hylekit 1.0.3 → 1.0.4

package/dist/index.cjs

@@ -21,18 +21,20 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var src_exports = {};
 __export(src_exports, {
   account: () => account,
-  auth: () => auth,
   bff: () => bff,
-  client: () => client4,
+  createAuth: () => createAuth,
+  createDb: () => createDb,
+  createExpressMiddleware: () => createExpressMiddleware,
   createNextJsBff: () => createNextJsBff,
+  createNextJsServer: () => createNextJsServer,
   createSvelteKitBff: () => createSvelteKitBff,
-  db: () => db,
+  createSvelteKitServer: () => createSvelteKitServer,
   default: () => src_default,
   express: () => expressAdapter,
   expressMiddleware: () => middleware,
   getAuthContext: () => getAuthContext,
   isAuthenticated: () => isAuthenticated,
-  server: () => server3,
+  schema: () => schema_exports,
   session: () => session,
   user: () => user,
   verification: () => verification
@@ -40,13 +42,10 @@ __export(src_exports, {
 module.exports = __toCommonJS(src_exports);
 
 // src/lib/auth.ts
+var import_server_only = require("server-only");
 var import_better_auth = require("better-auth");
 var import_drizzle = require("better-auth/adapters/drizzle");
 
-// src/lib/db.ts
-var import_libsql = require("drizzle-orm/libsql");
-var import_client = require("@libsql/client");
-
 // src/lib/schema.ts
 var schema_exports = {};
 __export(schema_exports, {
@@ -135,209 +134,211 @@ var accountRelations = (0, import_drizzle_orm.relations)(account, ({ one }) => (
   })
 }));
 
-// src/lib/db.ts
-var client = (0, import_client.createClient)({
-  url: process.env.HYLE_DATABASE_URL,
-  authToken: process.env.HYLE_DATABASE_AUTH_TOKEN
-});
-var db = (0, import_libsql.drizzle)(client, { schema: schema_exports });
-
 // src/lib/auth.ts
-var auth = (0, import_better_auth.betterAuth)({
-  database: (0, import_drizzle.drizzleAdapter)(db, {
-    provider: "sqlite",
-    schema: {
-      ...schema_exports
-    }
-  }),
-  baseURL: process.env.BETTER_AUTH_URL || process.env.PUBLIC_APP_URL || process.env.NEXT_PUBLIC_APP_URL,
-  secret: process.env.BETTER_AUTH_SECRET,
-  trustedOrigins: process.env.TRUSTED_ORIGINS ? process.env.TRUSTED_ORIGINS.split(",") : void 0,
-  socialProviders: {
-    google: {
-      clientId: process.env.GOOGLE_CLIENT_ID || "",
-      clientSecret: process.env.GOOGLE_CLIENT_SECRET || ""
-    }
-  },
-  session: {
-    expiresIn: 60 * 60 * 24 * 7,
+function assertServerOnly(configName) {
+  if (typeof window !== "undefined") {
+    throw new Error(
+      `[hylekit] SECURITY ERROR: "${configName}" contains secrets and must not be used on the client side. Only call ${configName}() in server-side code (e.g., API routes, server components, +page.server.ts).`
+    );
+  }
+}
+function createAuth(db, config) {
+  assertServerOnly("createAuth");
+  const sessionConfig = {
+    expiresIn: config.session?.expiresIn ?? 60 * 60 * 24 * 7,
     // 7 days
-    updateAge: 60 * 60 * 24,
-    // Update session every 24 hours
+    updateAge: config.session?.updateAge ?? 60 * 60 * 24,
+    // 24 hours
     cookieCache: {
-      enabled: true,
-      maxAge: 60 * 5
+      enabled: config.session?.cookieCache?.enabled ?? true,
+      maxAge: config.session?.cookieCache?.maxAge ?? 60 * 5
       // 5 minutes
     }
+  };
+  return (0, import_better_auth.betterAuth)({
+    database: (0, import_drizzle.drizzleAdapter)(db, {
+      provider: "sqlite",
+      schema: {
+        ...schema_exports
+      }
+    }),
+    baseURL: config.baseURL,
+    secret: config.secret,
+    trustedOrigins: config.trustedOrigins,
+    socialProviders: config.google ? {
+      google: {
+        clientId: config.google.clientId,
+        clientSecret: config.google.clientSecret
+      }
+    } : void 0,
+    session: sessionConfig
+  });
+}
+
+// src/lib/db.ts
+var import_server_only2 = require("server-only");
+var import_libsql = require("drizzle-orm/libsql");
+var import_client = require("@libsql/client");
+function assertServerOnly2(configName) {
+  if (typeof window !== "undefined") {
+    throw new Error(
+      `[hylekit] SECURITY ERROR: "${configName}" contains secrets and must not be used on the client side. Only call ${configName}() in server-side code (e.g., API routes, server components, +page.server.ts).`
+    );
   }
-});
+}
+function createDb(config) {
+  assertServerOnly2("createDb");
+  const client = (0, import_client.createClient)({
+    url: config.url,
+    authToken: config.authToken
+  });
+  return (0, import_libsql.drizzle)(client, { schema: schema_exports });
+}
 
-// src/client/sveltekit.ts
+// src/server/sveltekit.ts
+var import_server_only3 = require("server-only");
 var import_svelte_kit = require("better-auth/svelte-kit");
-var import_svelte = require("better-auth/svelte");
-var handler = (0, import_svelte_kit.toSvelteKitHandler)(auth);
-var authClient = (0, import_svelte.createAuthClient)();
-var client2 = {
-  ...authClient,
-  /**
-   * Alias for signIn.
-   */
-  login: authClient.signIn
-};
-var server = {
-  /**
-   * The underlying BetterAuth instance.
-   */
-  auth,
-  /**
-   * SvelteKit request handler for auth routes.
-   * Place this in `src/routes/api/auth/[...auth]/+server.ts`
-   */
-  handler: {
-    GET: handler,
-    POST: handler
-  },
-  /**
-   * Creates a SvelteKit handle hook for session management.
-   */
-  createHandle: () => {
-    return async ({ event, resolve }) => {
-      const session2 = await auth.api.getSession({
+function createSvelteKitServer(auth, db) {
+  const handler = (0, import_svelte_kit.toSvelteKitHandler)(auth);
+  return {
+    /**
+     * The underlying BetterAuth instance.
+     */
+    auth,
+    /**
+     * SvelteKit request handler for auth routes.
+     * Place this in `src/routes/api/auth/[...auth]/+server.ts`
+     */
+    handler: {
+      GET: handler,
+      POST: handler
+    },
+    /**
+     * Creates a SvelteKit handle hook for session management.
+     */
+    createHandle: () => {
+      return async ({ event, resolve }) => {
+        const session2 = await auth.api.getSession({
+          headers: event.request.headers
+        });
+        event.locals.session = session2;
+        event.locals.user = session2?.user ?? null;
+        return resolve(event);
+      };
+    },
+    /**
+     * Get session from request event.
+     */
+    getSession: async (event) => {
+      return auth.api.getSession({
         headers: event.request.headers
       });
-      event.locals.session = session2;
-      event.locals.user = session2?.user ?? null;
-      return resolve(event);
-    };
-  },
-  /**
-   * Get session from request event.
-   */
-  getSession: async (event) => {
-    return auth.api.getSession({
-      headers: event.request.headers
-    });
-  },
-  /**
-   * Check if user is authenticated.
-   */
-  isAuthenticated: async (event) => {
-    const session2 = await auth.api.getSession({
-      headers: event.request.headers
-    });
-    return session2 !== null;
-  },
-  /**
-   * Wraps a function to ensure the user is authenticated before execution.
-   * Injects the user, session, and db into the first argument.
-   */
-  makeAuthenticatedCall: (fn) => {
-    return async (event, ...args) => {
+    },
+    /**
+     * Check if user is authenticated.
+     */
+    isAuthenticated: async (event) => {
       const session2 = await auth.api.getSession({
         headers: event.request.headers
       });
-      if (!session2) {
-        throw new Error("Unauthorized");
-      }
-      return fn({ user: session2.user, session: session2.session, db, event }, ...args);
-    };
-  }
-};
+      return session2 !== null;
+    },
+    /**
+     * Wraps a function to ensure the user is authenticated before execution.
+     * Injects the user, session, and db into the first argument.
+     */
+    makeAuthenticatedCall: (fn) => {
+      return async (event, ...args) => {
+        const session2 = await auth.api.getSession({
+          headers: event.request.headers
+        });
+        if (!session2) {
+          throw new Error("Unauthorized");
+        }
+        return fn({ user: session2.user, session: session2.session, db, event }, ...args);
+      };
+    }
+  };
+}
 
-// src/client/nextjs.ts
+// src/server/nextjs.ts
+var import_server_only4 = require("server-only");
 var import_next_js = require("better-auth/next-js");
-var import_react = require("better-auth/react");
 var import_headers = require("next/headers");
-var handler2 = (0, import_next_js.toNextJsHandler)(auth);
-var authClient2 = (0, import_react.createAuthClient)();
-var client3 = {
-  ...authClient2,
-  /**
-   * Alias for signIn.
-   */
-  login: authClient2.signIn
-};
-var server2 = {
-  /**
-   * The underlying BetterAuth instance.
-   */
-  auth,
-  /**
-   * Next.js route handler for auth routes.
-   * Place this in `app/api/auth/[...auth]/route.ts`
-   */
-  handler: {
-    GET: handler2,
-    POST: handler2
-  },
-  /**
-   * Get session from current request headers.
-   * Use in Server Components or Route Handlers.
-   */
-  getSession: async () => {
-    const requestHeaders = await (0, import_headers.headers)();
-    return auth.api.getSession({
-      headers: requestHeaders
-    });
-  },
-  /**
-   * Get session from specific headers.
-   * Use when you have direct access to headers.
-   */
-  getSessionFromHeaders: async (requestHeaders) => {
-    return auth.api.getSession({
-      headers: requestHeaders
-    });
-  },
-  /**
-   * Check if user is authenticated.
-   * Use in Server Components.
-   */
-  isAuthenticated: async () => {
-    const requestHeaders = await (0, import_headers.headers)();
-    const session2 = await auth.api.getSession({
-      headers: requestHeaders
-    });
-    return session2 !== null;
-  },
-  /**
-   * Get the current user or null.
-   * Convenience method for Server Components.
-   */
-  getUser: async () => {
-    const requestHeaders = await (0, import_headers.headers)();
-    const session2 = await auth.api.getSession({
-      headers: requestHeaders
-    });
-    return session2?.user ?? null;
-  },
-  /**
-   * Wraps a function to ensure the user is authenticated before execution.
-   * Injects the user, session, and db into the first argument.
-   */
-  makeAuthenticatedCall: (fn) => {
-    return async (...args) => {
+function createNextJsServer(auth, db) {
+  const handler = (0, import_next_js.toNextJsHandler)(auth);
+  return {
+    /**
+     * The underlying BetterAuth instance.
+     */
+    auth,
+    /**
+     * Next.js route handler for auth routes.
+     * Place this in `app/api/auth/[...auth]/route.ts`
+     */
+    handler: {
+      GET: handler,
+      POST: handler
+    },
+    /**
+     * Get session from current request headers.
+     * Use in Server Components or Route Handlers.
+     */
+    getSession: async () => {
+      const requestHeaders = await (0, import_headers.headers)();
+      return auth.api.getSession({
+        headers: requestHeaders
+      });
+    },
+    /**
+     * Get session from specific headers.
+     * Use when you have direct access to headers.
+     */
+    getSessionFromHeaders: async (requestHeaders) => {
+      return auth.api.getSession({
+        headers: requestHeaders
+      });
+    },
+    /**
+     * Check if user is authenticated.
+     * Use in Server Components.
+     */
+    isAuthenticated: async () => {
       const requestHeaders = await (0, import_headers.headers)();
       const session2 = await auth.api.getSession({
         headers: requestHeaders
       });
-      if (!session2) {
-        throw new Error("Unauthorized");
-      }
-      return fn({ user: session2.user, session: session2.session, db }, ...args);
-    };
-  }
-};
-
-// src/client/index.ts
-var client4 = {
-  sveltekit: client2,
-  nextjs: client3
-};
-var server3 = {
-  sveltekit: server,
-  nextjs: server2
-};
+      return session2 !== null;
+    },
+    /**
+     * Get the current user or null.
+     * Convenience method for Server Components.
+     */
+    getUser: async () => {
+      const requestHeaders = await (0, import_headers.headers)();
+      const session2 = await auth.api.getSession({
+        headers: requestHeaders
+      });
+      return session2?.user ?? null;
+    },
+    /**
+     * Wraps a function to ensure the user is authenticated before execution.
+     * Injects the user, session, and db into the first argument.
+     */
+    makeAuthenticatedCall: (fn) => {
+      return async (...args) => {
+        const requestHeaders = await (0, import_headers.headers)();
+        const session2 = await auth.api.getSession({
+          headers: requestHeaders
+        });
+        if (!session2) {
+          throw new Error("Unauthorized");
+        }
+        return fn({ user: session2.user, session: session2.session, db }, ...args);
+      };
+    }
+  };
+}
 
 // src/bff/client.ts
 var BffClientBase = class {
@@ -383,13 +384,14 @@ var BffClientBase = class {
 // src/bff/nextjs.ts
 var import_headers2 = require("next/headers");
 var NextJsBffClient = class extends BffClientBase {
-  constructor(config) {
+  constructor(auth, config) {
     super(config);
+    this.auth = auth;
   }
   async getAuthHeaders() {
     try {
       const requestHeaders = await (0, import_headers2.headers)();
-      const sessionData = await auth.api.getSession({
+      const sessionData = await this.auth.api.getSession({
         headers: requestHeaders
       });
       if (!sessionData) return {};
@@ -455,9 +457,9 @@ var NextJsBffClient = class extends BffClientBase {
     });
   }
 };
-var createNextJsBff = (baseUrlOrConfig) => {
+var createNextJsBff = (auth, baseUrlOrConfig) => {
   const config = typeof baseUrlOrConfig === "string" ? { baseUrl: baseUrlOrConfig } : baseUrlOrConfig;
-  return new NextJsBffClient(config);
+  return new NextJsBffClient(auth, config);
 };
 
 // src/bff/sveltekit.ts
@@ -530,76 +532,84 @@ function isUnauthenticatedRoute(path, patterns) {
   }
   return false;
 }
-var middleware = (options = {}) => {
-  const {
-    unauthenticatedRoutes = [],
-    verifySession = false,
-    required = true
-  } = options;
-  return async (req, res, next) => {
-    const authReq = req;
-    if (isUnauthenticatedRoute(req.path, unauthenticatedRoutes)) {
-      return next();
+var createExpressMiddleware = (db) => {
+  return (options = {}) => {
+    const {
+      unauthenticatedRoutes = [],
+      verifySession = false,
+      required = true
+    } = options;
+    if (verifySession && !db) {
+      throw new Error(
+        "[hylekit] CONFIGURATION ERROR: verifySession requires a database instance. Pass a db instance to createExpressMiddleware(db)."
+      );
     }
-    try {
-      const userHeader = req.headers["x-hyle-user"];
-      const sessionHeader = req.headers["x-hyle-session"];
-      if (!sessionHeader || typeof sessionHeader !== "string") {
-        if (required) {
-          return res.status(401).json({ error: "Unauthorized" });
-        }
+    return async (req, res, next) => {
+      const authReq = req;
+      if (isUnauthenticatedRoute(req.path, unauthenticatedRoutes)) {
         return next();
       }
-      const sessionData = JSON.parse(
-        Buffer.from(sessionHeader, "base64").toString("utf-8")
-      );
-      if (verifySession) {
-        const result = await db.select({
-          session,
-          user
-        }).from(session).innerJoin(user, (0, import_drizzle_orm2.eq)(session.userId, user.id)).where(
-          (0, import_drizzle_orm2.and)(
-            (0, import_drizzle_orm2.eq)(session.id, sessionData.id),
-            (0, import_drizzle_orm2.gt)(session.expiresAt, /* @__PURE__ */ new Date())
-          )
-        ).limit(1);
-        if (result.length === 0) {
+      try {
+        const userHeader = req.headers["x-hyle-user"];
+        const sessionHeader = req.headers["x-hyle-session"];
+        if (!sessionHeader || typeof sessionHeader !== "string") {
           if (required) {
-            return res.status(401).json({ error: "Invalid or expired session" });
+            return res.status(401).json({ error: "Unauthorized" });
           }
           return next();
         }
-        authReq.authUser = result[0].user;
-        authReq.authSession = result[0].session;
-        authReq.user = authReq.authUser;
-        authReq.session = authReq.authSession;
-        return next();
-      }
-      let userData;
-      if (userHeader && typeof userHeader === "string") {
-        userData = JSON.parse(
-          Buffer.from(userHeader, "base64").toString("utf-8")
+        const sessionData = JSON.parse(
+          Buffer.from(sessionHeader, "base64").toString("utf-8")
         );
+        if (verifySession && db) {
+          const result = await db.select({
+            session,
+            user
+          }).from(session).innerJoin(user, (0, import_drizzle_orm2.eq)(session.userId, user.id)).where(
+            (0, import_drizzle_orm2.and)(
+              (0, import_drizzle_orm2.eq)(session.id, sessionData.id),
+              (0, import_drizzle_orm2.gt)(session.expiresAt, /* @__PURE__ */ new Date())
+            )
+          ).limit(1);
+          if (result.length === 0) {
+            if (required) {
+              return res.status(401).json({ error: "Invalid or expired session" });
+            }
+            return next();
+          }
+          authReq.authUser = result[0].user;
+          authReq.authSession = result[0].session;
+          authReq.user = authReq.authUser;
+          authReq.session = authReq.authSession;
+          return next();
+        }
+        let userData;
+        if (userHeader && typeof userHeader === "string") {
+          userData = JSON.parse(
+            Buffer.from(userHeader, "base64").toString("utf-8")
+          );
+        }
+        if (!userData && required) {
+          return res.status(401).json({ error: "Unauthorized" });
+        }
+        if (userData) {
+          authReq.authUser = userData;
+          authReq.authSession = sessionData;
+          authReq.user = authReq.authUser;
+          authReq.session = authReq.authSession;
+        }
+        next();
+      } catch (error) {
+        console.error("[hyle] Auth middleware error:", error);
+        if (required) {
+          return res.status(401).json({ error: "Authentication failed" });
+        }
+        next();
       }
-      if (!userData && required) {
-        return res.status(401).json({ error: "Unauthorized" });
-      }
-      if (userData) {
-        authReq.authUser = userData;
-        authReq.authSession = sessionData;
-        authReq.user = authReq.authUser;
-        authReq.session = authReq.authSession;
-      }
-      next();
-    } catch (error) {
-      console.error("[hyle] Auth middleware error:", error);
-      if (required) {
-        return res.status(401).json({ error: "Authentication failed" });
-      }
-      next();
-    }
+    };
   };
 };
+var middleware = createExpressMiddleware();
 function isAuthenticated(req) {
   return !!req.authUser;
 }
@@ -611,6 +621,8 @@ function getAuthContext(req) {
   return { user: authReq.authUser, session: authReq.authSession };
 }
 var expressAdapter = {
+  createMiddleware: createExpressMiddleware,
+  /** @deprecated Use createMiddleware instead */
   middleware,
   isAuthenticated,
   getAuthContext
@@ -622,12 +634,12 @@ var bff = {
   createSvelteKitBff
 };
 var hyle = {
-  auth,
-  db,
+  createDb,
+  createAuth,
   schema: schema_exports,
-  client: client4,
   server: {
-    ...server3,
+    createSvelteKitServer,
+    createNextJsServer,
     express: expressAdapter
   },
   bff
@@ -636,17 +648,19 @@ var src_default = hyle;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   account,
-  auth,
   bff,
-  client,
+  createAuth,
+  createDb,
+  createExpressMiddleware,
   createNextJsBff,
+  createNextJsServer,
   createSvelteKitBff,
-  db,
+  createSvelteKitServer,
   express,
   expressMiddleware,
   getAuthContext,
   isAuthenticated,
-  server,
+  schema,
   session,
   user,
   verification