@vobase/core 0.10.0 → 0.12.0

package/src/modules/auth/index.ts

@@ -0,0 +1,101 @@
+import { Hono } from 'hono';
+import { betterAuth } from 'better-auth';
+import type { SocialProviders } from 'better-auth/social-providers';
+import { drizzleAdapter } from 'better-auth/adapters/drizzle';
+import { apiKey } from '@better-auth/api-key';
+import { organization } from 'better-auth/plugins';
+
+import type { AuthAdapter } from '../../contracts/auth';
+import type { VobaseDb } from '../../db/client';
+import { defineBuiltinModule } from '../../module';
+import type { VobaseModule } from '../../module';
+import { authSchema, apikeySchema, organizationSchema } from './schema';
+import { createAuthAuditHooks } from './audit-hooks';
+import { setOrganizationEnabled } from './permissions';
+
+export interface AuthModuleConfig {
+  baseURL?: string;
+  trustedOrigins?: string[];
+  socialProviders?: SocialProviders;
+  /** Enable the organization plugin for multi-tenant support. Default: false */
+  organization?: boolean;
+}
+
+export type AuthModule = VobaseModule & {
+  adapter: AuthAdapter;
+  /** Validate an API key and return the owning user. Returns null if invalid. */
+  verifyApiKey: (key: string) => Promise<{ userId: string } | null>;
+  /** Whether the organization plugin is enabled */
+  organizationEnabled: boolean;
+};
+
+export function createAuthModule(db: VobaseDb, config?: AuthModuleConfig): AuthModule {
+  const baseURL = config?.baseURL ?? process.env.BETTER_AUTH_URL;
+  const orgEnabled = config?.organization ?? false;
+
+  // Tell the permission middleware whether org is enabled
+  setOrganizationEnabled(orgEnabled);
+
+  // Build plugin list
+  const plugins: any[] = [apiKey()];
+  if (orgEnabled) {
+    plugins.push(organization());
+  }
+
+  // Build schema for the adapter — always includes apikey, conditionally includes org
+  const adapterSchema = {
+    ...authSchema,
+    ...apikeySchema,
+    ...(orgEnabled ? organizationSchema : {}),
+  };
+
+  const auth = betterAuth({
+    database: drizzleAdapter(db, { provider: 'sqlite', schema: adapterSchema }),
+    ...(baseURL && { baseURL }),
+    emailAndPassword: {
+      enabled: true,
+    },
+    ...(config?.socialProviders && { socialProviders: config.socialProviders }),
+    user: {
+      additionalFields: {
+        role: {
+          type: 'string',
+          defaultValue: 'user',
+          input: false,
+        },
+      },
+    },
+    plugins,
+    hooks: createAuthAuditHooks(db),
+    ...(config?.trustedOrigins && { trustedOrigins: config.trustedOrigins }),
+  });
+
+  const adapter: AuthAdapter = {
+    getSession: (headers) => auth.api.getSession({ headers }),
+    handler: (request) => auth.handler(request),
+  };
+
+  const verifyApiKey = async (key: string): Promise<{ userId: string } | null> => {
+    try {
+      const result = await (auth.api as any).verifyApiKey({ body: { key } });
+      if (result && result.valid && result.key?.userId) {
+        return { userId: result.key.userId };
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  };
+
+  const mod = defineBuiltinModule({
+    name: '_auth',
+    schema: adapterSchema,
+    routes: new Hono(),
+  });
+
+  return { ...mod, adapter, verifyApiKey, organizationEnabled: orgEnabled };
+}
+
+export { authSchema } from './schema';
+export { sessionMiddleware, optionalSessionMiddleware } from './middleware';
+export { createAuthAuditHooks } from './audit-hooks';

package/src/modules/auth/middleware.ts

@@ -0,0 +1,51 @@
+import { createMiddleware } from 'hono/factory';
+
+import type { AuthAdapter } from '../../contracts/auth';
+import { unauthorized } from '../../infra/errors';
+
+declare module 'hono' {
+  interface ContextVariableMap {
+    user: { id: string; email: string; name: string; role: string; activeOrganizationId?: string } | null;
+  }
+}
+
+export function sessionMiddleware(adapter: AuthAdapter) {
+  return createMiddleware(async (c, next) => {
+    const session = await adapter.getSession(c.req.raw.headers);
+
+    if (!session) {
+      throw unauthorized();
+    }
+
+    c.set('user', {
+      id: session.user.id,
+      email: session.user.email,
+      name: session.user.name,
+      role: session.user.role ?? 'user',
+      activeOrganizationId: session.user.activeOrganizationId,
+    });
+
+    await next();
+  });
+}
+
+export function optionalSessionMiddleware(adapter: AuthAdapter) {
+  return createMiddleware(async (c, next) => {
+    const session = await adapter.getSession(c.req.raw.headers);
+
+    c.set(
+      'user',
+      session
+        ? {
+            id: session.user.id,
+            email: session.user.email,
+            name: session.user.name,
+            role: session.user.role ?? 'user',
+            activeOrganizationId: session.user.activeOrganizationId,
+          }
+        : null,
+    );
+
+    await next();
+  });
+}

package/src/modules/auth/permissions.ts

@@ -0,0 +1,46 @@
+import { createMiddleware } from 'hono/factory';
+import { forbidden } from '../../infra/errors';
+
+let _organizationEnabled = false;
+
+export function setOrganizationEnabled(enabled: boolean) {
+  _organizationEnabled = enabled;
+}
+
+export function requireRole(...roles: string[]) {
+  return createMiddleware(async (c, next) => {
+    const user = c.get('user');
+    if (!user || !roles.includes(user.role)) {
+      throw forbidden('Insufficient role');
+    }
+    await next();
+  });
+}
+
+export function requirePermission(..._permissions: string[]) {
+  if (!_organizationEnabled) {
+    throw new Error(
+      'Organization plugin required for permission-based auth. Use requireRole() instead or enable organization in config.',
+    );
+  }
+  return createMiddleware(async (c, next) => {
+    const user = c.get('user');
+    if (!user) throw forbidden('Authentication required');
+    await next();
+  });
+}
+
+export function requireOrg() {
+  if (!_organizationEnabled) {
+    throw new Error(
+      'Organization plugin required. Enable organization in config.',
+    );
+  }
+  return createMiddleware(async (c, next) => {
+    const user = c.get('user');
+    if (!user?.activeOrganizationId) {
+      throw forbidden('Active organization required');
+    }
+    await next();
+  });
+}

package/src/modules/auth/schema.ts

@@ -0,0 +1,184 @@
+import { index, integer, sqliteTable, text } from 'drizzle-orm/sqlite-core';
+
+export const authUser = sqliteTable('user', {
+  id: text('id').primaryKey(),
+  name: text('name').notNull(),
+  email: text('email').notNull().unique(),
+  emailVerified: integer('email_verified', { mode: 'boolean' })
+    .notNull()
+    .default(false),
+  image: text('image'),
+  role: text('role').notNull().default('user'),
+  createdAt: integer('created_at', { mode: 'timestamp_ms' })
+    .notNull()
+    .$defaultFn(() => new Date()),
+  updatedAt: integer('updated_at', { mode: 'timestamp_ms' })
+    .notNull()
+    .$defaultFn(() => new Date())
+    .$onUpdate(() => new Date()),
+});
+
+export const authSession = sqliteTable(
+  'session',
+  {
+    id: text('id').primaryKey(),
+    expiresAt: integer('expires_at', { mode: 'timestamp_ms' }).notNull(),
+    token: text('token').notNull().unique(),
+    createdAt: integer('created_at', { mode: 'timestamp_ms' })
+      .notNull()
+      .$defaultFn(() => new Date()),
+    updatedAt: integer('updated_at', { mode: 'timestamp_ms' })
+      .notNull()
+      .$defaultFn(() => new Date())
+      .$onUpdate(() => new Date()),
+    ipAddress: text('ip_address'),
+    userAgent: text('user_agent'),
+    userId: text('user_id')
+      .notNull()
+      .references(() => authUser.id, { onDelete: 'cascade' }),
+  },
+  (table) => [index('session_user_id_idx').on(table.userId)],
+);
+
+export const authAccount = sqliteTable(
+  'account',
+  {
+    id: text('id').primaryKey(),
+    accountId: text('account_id').notNull(),
+    providerId: text('provider_id').notNull(),
+    userId: text('user_id')
+      .notNull()
+      .references(() => authUser.id, { onDelete: 'cascade' }),
+    accessToken: text('access_token'),
+    refreshToken: text('refresh_token'),
+    idToken: text('id_token'),
+    accessTokenExpiresAt: integer('access_token_expires_at', {
+      mode: 'timestamp_ms',
+    }),
+    refreshTokenExpiresAt: integer('refresh_token_expires_at', {
+      mode: 'timestamp_ms',
+    }),
+    scope: text('scope'),
+    password: text('password'),
+    createdAt: integer('created_at', { mode: 'timestamp_ms' })
+      .notNull()
+      .$defaultFn(() => new Date()),
+    updatedAt: integer('updated_at', { mode: 'timestamp_ms' })
+      .notNull()
+      .$defaultFn(() => new Date())
+      .$onUpdate(() => new Date()),
+  },
+  (table) => [index('account_user_id_idx').on(table.userId)],
+);
+
+export const authVerification = sqliteTable(
+  'verification',
+  {
+    id: text('id').primaryKey(),
+    identifier: text('identifier').notNull(),
+    value: text('value').notNull(),
+    expiresAt: integer('expires_at', { mode: 'timestamp_ms' }).notNull(),
+    createdAt: integer('created_at', { mode: 'timestamp_ms' })
+      .notNull()
+      .$defaultFn(() => new Date()),
+    updatedAt: integer('updated_at', { mode: 'timestamp_ms' })
+      .notNull()
+      .$defaultFn(() => new Date())
+      .$onUpdate(() => new Date()),
+  },
+  (table) => [index('verification_identifier_idx').on(table.identifier)],
+);
+
+// API Key table (better-auth apiKey plugin)
+export const authApikey = sqliteTable('apikey', {
+  id: text('id').primaryKey(),
+  name: text('name'),
+  start: text('start'),
+  prefix: text('prefix'),
+  key: text('key').notNull(),
+  userId: text('user_id')
+    .notNull()
+    .references(() => authUser.id, { onDelete: 'cascade' }),
+  refillInterval: text('refill_interval'),
+  refillAmount: integer('refill_amount'),
+  lastRefillAt: integer('last_refill_at', { mode: 'timestamp_ms' }),
+  enabled: integer('enabled', { mode: 'boolean' }).notNull().default(true),
+  rateLimitEnabled: integer('rate_limit_enabled', { mode: 'boolean' })
+    .notNull()
+    .default(false),
+  rateLimitTimeWindow: integer('rate_limit_time_window'),
+  rateLimitMax: integer('rate_limit_max'),
+  requestCount: integer('request_count').notNull().default(0),
+  remaining: integer('remaining'),
+  lastRequest: integer('last_request', { mode: 'timestamp_ms' }),
+  expiresAt: integer('expires_at', { mode: 'timestamp_ms' }),
+  createdAt: integer('created_at', { mode: 'timestamp_ms' })
+    .notNull()
+    .$defaultFn(() => new Date()),
+  updatedAt: integer('updated_at', { mode: 'timestamp_ms' })
+    .notNull()
+    .$defaultFn(() => new Date())
+    .$onUpdate(() => new Date()),
+  permissions: text('permissions'),
+  metadata: text('metadata'),
+});
+
+// Organization tables (better-auth organization plugin)
+export const authOrganization = sqliteTable('organization', {
+  id: text('id').primaryKey(),
+  name: text('name').notNull(),
+  slug: text('slug').notNull().unique(),
+  logo: text('logo'),
+  metadata: text('metadata'),
+  createdAt: integer('created_at', { mode: 'timestamp_ms' })
+    .notNull()
+    .$defaultFn(() => new Date()),
+});
+
+export const authMember = sqliteTable('member', {
+  id: text('id').primaryKey(),
+  userId: text('user_id')
+    .notNull()
+    .references(() => authUser.id, { onDelete: 'cascade' }),
+  organizationId: text('organization_id')
+    .notNull()
+    .references(() => authOrganization.id, { onDelete: 'cascade' }),
+  role: text('role').notNull().default('member'),
+  createdAt: integer('created_at', { mode: 'timestamp_ms' })
+    .notNull()
+    .$defaultFn(() => new Date()),
+});
+
+export const authInvitation = sqliteTable('invitation', {
+  id: text('id').primaryKey(),
+  email: text('email').notNull(),
+  organizationId: text('organization_id')
+    .notNull()
+    .references(() => authOrganization.id, { onDelete: 'cascade' }),
+  inviterId: text('inviter_id')
+    .notNull()
+    .references(() => authUser.id, { onDelete: 'cascade' }),
+  role: text('role').notNull().default('member'),
+  status: text('status').notNull().default('pending'),
+  expiresAt: integer('expires_at', { mode: 'timestamp_ms' }).notNull(),
+  createdAt: integer('created_at', { mode: 'timestamp_ms' })
+    .notNull()
+    .$defaultFn(() => new Date()),
+});
+
+export const authSchema = {
+  user: authUser,
+  session: authSession,
+  account: authAccount,
+  verification: authVerification,
+};
+
+export const apikeySchema = {
+  apikey: authApikey,
+};
+
+export const organizationSchema = {
+  organization: authOrganization,
+  member: authMember,
+  invitation: authInvitation,
+};

package/src/modules/credentials/encrypt.ts

@@ -0,0 +1,95 @@
+import crypto from 'node:crypto';
+import { eq } from 'drizzle-orm';
+
+import type { VobaseDb } from '../../db/client';
+import { credentialsTable } from './schema';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const TAG_LENGTH = 16;
+
+const KDF_SALT = Buffer.from('vobase-credential-store-v1');
+
+function getEncryptionKey(): Buffer {
+  const secret = process.env.BETTER_AUTH_SECRET;
+  if (!secret)
+    throw new Error(
+      'BETTER_AUTH_SECRET is required for credential encryption',
+    );
+  return crypto.scryptSync(secret, KDF_SALT, 32);
+}
+
+/** Encrypt a plaintext string using AES-256-GCM. Returns base64-encoded ciphertext. */
+export function encrypt(plaintext: string): string {
+  const key = getEncryptionKey();
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, 'utf8'),
+    cipher.final(),
+  ]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, encrypted]).toString('base64');
+}
+
+/** Decrypt a base64-encoded ciphertext using AES-256-GCM. */
+export function decrypt(encoded: string): string {
+  const key = getEncryptionKey();
+  const data = Buffer.from(encoded, 'base64');
+  if (data.length < IV_LENGTH + TAG_LENGTH + 1) {
+    throw new Error('Invalid ciphertext: too short');
+  }
+  const iv = data.subarray(0, IV_LENGTH);
+  const tag = data.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
+  const ciphertext = data.subarray(IV_LENGTH + TAG_LENGTH);
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([
+    decipher.update(ciphertext),
+    decipher.final(),
+  ]).toString('utf8');
+}
+
+/** Get a single credential value (decrypted). Returns null if not found or decryption fails. */
+export async function getCredential(
+  db: VobaseDb,
+  key: string,
+): Promise<string | null> {
+  const rows = await db
+    .select()
+    .from(credentialsTable)
+    .where(eq(credentialsTable.key, key))
+    .limit(1);
+  if (!rows[0]) return null;
+  try {
+    return decrypt(rows[0].value);
+  } catch {
+    return null;
+  }
+}
+
+/** Set a single credential value (encrypted). Upserts on conflict. */
+export async function setCredential(
+  db: VobaseDb,
+  key: string,
+  value: string,
+): Promise<void> {
+  const encrypted = encrypt(value);
+  await db
+    .insert(credentialsTable)
+    .values({ key, value: encrypted })
+    .onConflictDoUpdate({
+      target: credentialsTable.key,
+      set: { value: encrypted, updatedAt: new Date() },
+    });
+}
+
+/** Delete a single credential. */
+export async function deleteCredential(
+  db: VobaseDb,
+  key: string,
+): Promise<void> {
+  await db
+    .delete(credentialsTable)
+    .where(eq(credentialsTable.key, key));
+}

package/src/modules/credentials/index.ts

@@ -0,0 +1,15 @@
+import { Hono } from 'hono';
+import { defineBuiltinModule } from '../../module';
+import { credentialsTable } from './schema';
+
+export { credentialsTable } from './schema';
+export { encrypt, decrypt, getCredential, setCredential, deleteCredential } from './encrypt';
+
+export function createCredentialsModule() {
+  return defineBuiltinModule({
+    name: '_credentials',
+    schema: { credentialsTable },
+    routes: new Hono(),
+    init: () => {},
+  });
+}

package/src/modules/credentials/schema.ts

@@ -0,0 +1,10 @@
+import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core';
+
+export const credentialsTable = sqliteTable('_credentials', {
+  key: text('key').primaryKey(),
+  value: text('value').notNull(),
+  updatedAt: integer('updated_at', { mode: 'timestamp_ms' })
+    .notNull()
+    .$defaultFn(() => new Date())
+    .$onUpdate(() => new Date()),
+});

package/src/modules/notify/index.ts

@@ -0,0 +1,90 @@
+import { Hono } from 'hono';
+
+import type { EmailProvider, WhatsAppProvider } from '../../contracts/notify';
+import { defineBuiltinModule } from '../../module';
+import { createResendProvider, type ResendConfig } from './providers/resend';
+import { createSmtpProvider, type SmtpConfig } from './providers/smtp';
+import { createWabaProvider } from './providers/waba';
+import { createNotifyService } from './service';
+import { notifySchema } from './schema';
+import type { VobaseDb } from '../../db/client';
+
+export interface EmailNotifyConfig {
+  provider: 'resend' | 'smtp';
+  from: string;
+  resend?: Omit<ResendConfig, 'from'>;
+  smtp?: Omit<SmtpConfig, 'from'>;
+}
+
+export interface WhatsAppNotifyConfig {
+  phoneNumberId: string;
+  accessToken: string;
+  apiVersion?: string;
+}
+
+export interface NotifyModuleConfig {
+  email?: EmailNotifyConfig;
+  whatsapp?: WhatsAppNotifyConfig;
+}
+
+export function createNotifyModule(db: VobaseDb, config: NotifyModuleConfig) {
+  let emailProvider: EmailProvider | undefined;
+  let emailProviderName: string | undefined;
+
+  if (config.email) {
+    if (config.email.provider === 'resend') {
+      if (!config.email.resend) {
+        throw new Error('Resend config required when provider is "resend"');
+      }
+      emailProvider = createResendProvider({
+        apiKey: config.email.resend.apiKey,
+        from: config.email.from,
+      });
+      emailProviderName = 'resend';
+    } else if (config.email.provider === 'smtp') {
+      if (!config.email.smtp) {
+        throw new Error('SMTP config required when provider is "smtp"');
+      }
+      emailProvider = createSmtpProvider({
+        ...config.email.smtp,
+        from: config.email.from,
+      });
+      emailProviderName = 'smtp';
+    }
+  }
+
+  let whatsappProvider: WhatsAppProvider | undefined;
+  let whatsappProviderName: string | undefined;
+
+  if (config.whatsapp) {
+    whatsappProvider = createWabaProvider({
+      phoneNumberId: config.whatsapp.phoneNumberId,
+      accessToken: config.whatsapp.accessToken,
+      apiVersion: config.whatsapp.apiVersion,
+    });
+    whatsappProviderName = 'waba';
+  }
+
+  const service = createNotifyService({
+    db,
+    emailProvider,
+    emailProviderName,
+    whatsappProvider,
+    whatsappProviderName,
+  });
+
+  const mod = defineBuiltinModule({
+    name: '_notify',
+    schema: notifySchema,
+    routes: new Hono(),
+  });
+
+  return { ...mod, service };
+}
+
+export { notifyLog, notifySchema } from './schema';
+export { createNotifyService } from './service';
+export type { NotifyService, EmailChannel, WhatsAppChannel } from './service';
+export { createResendProvider, type ResendConfig } from './providers/resend';
+export { createSmtpProvider, type SmtpConfig } from './providers/smtp';
+export { createWabaProvider, type WabaConfig } from './providers/waba';