@unifiedcommerce/core 0.3.2 → 0.3.4

package/dist/auth/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAC9C,OAAO,KAAK,EAAmB,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AA0B/C,wBAAgB,cAAc,CAC5B,IAAI,EAAE,YAAY,EAClB,MAAM,EAAE,cAAc,GACrB,iBAAiB,CAqInB"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAC9C,OAAO,KAAK,EAAmB,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AA0B/C,wBAAgB,cAAc,CAC5B,IAAI,EAAE,YAAY,EAClB,MAAM,EAAE,cAAc,GACrB,iBAAiB,CAsInB"}

package/dist/auth/middleware.js

@@ -34,6 +34,7 @@ export function authMiddleware(auth, config) {
                 try {
                     const org = await auth.api.getFullOrganization({
                         query: { organizationId: orgId ?? DEFAULT_ORG_ID },
+                        headers: c.req.raw.headers,
                     });
                     if (org?.members) {
                         const membership = org.members.find((m) => m.userId === session.user.id);

package/dist/auth/setup.d.ts

@@ -1,69 +1,29 @@
+import { betterAuth } from "better-auth";
+import { apiKey } from "@better-auth/api-key";
+import { organization, twoFactor, phoneNumber, jwt, bearer } from "better-auth/plugins";
 import type { CommerceConfig } from "../config/types.js";
 import type { DatabaseAdapter } from "../kernel/database/adapter.js";
-/** Member shape returned by Better Auth's organization plugin */
-export interface OrgMember {
-    id: string;
-    userId: string;
-    organizationId: string;
-    role: string;
-    createdAt: string;
-}
-export interface AuthInstance {
-    handler(request: Request): Promise<Response>;
-    api: {
-        getSession(input: {
-            headers: Headers;
-        }): Promise<unknown>;
-        getActiveMemberRole?: (input: {
-            headers: Headers;
-        }) => Promise<{
-            role: string;
-        } | null>;
-        getFullOrganization?: (input: {
-            query: {
-                organizationId: string;
-            };
-        }) => Promise<{
-            id: string;
-            name: string;
-            members: OrgMember[];
-        } | null>;
-        listMembers?: (input: {
-            query: {
-                organizationId: string;
-            };
-        }) => Promise<OrgMember[]>;
-        verifyApiKey?: (input: {
-            body: {
-                key: string;
-                permissions?: Record<string, string[]>;
-            };
-        }) => Promise<{
-            valid: boolean;
-            error: {
-                message: string;
-                code: string;
-            } | null;
-            key: Record<string, unknown> | null;
-        }>;
-        createApiKey?: (input: {
-            body: {
-                configId?: string;
-                name?: string;
-                permissions?: Record<string, string[]>;
-                userId?: string;
-                organizationId?: string;
-            };
-            headers?: Headers;
-        }) => Promise<{
-            key: string;
-            id: string;
-        }>;
-        /** Allow access to other Better Auth API methods added by plugins */
-        [key: string]: unknown;
-    };
-    options?: Record<string, unknown>;
-    $context?: Promise<unknown>;
-}
+/**
+ * The auth type is inferred from `typeof betterAuth(...)` with all plugins enabled.
+ * This gives us the full API surface without manual interface maintenance.
+ *
+ * We use a type-level-only reference (never executed) to capture the complete type.
+ */
+type FullBetterAuth = ReturnType<typeof betterAuth<{
+    plugins: [
+        ReturnType<typeof organization>,
+        ReturnType<typeof bearer>,
+        ReturnType<typeof jwt>,
+        ReturnType<typeof twoFactor>,
+        ReturnType<typeof apiKey>,
+        ReturnType<typeof phoneNumber>
+    ];
+}>>;
+/**
+ * AuthInstance — inferred from Better Auth with all plugins.
+ * No manual type maintenance needed.
+ */
+export type AuthInstance = FullBetterAuth;
 export declare function createAuth(db: DatabaseAdapter, config: CommerceConfig): AuthInstance;
+export {};
 //# sourceMappingURL=setup.d.ts.map

package/dist/auth/setup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/auth/setup.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAgCrE,iEAAiE;AACjE,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7C,GAAG,EAAE;QACH,UAAU,CAAC,KAAK,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAG1D,mBAAmB,CAAC,EAAE,CAAC,KAAK,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,KAAK,OAAO,CAAC;YAAE,IAAI,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC,CAAC;QACxF,mBAAmB,CAAC,EAAE,CAAC,KAAK,EAAE;YAAE,KAAK,EAAE;gBAAE,cAAc,EAAE,MAAM,CAAA;aAAE,CAAA;SAAE,KAAK,OAAO,CAAC;YAC9E,EAAE,EAAE,MAAM,CAAC;YACX,IAAI,EAAE,MAAM,CAAC;YACb,OAAO,EAAE,SAAS,EAAE,CAAC;SACtB,GAAG,IAAI,CAAC,CAAC;QACV,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE;YAAE,KAAK,EAAE;gBAAE,cAAc,EAAE,MAAM,CAAA;aAAE,CAAA;SAAE,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;QAGrF,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE;YACrB,IAAI,EAAE;gBAAE,GAAG,EAAE,MAAM,CAAC;gBAAC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;aAAE,CAAC;SAC/D,KAAK,OAAO,CAAC;YACZ,KAAK,EAAE,OAAO,CAAC;YACf,KAAK,EAAE;gBAAE,OAAO,EAAE,MAAM,CAAC;gBAAC,IAAI,EAAE,MAAM,CAAA;aAAE,GAAG,IAAI,CAAC;YAChD,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;SACrC,CAAC,CAAC;QACH,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE;YACrB,IAAI,EAAE;gBACJ,QAAQ,CAAC,EAAE,MAAM,CAAC;gBAClB,IAAI,CAAC,EAAE,MAAM,CAAC;gBACd,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;gBACvC,MAAM,CAAC,EAAE,MAAM,CAAC;gBAChB,cAAc,CAAC,EAAE,MAAM,CAAC;aACzB,CAAC;YACF,OAAO,CAAC,EAAE,OAAO,CAAC;SACnB,KAAK,OAAO,CAAC;YAAE,GAAG,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAE3C,qEAAqE;QACrE,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;IACF,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,QAAQ,CAAC,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;CAC7B;AAED,wBAAgB,UAAU,CACxB,EAAE,EAAE,eAAe,EACnB,MAAM,EAAE,cAAc,GACrB,YAAY,CAuHd"}
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/auth/setup.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AACxF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAiBrE;;;;;GAKG;AACH,KAAK,cAAc,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC;IACjD,OAAO,EAAE;QACP,UAAU,CAAC,OAAO,YAAY,CAAC;QAC/B,UAAU,CAAC,OAAO,MAAM,CAAC;QACzB,UAAU,CAAC,OAAO,GAAG,CAAC;QACtB,UAAU,CAAC,OAAO,SAAS,CAAC;QAC5B,UAAU,CAAC,OAAO,MAAM,CAAC;QACzB,UAAU,CAAC,OAAO,WAAW,CAAC;KAC/B,CAAC;CACH,CAAC,CAAC,CAAC;AAEJ;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,cAAc,CAAC;AAE1C,wBAAgB,UAAU,CACxB,EAAE,EAAE,eAAe,EACnB,MAAM,EAAE,cAAc,GACrB,YAAY,CA+Gd"}

package/dist/auth/setup.js

@@ -4,24 +4,17 @@ import { apiKey } from "@better-auth/api-key";
 import { organization, twoFactor, phoneNumber, jwt, bearer } from "better-auth/plugins";
 import * as authSchema from "./auth-schema.js";
 function resolveAuthDbProvider(provider) {
-    if (provider === "postgres" ||
-        provider === "postgresql" ||
-        provider === "pg") {
+    if (provider === "postgres" || provider === "postgresql" || provider === "pg")
         return "pg";
-    }
-    if (provider === "mysql") {
+    if (provider === "mysql")
         return "mysql";
-    }
-    if (provider === "sqlite") {
+    if (provider === "sqlite")
         return "sqlite";
-    }
-    throw new Error(`Unsupported auth database provider "${provider}". Expected one of: postgres, mysql, sqlite.`);
+    throw new Error(`Unsupported auth database provider "${provider}".`);
 }
 export function createAuth(db, config) {
     const plugins = [
         organization({
-            // Better Auth's Role includes `authorize` and `statements` fields that
-            // our RoleDefinition doesn't have. Double-cast is required — upstream type gap.
             roles: (config.auth?.roles ?? {}),
         }),
         bearer(),
@@ -30,7 +23,6 @@ export function createAuth(db, config) {
     if (config.auth?.twoFactor?.enabled) {
         plugins.push(twoFactor({ issuer: config.storeName ?? "UnifiedCommerce" }));
     }
-    // Configure API key plugin — one config per defined scope, or a single default config.
     const scopes = config.auth?.apiKeyScopes;
     if (scopes && Object.keys(scopes).length > 0) {
         const apiKeyConfigs = Object.entries(scopes).map(([scopeId, scope]) => ({
@@ -62,11 +54,8 @@ export function createAuth(db, config) {
             },
         }));
     }
-    // API key support can be attached via external plugin package in newer better-auth versions.
     try {
         const auth = betterAuth({
-            // Better Auth's drizzle adapter expects a plain object, not PgDatabase.
-            // Double-cast required — PgDatabase has no index signature.
             database: drizzleAdapter(db.db, {
                 provider: resolveAuthDbProvider(db.provider),
                 schema: authSchema,
@@ -100,7 +89,7 @@ export function createAuth(db, config) {
                 updateAge: 60 * 60 * 24,
                 cookieCache: {
                     enabled: true,
-                    maxAge: 60 * 5, // 5 minute cookie cache for performance
+                    maxAge: 60 * 5,
                 },
             },
             advanced: {
@@ -115,10 +104,8 @@ export function createAuth(db, config) {
                 },
             },
         });
-        // Better Auth's plugin-extended return type is structurally incompatible with
-        // our simplified AuthInstance interface (upstream generic union vs our narrowed shape).
-        // Double-cast is the accepted pattern — same approach used by PayloadCMS.
-        // @see https://github.com/better-auth/better-auth/discussions
+        // The runtime return matches FullBetterAuth structurally — plugins may differ
+        // at runtime (conditional) but the API surface is a superset.
         return auth;
     }
     catch (error) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@unifiedcommerce/core",
-  "version": "0.3.2",
+  "version": "0.3.4",
   "type": "module",
   "exports": {
     ".": {

package/src/auth/middleware.ts

@@ -50,6 +50,7 @@ export function authMiddleware(
         try {
           const org = await auth.api.getFullOrganization({
             query: { organizationId: orgId ?? DEFAULT_ORG_ID },
+            headers: c.req.raw.headers,
           });
           if (org?.members) {
             const membership = org.members.find(

package/src/auth/setup.ts

@@ -10,80 +10,39 @@ import * as authSchema from "./auth-schema.js";
 type BetterAuthDbProvider = "pg" | "mysql" | "sqlite";
 
 function resolveAuthDbProvider(provider: string): BetterAuthDbProvider {
-  if (
-    provider === "postgres" ||
-    provider === "postgresql" ||
-    provider === "pg"
-  ) {
-    return "pg";
-  }
-  if (provider === "mysql") {
-    return "mysql";
-  }
-  if (provider === "sqlite") {
-    return "sqlite";
-  }
-  throw new Error(
-    `Unsupported auth database provider "${provider}". Expected one of: postgres, mysql, sqlite.`,
-  );
+  if (provider === "postgres" || provider === "postgresql" || provider === "pg") return "pg";
+  if (provider === "mysql") return "mysql";
+  if (provider === "sqlite") return "sqlite";
+  throw new Error(`Unsupported auth database provider "${provider}".`);
 }
 
 interface AuthEmailPayload {
-  user: {
-    email: string;
-    name: string | null;
-  };
+  user: { email: string; name: string | null };
   url: string;
 }
 
-/** Member shape returned by Better Auth's organization plugin */
-export interface OrgMember {
-  id: string;
-  userId: string;
-  organizationId: string;
-  role: string;
-  createdAt: string;
-}
-
-export interface AuthInstance {
-  handler(request: Request): Promise<Response>;
-  api: {
-    getSession(input: { headers: Headers }): Promise<unknown>;
-
-    // Organization plugin methods
-    getActiveMemberRole?: (input: { headers: Headers }) => Promise<{ role: string } | null>;
-    getFullOrganization?: (input: { query: { organizationId: string } }) => Promise<{
-      id: string;
-      name: string;
-      members: OrgMember[];
-    } | null>;
-    listMembers?: (input: { query: { organizationId: string } }) => Promise<OrgMember[]>;
-
-    // API key plugin methods
-    verifyApiKey?: (input: {
-      body: { key: string; permissions?: Record<string, string[]> };
-    }) => Promise<{
-      valid: boolean;
-      error: { message: string; code: string } | null;
-      key: Record<string, unknown> | null;
-    }>;
-    createApiKey?: (input: {
-      body: {
-        configId?: string;
-        name?: string;
-        permissions?: Record<string, string[]>;
-        userId?: string;
-        organizationId?: string;
-      };
-      headers?: Headers;
-    }) => Promise<{ key: string; id: string }>;
+/**
+ * The auth type is inferred from `typeof betterAuth(...)` with all plugins enabled.
+ * This gives us the full API surface without manual interface maintenance.
+ *
+ * We use a type-level-only reference (never executed) to capture the complete type.
+ */
+type FullBetterAuth = ReturnType<typeof betterAuth<{
+  plugins: [
+    ReturnType<typeof organization>,
+    ReturnType<typeof bearer>,
+    ReturnType<typeof jwt>,
+    ReturnType<typeof twoFactor>,
+    ReturnType<typeof apiKey>,
+    ReturnType<typeof phoneNumber>,
+  ];
+}>>;
 
-    /** Allow access to other Better Auth API methods added by plugins */
-    [key: string]: unknown;
-  };
-  options?: Record<string, unknown>;
-  $context?: Promise<unknown>;
-}
+/**
+ * AuthInstance — inferred from Better Auth with all plugins.
+ * No manual type maintenance needed.
+ */
+export type AuthInstance = FullBetterAuth;
 
 export function createAuth(
   db: DatabaseAdapter,
@@ -98,8 +57,6 @@ export function createAuth(
     | ReturnType<typeof bearer>
   > = [
     organization({
-      // Better Auth's Role includes `authorize` and `statements` fields that
-      // our RoleDefinition doesn't have. Double-cast is required — upstream type gap.
       roles: (config.auth?.roles ?? {}) as unknown as Record<string, Role | undefined>,
     }),
     bearer(),
@@ -110,7 +67,6 @@ export function createAuth(
     plugins.push(twoFactor({ issuer: config.storeName ?? "UnifiedCommerce" }));
   }
 
-  // Configure API key plugin — one config per defined scope, or a single default config.
   const scopes = config.auth?.apiKeyScopes;
   if (scopes && Object.keys(scopes).length > 0) {
     const apiKeyConfigs = Object.entries(scopes).map(([scopeId, scope]) => ({
@@ -143,12 +99,8 @@ export function createAuth(
     }));
   }
 
-  // API key support can be attached via external plugin package in newer better-auth versions.
-
   try {
     const auth = betterAuth({
-      // Better Auth's drizzle adapter expects a plain object, not PgDatabase.
-      // Double-cast required — PgDatabase has no index signature.
       database: drizzleAdapter(db.db as unknown as Record<string, unknown>, {
         provider: resolveAuthDbProvider(db.provider),
         schema: authSchema,
@@ -180,7 +132,7 @@ export function createAuth(
         updateAge: 60 * 60 * 24,
         cookieCache: {
           enabled: true,
-          maxAge: 60 * 5,  // 5 minute cookie cache for performance
+          maxAge: 60 * 5,
         },
       },
       advanced: {
@@ -195,10 +147,9 @@ export function createAuth(
         },
       },
     });
-    // Better Auth's plugin-extended return type is structurally incompatible with
-    // our simplified AuthInstance interface (upstream generic union vs our narrowed shape).
-    // Double-cast is the accepted pattern — same approach used by PayloadCMS.
-    // @see https://github.com/better-auth/better-auth/discussions
+
+    // The runtime return matches FullBetterAuth structurally — plugins may differ
+    // at runtime (conditional) but the API surface is a superset.
     return auth as unknown as AuthInstance;
   } catch (error) {
     const message =