@soulcraft/sdk 1.0.0

package/dist/modules/auth/config.js

@@ -0,0 +1,158 @@
+/**
+ * @module modules/auth/config
+ * @description Shared constants, utilities, and environment helpers for Soulcraft
+ * platform authentication.
+ *
+ * Provides ONLY well-typed shared values — no `betterAuth()` wrappers. Each product
+ * (Workshop, Venue, Academy) assembles its own fully-typed `betterAuth()` configuration
+ * using these constants and utilities, keeping TypeScript inference intact end-to-end.
+ *
+ * ## Why no config factory functions?
+ *
+ * A factory returning a broad object type loses compile-time safety when passed to
+ * `betterAuth()`. The correct boundary is:
+ * - **This module** → exports typed field definitions, session config, and pure utilities
+ * - **Each product** → imports those exports and constructs its own `betterAuth()` call
+ *
+ * This absorbs and replaces `@soulcraft/auth/config`, which is deprecated.
+ *
+ * @example Workshop auth setup
+ * ```typescript
+ * import { betterAuth } from 'better-auth'
+ * import {
+ *   SOULCRAFT_USER_FIELDS,
+ *   SOULCRAFT_SESSION_CONFIG,
+ *   computeEmailHash,
+ * } from '@soulcraft/sdk/server'
+ *
+ * export const auth = betterAuth({
+ *   database: new Database('./auth.db'),
+ *   secret: process.env.BETTER_AUTH_SECRET!,
+ *   session: SOULCRAFT_SESSION_CONFIG,
+ *   user: { additionalFields: SOULCRAFT_USER_FIELDS },
+ *   databaseHooks: {
+ *     user: { create: { before: async (user) => ({
+ *       data: { ...user, emailHash: computeEmailHash(user.email), platformRole: 'creator' }
+ *     })}}
+ *   },
+ * })
+ * ```
+ */
+import { createHash } from 'node:crypto';
+// ─────────────────────────────────────────────────────────────────────────────
+// Shared additional user fields
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Additional fields to register on the better-auth `user` table.
+ *
+ * Pass to `betterAuth({ user: { additionalFields: SOULCRAFT_USER_FIELDS } })`.
+ *
+ * `emailHash` must be populated at user-creation time via a
+ * `databaseHooks.user.create.before` hook. `platformRole` defaults to `'creator'`
+ * for Workshop; products override this in their own hook.
+ */
+export const SOULCRAFT_USER_FIELDS = {
+    platformRole: {
+        type: 'string',
+        required: false,
+        defaultValue: 'creator',
+    },
+    emailHash: {
+        type: 'string',
+        required: false,
+        defaultValue: '',
+    },
+};
+// ─────────────────────────────────────────────────────────────────────────────
+// Shared session configuration
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Session lifetime configuration shared across all Soulcraft products.
+ *
+ * Pass to `betterAuth({ session: SOULCRAFT_SESSION_CONFIG })`.
+ *
+ * - Sessions are valid for 30 days from issuance
+ * - Silently refreshed after 24 hours of activity, resetting the 30-day window
+ */
+export const SOULCRAFT_SESSION_CONFIG = {
+    expiresIn: 30 * 24 * 60 * 60,
+    updateAge: 24 * 60 * 60,
+};
+// ─────────────────────────────────────────────────────────────────────────────
+// Pure utility functions
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Compute the SHA-256 hex digest of a canonical email address.
+ *
+ * The email is lower-cased and trimmed before hashing to ensure the same
+ * input always yields the same digest regardless of capitalisation or whitespace.
+ *
+ * Stored as `emailHash` on the user record. Used by Workshop to deterministically
+ * locate the user's Brainy data directory without exposing the raw email in paths.
+ *
+ * @param email - Raw email address (any case, may have leading/trailing whitespace).
+ * @returns 64-character lowercase hex SHA-256 digest.
+ *
+ * @example
+ * computeEmailHash('Alice@Example.COM') === computeEmailHash('alice@example.com') // true
+ * computeEmailHash('alice@example.com')
+ * // → 'b4c9a289522dd28a04617a41d7b14cf18d43d06febe513d9e27b5da67c17e52e'
+ */
+export function computeEmailHash(email) {
+    return createHash('sha256')
+        .update(email.toLowerCase().trim())
+        .digest('hex');
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// SSO / OIDC environment helpers
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Determine the authentication mode from environment variables.
+ *
+ * - `'standalone'`  — each product runs its own better-auth instance with a local
+ *   SQLite database. No cross-product SSO. Default before `auth.soulcraft.com` is live.
+ * - `'oidc-client'` — set `SOULCRAFT_IDP_URL` to activate. The product's better-auth
+ *   instance delegates all authentication to the central IdP.
+ *
+ * @returns The current auth mode derived from `SOULCRAFT_IDP_URL`.
+ */
+export function getAuthMode() {
+    return process.env['SOULCRAFT_IDP_URL'] ? 'oidc-client' : 'standalone';
+}
+/**
+ * Read OIDC client configuration from environment variables.
+ *
+ * Returns `null` in standalone mode (when `SOULCRAFT_IDP_URL` is unset).
+ * Throws with a descriptive message if the URL is set but required variables
+ * are missing — prevents silent misconfiguration.
+ *
+ * | Variable                     | Required | Description                             |
+ * |------------------------------|----------|-----------------------------------------|
+ * | `SOULCRAFT_IDP_URL`          | Yes      | Central IdP base URL                    |
+ * | `SOULCRAFT_OIDC_CLIENT_ID`   | Yes      | This product's registered client ID     |
+ * | `SOULCRAFT_OIDC_CLIENT_SECRET` | Yes    | This product's registered client secret |
+ * | `SOULCRAFT_OIDC_REDIRECT_URI`  | No     | Deprecated — auto-derived from BETTER_AUTH_URL |
+ *
+ * @returns OIDC client config or null in standalone mode.
+ * @throws {Error} If `SOULCRAFT_IDP_URL` is set but client ID or secret are missing.
+ */
+export function getOIDCClientConfig() {
+    const idpUrl = process.env['SOULCRAFT_IDP_URL'];
+    if (!idpUrl)
+        return null;
+    const clientId = process.env['SOULCRAFT_OIDC_CLIENT_ID'];
+    const clientSecret = process.env['SOULCRAFT_OIDC_CLIENT_SECRET'];
+    if (!clientId || !clientSecret) {
+        const missing = [
+            !clientId && 'SOULCRAFT_OIDC_CLIENT_ID',
+            !clientSecret && 'SOULCRAFT_OIDC_CLIENT_SECRET',
+        ].filter(Boolean).join(', ');
+        throw new Error(`SOULCRAFT_IDP_URL is set to "${idpUrl}" but the following required OIDC ` +
+            `client environment variables are missing: ${missing}. ` +
+            `Either set both variables for OIDC client mode, or unset SOULCRAFT_IDP_URL ` +
+            `to run in standalone mode.`);
+    }
+    const redirectUri = process.env['SOULCRAFT_OIDC_REDIRECT_URI'];
+    return { idpUrl, clientId, clientSecret, ...(redirectUri ? { redirectUri } : {}) };
+}
+//# sourceMappingURL=config.js.map

package/dist/modules/auth/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/modules/auth/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAGxC,gFAAgF;AAChF,gCAAgC;AAChC,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,YAAY,EAAE;QACZ,IAAI,EAAE,QAAiB;QACvB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,SAAS;KACxB;IACD,SAAS,EAAE;QACT,IAAI,EAAE,QAAiB;QACvB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,EAAE;KACjB;CACO,CAAA;AAEV,gFAAgF;AAChF,+BAA+B;AAC/B,gFAAgF;AAEhF;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;IAC5B,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE;CACf,CAAA;AAEV,gFAAgF;AAChF,yBAAyB;AACzB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;SAClC,MAAM,CAAC,KAAK,CAAC,CAAA;AAClB,CAAC;AAED,gFAAgF;AAChF,iCAAiC;AACjC,gFAAgF;AAEhF;;;;;;;;;GASG;AACH,MAAM,UAAU,WAAW;IACzB,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAA;AACxE,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAA;IAC/C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IAExB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAA;IACxD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAA;IAEhE,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG;YACd,CAAC,QAAQ,IAAI,0BAA0B;YACvC,CAAC,YAAY,IAAI,8BAA8B;SAChD,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAE5B,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,oCAAoC;YAC1E,6CAA6C,OAAO,IAAI;YACxD,6EAA6E;YAC7E,4BAA4B,CAC7B,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAA;IAC9D,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAA;AACpF,CAAC"}

package/dist/modules/auth/middleware.d.ts

@@ -0,0 +1,146 @@
+/**
+ * @module modules/auth/middleware
+ * @description Hono auth middleware factories and remote session verification
+ * for Soulcraft product backends.
+ *
+ * Provides framework-agnostic middleware that products mount in their Hono server
+ * to authenticate requests against a better-auth instance (local or remote IdP).
+ *
+ * The middleware pattern is product-agnostic — Workshop, Venue, and Academy all
+ * use the same factories, passing their own `auth` instance. This replaces the
+ * per-product copies of `requireAuth` / `optionalAuth` in Workshop's better-auth.ts.
+ *
+ * ## Remote session verification
+ *
+ * `createRemoteSessionVerifier` is used by products that delegate authentication
+ * to the central IdP (`auth.soulcraft.com`) but need to verify sessions without
+ * running a full better-auth instance. It proxies the session lookup via HTTP with
+ * an LRU cache to avoid per-request round-trips to the IdP.
+ *
+ * @example Hono setup (Workshop)
+ * ```typescript
+ * import { createAuthMiddleware } from '@soulcraft/sdk/server'
+ * import { auth } from './better-auth.js'
+ *
+ * const { requireAuth, optionalAuth } = createAuthMiddleware(auth)
+ *
+ * app.get('/api/workspaces', requireAuth, async (c) => {
+ *   const user = c.get('user')! // SoulcraftSessionUser, guaranteed non-null
+ * })
+ * ```
+ */
+import type { SoulcraftSessionUser, SoulcraftSession } from './types.js';
+import type { Context, Next } from 'hono';
+/** The Hono context variable key where the resolved user is stored. */
+export declare const AUTH_USER_KEY: "user";
+/** Hono context type with the resolved Soulcraft user variable. */
+export type AuthContext = Context<{
+    Variables: {
+        [AUTH_USER_KEY]: SoulcraftSessionUser | null;
+    };
+}>;
+/** Minimal better-auth API surface the middleware depends on. */
+export interface BetterAuthLike {
+    api: {
+        getSession(opts: {
+            headers: Headers;
+        }): Promise<{
+            user: Record<string, unknown>;
+            session: {
+                id: string;
+                expiresAt: Date | string | number;
+            };
+        } | null>;
+    };
+}
+/**
+ * @description Options for createAuthMiddleware().
+ */
+export interface AuthMiddlewareOptions {
+    /**
+     * If true, a synthetic dev user is injected in non-production environments,
+     * bypassing the session check entirely. Set to false to disable dev auto-login
+     * (e.g. for integration test servers that need real auth even in dev).
+     * @default true
+     */
+    devAutoLogin?: boolean;
+}
+/**
+ * @description The object returned by createAuthMiddleware().
+ */
+export interface AuthMiddleware {
+    /**
+     * Require authentication. Resolves the better-auth session. If the session is
+     * valid, attaches the typed user to the Hono context and calls next(). Returns
+     * HTTP 401 if unauthenticated.
+     *
+     * In development mode (unless devAutoLogin is disabled), a synthetic dev user
+     * is injected automatically.
+     */
+    requireAuth: (c: AuthContext, next: Next) => Promise<void | Response>;
+    /**
+     * Optional authentication. Resolves the session if one exists, but does not
+     * reject unauthenticated requests. User will be null for anonymous requests.
+     */
+    optionalAuth: (c: AuthContext, next: Next) => Promise<void | Response>;
+}
+/**
+ * @description Options for createRemoteSessionVerifier().
+ */
+export interface RemoteSessionVerifierOptions {
+    /** The central IdP base URL, e.g. "https://auth.soulcraft.com". */
+    idpUrl: string;
+    /** Session cache TTL in milliseconds. Default: 30 000 (30 seconds). */
+    cacheTtlMs?: number;
+    /** Maximum cached sessions. Default: 500. */
+    cacheMax?: number;
+}
+/**
+ * @description Creates Hono auth middleware bound to a specific better-auth instance.
+ *
+ * Returns `requireAuth` and `optionalAuth` middleware functions. Both functions
+ * resolve the session from request cookies/headers using better-auth's `getSession`
+ * API and attach the user to the Hono context under the `'user'` variable key.
+ *
+ * In non-production environments (`NODE_ENV !== 'production'`), a synthetic dev
+ * user is injected automatically to allow local development without OAuth setup.
+ * Disable this with `options.devAutoLogin = false`.
+ *
+ * @param auth - The product's better-auth instance.
+ * @param options - Optional middleware configuration.
+ * @returns Middleware pair: `{ requireAuth, optionalAuth }`.
+ *
+ * @example
+ * ```typescript
+ * const { requireAuth, optionalAuth } = createAuthMiddleware(auth)
+ * app.get('/api/me', requireAuth, (c) => c.json(c.get('user')))
+ * ```
+ */
+export declare function createAuthMiddleware(auth: BetterAuthLike, options?: AuthMiddlewareOptions): AuthMiddleware;
+/**
+ * @description Creates a cached remote session verifier that proxies session lookups
+ * to the central IdP at `auth.soulcraft.com`.
+ *
+ * Used by products that operate as OIDC clients and need to verify sessions without
+ * running a full better-auth instance locally. Caches successful lookups to avoid
+ * per-request HTTP calls to the IdP.
+ *
+ * The verifier sends the cookie header to the IdP's `/api/auth/get-session` endpoint
+ * and returns the resolved `SoulcraftSession` or null if the session is invalid.
+ *
+ * @param options - IdP URL, cache TTL, and max cache size.
+ * @returns An async function that accepts a cookie header string and returns a session or null.
+ *
+ * @example
+ * ```typescript
+ * const verifySession = createRemoteSessionVerifier({
+ *   idpUrl: 'https://auth.soulcraft.com',
+ *   cacheTtlMs: 30_000,
+ * })
+ *
+ * const session = await verifySession(c.req.header('cookie') ?? '')
+ * if (!session) return c.json({ error: 'Unauthorized' }, 401)
+ * ```
+ */
+export declare function createRemoteSessionVerifier(options: RemoteSessionVerifierOptions): (cookieHeader: string) => Promise<SoulcraftSession | null>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/modules/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAIH,OAAO,KAAK,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AACxE,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAMzC,uEAAuE;AACvE,eAAO,MAAM,aAAa,EAAG,MAAe,CAAA;AAE5C,mEAAmE;AACnE,MAAM,MAAM,WAAW,GAAG,OAAO,CAAC;IAAE,SAAS,EAAE;QAAE,CAAC,aAAa,CAAC,EAAE,oBAAoB,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,CAAC,CAAA;AAElG,iEAAiE;AACjE,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE;QACH,UAAU,CAAC,IAAI,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,GAAG,OAAO,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAAC,OAAO,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,SAAS,EAAE,IAAI,GAAG,MAAM,GAAG,MAAM,CAAA;aAAE,CAAA;SAAE,GAAG,IAAI,CAAC,CAAA;KACtJ,CAAA;CACF;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;;OAKG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;;;OAOG;IACH,WAAW,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAA;IAErE;;;OAGG;IACH,YAAY,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAA;CACvE;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,mEAAmE;IACnE,MAAM,EAAE,MAAM,CAAA;IACd,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAMD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,cAAc,EACpB,OAAO,GAAE,qBAA0B,GAClC,cAAc,CA+DhB;AAMD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,4BAA4B,GACpC,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CA4D5D"}

package/dist/modules/auth/middleware.js

@@ -0,0 +1,204 @@
+/**
+ * @module modules/auth/middleware
+ * @description Hono auth middleware factories and remote session verification
+ * for Soulcraft product backends.
+ *
+ * Provides framework-agnostic middleware that products mount in their Hono server
+ * to authenticate requests against a better-auth instance (local or remote IdP).
+ *
+ * The middleware pattern is product-agnostic — Workshop, Venue, and Academy all
+ * use the same factories, passing their own `auth` instance. This replaces the
+ * per-product copies of `requireAuth` / `optionalAuth` in Workshop's better-auth.ts.
+ *
+ * ## Remote session verification
+ *
+ * `createRemoteSessionVerifier` is used by products that delegate authentication
+ * to the central IdP (`auth.soulcraft.com`) but need to verify sessions without
+ * running a full better-auth instance. It proxies the session lookup via HTTP with
+ * an LRU cache to avoid per-request round-trips to the IdP.
+ *
+ * @example Hono setup (Workshop)
+ * ```typescript
+ * import { createAuthMiddleware } from '@soulcraft/sdk/server'
+ * import { auth } from './better-auth.js'
+ *
+ * const { requireAuth, optionalAuth } = createAuthMiddleware(auth)
+ *
+ * app.get('/api/workspaces', requireAuth, async (c) => {
+ *   const user = c.get('user')! // SoulcraftSessionUser, guaranteed non-null
+ * })
+ * ```
+ */
+import { LRUCache } from 'lru-cache';
+import { computeEmailHash } from './config.js';
+// ─────────────────────────────────────────────────────────────────────────────
+// Types
+// ─────────────────────────────────────────────────────────────────────────────
+/** The Hono context variable key where the resolved user is stored. */
+export const AUTH_USER_KEY = 'user';
+// ─────────────────────────────────────────────────────────────────────────────
+// createAuthMiddleware
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * @description Creates Hono auth middleware bound to a specific better-auth instance.
+ *
+ * Returns `requireAuth` and `optionalAuth` middleware functions. Both functions
+ * resolve the session from request cookies/headers using better-auth's `getSession`
+ * API and attach the user to the Hono context under the `'user'` variable key.
+ *
+ * In non-production environments (`NODE_ENV !== 'production'`), a synthetic dev
+ * user is injected automatically to allow local development without OAuth setup.
+ * Disable this with `options.devAutoLogin = false`.
+ *
+ * @param auth - The product's better-auth instance.
+ * @param options - Optional middleware configuration.
+ * @returns Middleware pair: `{ requireAuth, optionalAuth }`.
+ *
+ * @example
+ * ```typescript
+ * const { requireAuth, optionalAuth } = createAuthMiddleware(auth)
+ * app.get('/api/me', requireAuth, (c) => c.json(c.get('user')))
+ * ```
+ */
+export function createAuthMiddleware(auth, options = {}) {
+    const devAutoLogin = options.devAutoLogin ?? true;
+    const isDev = process.env['NODE_ENV'] !== 'production';
+    const DEV_USER = {
+        id: 'dev-user-001',
+        email: 'dev@localhost',
+        name: 'Dev User',
+        image: null,
+        emailHash: computeEmailHash('dev@localhost'),
+        platformRole: 'creator',
+    };
+    function resolveUser(raw) {
+        const email = String(raw['email'] ?? '');
+        const emailHash = raw['emailHash']
+            ? String(raw['emailHash'])
+            : computeEmailHash(email);
+        return {
+            id: String(raw['id'] ?? ''),
+            email,
+            name: String(raw['name'] ?? ''),
+            image: raw['image'] ?? null,
+            platformRole: raw['platformRole'] ?? 'creator',
+            emailHash,
+        };
+    }
+    const requireAuth = async (c, next) => {
+        if (isDev && devAutoLogin) {
+            if (!c.get(AUTH_USER_KEY))
+                c.set(AUTH_USER_KEY, DEV_USER);
+            await next();
+            return;
+        }
+        const session = await auth.api.getSession({ headers: c.req.raw.headers });
+        if (!session?.user) {
+            return c.json({ error: 'Authentication required' }, 401);
+        }
+        c.set(AUTH_USER_KEY, resolveUser(session.user));
+        await next();
+        return;
+    };
+    const optionalAuth = async (c, next) => {
+        if (isDev && devAutoLogin) {
+            if (!c.get(AUTH_USER_KEY))
+                c.set(AUTH_USER_KEY, DEV_USER);
+            await next();
+            return;
+        }
+        const session = await auth.api.getSession({ headers: c.req.raw.headers });
+        if (session?.user) {
+            c.set(AUTH_USER_KEY, resolveUser(session.user));
+        }
+        else {
+            c.set(AUTH_USER_KEY, null);
+        }
+        await next();
+    };
+    return { requireAuth, optionalAuth };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createRemoteSessionVerifier
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * @description Creates a cached remote session verifier that proxies session lookups
+ * to the central IdP at `auth.soulcraft.com`.
+ *
+ * Used by products that operate as OIDC clients and need to verify sessions without
+ * running a full better-auth instance locally. Caches successful lookups to avoid
+ * per-request HTTP calls to the IdP.
+ *
+ * The verifier sends the cookie header to the IdP's `/api/auth/get-session` endpoint
+ * and returns the resolved `SoulcraftSession` or null if the session is invalid.
+ *
+ * @param options - IdP URL, cache TTL, and max cache size.
+ * @returns An async function that accepts a cookie header string and returns a session or null.
+ *
+ * @example
+ * ```typescript
+ * const verifySession = createRemoteSessionVerifier({
+ *   idpUrl: 'https://auth.soulcraft.com',
+ *   cacheTtlMs: 30_000,
+ * })
+ *
+ * const session = await verifySession(c.req.header('cookie') ?? '')
+ * if (!session) return c.json({ error: 'Unauthorized' }, 401)
+ * ```
+ */
+export function createRemoteSessionVerifier(options) {
+    const cacheTtl = options.cacheTtlMs ?? 30_000;
+    const cacheMax = options.cacheMax ?? 500;
+    const sessionUrl = `${options.idpUrl.replace(/\/$/, '')}/api/auth/get-session`;
+    const cache = new LRUCache({
+        max: cacheMax,
+        ttl: cacheTtl,
+    });
+    return async function verifyRemoteSession(cookieHeader) {
+        if (!cookieHeader)
+            return null;
+        // Use cookie header as cache key — it contains the session token
+        const cached = cache.get(cookieHeader);
+        if (cached !== undefined)
+            return cached;
+        let response;
+        try {
+            response = await fetch(sessionUrl, {
+                headers: { cookie: cookieHeader },
+                credentials: 'include',
+            });
+        }
+        catch {
+            return null;
+        }
+        if (!response.ok)
+            return null;
+        let data;
+        try {
+            data = await response.json();
+        }
+        catch {
+            return null;
+        }
+        const rawUser = data['user'];
+        const rawSession = data['session'];
+        if (!rawUser || !rawSession)
+            return null;
+        const email = String(rawUser['email'] ?? '');
+        const session = {
+            user: {
+                id: String(rawUser['id'] ?? ''),
+                email,
+                name: String(rawUser['name'] ?? ''),
+                image: rawUser['image'] ?? null,
+                platformRole: rawUser['platformRole'] ?? 'creator',
+                emailHash: rawUser['emailHash'] ? String(rawUser['emailHash']) : computeEmailHash(email),
+            },
+            sessionId: String(rawSession['id'] ?? ''),
+            expiresAt: Number(rawSession['expiresAt'] ?? 0),
+        };
+        cache.set(cookieHeader, session);
+        return session;
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/modules/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/modules/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AACpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAI9C,gFAAgF;AAChF,QAAQ;AACR,gFAAgF;AAEhF,uEAAuE;AACvE,MAAM,CAAC,MAAM,aAAa,GAAG,MAAe,CAAA;AA0D5C,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,oBAAoB,CAClC,IAAoB,EACpB,UAAiC,EAAE;IAEnC,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,IAAI,CAAA;IACjD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,CAAA;IAEtD,MAAM,QAAQ,GAAyB;QACrC,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,eAAe;QACtB,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,IAAI;QACX,SAAS,EAAE,gBAAgB,CAAC,eAAe,CAAC;QAC5C,YAAY,EAAE,SAAS;KACxB,CAAA;IAED,SAAS,WAAW,CAAC,GAA4B;QAC/C,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QACxC,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,CAAC;YAChC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAC1B,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAA;QAE3B,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC3B,KAAK;YACL,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC/B,KAAK,EAAG,GAAG,CAAC,OAAO,CAA+B,IAAI,IAAI;YAC1D,YAAY,EAAG,GAAG,CAAC,cAAc,CAA0C,IAAI,SAAS;YACxF,SAAS;SACV,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAkC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACnE,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC;gBAAE,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAA;YACzD,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QACzE,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;YACnB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAA;QAC1D,CAAC;QAED,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;QAC/C,MAAM,IAAI,EAAE,CAAA;QACZ,OAAM;IACR,CAAC,CAAA;IAED,MAAM,YAAY,GAAmC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACrE,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC;gBAAE,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAA;YACzD,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QACzE,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;YAClB,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;QACjD,CAAC;aAAM,CAAC;YACN,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAA;QAC5B,CAAC;QACD,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;IAED,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAA;AACtC,CAAC;AAED,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAqC;IAErC,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAA;IAC7C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,GAAG,CAAA;IACxC,MAAM,UAAU,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,uBAAuB,CAAA;IAE9E,MAAM,KAAK,GAAG,IAAI,QAAQ,CAA2B;QACnD,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,QAAQ;KACd,CAAC,CAAA;IAEF,OAAO,KAAK,UAAU,mBAAmB,CACvC,YAAoB;QAEpB,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAA;QAE9B,iEAAiE;QACjE,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACtC,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,MAAM,CAAA;QAEvC,IAAI,QAAkB,CAAA;QACtB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;gBACjC,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;gBACjC,WAAW,EAAE,SAAS;aACvB,CAAC,CAAA;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAE7B,IAAI,IAA6B,CAAA;QACjC,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAA;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAwC,CAAA;QACnE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAwC,CAAA;QAEzE,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAA;QAExC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QAC5C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC/B,KAAK;gBACL,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;gBACnC,KAAK,EAAG,OAAO,CAAC,OAAO,CAA+B,IAAI,IAAI;gBAC9D,YAAY,EAAG,OAAO,CAAC,cAAc,CAA0C,IAAI,SAAS;gBAC5F,SAAS,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC;aACzF;YACD,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACzC,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;SAChD,CAAA;QAED,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;QAChC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC"}