@sigma-auth/better-auth-plugin 0.0.26 → 0.0.27

package/README.md

@@ -17,6 +17,7 @@ This package provides multiple entry points for different use cases:
 - **`/client`** - Browser-side OAuth client with PKCE
 - **`/server`** - Server-side utilities for token exchange
 - **`/next`** - Next.js API route handlers
+- **`/payload`** - Payload CMS integration with session management
 - **`/provider`** - Better Auth server plugin for OIDC provider
 
 ## Architecture
@@ -233,6 +234,103 @@ const { data: session } = useSession();
 
 This requires setting up Better Auth server with the Sigma provider plugin on your domain.
 
+## Payload CMS Integration
+
+For Payload CMS apps using [payload-auth](https://github.com/b-open-io/payload-auth), the `/payload` entry point provides a callback handler that automatically:
+
+1. Exchanges the authorization code for tokens
+2. Finds or creates a user in your Payload users collection
+3. Creates a better-auth session in Payload's sessions collection
+4. Sets the session cookie
+
+### Setup
+
+```typescript
+// app/api/auth/sigma/callback/route.ts
+import configPromise from "@payload-config";
+import { createPayloadCallbackHandler } from "@sigma-auth/better-auth-plugin/payload";
+
+export const runtime = "nodejs";
+export const POST = createPayloadCallbackHandler({ configPromise });
+```
+
+### Custom User Creation
+
+Override the default user creation to add custom fields:
+
+```typescript
+export const POST = createPayloadCallbackHandler({
+  configPromise,
+  createUser: async (payload, sigmaUser) => {
+    return payload.create({
+      collection: "users",
+      data: {
+        email: sigmaUser.email || `${sigmaUser.sub}@sigma.identity`,
+        name: sigmaUser.name || sigmaUser.sub,
+        emailVerified: true,
+        role: ["subscriber"], // Custom role
+        bapId: sigmaUser.bap_id,
+        pubkey: sigmaUser.pubkey,
+      },
+    });
+  },
+});
+```
+
+### Configuration Options
+
+```typescript
+interface PayloadCallbackConfig {
+  /** Payload config promise (required) */
+  configPromise: Promise<unknown>;
+
+  /** Sigma Auth server URL (default: NEXT_PUBLIC_SIGMA_AUTH_URL) */
+  issuerUrl?: string;
+
+  /** OAuth client ID (default: NEXT_PUBLIC_SIGMA_CLIENT_ID) */
+  clientId?: string;
+
+  /** Member private key (default: SIGMA_MEMBER_PRIVATE_KEY env) */
+  memberPrivateKey?: string;
+
+  /** Callback path (default: /auth/sigma/callback) */
+  callbackPath?: string;
+
+  /** Users collection slug (default: "users") */
+  usersCollection?: string;
+
+  /** Sessions collection slug (default: "sessions") */
+  sessionsCollection?: string;
+
+  /** Session cookie name (default: "better-auth.session_token") */
+  sessionCookieName?: string;
+
+  /** Session duration in ms (default: 30 days) */
+  sessionDuration?: number;
+
+  /** Custom user creation handler */
+  createUser?: (payload, sigmaUser) => Promise<{ id: string | number }>;
+
+  /** Custom user lookup handler */
+  findUser?: (payload, sigmaUser) => Promise<{ id: string | number } | null>;
+}
+```
+
+### Response
+
+The callback returns `PayloadCallbackResult`:
+
+```typescript
+{
+  user: SigmaUserInfo;        // Sigma identity data
+  access_token: string;       // Access token
+  id_token: string;           // OIDC ID token
+  refresh_token?: string;     // Refresh token (if issued)
+  payloadUserId: string;      // Local Payload user ID
+  isNewUser: boolean;         // True if user was just created
+}
+```
+
 ## Server Plugin (Auth Provider)
 
 For building your own Sigma Identity server:

package/dist/payload/index.d.ts

@@ -0,0 +1,138 @@
+/**
+ * Payload CMS integration for Sigma Auth
+ * Provides callback handler that creates local better-auth sessions for Payload
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/sigma/callback/route.ts
+ * import configPromise from "@payload-config";
+ * import { createPayloadCallbackHandler } from "@sigma-auth/better-auth-plugin/payload";
+ *
+ * export const POST = createPayloadCallbackHandler({ configPromise });
+ * ```
+ */
+import { type TokenExchangeResult } from "../server/index.js";
+/**
+ * Next.js request interface (minimal typing for compatibility)
+ */
+interface NextRequest {
+    json(): Promise<unknown>;
+    url: string;
+    headers: Headers;
+}
+/**
+ * Payload instance with better-auth (from payload-auth)
+ */
+interface PayloadWithBetterAuth {
+    find: (args: {
+        collection: string;
+        where: Record<string, unknown>;
+        limit: number;
+    }) => Promise<{
+        docs: Array<{
+            id: number | string;
+        }>;
+    }>;
+    create: (args: {
+        collection: string;
+        data: Record<string, unknown>;
+    }) => Promise<{
+        id: number | string;
+    }>;
+}
+/**
+ * Configuration for the Payload callback handler
+ */
+export interface PayloadCallbackConfig {
+    /**
+     * Payload config promise (import configPromise from "@payload-config")
+     * Will be used to get the Payload instance via getPayloadAuth
+     */
+    configPromise: Promise<unknown>;
+    /**
+     * Function to get the Payload instance with better-auth
+     * If not provided, will dynamically import from payload-auth/better-auth
+     */
+    getPayloadAuth?: (config: Promise<unknown>) => Promise<PayloadWithBetterAuth>;
+    /** Sigma Auth server URL (default: NEXT_PUBLIC_SIGMA_AUTH_URL or https://auth.sigmaidentity.com) */
+    issuerUrl?: string;
+    /** OAuth client ID (default: NEXT_PUBLIC_SIGMA_CLIENT_ID) */
+    clientId?: string;
+    /** Member private key for signing (default: SIGMA_MEMBER_PRIVATE_KEY env) */
+    memberPrivateKey?: string;
+    /** Callback path (default: /auth/sigma/callback) */
+    callbackPath?: string;
+    /** Users collection slug (default: "users") */
+    usersCollection?: string;
+    /** Sessions collection slug (default: "sessions") */
+    sessionsCollection?: string;
+    /** Session cookie name (default: "better-auth.session_token") */
+    sessionCookieName?: string;
+    /** Session duration in milliseconds (default: 30 days) */
+    sessionDuration?: number;
+    /**
+     * Custom user creation handler
+     * Override to customize how users are created from Sigma identity
+     */
+    createUser?: (payload: PayloadWithBetterAuth, sigmaUser: TokenExchangeResult["user"]) => Promise<{
+        id: number | string;
+    }>;
+    /**
+     * Custom user lookup handler
+     * Override to customize how existing users are found
+     */
+    findUser?: (payload: PayloadWithBetterAuth, sigmaUser: TokenExchangeResult["user"]) => Promise<{
+        id: number | string;
+    } | null>;
+}
+/**
+ * Result returned from the callback handler
+ */
+export interface PayloadCallbackResult extends TokenExchangeResult {
+    /** The Payload user ID that was created or found */
+    payloadUserId: string;
+    /** Whether a new user was created */
+    isNewUser: boolean;
+}
+/**
+ * Creates a Next.js POST route handler for Sigma OAuth callback with Payload session creation
+ *
+ * This handler:
+ * 1. Exchanges the authorization code for tokens
+ * 2. Finds or creates a user in Payload
+ * 3. Creates a better-auth session in Payload's sessions collection
+ * 4. Sets the session cookie
+ * 5. Returns the tokens and user data
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/sigma/callback/route.ts
+ * import configPromise from "@payload-config";
+ * import { createPayloadCallbackHandler } from "@sigma-auth/better-auth-plugin/payload";
+ *
+ * export const POST = createPayloadCallbackHandler({ configPromise });
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // With custom user creation
+ * export const POST = createPayloadCallbackHandler({
+ *   configPromise,
+ *   createUser: async (payload, sigmaUser) => {
+ *     return payload.create({
+ *       collection: "users",
+ *       data: {
+ *         email: sigmaUser.email,
+ *         name: sigmaUser.name,
+ *         emailVerified: true,
+ *         role: ["subscriber"], // Custom role
+ *         bapId: sigmaUser.bap_id,
+ *       },
+ *     });
+ *   },
+ * });
+ * ```
+ */
+export declare function createPayloadCallbackHandler(config: PayloadCallbackConfig): (request: NextRequest) => Promise<Response>;
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/payload/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/payload/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAGN,KAAK,mBAAmB,EACxB,MAAM,oBAAoB,CAAC;AAE5B;;GAEG;AACH,UAAU,WAAW;IACpB,IAAI,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,OAAO,CAAC;CACjB;AAED;;GAEG;AACH,UAAU,qBAAqB;IAC9B,IAAI,EAAE,CAAC,IAAI,EAAE;QACZ,UAAU,EAAE,MAAM,CAAC;QACnB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC/B,KAAK,EAAE,MAAM,CAAC;KACd,KAAK,OAAO,CAAC;QAAE,IAAI,EAAE,KAAK,CAAC;YAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC,CAAC;IACxD,MAAM,EAAE,CAAC,IAAI,EAAE;QACd,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAC9B,KAAK,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC,CAAC;CACvC;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACrC;;;OAGG;IACH,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhC;;;OAGG;IACH,cAAc,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAE9E,oGAAoG;IACpG,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,6EAA6E;IAC7E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,oDAAoD;IACpD,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,+CAA+C;IAC/C,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,qDAAqD;IACrD,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,iEAAiE;IACjE,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,0DAA0D;IAC1D,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB;;;OAGG;IACH,UAAU,CAAC,EAAE,CACZ,OAAO,EAAE,qBAAqB,EAC9B,SAAS,EAAE,mBAAmB,CAAC,MAAM,CAAC,KAClC,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC,CAAC;IAEtC;;;OAGG;IACH,QAAQ,CAAC,EAAE,CACV,OAAO,EAAE,qBAAqB,EAC9B,SAAS,EAAE,mBAAmB,CAAC,MAAM,CAAC,KAClC,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,qBAAsB,SAAQ,mBAAmB;IACjE,oDAAoD;IACpD,aAAa,EAAE,MAAM,CAAC;IACtB,qCAAqC;IACrC,SAAS,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,qBAAqB,IAC3D,SAAS,WAAW,uBAsPlC"}

package/dist/payload/index.js

@@ -0,0 +1,252 @@
+/**
+ * Payload CMS integration for Sigma Auth
+ * Provides callback handler that creates local better-auth sessions for Payload
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/sigma/callback/route.ts
+ * import configPromise from "@payload-config";
+ * import { createPayloadCallbackHandler } from "@sigma-auth/better-auth-plugin/payload";
+ *
+ * export const POST = createPayloadCallbackHandler({ configPromise });
+ * ```
+ */
+import { exchangeCodeForTokens, } from "../server/index.js";
+/**
+ * Creates a Next.js POST route handler for Sigma OAuth callback with Payload session creation
+ *
+ * This handler:
+ * 1. Exchanges the authorization code for tokens
+ * 2. Finds or creates a user in Payload
+ * 3. Creates a better-auth session in Payload's sessions collection
+ * 4. Sets the session cookie
+ * 5. Returns the tokens and user data
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/sigma/callback/route.ts
+ * import configPromise from "@payload-config";
+ * import { createPayloadCallbackHandler } from "@sigma-auth/better-auth-plugin/payload";
+ *
+ * export const POST = createPayloadCallbackHandler({ configPromise });
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // With custom user creation
+ * export const POST = createPayloadCallbackHandler({
+ *   configPromise,
+ *   createUser: async (payload, sigmaUser) => {
+ *     return payload.create({
+ *       collection: "users",
+ *       data: {
+ *         email: sigmaUser.email,
+ *         name: sigmaUser.name,
+ *         emailVerified: true,
+ *         role: ["subscriber"], // Custom role
+ *         bapId: sigmaUser.bap_id,
+ *       },
+ *     });
+ *   },
+ * });
+ * ```
+ */
+export function createPayloadCallbackHandler(config) {
+    return async (request) => {
+        try {
+            const body = (await request.json());
+            const { code, code_verifier } = body;
+            if (!code) {
+                return Response.json({ error: "Missing authorization code" }, { status: 400 });
+            }
+            // Get configuration from env or config
+            const memberPrivateKey = config.memberPrivateKey || process.env.SIGMA_MEMBER_PRIVATE_KEY;
+            if (!memberPrivateKey) {
+                console.error("[Sigma Payload Callback] SIGMA_MEMBER_PRIVATE_KEY not configured");
+                return Response.json({
+                    error: "Server configuration error",
+                    details: "Missing SIGMA_MEMBER_PRIVATE_KEY",
+                }, { status: 500 });
+            }
+            const issuerUrl = config.issuerUrl ||
+                process.env.NEXT_PUBLIC_SIGMA_AUTH_URL ||
+                "https://auth.sigmaidentity.com";
+            const clientId = config.clientId || process.env.NEXT_PUBLIC_SIGMA_CLIENT_ID;
+            if (!clientId) {
+                console.error("[Sigma Payload Callback] NEXT_PUBLIC_SIGMA_CLIENT_ID not configured");
+                return Response.json({ error: "Server configuration error", details: "Missing client ID" }, { status: 500 });
+            }
+            const callbackPath = config.callbackPath || "/auth/sigma/callback";
+            // Determine origin from headers or env
+            let origin = process.env.NEXT_PUBLIC_SERVER_URL;
+            if (!origin) {
+                const forwardedHost = request.headers.get("x-forwarded-host");
+                const forwardedProto = request.headers.get("x-forwarded-proto") || "https";
+                if (forwardedHost) {
+                    origin = `${forwardedProto}://${forwardedHost}`;
+                }
+                else {
+                    origin = new URL(request.url).origin;
+                }
+            }
+            const redirectUri = `${origin}${callbackPath}`;
+            console.log("[Sigma Payload Callback] Exchanging code for tokens:", {
+                issuerUrl,
+                clientId,
+                redirectUri,
+            });
+            // Exchange authorization code for tokens
+            const result = await exchangeCodeForTokens({
+                code,
+                redirectUri,
+                clientId,
+                memberPrivateKey,
+                codeVerifier: code_verifier,
+                issuerUrl,
+            });
+            console.log("[Sigma Payload Callback] Token exchange success:", {
+                hasBap: !!result.user.bap,
+                name: result.user.name,
+                bapId: result.user.bap_id?.substring(0, 20) || "none",
+            });
+            // Get Payload instance
+            let payload;
+            if (config.getPayloadAuth) {
+                payload = await config.getPayloadAuth(config.configPromise);
+            }
+            else {
+                // Dynamic import to avoid hard dependency
+                // @ts-expect-error - payload-auth is an optional peer dependency
+                const mod = await import("payload-auth/better-auth");
+                payload = await mod.getPayloadAuth(config.configPromise);
+            }
+            const usersCollection = config.usersCollection || "users";
+            const sessionsCollection = config.sessionsCollection || "sessions";
+            // Find or create user
+            let userId;
+            let isNewUser = false;
+            if (config.findUser) {
+                const existingUser = await config.findUser(payload, result.user);
+                if (existingUser) {
+                    userId = String(existingUser.id);
+                }
+                else if (config.createUser) {
+                    const newUser = await config.createUser(payload, result.user);
+                    userId = String(newUser.id);
+                    isNewUser = true;
+                }
+                else {
+                    // Default user creation
+                    const email = result.user.email || `${result.user.sub}@sigma.identity`;
+                    const newUser = await payload.create({
+                        collection: usersCollection,
+                        data: {
+                            email,
+                            name: result.user.name || result.user.sub,
+                            emailVerified: true,
+                            role: ["user"],
+                        },
+                    });
+                    userId = String(newUser.id);
+                    isNewUser = true;
+                }
+            }
+            else {
+                // Default user lookup by email
+                const email = result.user.email || `${result.user.sub}@sigma.identity`;
+                const users = await payload.find({
+                    collection: usersCollection,
+                    where: { email: { equals: email } },
+                    limit: 1,
+                });
+                const existingUser = users.docs[0];
+                if (existingUser) {
+                    userId = String(existingUser.id);
+                }
+                else if (config.createUser) {
+                    const newUser = await config.createUser(payload, result.user);
+                    userId = String(newUser.id);
+                    isNewUser = true;
+                }
+                else {
+                    // Default user creation
+                    const newUser = await payload.create({
+                        collection: usersCollection,
+                        data: {
+                            email,
+                            name: result.user.name || result.user.sub,
+                            emailVerified: true,
+                            role: ["user"],
+                        },
+                    });
+                    userId = String(newUser.id);
+                    isNewUser = true;
+                }
+            }
+            console.log("[Sigma Payload Callback]", isNewUser ? "Created new user:" : "Found existing user:", userId);
+            // Create session
+            const sessionToken = crypto.randomUUID();
+            const sessionDuration = config.sessionDuration || 30 * 24 * 60 * 60 * 1000; // 30 days
+            const expiresAt = new Date(Date.now() + sessionDuration);
+            await payload.create({
+                collection: sessionsCollection,
+                data: {
+                    token: sessionToken,
+                    user: Number(userId),
+                    expiresAt: expiresAt.toISOString(),
+                    ipAddress: request.headers.get("x-forwarded-for") || undefined,
+                    userAgent: request.headers.get("user-agent") || undefined,
+                },
+            });
+            // Set session cookie using dynamic import to avoid hard dependency on next/headers
+            const sessionCookieName = config.sessionCookieName || "better-auth.session_token";
+            try {
+                // @ts-expect-error - next/headers is only available in Next.js route handlers
+                const mod = await import("next/headers");
+                const cookieStore = await mod.cookies();
+                cookieStore.set(sessionCookieName, sessionToken, {
+                    httpOnly: true,
+                    secure: process.env.NODE_ENV === "production",
+                    sameSite: "lax",
+                    path: "/",
+                    expires: expiresAt,
+                });
+            }
+            catch {
+                // Fallback: set cookie via response header if next/headers not available
+                // This shouldn't happen in Next.js route handlers but provides fallback
+                console.warn("[Sigma Payload Callback] Could not set cookie via next/headers");
+            }
+            console.log("[Sigma Payload Callback] Session created for user:", userId);
+            return Response.json({
+                user: result.user,
+                access_token: result.access_token,
+                id_token: result.id_token,
+                refresh_token: result.refresh_token,
+                payloadUserId: userId,
+                isNewUser,
+            });
+        }
+        catch (error) {
+            console.error("[Sigma Payload Callback] Error:", error);
+            // Check if it's a TokenExchangeError
+            if (error &&
+                typeof error === "object" &&
+                "error" in error &&
+                "endpoint" in error) {
+                const tokenError = error;
+                return Response.json({
+                    error: tokenError.error,
+                    details: tokenError.details,
+                    status: tokenError.status,
+                    endpoint: tokenError.endpoint,
+                }, { status: tokenError.status || 500 });
+            }
+            return Response.json({
+                error: "Internal server error",
+                details: error instanceof Error ? error.message : "Unknown error",
+            }, { status: 500 });
+        }
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/payload/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/payload/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EACN,qBAAqB,GAGrB,MAAM,oBAAoB,CAAC;AA+F5B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,MAAM,UAAU,4BAA4B,CAAC,MAA6B;IACzE,OAAO,KAAK,EAAE,OAAoB,EAAE,EAAE;QACrC,IAAI,CAAC;YACJ,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAGjC,CAAC;YACF,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC;YAErC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACX,OAAO,QAAQ,CAAC,IAAI,CACnB,EAAE,KAAK,EAAE,4BAA4B,EAAE,EACvC,EAAE,MAAM,EAAE,GAAG,EAAE,CACf,CAAC;YACH,CAAC;YAED,uCAAuC;YACvC,MAAM,gBAAgB,GACrB,MAAM,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;YACjE,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACvB,OAAO,CAAC,KAAK,CACZ,kEAAkE,CAClE,CAAC;gBACF,OAAO,QAAQ,CAAC,IAAI,CACnB;oBACC,KAAK,EAAE,4BAA4B;oBACnC,OAAO,EAAE,kCAAkC;iBAC3C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CACf,CAAC;YACH,CAAC;YAED,MAAM,SAAS,GACd,MAAM,CAAC,SAAS;gBAChB,OAAO,CAAC,GAAG,CAAC,0BAA0B;gBACtC,gCAAgC,CAAC;YAElC,MAAM,QAAQ,GACb,MAAM,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;YAC5D,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CACZ,qEAAqE,CACrE,CAAC;gBACF,OAAO,QAAQ,CAAC,IAAI,CACnB,EAAE,KAAK,EAAE,4BAA4B,EAAE,OAAO,EAAE,mBAAmB,EAAE,EACrE,EAAE,MAAM,EAAE,GAAG,EAAE,CACf,CAAC;YACH,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI,sBAAsB,CAAC;YAEnE,uCAAuC;YACvC,IAAI,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;YAChD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACb,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;gBAC9D,MAAM,cAAc,GACnB,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC;gBACrD,IAAI,aAAa,EAAE,CAAC;oBACnB,MAAM,GAAG,GAAG,cAAc,MAAM,aAAa,EAAE,CAAC;gBACjD,CAAC;qBAAM,CAAC;oBACP,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;gBACtC,CAAC;YACF,CAAC;YACD,MAAM,WAAW,GAAG,GAAG,MAAM,GAAG,YAAY,EAAE,CAAC;YAE/C,OAAO,CAAC,GAAG,CAAC,sDAAsD,EAAE;gBACnE,SAAS;gBACT,QAAQ;gBACR,WAAW;aACX,CAAC,CAAC;YAEH,yCAAyC;YACzC,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC;gBAC1C,IAAI;gBACJ,WAAW;gBACX,QAAQ;gBACR,gBAAgB;gBAChB,YAAY,EAAE,aAAa;gBAC3B,SAAS;aACT,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,kDAAkD,EAAE;gBAC/D,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;gBACzB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;gBACtB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM;aACrD,CAAC,CAAC;YAEH,uBAAuB;YACvB,IAAI,OAA8B,CAAC;YACnC,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC3B,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAC7D,CAAC;iBAAM,CAAC;gBACP,0CAA0C;gBAC1C,iEAAiE;gBACjE,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;gBACrD,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAC1D,CAAC;YAED,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,OAAO,CAAC;YAC1D,MAAM,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,IAAI,UAAU,CAAC;YAEnE,sBAAsB;YACtB,IAAI,MAAc,CAAC;YACnB,IAAI,SAAS,GAAG,KAAK,CAAC;YAEtB,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACrB,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;gBACjE,IAAI,YAAY,EAAE,CAAC;oBAClB,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;gBAClC,CAAC;qBAAM,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;oBAC9B,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;oBAC9D,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;oBAC5B,SAAS,GAAG,IAAI,CAAC;gBAClB,CAAC;qBAAM,CAAC;oBACP,wBAAwB;oBACxB,MAAM,KAAK,GACV,MAAM,CAAC,IAAI,CAAC,KAAK,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC;oBAC1D,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC;wBACpC,UAAU,EAAE,eAAe;wBAC3B,IAAI,EAAE;4BACL,KAAK;4BACL,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG;4BACzC,aAAa,EAAE,IAAI;4BACnB,IAAI,EAAE,CAAC,MAAM,CAAC;yBACd;qBACD,CAAC,CAAC;oBACH,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;oBAC5B,SAAS,GAAG,IAAI,CAAC;gBAClB,CAAC;YACF,CAAC;iBAAM,CAAC;gBACP,+BAA+B;gBAC/B,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC;gBACvE,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;oBAChC,UAAU,EAAE,eAAe;oBAC3B,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE;oBACnC,KAAK,EAAE,CAAC;iBACR,CAAC,CAAC;gBAEH,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACnC,IAAI,YAAY,EAAE,CAAC;oBAClB,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;gBAClC,CAAC;qBAAM,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;oBAC9B,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;oBAC9D,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;oBAC5B,SAAS,GAAG,IAAI,CAAC;gBAClB,CAAC;qBAAM,CAAC;oBACP,wBAAwB;oBACxB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC;wBACpC,UAAU,EAAE,eAAe;wBAC3B,IAAI,EAAE;4BACL,KAAK;4BACL,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG;4BACzC,aAAa,EAAE,IAAI;4BACnB,IAAI,EAAE,CAAC,MAAM,CAAC;yBACd;qBACD,CAAC,CAAC;oBACH,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;oBAC5B,SAAS,GAAG,IAAI,CAAC;gBAClB,CAAC;YACF,CAAC;YAED,OAAO,CAAC,GAAG,CACV,0BAA0B,EAC1B,SAAS,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,sBAAsB,EACxD,MAAM,CACN,CAAC;YAEF,iBAAiB;YACjB,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YACzC,MAAM,eAAe,GACpB,MAAM,CAAC,eAAe,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;YAC/D,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC,CAAC;YAEzD,MAAM,OAAO,CAAC,MAAM,CAAC;gBACpB,UAAU,EAAE,kBAAkB;gBAC9B,IAAI,EAAE;oBACL,KAAK,EAAE,YAAY;oBACnB,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;oBACpB,SAAS,EAAE,SAAS,CAAC,WAAW,EAAE;oBAClC,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,SAAS;oBAC9D,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,SAAS;iBACzD;aACD,CAAC,CAAC;YAEH,mFAAmF;YACnF,MAAM,iBAAiB,GACtB,MAAM,CAAC,iBAAiB,IAAI,2BAA2B,CAAC;YACzD,IAAI,CAAC;gBACJ,8EAA8E;gBAC9E,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;gBACzC,MAAM,WAAW,GAAG,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC;gBACxC,WAAW,CAAC,GAAG,CAAC,iBAAiB,EAAE,YAAY,EAAE;oBAChD,QAAQ,EAAE,IAAI;oBACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;oBAC7C,QAAQ,EAAE,KAAK;oBACf,IAAI,EAAE,GAAG;oBACT,OAAO,EAAE,SAAS;iBAClB,CAAC,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACR,yEAAyE;gBACzE,wEAAwE;gBACxE,OAAO,CAAC,IAAI,CACX,gEAAgE,CAChE,CAAC;YACH,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,oDAAoD,EAAE,MAAM,CAAC,CAAC;YAE1E,OAAO,QAAQ,CAAC,IAAI,CAAC;gBACpB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,aAAa,EAAE,MAAM,CAAC,aAAa;gBACnC,aAAa,EAAE,MAAM;gBACrB,SAAS;aACuB,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAC;YAExD,qCAAqC;YACrC,IACC,KAAK;gBACL,OAAO,KAAK,KAAK,QAAQ;gBACzB,OAAO,IAAI,KAAK;gBAChB,UAAU,IAAI,KAAK,EAClB,CAAC;gBACF,MAAM,UAAU,GAAG,KAA2B,CAAC;gBAC/C,OAAO,QAAQ,CAAC,IAAI,CACnB;oBACC,KAAK,EAAE,UAAU,CAAC,KAAK;oBACvB,OAAO,EAAE,UAAU,CAAC,OAAO;oBAC3B,MAAM,EAAE,UAAU,CAAC,MAAM;oBACzB,QAAQ,EAAE,UAAU,CAAC,QAAQ;iBAC7B,EACD,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,GAAG,EAAE,CACpC,CAAC;YACH,CAAC;YAED,OAAO,QAAQ,CAAC,IAAI,CACnB;gBACC,KAAK,EAAE,uBAAuB;gBAC9B,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aACjE,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CACf,CAAC;QACH,CAAC;IACF,CAAC,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@sigma-auth/better-auth-plugin",
-	"version": "0.0.26",
+	"version": "0.0.27",
 	"description": "Better Auth plugins for Sigma Identity - client, server, and provider integrations",
 	"type": "module",
 	"main": "./dist/types/index.js",
@@ -22,6 +22,10 @@
 			"types": "./dist/next/index.d.ts",
 			"import": "./dist/next/index.js"
 		},
+		"./payload": {
+			"types": "./dist/payload/index.d.ts",
+			"import": "./dist/payload/index.js"
+		},
 		"./provider": {
 			"types": "./dist/provider/index.d.ts",
 			"import": "./dist/provider/index.js"
@@ -62,6 +66,7 @@
 		"better-auth": "^1.4.5",
 		"@bsv/sdk": "^1.9.9",
 		"@neondatabase/serverless": "^1.0.2",
+		"payload-auth": "^0.6.0",
 		"zod": "^4.1.12"
 	},
 	"peerDependenciesMeta": {
@@ -71,6 +76,9 @@
 		"@neondatabase/serverless": {
 			"optional": true
 		},
+		"payload-auth": {
+			"optional": true
+		},
 		"zod": {
 			"optional": true
 		}