@wopr-network/platform-core 0.1.0

package/dist/email/resend-adapter.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Resend Email Adapter for Better Auth
+ *
+ * Provides transactional email capability for Better Auth password reset flows.
+ * Uses Resend API for email delivery.
+ */
+export interface EmailOptions {
+    to: string;
+    subject: string;
+    html: string;
+    text?: string;
+}
+/**
+ * Escape HTML special characters to prevent XSS.
+ *
+ * @param str - String to escape
+ * @returns Escaped string safe for HTML interpolation
+ */
+export declare function escapeHtml(str: string): string;
+/**
+ * Send an email using Resend.
+ *
+ * @param options - Email configuration (to, subject, html, text)
+ * @param apiKey - Resend API key (defaults to RESEND_API_KEY env var)
+ * @param from - Sender email address (defaults to RESEND_FROM_EMAIL env var)
+ * @returns Resend response
+ */
+export declare function sendEmail(options: EmailOptions, apiKey?: string, from?: string): Promise<{
+    id: string;
+    success: boolean;
+}>;
+/**
+ * Generate password reset email HTML template.
+ *
+ * @param resetUrl - The password reset URL with token
+ * @param email - User's email address
+ * @returns HTML email content
+ */
+export declare function passwordResetTemplate(resetUrl: string, email: string): string;
+/**
+ * Generate plain text version of password reset email.
+ *
+ * @param resetUrl - The password reset URL with token
+ * @param email - User's email address
+ * @returns Plain text email content
+ */
+export declare function passwordResetText(resetUrl: string, email: string): string;

package/dist/email/resend-adapter.js

@@ -0,0 +1,137 @@
+/**
+ * Resend Email Adapter for Better Auth
+ *
+ * Provides transactional email capability for Better Auth password reset flows.
+ * Uses Resend API for email delivery.
+ */
+import { Resend } from "resend";
+/**
+ * Escape HTML special characters to prevent XSS.
+ *
+ * @param str - String to escape
+ * @returns Escaped string safe for HTML interpolation
+ */
+export function escapeHtml(str) {
+    const map = {
+        "&": "&",
+        "<": "&lt;",
+        ">": "&gt;",
+        '"': "&quot;",
+        "'": "&#39;",
+    };
+    return str.replace(/[&<>"']/g, (char) => map[char] || char);
+}
+/**
+ * Send an email using Resend.
+ *
+ * @param options - Email configuration (to, subject, html, text)
+ * @param apiKey - Resend API key (defaults to RESEND_API_KEY env var)
+ * @param from - Sender email address (defaults to RESEND_FROM_EMAIL env var)
+ * @returns Resend response
+ */
+export async function sendEmail(options, apiKey, from) {
+    const key = apiKey || process.env.RESEND_API_KEY;
+    if (!key) {
+        throw new Error("RESEND_API_KEY environment variable is required");
+    }
+    const fromEmail = from || process.env.RESEND_FROM_EMAIL || "noreply@wopr.bot";
+    const resend = new Resend(key);
+    const { data, error } = await resend.emails.send({
+        from: fromEmail,
+        to: options.to,
+        subject: options.subject,
+        html: options.html,
+        text: options.text,
+    });
+    if (error) {
+        throw new Error(`Failed to send email: ${error.message}`);
+    }
+    return {
+        id: data?.id || "",
+        success: true,
+    };
+}
+/**
+ * Generate password reset email HTML template.
+ *
+ * @param resetUrl - The password reset URL with token
+ * @param email - User's email address
+ * @returns HTML email content
+ */
+export function passwordResetTemplate(resetUrl, email) {
+    const escapedEmail = escapeHtml(email);
+    const escapedResetUrl = escapeHtml(resetUrl);
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Reset Your Password</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f4f4f4;">
+  <table role="presentation" style="width: 100%; border-collapse: collapse;">
+    <tr>
+      <td style="padding: 40px 0; text-align: center;">
+        <table role="presentation" style="width: 600px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; box-shadow: 0 2px 4px rgba(0,0,0,0.1);">
+          <tr>
+            <td style="padding: 40px 40px 20px 40px; text-align: center;">
+              <h1 style="margin: 0; font-size: 24px; font-weight: 600; color: #1a1a1a;">Reset Your Password</h1>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding: 0 40px 20px 40px; color: #4a5568; font-size: 16px; line-height: 24px;">
+              <p>Hi there,</p>
+              <p>You requested a password reset for your WOPR account (<strong>${escapedEmail}</strong>).</p>
+              <p>Click the button below to create a new password. This link will expire in 1 hour.</p>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding: 0 40px 30px 40px; text-align: center;">
+              <a href="${resetUrl}" style="display: inline-block; padding: 12px 32px; background-color: #2563eb; color: #ffffff; text-decoration: none; font-weight: 600; border-radius: 6px; font-size: 16px;">Reset Password</a>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding: 0 40px 20px 40px; color: #718096; font-size: 14px; line-height: 20px;">
+              <p>Or copy and paste this URL into your browser:</p>
+              <p style="word-break: break-all; color: #2563eb;">${escapedResetUrl}</p>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding: 0 40px 40px 40px; color: #718096; font-size: 14px; line-height: 20px; border-top: 1px solid #e2e8f0;">
+              <p style="margin-top: 20px;">If you didn't request this password reset, you can safely ignore this email.</p>
+            </td>
+          </tr>
+        </table>
+        <p style="margin-top: 20px; color: #a0aec0; font-size: 12px;">© ${new Date().getFullYear()} WOPR Network. All rights reserved.</p>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>
+  `.trim();
+}
+/**
+ * Generate plain text version of password reset email.
+ *
+ * @param resetUrl - The password reset URL with token
+ * @param email - User's email address
+ * @returns Plain text email content
+ */
+export function passwordResetText(resetUrl, email) {
+    return `
+Reset Your Password
+
+Hi there,
+
+You requested a password reset for your WOPR account (${email}).
+
+Click the link below to create a new password. This link will expire in 1 hour.
+
+${resetUrl}
+
+If you didn't request this password reset, you can safely ignore this email.
+
+© ${new Date().getFullYear()} WOPR Network. All rights reserved.
+  `.trim();
+}

package/dist/email/resend-adapter.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/email/resend-adapter.test.js

@@ -0,0 +1,190 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { escapeHtml, passwordResetTemplate, passwordResetText, sendEmail, } from "./resend-adapter.js";
+// Create a mock send function that can be controlled in tests
+const mockSend = vi.fn();
+// Mock the Resend module
+vi.mock("resend", () => {
+    return {
+        Resend: class MockResend {
+            emails = {
+                send: mockSend,
+            };
+        },
+    };
+});
+describe("escapeHtml", () => {
+    it("should escape all dangerous HTML characters", () => {
+        expect(escapeHtml("<script>alert('XSS')</script>")).toBe("&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;");
+        expect(escapeHtml('Test "quotes" & <tags>')).toBe("Test &quot;quotes&quot; &amp; &lt;tags&gt;");
+        expect(escapeHtml("user@example.com")).toBe("user@example.com");
+    });
+    it("should handle empty strings", () => {
+        expect(escapeHtml("")).toBe("");
+    });
+    it("should handle strings with no special characters", () => {
+        expect(escapeHtml("normal text 123")).toBe("normal text 123");
+    });
+});
+describe("sendEmail", () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+        delete process.env.RESEND_API_KEY;
+        delete process.env.RESEND_FROM_EMAIL;
+        // Reset mock to default success response
+        mockSend.mockResolvedValue({
+            data: { id: "test-email-id" },
+            error: null,
+        });
+    });
+    it("should send email with required options", async () => {
+        process.env.RESEND_API_KEY = "test-api-key";
+        const options = {
+            to: "user@example.com",
+            subject: "Test Subject",
+            html: "<p>Test HTML</p>",
+        };
+        const result = await sendEmail(options);
+        expect(result).toEqual({
+            id: "test-email-id",
+            success: true,
+        });
+    });
+    it("should use custom API key when provided", async () => {
+        const options = {
+            to: "user@example.com",
+            subject: "Test Subject",
+            html: "<p>Test HTML</p>",
+        };
+        const result = await sendEmail(options, "custom-api-key");
+        expect(result.success).toBe(true);
+    });
+    it("should use custom from address when provided", async () => {
+        process.env.RESEND_API_KEY = "test-api-key";
+        const options = {
+            to: "user@example.com",
+            subject: "Test Subject",
+            html: "<p>Test HTML</p>",
+        };
+        const result = await sendEmail(options, undefined, "custom@example.com");
+        expect(result.success).toBe(true);
+    });
+    it("should throw error when RESEND_API_KEY is missing", async () => {
+        const options = {
+            to: "user@example.com",
+            subject: "Test Subject",
+            html: "<p>Test HTML</p>",
+        };
+        await expect(sendEmail(options)).rejects.toThrow("RESEND_API_KEY environment variable is required");
+    });
+    it("should handle Resend API errors", async () => {
+        process.env.RESEND_API_KEY = "test-api-key";
+        // Mock Resend to return an error for this specific test
+        mockSend.mockResolvedValueOnce({
+            data: null,
+            error: { message: "API error" },
+        });
+        const options = {
+            to: "user@example.com",
+            subject: "Test Subject",
+            html: "<p>Test HTML</p>",
+        };
+        await expect(sendEmail(options)).rejects.toThrow("Failed to send email: API error");
+    });
+    it("should use default from email when env var is set", async () => {
+        process.env.RESEND_API_KEY = "test-api-key";
+        process.env.RESEND_FROM_EMAIL = "default@example.com";
+        const options = {
+            to: "user@example.com",
+            subject: "Test Subject",
+            html: "<p>Test HTML</p>",
+        };
+        const result = await sendEmail(options);
+        expect(result.success).toBe(true);
+    });
+    it("should include text version when provided", async () => {
+        process.env.RESEND_API_KEY = "test-api-key";
+        const options = {
+            to: "user@example.com",
+            subject: "Test Subject",
+            html: "<p>Test HTML</p>",
+            text: "Test plain text",
+        };
+        const result = await sendEmail(options);
+        expect(result.success).toBe(true);
+    });
+});
+describe("passwordResetTemplate", () => {
+    it("should generate HTML template with reset URL", () => {
+        const resetUrl = "https://wopr.bot/reset?token=abc123";
+        const email = "user@example.com";
+        const html = passwordResetTemplate(resetUrl, email);
+        expect(html).toContain(resetUrl);
+        expect(html).toContain(email);
+        expect(html).toContain("Reset Your Password");
+        expect(html).toContain("Reset Password");
+        expect(html).toContain("<!DOCTYPE html>");
+    });
+    it("should escape HTML characters in email and URL to prevent XSS", () => {
+        const resetUrl = "https://wopr.bot/reset?token=<script>alert(1)</script>";
+        const email = "<script>alert('xss')</script>@example.com";
+        const html = passwordResetTemplate(resetUrl, email);
+        // Verify email is escaped in the text where it's displayed
+        expect(html).toContain("&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;@example.com");
+        // Verify resetUrl is escaped in the displayed text (not href)
+        expect(html).toContain("&lt;script&gt;alert(1)&lt;/script&gt;");
+        // Verify the email script tag doesn't appear unescaped in body text
+        // (it may appear in href attribute, which is safe from XSS)
+        const bodyMatch = html.match(/<p>.*<\/p>/gs);
+        const bodyText = bodyMatch ? bodyMatch.join("") : "";
+        expect(bodyText).not.toContain("<script>alert('xss')</script>");
+    });
+    it("should include current year in footer", () => {
+        const resetUrl = "https://wopr.bot/reset?token=abc123";
+        const email = "user@example.com";
+        const html = passwordResetTemplate(resetUrl, email);
+        const currentYear = new Date().getFullYear();
+        expect(html).toContain(`© ${currentYear} WOPR Network`);
+    });
+    it("should be valid HTML structure", () => {
+        const resetUrl = "https://wopr.bot/reset?token=abc123";
+        const email = "user@example.com";
+        const html = passwordResetTemplate(resetUrl, email);
+        expect(html).toContain("<html>");
+        expect(html).toContain("</html>");
+        expect(html).toContain("<head>");
+        expect(html).toContain("</head>");
+        expect(html).toContain("<body");
+        expect(html).toContain("</body>");
+    });
+});
+describe("passwordResetText", () => {
+    it("should generate plain text with reset URL", () => {
+        const resetUrl = "https://wopr.bot/reset?token=abc123";
+        const email = "user@example.com";
+        const text = passwordResetText(resetUrl, email);
+        expect(text).toContain(resetUrl);
+        expect(text).toContain(email);
+        expect(text).toContain("Reset Your Password");
+    });
+    it("should not contain HTML tags", () => {
+        const resetUrl = "https://wopr.bot/reset?token=abc123";
+        const email = "user@example.com";
+        const text = passwordResetText(resetUrl, email);
+        expect(text).not.toContain("<");
+        expect(text).not.toContain(">");
+    });
+    it("should include current year in footer", () => {
+        const resetUrl = "https://wopr.bot/reset?token=abc123";
+        const email = "user@example.com";
+        const text = passwordResetText(resetUrl, email);
+        const currentYear = new Date().getFullYear();
+        expect(text).toContain(`© ${currentYear} WOPR Network`);
+    });
+    it("should be readable plain text format", () => {
+        const resetUrl = "https://wopr.bot/reset?token=abc123";
+        const email = "user@example.com";
+        const text = passwordResetText(resetUrl, email);
+        // Should have line breaks and be formatted
+        expect(text.split("\n").length).toBeGreaterThan(5);
+    });
+});

package/dist/email/templates.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Email Templates — HTML and plain text templates for all transactional emails.
+ *
+ * Each template has an HTML and a plain text version. HTML uses inline styles
+ * for maximum email client compatibility. All user-supplied values are escaped
+ * to prevent XSS.
+ */
+export type TemplateName = "verify-email" | "welcome" | "password-reset" | "credit-purchase" | "low-balance" | "bot-suspended" | "bot-destruction" | "data-deleted";
+export interface TemplateResult {
+    subject: string;
+    html: string;
+    text: string;
+}
+export declare function verifyEmailTemplate(verifyUrl: string, email: string): TemplateResult;
+export declare function welcomeTemplate(email: string): TemplateResult;
+export declare function passwordResetEmailTemplate(resetUrl: string, email: string): TemplateResult;
+export declare function creditPurchaseTemplate(email: string, amountDollars: string, newBalanceDollars?: string, creditsUrl?: string): TemplateResult;
+export declare function lowBalanceTemplate(email: string, balanceDollars: string, estimatedDaysRemaining?: number, creditsUrl?: string): TemplateResult;
+export declare function botSuspendedTemplate(email: string, botName: string, reason: string, creditsUrl?: string): TemplateResult;
+export declare function botDestructionTemplate(email: string, botName: string, daysRemaining: number, creditsUrl?: string): TemplateResult;
+export declare function dataDeletedTemplate(email: string, creditsUrl?: string): TemplateResult;
+export declare function orgInviteEmailTemplate(inviteUrl: string, orgName: string): TemplateResult;