better-near-auth 0.1.13 → 0.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-near-auth",
-  "version": "0.1.13",
+  "version": "0.2.0",
   "description": "Sign in with NEAR (SIWN) plugin for Better Auth",
   "main": "src/index.ts",
   "module": "src/index.ts",
@@ -47,17 +47,16 @@
     "typescript": "^5.0.0"
   },
   "dependencies": {
-    "@better-auth/utils": "^0.2.6",
     "fastintear": "^0.3.6",
     "nanostores": "^1.0.1",
     "near-sign-verify": "^0.4.3",
-    "zod": "^4.0.17"
+    "zod": "^4.1.12"
   },
   "devDependencies": {
     "@types/bun": "latest",
-    "@types/node": "^24.3.0",
-    "better-auth": "^1.3.6",
-    "typescript": "^5.9.2",
+    "@types/node": "^24.8.1",
+    "better-auth": "^1.3.27",
+    "typescript": "^5.9.3",
     "vitest": "^3.2.4"
   },
   "files": [

package/src/client.ts

@@ -34,6 +34,9 @@ export interface SIWNClientActions {
 		getAccountId: () => string | null;
 		getState: () => { accountId: string | null; publicKey: string | null; networkId: string } | null;
 		disconnect: () => Promise<void>;
+		link: (params: { recipient: string }, callbacks?: AuthCallbacks) => Promise<void>;
+		unlink: (params: { accountId: string; network?: "mainnet" | "testnet" }) => Promise<BetterFetchResponse<{ success: boolean; message: string }>>;
+		listAccounts: () => Promise<BetterFetchResponse<{ accounts: any[] }>>;
 	};
 	requestSignIn: {
 		near: (params: { recipient: string }, callbacks?: AuthCallbacks) => Promise<void>;
@@ -128,6 +131,95 @@ export const siwnClient = (config: SIWNClientConfig): SIWNClientPlugin => {
 						clearNonce();
 						nearState.set(null);
 					},
+					link: async (
+						params: { recipient: string },
+						callbacks?: AuthCallbacks
+					): Promise<void> => {
+						try {
+							const { recipient } = params;
+
+							if (!nearClient) {
+								const error = new Error("NEAR client not available") as Error & { code?: string };
+								error.code = "SIGNER_NOT_AVAILABLE";
+								throw error;
+							}
+
+							const accountId = nearClient.accountId();
+							if (!accountId) {
+								const error = new Error("Wallet not connected. Please connect your wallet first.") as Error & { code?: string };
+								error.code = "WALLET_NOT_CONNECTED";
+								throw error;
+							}
+
+							// Get nonce first
+							const state = nearState.get();
+							const nonceRequest: NonceRequestT = {
+								accountId,
+								publicKey: state?.publicKey || "",
+								networkId: (state?.networkId || "mainnet") as "mainnet" | "testnet"
+							};
+
+							const nonceResponse: BetterFetchResponse<NonceResponseT> = await $fetch("/near/nonce", {
+								method: "POST",
+								body: nonceRequest
+							});
+
+							if (nonceResponse.error) {
+								throw new Error(nonceResponse.error.message || "Failed to get nonce");
+							}
+
+							const nonce = nonceResponse?.data?.nonce;
+							if (!nonce) {
+								throw new Error("No nonce received from server");
+							}
+
+							// Create the sign-in message
+							const message = `Sign in to ${recipient}\n\nAccount ID: ${accountId}\nNonce: ${nonce}`;
+							const nonceBytes = base64ToBytes(nonce);
+
+							// Sign the message
+							const authToken = await sign(message, {
+								signer: nearClient,
+								recipient,
+								nonce: nonceBytes,
+							});
+
+							// Link the account (instead of verify)
+							const linkResponse: BetterFetchResponse<any> = await $fetch("/near/link-account", {
+								method: "POST",
+								body: {
+									authToken,
+									accountId,
+								}
+							});
+
+							if (linkResponse.error) {
+								throw new Error(linkResponse.error.message || "Failed to link NEAR account");
+							}
+
+							if (!linkResponse?.data?.success) {
+								throw new Error("Account linking failed");
+							}
+
+							callbacks?.onSuccess?.();
+						} catch (error) {
+							const err = error instanceof Error ? error : new Error(String(error));
+							callbacks?.onError?.(err);
+						}
+					},
+					unlink: async (
+						params: { accountId: string; network?: "mainnet" | "testnet" },
+						fetchOptions?: BetterFetchOption
+					): Promise<BetterFetchResponse<{ success: boolean; message: string }>> => {
+						return await $fetch("/near/unlink-account", {
+							method: "POST",
+							body: params,
+							...fetchOptions
+						});
+					},
+					listAccounts: async (): Promise<BetterFetchResponse<{ accounts: any[] }>> => {
+						return await $fetch("/near/list-accounts", { method: "GET" });
+					},
 				},
 				requestSignIn: {
 					near: async (

package/src/index.ts

@@ -1,7 +1,7 @@
 import { bytesToBase64 } from "fastintear/utils";
 import { APIError, createAuthEndpoint, createAuthMiddleware, sessionMiddleware } from "better-auth/api";
 import { setSessionCookie } from "better-auth/cookies";
-import type { BetterAuthPlugin, User } from "better-auth/types";
+import type { Account, BetterAuthPlugin, User } from "better-auth/types";
 import { generateNonce, parseAuthToken, verify, type VerificationResult, type VerifyOptions } from "near-sign-verify";
 import { defaultGetProfile, getImageUrl, getNetworkFromAccountId } from "./profile";
 import { schema } from "./schema";
@@ -18,6 +18,7 @@ import {
 	VerifyRequest,
 	VerifyResponse
 } from "./types";
+import z from "zod";
 export * from "./types";
 
 function getOrigin(baseURL: string): string {
@@ -102,6 +103,267 @@ export const siwn = (options: SIWNPluginOptions) =>
 			],
 		},
 		endpoints: {
+			linkNearAccount: createAuthEndpoint(
+				"/near/link-account",
+				{
+					method: "POST",
+					body: VerifyRequest.refine((data) => options.anonymous !== false || !!data.email, {
+						message: "Email is required when the anonymous plugin option is disabled.",
+						path: ["email"],
+					}),
+					use: [sessionMiddleware], // Requires active session
+					requireRequest: true,
+				},
+				async (ctx) => {
+					const { authToken, accountId, email } = ctx.body;
+					const network = getNetworkFromAccountId(accountId);
+					const session = ctx.context.session;
+
+					if (!session) {
+						throw new APIError("UNAUTHORIZED", {
+							message: "Must be logged in to link NEAR account",
+							status: 401,
+						});
+					}
+
+					try {
+						const verification = await ctx.context.internalAdapter.findVerificationValue(
+							`siwn:${accountId}:${network}`,
+						);
+
+						if (!verification || new Date() > verification.expiresAt) {
+							throw new APIError("UNAUTHORIZED", {
+								message: "Unauthorized: Invalid or expired nonce",
+								status: 401,
+							});
+						}
+
+						// Build verify options using plugin configuration
+						const requireFullAccessKey = options.requireFullAccessKey ?? true;
+						const verifyOptions: VerifyOptions = {
+							requireFullAccessKey: requireFullAccessKey,
+							...(options.validateNonce
+								? { validateNonce: options.validateNonce }
+								: { nonceMaxAge: 15 * 60 * 1000 }),
+							...(options.validateRecipient
+								? { validateRecipient: options.validateRecipient }
+								: { expectedRecipient: options.recipient }),
+							...(options.validateMessage ? { validateMessage: options.validateMessage } : {}),
+						} as VerifyOptions;
+
+						// Verify the signature using near-sign-verify
+						const result: VerificationResult = await verify(authToken, verifyOptions);
+
+						if (result.accountId !== accountId) {
+							throw new APIError("UNAUTHORIZED", {
+								message: "Unauthorized: Account ID mismatch",
+								status: 401,
+							});
+						}
+
+						if (!options.requireFullAccessKey && options.validateLimitedAccessKey) {
+							const isValidKey = await options.validateLimitedAccessKey({
+								accountId: result.accountId,
+								publicKey: result.publicKey,
+								recipient: options.recipient
+							});
+
+							if (!isValidKey) {
+								throw new APIError("UNAUTHORIZED", {
+									message: "Unauthorized: Invalid function call access key",
+									status: 401,
+								});
+							}
+						}
+
+						await ctx.context.internalAdapter.deleteVerificationValue(verification.id);
+
+						// Check if this NEAR account is already linked
+						const existingNearAccount: NearAccount | null = await ctx.context.adapter.findOne({
+							model: "nearAccount",
+							where: [
+								{ field: "accountId", operator: "eq", value: accountId },
+								{ field: "network", operator: "eq", value: network },
+							],
+						});
+
+						if (existingNearAccount) {
+							throw new APIError("BAD_REQUEST", {
+								message: "This NEAR account is already linked to another user",
+								status: 400,
+							});
+						}
+
+						// Check if user already has a primary NEAR account
+						const existingPrimaryAccount: NearAccount | null = await ctx.context.adapter.findOne({
+							model: "nearAccount",
+							where: [
+								{ field: "userId", operator: "eq", value: session.user.id },
+								{ field: "isPrimary", operator: "eq", value: true },
+							],
+						});
+
+						// Link the NEAR account to the current user
+						await ctx.context.adapter.create({
+							model: "nearAccount",
+							data: {
+								userId: session.user.id,
+								accountId,
+								network,
+								publicKey: result.publicKey,
+								isPrimary: !existingPrimaryAccount, // First NEAR account becomes primary
+								createdAt: new Date(),
+							},
+						});
+
+						await ctx.context.internalAdapter.createAccount({
+							userId: session.user.id,
+							providerId: "siwn",
+							accountId: `${accountId}:${network}`,
+							createdAt: new Date(),
+							updatedAt: new Date(),
+						});
+
+						return ctx.json({
+							success: true,
+							accountId,
+							network,
+							message: "NEAR account successfully linked"
+						});
+					} catch (error: unknown) {
+						if (error instanceof APIError) throw error;
+						throw new APIError("UNAUTHORIZED", {
+							message: "Something went wrong. Please try again later.",
+							error: error instanceof Error ? error.message : "Unknown error",
+							status: 401,
+						});
+					}
+				},
+			),
+			unlinkNearAccount: createAuthEndpoint(
+				"/near/unlink-account",
+				{
+					method: "POST",
+					body: z.object({
+						accountId: z.string(),
+						network: z.enum(["mainnet", "testnet"]).optional(),
+					}),
+					use: [sessionMiddleware],
+				},
+				async (ctx) => {
+					const { accountId, network: providedNetwork } = ctx.body;
+					const session = ctx.context.session;
+
+					if (!session) {
+						throw new APIError("UNAUTHORIZED", {
+							message: "Must be logged in to unlink NEAR account",
+							status: 401,
+						});
+					}
+
+					const network = providedNetwork || getNetworkFromAccountId(accountId);
+
+					// Find the NEAR account to unlink
+					const nearAccount: NearAccount | null = await ctx.context.adapter.findOne({
+						model: "nearAccount",
+						where: [
+							{ field: "userId", operator: "eq", value: session.user.id },
+							{ field: "accountId", operator: "eq", value: accountId },
+							{ field: "network", operator: "eq", value: network },
+						],
+					});
+
+					if (!nearAccount) {
+						throw new APIError("NOT_FOUND", {
+							message: "NEAR account not found or not linked to your user",
+							status: 404,
+						});
+					}
+
+					// Safety check: Don't allow unlinking if it's the only auth method
+					const accounts = await ctx.context.adapter.findMany({
+						model: "account",
+						where: [{ field: "userId", operator: "eq", value: session.user.id }],
+					});
+
+					if (accounts.length <= 1) {
+						throw new APIError("BAD_REQUEST", {
+							message: "Cannot unlink last authentication method. Link another account first.",
+							status: 400,
+						});
+					}
+
+					// If unlinking primary account, promote another one
+					if (nearAccount.isPrimary) {
+						const otherNearAccounts: NearAccount[] = await ctx.context.adapter.findMany({
+							model: "nearAccount",
+							where: [
+								{ field: "userId", operator: "eq", value: session.user.id },
+								{ field: "accountId", operator: "ne", value: accountId },
+							],
+						});
+
+						if (otherNearAccounts.length > 0) {
+							// Promote the first other NEAR account to primary
+							await ctx.context.adapter.update({
+								model: "nearAccount",
+								where: [
+									{ field: "id", operator: "eq", value: otherNearAccounts[0]!.id },
+								],
+								update: { isPrimary: true },
+							});
+						}
+					}
+
+					// Delete the NEAR account record
+					await ctx.context.adapter.delete({
+						model: "nearAccount",
+						where: [
+							{ field: "userId", operator: "eq", value: session.user.id },
+							{ field: "accountId", operator: "eq", value: accountId },
+							{ field: "network", operator: "eq", value: network },
+						],
+					});
+
+					// Delete the associated account record
+					const accountToDelete: Account | null = await ctx.context.adapter.findOne({
+						model: "account",
+						where: [
+							{ field: "userId", operator: "eq", value: session.user.id },
+							{ field: "providerId", operator: "eq", value: "siwn" },
+							{ field: "accountId", operator: "eq", value: `${accountId}:${network}` },
+						],
+					});
+
+					if (accountToDelete) {
+						await ctx.context.internalAdapter.deleteAccount(accountToDelete.id);
+					}
+
+					return ctx.json({
+						success: true,
+						accountId,
+						network,
+						message: "NEAR account successfully unlinked"
+					});
+				},
+			),
+			listNearAccounts: createAuthEndpoint(
+				"/near/list-accounts",
+				{
+					method: "GET",
+					use: [sessionMiddleware],
+				},
+				async (ctx) => {
+					const session = ctx.context.session;
+
+					const nearAccounts: NearAccount[] = await ctx.context.adapter.findMany({
+						model: "nearAccount",
+						where: [{ field: "userId", operator: "eq", value: session.user.id }],
+					});
+
+					return ctx.json({ accounts: nearAccounts });
+				},
+			),
 			getSiwnNonce: createAuthEndpoint(
 				"/near/nonce",
 				{
@@ -393,4 +655,4 @@ export const siwn = (options: SIWNPluginOptions) =>
 				},
 			),
 		},
-	}) satisfies BetterAuthPlugin;
+	}) satisfies BetterAuthPlugin;