create-authhero 0.46.0 → 0.47.0

package/dist/cloudflare-wfp-tenant/.dev.vars.example

@@ -0,0 +1,17 @@
+# ============================================================================
+# Development Environment Variables — WFP Tenant Worker
+# ============================================================================
+# Copy this file to .dev.vars and fill in your values.
+# ============================================================================
+
+# This tenant's own at-rest encryption key (base64-encoded 32 bytes).
+# `create-authhero` writes a generated key here for local dev. In production:
+#   wrangler secret put ENCRYPTION_KEY
+# Generate one with: openssl rand -base64 32
+# ENCRYPTION_KEY=
+
+# The CONTROL PLANE key (key id "cp"). Decrypts the shared secrets the control
+# plane projected into this tenant's database. Must be byte-identical to the
+# control plane's CONTROL_PLANE_ENCRYPTION_KEY. In production:
+#   wrangler secret put CONTROL_PLANE_ENCRYPTION_KEY
+# CONTROL_PLANE_ENCRYPTION_KEY=

package/dist/cloudflare-wfp-tenant/README.md

@@ -0,0 +1,62 @@
+# AuthHero — WFP Tenant Worker
+
+The full `authhero` app for **one tenant**, deployed into a Workers-for-Platforms
+dispatch namespace. It reads only its **own D1** and inherits the control
+plane's defaults (shared social logins, prompts, branding, system resource
+servers, inheritable hooks) from rows the **control plane rollout** projects
+into that database.
+
+This is one of three pieces:
+
+| Piece | Template |
+| --- | --- |
+| Front door (host → tenant → dispatch) | `cloudflare-wfp-dispatcher` |
+| **This tenant Worker** | `cloudflare-wfp-tenant` |
+| Control plane (rollout source + management) | `cloudflare-control-plane` |
+
+## How defaults work
+
+`src/index.ts` layers the data adapter:
+
+```
+D1 → keyed encryption (tenant key + "cp" key) → withRuntimeFallback(control_plane)
+```
+
+`withRuntimeFallback` resolves the control-plane rows that the rollout wrote into
+this database under the `control_plane` tenant id — the same read path a
+control-plane-colocated tenant uses. **No request-time call to the control
+plane.**
+
+## Secrets
+
+Two keys, both Worker secrets (never in the database):
+
+- `ENCRYPTION_KEY` — this tenant's own secrets.
+- `CONTROL_PLANE_ENCRYPTION_KEY` — the shared `cp` key. Decrypts the inherited
+  secrets (e.g. Google `client_secret`). It must be **byte-identical** to the
+  control plane's key, or the inherited secrets won't decrypt. A raw export of
+  `AUTH_DB` keeps those secrets opaque without it.
+
+## Setup
+
+```bash
+npm install
+npm run setup            # creates wrangler.local.toml + .dev.vars (ENCRYPTION_KEY generated)
+# paste CONTROL_PLANE_ENCRYPTION_KEY (from the control plane) into .dev.vars
+npm run migrate          # apply schema to this tenant's D1
+npm run dev
+```
+
+## Deploy into the namespace
+
+```bash
+# one Worker per tenant
+wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth
+wrangler secret put ENCRYPTION_KEY                --name tenant-<id>-auth
+wrangler secret put CONTROL_PLANE_ENCRYPTION_KEY  --name tenant-<id>-auth
+```
+
+After the Worker and its D1 exist, run the control plane's
+`sync-defaults` for this tenant so its inherited rows are populated. See the
+[Control Plane Defaults](https://authhero.net/docs/customization/multi-tenancy/control-plane-defaults)
+docs for the full flow.

package/dist/cloudflare-wfp-tenant/copy-assets.js

@@ -0,0 +1,132 @@
+#!/usr/bin/env node
+
+/**
+ * Copy AuthHero assets to dist directory
+ *
+ * This script copies static assets from the authhero package to the dist directory
+ * so they can be served as static files. Most deployment targets do not support
+ * serving files directly from node_modules.
+ */
+
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+const sourceDir = path.join(
+  __dirname,
+  "node_modules",
+  "authhero",
+  "dist",
+  "assets",
+);
+const targetDir = path.join(__dirname, "dist", "assets");
+
+/**
+ * Recursively copy directory contents
+ */
+function copyDirectory(src, dest) {
+  // Create destination directory if it doesn't exist
+  if (!fs.existsSync(dest)) {
+    fs.mkdirSync(dest, { recursive: true });
+  }
+
+  // Read source directory
+  const entries = fs.readdirSync(src, { withFileTypes: true });
+
+  for (const entry of entries) {
+    const srcPath = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+
+    if (entry.isDirectory()) {
+      copyDirectory(srcPath, destPath);
+    } else {
+      fs.copyFileSync(srcPath, destPath);
+    }
+  }
+}
+
+try {
+  console.log("📦 Copying AuthHero assets...");
+
+  if (!fs.existsSync(sourceDir)) {
+    console.error(`❌ Source directory not found: ${sourceDir}`);
+    console.error("Make sure the authhero package is installed.");
+    process.exit(1);
+  }
+
+  // Clean target directory to remove stale files from previous builds
+  if (fs.existsSync(targetDir)) {
+    fs.rmSync(targetDir, { recursive: true });
+    console.log("🧹 Cleaned old assets");
+  }
+
+  copyDirectory(sourceDir, targetDir);
+
+  // Also copy widget files from @authhero/widget package
+  const widgetSourceDir = path.join(
+    __dirname,
+    "node_modules",
+    "@authhero",
+    "widget",
+    "dist",
+    "authhero-widget",
+  );
+  const widgetTargetDir = path.join(targetDir, "u", "widget");
+
+  if (fs.existsSync(widgetSourceDir)) {
+    console.log("📦 Copying widget assets...");
+    copyDirectory(widgetSourceDir, widgetTargetDir);
+  } else {
+    console.warn(`⚠️  Widget directory not found: ${widgetSourceDir}`);
+    console.warn(
+      "Widget features may not work. Install @authhero/widget to enable.",
+    );
+  }
+
+  // Copy admin UI files from @authhero/admin package
+  const adminSourceDir = path.join(
+    __dirname,
+    "node_modules",
+    "@authhero",
+    "admin",
+    "dist",
+  );
+
+  if (fs.existsSync(adminSourceDir)) {
+    console.log("📦 Copying admin UI assets...");
+    const adminTargetDir = path.join(targetDir, "admin");
+    copyDirectory(adminSourceDir, adminTargetDir);
+
+    // Inject runtime config into index.html
+    // Uses window.location.origin so the admin UI automatically points to its own server
+    const adminIndexPath = path.join(adminSourceDir, "index.html");
+    const adminHtml = fs
+      .readFileSync(adminIndexPath, "utf-8")
+      .replace(/src="\.\/assets\//g, 'src="/admin/assets/')
+      .replace(/href="\.\/assets\//g, 'href="/admin/assets/');
+    const configScript = `<script>window.__AUTHHERO_ADMIN_CONFIG__={domain:window.location.origin,clientId:"default",basePath:"/admin"}</script>`;
+    const injectedHtml = adminHtml.replace(
+      "</head>",
+      configScript + "\n</head>",
+    );
+
+    // Write injected HTML to CDN assets (for direct /admin/ access)
+    fs.writeFileSync(path.join(adminTargetDir, "index.html"), injectedHtml);
+
+    // Write as TS module for worker to import (for SPA fallback on deep links)
+    const srcDir = path.join(__dirname, "src");
+    fs.writeFileSync(
+      path.join(srcDir, "admin-index-html.ts"),
+      `export default ${JSON.stringify(injectedHtml)};\n`,
+    );
+    console.log("✅ Admin UI assets copied and configured");
+  }
+
+  console.log(`✅ Assets copied to ${targetDir}`);
+} catch (error) {
+  console.error("❌ Error copying assets:", error.message);
+  process.exit(1);
+}

package/dist/cloudflare-wfp-tenant/drizzle.config.ts

@@ -0,0 +1,17 @@
+import { defineConfig } from "drizzle-kit";
+
+// ⚠️ WARNING: Do not run `drizzle-kit generate` or `npm run db:generate`
+//
+// This configuration is for reference only. Migrations are pre-generated and
+// shipped with the @authhero/drizzle package. The schema is managed by AuthHero
+// and should not be customized to ensure compatibility with future updates.
+//
+// To apply migrations:
+//   Local:  npm run migrate
+//   Remote: npm run db:migrate:remote
+
+export default defineConfig({
+  out: "./node_modules/@authhero/drizzle/drizzle",
+  schema: "./node_modules/@authhero/drizzle/src/schema/sqlite/index.ts",
+  dialect: "sqlite",
+});

package/dist/cloudflare-wfp-tenant/scripts/decrypt-field.mjs

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { loadEncryptionKey, decryptField } from "authhero";
+
+// Decrypt a stored field value using ENCRYPTION_KEY from the environment.
+// Usage: node --env-file=.env scripts/decrypt-field.mjs "enc:v1:..."
+// Values without the enc:v1: prefix (legacy plaintext) are printed unchanged.
+const value = process.argv[2];
+
+if (!value) {
+  console.error(
+    'Usage: node --env-file=<env> scripts/decrypt-field.mjs "<value>"',
+  );
+  process.exit(1);
+}
+
+const keyB64 = process.env.ENCRYPTION_KEY;
+if (!keyB64) {
+  console.error(
+    "ENCRYPTION_KEY is not set. Pass it via --env-file or the environment.",
+  );
+  process.exit(1);
+}
+
+try {
+  const key = await loadEncryptionKey(keyB64);
+  console.log(await decryptField(value, key));
+} catch (error) {
+  console.error(
+    "Failed to decrypt:",
+    error instanceof Error ? error.message : error,
+  );
+  process.exit(1);
+}

package/dist/cloudflare-wfp-tenant/scripts/generate-encryption-key.mjs

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import crypto from "node:crypto";
+
+// Print a fresh base64-encoded 32-byte (AES-256) key suitable for
+// ENCRYPTION_KEY. Copy the output into your env file (.env / .dev.vars) or set
+// it as a production secret.
+console.log(crypto.randomBytes(32).toString("base64"));

package/dist/cloudflare-wfp-tenant/src/app.ts

@@ -0,0 +1,37 @@
+import { Context } from "hono";
+import { AuthHeroConfig, init } from "authhero";
+import { swaggerUI } from "@hono/swagger-ui";
+
+// A WFP tenant Worker serves a single tenant; its defaults are inherited from
+// the control plane via the rows projected into its own database (see
+// src/index.ts). No multi-tenancy routing is needed here.
+export default function createApp(config: AuthHeroConfig) {
+  const { app } = init(config);
+
+  app
+    .onError((err, ctx) => {
+      // Duck-typing avoids instanceof issues with bundled dependencies.
+      if (
+        err &&
+        typeof err === "object" &&
+        "getResponse" in err &&
+        typeof (err as { getResponse?: unknown }).getResponse === "function"
+      ) {
+        return (err as { getResponse: () => Response }).getResponse();
+      }
+      console.error(err);
+      return ctx.text(
+        err instanceof Error ? err.message : "Internal Server Error",
+        500,
+      );
+    })
+    .get("/", async (ctx: Context) => {
+      return ctx.json({
+        name: "AuthHero WFP Tenant Server",
+        status: "running",
+      });
+    })
+    .get("/docs", swaggerUI({ url: "/api/v2/spec" }));
+
+  return app;
+}

package/dist/cloudflare-wfp-tenant/src/index.ts

@@ -0,0 +1,69 @@
+import { drizzle } from "drizzle-orm/d1";
+import createAdapters from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
+import {
+  AuthHeroConfig,
+  DataAdapters,
+  createEncryptedDataAdapter,
+  createEncryptedDataAdapterWithKeyRing,
+  loadEncryptionKey,
+  type KeyRing,
+} from "authhero";
+import { withRuntimeFallback } from "@authhero/multi-tenancy";
+import createApp from "./app";
+import { Env } from "./types";
+
+// The control plane tenant id whose projected defaults this tenant inherits.
+// Must match the control plane Worker's CONTROL_PLANE_TENANT_ID.
+const CONTROL_PLANE_TENANT_ID = "control_plane";
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const url = new URL(request.url);
+    const issuer = `${url.protocol}//${url.host}/`;
+    const origin = request.headers.get("Origin") || "";
+
+    const db = drizzle(env.AUTH_DB, { schema });
+    let dataAdapter: DataAdapters = createAdapters(db, {
+      useTransactions: false,
+    });
+
+    // Encrypt at rest. With both keys present, this tenant's own secrets use
+    // ENCRYPTION_KEY while control-plane-tenant rows (the inherited Google
+    // secret, etc.) use the "cp" key id — readable by this Worker, but opaque
+    // in a raw export of AUTH_DB.
+    if (env.ENCRYPTION_KEY && env.CONTROL_PLANE_ENCRYPTION_KEY) {
+      const ring: KeyRing = {
+        default: await loadEncryptionKey(env.ENCRYPTION_KEY),
+        keys: { cp: await loadEncryptionKey(env.CONTROL_PLANE_ENCRYPTION_KEY) },
+      };
+      dataAdapter = createEncryptedDataAdapterWithKeyRing(dataAdapter, ring, {
+        resolveEncryptKeyId: (tenantId) =>
+          tenantId === CONTROL_PLANE_TENANT_ID ? "cp" : undefined,
+      });
+    } else if (env.ENCRYPTION_KEY) {
+      // Single-key fallback (no inherited control-plane secrets).
+      dataAdapter = createEncryptedDataAdapter(
+        dataAdapter,
+        await loadEncryptionKey(env.ENCRYPTION_KEY),
+      );
+    }
+
+    // Resolve inherited defaults (connections by strategy, is_system resource
+    // servers, inheritable hooks, email provider) from the control-plane rows
+    // the rollout projected into THIS tenant's database — identical read path
+    // to a control-plane-colocated tenant.
+    dataAdapter = withRuntimeFallback(dataAdapter, {
+      controlPlaneTenantId: CONTROL_PLANE_TENANT_ID,
+    });
+
+    const config: AuthHeroConfig = {
+      dataAdapter,
+      allowedOrigins: [origin].filter(Boolean),
+    };
+
+    const app = createApp(config);
+
+    return app.fetch(request, { ...env, ISSUER: issuer });
+  },
+};

package/dist/cloudflare-wfp-tenant/src/types.ts

@@ -0,0 +1,16 @@
+/// <reference types="@cloudflare/workers-types" />
+
+export interface Env {
+  // This tenant's own D1 database. Each WFP tenant Worker has its own.
+  AUTH_DB: D1Database;
+
+  // Base64-encoded 32-byte key for this tenant's own secrets at rest.
+  // `wrangler secret put ENCRYPTION_KEY` (per tenant Worker).
+  ENCRYPTION_KEY?: string;
+
+  // Base64-encoded 32-byte CONTROL PLANE key. Decrypts the shared secrets
+  // (e.g. Google client_secret) that the control plane projected into this
+  // tenant's database under the "cp" key id. The Worker holds it as a binding;
+  // a raw export of AUTH_DB cannot be decrypted without it.
+  CONTROL_PLANE_ENCRYPTION_KEY?: string;
+}

package/dist/cloudflare-wfp-tenant/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "types": ["@cloudflare/workers-types"]
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules"]
+}

package/dist/cloudflare-wfp-tenant/wrangler.toml

@@ -0,0 +1,46 @@
+# ════════════════════════════════════════════════════════════════════════════
+# AuthHero WFP Tenant Worker
+# ════════════════════════════════════════════════════════════════════════════
+# The full authhero app for ONE tenant, deployed into the `authhero-tenants`
+# dispatch namespace and fronted by the WFP dispatcher. It reads only its own
+# D1 and inherits the control plane's defaults from rows the control plane
+# rollout projected into that D1.
+#
+# Deploy into the namespace (one per tenant):
+#   wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth
+#
+# Sensitive IDs (database_id) go in wrangler.local.toml (gitignored).
+# ════════════════════════════════════════════════════════════════════════════
+
+name = "tenant-auth"
+main = "src/index.ts"
+compatibility_date = "2026-05-01"
+compatibility_flags = ["nodejs_compat"]
+
+[assets]
+directory = "./dist/assets"
+
+# ════════════════════════════════════════════════════════════════════════════
+# This tenant's own D1 database
+# ════════════════════════════════════════════════════════════════════════════
+# Each tenant Worker has its own database. Create one per tenant and set its id
+# in wrangler.local.toml:
+#   npx wrangler d1 create tenant-<id>-db
+[[d1_databases]]
+binding = "AUTH_DB"
+database_name = "tenant-db"
+database_id = "local"  # Use "local" for local dev, or your actual ID in wrangler.local.toml
+migrations_dir = "node_modules/@authhero/drizzle/drizzle"
+
+# ════════════════════════════════════════════════════════════════════════════
+# Encryption keys (set as secrets, not here)
+# ════════════════════════════════════════════════════════════════════════════
+#   wrangler secret put ENCRYPTION_KEY                  # this tenant's own key
+#   wrangler secret put CONTROL_PLANE_ENCRYPTION_KEY    # shared "cp" key
+#
+# CONTROL_PLANE_ENCRYPTION_KEY must be byte-identical to the key the control
+# plane used to project this tenant's inherited secrets, or they won't decrypt.
+
+# Optional: Enable observability
+# [observability]
+# enabled = true