better-auth-audit-logs 0.1.0

package/README.md

@@ -0,0 +1,366 @@
+# better-auth-audit-logs
+
+Audit log plugin for [Better Auth](https://better-auth.com). Captures auth lifecycle events, stores structured log entries with IP and user agent, and exposes query endpoints — with PII redaction, custom storage backends, and a manual insertion escape hatch.
+
+## Requirements
+
+- `better-auth >= 1.0.0`
+- `typescript >= 5.0`
+
+## Installation
+
+```bash
+# npm
+npm install better-auth-audit-logs
+
+# pnpm
+pnpm add better-auth-audit-logs
+
+# yarn
+yarn add better-auth-audit-logs
+
+# bun
+bun add better-auth-audit-logs
+```
+
+## Setup
+
+### 1. Add the plugin to your auth config
+
+```ts
+import { betterAuth } from "better-auth";
+import { auditLog } from "better-auth-audit-logs";
+
+export const auth = betterAuth({
+  // ...
+  plugins: [auditLog()],
+});
+```
+
+### 2. Generate and run the migration
+
+```bash
+npx @better-auth/cli generate
+```
+
+This adds an `audit_log` table to your database. All columns are indexed for efficient querying.
+
+### 3. Add the client plugin (optional)
+
+```ts
+import { createAuthClient } from "better-auth/client";
+import { auditLogClient } from "better-auth-audit-logs/client";
+
+export const authClient = createAuthClient({
+  plugins: [auditLogClient()],
+});
+```
+
+## What gets logged
+
+All auth `POST` endpoints are captured by default. Destructive events (where session data would be lost after execution) use a `before` hook — all others use `after`.
+
+| Event | Path | Notes |
+|---|---|---|
+| Sign in | `/sign-in/email`, `/sign-in/social` | `userId` is `null` on failed attempts |
+| Sign up | `/sign-up/email` | |
+| Change password | `/change-password` | |
+| Reset password | `/reset-password` | |
+| Change email | `/change-email` | |
+| Two-factor | `/two-factor/*` | |
+| OAuth callback | `/oauth/callback` | |
+| Sign out | `/sign-out` | Logged **before** session is destroyed |
+| Delete account | `/delete-user` | Logged **before** session is destroyed |
+| Revoke session | `/revoke-session`, `/revoke-sessions`, `/revoke-other-sessions` | Logged **before** session is destroyed |
+
+Severity is inferred automatically:
+
+| Pattern | Severity |
+|---|---|
+| `ban-user`, `impersonate-user` | `critical` |
+| `delete-user`, `revoke-sessions` | `high` |
+| Failed sign-in | `high` |
+| `sign-in`, `sign-out`, `two-factor` | `medium` |
+| Everything else | `low` |
+
+Override severity per-path via the `paths` option.
+
+## Configuration
+
+All options are optional — defaults are listed below.
+
+```ts
+auditLog({
+  enabled: true,
+  nonBlocking: false,
+  paths: [],              // empty = capture all POST paths
+  piiRedaction: {
+    enabled: false,
+    strategy: "mask",     // "mask" | "hash" | "remove"
+    fields: [],           // see default field list below
+  },
+  capture: {
+    ipAddress: true,
+    userAgent: true,
+    requestBody: false,
+  },
+  retention: undefined,   // no automatic cleanup by default
+  beforeLog: undefined,
+  afterLog: undefined,
+  storage: undefined,     // uses Better Auth's database by default
+  schema: undefined,
+})
+```
+
+### Options reference
+
+| Option | Type | Default | Description |
+|---|---|---|---|
+| `enabled` | `boolean` | `true` | Set to `false` to disable all logging without removing the plugin |
+| `nonBlocking` | `boolean` | `false` | Fire-and-forget — log writes never block the auth response |
+| `paths` | `(string \| PathConfig)[]` | `[]` | Restrict logging to specific paths. Empty captures all |
+| `piiRedaction.enabled` | `boolean` | `false` | Redact sensitive fields from request body snapshots |
+| `piiRedaction.strategy` | `"mask" \| "hash" \| "remove"` | `"mask"` | How to redact matched fields |
+| `piiRedaction.fields` | `string[]` | see below | Fields to redact |
+| `capture.ipAddress` | `boolean` | `true` | Capture client IP address |
+| `capture.userAgent` | `boolean` | `true` | Capture `User-Agent` header |
+| `capture.requestBody` | `boolean` | `false` | Include request body snapshot in `metadata` |
+| `retention.enabled` | `boolean` | — | Enable scheduled cleanup |
+| `retention.days` | `number` | — | Delete entries older than N days |
+| `beforeLog` | `function` | — | Intercept entries before write. Return `null` to suppress |
+| `afterLog` | `function` | — | Called after each successful write |
+| `storage` | `AuditLogStorage` | — | Custom storage backend |
+| `schema.auditLog.modelName` | `string` | `"audit_log"` | Override the DB table name |
+| `schema.auditLog.fields` | `Record<string, string>` | — | Rename individual columns |
+
+### Path-level config
+
+Restrict and customise logging per endpoint:
+
+```ts
+auditLog({
+  paths: [
+    "/sign-in/email",
+    "/sign-up/email",
+    { path: "/change-password", config: { severity: "high" } },
+    { path: "/delete-user", config: { capture: { requestBody: true } } },
+  ],
+})
+```
+
+### PII redaction
+
+When `requestBody` capture is enabled, sensitive fields are redacted before storage. Default fields:
+
+```
+password, newPassword, token, secret, apiKey, refreshToken, accessToken, code, backupCode, otp
+```
+
+```ts
+auditLog({
+  capture: { requestBody: true },
+  piiRedaction: {
+    enabled: true,
+    strategy: "hash",           // SHA-256 via Web Crypto
+    fields: ["password", "ssn", "creditCard"],
+  },
+})
+```
+
+Strategies: `"mask"` replaces with `***`, `"hash"` replaces with a SHA-256 hex digest, `"remove"` deletes the key entirely.
+
+### `beforeLog` / `afterLog`
+
+```ts
+auditLog({
+  // Drop entries or modify them before write
+  beforeLog: async (entry) => {
+    if (entry.userId === "service-account-id") return null;
+    return entry;
+  },
+
+  // Forward to an external system after write
+  afterLog: async (entry) => {
+    await analytics.track("auth.event", entry);
+  },
+})
+```
+
+### Custom table name
+
+```ts
+auditLog({
+  schema: {
+    auditLog: {
+      modelName: "auth_events",   // maps to auth_events table in DB
+    },
+  },
+})
+```
+
+## Custom storage
+
+Route log writes to any external backend by implementing `AuditLogStorage`:
+
+```ts
+import { auditLog, type AuditLogStorage } from "better-auth-audit-logs";
+
+const clickhouse: AuditLogStorage = {
+  async write(entry) {
+    await fetch("https://ch.example.com/insert", {
+      method: "POST",
+      body: JSON.stringify(entry),
+    });
+  },
+
+  // Optional — enables the built-in query endpoints to work
+  async read(options) {
+    const rows = await ch.query({ ...options });
+    return { entries: rows, total: rows.length };
+  },
+  async readById(id) {
+    return await ch.queryOne({ id });
+  },
+};
+
+auditLog({ storage: clickhouse })
+```
+
+When `storage` is set, the plugin does **not** write to the Better Auth database. The built-in query endpoints (`/audit-log/list`, `/audit-log/:id`) will only work if you implement the optional `read` and `readById` methods.
+
+### MemoryStorage (testing)
+
+An in-memory adapter included for unit tests:
+
+```ts
+import { betterAuth } from "better-auth";
+import { auditLog, MemoryStorage } from "better-auth-audit-logs";
+
+const storage = new MemoryStorage();
+
+const auth = betterAuth({
+  plugins: [auditLog({ storage })],
+});
+
+// Assert captured entries in tests
+expect(storage.entries).toHaveLength(1);
+expect(storage.entries[0].action).toBe("sign-in:email");
+```
+
+## API reference
+
+Three endpoints are registered under `/audit-log/`. All require an active session.
+
+| Endpoint | Method | Description |
+|---|---|---|
+| `/audit-log/list` | `GET` | Paginated entries for the authenticated user |
+| `/audit-log/:id` | `GET` | Single entry by ID |
+| `/audit-log/insert` | `POST` | Manually insert a custom event |
+
+Rate limit: 60 requests / 60 seconds per user.
+
+### Query parameters — `GET /audit-log/list`
+
+| Parameter | Type | Default | Description |
+|---|---|---|---|
+| `userId` | `string` | session user | Filter by user ID |
+| `action` | `string` | — | Exact match, e.g. `sign-in:email` |
+| `status` | `"success" \| "failed"` | — | Filter by outcome |
+| `from` | ISO date string | — | Entries on or after this date |
+| `to` | ISO date string | — | Entries on or before this date |
+| `limit` | `number` | `50` | Max results (1–500) |
+| `offset` | `number` | `0` | Pagination offset |
+
+### Manual insert — `POST /audit-log/insert`
+
+Log events that originate outside the auth flow (e.g. admin actions, sensitive data exports):
+
+```ts
+await authClient.auditLog.insertAuditLog({
+  action: "admin:user-export",
+  status: "success",
+  severity: "high",
+  metadata: { exportedCount: 500, requestedBy: "admin@example.com" },
+});
+```
+
+### Querying via client
+
+```ts
+// List recent failed sign-ins
+const { data } = await authClient.auditLog.listAuditLogs({
+  query: { status: "failed", limit: 20 },
+});
+
+// Single entry
+const { data: entry } = await authClient.auditLog.getAuditLog({
+  params: { id: "log-entry-id" },
+});
+```
+
+## TypeScript types
+
+```ts
+import type {
+  AuditLogEntry,
+  AuditLogStorage,
+  AuditLogOptions,
+  StorageReadOptions,
+  StorageReadResult,
+} from "better-auth-audit-logs";
+
+interface AuditLogEntry {
+  id: string;
+  userId: string | null;       // null for failed pre-auth attempts
+  action: string;              // e.g. "sign-in:email", "sign-out"
+  status: "success" | "failed";
+  severity: "low" | "medium" | "high" | "critical";
+  ipAddress: string | null;
+  userAgent: string | null;    // excluded from API responses by default
+  metadata: Record<string, unknown>;
+  createdAt: Date;
+}
+```
+
+## Database schema
+
+| Column | Type | Notes |
+|---|---|---|
+| `id` | string | Primary key |
+| `userId` | string \| null | FK → `user(id)`, `ON DELETE SET NULL` |
+| `action` | string | Indexed |
+| `status` | string | |
+| `severity` | string | |
+| `ipAddress` | string \| null | |
+| `userAgent` | string \| null | Not returned in API responses |
+| `metadata` | string | Stored as JSON |
+| `createdAt` | date | Indexed |
+
+Audit log entries survive user deletion (`ON DELETE SET NULL` on `userId`). This is intentional — deleting a user should not erase the audit trail.
+
+## Production
+
+Recommended config for production deployments:
+
+```ts
+auditLog({
+  nonBlocking: true,        // never add latency to auth responses
+  piiRedaction: {
+    enabled: true,
+    strategy: "hash",       // pseudonymise rather than mask
+  },
+  capture: {
+    requestBody: false,     // only enable if you need body snapshots
+  },
+  retention: {
+    enabled: true,
+    days: 90,               // comply with your data retention policy
+  },
+  afterLog: async (entry) => {
+    // Forward high-severity events to your alerting system
+    if (entry.severity === "critical" || entry.severity === "high") {
+      await alerting.emit(entry);
+    }
+  },
+})
+```

package/dist/adapters/index.d.ts

@@ -0,0 +1,2 @@
+export { MemoryStorage } from "./memory";
+//# sourceMappingURL=index.d.ts.map

package/dist/adapters/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/adapters/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC"}

package/dist/adapters/memory.d.ts

@@ -0,0 +1,9 @@
+import type { AuditLogEntry, AuditLogStorage, StorageReadOptions, StorageReadResult } from "../types";
+export declare class MemoryStorage implements AuditLogStorage {
+    readonly entries: AuditLogEntry[];
+    write(entry: AuditLogEntry): Promise<void>;
+    read(opts: StorageReadOptions): Promise<StorageReadResult>;
+    readById(id: string): Promise<AuditLogEntry | null>;
+    deleteOlderThan(date: Date): Promise<number>;
+}
+//# sourceMappingURL=memory.d.ts.map

package/dist/adapters/memory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory.d.ts","sourceRoot":"","sources":["../../src/adapters/memory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,iBAAiB,EAClB,MAAM,UAAU,CAAC;AAElB,qBAAa,aAAc,YAAW,eAAe;IACnD,QAAQ,CAAC,OAAO,EAAE,aAAa,EAAE,CAAM;IAEjC,KAAK,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAI1C,IAAI,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAmB1D,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAInD,eAAe,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;CAOnD"}

package/dist/client.cjs

@@ -0,0 +1,53 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+function __accessProp(key) {
+  return this[key];
+}
+var __toCommonJS = (from) => {
+  var entry = (__moduleCache ??= new WeakMap).get(from), desc;
+  if (entry)
+    return entry;
+  entry = __defProp({}, "__esModule", { value: true });
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (var key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(entry, key))
+        __defProp(entry, key, {
+          get: __accessProp.bind(from, key),
+          enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+        });
+  }
+  __moduleCache.set(from, entry);
+  return entry;
+};
+var __moduleCache;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+
+// src/client.ts
+var exports_client = {};
+__export(exports_client, {
+  auditLogClient: () => auditLogClient
+});
+module.exports = __toCommonJS(exports_client);
+var auditLogClient = () => ({
+  id: "audit-log",
+  $InferServerPlugin: {},
+  pathMethods: {
+    "/audit-log/list": "GET",
+    "/audit-log/:id": "GET",
+    "/audit-log/insert": "POST"
+  }
+});

package/dist/client.d.ts

@@ -0,0 +1,11 @@
+import type { auditLog } from "./plugin";
+export declare const auditLogClient: () => {
+    id: "audit-log";
+    $InferServerPlugin: ReturnType<typeof auditLog>;
+    pathMethods: {
+        "/audit-log/list": "GET";
+        "/audit-log/:id": "GET";
+        "/audit-log/insert": "POST";
+    };
+};
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAEzC,eAAO,MAAM,cAAc;;wBAGG,UAAU,CAAC,OAAO,QAAQ,CAAC;;;;;;CAMpB,CAAC"}

package/dist/client.js

@@ -0,0 +1,13 @@
+// src/client.ts
+var auditLogClient = () => ({
+  id: "audit-log",
+  $InferServerPlugin: {},
+  pathMethods: {
+    "/audit-log/list": "GET",
+    "/audit-log/:id": "GET",
+    "/audit-log/insert": "POST"
+  }
+});
+export {
+  auditLogClient
+};

package/dist/endpoints/get-log.d.ts

@@ -0,0 +1,28 @@
+import type { AuditLogEntry, ResolvedOptions } from "../types";
+export declare function createGetLogEndpoint(opts: ResolvedOptions, modelName: string): import("better-call").StrictEndpoint<"/audit-log/:id", {
+    method: "GET";
+    use: ((inputContext: import("better-call").MiddlewareInputContext<import("better-call").MiddlewareOptions>) => Promise<{
+        session: {
+            session: Record<string, any> & {
+                id: string;
+                createdAt: Date;
+                updatedAt: Date;
+                userId: string;
+                expiresAt: Date;
+                token: string;
+                ipAddress?: string | null | undefined;
+                userAgent?: string | null | undefined;
+            };
+            user: Record<string, any> & {
+                id: string;
+                createdAt: Date;
+                updatedAt: Date;
+                email: string;
+                emailVerified: boolean;
+                name: string;
+                image?: string | null | undefined;
+            };
+        };
+    }>)[];
+}, AuditLogEntry>;
+//# sourceMappingURL=get-log.d.ts.map

package/dist/endpoints/get-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-log.d.ts","sourceRoot":"","sources":["../../src/endpoints/get-log.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE/D,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM;;;;;;;;;;;yBA4C0lB,CAAC;yBAA4C,CAAC;;;;;;;;;qBAAwN,CAAC;;;;kBAD76B"}

package/dist/endpoints/index.d.ts

@@ -0,0 +1,4 @@
+export { createListLogsEndpoint } from "./list-logs";
+export { createGetLogEndpoint } from "./get-log";
+export { createInsertLogEndpoint } from "./insert-log";
+//# sourceMappingURL=index.d.ts.map

package/dist/endpoints/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/endpoints/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC"}

package/dist/endpoints/insert-log.d.ts

@@ -0,0 +1,45 @@
+import { z } from "zod";
+import type { ResolvedOptions } from "../types";
+export declare function createInsertLogEndpoint(opts: ResolvedOptions, modelName: string): import("better-call").StrictEndpoint<"/audit-log/insert", {
+    method: "POST";
+    use: ((inputContext: import("better-call").MiddlewareInputContext<import("better-call").MiddlewareOptions>) => Promise<{
+        session: {
+            session: Record<string, any> & {
+                id: string;
+                createdAt: Date;
+                updatedAt: Date;
+                userId: string;
+                expiresAt: Date;
+                token: string;
+                ipAddress?: string | null | undefined;
+                userAgent?: string | null | undefined;
+            };
+            user: Record<string, any> & {
+                id: string;
+                createdAt: Date;
+                updatedAt: Date;
+                email: string;
+                emailVerified: boolean;
+                name: string;
+                image?: string | null | undefined;
+            };
+        };
+    }>)[];
+    body: z.ZodObject<{
+        action: z.ZodString;
+        status: z.ZodDefault<z.ZodOptional<z.ZodEnum<{
+            success: "success";
+            failed: "failed";
+        }>>>;
+        severity: z.ZodOptional<z.ZodEnum<{
+            low: "low";
+            medium: "medium";
+            high: "high";
+            critical: "critical";
+        }>>;
+        metadata: z.ZodDefault<z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
+    }, z.core.$strip>;
+}, {
+    success: boolean;
+}>;
+//# sourceMappingURL=insert-log.d.ts.map

package/dist/endpoints/insert-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"insert-log.d.ts","sourceRoot":"","sources":["../../src/endpoints/insert-log.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAoC,eAAe,EAAE,MAAM,UAAU,CAAC;AAGlF,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM;;;;;;;;;;;yBAwC2oB,CAAC;yBAA4C,CAAC;;;;;;;;;qBAAwN,CAAC;;;;;;;;;;;;;;;;;;;;GADj+B"}

package/dist/endpoints/list-logs.d.ts

@@ -0,0 +1,41 @@
+import { z } from "zod";
+import type { ResolvedOptions } from "../types";
+export declare function createListLogsEndpoint(opts: ResolvedOptions, modelName: string): import("better-call").StrictEndpoint<"/audit-log/list", {
+    method: "GET";
+    use: ((inputContext: import("better-call").MiddlewareInputContext<import("better-call").MiddlewareOptions>) => Promise<{
+        session: {
+            session: Record<string, any> & {
+                id: string;
+                createdAt: Date;
+                updatedAt: Date;
+                userId: string;
+                expiresAt: Date;
+                token: string;
+                ipAddress?: string | null | undefined;
+                userAgent?: string | null | undefined;
+            };
+            user: Record<string, any> & {
+                id: string;
+                createdAt: Date;
+                updatedAt: Date;
+                email: string;
+                emailVerified: boolean;
+                name: string;
+                image?: string | null | undefined;
+            };
+        };
+    }>)[];
+    query: z.ZodObject<{
+        userId: z.ZodOptional<z.ZodString>;
+        action: z.ZodOptional<z.ZodString>;
+        status: z.ZodOptional<z.ZodEnum<{
+            success: "success";
+            failed: "failed";
+        }>>;
+        from: z.ZodOptional<z.ZodString>;
+        to: z.ZodOptional<z.ZodString>;
+        limit: z.ZodDefault<z.ZodOptional<z.ZodCoercedNumber<unknown>>>;
+        offset: z.ZodDefault<z.ZodOptional<z.ZodCoercedNumber<unknown>>>;
+    }, z.core.$strip>;
+}, import("..").StorageReadResult>;
+//# sourceMappingURL=list-logs.d.ts.map

package/dist/endpoints/list-logs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-logs.d.ts","sourceRoot":"","sources":["../../src/endpoints/list-logs.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAiB,eAAe,EAAsB,MAAM,UAAU,CAAC;AAEnF,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM;;;;;;;;;;;yBAwDzE,CAAH;yBAEmC,CAAC;;;;;;;;;qBAM7B,CAAT;;;;;;;;;;;;;;;;mCAgBA"}

package/dist/hooks/after.d.ts

@@ -0,0 +1,7 @@
+import type { HookEndpointContext } from "@better-auth/core";
+import type { ResolvedOptions } from "../types";
+export declare function createAfterHooks(opts: ResolvedOptions, modelName: string): {
+    matcher: (context: HookEndpointContext) => boolean;
+    handler: (inputContext: import("better-call").MiddlewareInputContext<import("better-call").MiddlewareOptions>) => Promise<void>;
+}[];
+//# sourceMappingURL=after.d.ts.map

package/dist/hooks/after.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"after.d.ts","sourceRoot":"","sources":["../../src/hooks/after.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,KAAK,EAAkB,eAAe,EAAE,MAAM,UAAU,CAAC;AAIhE,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM;uBAGhD,mBAAmB;;IAmD3C"}

package/dist/hooks/before.d.ts

@@ -0,0 +1,8 @@
+import type { HookEndpointContext } from "@better-auth/core";
+import type { ResolvedOptions } from "../types";
+export declare const BEFORE_PATHS: readonly ["/sign-out", "/delete-user", "/revoke-session", "/revoke-sessions", "/revoke-other-sessions"];
+export declare function createBeforeHooks(opts: ResolvedOptions, modelName: string): {
+    matcher: (context: HookEndpointContext) => boolean;
+    handler: (inputContext: import("better-call").MiddlewareInputContext<import("better-call").MiddlewareOptions>) => Promise<void>;
+}[];
+//# sourceMappingURL=before.d.ts.map

package/dist/hooks/before.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"before.d.ts","sourceRoot":"","sources":["../../src/hooks/before.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAGhD,eAAO,MAAM,YAAY,yGAMf,CAAC;AAEX,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM;uBAGjD,mBAAmB;;IA2B3C"}

package/dist/hooks/index.d.ts

@@ -0,0 +1,3 @@
+export { createBeforeHooks, BEFORE_PATHS } from "./before";
+export { createAfterHooks } from "./after";
+//# sourceMappingURL=index.d.ts.map

package/dist/hooks/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC"}