@terreno/api 0.0.18 → 0.2.0

package/dist/auth.js

@@ -377,7 +377,9 @@ function addAuthRoutes(app, userModel, authOptions) {
                                 logger_1.logger.warn("Invalid login: ".concat(info));
                                 return [2 /*return*/, res.status(401).json({ message: info === null || info === void 0 ? void 0 : info.message })];
                             }
-                            logger_1.logger.info("User logged in: ".concat(user._id, ", type: ").concat(user.type || "N/A"));
+                            if (process.env.NODE_ENV !== "test") {
+                                logger_1.logger.info("User logged in: ".concat(user._id, ", type: ").concat(user.type || "N/A"));
+                            }
                             return [4 /*yield*/, (0, exports.generateTokens)(user, authOptions)];
                         case 1:
                             tokens = _a.sent();

package/dist/betterAuth.d.ts

@@ -0,0 +1,91 @@
+/**
+ * Better Auth types and configuration interfaces for @terreno/api.
+ *
+ * These types support optional Better Auth integration alongside the existing
+ * JWT/Passport authentication system.
+ */
+/**
+ * OAuth provider configuration for Better Auth.
+ */
+export interface BetterAuthOAuthProvider {
+    clientId: string;
+    clientSecret: string;
+}
+/**
+ * Configuration options for Better Auth integration.
+ */
+export interface BetterAuthConfig {
+    /**
+     * Whether Better Auth is enabled for this server.
+     */
+    enabled: boolean;
+    /**
+     * Google OAuth provider configuration.
+     */
+    googleOAuth?: BetterAuthOAuthProvider;
+    /**
+     * Apple OAuth provider configuration.
+     */
+    appleOAuth?: BetterAuthOAuthProvider;
+    /**
+     * GitHub OAuth provider configuration.
+     */
+    githubOAuth?: BetterAuthOAuthProvider;
+    /**
+     * Trusted origins for CORS and redirect validation.
+     * Include your app's deep link schemes (e.g., "terreno://", "exp://").
+     */
+    trustedOrigins?: string[];
+    /**
+     * Base path for Better Auth routes.
+     * @default "/api/auth"
+     */
+    basePath?: string;
+    /**
+     * Secret key for Better Auth session encryption.
+     * If not provided, falls back to BETTER_AUTH_SECRET environment variable.
+     */
+    secret?: string;
+    /**
+     * Base URL for the auth server.
+     * If not provided, falls back to BETTER_AUTH_URL environment variable.
+     */
+    baseURL?: string;
+}
+/**
+ * Auth provider selection for setupServer.
+ * - "jwt": Traditional JWT/Passport authentication (default)
+ * - "better-auth": Better Auth with OAuth support
+ */
+export type AuthProvider = "jwt" | "better-auth";
+/**
+ * User data from Better Auth session.
+ */
+export interface BetterAuthUser {
+    id: string;
+    email: string;
+    name: string | null;
+    image: string | null;
+    emailVerified: boolean;
+    createdAt: Date;
+    updatedAt: Date;
+}
+/**
+ * Session data from Better Auth.
+ */
+export interface BetterAuthSession {
+    id: string;
+    userId: string;
+    expiresAt: Date;
+    ipAddress: string | null;
+    userAgent: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+/**
+ * Combined session and user data from Better Auth.
+ */
+export interface BetterAuthSessionData {
+    session: BetterAuthSession;
+    user: BetterAuthUser;
+}

package/dist/betterAuth.js

@@ -0,0 +1,8 @@
+"use strict";
+/**
+ * Better Auth types and configuration interfaces for @terreno/api.
+ *
+ * These types support optional Better Auth integration alongside the existing
+ * JWT/Passport authentication system.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/betterAuth.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/betterAuth.test.js

@@ -0,0 +1,181 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype);
+    return g.next = verb(0), g["throw"] = verb(1), g["return"] = verb(2), typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+var bun_test_1 = require("bun:test");
+(0, bun_test_1.describe)("Better Auth types", function () {
+    (0, bun_test_1.it)("defines BetterAuthOAuthProvider interface correctly", function () {
+        var provider = {
+            clientId: "test-client-id",
+            clientSecret: "test-client-secret",
+        };
+        (0, bun_test_1.expect)(provider.clientId).toBe("test-client-id");
+        (0, bun_test_1.expect)(provider.clientSecret).toBe("test-client-secret");
+    });
+    (0, bun_test_1.it)("defines BetterAuthConfig interface correctly", function () {
+        var _a, _b;
+        var config = {
+            basePath: "/api/auth",
+            baseURL: "http://localhost:3000",
+            enabled: true,
+            githubOAuth: {
+                clientId: "github-client-id",
+                clientSecret: "github-client-secret",
+            },
+            googleOAuth: {
+                clientId: "google-client-id",
+                clientSecret: "google-client-secret",
+            },
+            secret: "test-secret",
+            trustedOrigins: ["terreno://", "exp://"],
+        };
+        (0, bun_test_1.expect)(config.enabled).toBe(true);
+        (0, bun_test_1.expect)((_a = config.googleOAuth) === null || _a === void 0 ? void 0 : _a.clientId).toBe("google-client-id");
+        (0, bun_test_1.expect)((_b = config.githubOAuth) === null || _b === void 0 ? void 0 : _b.clientId).toBe("github-client-id");
+        (0, bun_test_1.expect)(config.trustedOrigins).toContain("terreno://");
+        (0, bun_test_1.expect)(config.basePath).toBe("/api/auth");
+    });
+    (0, bun_test_1.it)("allows minimal BetterAuthConfig", function () {
+        var minimalConfig = {
+            enabled: false,
+        };
+        (0, bun_test_1.expect)(minimalConfig.enabled).toBe(false);
+        (0, bun_test_1.expect)(minimalConfig.googleOAuth).toBeUndefined();
+        (0, bun_test_1.expect)(minimalConfig.basePath).toBeUndefined();
+    });
+    (0, bun_test_1.it)("defines AuthProvider type correctly", function () {
+        var jwtProvider = "jwt";
+        var betterAuthProvider = "better-auth";
+        (0, bun_test_1.expect)(jwtProvider).toBe("jwt");
+        (0, bun_test_1.expect)(betterAuthProvider).toBe("better-auth");
+    });
+});
+(0, bun_test_1.describe)("Better Auth setup", function () {
+    (0, bun_test_1.it)("syncBetterAuthUser creates a new user when not found", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var betterAuthUser;
+        return __generator(this, function (_a) {
+            betterAuthUser = {
+                createdAt: new Date(),
+                email: "test@example.com",
+                emailVerified: true,
+                id: "ba-user-123",
+                image: null,
+                name: "Test User",
+                updatedAt: new Date(),
+            };
+            (0, bun_test_1.expect)(betterAuthUser.id).toBe("ba-user-123");
+            (0, bun_test_1.expect)(betterAuthUser.email).toBe("test@example.com");
+            (0, bun_test_1.expect)(betterAuthUser.name).toBe("Test User");
+            return [2 /*return*/];
+        });
+    }); });
+    (0, bun_test_1.it)("BetterAuthSession has correct structure", function () {
+        var session = {
+            createdAt: new Date(),
+            expiresAt: new Date(Date.now() + 3600000),
+            id: "session-123",
+            ipAddress: "127.0.0.1",
+            updatedAt: new Date(),
+            userAgent: "Mozilla/5.0",
+            userId: "user-456",
+        };
+        (0, bun_test_1.expect)(session.id).toBe("session-123");
+        (0, bun_test_1.expect)(session.userId).toBe("user-456");
+        (0, bun_test_1.expect)(session.expiresAt.getTime()).toBeGreaterThan(Date.now());
+    });
+    (0, bun_test_1.it)("BetterAuthSessionData combines session and user", function () {
+        var sessionData = {
+            session: {
+                createdAt: new Date(),
+                expiresAt: new Date(),
+                id: "session-123",
+                ipAddress: null,
+                updatedAt: new Date(),
+                userAgent: null,
+                userId: "user-456",
+            },
+            user: {
+                createdAt: new Date(),
+                email: "test@example.com",
+                emailVerified: false,
+                id: "user-456",
+                image: null,
+                name: "Test",
+                updatedAt: new Date(),
+            },
+        };
+        (0, bun_test_1.expect)(sessionData.session.userId).toBe(sessionData.user.id);
+    });
+});
+(0, bun_test_1.describe)("Better Auth config validation", function () {
+    (0, bun_test_1.it)("basePath defaults to /api/auth when not specified", function () {
+        var _a;
+        var config = {
+            enabled: true,
+        };
+        var basePath = (_a = config.basePath) !== null && _a !== void 0 ? _a : "/api/auth";
+        (0, bun_test_1.expect)(basePath).toBe("/api/auth");
+    });
+    (0, bun_test_1.it)("trustedOrigins defaults to empty array when not specified", function () {
+        var _a;
+        var config = {
+            enabled: true,
+        };
+        var trustedOrigins = (_a = config.trustedOrigins) !== null && _a !== void 0 ? _a : [];
+        (0, bun_test_1.expect)(trustedOrigins).toEqual([]);
+    });
+    (0, bun_test_1.it)("supports multiple OAuth providers simultaneously", function () {
+        var config = {
+            appleOAuth: {
+                clientId: "apple-id",
+                clientSecret: "apple-secret",
+            },
+            enabled: true,
+            githubOAuth: {
+                clientId: "github-id",
+                clientSecret: "github-secret",
+            },
+            googleOAuth: {
+                clientId: "google-id",
+                clientSecret: "google-secret",
+            },
+        };
+        (0, bun_test_1.expect)(config.googleOAuth).toBeDefined();
+        (0, bun_test_1.expect)(config.githubOAuth).toBeDefined();
+        (0, bun_test_1.expect)(config.appleOAuth).toBeDefined();
+    });
+});

package/dist/betterAuthApp.d.ts

@@ -0,0 +1,22 @@
+/**
+ * BetterAuthApp plugin for @terreno/api.
+ *
+ * Registers Better Auth as a TerrenoPlugin, mounting routes, session middleware,
+ * and user sync on an existing Express application.
+ */
+import type express from "express";
+import type { UserModel } from "./auth";
+import type { BetterAuthConfig } from "./betterAuth";
+import { type BetterAuthInstance } from "./betterAuthSetup";
+import type { TerrenoPlugin } from "./terrenoPlugin";
+export interface BetterAuthAppOptions {
+    config: BetterAuthConfig;
+    userModel?: UserModel;
+}
+export declare class BetterAuthApp implements TerrenoPlugin {
+    private auth;
+    private options;
+    constructor(options: BetterAuthAppOptions);
+    register(app: express.Application): void;
+    getAuth(): BetterAuthInstance | undefined;
+}

package/dist/betterAuthApp.js

@@ -0,0 +1,38 @@
+"use strict";
+/**
+ * BetterAuthApp plugin for @terreno/api.
+ *
+ * Registers Better Auth as a TerrenoPlugin, mounting routes, session middleware,
+ * and user sync on an existing Express application.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BetterAuthApp = void 0;
+var betterAuthSetup_1 = require("./betterAuthSetup");
+var logger_1 = require("./logger");
+var BetterAuthApp = /** @class */ (function () {
+    function BetterAuthApp(options) {
+        this.options = options;
+    }
+    BetterAuthApp.prototype.register = function (app) {
+        var _a;
+        var _b = this.options, config = _b.config, userModel = _b.userModel;
+        var mongoClient = (0, betterAuthSetup_1.getMongoClientFromMongoose)();
+        this.auth = (0, betterAuthSetup_1.createBetterAuth)({
+            config: config,
+            mongoClient: mongoClient,
+            userModel: userModel,
+        });
+        var basePath = (_a = config.basePath) !== null && _a !== void 0 ? _a : "/api/auth";
+        (0, betterAuthSetup_1.mountBetterAuthRoutes)(app, this.auth, basePath);
+        app.use((0, betterAuthSetup_1.createBetterAuthSessionMiddleware)(this.auth, userModel));
+        if (userModel) {
+            (0, betterAuthSetup_1.setupBetterAuthUserSync)(this.auth, userModel);
+        }
+        logger_1.logger.info("Better Auth initialized via BetterAuthApp plugin");
+    };
+    BetterAuthApp.prototype.getAuth = function () {
+        return this.auth;
+    };
+    return BetterAuthApp;
+}());
+exports.BetterAuthApp = BetterAuthApp;

package/dist/betterAuthApp.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/betterAuthApp.test.js

@@ -0,0 +1,242 @@
+"use strict";
+var __assign = (this && this.__assign) || function () {
+    __assign = Object.assign || function(t) {
+        for (var s, i = 1, n = arguments.length; i < n; i++) {
+            s = arguments[i];
+            for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
+                t[p] = s[p];
+        }
+        return t;
+    };
+    return __assign.apply(this, arguments);
+};
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype);
+    return g.next = verb(0), g["throw"] = verb(1), g["return"] = verb(2), typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+var bun_test_1 = require("bun:test");
+var express_1 = __importDefault(require("express"));
+var mongodb_memory_server_1 = require("mongodb-memory-server");
+var mongoose_1 = __importStar(require("mongoose"));
+var betterAuthApp_1 = require("./betterAuthApp");
+var conn;
+var mongod;
+var TestUser;
+var testUserSchema = new mongoose_1.Schema({
+    admin: { default: false, type: Boolean },
+    betterAuthId: { type: String },
+    email: { required: true, type: String },
+    name: { type: String },
+    oauthProvider: { type: String },
+});
+var setup = (function () { return __awaiter(void 0, void 0, void 0, function () {
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0: return [4 /*yield*/, mongodb_memory_server_1.MongoMemoryServer.create()];
+            case 1:
+                mongod = _a.sent();
+                conn = mongoose_1.default.createConnection(mongod.getUri());
+                return [4 /*yield*/, conn.asPromise()];
+            case 2:
+                _a.sent();
+                TestUser = conn.model("BetterAuthAppTestUser", testUserSchema);
+                return [2 /*return*/];
+        }
+    });
+}); })();
+(0, bun_test_1.afterAll)(function () { return __awaiter(void 0, void 0, void 0, function () {
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0: return [4 /*yield*/, (conn === null || conn === void 0 ? void 0 : conn.close())];
+            case 1:
+                _a.sent();
+                return [4 /*yield*/, (mongod === null || mongod === void 0 ? void 0 : mongod.stop())];
+            case 2:
+                _a.sent();
+                return [2 /*return*/];
+        }
+    });
+}); });
+(0, bun_test_1.afterEach)(function () { return __awaiter(void 0, void 0, void 0, function () {
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0: return [4 /*yield*/, setup];
+            case 1:
+                _a.sent();
+                return [4 /*yield*/, TestUser.deleteMany({})];
+            case 2:
+                _a.sent();
+                return [2 /*return*/];
+        }
+    });
+}); });
+(0, bun_test_1.describe)("BetterAuthApp", function () {
+    var makeConfig = function (overrides) {
+        if (overrides === void 0) { overrides = {}; }
+        return (__assign({ baseURL: "http://localhost:3000", enabled: true, secret: "test-secret-at-least-32-characters-long" }, overrides));
+    };
+    (0, bun_test_1.it)("registers on an express app without throwing", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var app, plugin;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, setup];
+                case 1:
+                    _a.sent();
+                    app = (0, express_1.default)();
+                    app.use(express_1.default.json());
+                    plugin = new betterAuthApp_1.BetterAuthApp({
+                        config: makeConfig(),
+                    });
+                    (0, bun_test_1.expect)(function () { return plugin.register(app); }).not.toThrow();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("exposes the Better Auth instance after register", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var app, plugin;
+        var _a;
+        return __generator(this, function (_b) {
+            switch (_b.label) {
+                case 0: return [4 /*yield*/, setup];
+                case 1:
+                    _b.sent();
+                    app = (0, express_1.default)();
+                    app.use(express_1.default.json());
+                    plugin = new betterAuthApp_1.BetterAuthApp({
+                        config: makeConfig(),
+                    });
+                    (0, bun_test_1.expect)(plugin.getAuth()).toBeUndefined();
+                    plugin.register(app);
+                    (0, bun_test_1.expect)(plugin.getAuth()).toBeDefined();
+                    (0, bun_test_1.expect)((_a = plugin.getAuth()) === null || _a === void 0 ? void 0 : _a.api).toBeDefined();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("registers with a userModel", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var app, plugin;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, setup];
+                case 1:
+                    _a.sent();
+                    app = (0, express_1.default)();
+                    app.use(express_1.default.json());
+                    plugin = new betterAuthApp_1.BetterAuthApp({
+                        config: makeConfig(),
+                        userModel: TestUser,
+                    });
+                    (0, bun_test_1.expect)(function () { return plugin.register(app); }).not.toThrow();
+                    (0, bun_test_1.expect)(plugin.getAuth()).toBeDefined();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("registers with a custom basePath", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var app, plugin;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, setup];
+                case 1:
+                    _a.sent();
+                    app = (0, express_1.default)();
+                    app.use(express_1.default.json());
+                    plugin = new betterAuthApp_1.BetterAuthApp({
+                        config: makeConfig({ basePath: "/custom/auth" }),
+                    });
+                    (0, bun_test_1.expect)(function () { return plugin.register(app); }).not.toThrow();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("registers with social providers", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var app, plugin;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, setup];
+                case 1:
+                    _a.sent();
+                    app = (0, express_1.default)();
+                    app.use(express_1.default.json());
+                    plugin = new betterAuthApp_1.BetterAuthApp({
+                        config: makeConfig({
+                            githubOAuth: { clientId: "gh-id", clientSecret: "gh-secret" },
+                            googleOAuth: { clientId: "g-id", clientSecret: "g-secret" },
+                        }),
+                    });
+                    (0, bun_test_1.expect)(function () { return plugin.register(app); }).not.toThrow();
+                    (0, bun_test_1.expect)(plugin.getAuth()).toBeDefined();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+});

package/dist/betterAuthSetup.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Better Auth setup and initialization for @terreno/api.
+ *
+ * This module provides functions to initialize Better Auth with MongoDB,
+ * create session middleware, and sync users with the application User model.
+ */
+import { betterAuth } from "better-auth";
+import type { Application, NextFunction, Request, Response } from "express";
+import type { UserModel } from "./auth";
+import type { BetterAuthConfig, BetterAuthSessionData, BetterAuthUser } from "./betterAuth";
+/**
+ * The Better Auth instance type.
+ */
+export type BetterAuthInstance = ReturnType<typeof betterAuth>;
+/**
+ * Options for creating a Better Auth instance.
+ */
+export interface CreateBetterAuthOptions {
+    config: BetterAuthConfig;
+    mongoClient: any;
+    userModel?: UserModel;
+}
+/**
+ * Creates a Better Auth instance with MongoDB adapter.
+ */
+export declare const createBetterAuth: (options: CreateBetterAuthOptions) => BetterAuthInstance;
+/**
+ * Creates Express middleware that extracts the Better Auth session
+ * and populates req.user with the application User model.
+ */
+export declare const createBetterAuthSessionMiddleware: (auth: BetterAuthInstance, userModel?: UserModel) => (req: Request, _res: Response, next: NextFunction) => Promise<void>;
+/**
+ * Syncs a Better Auth user to the application User model.
+ * Creates or updates the user as needed.
+ */
+export declare const syncBetterAuthUser: (userModel: UserModel, betterAuthUser: BetterAuthUser, oauthProvider?: string) => Promise<any>;
+/**
+ * Mounts Better Auth routes on the Express app.
+ */
+export declare const mountBetterAuthRoutes: (app: Application, auth: BetterAuthInstance, basePath?: string) => void;
+/**
+ * Gets the MongoDB client from the mongoose connection.
+ */
+export declare const getMongoClientFromMongoose: () => any;
+/**
+ * Sets up Better Auth user sync hooks.
+ * This ensures users created/updated in Better Auth are synced to the application User model.
+ *
+ * Note: Better Auth doesn't have built-in event hooks, so we rely on the session middleware
+ * to create users on first session access.
+ */
+export declare const setupBetterAuthUserSync: (_auth: BetterAuthInstance, _userModel: UserModel) => void;
+/**
+ * Extracts Better Auth session data from the request.
+ */
+export declare const getBetterAuthSession: (req: Request) => BetterAuthSessionData | null;
+/**
+ * Checks if the request has a valid Better Auth session.
+ */
+export declare const hasBetterAuthSession: (req: Request) => boolean;