hylekit 1.0.0

package/dist/index.js

@@ -0,0 +1,666 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/auth.ts
+import { betterAuth } from "better-auth";
+import { drizzleAdapter } from "better-auth/adapters/drizzle";
+
+// src/schema.ts
+var schema_exports = {};
+__export(schema_exports, {
+  account: () => account,
+  accountRelations: () => accountRelations,
+  oauthAccessToken: () => oauthAccessToken,
+  oauthAccessTokenRelations: () => oauthAccessTokenRelations,
+  oauthApplication: () => oauthApplication,
+  oauthApplicationRelations: () => oauthApplicationRelations,
+  oauthConsent: () => oauthConsent,
+  oauthConsentRelations: () => oauthConsentRelations,
+  session: () => session,
+  sessionRelations: () => sessionRelations,
+  user: () => user,
+  userRelations: () => userRelations,
+  verification: () => verification
+});
+import { relations, sql } from "drizzle-orm";
+import { sqliteTable, text, integer, index } from "drizzle-orm/sqlite-core";
+var user = sqliteTable("user", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  email: text("email").notNull().unique(),
+  emailVerified: integer("email_verified", { mode: "boolean" }).default(false).notNull(),
+  image: text("image"),
+  createdAt: integer("created_at", { mode: "timestamp_ms" }).default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp_ms" }).default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`).$onUpdate(() => /* @__PURE__ */ new Date()).notNull()
+});
+var session = sqliteTable(
+  "session",
+  {
+    id: text("id").primaryKey(),
+    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+    token: text("token").notNull().unique(),
+    createdAt: integer("created_at", { mode: "timestamp_ms" }).default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`).notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" }).$onUpdate(() => /* @__PURE__ */ new Date()).notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    userId: text("user_id").notNull().references(() => user.id, { onDelete: "cascade" })
+  },
+  (table) => [index("session_userId_idx").on(table.userId)]
+);
+var account = sqliteTable(
+  "account",
+  {
+    id: text("id").primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: integer("access_token_expires_at", {
+      mode: "timestamp_ms"
+    }),
+    refreshTokenExpiresAt: integer("refresh_token_expires_at", {
+      mode: "timestamp_ms"
+    }),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: integer("created_at", { mode: "timestamp_ms" }).default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`).notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" }).$onUpdate(() => /* @__PURE__ */ new Date()).notNull()
+  },
+  (table) => [index("account_userId_idx").on(table.userId)]
+);
+var verification = sqliteTable(
+  "verification",
+  {
+    id: text("id").primaryKey(),
+    identifier: text("identifier").notNull(),
+    value: text("value").notNull(),
+    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+    createdAt: integer("created_at", { mode: "timestamp_ms" }).default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`).notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" }).default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`).$onUpdate(() => /* @__PURE__ */ new Date()).notNull()
+  },
+  (table) => [index("verification_identifier_idx").on(table.identifier)]
+);
+var oauthApplication = sqliteTable(
+  "oauth_application",
+  {
+    id: text("id").primaryKey(),
+    name: text("name"),
+    icon: text("icon"),
+    metadata: text("metadata"),
+    clientId: text("client_id").unique(),
+    clientSecret: text("client_secret"),
+    redirectUrls: text("redirect_urls"),
+    type: text("type"),
+    disabled: integer("disabled", { mode: "boolean" }).default(false),
+    userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
+    createdAt: integer("created_at", { mode: "timestamp_ms" }),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+  },
+  (table) => [index("oauthApplication_userId_idx").on(table.userId)]
+);
+var oauthAccessToken = sqliteTable(
+  "oauth_access_token",
+  {
+    id: text("id").primaryKey(),
+    accessToken: text("access_token").unique(),
+    refreshToken: text("refresh_token").unique(),
+    accessTokenExpiresAt: integer("access_token_expires_at", {
+      mode: "timestamp_ms"
+    }),
+    refreshTokenExpiresAt: integer("refresh_token_expires_at", {
+      mode: "timestamp_ms"
+    }),
+    clientId: text("client_id").references(() => oauthApplication.clientId, {
+      onDelete: "cascade"
+    }),
+    userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
+    scopes: text("scopes"),
+    createdAt: integer("created_at", { mode: "timestamp_ms" }),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+  },
+  (table) => [
+    index("oauthAccessToken_clientId_idx").on(table.clientId),
+    index("oauthAccessToken_userId_idx").on(table.userId)
+  ]
+);
+var oauthConsent = sqliteTable(
+  "oauth_consent",
+  {
+    id: text("id").primaryKey(),
+    clientId: text("client_id").references(() => oauthApplication.clientId, {
+      onDelete: "cascade"
+    }),
+    userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
+    scopes: text("scopes"),
+    createdAt: integer("created_at", { mode: "timestamp_ms" }),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" }),
+    consentGiven: integer("consent_given", { mode: "boolean" })
+  },
+  (table) => [
+    index("oauthConsent_clientId_idx").on(table.clientId),
+    index("oauthConsent_userId_idx").on(table.userId)
+  ]
+);
+var userRelations = relations(user, ({ many }) => ({
+  sessions: many(session),
+  accounts: many(account),
+  oauthApplications: many(oauthApplication),
+  oauthAccessTokens: many(oauthAccessToken),
+  oauthConsents: many(oauthConsent)
+}));
+var sessionRelations = relations(session, ({ one }) => ({
+  user: one(user, {
+    fields: [session.userId],
+    references: [user.id]
+  })
+}));
+var accountRelations = relations(account, ({ one }) => ({
+  user: one(user, {
+    fields: [account.userId],
+    references: [user.id]
+  })
+}));
+var oauthApplicationRelations = relations(
+  oauthApplication,
+  ({ one, many }) => ({
+    user: one(user, {
+      fields: [oauthApplication.userId],
+      references: [user.id]
+    }),
+    oauthAccessTokens: many(oauthAccessToken),
+    oauthConsents: many(oauthConsent)
+  })
+);
+var oauthAccessTokenRelations = relations(
+  oauthAccessToken,
+  ({ one }) => ({
+    oauthApplication: one(oauthApplication, {
+      fields: [oauthAccessToken.clientId],
+      references: [oauthApplication.clientId]
+    }),
+    user: one(user, {
+      fields: [oauthAccessToken.userId],
+      references: [user.id]
+    })
+  })
+);
+var oauthConsentRelations = relations(oauthConsent, ({ one }) => ({
+  oauthApplication: one(oauthApplication, {
+    fields: [oauthConsent.clientId],
+    references: [oauthApplication.clientId]
+  }),
+  user: one(user, {
+    fields: [oauthConsent.userId],
+    references: [user.id]
+  })
+}));
+
+// src/auth.ts
+var createAuth = (db, config) => {
+  return betterAuth({
+    database: drizzleAdapter(db, {
+      provider: "sqlite",
+      schema: {
+        ...schema_exports
+      }
+    }),
+    socialProviders: {
+      google: {
+        enabled: true,
+        clientId: process.env.GOOGLE_CLIENT_ID ?? "",
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET ?? ""
+      }
+    },
+    ...config
+  });
+};
+
+// src/client/types.ts
+var DEFAULT_CONFIG = {
+  authorizeEndpoint: "/api/auth/oauth2/authorize",
+  tokenEndpoint: "/api/auth/oauth2/token",
+  userEndpoint: "/api/auth/oauth2/userinfo",
+  cookieName: "access_token",
+  cookieMaxAge: 60 * 60 * 24 * 7
+  // 7 Days
+};
+function resolveConfig(config) {
+  return {
+    ...DEFAULT_CONFIG,
+    ...config
+  };
+}
+function buildAuthorizationUrl(config, clientConfig, options) {
+  const targetUrl = new URL(config.url + config.authorizeEndpoint);
+  const scopes = ["openid", "profile", "email"];
+  if (options?.additionalScopes) {
+    scopes.push(...options.additionalScopes);
+  }
+  targetUrl.searchParams.set("response_type", "code");
+  targetUrl.searchParams.set("client_id", clientConfig.clientId);
+  targetUrl.searchParams.set("redirect_uri", clientConfig.redirectUri);
+  targetUrl.searchParams.set("scope", scopes.join(" "));
+  if (options?.state) {
+    targetUrl.searchParams.set("state", options.state);
+  }
+  return targetUrl.toString();
+}
+async function exchangeCodeForTokens(config, clientConfig, code) {
+  const response = await fetch(config.url + config.tokenEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: clientConfig.clientId,
+      client_secret: clientConfig.clientSecret,
+      redirect_uri: clientConfig.redirectUri,
+      code
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Token exchange failed (${response.status}): ${errorText}`);
+  }
+  const tokens = await response.json();
+  if (!tokens.access_token) {
+    throw new Error("No access token in response");
+  }
+  return tokens;
+}
+async function fetchUserInfo(config, accessToken) {
+  try {
+    const response = await fetch(config.url + config.userEndpoint, {
+      headers: {
+        "Authorization": `Bearer ${accessToken}`
+      }
+    });
+    if (!response.ok) {
+      return null;
+    }
+    return await response.json();
+  } catch {
+    return null;
+  }
+}
+
+// src/client/sveltekit.ts
+import { redirect } from "@sveltejs/kit";
+function createSvelteKitClient(centralAuthConfig) {
+  const config = resolveConfig(centralAuthConfig);
+  return {
+    /**
+     * Get the current Central Auth configuration.
+     */
+    getConfig: () => ({ ...config }),
+    /**
+     * Initiates the OAuth2 sign-in flow by redirecting to the Central Auth Server.
+     * Uses SvelteKit's redirect() which throws a redirect response.
+     * 
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional sign-in options
+     * @throws Redirect to the Central Auth authorization endpoint
+     */
+    signIn: (clientConfig, options) => {
+      const authUrl = buildAuthorizationUrl(config, clientConfig, options);
+      redirect(302, authUrl);
+    },
+    /**
+     * Builds the authorization URL without redirecting.
+     * Useful when you need to return the URL for client-side navigation.
+     * 
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional sign-in options
+     * @returns The authorization URL string
+     */
+    getSignInUrl: (clientConfig, options) => {
+      return buildAuthorizationUrl(config, clientConfig, options);
+    },
+    /**
+     * Handles the OAuth2 callback, exchanges the code for tokens, and sets the session cookie.
+     * Uses SvelteKit's cookies API for cookie management.
+     * 
+     * @param event - SvelteKit RequestEvent
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional callback options
+     * @throws Redirect on success, throws error on failure
+     */
+    handleSignInCallback: async (event, clientConfig, options) => {
+      const { url, cookies: cookies2 } = event;
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+      if (error) {
+        throw new Error(`Authentication failed: ${errorDescription || error}`);
+      }
+      if (!code) {
+        throw new Error("Missing authorization code");
+      }
+      try {
+        const tokens = await exchangeCodeForTokens(config, clientConfig, code);
+        cookies2.set(config.cookieName, tokens.access_token, {
+          httpOnly: true,
+          secure: event.url.protocol === "https:",
+          sameSite: "lax",
+          path: "/",
+          maxAge: config.cookieMaxAge
+        });
+        const successPath = options?.successRedirectPath || "/";
+        redirect(302, successPath);
+      } catch (err) {
+        if (err && typeof err === "object" && "status" in err) {
+          throw err;
+        }
+        console.error("Auth callback error:", err);
+        throw new Error("Authentication failed");
+      }
+    },
+    /**
+     * Signs out the user by clearing the session cookie.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     * @param redirectPath - Path to redirect to after sign out (default: "/")
+     * @throws Redirect to the specified path
+     */
+    signOut: (cookies2, redirectPath = "/") => {
+      cookies2.delete(config.cookieName, { path: "/" });
+      redirect(302, redirectPath);
+    },
+    /**
+     * Clears the session cookie without redirecting.
+     * Useful when you need more control over the response.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     */
+    clearSession: (cookies2) => {
+      cookies2.delete(config.cookieName, { path: "/" });
+    },
+    /**
+     * Retrieves the access token from cookies.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     * @returns The access token or null if not found
+     */
+    getAccessToken: (cookies2) => {
+      return cookies2.get(config.cookieName) ?? null;
+    },
+    /**
+     * Fetches user information from the Central Auth Server.
+     * 
+     * @param accessToken - The access token to use for authentication
+     * @returns The user information or null if the request fails
+     */
+    getUser: async (accessToken) => {
+      return fetchUserInfo(config, accessToken);
+    },
+    /**
+     * Gets the current user session from cookies.
+     * Combines getAccessToken and getUser for convenience.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     * @returns The user information or null if not authenticated
+     */
+    getSession: async (cookies2) => {
+      const accessToken = cookies2.get(config.cookieName);
+      if (!accessToken) return null;
+      return fetchUserInfo(config, accessToken);
+    },
+    /**
+     * Checks if the user is authenticated (has access token in cookies).
+     * Note: This only checks for token presence, not validity.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     * @returns true if an access token is present
+     */
+    isAuthenticated: (cookies2) => {
+      return !!cookies2.get(config.cookieName);
+    },
+    /**
+     * Protects a route by checking authentication and redirecting if needed.
+     * Use in +page.server.ts or +layout.server.ts load functions.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     * @param loginPath - Path to redirect to for login (default: "/login")
+     * @throws Redirect to login path if not authenticated
+     */
+    requireAuth: (cookies2, loginPath = "/login") => {
+      if (!cookies2.get(config.cookieName)) {
+        redirect(302, loginPath);
+      }
+    }
+  };
+}
+var svelteClient = createSvelteKitClient;
+
+// src/client/nextjs.ts
+import { cookies } from "next/headers";
+import { redirect as redirect2 } from "next/navigation";
+import { NextResponse } from "next/server";
+function createNextClient(centralAuthConfig) {
+  const config = resolveConfig(centralAuthConfig);
+  return {
+    /**
+     * Get the current Central Auth configuration.
+     */
+    getConfig: () => ({ ...config }),
+    /**
+     * Initiates the OAuth2 sign-in flow by returning a redirect Response.
+     * Use in Route Handlers (App Router).
+     * 
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional sign-in options
+     * @returns NextResponse redirect to the Central Auth authorization endpoint
+     */
+    signIn: (clientConfig, options) => {
+      const authUrl = buildAuthorizationUrl(config, clientConfig, options);
+      return NextResponse.redirect(authUrl);
+    },
+    /**
+     * Builds the authorization URL without redirecting.
+     * Useful for client-side navigation or custom redirect logic.
+     * 
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional sign-in options
+     * @returns The authorization URL string
+     */
+    getSignInUrl: (clientConfig, options) => {
+      return buildAuthorizationUrl(config, clientConfig, options);
+    },
+    /**
+     * Handles the OAuth2 callback in Route Handlers.
+     * Exchanges the code for tokens and sets the session cookie.
+     * 
+     * @param request - NextRequest object
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional callback options
+     * @returns NextResponse with redirect and cookie set
+     */
+    handleSignInCallback: async (request, clientConfig, options) => {
+      const { searchParams } = new URL(request.url);
+      const code = searchParams.get("code");
+      const error = searchParams.get("error");
+      const errorDescription = searchParams.get("error_description");
+      if (error) {
+        return NextResponse.json(
+          { error: errorDescription || error },
+          { status: 400 }
+        );
+      }
+      if (!code) {
+        return NextResponse.json(
+          { error: "Missing authorization code" },
+          { status: 400 }
+        );
+      }
+      try {
+        const tokens = await exchangeCodeForTokens(config, clientConfig, code);
+        const successPath = options?.successRedirectPath || "/";
+        const successUrl = new URL(successPath, clientConfig.appUrl);
+        const response = NextResponse.redirect(successUrl);
+        response.cookies.set(config.cookieName, tokens.access_token, {
+          httpOnly: true,
+          secure: process.env.NODE_ENV === "production",
+          sameSite: "lax",
+          path: "/",
+          maxAge: config.cookieMaxAge
+        });
+        return response;
+      } catch (err) {
+        console.error("Auth callback error:", err);
+        return NextResponse.json(
+          { error: "Authentication failed" },
+          { status: 500 }
+        );
+      }
+    },
+    /**
+     * Signs out the user by clearing the session cookie.
+     * Use in Route Handlers.
+     * 
+     * @param clientConfig - OAuth2 client configuration
+     * @param redirectPath - Path to redirect to after sign out (default: "/")
+     * @returns NextResponse with redirect and cookie cleared
+     */
+    signOut: (clientConfig, redirectPath = "/") => {
+      const redirectUrl = new URL(redirectPath, clientConfig.appUrl);
+      const response = NextResponse.redirect(redirectUrl);
+      response.cookies.set(config.cookieName, "", {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        path: "/",
+        maxAge: 0
+      });
+      return response;
+    },
+    /**
+     * Retrieves the access token from cookies.
+     * Use in Server Components or Route Handlers.
+     * 
+     * @returns The access token or null if not found
+     */
+    getAccessToken: async () => {
+      const cookieStore = await cookies();
+      return cookieStore.get(config.cookieName)?.value ?? null;
+    },
+    /**
+     * Retrieves the access token from a NextRequest.
+     * Use in middleware or Route Handlers when you have the request object.
+     * 
+     * @param request - NextRequest object
+     * @returns The access token or null if not found
+     */
+    getAccessTokenFromRequest: (request) => {
+      return request.cookies.get(config.cookieName)?.value ?? null;
+    },
+    /**
+     * Fetches user information from the Central Auth Server.
+     * 
+     * @param accessToken - The access token to use for authentication
+     * @returns The user information or null if the request fails
+     */
+    getUser: async (accessToken) => {
+      return fetchUserInfo(config, accessToken);
+    },
+    /**
+     * Gets the current user session.
+     * Use in Server Components.
+     * 
+     * @returns The user information or null if not authenticated
+     */
+    getSession: async () => {
+      const cookieStore = await cookies();
+      const accessToken = cookieStore.get(config.cookieName)?.value;
+      if (!accessToken) return null;
+      return fetchUserInfo(config, accessToken);
+    },
+    /**
+     * Gets the current user session from a request.
+     * Use in middleware or Route Handlers.
+     * 
+     * @param request - NextRequest object
+     * @returns The user information or null if not authenticated
+     */
+    getSessionFromRequest: async (request) => {
+      const accessToken = request.cookies.get(config.cookieName)?.value;
+      if (!accessToken) return null;
+      return fetchUserInfo(config, accessToken);
+    },
+    /**
+     * Checks if the user is authenticated.
+     * Use in Server Components.
+     * 
+     * @returns true if an access token is present
+     */
+    isAuthenticated: async () => {
+      const cookieStore = await cookies();
+      return !!cookieStore.get(config.cookieName)?.value;
+    },
+    /**
+     * Checks if the request is authenticated.
+     * Use in middleware.
+     * 
+     * @param request - NextRequest object
+     * @returns true if an access token is present
+     */
+    isAuthenticatedRequest: (request) => {
+      return !!request.cookies.get(config.cookieName)?.value;
+    },
+    /**
+     * Protects a route by checking authentication and redirecting if needed.
+     * Use in Server Components.
+     * 
+     * @param loginPath - Path to redirect to for login (default: "/login")
+     * @throws Redirect to login path if not authenticated
+     */
+    requireAuth: async (loginPath = "/login") => {
+      const cookieStore = await cookies();
+      if (!cookieStore.get(config.cookieName)?.value) {
+        redirect2(loginPath);
+      }
+    },
+    /**
+     * Creates a middleware-compatible auth check.
+     * Returns a NextResponse redirect if not authenticated.
+     * 
+     * @param request - NextRequest object  
+     * @param loginPath - Path to redirect to for login (default: "/login")
+     * @returns NextResponse redirect if not authenticated, null otherwise
+     */
+    middlewareAuth: (request, loginPath = "/login") => {
+      if (!request.cookies.get(config.cookieName)?.value) {
+        const loginUrl = new URL(loginPath, request.url);
+        loginUrl.searchParams.set("from", request.nextUrl.pathname);
+        return NextResponse.redirect(loginUrl);
+      }
+      return null;
+    }
+  };
+}
+var nextClient = createNextClient;
+export {
+  DEFAULT_CONFIG,
+  account,
+  accountRelations,
+  createAuth,
+  createNextClient,
+  createSvelteKitClient,
+  nextClient,
+  oauthAccessToken,
+  oauthAccessTokenRelations,
+  oauthApplication,
+  oauthApplicationRelations,
+  oauthConsent,
+  oauthConsentRelations,
+  session,
+  sessionRelations,
+  svelteClient,
+  user,
+  userRelations,
+  verification
+};
+//# sourceMappingURL=index.js.map