appos 0.2.1-0 → 0.2.2-0

package/dist/exports/api/auth-schema.mjs

@@ -0,0 +1 @@
+import{sql as e}from"drizzle-orm";import{pgTable as t}from"drizzle-orm/pg-core";function n(){let n=t(`accounts`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),accessToken:t.text(`access_token`),accessTokenExpiresAt:t.timestamp(`access_token_expires_at`,{mode:`string`,withTimezone:!0}),accountId:t.text(`account_id`).notNull(),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),idToken:t.text(`id_token`),providerId:t.text(`provider_id`).notNull(),password:t.text(`password`),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`}),refreshToken:t.text(`refresh_token`),refreshTokenExpiresAt:t.timestamp(`refresh_token_expires_at`,{mode:`string`,withTimezone:!0}),scope:t.text(`scope`),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),r=t(`api_keys`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),name:t.text(`name`),enabled:t.boolean(`enabled`).default(!0),expiresAt:t.timestamp(`expires_at`,{mode:`string`,withTimezone:!0}),key:t.text(`key`).notNull(),lastRefillAt:t.timestamp(`last_refill_at`,{mode:`string`,withTimezone:!0}),lastRequest:t.timestamp(`last_request`,{mode:`string`,withTimezone:!0}),lastUsedAt:t.timestamp(`last_used_at`,{mode:`string`,withTimezone:!0}),metadata:t.text(`metadata`),permissions:t.text(`permissions`),prefix:t.text(`prefix`),rateLimitEnabled:t.boolean(`rate_limit_enabled`).default(!0),rateLimitTimeWindow:t.integer(`rate_limit_time_window`).default(864e5),rateLimitMax:t.integer(`rate_limit_max`).default(10),refillInterval:t.integer(`refill_interval`),refillAmount:t.integer(`refill_amount`),requestCount:t.integer(`request_count`),remaining:t.integer(`remaining`),start:t.text(`start`),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`}),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),i=t(`invitations`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),email:t.text(`email`).notNull(),expiresAt:t.timestamp(`expires_at`,{mode:`string`,withTimezone:!0}).notNull(),inviterId:t.text(`inviter_id`).notNull().references(()=>l.id,{onDelete:`cascade`}),organizationId:t.text(`organization_id`).notNull().references(()=>o.id,{onDelete:`cascade`}),role:t.text(`role`),status:t.text(`status`).default(`pending`).notNull(),teamId:t.text(`team_id`),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),a=t(`members`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),organizationId:t.text(`organization_id`).notNull().references(()=>o.id,{onDelete:`cascade`}),role:t.text(`role`).default(`member`).notNull(),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`}),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),o=t(`organizations`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),name:t.text(`name`).notNull(),slug:t.text(`slug`).unique(),logo:t.text(`logo`),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),metadata:t.text(`metadata`)}),e=>[]),s=t(`sessions`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),activeOrganizationId:t.text(`active_organization_id`).references(()=>o.id,{onDelete:`set null`}),activeTeamId:t.text(`active_team_id`),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),expiresAt:t.timestamp(`expires_at`,{mode:`string`,withTimezone:!0}).notNull(),impersonatedBy:t.text(`impersonated_by`).references(()=>l.id,{onDelete:`set null`}),ipAddress:t.text(`ip_address`),token:t.text(`token`).notNull().unique(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),userAgent:t.text(`user_agent`),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`})}),e=>[]),c=t(`sso_providers`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),domain:t.text(`domain`).notNull(),issuer:t.text(`issuer`).notNull(),oidcConfig:t.text(`oidc_config`),organizationId:t.text(`organization_id`).references(()=>o.id,{onDelete:`cascade`}),providerId:t.text(`provider_id`).notNull().unique(),samlConfig:t.text(`saml_config`),userId:t.text(`user_id`).references(()=>l.id,{onDelete:`cascade`})}),e=>[]),l=t(`users`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),banExpires:t.timestamp(`ban_expires`,{mode:`string`,withTimezone:!0}),banReason:t.text(`ban_reason`),banned:t.boolean(`banned`).default(!1),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),displayUsername:t.text(`display_username`),email:t.text(`email`).notNull().unique(),emailVerified:t.boolean(`email_verified`).default(!1).notNull(),image:t.text(`image`),isAnonymous:t.boolean(`is_anonymous`),lastLoginMethod:t.text(`last_login_method`),name:t.text(`name`).notNull(),phoneNumber:t.text(`phone_number`).unique(),phoneNumberVerified:t.boolean(`phone_number_verified`),role:t.text(`role`),twoFactorEnabled:t.boolean(`two_factor_enabled`).default(!1),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),username:t.text(`username`).unique()}),e=>[]),u=t(`teams`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),name:t.text(`name`).notNull(),organizationId:t.text(`organization_id`).notNull().references(()=>o.id,{onDelete:`cascade`}),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),d=t(`team_members`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),teamId:t.text(`team_id`).notNull().references(()=>u.id,{onDelete:`cascade`}),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`}),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),f=t(`two_factors`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),secret:t.text(`secret`).notNull(),backupCodes:t.text(`backup_codes`).notNull(),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`})}),e=>[]),p=t(`verifications`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),expiresAt:t.timestamp(`expires_at`,{mode:`string`,withTimezone:!0}).notNull(),identifier:t.text(`identifier`).notNull(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),value:t.text(`value`).notNull()}),e=>[]);return{tables:{accounts:n,apiKeys:r,auditLogs:t(`audit_logs`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),tableName:t.text(`table_name`),action:t.text(`action`).notNull(),customAction:t.text(`custom_action`),oldData:t.jsonb(`old_data`),newData:t.jsonb(`new_data`),metadata:t.jsonb(`metadata`),organizationId:t.text(`organization_id`).references(()=>o.id,{onDelete:`set null`}),userId:t.text(`user_id`).references(()=>l.id,{onDelete:`set null`}),sessionId:t.text(`session_id`).references(()=>s.id,{onDelete:`set null`}),requestId:t.text(`request_id`),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),invitations:i,members:a,organizations:o,sessions:s,ssoProviders:c,teams:u,teamMembers:d,twoFactors:f,users:l,verifications:p},relations:e=>({users:{sessions:e.many.sessions({from:e.users.id,to:e.sessions.userId}),accounts:e.many.accounts({from:e.users.id,to:e.accounts.userId}),apiKeys:e.many.apiKeys({from:e.users.id,to:e.apiKeys.userId}),memberships:e.many.members({from:e.users.id,to:e.members.userId}),invitations:e.many.invitations({from:e.users.id,to:e.invitations.inviterId}),ssoProvider:e.one.ssoProviders({from:e.users.id,to:e.ssoProviders.userId}),twoFactor:e.one.twoFactors({from:e.users.id,to:e.twoFactors.userId})},sessions:{user:e.one.users({from:e.sessions.userId,to:e.users.id})},accounts:{user:e.one.users({from:e.accounts.userId,to:e.users.id})},apiKeys:{user:e.one.users({from:e.apiKeys.userId,to:e.users.id})},organizations:{members:e.many.members({from:e.organizations.id,to:e.members.organizationId}),invitations:e.many.invitations({from:e.organizations.id,to:e.invitations.organizationId}),teams:e.many.teams({from:e.organizations.id,to:e.teams.organizationId})},members:{organization:e.one.organizations({from:e.members.organizationId,to:e.organizations.id}),user:e.one.users({from:e.members.userId,to:e.users.id})},invitations:{organization:e.one.organizations({from:e.invitations.organizationId,to:e.organizations.id}),inviter:e.one.users({from:e.invitations.inviterId,to:e.users.id})},teams:{organization:e.one.organizations({from:e.teams.organizationId,to:e.organizations.id})},ssoProviders:{user:e.one.users({from:e.ssoProviders.userId,to:e.users.id})},verifications:{},twoFactors:{user:e.one.users({from:e.twoFactors.userId,to:e.users.id})},auditLogs:{organization:e.one.organizations({from:e.auditLogs.organizationId,to:e.organizations.id}),user:e.one.users({from:e.auditLogs.userId,to:e.users.id}),session:e.one.sessions({from:e.auditLogs.sessionId,to:e.sessions.id})}})}}export{n as defineAuthSchema};

package/dist/exports/api/auth.d.mts

@@ -0,0 +1,398 @@
+import { Database, QualifiedTableNames } from "./database.mjs";
+import { betterAuth } from "better-auth";
+import { Role, createAccessControl } from "better-auth/plugins/access";
+import { z } from "zod";
+
+//#region src/api/auth.d.ts
+
+/**
+ * Type for access controller created via createAccessControl().
+ * Used for RBAC on both server and client.
+ */
+type AccessController = ReturnType<typeof createAccessControl>;
+/**
+ * Type for roles created via ac.newRole().
+ * Uses Role type from better-auth for compatibility.
+ */
+type AccessControlRoles = Record<string, Role>;
+/**
+ * Standard audit log actions following OCSF/CADF standards.
+ * Zod enum provides both runtime validation and TypeScript type.
+ *
+ * Actions:
+ * - Data ops: INSERT, UPDATE, DELETE, TRUNCATE, SELECT
+ * - Auth ops: LOGIN, LOGOUT, LOGIN_FAILED, PASSWORD_CHANGE
+ * - Custom: CUSTOM (use customAction field for app-specific events)
+ */
+declare const auditActionSchema: z.ZodEnum<{
+  DELETE: "DELETE";
+  LOGIN: "LOGIN";
+  LOGOUT: "LOGOUT";
+  INSERT: "INSERT";
+  PASSWORD_CHANGE: "PASSWORD_CHANGE";
+  TRUNCATE: "TRUNCATE";
+  UPDATE: "UPDATE";
+}>;
+/**
+ * TypeScript type extracted from Zod enum.
+ * Use this type for type annotations.
+ */
+type AuditAction = z.infer<typeof auditActionSchema>;
+/**
+ * Type-safe audit log options for defineAuth().
+ * Generic over db object to provide autocomplete for excludeTables.
+ *
+ * @template TDb - Database record type for table name inference
+ */
+type AuditLogOptions<TDb> = {
+  /**
+   * Tables to exclude from audit logging.
+   */
+  excludeTables?: QualifiedTableNames<TDb>[];
+  /**
+   * Cron expression for purge schedule.
+   *
+   * @default "0 0 * * *"
+   */
+  purgeCron?: string;
+  /**
+   * Retention period in days. Audit logs older than this are auto-deleted.
+   * @default 90
+   */
+  retentionDays?: number;
+};
+/**
+ * Neutral auth configuration - shared between server and client.
+ * Contains ONLY fields that affect both sides (UI + server features).
+ *
+ * PRESENCE-BASED CONFIG: If a key exists, it's enabled. No redundant `enabled` fields.
+ * Server-only fields (appName, session) are passed via DefineAuthOptions.
+ */
+interface AuthConfig {
+  /**
+   * Base URL where auth server is hosted.
+   *
+   * @default "" (same origin - client uses relative URLs)
+   * @example "http://localhost:8000" for cross-origin
+   */
+  baseURL?: string;
+  /**
+   * Base path for auth routes.
+   *
+   * @default "/auth"
+   */
+  basePath?: string;
+  /** Authentication methods - if defined, it's enabled */
+  methods?: {
+    /** Email/password auth. If defined, enabled. */
+    emailPassword?: {
+      requireEmailVerification?: boolean;
+      minPasswordLength?: number;
+      maxPasswordLength?: number;
+    };
+    /** Magic link auth. If defined, enabled. */
+    magicLink?: {
+      expiresIn?: number;
+    };
+    /** Passkey auth. If defined (even as empty object), enabled. */
+    passkey?: Record<string, never>;
+    /** Phone OTP auth. If defined, enabled. */
+    phoneOtp?: {
+      otpLength?: number;
+      expiresIn?: number;
+    };
+    /** Email OTP auth. If defined, enabled. */
+    emailOtp?: {
+      otpLength?: number;
+      expiresIn?: number;
+    };
+  };
+  /** OAuth providers - true = enabled, undefined/false = disabled */
+  oauth?: {
+    google?: boolean;
+    github?: boolean;
+    apple?: boolean;
+    facebook?: boolean;
+  };
+  /** Plugins - if defined, it's enabled */
+  plugins?: {
+    /** Admin plugin. If defined, enabled. Includes RBAC for both server and client. */
+    admin?: {
+      defaultRole?: string;
+      adminRoles?: string[];
+      /** Access controller created via createAccessControl() - shared between server and client */
+      ac: AccessController;
+      /** Role definitions created via ac.newRole() - shared between server and client */
+      roles: AccessControlRoles;
+    };
+    /** API key plugin. If defined, enabled. */
+    apiKey?: {
+      defaultPrefix?: string;
+      defaultKeyLength?: number;
+      rateLimit?: {
+        maxRequests?: number;
+        timeWindow?: number;
+      };
+    };
+    /** Two-factor plugin. If defined, enabled. Sub-features also presence-based. */
+    twoFactor?: {
+      issuer?: string;
+      totp?: {
+        digits?: 6 | 8;
+        period?: number;
+      };
+      otp?: boolean;
+      backupCodes?: {
+        amount?: number;
+        length?: number;
+      };
+    };
+    /** Multi-session plugin. If defined, enabled. */
+    multiSession?: {
+      maximumSessions?: number;
+    };
+    /** Username plugin. If defined, enabled. */
+    username?: {
+      minUsernameLength?: number;
+      maxUsernameLength?: number;
+    };
+    /** Anonymous auth plugin. If defined, enabled. */
+    anonymous?: {
+      emailDomainName?: string;
+    };
+    /** SSO plugin. If defined, enabled. Import from @better-auth/sso */
+    sso?: {
+      providersLimit?: number;
+      trustEmailVerified?: boolean;
+      domainVerification?: boolean;
+    };
+  };
+}
+/** Base hook types for reference */
+type EmailHook = (params: {
+  email: string;
+  url: string;
+  token: string;
+}) => Promise<void>;
+type OtpHook = (params: {
+  email: string;
+  otp: string;
+}) => Promise<void>;
+type PhoneOtpHook = (params: {
+  phoneNumber: string;
+  otp: string;
+}) => Promise<void>;
+/**
+ * Conditionally required hooks based on config.
+ * Uses PRESENCE-BASED detection - if key exists, hook is REQUIRED.
+ */
+type RequiredHooks<T extends AuthConfig> = (T["methods"] extends {
+  emailPassword: {
+    requireEmailVerification: true;
+  };
+} ? {
+  sendVerificationEmail: EmailHook;
+} : {
+  sendVerificationEmail?: EmailHook;
+}) & (T["methods"] extends {
+  emailPassword: object;
+} ? {
+  sendResetPasswordEmail: EmailHook;
+} : {
+  sendResetPasswordEmail?: EmailHook;
+}) & (T["methods"] extends {
+  magicLink: object;
+} ? {
+  sendMagicLink: EmailHook;
+} : {
+  sendMagicLink?: EmailHook;
+}) & (T["methods"] extends {
+  emailOtp: object;
+} ? {
+  sendEmailOTP: OtpHook;
+} : {
+  sendEmailOTP?: OtpHook;
+}) & (T["methods"] extends {
+  phoneOtp: object;
+} ? {
+  sendPhoneOTP: PhoneOtpHook;
+} : {
+  sendPhoneOTP?: PhoneOtpHook;
+}) & (T["plugins"] extends {
+  twoFactor: {
+    otp: true;
+  };
+} ? {
+  send2FAOTP: OtpHook;
+} : {
+  send2FAOTP?: OtpHook;
+});
+/**
+ * Conditionally required OAuth credentials based on config.
+ * If an OAuth provider is enabled in config, its credentials are REQUIRED.
+ */
+type RequiredOAuth<T extends AuthConfig> = (T["oauth"] extends {
+  google: true;
+} ? {
+  google: {
+    clientId: string;
+    clientSecret: string;
+  };
+} : {
+  google?: {
+    clientId: string;
+    clientSecret: string;
+  };
+}) & (T["oauth"] extends {
+  github: true;
+} ? {
+  github: {
+    clientId: string;
+    clientSecret: string;
+  };
+} : {
+  github?: {
+    clientId: string;
+    clientSecret: string;
+  };
+}) & (T["oauth"] extends {
+  apple: true;
+} ? {
+  apple: {
+    clientId: string;
+    clientSecret: string;
+  };
+} : {
+  apple?: {
+    clientId: string;
+    clientSecret: string;
+  };
+}) & (T["oauth"] extends {
+  facebook: true;
+} ? {
+  facebook: {
+    clientId: string;
+    clientSecret: string;
+  };
+} : {
+  facebook?: {
+    clientId: string;
+    clientSecret: string;
+  };
+});
+/** Check if any OAuth provider is enabled */
+type HasOAuthEnabled<T extends AuthConfig> = T["oauth"] extends {
+  google: true;
+} | {
+  github: true;
+} | {
+  apple: true;
+} | {
+  facebook: true;
+} ? true : false;
+/** Check if passkey is enabled */
+type HasPasskeyEnabled<T extends AuthConfig> = T["methods"] extends {
+  passkey: object;
+} ? true : false;
+/**
+ * Server-only session configuration.
+ */
+interface AuthSessionConfig {
+  /**
+   * Session duration in seconds.
+   *
+   * @default 604800 (7 days)
+   */
+  expiresIn?: number;
+  /**
+   * How often to update session in seconds.
+   *
+   * @default 86400 (1 day)
+   */
+  updateAge?: number;
+  /**
+   * Session freshness in seconds for sensitive ops.
+   *
+   * @default 86400 (1 day)
+   */
+  freshAge?: number;
+}
+/**
+ * Server-only passkey configuration (required if passkey is enabled).
+ */
+interface AuthPasskeyConfig {
+  /**
+   * Relying Party ID - domain for passkey (e.g., "example.com" or "localhost").
+   */
+  rpID: string;
+  /**
+   * Origin URL for passkey verification (e.g., "http://localhost:8000").
+   */
+  origin: string;
+}
+/**
+ * Fully type-safe options for defineAuth().
+ *
+ * Server-only fields:
+ * - `appName` - Application name for passkey rpName, TOTP issuer, emails
+ * - `auditLog` - Audit logging configuration
+ * - `session` - Session duration and freshness settings
+ *
+ * Conditional requirements:
+ * - If config has `oauth.google: true`, then `oauth.google` credentials are REQUIRED
+ * - If config has `methods.magicLink` defined, then `hooks.sendMagicLink` is REQUIRED
+ *
+ * @template T - Auth config type
+ * @template TDb - Database record type for type-safe excludeTables
+ */
+type DefineAuthOptions<T extends AuthConfig, TDb = unknown> = {
+  /**
+   * The application name.
+   */
+  appName: string;
+  /**
+   * Audit logging configuration (server-only). Use qualified table names: "dbName.tableName".
+   */
+  auditLog?: AuditLogOptions<TDb>;
+  /**
+   * The neutral auth configuration.
+   */
+  config: T;
+  /**
+   * Full db object (container.db) for type inference.
+   */
+  db: TDb;
+  /**
+   * Primary database for Better Auth storage.
+   */
+  database: Database;
+  /**
+   * Hooks for email sending and OTP delivery.
+   */
+  hooks: RequiredHooks<T>;
+  /**
+   * Session configuration.
+   */
+  session?: AuthSessionConfig;
+} & (HasOAuthEnabled<T> extends true ? {
+  oauth: RequiredOAuth<T>;
+} : {
+  oauth?: RequiredOAuth<T>;
+}) & (HasPasskeyEnabled<T> extends true ? {
+  passkey: AuthPasskeyConfig;
+} : {
+  passkey?: AuthPasskeyConfig;
+});
+/**
+ * Defines Better Auth instance from neutral config + server dependencies.
+ */
+declare function defineAuth<T extends AuthConfig, TDb extends Record<"primary", Database> & Record<string, Database> = Record<"primary", Database> & Record<string, Database>>(opts: DefineAuthOptions<T, TDb>): ReturnType<typeof betterAuth> & {
+  auditLog?: AuditLogOptions<TDb>;
+  shouldAudit(tableName: QualifiedTableNames<TDb>): boolean;
+};
+/**
+ * The auth instance type.
+ */
+type Auth$1<TDb extends Record<"primary", Database> & Record<string, Database> = Record<"primary", Database> & Record<string, Database>> = ReturnType<typeof defineAuth<AuthConfig, TDb>>;
+//#endregion
+export { AccessControlRoles, AccessController, AuditAction, Auth$1 as Auth, AuthConfig, AuthPasskeyConfig, AuthSessionConfig, DefineAuthOptions, type Role, auditActionSchema, createAccessControl, defineAuth };

package/dist/exports/api/auth.mjs

@@ -0,0 +1 @@
+import{AUTH_BASE_PATH as e,AUTH_BASE_URL as t}from"./packages/appos/src/web/auth.mjs";import{passkey as n}from"@better-auth/passkey";import{sso as r}from"@better-auth/sso";import{betterAuth as i}from"better-auth";import{drizzleAdapter as a}from"better-auth/adapters/drizzle";import{admin as o,anonymous as s,apiKey as c,emailOTP as l,magicLink as u,multiSession as d,phoneNumber as f,twoFactor as p,username as m}from"better-auth/plugins";import{createAccessControl as h}from"better-auth/plugins/access";import{z as g}from"zod";const _=g.enum([`DELETE`,`LOGIN`,`LOGOUT`,`INSERT`,`PASSWORD_CHANGE`,`TRUNCATE`,`UPDATE`]);function v(h){let{auditLog:g,config:_,appName:v,database:y,hooks:b,oauth:x,session:S,passkey:C}=h,w=[];_.plugins?.admin&&w.push(o({defaultRole:_.plugins.admin.defaultRole,adminRoles:_.plugins.admin.adminRoles})),_.plugins?.apiKey&&w.push(c({defaultPrefix:_.plugins.apiKey.defaultPrefix,defaultKeyLength:_.plugins.apiKey.defaultKeyLength,rateLimit:_.plugins.apiKey.rateLimit?{enabled:!0,maxRequests:_.plugins.apiKey.rateLimit.maxRequests,timeWindow:_.plugins.apiKey.rateLimit.timeWindow}:void 0})),_.plugins?.twoFactor&&w.push(p({issuer:_.plugins.twoFactor.issuer??v,totpOptions:_.plugins.twoFactor.totp?{digits:_.plugins.twoFactor.totp.digits,period:_.plugins.twoFactor.totp.period}:void 0,backupCodeOptions:_.plugins.twoFactor.backupCodes?{amount:_.plugins.twoFactor.backupCodes.amount,length:_.plugins.twoFactor.backupCodes.length}:void 0,otpOptions:_.plugins.twoFactor.otp&&b.send2FAOTP?{sendOTP:async({user:e,otp:t})=>b.send2FAOTP({email:e.email,otp:t})}:void 0})),_.methods?.passkey&&C&&w.push(n({rpName:v,rpID:C.rpID,origin:C.origin})),_.methods?.magicLink&&b.sendMagicLink&&w.push(u({expiresIn:_.methods.magicLink.expiresIn,sendMagicLink:async({email:e,url:t,token:n})=>{await b.sendMagicLink({email:e,url:t,token:n})}})),_.methods?.phoneOtp&&b.sendPhoneOTP&&w.push(f({otpLength:_.methods.phoneOtp.otpLength,expiresIn:_.methods.phoneOtp.expiresIn,sendOTP:async({phoneNumber:e,code:t})=>{await b.sendPhoneOTP({phoneNumber:e,otp:t})}})),_.methods?.emailOtp&&b.sendEmailOTP&&w.push(l({otpLength:_.methods.emailOtp.otpLength,expiresIn:_.methods.emailOtp.expiresIn,sendVerificationOTP:async({email:e,otp:t})=>{await b.sendEmailOTP({email:e,otp:t})}})),_.plugins?.username&&w.push(m({minUsernameLength:_.plugins.username.minUsernameLength,maxUsernameLength:_.plugins.username.maxUsernameLength})),_.plugins?.anonymous&&w.push(s({emailDomainName:_.plugins.anonymous.emailDomainName})),_.plugins?.multiSession&&w.push(d({maximumSessions:_.plugins.multiSession.maximumSessions})),_.plugins?.sso&&w.push(r({providersLimit:_.plugins.sso.providersLimit,trustEmailVerified:_.plugins.sso.trustEmailVerified,domainVerification:_.plugins.sso.domainVerification?{enabled:!0}:void 0}));let T={};_.oauth?.google&&(T.google={clientId:x?.google?.clientId??process.env.GOOGLE_CLIENT_ID??``,clientSecret:x?.google?.clientSecret??process.env.GOOGLE_CLIENT_SECRET??``}),_.oauth?.github&&(T.github={clientId:x?.github?.clientId??process.env.GITHUB_CLIENT_ID??``,clientSecret:x?.github?.clientSecret??process.env.GITHUB_CLIENT_SECRET??``}),_.oauth?.apple&&(T.apple={clientId:x?.apple?.clientId??process.env.APPLE_CLIENT_ID??``,clientSecret:x?.apple?.clientSecret??process.env.APPLE_CLIENT_SECRET??``}),_.oauth?.facebook&&(T.facebook={clientId:x?.facebook?.clientId??process.env.FACEBOOK_CLIENT_ID??``,clientSecret:x?.facebook?.clientSecret??process.env.FACEBOOK_CLIENT_SECRET??``});let E=_.basePath??e,D=_.baseURL??t,O=i({account:{accountLinking:{enabled:!0,trustedProviders:[`email-password`,`google`]}},advanced:{cookiePrefix:v.replace(/\s+/g,`_`).toLowerCase(),database:{generateId:!1},ipAddress:{disableIpTracking:!1,ipAddressHeaders:[`cf-connecting-ip`,`x-client-ip`,`x-forwarded-for`,`x-real-ip`]}},appName:v,baseURL:D||void 0,basePath:E,database:a(y,{provider:`pg`,usePlural:!0}),emailAndPassword:_.methods?.emailPassword?{enabled:!0,requireEmailVerification:_.methods.emailPassword.requireEmailVerification,minPasswordLength:_.methods.emailPassword.minPasswordLength,maxPasswordLength:_.methods.emailPassword.maxPasswordLength,sendVerificationEmail:b.sendVerificationEmail?async({user:e,url:t,token:n})=>b.sendVerificationEmail({email:e.email,url:t,token:n}):void 0,sendResetPassword:b.sendResetPasswordEmail?async({user:e,url:t,token:n})=>b.sendResetPasswordEmail({email:e.email,url:t,token:n}):void 0}:{enabled:!1},plugins:w,socialProviders:Object.keys(T).length>0?T:void 0,session:S?{expiresIn:S.expiresIn,updateAge:S.updateAge,freshAge:S.freshAge}:void 0}),k=new Set(g?.excludeTables??[]);return Object.assign(O,{auditLog:g,shouldAudit(e){return!k.has(e)}})}export{_ as auditActionSchema,h as createAccessControl,v as defineAuth};

package/dist/exports/api/cache.d.mts

@@ -0,0 +1,44 @@
+import { Logger } from "./logger.mjs";
+import { KeyvRedisOptions } from "@keyv/redis";
+import * as keyv0 from "keyv";
+
+//#region src/api/cache.d.ts
+/**
+ * The cache instance type.
+ */
+type Cache = ReturnType<typeof defineCache>;
+/**
+ * Options for defining the cache.
+ */
+type DefineCacheOptions = {
+  /**
+   * Redis URL(s). Single or comma-separated for cluster.
+   */
+  url: string;
+  /**
+   * The logger instance.
+   */
+  logger: Logger;
+  /**
+   * The Keyv Redis options.
+   */
+  options?: KeyvRedisOptions;
+};
+/**
+ * Define the cache instance using shared Redis client.
+ * Connection is lazy - only connects when first cache operation is performed.
+ *
+ * Algorithm:
+ * 1. Create Redis client using defineRedisClient() (lazy connection)
+ * 2. Pass client to createKeyv() - connection happens on first use
+ *
+ * @param opts - The options for defining the cache.
+ * @returns The cache instance.
+ */
+declare function defineCache({
+  url,
+  logger,
+  options
+}: DefineCacheOptions): keyv0.Keyv<any>;
+//#endregion
+export { Cache, DefineCacheOptions, defineCache };

package/dist/exports/api/cache.mjs

@@ -0,0 +1 @@
+import{defineRedisClient as e}from"./redis.mjs";import{createKeyv as t}from"@keyv/redis";function n({url:n,logger:r,options:i}){let a=t(e({logger:r,url:n}),i);return a.on(`error`,e=>{r.error({err:e},`Cache Keyv error`)}),a}export{n as defineCache};

package/dist/exports/api/config.d.mts

@@ -0,0 +1,28 @@
+import { z } from "zod";
+
+//#region src/api/config.d.ts
+
+/**
+ * The config base schema.
+ */
+declare const baseSchema: z.ZodObject<{
+  APP_NAME: z.ZodDefault<z.ZodString>;
+  APP_DESC: z.ZodDefault<z.ZodString>;
+  APP_VERSION: z.ZodDefault<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Creates a configuration object by merging base config with user-defined schema.
+ *
+ * Variables in default values are expanded after defaults are applied.
+ * For example: `DATABASE_URL: z.string().default("postgres://{{DB_HOST}}:5432")`
+ *
+ * @param userSchema User-defined Zod schema to merge with base config.
+ * @returns Parsed and validated configuration object.
+ */
+declare function defineConfig<T extends z.ZodRawShape = {}>(userSchema: z.ZodObject<T>): Config<T>;
+/**
+ * The configuration type inferred from the merged schema.
+ */
+type Config<T extends z.ZodRawShape = {}> = z.infer<ReturnType<typeof baseSchema.extend<T>>>;
+//#endregion
+export { Config, baseSchema, defineConfig };

package/dist/exports/api/config.mjs

@@ -0,0 +1 @@
+import{z as e}from"zod";const t=e.object({APP_NAME:e.string().default(`AppOS`),APP_DESC:e.string().default(`The app operating system to build your business.`),APP_VERSION:e.string().default(`development`)});function n(e){let t={...e},n=new Set;function r(e,i){if(n.has(e))throw Error(`Circular reference detected in environment variable: ${e}`);n.add(e);let a=i.replace(/\{\{([^}]+)\}\}/g,(e,n)=>{let i=n.trim();if(!i)return e;let a=t[i];return a===void 0?e:a.includes(`{{`)?r(i,a):a});return n.delete(e),a}for(let[e,n]of Object.entries(t))n?.includes(`{{`)&&(t[e]=r(e,n));return t}function r(e){let r=t.extend(e.shape),i={};for(let[e,t]of Object.entries(r.shape)){let n=t;for(;n;){let t=n.def;if(t.defaultValue!==void 0){let n=typeof t.defaultValue==`function`?t.defaultValue():t.defaultValue;typeof n==`string`&&(i[e]=n);break}n=t.innerType||t.schema}}let a={...i};for(let[e,t]of Object.entries(process.env))t!==void 0&&(a[e]=t);return r.parse(n(a))}export{t as baseSchema,r as defineConfig};