hylekit 1.0.2 → 1.0.4

package/dist/index.js

@@ -5,13 +5,10 @@ var __export = (target, all) => {
 };
 
 // src/lib/auth.ts
+import "server-only";
 import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 
-// src/lib/db.ts
-import { drizzle } from "drizzle-orm/libsql";
-import { createClient } from "@libsql/client";
-
 // src/lib/schema.ts
 var schema_exports = {};
 __export(schema_exports, {
@@ -100,209 +97,211 @@ var accountRelations = relations(account, ({ one }) => ({
   })
 }));
 
-// src/lib/db.ts
-var client = createClient({
-  url: process.env.DATABASE_URL,
-  authToken: process.env.DATABASE_AUTH_TOKEN
-});
-var db = drizzle(client, { schema: schema_exports });
-
 // src/lib/auth.ts
-var auth = betterAuth({
-  database: drizzleAdapter(db, {
-    provider: "sqlite",
-    schema: {
-      ...schema_exports
-    }
-  }),
-  baseURL: process.env.BETTER_AUTH_URL || process.env.PUBLIC_APP_URL || process.env.NEXT_PUBLIC_APP_URL,
-  secret: process.env.BETTER_AUTH_SECRET,
-  trustedOrigins: process.env.TRUSTED_ORIGINS ? process.env.TRUSTED_ORIGINS.split(",") : void 0,
-  socialProviders: {
-    google: {
-      clientId: process.env.GOOGLE_CLIENT_ID || "",
-      clientSecret: process.env.GOOGLE_CLIENT_SECRET || ""
-    }
-  },
-  session: {
-    expiresIn: 60 * 60 * 24 * 7,
+function assertServerOnly(configName) {
+  if (typeof window !== "undefined") {
+    throw new Error(
+      `[hylekit] SECURITY ERROR: "${configName}" contains secrets and must not be used on the client side. Only call ${configName}() in server-side code (e.g., API routes, server components, +page.server.ts).`
+    );
+  }
+}
+function createAuth(db, config) {
+  assertServerOnly("createAuth");
+  const sessionConfig = {
+    expiresIn: config.session?.expiresIn ?? 60 * 60 * 24 * 7,
     // 7 days
-    updateAge: 60 * 60 * 24,
-    // Update session every 24 hours
+    updateAge: config.session?.updateAge ?? 60 * 60 * 24,
+    // 24 hours
     cookieCache: {
-      enabled: true,
-      maxAge: 60 * 5
+      enabled: config.session?.cookieCache?.enabled ?? true,
+      maxAge: config.session?.cookieCache?.maxAge ?? 60 * 5
       // 5 minutes
     }
+  };
+  return betterAuth({
+    database: drizzleAdapter(db, {
+      provider: "sqlite",
+      schema: {
+        ...schema_exports
+      }
+    }),
+    baseURL: config.baseURL,
+    secret: config.secret,
+    trustedOrigins: config.trustedOrigins,
+    socialProviders: config.google ? {
+      google: {
+        clientId: config.google.clientId,
+        clientSecret: config.google.clientSecret
+      }
+    } : void 0,
+    session: sessionConfig
+  });
+}
+
+// src/lib/db.ts
+import "server-only";
+import { drizzle } from "drizzle-orm/libsql";
+import { createClient } from "@libsql/client";
+function assertServerOnly2(configName) {
+  if (typeof window !== "undefined") {
+    throw new Error(
+      `[hylekit] SECURITY ERROR: "${configName}" contains secrets and must not be used on the client side. Only call ${configName}() in server-side code (e.g., API routes, server components, +page.server.ts).`
+    );
   }
-});
+}
+function createDb(config) {
+  assertServerOnly2("createDb");
+  const client = createClient({
+    url: config.url,
+    authToken: config.authToken
+  });
+  return drizzle(client, { schema: schema_exports });
+}
 
-// src/client/sveltekit.ts
+// src/server/sveltekit.ts
+import "server-only";
 import { toSvelteKitHandler } from "better-auth/svelte-kit";
-import { createAuthClient } from "better-auth/svelte";
-var handler = toSvelteKitHandler(auth);
-var authClient = createAuthClient();
-var client2 = {
-  ...authClient,
-  /**
-   * Alias for signIn.
-   */
-  login: authClient.signIn
-};
-var server = {
-  /**
-   * The underlying BetterAuth instance.
-   */
-  auth,
-  /**
-   * SvelteKit request handler for auth routes.
-   * Place this in `src/routes/api/auth/[...auth]/+server.ts`
-   */
-  handler: {
-    GET: handler,
-    POST: handler
-  },
-  /**
-   * Creates a SvelteKit handle hook for session management.
-   */
-  createHandle: () => {
-    return async ({ event, resolve }) => {
-      const session2 = await auth.api.getSession({
+function createSvelteKitServer(auth, db) {
+  const handler = toSvelteKitHandler(auth);
+  return {
+    /**
+     * The underlying BetterAuth instance.
+     */
+    auth,
+    /**
+     * SvelteKit request handler for auth routes.
+     * Place this in `src/routes/api/auth/[...auth]/+server.ts`
+     */
+    handler: {
+      GET: handler,
+      POST: handler
+    },
+    /**
+     * Creates a SvelteKit handle hook for session management.
+     */
+    createHandle: () => {
+      return async ({ event, resolve }) => {
+        const session2 = await auth.api.getSession({
+          headers: event.request.headers
+        });
+        event.locals.session = session2;
+        event.locals.user = session2?.user ?? null;
+        return resolve(event);
+      };
+    },
+    /**
+     * Get session from request event.
+     */
+    getSession: async (event) => {
+      return auth.api.getSession({
         headers: event.request.headers
       });
-      event.locals.session = session2;
-      event.locals.user = session2?.user ?? null;
-      return resolve(event);
-    };
-  },
-  /**
-   * Get session from request event.
-   */
-  getSession: async (event) => {
-    return auth.api.getSession({
-      headers: event.request.headers
-    });
-  },
-  /**
-   * Check if user is authenticated.
-   */
-  isAuthenticated: async (event) => {
-    const session2 = await auth.api.getSession({
-      headers: event.request.headers
-    });
-    return session2 !== null;
-  },
-  /**
-   * Wraps a function to ensure the user is authenticated before execution.
-   * Injects the user, session, and db into the first argument.
-   */
-  makeAuthenticatedCall: (fn) => {
-    return async (event, ...args) => {
+    },
+    /**
+     * Check if user is authenticated.
+     */
+    isAuthenticated: async (event) => {
       const session2 = await auth.api.getSession({
         headers: event.request.headers
       });
-      if (!session2) {
-        throw new Error("Unauthorized");
-      }
-      return fn({ user: session2.user, session: session2.session, db, event }, ...args);
-    };
-  }
-};
+      return session2 !== null;
+    },
+    /**
+     * Wraps a function to ensure the user is authenticated before execution.
+     * Injects the user, session, and db into the first argument.
+     */
+    makeAuthenticatedCall: (fn) => {
+      return async (event, ...args) => {
+        const session2 = await auth.api.getSession({
+          headers: event.request.headers
+        });
+        if (!session2) {
+          throw new Error("Unauthorized");
+        }
+        return fn({ user: session2.user, session: session2.session, db, event }, ...args);
+      };
+    }
+  };
+}
 
-// src/client/nextjs.ts
+// src/server/nextjs.ts
+import "server-only";
 import { toNextJsHandler } from "better-auth/next-js";
-import { createAuthClient as createAuthClient2 } from "better-auth/react";
 import { headers } from "next/headers";
-var handler2 = toNextJsHandler(auth);
-var authClient2 = createAuthClient2();
-var client3 = {
-  ...authClient2,
-  /**
-   * Alias for signIn.
-   */
-  login: authClient2.signIn
-};
-var server2 = {
-  /**
-   * The underlying BetterAuth instance.
-   */
-  auth,
-  /**
-   * Next.js route handler for auth routes.
-   * Place this in `app/api/auth/[...auth]/route.ts`
-   */
-  handler: {
-    GET: handler2,
-    POST: handler2
-  },
-  /**
-   * Get session from current request headers.
-   * Use in Server Components or Route Handlers.
-   */
-  getSession: async () => {
-    const requestHeaders = await headers();
-    return auth.api.getSession({
-      headers: requestHeaders
-    });
-  },
-  /**
-   * Get session from specific headers.
-   * Use when you have direct access to headers.
-   */
-  getSessionFromHeaders: async (requestHeaders) => {
-    return auth.api.getSession({
-      headers: requestHeaders
-    });
-  },
-  /**
-   * Check if user is authenticated.
-   * Use in Server Components.
-   */
-  isAuthenticated: async () => {
-    const requestHeaders = await headers();
-    const session2 = await auth.api.getSession({
-      headers: requestHeaders
-    });
-    return session2 !== null;
-  },
-  /**
-   * Get the current user or null.
-   * Convenience method for Server Components.
-   */
-  getUser: async () => {
-    const requestHeaders = await headers();
-    const session2 = await auth.api.getSession({
-      headers: requestHeaders
-    });
-    return session2?.user ?? null;
-  },
-  /**
-   * Wraps a function to ensure the user is authenticated before execution.
-   * Injects the user, session, and db into the first argument.
-   */
-  makeAuthenticatedCall: (fn) => {
-    return async (...args) => {
+function createNextJsServer(auth, db) {
+  const handler = toNextJsHandler(auth);
+  return {
+    /**
+     * The underlying BetterAuth instance.
+     */
+    auth,
+    /**
+     * Next.js route handler for auth routes.
+     * Place this in `app/api/auth/[...auth]/route.ts`
+     */
+    handler: {
+      GET: handler,
+      POST: handler
+    },
+    /**
+     * Get session from current request headers.
+     * Use in Server Components or Route Handlers.
+     */
+    getSession: async () => {
+      const requestHeaders = await headers();
+      return auth.api.getSession({
+        headers: requestHeaders
+      });
+    },
+    /**
+     * Get session from specific headers.
+     * Use when you have direct access to headers.
+     */
+    getSessionFromHeaders: async (requestHeaders) => {
+      return auth.api.getSession({
+        headers: requestHeaders
+      });
+    },
+    /**
+     * Check if user is authenticated.
+     * Use in Server Components.
+     */
+    isAuthenticated: async () => {
       const requestHeaders = await headers();
       const session2 = await auth.api.getSession({
         headers: requestHeaders
       });
-      if (!session2) {
-        throw new Error("Unauthorized");
-      }
-      return fn({ user: session2.user, session: session2.session, db }, ...args);
-    };
-  }
-};
-
-// src/client/index.ts
-var client4 = {
-  sveltekit: client2,
-  nextjs: client3
-};
-var server3 = {
-  sveltekit: server,
-  nextjs: server2
-};
+      return session2 !== null;
+    },
+    /**
+     * Get the current user or null.
+     * Convenience method for Server Components.
+     */
+    getUser: async () => {
+      const requestHeaders = await headers();
+      const session2 = await auth.api.getSession({
+        headers: requestHeaders
+      });
+      return session2?.user ?? null;
+    },
+    /**
+     * Wraps a function to ensure the user is authenticated before execution.
+     * Injects the user, session, and db into the first argument.
+     */
+    makeAuthenticatedCall: (fn) => {
+      return async (...args) => {
+        const requestHeaders = await headers();
+        const session2 = await auth.api.getSession({
+          headers: requestHeaders
+        });
+        if (!session2) {
+          throw new Error("Unauthorized");
+        }
+        return fn({ user: session2.user, session: session2.session, db }, ...args);
+      };
+    }
+  };
+}
 
 // src/bff/client.ts
 var BffClientBase = class {
@@ -348,13 +347,14 @@ var BffClientBase = class {
 // src/bff/nextjs.ts
 import { headers as headers2 } from "next/headers";
 var NextJsBffClient = class extends BffClientBase {
-  constructor(config) {
+  constructor(auth, config) {
     super(config);
+    this.auth = auth;
   }
   async getAuthHeaders() {
     try {
       const requestHeaders = await headers2();
-      const sessionData = await auth.api.getSession({
+      const sessionData = await this.auth.api.getSession({
         headers: requestHeaders
       });
       if (!sessionData) return {};
@@ -420,9 +420,9 @@ var NextJsBffClient = class extends BffClientBase {
     });
   }
 };
-var createNextJsBff = (baseUrlOrConfig) => {
+var createNextJsBff = (auth, baseUrlOrConfig) => {
   const config = typeof baseUrlOrConfig === "string" ? { baseUrl: baseUrlOrConfig } : baseUrlOrConfig;
-  return new NextJsBffClient(config);
+  return new NextJsBffClient(auth, config);
 };
 
 // src/bff/sveltekit.ts
@@ -495,76 +495,84 @@ function isUnauthenticatedRoute(path, patterns) {
   }
   return false;
 }
-var middleware = (options = {}) => {
-  const {
-    unauthenticatedRoutes = [],
-    verifySession = false,
-    required = true
-  } = options;
-  return async (req, res, next) => {
-    const authReq = req;
-    if (isUnauthenticatedRoute(req.path, unauthenticatedRoutes)) {
-      return next();
+var createExpressMiddleware = (db) => {
+  return (options = {}) => {
+    const {
+      unauthenticatedRoutes = [],
+      verifySession = false,
+      required = true
+    } = options;
+    if (verifySession && !db) {
+      throw new Error(
+        "[hylekit] CONFIGURATION ERROR: verifySession requires a database instance. Pass a db instance to createExpressMiddleware(db)."
+      );
     }
-    try {
-      const userHeader = req.headers["x-hyle-user"];
-      const sessionHeader = req.headers["x-hyle-session"];
-      if (!sessionHeader || typeof sessionHeader !== "string") {
-        if (required) {
-          return res.status(401).json({ error: "Unauthorized" });
-        }
+    return async (req, res, next) => {
+      const authReq = req;
+      if (isUnauthenticatedRoute(req.path, unauthenticatedRoutes)) {
         return next();
       }
-      const sessionData = JSON.parse(
-        Buffer.from(sessionHeader, "base64").toString("utf-8")
-      );
-      if (verifySession) {
-        const result = await db.select({
-          session,
-          user
-        }).from(session).innerJoin(user, eq(session.userId, user.id)).where(
-          and(
-            eq(session.id, sessionData.id),
-            gt(session.expiresAt, /* @__PURE__ */ new Date())
-          )
-        ).limit(1);
-        if (result.length === 0) {
+      try {
+        const userHeader = req.headers["x-hyle-user"];
+        const sessionHeader = req.headers["x-hyle-session"];
+        if (!sessionHeader || typeof sessionHeader !== "string") {
           if (required) {
-            return res.status(401).json({ error: "Invalid or expired session" });
+            return res.status(401).json({ error: "Unauthorized" });
           }
           return next();
         }
-        authReq.authUser = result[0].user;
-        authReq.authSession = result[0].session;
-        authReq.user = authReq.authUser;
-        authReq.session = authReq.authSession;
-        return next();
-      }
-      let userData;
-      if (userHeader && typeof userHeader === "string") {
-        userData = JSON.parse(
-          Buffer.from(userHeader, "base64").toString("utf-8")
+        const sessionData = JSON.parse(
+          Buffer.from(sessionHeader, "base64").toString("utf-8")
         );
+        if (verifySession && db) {
+          const result = await db.select({
+            session,
+            user
+          }).from(session).innerJoin(user, eq(session.userId, user.id)).where(
+            and(
+              eq(session.id, sessionData.id),
+              gt(session.expiresAt, /* @__PURE__ */ new Date())
+            )
+          ).limit(1);
+          if (result.length === 0) {
+            if (required) {
+              return res.status(401).json({ error: "Invalid or expired session" });
+            }
+            return next();
+          }
+          authReq.authUser = result[0].user;
+          authReq.authSession = result[0].session;
+          authReq.user = authReq.authUser;
+          authReq.session = authReq.authSession;
+          return next();
+        }
+        let userData;
+        if (userHeader && typeof userHeader === "string") {
+          userData = JSON.parse(
+            Buffer.from(userHeader, "base64").toString("utf-8")
+          );
+        }
+        if (!userData && required) {
+          return res.status(401).json({ error: "Unauthorized" });
+        }
+        if (userData) {
+          authReq.authUser = userData;
+          authReq.authSession = sessionData;
+          authReq.user = authReq.authUser;
+          authReq.session = authReq.authSession;
+        }
+        next();
+      } catch (error) {
+        console.error("[hyle] Auth middleware error:", error);
+        if (required) {
+          return res.status(401).json({ error: "Authentication failed" });
+        }
+        next();
       }
-      if (!userData && required) {
-        return res.status(401).json({ error: "Unauthorized" });
-      }
-      if (userData) {
-        authReq.authUser = userData;
-        authReq.authSession = sessionData;
-        authReq.user = authReq.authUser;
-        authReq.session = authReq.authSession;
-      }
-      next();
-    } catch (error) {
-      console.error("[hyle] Auth middleware error:", error);
-      if (required) {
-        return res.status(401).json({ error: "Authentication failed" });
-      }
-      next();
-    }
+    };
   };
 };
+var middleware = createExpressMiddleware();
 function isAuthenticated(req) {
   return !!req.authUser;
 }
@@ -576,6 +584,8 @@ function getAuthContext(req) {
   return { user: authReq.authUser, session: authReq.authSession };
 }
 var expressAdapter = {
+  createMiddleware: createExpressMiddleware,
+  /** @deprecated Use createMiddleware instead */
   middleware,
   isAuthenticated,
   getAuthContext
@@ -587,12 +597,12 @@ var bff = {
   createSvelteKitBff
 };
 var hyle = {
-  auth,
-  db,
+  createDb,
+  createAuth,
   schema: schema_exports,
-  client: client4,
   server: {
-    ...server3,
+    createSvelteKitServer,
+    createNextJsServer,
     express: expressAdapter
   },
   bff
@@ -600,18 +610,20 @@ var hyle = {
 var src_default = hyle;
 export {
   account,
-  auth,
   bff,
-  client4 as client,
+  createAuth,
+  createDb,
+  createExpressMiddleware,
   createNextJsBff,
+  createNextJsServer,
   createSvelteKitBff,
-  db,
+  createSvelteKitServer,
   src_default as default,
   expressAdapter as express,
   middleware as expressMiddleware,
   getAuthContext,
   isAuthenticated,
-  server3 as server,
+  schema_exports as schema,
   session,
   user,
   verification