better-auth-nuxt 0.0.9 → 0.0.10-beta.20

package/dist/module.mjs

@@ -1,388 +1,655 @@
-import fs from 'node:fs';
-import { defineNuxtModule, createResolver, logger, addServerHandler, addTypeTemplate, addServerImports, addImports, addRouteMiddleware, addPlugin, addTemplate } from '@nuxt/kit';
+import { randomBytes } from 'node:crypto';
+import { existsSync, writeFileSync, readFileSync } from 'node:fs';
+import { mkdir, writeFile } from 'node:fs/promises';
+import { defineNuxtModule, createResolver, hasNuxtModule, addTemplate, addTypeTemplate, updateTemplates, addServerImportsDir, addServerImports, addServerScanDir, addServerHandler, addImportsDir, addPlugin, addComponentsDir, installModule, extendPages } from '@nuxt/kit';
+import { consola as consola$1 } from 'consola';
 import { defu } from 'defu';
-import { resolve } from 'pathe';
-import { hash } from 'ohash';
-import { glob } from 'tinyglobby';
-import { pascalCase } from 'scule';
+import { join, dirname } from 'pathe';
+import { toRouteMatcher, createRouter } from 'radix3';
+import { isCI, isTest } from 'std-env';
+import { generateDrizzleSchema as generateDrizzleSchema$1 } from '@better-auth/cli/api';
+import { getAuthTables } from 'better-auth/db';
+export { defineClientAuth, defineServerAuth } from '../dist/runtime/config.js';
 
-async function serverAuth({ options }) {
-  return [
-    'import mergeDeep from "@fastify/deepmerge"',
-    'import { betterAuth } from "better-auth"',
-    ...options.configs.map((config) => {
-      return `import ${config.key} from "${config.path}"`;
-    }),
-    "",
-    "let _auth",
-    "",
-    "export function useAuth() {",
-    "  if (!_auth) {",
-    "const betterAuthConfigs = mergeDeep({all: true})({},",
-    "{",
-    ...options.moduleOptions?.options?.server ? Object.entries(options.moduleOptions.options.server).map(([key, value]) => {
-      return `    ${key}: ${JSON.stringify(value)},`;
-    }) : [],
-    "},",
-    ...options.configs.map((config) => {
-      return `${config.key}(),`;
-    }),
-    ")",
-    "",
-    "    _auth = betterAuth(betterAuthConfigs)",
-    "  }",
-    "  return _auth",
-    "}",
-    "",
-    "export const auth = useAuth()",
-    ""
-  ].join("\n");
+const version = "0.0.10-beta.20";
+
+function setupDevTools(nuxt) {
+  nuxt.hook("devtools:customTabs", (tabs) => {
+    tabs.push({
+      category: "server",
+      name: "better-auth",
+      title: "Auth",
+      icon: "simple-icons:betterauth",
+      view: {
+        type: "iframe",
+        src: "/__better-auth-devtools"
+      }
+    });
+  });
 }
 
-async function useUserSession({ options }) {
-  return [
-    "import { createAuthClient } from 'better-auth/vue'",
-    ...options.configs.map((config) => {
-      return `import ${config.key} from "${config.path}"`;
-    }),
-    "import { defu } from 'defu'",
-    "import { computed, ref } from 'vue'",
-    "import { navigateTo, useRequestHeaders, useRequestURL, useRuntimeConfig, useState } from '#app'",
-    "",
-    "let _authInstance",
-    "",
-    "export function createAuthInstance() {",
-    "  const url = useRequestURL()",
-    "  const headers = import.meta.server ? useRequestHeaders() : undefined",
-    "  const config = useRuntimeConfig()",
-    "",
-    "  const authClient = createAuthClient({",
-    "    baseURL: url.origin,",
-    ...options.moduleOptions?.options?.client ? Object.entries(options.moduleOptions.options.client).map(([key, value]) => {
-      return `    ${key}: ${JSON.stringify(value)},`;
-    }) : [],
-    "    fetchOptions: {",
-    ...options.configs.map((config) => {
-      return `    ...${config.key}?.fetchOptions || {},`;
-    }),
-    "      headers,",
-    "    },",
-    ...options.configs.map((config) => {
-      return `    ${config.key},`;
-    }),
-    "   plugins: [",
-    ...options.configs.map((config) => {
-      return `    ...${config.key}?.plugins || [],`;
-    }),
-    " ],",
-    "  })",
-    "",
-    "  const options = defu(config.public.betterAuth.redirectOptions || {}, {",
-    "    redirectUserTo: '/profile',",
-    "    redirectGuestTo: '/signin',",
-    "    redirectUnauthorizedTo: '/401',",
-    "  })",
-    "",
-    "  const session = useState('auth:session', () => null)",
-    "  const user = useState('auth:user', () => null)",
-    "  const sessionFetching = import.meta.server ? ref(false) : useState('auth:sessionFetching', () => false)",
-    "",
-    "  const fetchSession = async () => {",
-    "    if (sessionFetching.value) {",
-    "      return",
-    "    }",
-    "    sessionFetching.value = true",
-    "    const { data } = await authClient.getSession({",
-    "      fetchOptions: {",
-    "        headers,",
-    "      },",
-    "    })",
-    "    session.value = data?.session || null",
-    "    user.value = data?.user || null",
-    "    sessionFetching.value = false",
-    "    return data",
-    "  }",
-    "",
-    "  return {",
-    "    session,",
-    "    user,",
-    "    loggedIn: computed(() => !!session.value),",
-    "    signIn: authClient.signIn,",
-    "    signUp: authClient.signUp,",
-    "    options,",
-    "    fetchSession,",
-    "    client: authClient,",
-    "    signOut: async (options = {}) => {",
-    "      try {",
-    "        await authClient.signOut()",
-    "        if (options.redirectTo)",
-    "          await navigateTo(options.redirectTo)",
-    "      }",
-    "      catch (error) {",
-    "        console.error('Sign out failed:', error)",
-    "        throw error",
-    "      }",
-    "    },",
-    "  }",
-    "}",
-    "",
-    "// Setup session listener for client-side updates",
-    "function setupSessionListener(client) {",
-    "  if (!import.meta.client)",
-    "    return",
-    "",
-    "  client.$store.listen('$sessionSignal', async (signal) => {",
-    "    if (!signal)",
-    "      return",
-    "    await client.useSession($fetch)",
-    "  })",
-    "}",
-    "",
-    "export function useUserSession() {",
-    "  if (_authInstance && import.meta.client)",
-    "    return _authInstance",
-    "",
-    "  const auth = createAuthInstance()",
-    "",
-    "  if (import.meta.client) {",
-    "    setupSessionListener(auth.client)",
-    "    _authInstance = auth",
-    "  }",
-    "",
-    "  return auth",
-    "}",
-    ""
-  ].join("\n");
+function dialectToProvider(dialect) {
+  return dialect === "postgresql" ? "pg" : dialect;
+}
+async function generateDrizzleSchema(authOptions, dialect, schemaOptions) {
+  const provider = dialectToProvider(dialect);
+  const options = {
+    ...authOptions,
+    advanced: {
+      ...authOptions.advanced,
+      database: {
+        ...authOptions.advanced?.database,
+        ...schemaOptions?.useUuid && { generateId: "uuid" }
+      }
+    }
+  };
+  const adapter = {
+    id: "drizzle",
+    options: {
+      provider,
+      camelCase: schemaOptions?.casing !== "snake_case",
+      adapterConfig: { usePlural: schemaOptions?.usePlural ?? false }
+    }
+  };
+  const result = await generateDrizzleSchema$1({ adapter, options });
+  if (!result.code) {
+    throw new Error(`Schema generation returned empty result for ${dialect}`);
+  }
+  return result.code;
+}
+const convexIndexFields = {
+  account: ["accountId", ["accountId", "providerId"], ["providerId", "userId"]],
+  rateLimit: ["key"],
+  session: ["expiresAt", ["expiresAt", "userId"]],
+  verification: ["expiresAt", "identifier"],
+  user: [["email", "name"], "name", "userId"],
+  passkey: ["credentialID"],
+  oauthConsent: [["clientId", "userId"]]
+};
+function getConvexSpecialFields(tables) {
+  return Object.fromEntries(
+    Object.entries(tables).map(([key, table]) => {
+      const fields = Object.fromEntries(
+        Object.entries(table.fields).map(([fieldKey, field]) => [
+          field.fieldName ?? fieldKey,
+          {
+            ...field.sortable ? { sortable: true } : {},
+            ...field.unique ? { unique: true } : {},
+            ...field.references ? { references: field.references } : {}
+          }
+        ]).filter(([_key, value]) => typeof value === "object" ? Object.keys(value).length > 0 : true)
+      );
+      return [key, fields];
+    }).filter(([_key, value]) => typeof value === "object" ? Object.keys(value).length > 0 : true)
+  );
 }
+function getMergedConvexIndexFields(tables) {
+  return Object.fromEntries(
+    Object.entries(tables).map(([key, table]) => {
+      const manualIndexes = convexIndexFields[key]?.map((index) => {
+        return typeof index === "string" ? table.fields[index]?.fieldName ?? index : index.map((i) => table.fields[i]?.fieldName ?? i);
+      }) || [];
+      const specialFieldsObj = getConvexSpecialFields(tables);
+      const specialFieldIndexes = Object.keys(specialFieldsObj[key] || {}).filter(
+        (index) => !manualIndexes.some((m) => Array.isArray(m) ? m[0] === index : m === index)
+      );
+      return [key, manualIndexes.concat(specialFieldIndexes)];
+    })
+  );
+}
+async function generateConvexSchema(authOptions) {
+  const tables = getAuthTables(authOptions);
+  let code = `/**
+ * Auto-generated Better Auth tables for Convex.
+ * Import these tables in your convex/schema.ts:
+ *
+ * import { defineSchema } from 'convex/server'
+ * import { authTables } from './_generated/auth-tables'
+ *
+ * export default defineSchema({ ...authTables, ...yourTables })
+ */
 
-const module = defineNuxtModule({
-  meta: {
-    name: "better-auth",
-    configKey: "betterAuth"
-  },
-  // Default configuration options of the Nuxt module
+import { defineTable } from 'convex/server'
+import { v } from 'convex/values'
+
+export const authTables = {
+`;
+  const getType = (_name, field) => {
+    const type = field.type;
+    const typeMap = {
+      "string": "v.string()",
+      "boolean": "v.boolean()",
+      "number": "v.number()",
+      "date": "v.number()",
+      "json": "v.string()",
+      "number[]": "v.array(v.number())",
+      "string[]": "v.array(v.string())"
+    };
+    return typeMap[type];
+  };
+  for (const tableKey in tables) {
+    const table = tables[tableKey];
+    const modelName = table.modelName;
+    const fields = Object.fromEntries(Object.entries(table.fields).filter(([key]) => key !== "id"));
+    const indexes = getMergedConvexIndexFields(tables)[tableKey]?.map((index) => {
+      const indexArray = Array.isArray(index) ? index.sort() : [index];
+      const indexName = indexArray.join("_");
+      return `.index('${indexName}', ${JSON.stringify(indexArray)})`;
+    }) || [];
+    const schema = `${modelName}: defineTable({
+${Object.keys(fields).map((field) => {
+      const attr = fields[field];
+      const type = getType(field, attr);
+      const optional = (fieldSchema) => attr.required ? fieldSchema : `v.optional(v.union(v.null(), ${fieldSchema}))`;
+      return `    ${attr.fieldName ?? field}: ${optional(type)},`;
+    }).join("\n")}
+  })${indexes.length > 0 ? `
+    ${indexes.join("\n    ")}` : ""},
+`;
+    code += `  ${schema}`;
+  }
+  code += `}
+`;
+  return code;
+}
+async function loadUserAuthConfig(configPath, throwOnError = false) {
+  const { createJiti } = await import('jiti');
+  const { defineServerAuth } = await import('../dist/runtime/config.js');
+  const jiti = createJiti(import.meta.url, { interopDefault: true, moduleCache: false });
+  if (!globalThis.defineServerAuth) {
+    defineServerAuth._count = 0;
+    globalThis.defineServerAuth = defineServerAuth;
+  }
+  globalThis.defineServerAuth._count++;
+  try {
+    const mod = await jiti.import(configPath);
+    const configFn = mod.default;
+    if (typeof configFn === "function") {
+      return configFn({ runtimeConfig: {}, db: null });
+    }
+    consola$1.warn("[@onmax/nuxt-better-auth] auth.config.ts does not export default. Expected: export default defineServerAuth(...)");
+    if (throwOnError) {
+      throw new Error("auth.config.ts must export default defineServerAuth(...)");
+    }
+    return {};
+  } catch (error) {
+    if (throwOnError) {
+      throw new Error(`Failed to load auth config: ${error instanceof Error ? error.message : error}`);
+    }
+    consola$1.error("[@onmax/nuxt-better-auth] Failed to load auth config for schema generation. Schema may be incomplete:", error);
+    return {};
+  } finally {
+    globalThis.defineServerAuth._count--;
+    if (!globalThis.defineServerAuth._count) {
+      globalThis.defineServerAuth = void 0;
+    }
+  }
+}
+
+function getHubDialect(hub) {
+  if (!hub?.db)
+    return void 0;
+  if (typeof hub.db === "string")
+    return hub.db;
+  if (typeof hub.db === "object" && hub.db !== null)
+    return hub.db.dialect;
+  return void 0;
+}
+function getHubCasing(hub) {
+  if (!hub?.db || typeof hub.db !== "object" || hub.db === null)
+    return void 0;
+  return hub.db.casing;
+}
+const consola = consola$1.withTag("nuxt-better-auth");
+function resolveConvexUrl(nuxt) {
+  const convexConfig = nuxt.options.convex;
+  if (convexConfig?.url)
+    return convexConfig.url;
+  const runtimeUrl = nuxt.options.runtimeConfig.public?.convex?.url;
+  if (runtimeUrl)
+    return runtimeUrl;
+  if (process.env.CONVEX_URL)
+    return process.env.CONVEX_URL;
+  if (process.env.NUXT_PUBLIC_CONVEX_URL)
+    return process.env.NUXT_PUBLIC_CONVEX_URL;
+  return "";
+}
+const generateSecret = () => randomBytes(32).toString("hex");
+function readEnvFile(rootDir) {
+  const envPath = join(rootDir, ".env");
+  return existsSync(envPath) ? readFileSync(envPath, "utf-8") : "";
+}
+function hasEnvSecret(rootDir) {
+  const match = readEnvFile(rootDir).match(/^BETTER_AUTH_SECRET=(.+)$/m);
+  return !!match && !!match[1] && match[1].trim().length > 0;
+}
+function appendSecretToEnv(rootDir, secret) {
+  const envPath = join(rootDir, ".env");
+  let content = readEnvFile(rootDir);
+  if (content.length > 0 && !content.endsWith("\n"))
+    content += "\n";
+  content += `BETTER_AUTH_SECRET=${secret}
+`;
+  writeFileSync(envPath, content, "utf-8");
+}
+async function promptForSecret(rootDir) {
+  if (process.env.BETTER_AUTH_SECRET || hasEnvSecret(rootDir))
+    return void 0;
+  if (isCI || isTest) {
+    const secret2 = generateSecret();
+    appendSecretToEnv(rootDir, secret2);
+    consola.info("Generated BETTER_AUTH_SECRET and added to .env (CI mode)");
+    return secret2;
+  }
+  consola.box("BETTER_AUTH_SECRET is required for authentication.\nThis will be appended to your .env file.");
+  const choice = await consola.prompt("How do you want to set it?", {
+    type: "select",
+    options: [
+      { label: "Generate for me", value: "generate", hint: "uses crypto.randomBytes(32)" },
+      { label: "Enter manually", value: "paste" },
+      { label: "Skip", value: "skip", hint: "will fail in production" }
+    ],
+    cancel: "null"
+  });
+  if (typeof choice === "symbol" || choice === "skip") {
+    consola.warn("Skipping BETTER_AUTH_SECRET. Auth will fail without it in production.");
+    return void 0;
+  }
+  let secret;
+  if (choice === "generate") {
+    secret = generateSecret();
+  } else {
+    const input = await consola.prompt("Paste your secret (min 32 chars):", { type: "text", cancel: "null" });
+    if (typeof input === "symbol" || !input || input.length < 32) {
+      consola.warn("Invalid secret. Skipping.");
+      return void 0;
+    }
+    secret = input;
+  }
+  const preview = `${secret.slice(0, 8)}...${secret.slice(-4)}`;
+  const confirm = await consola.prompt(`Add to .env:
+BETTER_AUTH_SECRET=${preview}
+Proceed?`, { type: "confirm", initial: true, cancel: "null" });
+  if (typeof confirm === "symbol" || !confirm) {
+    consola.info("Cancelled. Secret not written.");
+    return void 0;
+  }
+  appendSecretToEnv(rootDir, secret);
+  consola.success("Added BETTER_AUTH_SECRET to .env");
+  return secret;
+}
+const module$1 = defineNuxtModule({
+  meta: { name: "better-auth-nuxt", version, configKey: "auth", compatibility: { nuxt: ">=3.0.0" } },
   defaults: {
-    endpoint: "/api/auth/**",
-    serverConfigs: [],
-    redirectOptions: {
-      redirectUserTo: "/auth/login",
-      redirectGuestTo: "/",
-      redirectUnauthorizedTo: "/401"
+    clientOnly: false,
+    serverConfig: "server/auth.config",
+    clientConfig: "app/auth.config",
+    redirects: { login: "/login", guest: "/" },
+    secondaryStorage: false
+  },
+  async onInstall(nuxt) {
+    const generatedSecret = await promptForSecret(nuxt.options.rootDir);
+    if (generatedSecret)
+      process.env.BETTER_AUTH_SECRET = generatedSecret;
+    const serverPath = join(nuxt.options.rootDir, "server/auth.config.ts");
+    const clientPath = join(nuxt.options.srcDir, "auth.config.ts");
+    const serverTemplate = `import { defineServerAuth } from 'better-auth-nuxt/config'
+
+export default defineServerAuth({
+  emailAndPassword: { enabled: true },
+})
+`;
+    const clientTemplate = `import { defineClientAuth } from 'better-auth-nuxt/config'
+
+export default defineClientAuth({})
+`;
+    if (!existsSync(serverPath)) {
+      await mkdir(dirname(serverPath), { recursive: true });
+      await writeFile(serverPath, serverTemplate);
+      consola.success("Created server/auth.config.ts");
+    }
+    if (!existsSync(clientPath)) {
+      await mkdir(dirname(clientPath), { recursive: true });
+      await writeFile(clientPath, clientTemplate);
+      const relativePath = clientPath.replace(`${nuxt.options.rootDir}/`, "");
+      consola.success(`Created ${relativePath}`);
     }
   },
   async setup(options, nuxt) {
     const resolver = createResolver(import.meta.url);
-    nuxt.options.vite.optimizeDeps ??= {};
-    nuxt.options.vite.optimizeDeps.include ??= [];
-    nuxt.options.vite.optimizeDeps.include.push(...[
-      "better-auth/client",
-      "better-auth/vue"
-    ]);
-    if (!options.endpoint) {
-      logger.withTag("better-auth").error("Missing endpoint option");
+    if (options.clientConfig === "app/auth.config") {
+      const srcDirRelative = nuxt.options.srcDir.replace(`${nuxt.options.rootDir}/`, "");
+      options.clientConfig = srcDirRelative === nuxt.options.srcDir ? "auth.config" : `${srcDirRelative}/auth.config`;
     }
-    nuxt.options.runtimeConfig.public.betterAuth = defu(nuxt.options.runtimeConfig.public.betterAuth, {
-      endpoint: options.endpoint,
-      redirectOptions: options.redirectOptions
-    });
-    nuxt.options.alias["#better-auth"] = resolve("./runtime");
-    addServerHandler({
-      route: options.endpoint,
-      handler: resolver.resolve("./runtime/server/handler")
+    const clientOnly = options.clientOnly;
+    const serverConfigFile = options.serverConfig;
+    const clientConfigFile = options.clientConfig;
+    const serverConfigPath = resolver.resolve(nuxt.options.rootDir, serverConfigFile);
+    const clientConfigPath = resolver.resolve(nuxt.options.rootDir, clientConfigFile);
+    const serverConfigExists = existsSync(`${serverConfigPath}.ts`) || existsSync(`${serverConfigPath}.js`);
+    const clientConfigExists = existsSync(`${clientConfigPath}.ts`) || existsSync(`${clientConfigPath}.js`);
+    if (!clientOnly && !serverConfigExists)
+      throw new Error(`[nuxt-better-auth] Missing ${serverConfigFile}.ts - export default defineServerAuth(...)`);
+    if (!clientConfigExists)
+      throw new Error(`[nuxt-better-auth] Missing ${clientConfigFile}.ts - export default defineClientAuth(...)`);
+    const hasNuxtHub = hasNuxtModule("@nuxthub/core", nuxt);
+    const hub = hasNuxtHub ? nuxt.options.hub : void 0;
+    const hasHubDb = !clientOnly && hasNuxtHub && !!hub?.db;
+    const hasConvex = hasNuxtModule("nuxt-convex", nuxt);
+    const convexUrl = resolveConvexUrl(nuxt);
+    const hasConvexDb = !clientOnly && hasConvex && !!convexUrl && !hasHubDb;
+    if (hasConvexDb) {
+      consola.info("Detected Convex - using Convex HTTP adapter for Better Auth database");
+    }
+    let secondaryStorageEnabled = options.secondaryStorage ?? false;
+    if (secondaryStorageEnabled && clientOnly) {
+      consola.warn("secondaryStorage is not available in clientOnly mode. Disabling.");
+      secondaryStorageEnabled = false;
+    } else if (secondaryStorageEnabled && (!hasNuxtHub || !hub?.kv)) {
+      consola.warn("secondaryStorage requires @nuxthub/core with hub.kv: true. Disabling.");
+      secondaryStorageEnabled = false;
+    }
+    nuxt.options.runtimeConfig.public = nuxt.options.runtimeConfig.public || {};
+    nuxt.options.runtimeConfig.public.auth = defu(nuxt.options.runtimeConfig.public.auth, {
+      redirects: { login: options.redirects?.login ?? "/login", guest: options.redirects?.guest ?? "/" },
+      useDatabase: hasHubDb || hasConvexDb,
+      clientOnly
     });
-    const registerTemplate = (options2) => {
-      const name = options2.filename.replace(/\.m?js$/, "");
-      const alias = "#" + name;
-      const results = addTemplate({
-        ...options2,
-        write: true
-        // Write to disk for Nitro to consume
-      });
-      nuxt.options.nitro.alias ||= {};
-      nuxt.options.nitro.externals ||= {};
-      nuxt.options.nitro.externals.inline ||= [];
-      nuxt.options.alias[alias] = results.dst;
-      nuxt.options.nitro.alias[alias] = nuxt.options.alias[alias];
-      nuxt.options.nitro.externals.inline.push(nuxt.options.alias[alias]);
-      nuxt.options.nitro.externals.inline.push(alias);
-      return results;
-    };
-    const serverConfigs = [
-      {
-        key: pascalCase(hash("better-auth-configs")),
-        path: resolver.resolve("./runtime/server")
+    if (clientOnly) {
+      const siteUrl = process.env.NUXT_PUBLIC_SITE_URL || nuxt.options.runtimeConfig.public.siteUrl;
+      if (!siteUrl) {
+        consola.warn("clientOnly mode: NUXT_PUBLIC_SITE_URL should be set to your frontend URL");
       }
-    ];
-    for (const layer of nuxt.options._layers) {
-      const paths = await glob([
-        "**/*.better-auth.ts",
-        ...options.serverConfigs?.map((pattern) => {
-          return `**/${pattern}.ts`;
-        }) || []
-      ], { onlyFiles: true, ignore: nuxt.options.ignore, dot: true, cwd: layer.config.rootDir, absolute: true });
-      const pathsJS = await glob([
-        "**/*.better-auth.js",
-        ...options.serverConfigs?.map((pattern) => {
-          return `**/${pattern}.js`;
-        }) || []
-      ], { cwd: layer.config.serverDir });
-      if (paths.length === 0 && pathsJS.length === 0) {
-        continue;
+      consola.info("clientOnly mode enabled - server utilities (serverAuth, getUserSession, requireUserSession) are not available");
+    }
+    if (!clientOnly) {
+      const currentSecret = nuxt.options.runtimeConfig.betterAuthSecret;
+      nuxt.options.runtimeConfig.betterAuthSecret = currentSecret || process.env.BETTER_AUTH_SECRET || "";
+      const betterAuthSecret = nuxt.options.runtimeConfig.betterAuthSecret;
+      if (!nuxt.options.dev && !nuxt.options._prepare && !betterAuthSecret) {
+        throw new Error("[nuxt-better-auth] BETTER_AUTH_SECRET is required in production. Set BETTER_AUTH_SECRET or NUXT_BETTER_AUTH_SECRET environment variable.");
       }
-      for (const path of [...paths, ...pathsJS]) {
-        if (fs.existsSync(path)) {
-          serverConfigs.push({
-            key: pascalCase(hash(path)),
-            path
-          });
-        }
+      if (betterAuthSecret && betterAuthSecret.length < 32) {
+        throw new Error("[nuxt-better-auth] BETTER_AUTH_SECRET must be at least 32 characters for security");
       }
+      nuxt.options.runtimeConfig.auth = defu(nuxt.options.runtimeConfig.auth, {
+        secondaryStorage: secondaryStorageEnabled
+      });
     }
-    const server = registerTemplate({
-      filename: "better-auth/server.mjs",
-      getContents: serverAuth,
-      options: { configs: serverConfigs, moduleOptions: options }
-    });
-    addTypeTemplate({
-      filename: "better-auth/server.d.ts",
-      getContents: () => {
-        return [
-          'import { betterAuth } from "better-auth"',
-          'import mergeDeep from "@fastify/deepmerge"',
-          ...serverConfigs.map((config) => {
-            return `import ${config.key} from "${config.path}"`;
-          }),
-          "const betterAuthConfigs = mergeDeep({all: true})({},",
-          ...serverConfigs.map((config) => {
-            return `${config.key}(),`;
-          }),
-          ")",
-          "export type BetterAuth = ReturnType<typeof betterAuth<typeof betterAuthConfigs>>",
-          "export declare const useAuth: () => BetterAuth",
-          "export declare const auth: BetterAuth"
-        ].join("\n");
+    nuxt.options.alias["#nuxt-better-auth"] = resolver.resolve("./runtime/types/augment");
+    if (!clientOnly)
+      nuxt.options.alias["#auth/server"] = serverConfigPath;
+    nuxt.options.alias["#auth/client"] = clientConfigPath;
+    if (!clientOnly) {
+      if (secondaryStorageEnabled && !nuxt.options.alias["hub:kv"]) {
+        throw new Error("[nuxt-better-auth] hub:kv not found. Ensure @nuxthub/core is loaded before this module and hub.kv is enabled.");
       }
-    });
-    const clientConfigs = [];
-    for (const layer of nuxt.options._layers) {
-      const paths = await glob([
-        "**/*.better-auth-client.ts",
-        ...options.clientConfigs?.map((pattern) => {
-          return `**/${pattern}.ts`;
-        }) || []
-      ], { onlyFiles: true, ignore: nuxt.options.ignore, dot: true, cwd: layer.config.rootDir, absolute: true });
-      const pathsJS = await glob([
-        "**/*.better-auth.js",
-        ...options.serverConfigs?.map((pattern) => {
-          return `**/${pattern}.js`;
-        }) || []
-      ], { cwd: layer.config.serverDir });
-      if (paths.length === 0 && pathsJS.length === 0) {
-        continue;
+      const secondaryStorageCode = secondaryStorageEnabled ? `import { kv } from '@nuxthub/kv'
+export function createSecondaryStorage() {
+  return {
+    get: async (key) => kv.get(\`_auth:\${key}\`),
+    set: async (key, value, ttl) => kv.set(\`_auth:\${key}\`, value, { ttl }),
+    delete: async (key) => kv.del(\`_auth:\${key}\`),
+  }
+}` : `export function createSecondaryStorage() { return undefined }`;
+      const secondaryStorageTemplate = addTemplate({ filename: "better-auth/secondary-storage.mjs", getContents: () => secondaryStorageCode, write: true });
+      nuxt.options.alias["#auth/secondary-storage"] = secondaryStorageTemplate.dst;
+      if (hasHubDb && !nuxt.options.alias["hub:db"]) {
+        throw new Error("[nuxt-better-auth] hub:db not found. Ensure @nuxthub/core is loaded before this module and hub.db is configured.");
       }
-      for (const path of [...paths, ...pathsJS]) {
-        if (fs.existsSync(path)) {
-          clientConfigs.push({
-            key: pascalCase(hash(path)),
-            path
-          });
-        }
+      const hubDialect = getHubDialect(hub) ?? "sqlite";
+      const usePlural = options.schema?.usePlural ?? false;
+      const camelCase = (options.schema?.casing ?? getHubCasing(hub)) !== "snake_case";
+      let databaseCode;
+      if (hasHubDb) {
+        databaseCode = `import { db, schema } from '@nuxthub/db'
+import { drizzleAdapter } from 'better-auth/adapters/drizzle'
+const rawDialect = '${hubDialect}'
+const dialect = rawDialect === 'postgresql' ? 'pg' : rawDialect
+export function createDatabase() { return drizzleAdapter(db, { provider: dialect, schema, usePlural: ${usePlural}, camelCase: ${camelCase} }) }
+export { db }`;
+      } else if (hasConvexDb) {
+        nuxt.options.runtimeConfig.betterAuth = defu(
+          nuxt.options.runtimeConfig.betterAuth || {},
+          { convexUrl }
+        );
+        databaseCode = `import { useRuntimeConfig } from '#imports'
+import { createConvexHttpAdapter } from 'better-auth-nuxt/adapters/convex'
+import { api } from '#convex/api'
+
+export function createDatabase() {
+  const config = useRuntimeConfig()
+  const convexUrl = config.betterAuth?.convexUrl || config.public?.convex?.url
+  if (!convexUrl) throw new Error('[nuxt-better-auth] CONVEX_URL not configured')
+  return createConvexHttpAdapter({ url: convexUrl, api: api.auth })
+}
+export const db = undefined`;
+      } else {
+        databaseCode = `export function createDatabase() { return undefined }
+export const db = undefined`;
       }
+      const databaseTemplate = addTemplate({ filename: "better-auth/database.mjs", getContents: () => databaseCode, write: true });
+      nuxt.options.alias["#auth/database"] = databaseTemplate.dst;
+      addTypeTemplate({
+        filename: "types/auth-secondary-storage.d.ts",
+        getContents: () => `
+declare module '#auth/secondary-storage' {
+  interface SecondaryStorage {
+    get: (key: string) => Promise<string | null>
+    set: (key: string, value: unknown, ttl?: number) => Promise<void>
+    delete: (key: string) => Promise<void>
+  }
+  export function createSecondaryStorage(): SecondaryStorage | undefined
+}
+`
+      }, { nitro: true, node: true });
+      addTypeTemplate({
+        filename: "types/auth-database.d.ts",
+        getContents: () => `
+declare module '#auth/database' {
+  import type { drizzleAdapter } from 'better-auth/adapters/drizzle'
+  export function createDatabase(): ReturnType<typeof drizzleAdapter> | undefined
+  export const db: unknown
+}
+`
+      }, { nitro: true, node: true });
+      addTypeTemplate({
+        filename: "types/nuxt-better-auth-infer.d.ts",
+        getContents: () => `
+import type { InferUser, InferSession, InferPluginTypes } from 'better-auth'
+import type { RuntimeConfig } from 'nuxt/schema'
+import type createServerAuth from '${serverConfigPath}'
+
+type _Config = ReturnType<typeof createServerAuth>
+
+declare module '#nuxt-better-auth' {
+  interface AuthUser extends InferUser<_Config> {}
+  interface AuthSession extends InferSession<_Config> {}
+  interface ServerAuthContext {
+    runtimeConfig: RuntimeConfig
+    ${hasHubDb ? `db: typeof import('@nuxthub/db')['db']` : ""}
+  }
+  type PluginTypes = InferPluginTypes<_Config>
+}
+
+// Augment the config module to use the extended ServerAuthContext
+interface _AugmentedServerAuthContext {
+  runtimeConfig: RuntimeConfig
+  ${hasHubDb ? `db: typeof import('@nuxthub/db')['db']` : "db: unknown"}
+}
+
+declare module 'better-auth-nuxt/config' {
+  import type { BetterAuthOptions } from 'better-auth'
+  type ServerAuthConfig = Omit<BetterAuthOptions, 'database' | 'secret' | 'baseURL'>
+  export function defineServerAuth<T extends ServerAuthConfig>(config: T | ((ctx: _AugmentedServerAuthContext) => T)): (ctx: _AugmentedServerAuthContext) => T
+}
+`
+      }, { nuxt: true, nitro: true, node: true });
+      addTypeTemplate({
+        filename: "types/nuxt-better-auth-nitro.d.ts",
+        getContents: () => `
+declare module 'nitro' {
+  interface NitroRouteRules {
+    auth?: import('${resolver.resolve("./runtime/types")}').AuthMeta
+  }
+  interface NitroRouteConfig {
+    auth?: import('${resolver.resolve("./runtime/types")}').AuthMeta
+  }
+}
+declare module 'nitro/types' {
+  interface NitroRouteRules {
+    auth?: import('${resolver.resolve("./runtime/types")}').AuthMeta
+  }
+  interface NitroRouteConfig {
+    auth?: import('${resolver.resolve("./runtime/types")}').AuthMeta
+  }
+}
+export {}
+`
+      }, { nuxt: true, nitro: true, node: true });
     }
-    const client = registerTemplate({
-      filename: "better-auth/client.mjs",
-      getContents: useUserSession,
-      options: { configs: clientConfigs, moduleOptions: options }
+    addTypeTemplate({
+      filename: "types/nuxt-better-auth.d.ts",
+      getContents: () => `
+export * from '${resolver.resolve("./runtime/types/augment")}'
+export type { AuthMeta, AuthMode, AuthRouteRules, UserMatch, RequireSessionOptions, Auth, InferUser, InferSession } from '${resolver.resolve("./runtime/types")}'
+`
     });
     addTypeTemplate({
-      filename: "better-auth/client.d.ts",
-      getContents: () => {
-        return [
-          'import { createAuthInstance } from "./client.mjs"',
-          'import type { ClientOptions, InferSessionFromClient, InferUserFromClient } from "better-auth"',
-          'import type { RouteLocationRaw } from "vue-router"',
-          'import { Ref, ComputedRef } from "vue"',
-          ...clientConfigs.map((config) => {
-            return `import ${config.key} from "${config.path}"`;
-          }),
-          "export interface RuntimeAuthConfig {",
-          "  redirectUserTo: RouteLocationRaw | string",
-          "  redirectGuestTo: RouteLocationRaw | string",
-          "  redirectUnauthorizedTo: RouteLocationRaw | string",
-          "}",
-          "export interface AuthSignOutOptions {",
-          "  redirectTo?: RouteLocationRaw",
-          "}",
-          "export type AuthClient = ReturnType<typeof createAuthInstance>",
-          "export declare const useUserSession: () => AuthClient"
-        ].join("\n");
-      }
+      filename: "types/nuxt-better-auth-client.d.ts",
+      getContents: () => `
+import type createAppAuthClient from '${clientConfigPath}'
+declare module '#nuxt-better-auth' {
+  export type AppAuthClient = ReturnType<typeof createAppAuthClient>
+}
+`
     });
-    addServerImports([
-      {
-        from: server.dst,
-        name: "useAuth"
-      },
-      {
-        from: server.dst,
-        name: "auth"
-      }
-    ]);
-    addImports([
-      {
-        from: client.dst,
-        name: "useUserSession"
-      },
-      {
-        from: client.dst,
-        name: "createAuthInstance"
+    nuxt.hook("builder:watch", async (_event, relativePath) => {
+      if (relativePath.includes("auth.config")) {
+        await updateTemplates({ filter: (t) => t.filename.includes("nuxt-better-auth") });
       }
-    ]);
-    addRouteMiddleware({
-      name: "auth",
-      path: resolver.resolve("./runtime/middleware/auth"),
-      global: true
     });
-    addTypeTemplate({
-      filename: "types/better-auth-middleware.d.ts",
-      getContents: () => {
-        return [
-          " type MiddlewareOptions = false | {",
-          "   /**",
-          "    * Only apply auth middleware to guest or user",
-          "    */",
-          "   only?:",
-          '     | "guest"',
-          '     | "user"',
-          '     | "member"',
-          '     | "admin"',
-          "   /**",
-          "    * Redirect authenticated user to this route",
-          "    */",
-          "   redirectUserTo?: string",
-          "   /**",
-          "    * Redirect guest to this route",
-          "    */",
-          "   redirectGuestTo?: string",
-          "   redirectUnauthorizedTo?: string",
-          " }",
-          ' declare module "#app" {',
-          "   interface PageMeta {",
-          "     auth?: MiddlewareOptions",
-          "   }",
-          " }",
-          ' declare module "vue-router" {',
-          "   interface RouteMeta {",
-          "     auth?: MiddlewareOptions",
-          "   }",
-          " }",
-          "export {}"
-        ].join("\n");
-      },
-      write: true
+    if (!clientOnly) {
+      addServerImportsDir(resolver.resolve("./runtime/server/utils"));
+      addServerImports([{ name: "defineServerAuth", from: resolver.resolve("./runtime/config") }]);
+      addServerScanDir(resolver.resolve("./runtime/server/middleware"));
+      addServerHandler({ route: "/api/auth/**", handler: resolver.resolve("./runtime/server/api/auth/[...all]") });
+    }
+    addImportsDir(resolver.resolve("./runtime/app/composables"));
+    addImportsDir(resolver.resolve("./runtime/utils"));
+    if (!clientOnly)
+      addPlugin({ src: resolver.resolve("./runtime/app/plugins/session.server"), mode: "server" });
+    addPlugin({ src: resolver.resolve("./runtime/app/plugins/session.client"), mode: "client" });
+    addComponentsDir({ path: resolver.resolve("./runtime/app/components") });
+    nuxt.hook("app:resolve", (app) => {
+      app.middleware.push({ name: "auth", path: resolver.resolve("./runtime/app/middleware/auth.global"), global: true });
+    });
+    if (hasHubDb) {
+      await setupBetterAuthSchema(nuxt, serverConfigPath, options);
+    }
+    if (hasConvexDb) {
+      await setupConvexAuthSchema(nuxt, serverConfigPath);
+    }
+    const isProduction = process.env.NODE_ENV === "production" || !nuxt.options.dev;
+    if (!isProduction && !clientOnly) {
+      if (!hasNuxtModule("@nuxt/ui"))
+        await installModule("@nuxt/ui");
+      setupDevTools(nuxt);
+      addServerHandler({ route: "/api/_better-auth/config", method: "GET", handler: resolver.resolve("./runtime/server/api/_better-auth/config.get") });
+      if (hasHubDb) {
+        addServerHandler({ route: "/api/_better-auth/sessions", method: "GET", handler: resolver.resolve("./runtime/server/api/_better-auth/sessions.get") });
+        addServerHandler({ route: "/api/_better-auth/sessions", method: "DELETE", handler: resolver.resolve("./runtime/server/api/_better-auth/sessions.delete") });
+        addServerHandler({ route: "/api/_better-auth/users", method: "GET", handler: resolver.resolve("./runtime/server/api/_better-auth/users.get") });
+        addServerHandler({ route: "/api/_better-auth/accounts", method: "GET", handler: resolver.resolve("./runtime/server/api/_better-auth/accounts.get") });
+      }
+      extendPages((pages) => {
+        pages.push({ name: "better-auth-devtools", path: "/__better-auth-devtools", file: resolver.resolve("./runtime/app/pages/__better-auth-devtools.vue") });
+      });
+    }
+    nuxt.hook("pages:extend", (pages) => {
+      const routeRules = nuxt.options.routeRules || {};
+      if (!Object.keys(routeRules).length)
+        return;
+      const matcher = toRouteMatcher(createRouter({ routes: routeRules }));
+      const applyMetaFromRules = (page) => {
+        const matches = matcher.matchAll(page.path);
+        if (!matches.length)
+          return;
+        const matchedRules = defu({}, ...matches.reverse());
+        if (matchedRules.auth !== void 0) {
+          page.meta = page.meta || {};
+          page.meta.auth = matchedRules.auth;
+        }
+        page.children?.forEach((child) => applyMetaFromRules(child));
+      };
+      pages.forEach((page) => applyMetaFromRules(page));
     });
-    addPlugin(resolver.resolve("./runtime/plugin"));
   }
 });
+async function setupBetterAuthSchema(nuxt, serverConfigPath, options) {
+  const hub = nuxt.options.hub;
+  const dialect = getHubDialect(hub);
+  if (!dialect || !["sqlite", "postgresql", "mysql"].includes(dialect)) {
+    consola.warn(`Unsupported database dialect: ${dialect}`);
+    return;
+  }
+  const isProduction = !nuxt.options.dev;
+  try {
+    const configFile = `${serverConfigPath}.ts`;
+    const userConfig = await loadUserAuthConfig(configFile, isProduction);
+    const extendedConfig = {};
+    await nuxt.callHook("better-auth:config:extend", extendedConfig);
+    const plugins = [...userConfig.plugins || [], ...extendedConfig.plugins || []];
+    const authOptions = {
+      ...userConfig,
+      plugins,
+      secondaryStorage: options.secondaryStorage ? { get: async (_key) => null, set: async (_key, _value, _ttl) => {
+      }, delete: async (_key) => {
+      } } : void 0
+    };
+    const hubCasing = getHubCasing(hub);
+    const schemaOptions = { ...options.schema, useUuid: userConfig.advanced?.database?.generateId === "uuid", casing: options.schema?.casing ?? hubCasing };
+    const schemaCode = await generateDrizzleSchema(authOptions, dialect, schemaOptions);
+    const schemaDir = join(nuxt.options.buildDir, "better-auth");
+    const schemaPath = join(schemaDir, `schema.${dialect}.ts`);
+    await mkdir(schemaDir, { recursive: true });
+    await writeFile(schemaPath, schemaCode);
+    addTemplate({ filename: `better-auth/schema.${dialect}.ts`, getContents: () => schemaCode, write: true });
+    consola.info(`Generated ${dialect} schema`);
+  } catch (error) {
+    if (isProduction) {
+      throw error;
+    }
+    consola.error("Failed to generate schema:", error);
+  }
+  const nuxtWithHubHooks = nuxt;
+  nuxtWithHubHooks.hook("hub:db:schema:extend", ({ paths, dialect: hookDialect }) => {
+    const schemaPath = join(nuxt.options.buildDir, "better-auth", `schema.${hookDialect}.ts`);
+    if (existsSync(schemaPath)) {
+      paths.unshift(schemaPath);
+    }
+  });
+}
+async function setupConvexAuthSchema(nuxt, serverConfigPath) {
+  const isProduction = !nuxt.options.dev;
+  try {
+    const configFile = `${serverConfigPath}.ts`;
+    const userConfig = await loadUserAuthConfig(configFile, isProduction);
+    const authOptions = { ...userConfig };
+    const schemaCode = await generateConvexSchema(authOptions);
+    const schemaDir = join(nuxt.options.buildDir, "better-auth");
+    const schemaPath = join(schemaDir, "auth-tables.convex.ts");
+    await mkdir(schemaDir, { recursive: true });
+    await writeFile(schemaPath, schemaCode);
+    addTemplate({ filename: "better-auth/auth-tables.convex.ts", getContents: () => schemaCode, write: true });
+    nuxt.options.alias["#auth/convex-schema"] = schemaPath;
+    consola.info("Generated Convex auth schema at .nuxt/better-auth/auth-tables.convex.ts");
+  } catch (error) {
+    if (isProduction) {
+      throw error;
+    }
+    consola.error("Failed to generate Convex schema:", error);
+  }
+}
 
-export { module as default };
+export { module$1 as default };