create-authhero 0.45.0 → 0.47.0

package/dist/cloudflare/src/index.ts

@@ -1,6 +1,6 @@
-import { D1Dialect } from "kysely-d1";
-import { Kysely } from "kysely";
-import createAdapters from "@authhero/kysely-adapter";
+import { drizzle } from "drizzle-orm/d1";
+import createAdapters from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
 import createApp from "./app";
 import { Env } from "./types";
 import {
@@ -22,8 +22,7 @@ export default {
     // Get the origin from the request for dynamic CORS
     const origin = request.headers.get("Origin") || "";
 
-    const dialect = new D1Dialect({ database: env.AUTH_DB });
-    const db = new Kysely<any>({ dialect });
+    const db = drizzle(env.AUTH_DB, { schema });
     let dataAdapter = createAdapters(db, { useTransactions: false });
 
     // Encrypt sensitive credential fields at rest when ENCRYPTION_KEY is set.

package/dist/cloudflare/wrangler.toml

@@ -13,7 +13,7 @@
 
 name = "authhero-server"
 main = "src/index.ts"
-compatibility_date = "2024-11-20"
+compatibility_date = "2026-05-01"
 compatibility_flags = ["nodejs_compat"]
 
 # ════════════════════════════════════════════════════════════════════════════

package/dist/cloudflare-control-plane/.dev.vars.example

@@ -0,0 +1,17 @@
+# ============================================================================
+# Development Environment Variables — Control Plane Worker
+# ============================================================================
+# Copy this file to .dev.vars and fill in your values.
+# ============================================================================
+
+# The control plane's own at-rest encryption key (base64-encoded 32 bytes).
+# `create-authhero` writes a generated key here for local dev. In production:
+#   wrangler secret put ENCRYPTION_KEY
+# Generate one with: openssl rand -base64 32
+# ENCRYPTION_KEY=
+
+# The shared CONTROL PLANE key (key id "cp"). The rollout encrypts projected
+# secrets under this key; each tenant Worker holds the same key to decrypt them.
+# Must be byte-identical across the control plane and every tenant Worker.
+#   wrangler secret put CONTROL_PLANE_ENCRYPTION_KEY
+# CONTROL_PLANE_ENCRYPTION_KEY=

package/dist/cloudflare-control-plane/README.md

@@ -0,0 +1,59 @@
+# AuthHero — Control Plane Worker
+
+The **management surface and rollout source** for a Workers-for-Platforms setup.
+It manages tenants, serves colocated tenants from the shared database, and
+projects the control plane's defaults (shared social logins, prompts, branding,
+system resource servers, inheritable hooks) into each WFP tenant's own database.
+
+This is one of three pieces:
+
+| Piece | Template |
+| --- | --- |
+| Front door (host → tenant → dispatch) | `cloudflare-wfp-dispatcher` |
+| Per-tenant Workers | `cloudflare-wfp-tenant` |
+| **This control plane** | `cloudflare-control-plane` |
+
+## The rollout
+
+`src/index.ts` builds a `createDirectRolloutAdapter` (inline execution). The app
+exposes:
+
+```
+POST /internal/tenants/:id/sync-defaults
+```
+
+Call it **after a tenant is provisioned** and **after rotating a shared secret**.
+It reads the control plane tenant's inheritable rows and upserts them (by id,
+idempotently) into the target tenant's database under the `control_plane`
+tenant id, re-encrypting secrets under the `cp` key.
+
+::: warning Two things to wire before production
+1. **`buildTenantAdapters(env, tenantId)`** in `src/index.ts` is a stub. Return
+   the `DataAdapters` over the target tenant's own D1, wrapped with the same key
+   ring the tenant Worker uses (`{ default, keys: { cp } }`). How you reach a
+   tenant's D1 is platform-specific (per-tenant binding or the D1 HTTP API).
+   Until implemented, the endpoint returns `501`.
+2. **Protect the `/internal/...` route** (service binding, mTLS, or admin token).
+   It re-keys tenant databases.
+:::
+
+## Secrets
+
+- `ENCRYPTION_KEY` — the control plane's own secrets at rest.
+- `CONTROL_PLANE_ENCRYPTION_KEY` — the shared `cp` key the rollout encrypts
+  projected secrets under. Every tenant Worker holds the **same** key to decrypt
+  them; keep it byte-identical everywhere.
+
+## Setup
+
+```bash
+npm install
+npm run setup     # creates wrangler.local.toml + .dev.vars (ENCRYPTION_KEY generated)
+# add CONTROL_PLANE_ENCRYPTION_KEY (openssl rand -base64 32) to .dev.vars
+npm run migrate
+npm run seed      # seed the control plane tenant + admin
+npm run dev
+```
+
+See [Control Plane Defaults](https://authhero.net/docs/customization/multi-tenancy/control-plane-defaults)
+for the full architecture and request flows.

package/dist/cloudflare-control-plane/copy-assets.js

@@ -0,0 +1,132 @@
+#!/usr/bin/env node
+
+/**
+ * Copy AuthHero assets to dist directory
+ *
+ * This script copies static assets from the authhero package to the dist directory
+ * so they can be served as static files. Most deployment targets do not support
+ * serving files directly from node_modules.
+ */
+
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+const sourceDir = path.join(
+  __dirname,
+  "node_modules",
+  "authhero",
+  "dist",
+  "assets",
+);
+const targetDir = path.join(__dirname, "dist", "assets");
+
+/**
+ * Recursively copy directory contents
+ */
+function copyDirectory(src, dest) {
+  // Create destination directory if it doesn't exist
+  if (!fs.existsSync(dest)) {
+    fs.mkdirSync(dest, { recursive: true });
+  }
+
+  // Read source directory
+  const entries = fs.readdirSync(src, { withFileTypes: true });
+
+  for (const entry of entries) {
+    const srcPath = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+
+    if (entry.isDirectory()) {
+      copyDirectory(srcPath, destPath);
+    } else {
+      fs.copyFileSync(srcPath, destPath);
+    }
+  }
+}
+
+try {
+  console.log("📦 Copying AuthHero assets...");
+
+  if (!fs.existsSync(sourceDir)) {
+    console.error(`❌ Source directory not found: ${sourceDir}`);
+    console.error("Make sure the authhero package is installed.");
+    process.exit(1);
+  }
+
+  // Clean target directory to remove stale files from previous builds
+  if (fs.existsSync(targetDir)) {
+    fs.rmSync(targetDir, { recursive: true });
+    console.log("🧹 Cleaned old assets");
+  }
+
+  copyDirectory(sourceDir, targetDir);
+
+  // Also copy widget files from @authhero/widget package
+  const widgetSourceDir = path.join(
+    __dirname,
+    "node_modules",
+    "@authhero",
+    "widget",
+    "dist",
+    "authhero-widget",
+  );
+  const widgetTargetDir = path.join(targetDir, "u", "widget");
+
+  if (fs.existsSync(widgetSourceDir)) {
+    console.log("📦 Copying widget assets...");
+    copyDirectory(widgetSourceDir, widgetTargetDir);
+  } else {
+    console.warn(`⚠️  Widget directory not found: ${widgetSourceDir}`);
+    console.warn(
+      "Widget features may not work. Install @authhero/widget to enable.",
+    );
+  }
+
+  // Copy admin UI files from @authhero/admin package
+  const adminSourceDir = path.join(
+    __dirname,
+    "node_modules",
+    "@authhero",
+    "admin",
+    "dist",
+  );
+
+  if (fs.existsSync(adminSourceDir)) {
+    console.log("📦 Copying admin UI assets...");
+    const adminTargetDir = path.join(targetDir, "admin");
+    copyDirectory(adminSourceDir, adminTargetDir);
+
+    // Inject runtime config into index.html
+    // Uses window.location.origin so the admin UI automatically points to its own server
+    const adminIndexPath = path.join(adminSourceDir, "index.html");
+    const adminHtml = fs
+      .readFileSync(adminIndexPath, "utf-8")
+      .replace(/src="\.\/assets\//g, 'src="/admin/assets/')
+      .replace(/href="\.\/assets\//g, 'href="/admin/assets/');
+    const configScript = `<script>window.__AUTHHERO_ADMIN_CONFIG__={domain:window.location.origin,clientId:"default",basePath:"/admin"}</script>`;
+    const injectedHtml = adminHtml.replace(
+      "</head>",
+      configScript + "\n</head>",
+    );
+
+    // Write injected HTML to CDN assets (for direct /admin/ access)
+    fs.writeFileSync(path.join(adminTargetDir, "index.html"), injectedHtml);
+
+    // Write as TS module for worker to import (for SPA fallback on deep links)
+    const srcDir = path.join(__dirname, "src");
+    fs.writeFileSync(
+      path.join(srcDir, "admin-index-html.ts"),
+      `export default ${JSON.stringify(injectedHtml)};\n`,
+    );
+    console.log("✅ Admin UI assets copied and configured");
+  }
+
+  console.log(`✅ Assets copied to ${targetDir}`);
+} catch (error) {
+  console.error("❌ Error copying assets:", error.message);
+  process.exit(1);
+}

package/dist/cloudflare-control-plane/drizzle.config.ts

@@ -0,0 +1,17 @@
+import { defineConfig } from "drizzle-kit";
+
+// ⚠️ WARNING: Do not run `drizzle-kit generate` or `npm run db:generate`
+//
+// This configuration is for reference only. Migrations are pre-generated and
+// shipped with the @authhero/drizzle package. The schema is managed by AuthHero
+// and should not be customized to ensure compatibility with future updates.
+//
+// To apply migrations:
+//   Local:  npm run migrate
+//   Remote: npm run db:migrate:remote
+
+export default defineConfig({
+  out: "./node_modules/@authhero/drizzle/drizzle",
+  schema: "./node_modules/@authhero/drizzle/src/schema/sqlite/index.ts",
+  dialect: "sqlite",
+});

package/dist/cloudflare-control-plane/scripts/decrypt-field.mjs

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { loadEncryptionKey, decryptField } from "authhero";
+
+// Decrypt a stored field value using ENCRYPTION_KEY from the environment.
+// Usage: node --env-file=.env scripts/decrypt-field.mjs "enc:v1:..."
+// Values without the enc:v1: prefix (legacy plaintext) are printed unchanged.
+const value = process.argv[2];
+
+if (!value) {
+  console.error(
+    'Usage: node --env-file=<env> scripts/decrypt-field.mjs "<value>"',
+  );
+  process.exit(1);
+}
+
+const keyB64 = process.env.ENCRYPTION_KEY;
+if (!keyB64) {
+  console.error(
+    "ENCRYPTION_KEY is not set. Pass it via --env-file or the environment.",
+  );
+  process.exit(1);
+}
+
+try {
+  const key = await loadEncryptionKey(keyB64);
+  console.log(await decryptField(value, key));
+} catch (error) {
+  console.error(
+    "Failed to decrypt:",
+    error instanceof Error ? error.message : error,
+  );
+  process.exit(1);
+}

package/dist/cloudflare-control-plane/scripts/generate-encryption-key.mjs

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import crypto from "node:crypto";
+
+// Print a fresh base64-encoded 32-byte (AES-256) key suitable for
+// ENCRYPTION_KEY. Copy the output into your env file (.env / .dev.vars) or set
+// it as a production secret.
+console.log(crypto.randomBytes(32).toString("base64"));

package/dist/cloudflare-control-plane/seed-helper.js

@@ -0,0 +1,113 @@
+#!/usr/bin/env node
+
+/**
+ * Helper script to seed the Cloudflare D1 database
+ * This script starts the seed worker, makes a request to it, and then stops it
+ */
+
+import { spawn } from "child_process";
+import { setTimeout } from "timers/promises";
+
+const adminUsername = process.argv[2] || process.env.ADMIN_USERNAME || "admin";
+const adminPassword = process.argv[3] || process.env.ADMIN_PASSWORD || "admin";
+const mode = process.argv[4] || "local";
+
+console.log(`Starting seed worker in ${mode} mode...`);
+
+const wranglerArgs = ["dev", "src/seed.ts"];
+if (mode === "remote") {
+  wranglerArgs.push("--remote");
+}
+
+const worker = spawn("wrangler", wranglerArgs, {
+  stdio: ["inherit", "pipe", "inherit"],
+});
+
+let workerUrl = "http://localhost:8787";
+let workerReady = false;
+
+// Listen for the worker output to get the URL
+worker.stdout?.on("data", (data) => {
+  const output = data.toString();
+  process.stdout.write(output);
+
+  // Look for the URL in the output
+  const urlMatch = output.match(/http:\/\/[^\s]+/);
+  if (urlMatch) {
+    workerUrl = urlMatch[0].replace(/\/$/, ""); // Remove trailing slash
+  }
+
+  // Detect when the worker is ready
+  if (output.includes("Ready on") || output.includes("Listening on")) {
+    workerReady = true;
+  }
+});
+
+// Function to wait for worker to be ready with retries
+async function waitForWorker(maxAttempts = 30, delayMs = 1000) {
+  for (let i = 0; i < maxAttempts; i++) {
+    try {
+      // Just check if the server responds (even with an error is fine)
+      const response = await fetch(workerUrl, {
+        signal: AbortSignal.timeout(2000),
+      });
+      // Any response means the server is up
+      return true;
+    } catch (e) {
+      // ECONNREFUSED means server not ready yet
+      if (e.cause?.code !== "ECONNREFUSED") {
+        // Other errors might mean the server is actually responding
+        return true;
+      }
+    }
+
+    if (workerReady) {
+      // Give it a bit more time after wrangler reports ready
+      await setTimeout(500);
+      return true;
+    }
+
+    await setTimeout(delayMs);
+    if (i > 0 && i % 5 === 0) {
+      console.log(
+        `Still waiting for worker... (attempt ${i + 1}/${maxAttempts})`,
+      );
+    }
+  }
+  return false;
+}
+
+console.log("Waiting for seed worker to start...");
+const isReady = await waitForWorker();
+
+if (!isReady) {
+  console.error("\n❌ Seed worker failed to start within timeout");
+  worker.kill();
+  process.exit(1);
+}
+
+console.log(`\nMaking seed request to ${workerUrl}...`);
+
+try {
+  const url = `${workerUrl}/?username=${encodeURIComponent(adminUsername)}&password=${encodeURIComponent(adminPassword)}`;
+
+  const response = await fetch(url);
+  const result = await response.json();
+
+  if (response.ok) {
+    console.log("\n✅ Seed completed successfully!");
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.error("\n❌ Seed failed:");
+    console.error(JSON.stringify(result, null, 2));
+    process.exit(1);
+  }
+} catch (error) {
+  console.error("\n❌ Failed to connect to seed worker:");
+  console.error(error);
+  process.exit(1);
+} finally {
+  // Stop the worker
+  console.log("\nStopping seed worker...");
+  worker.kill();
+}

package/dist/cloudflare-control-plane/src/app.ts

@@ -0,0 +1,74 @@
+import { Context } from "hono";
+import { swaggerUI } from "@hono/swagger-ui";
+import { AuthHeroConfig, DataAdapters } from "authhero";
+import {
+  initMultiTenant,
+  type ControlPlaneRolloutAdapter,
+} from "@authhero/multi-tenancy";
+
+// Control plane configuration. Tenants inherit this tenant's defaults.
+const CONTROL_PLANE_TENANT_ID = "control_plane";
+const CONTROL_PLANE_CLIENT_ID = "default";
+
+export default function createApp(
+  config: AuthHeroConfig & { dataAdapter: DataAdapters },
+  rollout: ControlPlaneRolloutAdapter,
+) {
+  // initMultiTenant syncs resource servers and roles, mounts /api/v2/tenants,
+  // and wraps adapters with runtime fallback for colocated tenants.
+  const { app } = initMultiTenant({
+    ...config,
+    controlPlane: {
+      tenantId: CONTROL_PLANE_TENANT_ID,
+      clientId: CONTROL_PLANE_CLIENT_ID,
+    },
+  });
+
+  app
+    .onError((err, ctx) => {
+      // Duck-typing avoids instanceof issues with bundled dependencies.
+      if (
+        err &&
+        typeof err === "object" &&
+        "getResponse" in err &&
+        typeof (err as { getResponse?: unknown }).getResponse === "function"
+      ) {
+        return (err as { getResponse: () => Response }).getResponse();
+      }
+      console.error(err);
+      return ctx.text(
+        err instanceof Error ? err.message : "Internal Server Error",
+        500,
+      );
+    })
+    .get("/", async (ctx: Context) => {
+      return ctx.json({
+        name: "AuthHero Control Plane",
+        status: "running",
+        docs: "/docs",
+        controlPlaneTenant: CONTROL_PLANE_TENANT_ID,
+      });
+    })
+    .get("/docs", swaggerUI({ url: "/api/v2/spec" }))
+    // Project the control plane defaults into a WFP tenant's own database.
+    // Call after a tenant is provisioned, and after rotating shared secrets.
+    //
+    // ⚠️  Protect this route before production (service binding, mTLS, or an
+    // admin token). It re-keys tenant databases.
+    .post("/internal/tenants/:id/sync-defaults", async (ctx: Context) => {
+      try {
+        const result = await rollout.syncDefaults(ctx.req.param("id"));
+        return ctx.json({ ok: true, result });
+      } catch (err) {
+        return ctx.json(
+          {
+            ok: false,
+            error: err instanceof Error ? err.message : String(err),
+          },
+          500,
+        );
+      }
+    });
+
+  return app;
+}

package/dist/cloudflare-control-plane/src/index.ts

@@ -0,0 +1,72 @@
+import { drizzle } from "drizzle-orm/d1";
+import createAdapters from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
+import {
+  AuthHeroConfig,
+  DataAdapters,
+  createEncryptedDataAdapter,
+  loadEncryptionKey,
+} from "authhero";
+import { createDirectRolloutAdapter } from "@authhero/multi-tenancy";
+import createApp from "./app";
+import { Env } from "./types";
+
+const CONTROL_PLANE_TENANT_ID = "control_plane";
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const url = new URL(request.url);
+    const issuer = `${url.protocol}//${url.host}/`;
+    const origin = request.headers.get("Origin") || "";
+
+    const db = drizzle(env.AUTH_DB, { schema });
+    let dataAdapter: DataAdapters = createAdapters(db, {
+      useTransactions: false,
+    });
+
+    if (env.ENCRYPTION_KEY) {
+      dataAdapter = createEncryptedDataAdapter(
+        dataAdapter,
+        await loadEncryptionKey(env.ENCRYPTION_KEY),
+      );
+    }
+
+    // Rollout source: project the control plane's inheritable defaults into a
+    // WFP tenant's own database. Runs inline here; swap for a Cloudflare
+    // Workflows implementation of ControlPlaneRolloutAdapter when you outgrow it.
+    const rollout = createDirectRolloutAdapter({
+      controlPlaneTenantId: CONTROL_PLANE_TENANT_ID,
+      getControlPlaneAdapters: async () => dataAdapter,
+      getAdapters: (tenantId) => buildTenantAdapters(env, tenantId),
+    });
+
+    const config: AuthHeroConfig & { dataAdapter: DataAdapters } = {
+      dataAdapter,
+      allowedOrigins: [origin].filter(Boolean),
+    };
+
+    const app = createApp(config, rollout);
+
+    return app.fetch(request, { ...env, ISSUER: issuer });
+  },
+};
+
+/**
+ * Return the DataAdapters over the given tenant's OWN D1, wrapped with the same
+ * control-plane key ring the tenant Worker uses (see the cloudflare-wfp-tenant
+ * template), so projected secrets are re-encrypted under the "cp" key id.
+ *
+ * How you reach a tenant's D1 is platform-specific — a per-tenant binding, or
+ * the Cloudflare D1 HTTP API. Implement this before calling sync-defaults; until
+ * then the /internal sync endpoint returns 501 with this message.
+ */
+function buildTenantAdapters(
+  _env: Env,
+  _tenantId: string,
+): Promise<DataAdapters> {
+  throw new Error(
+    "buildTenantAdapters is not configured: return the DataAdapters over the " +
+      "tenant's own D1, wrapped with the control-plane key ring (default key + " +
+      "{ cp: CONTROL_PLANE_ENCRYPTION_KEY }).",
+  );
+}

package/dist/cloudflare-control-plane/src/seed.ts

@@ -0,0 +1,56 @@
+import { drizzle } from "drizzle-orm/d1";
+import createAdapters from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
+import { seed, createEncryptedDataAdapter, loadEncryptionKey } from "authhero";
+
+interface Env {
+  AUTH_DB: D1Database;
+  ENCRYPTION_KEY?: string;
+}
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const url = new URL(request.url);
+    const adminUsername = url.searchParams.get("username") || "admin";
+    const adminPassword = url.searchParams.get("password") || "admin";
+    const issuer = `${url.protocol}//${url.host}/`;
+
+    try {
+      const db = drizzle(env.AUTH_DB, { schema });
+      let adapters = createAdapters(db, { useTransactions: false });
+
+      if (env.ENCRYPTION_KEY) {
+        const encryptionKey = await loadEncryptionKey(env.ENCRYPTION_KEY);
+        adapters = createEncryptedDataAdapter(adapters, encryptionKey);
+      }
+
+      const result = await seed(adapters, {
+        adminUsername,
+        adminPassword,
+        issuer,
+        tenantId: "control_plane",
+        tenantName: "Control Plane",
+        isControlPlane: true,
+        clientId: "default",
+      });
+
+      return new Response(
+        JSON.stringify({
+          success: true,
+          message: "Control plane seeded successfully",
+          result,
+        }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      );
+    } catch (error) {
+      console.error("Seed error:", error);
+      return new Response(
+        JSON.stringify({
+          error: "Failed to seed database",
+          message: error instanceof Error ? error.message : String(error),
+        }),
+        { status: 500, headers: { "Content-Type": "application/json" } },
+      );
+    }
+  },
+};

package/dist/cloudflare-control-plane/src/types.ts

@@ -0,0 +1,14 @@
+/// <reference types="@cloudflare/workers-types" />
+
+export interface Env {
+  // The control plane's shared database (also home to colocated tenants).
+  AUTH_DB: D1Database;
+
+  // Base64-encoded 32-byte key for the control plane's own secrets at rest.
+  ENCRYPTION_KEY?: string;
+
+  // Base64-encoded 32-byte key (key id "cp") that shared secrets are encrypted
+  // under when projected into a tenant's database. The control plane holds it
+  // so the rollout can re-encrypt secrets the tenant Worker will decrypt.
+  CONTROL_PLANE_ENCRYPTION_KEY?: string;
+}

package/dist/cloudflare-control-plane/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "types": ["@cloudflare/workers-types"]
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules"]
+}