kitcn 0.0.1 → 0.12.1

package/dist/auth/client/index.js

@@ -0,0 +1,217 @@
+'use client';
+import { C as defaultIsUnauthorized, S as CRPCClientError, d as isSessionSyncGraceActive, g as useAuthValue, h as useAuthStore, n as AuthProvider, o as FetchAccessTokenContext, u as decodeJwtExp } from "../../auth-store-Cljlmdmi.js";
+import { convexClient } from "@convex-dev/better-auth/client/plugins";
+import { ConvexProviderWithAuth, useConvexAuth } from "convex/react";
+import { useCallback, useEffect, useMemo, useRef } from "react";
+import { jsx } from "react/jsx-runtime";
+
+//#region src/auth-client/convex-auth-provider.tsx
+const defaultMutationHandler = () => {
+	throw new CRPCClientError({
+		code: "UNAUTHORIZED",
+		functionName: "mutation"
+	});
+};
+const hasActiveSessionData = (session) => {
+	if (!session || typeof session !== "object") return false;
+	return Boolean(session.session);
+};
+/**
+* Unified auth provider for Convex + Better Auth.
+* Handles token sync, HMR persistence, and auth callbacks.
+*
+* Structure: AuthProvider wraps ConvexAuthProviderInner so that
+* useAuthStore() is available when creating fetchAccessToken.
+*/
+function ConvexAuthProvider({ children, client, authClient, initialToken, onMutationUnauthorized, onQueryUnauthorized, isUnauthorized }) {
+	useOTTHandler(authClient);
+	return /* @__PURE__ */ jsx(AuthProvider, {
+		initialValues: useMemo(() => ({
+			expiresAt: initialToken ? decodeJwtExp(initialToken) : null,
+			token: initialToken ?? null
+		}), [initialToken]),
+		isUnauthorized: isUnauthorized ?? defaultIsUnauthorized,
+		onMutationUnauthorized: onMutationUnauthorized ?? defaultMutationHandler,
+		onQueryUnauthorized: onQueryUnauthorized ?? (() => {}),
+		children: /* @__PURE__ */ jsx(ConvexAuthProviderInner, {
+			authClient,
+			client,
+			children
+		})
+	});
+}
+/**
+* Inner provider that has access to AuthStore via useAuthStore().
+* Creates fetchAccessToken and passes it through context (no race condition).
+*/
+function ConvexAuthProviderInner({ children, client, authClient }) {
+	const authStore = useAuthStore();
+	const { data: session, isPending } = authClient.useSession();
+	const sessionRef = useRef(session);
+	const isPendingRef = useRef(isPending);
+	const pendingTokenRef = useRef(null);
+	sessionRef.current = session;
+	isPendingRef.current = isPending;
+	useEffect(() => {
+		if (hasActiveSessionData(session)) {
+			authStore.set("sessionSyncGraceUntil", null);
+			return;
+		}
+		if (!isPending && !isSessionSyncGraceActive(authStore.get("sessionSyncGraceUntil"))) {
+			authStore.set("token", null);
+			authStore.set("expiresAt", null);
+			authStore.set("isAuthenticated", false);
+			authStore.set("sessionSyncGraceUntil", null);
+		}
+	}, [
+		session,
+		isPending,
+		authStore
+	]);
+	const fetchAccessToken = useCallback(async ({ forceRefreshToken = false } = {}) => {
+		const fetchFreshToken = () => {
+			if (pendingTokenRef.current) return pendingTokenRef.current;
+			const cachedToken = authStore.get("token");
+			const fetchOptions = { throw: false };
+			if (cachedToken && decodeJwtExp(cachedToken) === null) {
+				fetchOptions.credentials = "omit";
+				fetchOptions.headers = { Authorization: `Bearer ${cachedToken}` };
+			}
+			pendingTokenRef.current = authClient.convex.token({ fetchOptions }).then((result) => {
+				const jwt = result.data?.token || null;
+				if (jwt) {
+					const exp = decodeJwtExp(jwt);
+					authStore.set("token", jwt);
+					authStore.set("expiresAt", exp);
+					authStore.set("sessionSyncGraceUntil", null);
+					return jwt;
+				}
+				authStore.set("token", null);
+				authStore.set("expiresAt", null);
+				authStore.set("sessionSyncGraceUntil", null);
+				return null;
+			}).catch((error) => {
+				authStore.set("token", null);
+				authStore.set("expiresAt", null);
+				authStore.set("sessionSyncGraceUntil", null);
+				console.error("[fetchAccessToken] error", error);
+				return null;
+			}).finally(() => {
+				pendingTokenRef.current = null;
+			});
+			return pendingTokenRef.current;
+		};
+		const fetchFreshTokenForced = async () => {
+			if (pendingTokenRef.current) {
+				const token = await pendingTokenRef.current;
+				if (token) return token;
+			}
+			return fetchFreshToken();
+		};
+		const currentSession = sessionRef.current;
+		const currentIsPending = isPendingRef.current;
+		const hasSession = hasActiveSessionData(currentSession);
+		const hasSessionSyncGrace = isSessionSyncGraceActive(authStore.get("sessionSyncGraceUntil"));
+		if (!hasSession) {
+			if (currentIsPending || hasSessionSyncGrace) {
+				const cachedToken = authStore.get("token");
+				if (!forceRefreshToken) {
+					if (cachedToken && decodeJwtExp(cachedToken) !== null) return cachedToken;
+					return fetchFreshToken();
+				}
+				const freshToken = await fetchFreshTokenForced();
+				if (!freshToken && cachedToken && decodeJwtExp(cachedToken) !== null) {
+					authStore.set("token", cachedToken);
+					authStore.set("expiresAt", decodeJwtExp(cachedToken));
+					return cachedToken;
+				}
+				return freshToken;
+			}
+			authStore.set("token", null);
+			authStore.set("expiresAt", null);
+			authStore.set("sessionSyncGraceUntil", null);
+			return null;
+		}
+		const cachedToken = authStore.get("token");
+		const expiresAt = authStore.get("expiresAt");
+		const timeRemaining = expiresAt ? expiresAt - Date.now() : 0;
+		if (!forceRefreshToken && cachedToken && expiresAt && timeRemaining >= 6e4) return cachedToken;
+		if (!forceRefreshToken && pendingTokenRef.current) return pendingTokenRef.current;
+		if (forceRefreshToken) return fetchFreshTokenForced();
+		return fetchFreshToken();
+	}, [authStore, authClient]);
+	const useAuth = useCallback(function useConvexAuthHook() {
+		const token = authStore.get("token");
+		const hasSession = hasActiveSessionData(sessionRef.current);
+		const sessionMissing = !hasSession && !isPendingRef.current;
+		return {
+			isLoading: isPendingRef.current && !token,
+			isAuthenticated: sessionMissing ? false : hasSession || token !== null,
+			fetchAccessToken
+		};
+	}, [fetchAccessToken, authStore]);
+	return /* @__PURE__ */ jsx(FetchAccessTokenContext.Provider, {
+		value: fetchAccessToken,
+		children: /* @__PURE__ */ jsx(ConvexProviderWithAuth, {
+			client,
+			useAuth,
+			children: /* @__PURE__ */ jsx(AuthStateSync, { children })
+		})
+	});
+}
+/**
+* Syncs auth state from useConvexAuth() to the auth store.
+* MUST be inside ConvexProviderWithAuth to access useConvexAuth().
+*
+* Defensive isLoading computation handles SSR hydration race:
+* 1. SSR sets token from cookie
+* 2. Client hydrates
+* 3. Better Auth's useSession() briefly returns null before loading cookie
+* 4. Convex sets isConvexAuthenticated = false (no auth to wait for)
+* 5. Without defensive check, we'd sync { isLoading: false, isAuthenticated: false }
+* 6. Queries would throw UNAUTHORIZED before token is validated
+*/
+function AuthStateSync({ children }) {
+	const { isLoading: convexIsLoading, isAuthenticated } = useConvexAuth();
+	const authStore = useAuthStore();
+	const token = useAuthValue("token");
+	useEffect(() => {
+		const isLoading = convexIsLoading || !!token && !isAuthenticated;
+		authStore.set("isLoading", isLoading);
+		authStore.set("isAuthenticated", isAuthenticated);
+	}, [
+		convexIsLoading,
+		isAuthenticated,
+		token,
+		authStore
+	]);
+	return children;
+}
+/**
+* Handles cross-domain one-time token (OTT) verification.
+*/
+function useOTTHandler(authClient) {
+	useEffect(() => {
+		(async () => {
+			if (typeof window === "undefined" || !window.location?.href) return;
+			const url = new URL(window.location.href);
+			const token = url.searchParams.get("ott");
+			if (token) {
+				const authClientWithCrossDomain = authClient;
+				url.searchParams.delete("ott");
+				window.history.replaceState({}, "", url);
+				const session = (await authClientWithCrossDomain.crossDomain.oneTimeToken.verify({ token })).data?.session;
+				if (session) {
+					await authClient.getSession({ fetchOptions: {
+						credentials: "omit",
+						headers: { Authorization: `Bearer ${session.token}` }
+					} });
+					authClientWithCrossDomain.updateSession();
+				}
+			}
+		})();
+	}, [authClient]);
+}
+
+//#endregion
+export { ConvexAuthProvider, convexClient };

package/dist/auth/config/index.d.ts

@@ -0,0 +1,45 @@
+import { JwtOptions } from "better-auth/plugins";
+
+//#region src/auth/auth-config.d.ts
+type JwksDoc = {
+  id: string;
+  publicKey: string;
+  privateKey: string;
+  createdAt: number;
+  expiresAt?: number;
+  alg?: string;
+  crv?: string;
+};
+declare const createPublicJwks: (jwks: JwksDoc[], options?: JwtOptions) => {
+  keys: any[];
+};
+declare const getAuthConfigProvider: (opts?: {
+  basePath?: string;
+  /**
+   * @param jwks - Optional static JWKS to avoid fetching from the database.
+   *
+   * This should be a stringified document from the Better Auth JWKS table. You
+   * can create one in the console.
+   *
+   * Example:
+   * ```bash
+   * npx convex run generated/auth:generateJwk | npx convex env set JWKS
+   * ```
+   *
+   * Then use it in your auth config:
+   * ```ts
+   * export default {
+   *   providers: [getAuthConfigProvider({ jwks: process.env.JWKS })],
+   * } satisfies AuthConfig;
+   * ```
+   */
+  jwks?: string;
+}) => {
+  type: "customJwt";
+  issuer: string;
+  applicationID: string;
+  algorithm: "RS256";
+  jwks: string;
+};
+//#endregion
+export { createPublicJwks, getAuthConfigProvider };

package/dist/auth/config/index.js

@@ -0,0 +1,24 @@
+//#region src/auth/auth-config.ts
+const createPublicJwks = (jwks, options) => {
+	const keyPairConfig = options?.jwks?.keyPairConfig;
+	const defaultCrv = keyPairConfig && "crv" in keyPairConfig ? keyPairConfig.crv : void 0;
+	return { keys: jwks.map((keySet) => ({
+		alg: keySet.alg ?? options?.jwks?.keyPairConfig?.alg ?? "EdDSA",
+		crv: keySet.crv ?? defaultCrv,
+		...JSON.parse(keySet.publicKey),
+		kid: keySet.id
+	})) };
+};
+const getAuthConfigProvider = (opts) => {
+	const parsedJwks = opts?.jwks ? JSON.parse(opts.jwks) : void 0;
+	return {
+		type: "customJwt",
+		issuer: `${process.env.CONVEX_SITE_URL}`,
+		applicationID: "convex",
+		algorithm: "RS256",
+		jwks: parsedJwks ? `data:text/plain;charset=utf-8;base64,${btoa(JSON.stringify(createPublicJwks(parsedJwks)))}` : `${process.env.CONVEX_SITE_URL}${opts?.basePath ?? "/api/auth"}/convex/jwks`
+	};
+};
+
+//#endregion
+export { createPublicJwks, getAuthConfigProvider };

package/dist/auth/generated/index.d.ts

@@ -0,0 +1,2 @@
+import { S as defineAuth, _ as GenericAuthBeforeResult, b as GenericAuthTriggerHandlers, g as BetterAuthOptionsWithoutDatabase, i as getGeneratedAuthDisabledReason, n as GeneratedAuthDisabledReasonKind, r as createDisabledAuthRuntime, t as AuthRuntime, v as GenericAuthDefinition, x as GenericAuthTriggers, y as GenericAuthTriggerChange } from "../../generated-contract-disabled-D-sOFy92.js";
+export { type AuthRuntime, BetterAuthOptionsWithoutDatabase, type GeneratedAuthDisabledReasonKind, GenericAuthBeforeResult, GenericAuthDefinition, GenericAuthTriggerChange, GenericAuthTriggerHandlers, GenericAuthTriggers, createDisabledAuthRuntime, defineAuth, getGeneratedAuthDisabledReason };

package/dist/auth/generated/index.js

@@ -0,0 +1,3 @@
+import { i as defineAuth, n as createDisabledAuthRuntime, r as getGeneratedAuthDisabledReason } from "../../generated-contract-disabled-Cih4eITO.js";
+
+export { createDisabledAuthRuntime, defineAuth, getGeneratedAuthDisabledReason };

package/dist/auth/http/index.d.ts

@@ -0,0 +1,64 @@
+import { t as GetAuth } from "../../types-BiJE7qxR.js";
+import { HttpRouter } from "convex/server";
+import { MiddlewareHandler } from "hono";
+
+//#region src/auth/middleware.d.ts
+interface AuthMiddlewareOptions {
+  /** Base path for auth routes (default: '/api/auth') */
+  basePath?: string;
+  /** Log request/response headers for debugging */
+  verbose?: boolean;
+}
+/**
+ * Create auth middleware that handles auth routes and OpenID well-known redirect.
+ *
+ * @example
+ * ```ts
+ * import { Hono } from 'hono';
+ * import { cors } from 'hono/cors';
+ * import { authMiddleware } from 'kitcn/auth/http';
+ * import { createHttpRouter } from 'kitcn/server';
+ *
+ * const app = new Hono();
+ * app.use('/api/*', cors({ origin: process.env.SITE_URL, credentials: true }));
+ * app.use(authMiddleware(getAuth));
+ *
+ * export default createHttpRouter(app, httpRouter);
+ * ```
+ */
+declare function authMiddleware<Ctx = unknown>(getAuth: GetAuth<Ctx, {
+  handler: (request: Request) => Promise<Response>;
+}>, opts?: AuthMiddlewareOptions): MiddlewareHandler;
+//#endregion
+//#region src/auth/registerRoutes.d.ts
+type TrustedOriginsOption = (string | null | undefined)[] | ((request?: Request) => (string | null | undefined)[] | Promise<(string | null | undefined)[]>);
+type AuthRouteContract = {
+  $context: Promise<{
+    options: {
+      trustedOrigins?: TrustedOriginsOption;
+    };
+  }>;
+  handler: (request: Request) => Promise<Response>;
+  options: {
+    basePath?: string;
+    baseURL?: string;
+    trustedOrigins?: TrustedOriginsOption;
+  };
+};
+declare const registerRoutes: <Ctx>(http: HttpRouter, getAuth: GetAuth<Ctx, AuthRouteContract>, opts?: {
+  cors?: {
+    allowedHeaders?: string[];
+    allowedOrigins?: string[];
+    exposedHeaders?: string[];
+  } | boolean;
+  verbose?: boolean;
+}) => void;
+//#endregion
+//#region src/auth-http/index.d.ts
+/**
+ * Install Convex-safe polyfills required by Better Auth's HTTP handling.
+ * This runs automatically when importing `kitcn/auth/http`.
+ */
+declare function installAuthHttpPolyfills(): void;
+//#endregion
+export { authMiddleware, installAuthHttpPolyfills, registerRoutes };