OAAO,CAAC,GAAG,CAAC,oDAAoD,EAAE;gBACjE,SAAS;gBACT,QAAQ;gBACR,WAAW;aACX,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC;gBAC1C,IAAI;gBACJ,WAAW;gBACX,QAAQ;gBACR,gBAAgB;gBAChB,YAAY,EAAE,aAAa;gBAC3B,SAAS;aACT,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE;gBAC9C,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;gBACzB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;gBACtB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM;aACzD,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,IAAI,CAAC;gBACpB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,aAAa,EAAE,MAAM,CAAC,aAAa;aACnC,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;YAEtD,qCAAqC;YACrC,IACC,KAAK;gBACL,OAAO,KAAK,KAAK,QAAQ;gBACzB,OAAO,IAAI,KAAK;gBAChB,UAAU,IAAI,KAAK,EAClB,CAAC;gBACF,MAAM,UAAU,GAAG,KAA2B,CAAC;gBAC/C,OAAO,QAAQ,CAAC,IAAI,CACnB;oBACC,KAAK,EAAE,UAAU,CAAC,KAAK;oBACvB,OAAO,EAAE,UAAU,CAAC,OAAO;oBAC3B,MAAM,EAAE,UAAU,CAAC,MAAM;oBACzB,QAAQ,EAAE,UAAU,CAAC,QAAQ;iBAC7B,EACD,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,GAAG,EAAE,CACpC,CAAC;YACH,CAAC;YAED,OAAO,QAAQ,CAAC,IAAI,CACnB;gBACC,KAAK,EAAE,uBAAuB;gBAC9B,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aACjE,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CACf,CAAC;QACH,CAAC;IACF,CAAC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,QAAQ,CAAC"}

package/dist/provider/index.d.ts

@@ -0,0 +1,64 @@
+import type { Pool } from "@neondatabase/serverless";
+import type { BetterAuthPlugin } from "better-auth";
+/**
+ * Configuration options for the Sigma Auth provider plugin
+ */
+export interface SigmaProviderOptions {
+    /**
+     * Optional BAP (Bitcoin Attestation Protocol) ID resolver
+     * Resolves a Bitcoin pubkey to a BAP ID and registers it
+     * @param pool Database connection pool (implementation-specific)
+     * @param userId User ID in your database
+     * @param pubkey Bitcoin public key
+     * @param register Whether to register the BAP ID
+     * @returns BAP ID or null if not found
+     */
+    resolveBAPId?: (pool: Pool, userId: string, pubkey: string, register: boolean) => Promise<string | null>;
+    /**
+     * Optional database pool getter
+     * Returns a database connection pool for BAP ID resolution
+     */
+    getPool?: () => Pool;
+    /**
+     * Optional cache implementation for BAP ID caching and OAuth consent state
+     * Should provide get/set/delete methods for key-value storage
+     * The set method should accept an optional options object for TTL configuration
+     */
+    cache?: {
+        get: <T = unknown>(key: string) => Promise<T | null>;
+        set: (key: string, value: unknown, options?: {
+            ex?: number;
+        }) => Promise<void>;
+        delete?: (key: string) => Promise<void>;
+    };
+    /**
+     * Enable subscription tier support
+     * Adds subscriptionTier field to user and session
+     * @default false
+     */
+    enableSubscription?: boolean;
+}
+/**
+ * Sigma Auth provider plugin for Better Auth
+ * This is the OAuth provider that runs on auth.sigmaidentity.com
+ *
+ * @example
+ * ```typescript
+ * import { betterAuth } from "better-auth";
+ * import { sigmaProvider } from "@sigma-auth/better-auth-plugin/provider";
+ *
+ * export const auth = betterAuth({
+ *   plugins: [
+ *     sigmaProvider({
+ *       getPool: () => dbPool,
+ *       cache: redisCache,
+ *       resolveBAPId: async (pool, userId, pubkey, register) => {
+ *         // Custom BAP ID resolution logic
+ *       },
+ *     }),
+ *   ],
+ * });
+ * ```
+ */
+export declare const sigmaProvider: (options?: SigmaProviderOptions) => BetterAuthPlugin;
+//# sourceMappingURL=index.d.ts.map

package/dist/provider/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/provider/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAQ,MAAM,aAAa,CAAC;AAoB1D;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,CACd,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,OAAO,KACb,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAE5B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IAErB;;;;OAIG;IACH,KAAK,CAAC,EAAE;QACP,GAAG,EAAE,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QACrD,GAAG,EAAE,CACJ,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,OAAO,EACd,OAAO,CAAC,EAAE;YAAE,EAAE,CAAC,EAAE,MAAM,CAAA;SAAE,KACrB,OAAO,CAAC,IAAI,CAAC,CAAC;QACnB,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KACxC,CAAC;IAEF;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,aAAa,GACzB,UAAU,oBAAoB,KAC5B,gBA25BD,CAAC"}