@take-out/better-auth-utils 0.0.66 → 0.0.68

package/dist/esm/server.native.js

@@ -0,0 +1,166 @@
+import { createRemoteJWKSet, jwtVerify } from "jose";
+function _assert_this_initialized(self) {
+  if (self === void 0) throw new ReferenceError("this hasn't been initialised - super() hasn't been called");
+  return self;
+}
+function _call_super(_this, derived, args) {
+  return derived = _get_prototype_of(derived), _possible_constructor_return(_this, _is_native_reflect_construct() ? Reflect.construct(derived, args || [], _get_prototype_of(_this).constructor) : derived.apply(_this, args));
+}
+function _class_call_check(instance, Constructor) {
+  if (!(instance instanceof Constructor)) throw new TypeError("Cannot call a class as a function");
+}
+function _construct(Parent, args, Class) {
+  return _is_native_reflect_construct() ? _construct = Reflect.construct : _construct = function (Parent2, args2, Class2) {
+    var a = [null];
+    a.push.apply(a, args2);
+    var Constructor = Function.bind.apply(Parent2, a),
+      instance = new Constructor();
+    return Class2 && _set_prototype_of(instance, Class2.prototype), instance;
+  }, _construct.apply(null, arguments);
+}
+function _get_prototype_of(o) {
+  return _get_prototype_of = Object.setPrototypeOf ? Object.getPrototypeOf : function (o2) {
+    return o2.__proto__ || Object.getPrototypeOf(o2);
+  }, _get_prototype_of(o);
+}
+function _inherits(subClass, superClass) {
+  if (typeof superClass != "function" && superClass !== null) throw new TypeError("Super expression must either be null or a function");
+  subClass.prototype = Object.create(superClass && superClass.prototype, {
+    constructor: {
+      value: subClass,
+      writable: !0,
+      configurable: !0
+    }
+  }), superClass && _set_prototype_of(subClass, superClass);
+}
+function _instanceof(left, right) {
+  return right != null && typeof Symbol < "u" && right[Symbol.hasInstance] ? !!right[Symbol.hasInstance](left) : left instanceof right;
+}
+function _is_native_function(fn) {
+  return Function.toString.call(fn).indexOf("[native code]") !== -1;
+}
+function _possible_constructor_return(self, call) {
+  return call && (_type_of(call) === "object" || typeof call == "function") ? call : _assert_this_initialized(self);
+}
+function _set_prototype_of(o, p) {
+  return _set_prototype_of = Object.setPrototypeOf || function (o2, p2) {
+    return o2.__proto__ = p2, o2;
+  }, _set_prototype_of(o, p);
+}
+function _type_of(obj) {
+  "@swc/helpers - typeof";
+
+  return obj && typeof Symbol < "u" && obj.constructor === Symbol ? "symbol" : typeof obj;
+}
+function _wrap_native_super(Class) {
+  var _cache = typeof Map == "function" ? /* @__PURE__ */new Map() : void 0;
+  return _wrap_native_super = function (Class2) {
+    if (Class2 === null || !_is_native_function(Class2)) return Class2;
+    if (typeof Class2 != "function") throw new TypeError("Super expression must either be null or a function");
+    if (typeof _cache < "u") {
+      if (_cache.has(Class2)) return _cache.get(Class2);
+      _cache.set(Class2, Wrapper);
+    }
+    function Wrapper() {
+      return _construct(Class2, arguments, _get_prototype_of(this).constructor);
+    }
+    return Wrapper.prototype = Object.create(Class2.prototype, {
+      constructor: {
+        value: Wrapper,
+        enumerable: !1,
+        writable: !0,
+        configurable: !0
+      }
+    }), _set_prototype_of(Wrapper, Class2);
+  }, _wrap_native_super(Class);
+}
+function _is_native_reflect_construct() {
+  try {
+    var result = !Boolean.prototype.valueOf.call(Reflect.construct(Boolean, [], function () {}));
+  } catch {}
+  return (_is_native_reflect_construct = function () {
+    return !!result;
+  })();
+}
+var NotAuthenticatedError = /* @__PURE__ */function (Error1) {
+    "use strict";
+
+    _inherits(NotAuthenticatedError2, Error1);
+    function NotAuthenticatedError2() {
+      return _class_call_check(this, NotAuthenticatedError2), _call_super(this, NotAuthenticatedError2, arguments);
+    }
+    return NotAuthenticatedError2;
+  }(_wrap_native_super(Error)),
+  InvalidTokenError = /* @__PURE__ */function (Error1) {
+    "use strict";
+
+    _inherits(InvalidTokenError2, Error1);
+    function InvalidTokenError2() {
+      return _class_call_check(this, InvalidTokenError2), _call_super(this, InvalidTokenError2, arguments);
+    }
+    return InvalidTokenError2;
+  }(_wrap_native_super(Error));
+async function getAuthDataFromRequest(authServer, req, tokenOptions) {
+  var authHeader = req.headers.get("authorization"),
+    cookie = authHeader?.split("Bearer ")[1],
+    newHeaders = new Headers(req.headers);
+  cookie && newHeaders.set("Cookie", cookie);
+  try {
+    var session = await authServer.api.getSession({
+      headers: newHeaders
+    });
+    if (session?.user) return {
+      id: session.user.id,
+      email: session.user.email || void 0,
+      role: session.user.role === "admin" ? "admin" : void 0
+    };
+  } catch {}
+  var jwtToken = authHeader?.replace("Bearer ", "");
+  if (jwtToken) try {
+    var payload = await validateToken(jwtToken, tokenOptions),
+      userId = payload?.id || payload?.sub;
+    if (userId) return {
+      id: userId,
+      email: payload.email,
+      role: payload.role === "admin" ? "admin" : void 0
+    };
+  } catch (err) {
+    if (!_instanceof(err, InvalidTokenError)) throw err;
+  }
+  return null;
+}
+async function validateToken(token, options) {
+  var {
+    baseUrl = process.env.ONE_SERVER_URL,
+    forceIssuer = process.env.FORCE_ISSUER || "",
+    jwksPath = "/api/auth/jwks"
+  } = options || {};
+  if (!baseUrl) throw new Error("No baseURL!");
+  var normalizedBaseUrl = removeTrailingSlash(baseUrl),
+    url = `${forceIssuer || normalizedBaseUrl}${jwksPath}`,
+    JWKS = createRemoteJWKSet(new URL(url));
+  try {
+    var verifyOptions = forceIssuer ? {} : {
+        issuer: normalizedBaseUrl,
+        audience: normalizedBaseUrl
+      },
+      {
+        payload
+      } = await jwtVerify(token, JWKS, verifyOptions);
+    return payload;
+  } catch (error) {
+    throw new InvalidTokenError(`${error}`);
+  }
+}
+async function isValidJWT(token, options) {
+  try {
+    return await validateToken(token, options), !0;
+  } catch {
+    return !1;
+  }
+}
+function removeTrailingSlash(str) {
+  return str.replace(/\/$/, "");
+}
+export { InvalidTokenError, NotAuthenticatedError, getAuthDataFromRequest, isValidJWT, validateToken };
+//# sourceMappingURL=server.native.js.map

package/dist/esm/server.native.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["createRemoteJWKSet","jwtVerify","_assert_this_initialized","self","ReferenceError","_call_super","_this","derived","args","_get_prototype_of","_possible_constructor_return","_is_native_reflect_construct","Reflect","construct","constructor","apply","_class_call_check","instance","Constructor","TypeError","_construct","Parent","Class","Parent2","args2","Class2","a","push","Function","bind","_set_prototype_of","prototype","arguments","o","Object","setPrototypeOf","getPrototypeOf","o2","__proto__","_inherits","subClass","superClass","create","value","writable","configurable","_instanceof","left","right","Symbol","hasInstance","_is_native_function","fn","toString","call","indexOf","_type_of","p","p2","obj","_wrap_native_super","_cache","Map"],"sources":["../../src/server.ts"],"sourcesContent":[null],"mappings":"AAMA,SAASA,kBAAA,EAAoBC,SAAA,QAAkC;AAiBxD,SAAMC,yBAAAC,IAA8B;EAAO,IAAAA,IAAA,aAC3C,MAAM,IAAAC,cAAA,4DAAgC;EAAC,OAAAD,IAAA;AAiB9C;AAQE,SAAME,YAAaC,KAAI,EAAAC,OAAQ,EAAIC,IAAA;EAI/B,OAAAD,OACF,GAAAE,iBAAe,CAAUF,OAAM,GAAAG,4BAAA,CAAAJ,KAAA,EAAAK,4BAAA,KAAAC,OAAA,CAAAC,SAAA,CAAAN,OAAA,EAAAC,IAAA,QAAAC,iBAAA,CAAAH,KAAA,EAAAQ,WAAA,IAAAP,OAAA,CAAAQ,KAAA,CAAAT,KAAA,EAAAE,IAAA;AAIjC;AACE,SAAAQ,iBAAsBA,CAAAC,QAAA,EAAWC,WAAI;EACrC,MAAID,QAAA,YAASC,WAAA,GACX,UAAOC,SAAA;AAAA;AACY,SACjBC,UAAOA,CAAAC,MAAQ,EAAKb,IAAA,EAAAc,KAAS;EAAA,OAC7BX,4BAA4B,KAAAS,UAAU,GAAAR,OAAU,CAAAC,SAAA,GAAAO,UAAA,YAAAA,CAAAG,OAAA,EAAAC,KAAA,EAAAC,MAAA;IAAA,IAClDC,CAAA,IAEJ,IAAQ,CAER;IAIAA,CAAA,CAAAC,IAAM,CAAAZ,KAAA,CAAAW,CAAA,EAAWF,KAAA;IAEjB,IAAIN,WAAA,GAAAU,QAAA,CAAAC,IAAA,CAAAd,KAAA,CAAAQ,OAAA,EAAAG,CAAA;MAAAT,QAAA,OAAAC,WAAA;IACF,OAAIO,MAAA,IAAAK,iBAAA,CAAAb,QAAA,EAAAQ,MAAA,CAAAM,SAAA,GAAAd,QAAA;EACF,GAAAG,UAAM,CAAAL,KAAA,CAAU,MAAMiB,SAAA;AAEtB;AACE,SAAAvB,iBAAOA,CAAAwB,CAAA;EAAA,OAAAxB,iBACD,GAAAyB,MAAA,CAAAC,cAAA,GAAAD,MAAA,CAAAE,cAAA,aAAAC,EAAA;IAAA,OACJA,EAAA,CAAAC,SAAQ,IAAgBJ,MAAA,CAAAE,cAAA,CAAAC,EAAA;EAAA,GAAA5B,iBACjB,CAAAwB,CAAgB;AAA6B;AACtD,SAEJM,SAAcA,CAAAC,QAAA,EAAAC,UAAA;EACZ,WAAMA,UAAA,IAAe,cAAAA,UAAA,WACnB,UAAMtB,SAAA;EAAAqB,QAEV,CAAAT,SAAA,GAAAG,MAAA,CAAAQ,MAAA,CAAAD,UAAA,IAAAA,UAAA,CAAAV,SAAA;IAGFjB,WAAO;MACT6B,KAAA,EAAAH,QAAA;MAIAI,QAAA,EAAsB;MAIpBC,YAAM;IACJ;EAAsB,EACtB,EAAAJ,UAAA,IAAcX,iBAAY,CAAAU,QAAgB,EAAAC,UAAA;AAAA;AAC/B,SACTK,WAAYA,CAAAC,IAAA,EAAAC,KAAA;EAEhB,OAAKA,KAAA,mBAAAC,MAAA,UAAAD,KAAA,CAAAC,MAAA,CAAAC,WAAA,MAAAF,KAAA,CAAAC,MAAA,CAAAC,WAAA,EAAAH,IAAA,IAAAA,IAAA,YAAAC,KAAA;AACH;AAGF,SAAMG,mBAAoBA,CAAAC,EAAA;EAM1B,OAAIxB,QAAA,CAAAyB,QAAA,CAAAC,IAAA,CAAAF,EAAA,EAAAG,OAAA;AACF;AAEI,SACE7C,4BAAQA,CAAAP,IAAA,EAAAmD,IAAA;EAAA,OACRA,IAAA,KAAUE,QAAA,CAAAF,IAAA,yBAAAA,IAAA,kBAAAA,IAAA,GAAApD,wBAAA,CAAAC,IAAA;AAAA;AAKhB,SAAA2B,iBAAOA,CAAAG,CAAA,EAAAwB,CAAA;EACT,OAAA3B,iBAAgB,GAAAI,MAAA,CAAAC,cAAA,cAAAE,EAAA,EAAAqB,EAAA;IACd,OAAMrB,EAAA,CAAIC,SAAA,GAAAoB,EAAA,EAAArB,EAAkB;EAC9B,GAAAP,iBAAA,CAAAG,CAAA,EAAAwB,CAAA;AACF;AAEA,SAAAD,QAAsBA,CAAAG,GAAA;EAIpB,uBAAI;;EACF,OAAAA,GAAA,WAAMV,MAAA,GAAc,OAAOU,GAAA,CAAA7C,WACpB,KAAAmC,MAAA,qBAAAU,GAAA;AAAA;AAEP,SAAAC,kBAAOA,CAAAtC,KAAA;EACT,IAAAuC,MAAA,UAAAC,GAAA,oCAAAA,GAAA;EACF,OAAAF,kBAAA,YAAAA,CAAAnC,MAAA;IAEA,IAAAA,MAAS,cAAA0B,mBAAiC,CAAA1B,MAAA,UAAAA,MAAA;IACxC,WAAWA,MAAQ,cAAS,EAC9B,UAAAN,SAAA","ignoreList":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@take-out/better-auth-utils",
-  "version": "0.0.66",
+  "version": "0.0.68",
   "description": "Better auth utilities and client for React/React Native applications",
   "sideEffects": false,
   "type": "module",
@@ -32,17 +32,24 @@
       "import": "./dist/esm/index.mjs",
       "require": "./dist/cjs/index.cjs",
       "default": "./dist/esm/index.mjs"
+    },
+    "./server": {
+      "types": "./types/server.d.ts",
+      "import": "./dist/esm/server.mjs",
+      "require": "./dist/cjs/server.cjs",
+      "default": "./dist/esm/server.mjs"
     }
   },
   "dependencies": {
-    "@take-out/helpers": "0.0.62",
-    "better-auth": "^1.3.28"
+    "@take-out/helpers": "0.0.67",
+    "better-auth": "^1.3.28",
+    "jose": "^6.0.10"
   },
   "peerDependencies": {
     "react": "*"
   },
   "devDependencies": {
-    "@tamagui/build": "2.0.0-rc.0-1769998500160",
+    "@tamagui/build": "2.0.0-rc.0-1770084657117",
     "@types/node": "24.0.3",
     "@types/react": "^19.0.8",
     "oxfmt": "^0.16.0",

package/src/createAuthClient.ts

@@ -2,11 +2,10 @@
  * Better-auth helpers for React / React Native applications
  *
  * Features:
- *  - JWT support (for Zero, Tauri, React Native)
  *  - Session persistence in local storage
- *  - Token validation and refresh
  *  - State management with emitters
  *  - Automatic retry on errors
+ *  - Optional JWT support (for Tauri, React Native)
  */
 
 import {
@@ -29,6 +28,7 @@ export type AuthState<U extends User = User> = {
   state: 'loading' | 'logged-in' | 'logged-out'
   session: Session | null
   user: U | null
+  /** JWT token - only populated when useJWT is enabled */
   token: string | null
 }
 
@@ -37,33 +37,45 @@ export interface BetterAuthClientProps<
 > extends BetterAuthClientOptions {
   /**
    * Callback to transform and type the user object
-   * This allows you to add app-specific fields and ensure proper typing
    * @default (user) => user
    */
   createUser?: (user: User) => TUser
+
   /**
    * Optional callback when authentication state changes
    */
   onAuthStateChange?: (state: AuthState<TUser>) => void
+
   /**
    * Optional callback for handling auth errors
    */
   onAuthError?: (error: any) => void
+
   /**
    * Storage key prefix for local storage
    * @default 'auth'
    */
   storagePrefix?: string
+
   /**
    * Retry delay in milliseconds after auth errors
    * @default 4000
    */
   retryDelay?: number
+
   /**
-   * Custom token validation endpoint
-   * @default '/api/auth/validateToken'
+   * Enable JWT token management for native apps (Tauri, React Native)
+   * When false (default), auth uses session cookies forwarded by the server
+   * When true, fetches and manages JWT tokens for Authorization header auth
+   * @default false
    */
-  tokenValidationEndpoint?: string
+  useJWT?: boolean
+
+  /**
+   * Cookie names to clear on auth invalidation
+   * @default ['better-auth.jwt', 'better-auth.session_token']
+   */
+  authCookieNames?: string[]
 }
 
 export interface BetterAuthClientReturn<U extends User = User, TClient = any> {
@@ -72,6 +84,7 @@ export interface BetterAuthClientReturn<U extends User = User, TClient = any> {
   authClient: TClient
   setAuthClientToken: (props: { token: string; session: string }) => Promise<void>
   clearAuthClientToken: () => void
+  clearAllAuth: () => void
   useAuth: () => AuthState<U>
   getAuth: () => AuthState<U> & { loggedIn: boolean }
   getValidToken: () => Promise<string | undefined>
@@ -95,7 +108,8 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
     createUser,
     storagePrefix = 'auth',
     retryDelay = 4000,
-    tokenValidationEndpoint = '/api/auth/validateToken',
+    useJWT = false,
+    authCookieNames = ['better-auth.jwt', 'better-auth.session_token'],
     ...authClientOptions
   } = options
 
@@ -106,33 +120,33 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
     token: null,
   }
 
+  const keysStorage = createStorageValue<StorageKeys>(`${storagePrefix}-keys`)
+  const stateStorage = createStorageValue<AuthState<TUser>>(`${storagePrefix}-state`)
+
   const createAuthClientWithSession = (session: string) => {
     return createAuthClient({
       ...authClientOptions,
       fetchOptions: {
-        headers: {
-          Authorization: `Bearer ${session}`,
-        },
+        credentials: 'include',
+        headers: useJWT ? { Authorization: `Bearer ${session}` } : undefined,
       },
     })
   }
 
-  const keysStorage = createStorageValue<StorageKeys>(`${storagePrefix}-keys`)
-  const stateStorage = createStorageValue<AuthState<TUser>>(`${storagePrefix}-state`)
-
   let authClient = (() => {
     const existingSession = keysStorage.get()?.session
     return existingSession
       ? createAuthClientWithSession(existingSession)
-      : createAuthClient(authClientOptions as Opts)
+      : createAuthClient({
+          ...authClientOptions,
+          fetchOptions: { credentials: 'include' },
+        } as Opts)
   })()
 
   const authState = createEmitter<AuthState<TUser>>(
     'authState',
     stateStorage.get() || empty,
-    {
-      comparator: isEqualDeepLite,
-    }
+    { comparator: isEqualDeepLite }
   )
 
   const authClientVersion = createEmitter<number>('authClientVersion', 0)
@@ -149,14 +163,15 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
         token: next.token,
         session: next.session.token,
       })
-    } else {
+    } else if (next.session) {
       keysStorage.set({
         token: '',
-        session: '',
+        session: next.session.token,
       })
+    } else {
+      keysStorage.set({ token: '', session: '' })
     }
 
-    // call optional callback
     onAuthStateChange?.(next)
   }
 
@@ -182,7 +197,6 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
 
       if (error) {
         onAuthError?.(error)
-        // retry by re-subscribing after a delay to recover from transient errors
         scheduleAuthRetry(retryDelay)
         return
       }
@@ -195,8 +209,6 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
           }
 
       // if we have a persisted session but server hasn't confirmed yet, stay loading
-      // this prevents redirect race on direct navigation while session is being validated
-      // note: data === null means server confirmed no session, data === undefined means still loading
       const hasPersistedSession = !!keysStorage.get()?.session
       const nextState = isPending
         ? 'loading'
@@ -206,8 +218,7 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
             ? 'loading'
             : 'logged-out'
 
-      // only update session/user when we have definitive data (not during pending state)
-      // this prevents clearing persisted data during the loading phase
+      // only update session/user when we have definitive data
       const sessionUpdate =
         nextState === 'loading'
           ? {}
@@ -216,13 +227,25 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
               user: data?.user ? (createUser ? createUser(data.user) : data.user) : null,
             }
 
+      // detect new session
+      const previousSession = authState.value?.session
+      const isNewSession =
+        data?.session &&
+        (!previousSession ||
+          previousSession.id !== data.session.id ||
+          previousSession.userId !== data.session.userId)
+
       setState({
         state: nextState,
         ...sessionUpdate,
       })
 
-      // get token on creating a new session (for native + tauri)
-      if (data?.session && !authState.value.token) {
+      // fetch JWT token when useJWT is enabled (for native/tauri apps)
+      if (useJWT && data?.session && (isNewSession || !authState.value.token)) {
+        if (isNewSession && authState.value.token) {
+          setState({ token: null })
+        }
+
         getValidToken().then((token) => {
           if (token) {
             setState({ token })
@@ -233,9 +256,7 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
   }
 
   function scheduleAuthRetry(delayMs: number) {
-    if (retryTimer) {
-      clearTimeout(retryTimer)
-    }
+    if (retryTimer) clearTimeout(retryTimer)
     retryTimer = setTimeout(() => {
       retryTimer = null
       subscribeToAuthEffect()
@@ -243,47 +264,39 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
   }
 
   async function getValidToken(): Promise<string | undefined> {
-    const existing = keysStorage.get()?.token
-
-    if (existing) {
-      try {
-        const response = await fetch(tokenValidationEndpoint, {
-          method: 'POST',
-          headers: {
-            'Content-Type': 'application/json',
-          },
-          body: JSON.stringify({
-            token: existing,
-          }),
-        }).then((res) => res.json())
-
-        if (response?.valid) {
-          return existing
-        }
-      } catch (error) {
-        console.error('Error validating token:', error)
-      }
-    }
-
     const res = await authClient.$fetch('/token')
     if (res.error) {
       console.error(`Error fetching token: ${res.error.statusText}`)
       return undefined
     }
-    const data = res.data as any
-    return data?.token as string | undefined
+    return (res.data as any)?.token as string | undefined
   }
 
   const clearAuthClientToken = () => {
     keysStorage.remove()
   }
 
+  function clearAuthCookies() {
+    if (typeof document === 'undefined') return
+
+    for (const cookieName of authCookieNames) {
+      document.cookie = `${cookieName}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`
+      const domain = window.location.hostname
+      document.cookie = `${cookieName}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=${domain}`
+      if (domain.startsWith('.')) {
+        document.cookie = `${cookieName}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=${domain.slice(1)}`
+      }
+    }
+  }
+
+  function clearAllAuth() {
+    clearAuthCookies()
+    clearState()
+  }
+
   const getAuth = () => {
     const state = authState?.value || empty
-    return {
-      ...state,
-      loggedIn: !!state.session,
-    }
+    return { ...state, loggedIn: !!state.session }
   }
 
   const useAuth = () => {
@@ -296,16 +309,12 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
     setState(empty)
   }
 
-  // initialize subscription
   subscribeToAuthEffect()
 
-  // cleanup on unmount
   if (typeof window !== 'undefined' && window.addEventListener) {
     const cleanup = () => {
       dispose?.()
-      if (retryTimer) {
-        clearTimeout(retryTimer)
-      }
+      if (retryTimer) clearTimeout(retryTimer)
     }
     window.addEventListener('beforeunload', cleanup)
   }
@@ -315,19 +324,13 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
       if (key === 'signOut') {
         return () => {
           clearState()
-
-          // don't await - better-auth has fetch issues on react native
-          // attempting to await causes "method uppercase not a func" error
-          // @ts-expect-error better-auth type issue, signOut does exist
+          // @ts-expect-error better-auth type issue
           authClient.signOut?.()
-
-          // force refresh to clear any remaining state
           if (typeof window !== 'undefined') {
             window.location?.reload?.()
           }
         }
       }
-      // ensure always latest authClient after login
       return Reflect.get(authClient, key)
     },
   }) as ReturnType<typeof createAuthClient<Opts>>
@@ -339,6 +342,7 @@ export function createBetterAuthClient<const Opts extends BetterAuthClientProps<
     authClient: proxiedAuthClient,
     setAuthClientToken,
     clearAuthClientToken,
+    clearAllAuth,
     useAuth,
     getAuth,
     getValidToken,

package/src/server.ts

@@ -0,0 +1,149 @@
+/**
+ * Server-side auth utilities for better-auth
+ * - Session validation via cookies (web)
+ * - JWT validation via JWKS (native apps)
+ */
+
+import { createRemoteJWKSet, jwtVerify, type JWTPayload } from 'jose'
+
+export interface ValidateTokenOptions {
+  /** base URL for the auth server (e.g., https://myapp.com) */
+  baseUrl?: string
+  /** optional issuer override for CI/test environments */
+  forceIssuer?: string
+  /** JWKS endpoint path, defaults to /api/auth/jwks */
+  jwksPath?: string
+}
+
+export interface AuthData {
+  id: string
+  email?: string
+  role: 'admin' | undefined
+}
+
+export class NotAuthenticatedError extends Error {}
+export class InvalidTokenError extends Error {}
+
+export type AuthServer = {
+  api: {
+    getSession: (opts: { headers: Headers }) =>
+      | Promise<{
+          user: { id: string; email?: string | null; role?: string | null }
+        } | null>
+      | Promise<any>
+  }
+}
+
+/**
+ * Get auth data from request - tries session cookies first, then JWT header
+ * Session: web apps with cookies forwarded by zero
+ * JWT: native apps (Tauri, React Native) using Authorization header
+ */
+export async function getAuthDataFromRequest(
+  authServer: AuthServer,
+  req: Request,
+  tokenOptions?: ValidateTokenOptions
+): Promise<AuthData | null> {
+  // from react native, better auth doesnt send cookie but insteead only the Authorization
+  // but better auth wants to find the cookie here, so re-route it:
+
+  const authHeader = req.headers.get('authorization')
+  const cookie = authHeader?.split('Bearer ')[1]
+
+  const newHeaders = new Headers(req.headers)
+  if (cookie) {
+    newHeaders.set('Cookie', cookie)
+  }
+
+  // try session-based auth first (web - cookies forwarded by zero)
+  try {
+    const session = await authServer.api.getSession({ headers: newHeaders })
+    if (session?.user) {
+      return {
+        id: session.user.id,
+        email: session.user.email || undefined,
+        role: session.user.role === 'admin' ? 'admin' : undefined,
+      }
+    }
+  } catch {
+    // session auth failed, try JWT
+  }
+
+  // try authorization header (token-based auth for native/tauri)
+
+  const jwtToken = authHeader?.replace('Bearer ', '')
+
+  if (jwtToken) {
+    try {
+      const payload = await validateToken(jwtToken, tokenOptions)
+      const userId = (payload as any)?.id || payload?.sub
+      if (userId) {
+        return {
+          id: userId as string,
+          email: (payload as any).email as string | undefined,
+          role: (payload as any).role === 'admin' ? 'admin' : undefined,
+        }
+      }
+    } catch (err) {
+      if (!(err instanceof InvalidTokenError)) {
+        throw err
+      }
+    }
+  }
+
+  return null
+}
+
+// jwt validation for native apps
+
+export async function validateToken(
+  token: string,
+  options?: ValidateTokenOptions
+): Promise<JWTPayload> {
+  const {
+    baseUrl = process.env.ONE_SERVER_URL,
+    forceIssuer = process.env.FORCE_ISSUER || '',
+    jwksPath = '/api/auth/jwks',
+  } = options || {}
+
+  if (!baseUrl) {
+    throw new Error(`No baseURL!`)
+  }
+
+  const normalizedBaseUrl = removeTrailingSlash(baseUrl)
+  const url = `${forceIssuer || normalizedBaseUrl}${jwksPath}`
+
+  // create fresh JWKS fetcher each time to avoid stale key cache issues
+  const JWKS = createRemoteJWKSet(new URL(url))
+
+  try {
+    const verifyOptions = forceIssuer
+      ? {}
+      : {
+          issuer: normalizedBaseUrl,
+          audience: normalizedBaseUrl,
+        }
+
+    const { payload } = await jwtVerify(token, JWKS, verifyOptions)
+
+    return payload
+  } catch (error) {
+    throw new InvalidTokenError(`${error}`)
+  }
+}
+
+export async function isValidJWT(
+  token: string,
+  options: ValidateTokenOptions
+): Promise<boolean> {
+  try {
+    await validateToken(token, options)
+    return true
+  } catch {
+    return false
+  }
+}
+
+function removeTrailingSlash(str: string) {
+  return str.replace(/\/$/, '')
+}