@wopr-network/platform-core 1.0.1 → 1.0.3

package/dist/auth/better-auth.d.ts

@@ -11,13 +11,60 @@ import { betterAuth } from "better-auth";
 import type { Pool } from "pg";
 import type { PlatformDb } from "../db/index.js";
 import { PgEmailVerifier } from "../email/verification.js";
+import { type IUserCreator } from "./user-creator.js";
+/** OAuth provider credentials. */
+export interface OAuthProvider {
+    clientId: string;
+    clientSecret: string;
+}
+/** Rate limit rule for a specific auth endpoint. */
+export interface AuthRateLimitRule {
+    window: number;
+    max: number;
+}
 /** Configuration for initializing Better Auth in platform-core. */
 export interface BetterAuthConfig {
     pool: Pool;
     db: PlatformDb;
+    /** HMAC secret for session tokens. Falls back to BETTER_AUTH_SECRET env var. */
+    secret?: string;
+    /** Base URL for OAuth callbacks. Falls back to BETTER_AUTH_URL env var. */
+    baseURL?: string;
+    /** Route prefix. Default: "/api/auth" */
+    basePath?: string;
+    /** Email+password config. Default: enabled with 12-char min. */
+    emailAndPassword?: {
+        enabled: boolean;
+        minPasswordLength?: number;
+    };
+    /** OAuth providers. Default: reads GITHUB/DISCORD/GOOGLE env vars. */
+    socialProviders?: {
+        github?: OAuthProvider;
+        discord?: OAuthProvider;
+        google?: OAuthProvider;
+    };
+    /** Trusted providers for account linking. Default: ["github", "google"] */
+    trustedProviders?: string[];
+    /** Enable 2FA plugin. Default: true */
+    twoFactor?: boolean;
+    /** Cookie cache max age in seconds. Default: 300 (5 min) */
+    sessionCacheMaxAge?: number;
+    /** Cookie prefix. Default: "better-auth" */
+    cookiePrefix?: string;
+    /** Cookie domain (e.g., ".wopr.bot"). Falls back to COOKIE_DOMAIN env var. */
+    cookieDomain?: string;
+    /** Global rate limit window in seconds. Default: 60 */
+    rateLimitWindow?: number;
+    /** Global rate limit max requests. Default: 100 */
+    rateLimitMax?: number;
+    /** Per-endpoint rate limit overrides. Default: sign-in/sign-up/reset limits. */
+    rateLimitRules?: Record<string, AuthRateLimitRule>;
+    /** Trusted origins for CORS. Falls back to UI_ORIGIN env var. */
+    trustedOrigins?: string[];
     /** Called after a new user signs up (e.g., create personal tenant). */
     onUserCreated?: (userId: string, userName: string, email: string) => Promise<void>;
 }
+export declare function getUserCreator(): Promise<IUserCreator>;
 /** The type of a better-auth instance. */
 export type Auth = ReturnType<typeof betterAuth>;
 /** Initialize Better Auth with the given config. Must be called before getAuth(). */

package/dist/auth/better-auth.js

@@ -16,50 +16,83 @@ import { getEmailClient } from "../email/client.js";
 import { passwordResetEmailTemplate, verifyEmailTemplate } from "../email/templates.js";
 import { generateVerificationToken, initVerificationSchema, PgEmailVerifier } from "../email/verification.js";
 import { createUserCreator } from "./user-creator.js";
-const BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET || "";
-const BETTER_AUTH_URL = process.env.BETTER_AUTH_URL || "http://localhost:3100";
+const DEFAULT_RATE_LIMIT_RULES = {
+    "/sign-in/email": { window: 900, max: 5 },
+    "/sign-up/email": { window: 3600, max: 10 },
+    "/request-password-reset": { window: 3600, max: 3 },
+};
 let _config = null;
 let _userCreator = null;
 let _userCreatorPromise = null;
-async function getUserCreator() {
+export async function getUserCreator() {
     if (_userCreator)
         return _userCreator;
     if (!_userCreatorPromise) {
         if (!_config)
             throw new Error("BetterAuth not initialized — call initBetterAuth() first");
-        _userCreatorPromise = createUserCreator(new RoleStore(_config.db)).then((creator) => {
+        _userCreatorPromise = createUserCreator(new RoleStore(_config.db))
+            .then((creator) => {
             _userCreator = creator;
             return creator;
+        })
+            .catch((err) => {
+            _userCreatorPromise = null;
+            throw err;
         });
     }
     return _userCreatorPromise;
 }
-function authOptions(pool) {
+/** Resolve OAuth providers from config or env vars. */
+function resolveSocialProviders(cfg) {
+    if (cfg.socialProviders)
+        return cfg.socialProviders;
+    return {
+        ...(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET
+            ? { github: { clientId: process.env.GITHUB_CLIENT_ID, clientSecret: process.env.GITHUB_CLIENT_SECRET } }
+            : {}),
+        ...(process.env.DISCORD_CLIENT_ID && process.env.DISCORD_CLIENT_SECRET
+            ? { discord: { clientId: process.env.DISCORD_CLIENT_ID, clientSecret: process.env.DISCORD_CLIENT_SECRET } }
+            : {}),
+        ...(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET
+            ? { google: { clientId: process.env.GOOGLE_CLIENT_ID, clientSecret: process.env.GOOGLE_CLIENT_SECRET } }
+            : {}),
+    };
+}
+function authOptions(cfg) {
+    const pool = cfg.pool;
+    const secret = cfg.secret || process.env.BETTER_AUTH_SECRET;
+    if (!secret) {
+        if (process.env.NODE_ENV === "production") {
+            throw new Error("BETTER_AUTH_SECRET is required in production");
+        }
+        logger.warn("BetterAuth secret not configured — sessions may be insecure");
+    }
+    const baseURL = cfg.baseURL || process.env.BETTER_AUTH_URL || "http://localhost:3100";
+    const basePath = cfg.basePath || "/api/auth";
+    const cookieDomain = cfg.cookieDomain || process.env.COOKIE_DOMAIN;
+    const trustedOrigins = cfg.trustedOrigins ||
+        (process.env.UI_ORIGIN || "http://localhost:3001")
+            .split(",")
+            .map((o) => o.trim())
+            .filter(Boolean);
+    // Default minPasswordLength: 12 — caller must explicitly override, not accidentally omit
+    const emailAndPassword = cfg.emailAndPassword
+        ? { minPasswordLength: 12, ...cfg.emailAndPassword }
+        : { enabled: true, minPasswordLength: 12 };
     return {
         database: pool,
-        secret: BETTER_AUTH_SECRET,
-        baseURL: BETTER_AUTH_URL,
-        basePath: "/api/auth",
-        socialProviders: {
-            ...(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET
-                ? { github: { clientId: process.env.GITHUB_CLIENT_ID, clientSecret: process.env.GITHUB_CLIENT_SECRET } }
-                : {}),
-            ...(process.env.DISCORD_CLIENT_ID && process.env.DISCORD_CLIENT_SECRET
-                ? { discord: { clientId: process.env.DISCORD_CLIENT_ID, clientSecret: process.env.DISCORD_CLIENT_SECRET } }
-                : {}),
-            ...(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET
-                ? { google: { clientId: process.env.GOOGLE_CLIENT_ID, clientSecret: process.env.GOOGLE_CLIENT_SECRET } }
-                : {}),
-        },
+        secret: secret || "",
+        baseURL,
+        basePath,
+        socialProviders: resolveSocialProviders(cfg),
         account: {
             accountLinking: {
                 enabled: true,
-                trustedProviders: ["github", "google"],
+                trustedProviders: cfg.trustedProviders ?? ["github", "google"],
             },
         },
         emailAndPassword: {
-            enabled: true,
-            minPasswordLength: 12,
+            ...emailAndPassword,
             sendResetPassword: async ({ user, url }) => {
                 try {
                     const emailClient = getEmailClient();
@@ -87,12 +120,20 @@ function authOptions(pool) {
                         catch (error) {
                             logger.error("Failed to run user creator:", error);
                         }
+                        if (cfg.onUserCreated) {
+                            try {
+                                await cfg.onUserCreated(user.id, user.name || user.email, user.email);
+                            }
+                            catch (error) {
+                                logger.error("Failed to run onUserCreated callback:", error);
+                            }
+                        }
                         if (user.emailVerified)
                             return;
                         try {
                             await initVerificationSchema(pool);
                             const { token } = await generateVerificationToken(pool, user.id);
-                            const verifyUrl = `${BETTER_AUTH_URL}/auth/verify?token=${token}`;
+                            const verifyUrl = `${baseURL}${basePath}/verify?token=${token}`;
                             const emailClient = getEmailClient();
                             const template = verifyEmailTemplate(verifyUrl, user.email);
                             await emailClient.send({
@@ -105,45 +146,30 @@ function authOptions(pool) {
                         catch (error) {
                             logger.error("Failed to send verification email:", error);
                         }
-                        // Delegate personal tenant creation to the consumer
-                        if (_config?.onUserCreated) {
-                            try {
-                                await _config.onUserCreated(user.id, user.name || user.email, user.email);
-                            }
-                            catch (error) {
-                                logger.error("Failed to run onUserCreated callback:", error);
-                            }
-                        }
                     },
                 },
             },
         },
         session: {
-            cookieCache: { enabled: true, maxAge: 5 * 60 },
+            cookieCache: { enabled: true, maxAge: cfg.sessionCacheMaxAge ?? 300 },
         },
         advanced: {
-            cookiePrefix: "better-auth",
+            cookiePrefix: cfg.cookiePrefix || "better-auth",
             cookies: {
                 session_token: {
-                    attributes: {
-                        domain: process.env.COOKIE_DOMAIN || ".wopr.bot",
-                    },
+                    attributes: cookieDomain ? { domain: cookieDomain } : {},
                 },
             },
         },
-        plugins: [twoFactor()],
+        plugins: cfg.twoFactor !== false ? [twoFactor()] : [],
         rateLimit: {
             enabled: true,
-            window: 60,
-            max: 100,
-            customRules: {
-                "/sign-in/email": { window: 900, max: 5 },
-                "/sign-up/email": { window: 3600, max: 10 },
-                "/request-password-reset": { window: 3600, max: 3 },
-            },
+            window: cfg.rateLimitWindow ?? 60,
+            max: cfg.rateLimitMax ?? 100,
+            customRules: { ...DEFAULT_RATE_LIMIT_RULES, ...cfg.rateLimitRules },
             storage: "memory",
         },
-        trustedOrigins: (process.env.UI_ORIGIN || "http://localhost:3001").split(","),
+        trustedOrigins,
     };
 }
 /** Initialize Better Auth with the given config. Must be called before getAuth(). */
@@ -158,9 +184,11 @@ export async function runAuthMigrations() {
     if (!_config)
         throw new Error("BetterAuth not initialized — call initBetterAuth() first");
     const { getMigrations } = (await import("better-auth/db"));
-    const { runMigrations } = await getMigrations(authOptions(_config.pool));
+    const { runMigrations } = await getMigrations(authOptions(_config));
     await runMigrations();
-    await initTwoFactorSchema(_config.pool);
+    if (_config.twoFactor !== false) {
+        await initTwoFactorSchema(_config.pool);
+    }
 }
 let _auth = null;
 /**
@@ -171,7 +199,7 @@ export function getAuth() {
     if (!_auth) {
         if (!_config)
             throw new Error("BetterAuth not initialized — call initBetterAuth() first");
-        _auth = betterAuth(authOptions(_config.pool));
+        _auth = betterAuth(authOptions(_config));
     }
     return _auth;
 }

package/dist/auth/better-auth.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/auth/better-auth.test.js

@@ -0,0 +1,35 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+const mockCreateUserCreator = vi.fn();
+vi.mock("./user-creator.js", () => ({
+    createUserCreator: (...args) => mockCreateUserCreator(...args),
+}));
+vi.mock("../admin/role-store.js", () => ({
+    RoleStore: vi.fn(),
+}));
+const { getUserCreator, initBetterAuth, resetUserCreator } = await import("./better-auth.js");
+const fakeConfig = { pool: {}, db: {} };
+describe("getUserCreator", () => {
+    afterEach(() => {
+        resetUserCreator();
+        mockCreateUserCreator.mockReset();
+    });
+    it("caches the resolved creator on success", async () => {
+        initBetterAuth(fakeConfig);
+        const fakeCreator = { createUser: vi.fn() };
+        mockCreateUserCreator.mockResolvedValueOnce(fakeCreator);
+        const first = await getUserCreator();
+        const second = await getUserCreator();
+        expect(first).toBe(second);
+        expect(mockCreateUserCreator).toHaveBeenCalledOnce();
+    });
+    it("clears cached promise on rejection so next call retries", async () => {
+        initBetterAuth(fakeConfig);
+        const fakeCreator = { createUser: vi.fn() };
+        mockCreateUserCreator.mockRejectedValueOnce(new Error("DB unavailable"));
+        mockCreateUserCreator.mockResolvedValueOnce(fakeCreator);
+        await expect(getUserCreator()).rejects.toThrow("DB unavailable");
+        const creator = await getUserCreator();
+        expect(creator).toBe(fakeCreator);
+        expect(mockCreateUserCreator).toHaveBeenCalledTimes(2);
+    });
+});

package/dist/auth/index.d.ts

@@ -184,3 +184,15 @@ export declare function validateTenantOwnership<T>(c: Context, resource: T | nul
  * @returns true if the user has access, false otherwise.
  */
 export declare function validateTenantAccess(userId: string, requestedTenantId: string | undefined, orgMemberRepo: IOrgMemberRepository): Promise<boolean>;
+export type { IApiKeyRepository } from "./api-key-repository.js";
+export { DrizzleApiKeyRepository } from "./api-key-repository.js";
+export type { Auth, AuthRateLimitRule, BetterAuthConfig, OAuthProvider, } from "./better-auth.js";
+export { getAuth, getEmailVerifier, getUserCreator, initBetterAuth, resetAuth, resetUserCreator, runAuthMigrations, setAuth, } from "./better-auth.js";
+export type { ILoginHistoryRepository, LoginHistoryEntry } from "./login-history-repository.js";
+export { BetterAuthLoginHistoryRepository } from "./login-history-repository.js";
+export type { SessionAuthEnv } from "./middleware.js";
+export { dualAuth, sessionAuth } from "./middleware.js";
+export type { IUserCreator } from "./user-creator.js";
+export { createUserCreator } from "./user-creator.js";
+export type { IUserRoleRepository } from "./user-role-repository.js";
+export { DrizzleUserRoleRepository } from "./user-role-repository.js";

package/dist/auth/index.js

@@ -420,3 +420,10 @@ export async function validateTenantAccess(userId, requestedTenantId, orgMemberR
     const member = await orgMemberRepo.findMember(requestedTenantId, userId);
     return member !== null;
 }
+export { DrizzleApiKeyRepository } from "./api-key-repository.js";
+// Test utilities — do not call in production code
+export { getAuth, getEmailVerifier, getUserCreator, initBetterAuth, resetAuth, resetUserCreator, runAuthMigrations, setAuth, } from "./better-auth.js";
+export { BetterAuthLoginHistoryRepository } from "./login-history-repository.js";
+export { dualAuth, sessionAuth } from "./middleware.js";
+export { createUserCreator } from "./user-creator.js";
+export { DrizzleUserRoleRepository } from "./user-role-repository.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wopr-network/platform-core",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/auth/better-auth.test.ts

@@ -0,0 +1,47 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+const mockCreateUserCreator = vi.fn();
+vi.mock("./user-creator.js", () => ({
+  createUserCreator: (...args: unknown[]) => mockCreateUserCreator(...args),
+}));
+
+vi.mock("../admin/role-store.js", () => ({
+  RoleStore: vi.fn(),
+}));
+
+const { getUserCreator, initBetterAuth, resetUserCreator } = await import("./better-auth.js");
+
+const fakeConfig = { pool: {}, db: {} } as Parameters<typeof initBetterAuth>[0];
+
+describe("getUserCreator", () => {
+  afterEach(() => {
+    resetUserCreator();
+    mockCreateUserCreator.mockReset();
+  });
+
+  it("caches the resolved creator on success", async () => {
+    initBetterAuth(fakeConfig);
+    const fakeCreator = { createUser: vi.fn() };
+    mockCreateUserCreator.mockResolvedValueOnce(fakeCreator);
+
+    const first = await getUserCreator();
+    const second = await getUserCreator();
+
+    expect(first).toBe(second);
+    expect(mockCreateUserCreator).toHaveBeenCalledOnce();
+  });
+
+  it("clears cached promise on rejection so next call retries", async () => {
+    initBetterAuth(fakeConfig);
+    const fakeCreator = { createUser: vi.fn() };
+
+    mockCreateUserCreator.mockRejectedValueOnce(new Error("DB unavailable"));
+    mockCreateUserCreator.mockResolvedValueOnce(fakeCreator);
+
+    await expect(getUserCreator()).rejects.toThrow("DB unavailable");
+
+    const creator = await getUserCreator();
+    expect(creator).toBe(fakeCreator);
+    expect(mockCreateUserCreator).toHaveBeenCalledTimes(2);
+  });
+});

package/src/auth/better-auth.ts

@@ -20,59 +20,150 @@ import { passwordResetEmailTemplate, verifyEmailTemplate } from "../email/templa
 import { generateVerificationToken, initVerificationSchema, PgEmailVerifier } from "../email/verification.js";
 import { createUserCreator, type IUserCreator } from "./user-creator.js";
 
+/** OAuth provider credentials. */
+export interface OAuthProvider {
+  clientId: string;
+  clientSecret: string;
+}
+
+/** Rate limit rule for a specific auth endpoint. */
+export interface AuthRateLimitRule {
+  window: number;
+  max: number;
+}
+
 /** Configuration for initializing Better Auth in platform-core. */
 export interface BetterAuthConfig {
   pool: Pool;
   db: PlatformDb;
+
+  // --- Required ---
+  /** HMAC secret for session tokens. Falls back to BETTER_AUTH_SECRET env var. */
+  secret?: string;
+  /** Base URL for OAuth callbacks. Falls back to BETTER_AUTH_URL env var. */
+  baseURL?: string;
+
+  // --- Auth features ---
+  /** Route prefix. Default: "/api/auth" */
+  basePath?: string;
+  /** Email+password config. Default: enabled with 12-char min. */
+  emailAndPassword?: { enabled: boolean; minPasswordLength?: number };
+  /** OAuth providers. Default: reads GITHUB/DISCORD/GOOGLE env vars. */
+  socialProviders?: {
+    github?: OAuthProvider;
+    discord?: OAuthProvider;
+    google?: OAuthProvider;
+  };
+  /** Trusted providers for account linking. Default: ["github", "google"] */
+  trustedProviders?: string[];
+  /** Enable 2FA plugin. Default: true */
+  twoFactor?: boolean;
+
+  // --- Session & cookies ---
+  /** Cookie cache max age in seconds. Default: 300 (5 min) */
+  sessionCacheMaxAge?: number;
+  /** Cookie prefix. Default: "better-auth" */
+  cookiePrefix?: string;
+  /** Cookie domain (e.g., ".wopr.bot"). Falls back to COOKIE_DOMAIN env var. */
+  cookieDomain?: string;
+
+  // --- Rate limiting ---
+  /** Global rate limit window in seconds. Default: 60 */
+  rateLimitWindow?: number;
+  /** Global rate limit max requests. Default: 100 */
+  rateLimitMax?: number;
+  /** Per-endpoint rate limit overrides. Default: sign-in/sign-up/reset limits. */
+  rateLimitRules?: Record<string, AuthRateLimitRule>;
+
+  // --- Origins ---
+  /** Trusted origins for CORS. Falls back to UI_ORIGIN env var. */
+  trustedOrigins?: string[];
+
+  // --- Lifecycle hooks ---
   /** Called after a new user signs up (e.g., create personal tenant). */
   onUserCreated?: (userId: string, userName: string, email: string) => Promise<void>;
 }
 
-const BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET || "";
-const BETTER_AUTH_URL = process.env.BETTER_AUTH_URL || "http://localhost:3100";
+const DEFAULT_RATE_LIMIT_RULES: Record<string, AuthRateLimitRule> = {
+  "/sign-in/email": { window: 900, max: 5 },
+  "/sign-up/email": { window: 3600, max: 10 },
+  "/request-password-reset": { window: 3600, max: 3 },
+};
 
 let _config: BetterAuthConfig | null = null;
 let _userCreator: IUserCreator | null = null;
 let _userCreatorPromise: Promise<IUserCreator> | null = null;
 
-async function getUserCreator(): Promise<IUserCreator> {
+export async function getUserCreator(): Promise<IUserCreator> {
   if (_userCreator) return _userCreator;
   if (!_userCreatorPromise) {
     if (!_config) throw new Error("BetterAuth not initialized — call initBetterAuth() first");
-    _userCreatorPromise = createUserCreator(new RoleStore(_config.db)).then((creator) => {
-      _userCreator = creator;
-      return creator;
-    });
+    _userCreatorPromise = createUserCreator(new RoleStore(_config.db))
+      .then((creator) => {
+        _userCreator = creator;
+        return creator;
+      })
+      .catch((err) => {
+        _userCreatorPromise = null;
+        throw err;
+      });
   }
   return _userCreatorPromise;
 }
 
-function authOptions(pool: Pool): BetterAuthOptions {
+/** Resolve OAuth providers from config or env vars. */
+function resolveSocialProviders(cfg: BetterAuthConfig): BetterAuthOptions["socialProviders"] {
+  if (cfg.socialProviders) return cfg.socialProviders;
+  return {
+    ...(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET
+      ? { github: { clientId: process.env.GITHUB_CLIENT_ID, clientSecret: process.env.GITHUB_CLIENT_SECRET } }
+      : {}),
+    ...(process.env.DISCORD_CLIENT_ID && process.env.DISCORD_CLIENT_SECRET
+      ? { discord: { clientId: process.env.DISCORD_CLIENT_ID, clientSecret: process.env.DISCORD_CLIENT_SECRET } }
+      : {}),
+    ...(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET
+      ? { google: { clientId: process.env.GOOGLE_CLIENT_ID, clientSecret: process.env.GOOGLE_CLIENT_SECRET } }
+      : {}),
+  };
+}
+
+function authOptions(cfg: BetterAuthConfig): BetterAuthOptions {
+  const pool = cfg.pool;
+  const secret = cfg.secret || process.env.BETTER_AUTH_SECRET;
+  if (!secret) {
+    if (process.env.NODE_ENV === "production") {
+      throw new Error("BETTER_AUTH_SECRET is required in production");
+    }
+    logger.warn("BetterAuth secret not configured — sessions may be insecure");
+  }
+  const baseURL = cfg.baseURL || process.env.BETTER_AUTH_URL || "http://localhost:3100";
+  const basePath = cfg.basePath || "/api/auth";
+  const cookieDomain = cfg.cookieDomain || process.env.COOKIE_DOMAIN;
+  const trustedOrigins =
+    cfg.trustedOrigins ||
+    (process.env.UI_ORIGIN || "http://localhost:3001")
+      .split(",")
+      .map((o) => o.trim())
+      .filter(Boolean);
+  // Default minPasswordLength: 12 — caller must explicitly override, not accidentally omit
+  const emailAndPassword = cfg.emailAndPassword
+    ? { minPasswordLength: 12, ...cfg.emailAndPassword }
+    : { enabled: true, minPasswordLength: 12 };
+
   return {
     database: pool,
-    secret: BETTER_AUTH_SECRET,
-    baseURL: BETTER_AUTH_URL,
-    basePath: "/api/auth",
-    socialProviders: {
-      ...(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET
-        ? { github: { clientId: process.env.GITHUB_CLIENT_ID, clientSecret: process.env.GITHUB_CLIENT_SECRET } }
-        : {}),
-      ...(process.env.DISCORD_CLIENT_ID && process.env.DISCORD_CLIENT_SECRET
-        ? { discord: { clientId: process.env.DISCORD_CLIENT_ID, clientSecret: process.env.DISCORD_CLIENT_SECRET } }
-        : {}),
-      ...(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET
-        ? { google: { clientId: process.env.GOOGLE_CLIENT_ID, clientSecret: process.env.GOOGLE_CLIENT_SECRET } }
-        : {}),
-    },
+    secret: secret || "",
+    baseURL,
+    basePath,
+    socialProviders: resolveSocialProviders(cfg),
     account: {
       accountLinking: {
         enabled: true,
-        trustedProviders: ["github", "google"],
+        trustedProviders: cfg.trustedProviders ?? ["github", "google"],
       },
     },
     emailAndPassword: {
-      enabled: true,
-      minPasswordLength: 12,
+      ...emailAndPassword,
       sendResetPassword: async ({ user, url }) => {
         try {
           const emailClient = getEmailClient();
@@ -99,12 +190,20 @@ function authOptions(pool: Pool): BetterAuthOptions {
               logger.error("Failed to run user creator:", error);
             }
 
+            if (cfg.onUserCreated) {
+              try {
+                await cfg.onUserCreated(user.id, user.name || user.email, user.email);
+              } catch (error) {
+                logger.error("Failed to run onUserCreated callback:", error);
+              }
+            }
+
             if (user.emailVerified) return;
 
             try {
               await initVerificationSchema(pool);
               const { token } = await generateVerificationToken(pool, user.id);
-              const verifyUrl = `${BETTER_AUTH_URL}/auth/verify?token=${token}`;
+              const verifyUrl = `${baseURL}${basePath}/verify?token=${token}`;
               const emailClient = getEmailClient();
               const template = verifyEmailTemplate(verifyUrl, user.email);
               await emailClient.send({
@@ -116,45 +215,30 @@ function authOptions(pool: Pool): BetterAuthOptions {
             } catch (error) {
               logger.error("Failed to send verification email:", error);
             }
-
-            // Delegate personal tenant creation to the consumer
-            if (_config?.onUserCreated) {
-              try {
-                await _config.onUserCreated(user.id, user.name || user.email, user.email);
-              } catch (error) {
-                logger.error("Failed to run onUserCreated callback:", error);
-              }
-            }
           },
         },
       },
     },
     session: {
-      cookieCache: { enabled: true, maxAge: 5 * 60 },
+      cookieCache: { enabled: true, maxAge: cfg.sessionCacheMaxAge ?? 300 },
     },
     advanced: {
-      cookiePrefix: "better-auth",
+      cookiePrefix: cfg.cookiePrefix || "better-auth",
       cookies: {
         session_token: {
-          attributes: {
-            domain: process.env.COOKIE_DOMAIN || ".wopr.bot",
-          },
+          attributes: cookieDomain ? { domain: cookieDomain } : {},
         },
       },
     },
-    plugins: [twoFactor()],
+    plugins: cfg.twoFactor !== false ? [twoFactor()] : [],
     rateLimit: {
       enabled: true,
-      window: 60,
-      max: 100,
-      customRules: {
-        "/sign-in/email": { window: 900, max: 5 },
-        "/sign-up/email": { window: 3600, max: 10 },
-        "/request-password-reset": { window: 3600, max: 3 },
-      },
+      window: cfg.rateLimitWindow ?? 60,
+      max: cfg.rateLimitMax ?? 100,
+      customRules: { ...DEFAULT_RATE_LIMIT_RULES, ...cfg.rateLimitRules },
       storage: "memory",
     },
-    trustedOrigins: (process.env.UI_ORIGIN || "http://localhost:3001").split(","),
+    trustedOrigins,
   };
 }
 
@@ -174,9 +258,11 @@ export async function runAuthMigrations(): Promise<void> {
   if (!_config) throw new Error("BetterAuth not initialized — call initBetterAuth() first");
   type DbModule = { getMigrations: (opts: BetterAuthOptions) => Promise<{ runMigrations: () => Promise<void> }> };
   const { getMigrations } = (await import("better-auth/db")) as unknown as DbModule;
-  const { runMigrations } = await getMigrations(authOptions(_config.pool));
+  const { runMigrations } = await getMigrations(authOptions(_config));
   await runMigrations();
-  await initTwoFactorSchema(_config.pool);
+  if (_config.twoFactor !== false) {
+    await initTwoFactorSchema(_config.pool);
+  }
 }
 
 let _auth: Auth | null = null;
@@ -188,7 +274,7 @@ let _auth: Auth | null = null;
 export function getAuth(): Auth {
   if (!_auth) {
     if (!_config) throw new Error("BetterAuth not initialized — call initBetterAuth() first");
-    _auth = betterAuth(authOptions(_config.pool));
+    _auth = betterAuth(authOptions(_config));
   }
   return _auth;
 }

package/src/auth/index.ts

@@ -518,3 +518,35 @@ export async function validateTenantAccess(
   const member = await orgMemberRepo.findMember(requestedTenantId, userId);
   return member !== null;
 }
+
+// ---------------------------------------------------------------------------
+// Re-exports — Better Auth factory, middleware, and repositories
+// ---------------------------------------------------------------------------
+
+export type { IApiKeyRepository } from "./api-key-repository.js";
+export { DrizzleApiKeyRepository } from "./api-key-repository.js";
+export type {
+  Auth,
+  AuthRateLimitRule,
+  BetterAuthConfig,
+  OAuthProvider,
+} from "./better-auth.js";
+// Test utilities — do not call in production code
+export {
+  getAuth,
+  getEmailVerifier,
+  getUserCreator,
+  initBetterAuth,
+  resetAuth,
+  resetUserCreator,
+  runAuthMigrations,
+  setAuth,
+} from "./better-auth.js";
+export type { ILoginHistoryRepository, LoginHistoryEntry } from "./login-history-repository.js";
+export { BetterAuthLoginHistoryRepository } from "./login-history-repository.js";
+export type { SessionAuthEnv } from "./middleware.js";
+export { dualAuth, sessionAuth } from "./middleware.js";
+export type { IUserCreator } from "./user-creator.js";
+export { createUserCreator } from "./user-creator.js";
+export type { IUserRoleRepository } from "./user-role-repository.js";
+export { DrizzleUserRoleRepository } from "./user-role-repository.js";

package/vitest.config.ts

@@ -3,6 +3,7 @@ import { defineConfig } from "vitest/config";
 export default defineConfig({
   test: {
     testTimeout: 30000,
+    hookTimeout: 30000,
     include: ["src/**/*.test.ts"],
     coverage: {
       provider: "v8",