payload-auth 1.0.0

package/dist/better-auth/plugin/helpers/index.d.ts

@@ -0,0 +1 @@
+export { generateVerifyEmailUrl } from './generate-verify-email-url';

package/dist/better-auth/plugin/helpers/index.js

@@ -0,0 +1,3 @@
+export { generateVerifyEmailUrl } from './generate-verify-email-url';
+
+//# sourceMappingURL=index.js.map

package/dist/better-auth/plugin/helpers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/plugin/helpers/index.ts"],"sourcesContent":["export { generateVerifyEmailUrl } from './generate-verify-email-url'; "],"names":["generateVerifyEmailUrl"],"mappings":"AAAA,SAASA,sBAAsB,QAAQ,8BAA8B"}

package/dist/better-auth/plugin/helpers/serialize-cookie.d.ts

@@ -0,0 +1,104 @@
+type CookiePrefixOptions = 'host' | 'secure';
+type CookieOptions = {
+    /**
+     * Domain of the cookie
+     *
+     * The Domain attribute specifies which server can receive a cookie. If specified, cookies are
+     * available on the specified server and its subdomains. If the it is not
+     * specified, the cookies are available on the server that sets it but not on
+     * its subdomains.
+     *
+     * @example
+     * `domain: "example.com"`
+     */
+    domain?: string;
+    /**
+     * A lifetime of a cookie. Permanent cookies are deleted after the date specified in the
+     * Expires attribute:
+     *
+     * Expires has been available for longer than Max-Age, however Max-Age is less error-prone, and
+     * takes precedence when both are set. The rationale behind this is that when you set an
+     * Expires date and time, they're relative to the client the cookie is being set on. If the
+     * server is set to a different time, this could cause errors
+     */
+    expires?: Date;
+    /**
+     * Forbids JavaScript from accessing the cookie, for example, through the Document.cookie
+     * property. Note that a cookie that has been created with HttpOnly will still be sent with
+     * JavaScript-initiated requests, for example, when calling XMLHttpRequest.send() or fetch().
+     * This mitigates attacks against cross-site scripting
+     */
+    httpOnly?: boolean;
+    /**
+     * Indicates the number of seconds until the cookie expires. A zero or negative number will
+     * expire the cookie immediately. If both Expires and Max-Age are set, Max-Age has precedence.
+     *
+     * @example 604800 - 7 days
+     */
+    maxAge?: number;
+    /**
+     * Indicates the path that must exist in the requested URL for the browser to send the Cookie
+     * header.
+     *
+     * @example
+     * "/docs"
+     * // -> the request paths /docs, /docs/, /docs/Web/, and /docs/Web/HTTP will all match. the request paths /, /fr/docs will not match.
+     */
+    path?: string;
+    /**
+     * Indicates that the cookie is sent to the server only when a request is made with the https:
+     * scheme (except on localhost), and therefore, is more resistant to man-in-the-middle attacks.
+     */
+    secure?: boolean;
+    /**
+     * Controls whether or not a cookie is sent with cross-site requests, providing some protection
+     * against cross-site request forgery attacks (CSRF).
+     *
+     * Strict -  Means that the browser sends the cookie only for same-site requests, that is,
+     * requests originating from the same site that set the cookie. If a request originates from a
+     * different domain or scheme (even with the same domain), no cookies with the SameSite=Strict
+     * attribute are sent.
+     *
+     * Lax - Means that the cookie is not sent on cross-site requests, such as on requests to load
+     * images or frames, but is sent when a user is navigating to the origin site from an external
+     * site (for example, when following a link). This is the default behavior if the SameSite
+     * attribute is not specified.
+     *
+     * None - Means that the browser sends the cookie with both cross-site and same-site requests.
+     * The Secure attribute must also be set when setting this value.
+     */
+    sameSite?: 'Strict' | 'Lax' | 'None' | 'strict' | 'lax' | 'none';
+    /**
+     * Indicates that the cookie should be stored using partitioned storage. Note that if this is
+     * set, the Secure directive must also be set.
+     *
+     * @see https://developer.mozilla.org/en-US/docs/Web/Privacy/Privacy_sandbox/Partitioned_cookies
+     */
+    partitioned?: boolean;
+    /**
+     * Cooke Prefix
+     *
+     * - secure: `__Secure-` -> `__Secure-cookie-name`
+     * - host: `__Host-` -> `__Host-cookie-name`
+     *
+     * `secure` must be set to true to use prefixes
+     */
+    prefix?: CookiePrefixOptions;
+};
+export declare const verifySignature: (base64Signature: string, value: string, secret: CryptoKey) => Promise<boolean>;
+export declare const signCookieValue: (value: string, secret: string | BufferSource) => Promise<string>;
+export declare const serializeCookie: (key: string, value: string, opt?: CookieOptions) => string;
+export declare const serializeSignedCookie: (key: string, value: string, secret: string, opt?: CookieOptions) => Promise<string>;
+export declare const getCookieKey: (key: string, prefix?: CookiePrefixOptions) => string | undefined;
+export declare function tryDecode(str: string): string;
+/**
+ * Parse an HTTP Cookie header string and returning an object of all cookie
+ * name-value pairs.
+ *
+ * Inspired by https://github.com/unjs/cookie-es/blob/main/src/cookie/parse.ts
+ *
+ * @param str the string representing a `Cookie` header value
+ */
+export declare function parseCookies(str: string): Map<string, string>;
+export declare const getSignedCookie: (key: string, secret: string, headers: Headers, prefix?: CookiePrefixOptions) => Promise<string | false | null>;
+export {};

package/dist/better-auth/plugin/helpers/serialize-cookie.js

@@ -0,0 +1,186 @@
+import { subtle } from 'uncrypto';
+export const verifySignature = async (base64Signature, value, secret)=>{
+    try {
+        const signatureBinStr = atob(base64Signature);
+        const signature = new Uint8Array(signatureBinStr.length);
+        for(let i = 0, len = signatureBinStr.length; i < len; i++){
+            signature[i] = signatureBinStr.charCodeAt(i);
+        }
+        return await subtle.verify(algorithm, secret, signature, new TextEncoder().encode(value));
+    } catch (e) {
+        return false;
+    }
+};
+const _serialize = (key, value, opt = {})=>{
+    let cookie;
+    if (opt?.prefix === 'secure') {
+        cookie = `${`__Secure-${key}`}=${value}`;
+    } else if (opt?.prefix === 'host') {
+        cookie = `${`__Host-${key}`}=${value}`;
+    } else {
+        cookie = `${key}=${value}`;
+    }
+    if (key.startsWith('__Secure-') && !opt.secure) {
+        opt.secure = true;
+    }
+    if (key.startsWith('__Host-')) {
+        if (!opt.secure) {
+            opt.secure = true;
+        }
+        if (opt.path !== '/') {
+            opt.path = '/';
+        }
+        if (opt.domain) {
+            opt.domain = undefined;
+        }
+    }
+    if (opt && typeof opt.maxAge === 'number' && opt.maxAge >= 0) {
+        if (opt.maxAge > 34560000) {
+            throw new Error('Cookies Max-Age SHOULD NOT be greater than 400 days (34560000 seconds) in duration.');
+        }
+        cookie += `; Max-Age=${Math.floor(opt.maxAge)}`;
+    }
+    if (opt.domain && opt.prefix !== 'host') {
+        cookie += `; Domain=${opt.domain}`;
+    }
+    if (opt.path) {
+        cookie += `; Path=${opt.path}`;
+    }
+    if (opt.expires) {
+        if (opt.expires.getTime() - Date.now() > 34560000_000) {
+            throw new Error('Cookies Expires SHOULD NOT be greater than 400 days (34560000 seconds) in the future.');
+        }
+        cookie += `; Expires=${opt.expires.toUTCString()}`;
+    }
+    if (opt.httpOnly) {
+        cookie += '; HttpOnly';
+    }
+    if (opt.secure) {
+        cookie += '; Secure';
+    }
+    if (opt.sameSite) {
+        cookie += `; SameSite=${opt.sameSite.charAt(0).toUpperCase() + opt.sameSite.slice(1)}`;
+    }
+    if (opt.partitioned) {
+        if (!opt.secure) {
+            opt.secure = true;
+        }
+        cookie += '; Partitioned';
+    }
+    return cookie;
+};
+const algorithm = {
+    name: 'HMAC',
+    hash: 'SHA-256'
+};
+const getCryptoKey = async (secret)=>{
+    const secretBuf = typeof secret === 'string' ? new TextEncoder().encode(secret) : secret;
+    return await subtle.importKey('raw', secretBuf, algorithm, false, [
+        'sign',
+        'verify'
+    ]);
+};
+const makeSignature = async (value, secret)=>{
+    const key = await getCryptoKey(secret);
+    const signature = await subtle.sign(algorithm.name, key, new TextEncoder().encode(value));
+    // the returned base64 encoded signature will always be 44 characters long and end with one or two equal signs
+    return btoa(String.fromCharCode(...new Uint8Array(signature)));
+};
+export const signCookieValue = async (value, secret)=>{
+    const signature = await makeSignature(value, secret);
+    value = `${value}.${signature}`;
+    value = encodeURIComponent(value);
+    value = decodeURIComponent(value);
+    return value;
+};
+export const serializeCookie = (key, value, opt)=>{
+    value = encodeURIComponent(value);
+    return _serialize(key, value, opt);
+};
+export const serializeSignedCookie = async (key, value, secret, opt)=>{
+    value = await signCookieValue(value, secret);
+    return _serialize(key, value, opt);
+};
+export const getCookieKey = (key, prefix)=>{
+    let finalKey = key;
+    if (prefix) {
+        if (prefix === 'secure') {
+            finalKey = '__Secure-' + key;
+        } else if (prefix === 'host') {
+            finalKey = '__Host-' + key;
+        } else {
+            return undefined;
+        }
+    }
+    return finalKey;
+};
+export function tryDecode(str) {
+    try {
+        return str.includes('%') ? decodeURIComponent(str) : str;
+    } catch  {
+        return str;
+    }
+}
+/**
+ * Parse an HTTP Cookie header string and returning an object of all cookie
+ * name-value pairs.
+ *
+ * Inspired by https://github.com/unjs/cookie-es/blob/main/src/cookie/parse.ts
+ *
+ * @param str the string representing a `Cookie` header value
+ */ export function parseCookies(str) {
+    if (typeof str !== 'string') {
+        throw new TypeError('argument str must be a string');
+    }
+    const cookies = new Map();
+    let index = 0;
+    while(index < str.length){
+        const eqIdx = str.indexOf('=', index);
+        if (eqIdx === -1) {
+            break;
+        }
+        let endIdx = str.indexOf(';', index);
+        if (endIdx === -1) {
+            endIdx = str.length;
+        } else if (endIdx < eqIdx) {
+            index = str.lastIndexOf(';', eqIdx - 1) + 1;
+            continue;
+        }
+        const key = str.slice(index, eqIdx).trim();
+        if (!cookies.has(key)) {
+            let val = str.slice(eqIdx + 1, endIdx).trim();
+            if (val.codePointAt(0) === 0x22) {
+                val = val.slice(1, -1);
+            }
+            cookies.set(key, tryDecode(val));
+        }
+        index = endIdx + 1;
+    }
+    return cookies;
+}
+export const getSignedCookie = async (key, secret, headers, prefix)=>{
+    const finalKey = getCookieKey(key, prefix);
+    if (!finalKey) {
+        return null;
+    }
+    const cookieHeader = headers.get('cookie');
+    const parsedCookies = cookieHeader ? parseCookies(cookieHeader) : undefined;
+    const value = parsedCookies?.get(finalKey);
+    if (!value) {
+        return null;
+    }
+    const signatureStartPos = value.lastIndexOf('.');
+    if (signatureStartPos < 1) {
+        return null;
+    }
+    const signedValue = value.substring(0, signatureStartPos);
+    const signature = value.substring(signatureStartPos + 1);
+    if (signature.length !== 44 || !signature.endsWith('=')) {
+        return null;
+    }
+    const secretKey = await getCryptoKey(secret);
+    const isVerified = await verifySignature(signature, signedValue, secretKey);
+    return isVerified ? signedValue : false;
+};
+
+//# sourceMappingURL=serialize-cookie.js.map

package/dist/better-auth/plugin/helpers/serialize-cookie.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/plugin/helpers/serialize-cookie.ts"],"sourcesContent":["import { subtle } from 'uncrypto'\n\ntype CookiePrefixOptions = 'host' | 'secure'\n\ntype CookieOptions = {\n  /**\n   * Domain of the cookie\n   *\n   * The Domain attribute specifies which server can receive a cookie. If specified, cookies are\n   * available on the specified server and its subdomains. If the it is not\n   * specified, the cookies are available on the server that sets it but not on\n   * its subdomains.\n   *\n   * @example\n   * `domain: \"example.com\"`\n   */\n  domain?: string\n  /**\n   * A lifetime of a cookie. Permanent cookies are deleted after the date specified in the\n   * Expires attribute:\n   *\n   * Expires has been available for longer than Max-Age, however Max-Age is less error-prone, and\n   * takes precedence when both are set. The rationale behind this is that when you set an\n   * Expires date and time, they're relative to the client the cookie is being set on. If the\n   * server is set to a different time, this could cause errors\n   */\n  expires?: Date\n  /**\n   * Forbids JavaScript from accessing the cookie, for example, through the Document.cookie\n   * property. Note that a cookie that has been created with HttpOnly will still be sent with\n   * JavaScript-initiated requests, for example, when calling XMLHttpRequest.send() or fetch().\n   * This mitigates attacks against cross-site scripting\n   */\n  httpOnly?: boolean\n  /**\n   * Indicates the number of seconds until the cookie expires. A zero or negative number will\n   * expire the cookie immediately. If both Expires and Max-Age are set, Max-Age has precedence.\n   *\n   * @example 604800 - 7 days\n   */\n  maxAge?: number\n  /**\n   * Indicates the path that must exist in the requested URL for the browser to send the Cookie\n   * header.\n   *\n   * @example\n   * \"/docs\"\n   * // -> the request paths /docs, /docs/, /docs/Web/, and /docs/Web/HTTP will all match. the request paths /, /fr/docs will not match.\n   */\n  path?: string\n  /**\n   * Indicates that the cookie is sent to the server only when a request is made with the https:\n   * scheme (except on localhost), and therefore, is more resistant to man-in-the-middle attacks.\n   */\n  secure?: boolean\n  /**\n   * Controls whether or not a cookie is sent with cross-site requests, providing some protection\n   * against cross-site request forgery attacks (CSRF).\n   *\n   * Strict -  Means that the browser sends the cookie only for same-site requests, that is,\n   * requests originating from the same site that set the cookie. If a request originates from a\n   * different domain or scheme (even with the same domain), no cookies with the SameSite=Strict\n   * attribute are sent.\n   *\n   * Lax - Means that the cookie is not sent on cross-site requests, such as on requests to load\n   * images or frames, but is sent when a user is navigating to the origin site from an external\n   * site (for example, when following a link). This is the default behavior if the SameSite\n   * attribute is not specified.\n   *\n   * None - Means that the browser sends the cookie with both cross-site and same-site requests.\n   * The Secure attribute must also be set when setting this value.\n   */\n  sameSite?: 'Strict' | 'Lax' | 'None' | 'strict' | 'lax' | 'none'\n  /**\n   * Indicates that the cookie should be stored using partitioned storage. Note that if this is\n   * set, the Secure directive must also be set.\n   *\n   * @see https://developer.mozilla.org/en-US/docs/Web/Privacy/Privacy_sandbox/Partitioned_cookies\n   */\n  partitioned?: boolean\n  /**\n   * Cooke Prefix\n   *\n   * - secure: `__Secure-` -> `__Secure-cookie-name`\n   * - host: `__Host-` -> `__Host-cookie-name`\n   *\n   * `secure` must be set to true to use prefixes\n   */\n  prefix?: CookiePrefixOptions\n}\n\nexport const verifySignature = async (\n  base64Signature: string,\n  value: string,\n  secret: CryptoKey,\n): Promise<boolean> => {\n  try {\n    const signatureBinStr = atob(base64Signature)\n    const signature = new Uint8Array(signatureBinStr.length)\n    for (let i = 0, len = signatureBinStr.length; i < len; i++) {\n      signature[i] = signatureBinStr.charCodeAt(i)\n    }\n    return await subtle.verify(algorithm, secret, signature, new TextEncoder().encode(value))\n  } catch (e) {\n    return false\n  }\n}\n\nconst _serialize = (key: string, value: string, opt: CookieOptions = {}) => {\n  let cookie: string\n\n  if (opt?.prefix === 'secure') {\n    cookie = `${`__Secure-${key}`}=${value}`\n  } else if (opt?.prefix === 'host') {\n    cookie = `${`__Host-${key}`}=${value}`\n  } else {\n    cookie = `${key}=${value}`\n  }\n\n  if (key.startsWith('__Secure-') && !opt.secure) {\n    opt.secure = true\n  }\n\n  if (key.startsWith('__Host-')) {\n    if (!opt.secure) {\n      opt.secure = true\n    }\n\n    if (opt.path !== '/') {\n      opt.path = '/'\n    }\n\n    if (opt.domain) {\n      opt.domain = undefined\n    }\n  }\n\n  if (opt && typeof opt.maxAge === 'number' && opt.maxAge >= 0) {\n    if (opt.maxAge > 34560000) {\n      throw new Error(\n        'Cookies Max-Age SHOULD NOT be greater than 400 days (34560000 seconds) in duration.',\n      )\n    }\n    cookie += `; Max-Age=${Math.floor(opt.maxAge)}`\n  }\n\n  if (opt.domain && opt.prefix !== 'host') {\n    cookie += `; Domain=${opt.domain}`\n  }\n\n  if (opt.path) {\n    cookie += `; Path=${opt.path}`\n  }\n\n  if (opt.expires) {\n    if (opt.expires.getTime() - Date.now() > 34560000_000) {\n      throw new Error(\n        'Cookies Expires SHOULD NOT be greater than 400 days (34560000 seconds) in the future.',\n      )\n    }\n    cookie += `; Expires=${opt.expires.toUTCString()}`\n  }\n\n  if (opt.httpOnly) {\n    cookie += '; HttpOnly'\n  }\n\n  if (opt.secure) {\n    cookie += '; Secure'\n  }\n\n  if (opt.sameSite) {\n    cookie += `; SameSite=${opt.sameSite.charAt(0).toUpperCase() + opt.sameSite.slice(1)}`\n  }\n\n  if (opt.partitioned) {\n    if (!opt.secure) {\n      opt.secure = true\n    }\n    cookie += '; Partitioned'\n  }\n\n  return cookie\n}\n\nconst algorithm = { name: 'HMAC', hash: 'SHA-256' }\n\nconst getCryptoKey = async (secret: string | BufferSource) => {\n  const secretBuf = typeof secret === 'string' ? new TextEncoder().encode(secret) : secret\n  return await subtle.importKey('raw', secretBuf, algorithm, false, ['sign', 'verify'])\n}\n\nconst makeSignature = async (value: string, secret: string | BufferSource): Promise<string> => {\n  const key = await getCryptoKey(secret)\n  const signature = await subtle.sign(algorithm.name, key, new TextEncoder().encode(value))\n  // the returned base64 encoded signature will always be 44 characters long and end with one or two equal signs\n  return btoa(String.fromCharCode(...new Uint8Array(signature)))\n}\n\nexport const signCookieValue = async (value: string, secret: string | BufferSource) => {\n  const signature = await makeSignature(value, secret)\n  value = `${value}.${signature}`\n  value = encodeURIComponent(value)\n  value = decodeURIComponent(value)\n  return value\n}\n\nexport const serializeCookie = (key: string, value: string, opt?: CookieOptions) => {\n  value = encodeURIComponent(value)\n  return _serialize(key, value, opt)\n}\n\nexport const serializeSignedCookie = async (\n  key: string,\n  value: string,\n  secret: string,\n  opt?: CookieOptions,\n) => {\n  value = await signCookieValue(value, secret)\n  return _serialize(key, value, opt)\n}\n\nexport const getCookieKey = (key: string, prefix?: CookiePrefixOptions) => {\n  let finalKey = key\n  if (prefix) {\n    if (prefix === 'secure') {\n      finalKey = '__Secure-' + key\n    } else if (prefix === 'host') {\n      finalKey = '__Host-' + key\n    } else {\n      return undefined\n    }\n  }\n  return finalKey\n}\n\nexport function tryDecode(str: string) {\n  try {\n    return str.includes('%') ? decodeURIComponent(str) : str\n  } catch {\n    return str\n  }\n}\n\n/**\n * Parse an HTTP Cookie header string and returning an object of all cookie\n * name-value pairs.\n *\n * Inspired by https://github.com/unjs/cookie-es/blob/main/src/cookie/parse.ts\n *\n * @param str the string representing a `Cookie` header value\n */\nexport function parseCookies(str: string) {\n  if (typeof str !== 'string') {\n    throw new TypeError('argument str must be a string')\n  }\n\n  const cookies: Map<string, string> = new Map()\n\n  let index = 0\n  while (index < str.length) {\n    const eqIdx = str.indexOf('=', index)\n\n    if (eqIdx === -1) {\n      break\n    }\n\n    let endIdx = str.indexOf(';', index)\n\n    if (endIdx === -1) {\n      endIdx = str.length\n    } else if (endIdx < eqIdx) {\n      index = str.lastIndexOf(';', eqIdx - 1) + 1\n      continue\n    }\n\n    const key = str.slice(index, eqIdx).trim()\n    if (!cookies.has(key)) {\n      let val = str.slice(eqIdx + 1, endIdx).trim()\n      if (val.codePointAt(0) === 0x22) {\n        val = val.slice(1, -1)\n      }\n      cookies.set(key, tryDecode(val))\n    }\n\n    index = endIdx + 1\n  }\n\n  return cookies\n}\n\nexport const getSignedCookie = async (\n  key: string,\n  secret: string,\n  headers: Headers,\n  prefix?: CookiePrefixOptions,\n) => {\n  const finalKey = getCookieKey(key, prefix)\n  if (!finalKey) {\n    return null\n  }\n  const cookieHeader = headers.get('cookie')\n  const parsedCookies = cookieHeader ? parseCookies(cookieHeader) : undefined\n  const value = parsedCookies?.get(finalKey)\n  if (!value) {\n    return null\n  }\n  const signatureStartPos = value.lastIndexOf('.')\n  if (signatureStartPos < 1) {\n    return null\n  }\n  const signedValue = value.substring(0, signatureStartPos)\n  const signature = value.substring(signatureStartPos + 1)\n  if (signature.length !== 44 || !signature.endsWith('=')) {\n    return null\n  }\n  const secretKey = await getCryptoKey(secret)\n  const isVerified = await verifySignature(signature, signedValue, secretKey)\n  return isVerified ? signedValue : false\n}\n"],"names":["subtle","verifySignature","base64Signature","value","secret","signatureBinStr","atob","signature","Uint8Array","length","i","len","charCodeAt","verify","algorithm","TextEncoder","encode","e","_serialize","key","opt","cookie","prefix","startsWith","secure","path","domain","undefined","maxAge","Error","Math","floor","expires","getTime","Date","now","toUTCString","httpOnly","sameSite","charAt","toUpperCase","slice","partitioned","name","hash","getCryptoKey","secretBuf","importKey","makeSignature","sign","btoa","String","fromCharCode","signCookieValue","encodeURIComponent","decodeURIComponent","serializeCookie","serializeSignedCookie","getCookieKey","finalKey","tryDecode","str","includes","parseCookies","TypeError","cookies","Map","index","eqIdx","indexOf","endIdx","lastIndexOf","trim","has","val","codePointAt","set","getSignedCookie","headers","cookieHeader","get","parsedCookies","signatureStartPos","signedValue","substring","endsWith","secretKey","isVerified"],"mappings":"AAAA,SAASA,MAAM,QAAQ,WAAU;AA2FjC,OAAO,MAAMC,kBAAkB,OAC7BC,iBACAC,OACAC;IAEA,IAAI;QACF,MAAMC,kBAAkBC,KAAKJ;QAC7B,MAAMK,YAAY,IAAIC,WAAWH,gBAAgBI,MAAM;QACvD,IAAK,IAAIC,IAAI,GAAGC,MAAMN,gBAAgBI,MAAM,EAAEC,IAAIC,KAAKD,IAAK;YAC1DH,SAAS,CAACG,EAAE,GAAGL,gBAAgBO,UAAU,CAACF;QAC5C;QACA,OAAO,MAAMV,OAAOa,MAAM,CAACC,WAAWV,QAAQG,WAAW,IAAIQ,cAAcC,MAAM,CAACb;IACpF,EAAE,OAAOc,GAAG;QACV,OAAO;IACT;AACF,EAAC;AAED,MAAMC,aAAa,CAACC,KAAahB,OAAeiB,MAAqB,CAAC,CAAC;IACrE,IAAIC;IAEJ,IAAID,KAAKE,WAAW,UAAU;QAC5BD,SAAS,GAAG,CAAC,SAAS,EAAEF,KAAK,CAAC,CAAC,EAAEhB,OAAO;IAC1C,OAAO,IAAIiB,KAAKE,WAAW,QAAQ;QACjCD,SAAS,GAAG,CAAC,OAAO,EAAEF,KAAK,CAAC,CAAC,EAAEhB,OAAO;IACxC,OAAO;QACLkB,SAAS,GAAGF,IAAI,CAAC,EAAEhB,OAAO;IAC5B;IAEA,IAAIgB,IAAII,UAAU,CAAC,gBAAgB,CAACH,IAAII,MAAM,EAAE;QAC9CJ,IAAII,MAAM,GAAG;IACf;IAEA,IAAIL,IAAII,UAAU,CAAC,YAAY;QAC7B,IAAI,CAACH,IAAII,MAAM,EAAE;YACfJ,IAAII,MAAM,GAAG;QACf;QAEA,IAAIJ,IAAIK,IAAI,KAAK,KAAK;YACpBL,IAAIK,IAAI,GAAG;QACb;QAEA,IAAIL,IAAIM,MAAM,EAAE;YACdN,IAAIM,MAAM,GAAGC;QACf;IACF;IAEA,IAAIP,OAAO,OAAOA,IAAIQ,MAAM,KAAK,YAAYR,IAAIQ,MAAM,IAAI,GAAG;QAC5D,IAAIR,IAAIQ,MAAM,GAAG,UAAU;YACzB,MAAM,IAAIC,MACR;QAEJ;QACAR,UAAU,CAAC,UAAU,EAAES,KAAKC,KAAK,CAACX,IAAIQ,MAAM,GAAG;IACjD;IAEA,IAAIR,IAAIM,MAAM,IAAIN,IAAIE,MAAM,KAAK,QAAQ;QACvCD,UAAU,CAAC,SAAS,EAAED,IAAIM,MAAM,EAAE;IACpC;IAEA,IAAIN,IAAIK,IAAI,EAAE;QACZJ,UAAU,CAAC,OAAO,EAAED,IAAIK,IAAI,EAAE;IAChC;IAEA,IAAIL,IAAIY,OAAO,EAAE;QACf,IAAIZ,IAAIY,OAAO,CAACC,OAAO,KAAKC,KAAKC,GAAG,KAAK,cAAc;YACrD,MAAM,IAAIN,MACR;QAEJ;QACAR,UAAU,CAAC,UAAU,EAAED,IAAIY,OAAO,CAACI,WAAW,IAAI;IACpD;IAEA,IAAIhB,IAAIiB,QAAQ,EAAE;QAChBhB,UAAU;IACZ;IAEA,IAAID,IAAII,MAAM,EAAE;QACdH,UAAU;IACZ;IAEA,IAAID,IAAIkB,QAAQ,EAAE;QAChBjB,UAAU,CAAC,WAAW,EAAED,IAAIkB,QAAQ,CAACC,MAAM,CAAC,GAAGC,WAAW,KAAKpB,IAAIkB,QAAQ,CAACG,KAAK,CAAC,IAAI;IACxF;IAEA,IAAIrB,IAAIsB,WAAW,EAAE;QACnB,IAAI,CAACtB,IAAII,MAAM,EAAE;YACfJ,IAAII,MAAM,GAAG;QACf;QACAH,UAAU;IACZ;IAEA,OAAOA;AACT;AAEA,MAAMP,YAAY;IAAE6B,MAAM;IAAQC,MAAM;AAAU;AAElD,MAAMC,eAAe,OAAOzC;IAC1B,MAAM0C,YAAY,OAAO1C,WAAW,WAAW,IAAIW,cAAcC,MAAM,CAACZ,UAAUA;IAClF,OAAO,MAAMJ,OAAO+C,SAAS,CAAC,OAAOD,WAAWhC,WAAW,OAAO;QAAC;QAAQ;KAAS;AACtF;AAEA,MAAMkC,gBAAgB,OAAO7C,OAAeC;IAC1C,MAAMe,MAAM,MAAM0B,aAAazC;IAC/B,MAAMG,YAAY,MAAMP,OAAOiD,IAAI,CAACnC,UAAU6B,IAAI,EAAExB,KAAK,IAAIJ,cAAcC,MAAM,CAACb;IAClF,8GAA8G;IAC9G,OAAO+C,KAAKC,OAAOC,YAAY,IAAI,IAAI5C,WAAWD;AACpD;AAEA,OAAO,MAAM8C,kBAAkB,OAAOlD,OAAeC;IACnD,MAAMG,YAAY,MAAMyC,cAAc7C,OAAOC;IAC7CD,QAAQ,GAAGA,MAAM,CAAC,EAAEI,WAAW;IAC/BJ,QAAQmD,mBAAmBnD;IAC3BA,QAAQoD,mBAAmBpD;IAC3B,OAAOA;AACT,EAAC;AAED,OAAO,MAAMqD,kBAAkB,CAACrC,KAAahB,OAAeiB;IAC1DjB,QAAQmD,mBAAmBnD;IAC3B,OAAOe,WAAWC,KAAKhB,OAAOiB;AAChC,EAAC;AAED,OAAO,MAAMqC,wBAAwB,OACnCtC,KACAhB,OACAC,QACAgB;IAEAjB,QAAQ,MAAMkD,gBAAgBlD,OAAOC;IACrC,OAAOc,WAAWC,KAAKhB,OAAOiB;AAChC,EAAC;AAED,OAAO,MAAMsC,eAAe,CAACvC,KAAaG;IACxC,IAAIqC,WAAWxC;IACf,IAAIG,QAAQ;QACV,IAAIA,WAAW,UAAU;YACvBqC,WAAW,cAAcxC;QAC3B,OAAO,IAAIG,WAAW,QAAQ;YAC5BqC,WAAW,YAAYxC;QACzB,OAAO;YACL,OAAOQ;QACT;IACF;IACA,OAAOgC;AACT,EAAC;AAED,OAAO,SAASC,UAAUC,GAAW;IACnC,IAAI;QACF,OAAOA,IAAIC,QAAQ,CAAC,OAAOP,mBAAmBM,OAAOA;IACvD,EAAE,OAAM;QACN,OAAOA;IACT;AACF;AAEA;;;;;;;CAOC,GACD,OAAO,SAASE,aAAaF,GAAW;IACtC,IAAI,OAAOA,QAAQ,UAAU;QAC3B,MAAM,IAAIG,UAAU;IACtB;IAEA,MAAMC,UAA+B,IAAIC;IAEzC,IAAIC,QAAQ;IACZ,MAAOA,QAAQN,IAAIpD,MAAM,CAAE;QACzB,MAAM2D,QAAQP,IAAIQ,OAAO,CAAC,KAAKF;QAE/B,IAAIC,UAAU,CAAC,GAAG;YAChB;QACF;QAEA,IAAIE,SAAST,IAAIQ,OAAO,CAAC,KAAKF;QAE9B,IAAIG,WAAW,CAAC,GAAG;YACjBA,SAAST,IAAIpD,MAAM;QACrB,OAAO,IAAI6D,SAASF,OAAO;YACzBD,QAAQN,IAAIU,WAAW,CAAC,KAAKH,QAAQ,KAAK;YAC1C;QACF;QAEA,MAAMjD,MAAM0C,IAAIpB,KAAK,CAAC0B,OAAOC,OAAOI,IAAI;QACxC,IAAI,CAACP,QAAQQ,GAAG,CAACtD,MAAM;YACrB,IAAIuD,MAAMb,IAAIpB,KAAK,CAAC2B,QAAQ,GAAGE,QAAQE,IAAI;YAC3C,IAAIE,IAAIC,WAAW,CAAC,OAAO,MAAM;gBAC/BD,MAAMA,IAAIjC,KAAK,CAAC,GAAG,CAAC;YACtB;YACAwB,QAAQW,GAAG,CAACzD,KAAKyC,UAAUc;QAC7B;QAEAP,QAAQG,SAAS;IACnB;IAEA,OAAOL;AACT;AAEA,OAAO,MAAMY,kBAAkB,OAC7B1D,KACAf,QACA0E,SACAxD;IAEA,MAAMqC,WAAWD,aAAavC,KAAKG;IACnC,IAAI,CAACqC,UAAU;QACb,OAAO;IACT;IACA,MAAMoB,eAAeD,QAAQE,GAAG,CAAC;IACjC,MAAMC,gBAAgBF,eAAehB,aAAagB,gBAAgBpD;IAClE,MAAMxB,QAAQ8E,eAAeD,IAAIrB;IACjC,IAAI,CAACxD,OAAO;QACV,OAAO;IACT;IACA,MAAM+E,oBAAoB/E,MAAMoE,WAAW,CAAC;IAC5C,IAAIW,oBAAoB,GAAG;QACzB,OAAO;IACT;IACA,MAAMC,cAAchF,MAAMiF,SAAS,CAAC,GAAGF;IACvC,MAAM3E,YAAYJ,MAAMiF,SAAS,CAACF,oBAAoB;IACtD,IAAI3E,UAAUE,MAAM,KAAK,MAAM,CAACF,UAAU8E,QAAQ,CAAC,MAAM;QACvD,OAAO;IACT;IACA,MAAMC,YAAY,MAAMzC,aAAazC;IACrC,MAAMmF,aAAa,MAAMtF,gBAAgBM,WAAW4E,aAAaG;IACjE,OAAOC,aAAaJ,cAAc;AACpC,EAAC"}

package/dist/better-auth/plugin/index.d.ts

@@ -0,0 +1,7 @@
+import type { Config } from 'payload';
+import type { PayloadBetterAuthPluginOptions } from './types';
+export * from './types';
+export * from './helpers';
+export { sanitizeBetterAuthOptions } from './lib/sanitize-auth-options';
+export { getPayloadAuth } from './lib/get-payload-auth';
+export declare function payloadBetterAuth(pluginOptions: PayloadBetterAuthPluginOptions): (config: Config) => Config;

package/dist/better-auth/plugin/index.js

@@ -0,0 +1,64 @@
+import { sanitizeBetterAuthOptions } from './lib/sanitize-auth-options';
+import { getRequiredCollectionSlugs } from './lib/get-required-collection-slugs';
+import { buildCollectionConfigs } from './lib/build-collection-configs';
+import { respectSaveToJwtFieldsMiddleware } from './lib/respect-save-to-jwt-fields-middleware';
+import { initBetterAuth } from './lib/init-better-auth';
+export * from './types';
+export * from './helpers';
+export { sanitizeBetterAuthOptions } from './lib/sanitize-auth-options';
+export { getPayloadAuth } from './lib/get-payload-auth';
+export function payloadBetterAuth(pluginOptions) {
+    return (config)=>{
+        if (pluginOptions.disabled) {
+            return config;
+        }
+        config.custom = {
+            ...config.custom,
+            hasBetterAuthPlugin: true
+        };
+        if (!config.collections) {
+            config.collections = [];
+        }
+        let sanitzedBetterAuthOptions = sanitizeBetterAuthOptions(pluginOptions);
+        // Determine which collections to add based on the options and plugins
+        const requiredCollectionSlugs = getRequiredCollectionSlugs({
+            logTables: pluginOptions.logTables ?? false,
+            pluginOptions,
+            sanitizedBAOptions: sanitzedBetterAuthOptions
+        });
+        // Update with the required collections + existing collections
+        config.collections = buildCollectionConfigs({
+            incomingCollections: config.collections ?? [],
+            requiredCollectionSlugs,
+            pluginOptions,
+            sanitizedBAOptions: sanitzedBetterAuthOptions
+        });
+        respectSaveToJwtFieldsMiddleware({
+            sanitizedOptions: sanitzedBetterAuthOptions,
+            payloadConfig: config,
+            pluginOptions
+        });
+        const incomingOnInit = config.onInit;
+        config.onInit = async (payload)=>{
+            // Ensure we are executing any existing onInit functions before running our own.
+            if (incomingOnInit) {
+                await incomingOnInit(payload);
+            }
+            // Initialize and set the betterAuth instance
+            const auth = initBetterAuth({
+                payload,
+                options: {
+                    ...sanitzedBetterAuthOptions,
+                    enableDebugLogs: pluginOptions.enableDebugLogs,
+                    plugins: [
+                        ...sanitzedBetterAuthOptions.plugins ?? []
+                    ]
+                }
+            });
+            payload.betterAuth = auth;
+        };
+        return config;
+    };
+}
+
+//# sourceMappingURL=index.js.map

package/dist/better-auth/plugin/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/plugin/index.ts"],"sourcesContent":["import type { BasePayload, Config } from 'payload'\nimport type { PayloadBetterAuthPluginOptions } from './types'\nimport { sanitizeBetterAuthOptions } from './lib/sanitize-auth-options'\nimport { getRequiredCollectionSlugs } from './lib/get-required-collection-slugs'\nimport { buildCollectionConfigs } from './lib/build-collection-configs'\nimport { respectSaveToJwtFieldsMiddleware } from './lib/respect-save-to-jwt-fields-middleware'\nimport { initBetterAuth } from './lib/init-better-auth'\n\nexport * from './types'\nexport * from './helpers'\nexport { sanitizeBetterAuthOptions } from './lib/sanitize-auth-options'\nexport { getPayloadAuth } from './lib/get-payload-auth'\n\nexport function payloadBetterAuth(pluginOptions: PayloadBetterAuthPluginOptions) {\n  return (config: Config): Config => {\n    if (pluginOptions.disabled) {\n      return config\n    }\n    config.custom = {\n      ...config.custom,\n      hasBetterAuthPlugin: true,\n    }\n\n    if (!config.collections) {\n      config.collections = []\n    }\n\n    let sanitzedBetterAuthOptions = sanitizeBetterAuthOptions(pluginOptions)\n\n    // Determine which collections to add based on the options and plugins\n    const requiredCollectionSlugs = getRequiredCollectionSlugs({\n      logTables: pluginOptions.logTables ?? false,\n      pluginOptions,\n      sanitizedBAOptions: sanitzedBetterAuthOptions,\n    })\n\n    // Update with the required collections + existing collections\n    config.collections = buildCollectionConfigs({\n      incomingCollections: config.collections ?? [],\n      requiredCollectionSlugs,\n      pluginOptions,\n      sanitizedBAOptions: sanitzedBetterAuthOptions,\n    })\n\n    respectSaveToJwtFieldsMiddleware({\n      sanitizedOptions: sanitzedBetterAuthOptions,\n      payloadConfig: config,\n      pluginOptions,\n    })\n\n    const incomingOnInit = config.onInit\n\n    config.onInit = async (payload) => {\n      // Ensure we are executing any existing onInit functions before running our own.\n      if (incomingOnInit) {\n        await incomingOnInit(payload)\n      }\n\n      // Initialize and set the betterAuth instance\n      const auth = initBetterAuth<NonNullable<typeof sanitzedBetterAuthOptions.plugins>>({\n        payload,\n        options: {\n          ...sanitzedBetterAuthOptions,\n          enableDebugLogs: pluginOptions.enableDebugLogs,\n          plugins: [...(sanitzedBetterAuthOptions.plugins ?? [])],\n        },\n      })\n      ;(payload as BasePayload & { betterAuth: typeof auth }).betterAuth = auth\n    }\n    return config\n  }\n}\n"],"names":["sanitizeBetterAuthOptions","getRequiredCollectionSlugs","buildCollectionConfigs","respectSaveToJwtFieldsMiddleware","initBetterAuth","getPayloadAuth","payloadBetterAuth","pluginOptions","config","disabled","custom","hasBetterAuthPlugin","collections","sanitzedBetterAuthOptions","requiredCollectionSlugs","logTables","sanitizedBAOptions","incomingCollections","sanitizedOptions","payloadConfig","incomingOnInit","onInit","payload","auth","options","enableDebugLogs","plugins","betterAuth"],"mappings":"AAEA,SAASA,yBAAyB,QAAQ,8BAA6B;AACvE,SAASC,0BAA0B,QAAQ,sCAAqC;AAChF,SAASC,sBAAsB,QAAQ,iCAAgC;AACvE,SAASC,gCAAgC,QAAQ,8CAA6C;AAC9F,SAASC,cAAc,QAAQ,yBAAwB;AAEvD,cAAc,UAAS;AACvB,cAAc,YAAW;AACzB,SAASJ,yBAAyB,QAAQ,8BAA6B;AACvE,SAASK,cAAc,QAAQ,yBAAwB;AAEvD,OAAO,SAASC,kBAAkBC,aAA6C;IAC7E,OAAO,CAACC;QACN,IAAID,cAAcE,QAAQ,EAAE;YAC1B,OAAOD;QACT;QACAA,OAAOE,MAAM,GAAG;YACd,GAAGF,OAAOE,MAAM;YAChBC,qBAAqB;QACvB;QAEA,IAAI,CAACH,OAAOI,WAAW,EAAE;YACvBJ,OAAOI,WAAW,GAAG,EAAE;QACzB;QAEA,IAAIC,4BAA4Bb,0BAA0BO;QAE1D,sEAAsE;QACtE,MAAMO,0BAA0Bb,2BAA2B;YACzDc,WAAWR,cAAcQ,SAAS,IAAI;YACtCR;YACAS,oBAAoBH;QACtB;QAEA,8DAA8D;QAC9DL,OAAOI,WAAW,GAAGV,uBAAuB;YAC1Ce,qBAAqBT,OAAOI,WAAW,IAAI,EAAE;YAC7CE;YACAP;YACAS,oBAAoBH;QACtB;QAEAV,iCAAiC;YAC/Be,kBAAkBL;YAClBM,eAAeX;YACfD;QACF;QAEA,MAAMa,iBAAiBZ,OAAOa,MAAM;QAEpCb,OAAOa,MAAM,GAAG,OAAOC;YACrB,gFAAgF;YAChF,IAAIF,gBAAgB;gBAClB,MAAMA,eAAeE;YACvB;YAEA,6CAA6C;YAC7C,MAAMC,OAAOnB,eAAsE;gBACjFkB;gBACAE,SAAS;oBACP,GAAGX,yBAAyB;oBAC5BY,iBAAiBlB,cAAckB,eAAe;oBAC9CC,SAAS;2BAAKb,0BAA0Ba,OAAO,IAAI,EAAE;qBAAE;gBACzD;YACF;YACEJ,QAAsDK,UAAU,GAAGJ;QACvE;QACA,OAAOf;IACT;AACF"}

package/dist/better-auth/plugin/lib/auth-strategy.d.ts

@@ -0,0 +1,8 @@
+import type { AuthStrategy } from 'payload';
+/**
+ * Auth strategy for BetterAuth
+ * @param adminRoles - Admin roles
+ * @param userSlug - User collection slug
+ * @returns Auth strategy
+ */
+export declare function betterAuthStrategy(adminRoles?: string[], userSlug?: string): AuthStrategy;

package/dist/better-auth/plugin/lib/auth-strategy.js

@@ -0,0 +1,48 @@
+import { getPayloadAuth } from './get-payload-auth';
+/**
+ * Auth strategy for BetterAuth
+ * @param adminRoles - Admin roles
+ * @param userSlug - User collection slug
+ * @returns Auth strategy
+ */ export function betterAuthStrategy(adminRoles, userSlug) {
+    return {
+        name: 'better-auth',
+        authenticate: async ({ payload, headers })=>{
+            const payloadAuth = await getPayloadAuth(payload.config);
+            const session = await payloadAuth.betterAuth.api.getSession({
+                headers
+            });
+            const sessionUserIdField = payloadAuth.betterAuth.options.session?.fields?.userId ?? 'userId';
+            const userId = session?.session?.[sessionUserIdField] ?? session?.user?.id;
+            if (!session || !userId) {
+                return {
+                    user: null
+                };
+            }
+            try {
+                const user = await payloadAuth.findByID({
+                    collection: userSlug ?? 'users',
+                    id: userId
+                });
+                if (!user) {
+                    return {
+                        user: null
+                    };
+                }
+                return {
+                    user: {
+                        ...user,
+                        collection: userSlug ?? 'users',
+                        _strategy: 'better-auth'
+                    }
+                };
+            } catch  {
+                return {
+                    user: null
+                };
+            }
+        }
+    };
+}
+
+//# sourceMappingURL=auth-strategy.js.map

package/dist/better-auth/plugin/lib/auth-strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/plugin/lib/auth-strategy.ts"],"sourcesContent":["import type { AuthStrategy } from 'payload'\nimport { getPayloadAuth } from './get-payload-auth'\nimport type { TPlugins } from '..'\n\n/**\n * Auth strategy for BetterAuth\n * @param adminRoles - Admin roles\n * @param userSlug - User collection slug\n * @returns Auth strategy\n */\nexport function betterAuthStrategy(adminRoles?: string[], userSlug?: string): AuthStrategy {\n  return {\n    name: 'better-auth',\n    authenticate: async ({ payload, headers }) => {\n      const payloadAuth = await getPayloadAuth<NonNullable<TPlugins>>(payload.config)\n      const session = await payloadAuth.betterAuth.api.getSession({ headers })\n      const sessionUserIdField = payloadAuth.betterAuth.options.session?.fields?.userId ?? 'userId'\n      const userId = (session?.session as any)?.[sessionUserIdField] ?? session?.user?.id\n\n      if (!session || !userId) {\n        return { user: null }\n      }\n      try {\n        const user = await payloadAuth.findByID({\n          collection: userSlug ?? 'users',\n          id: userId,\n        })\n\n        if (!user) {\n          return { user: null }\n        }\n\n        return {\n          user: {\n            ...user,\n            collection: userSlug ?? 'users',\n            _strategy: 'better-auth',\n          },\n        }\n      } catch {\n        return { user: null }\n      }\n    },\n  }\n}\n"],"names":["getPayloadAuth","betterAuthStrategy","adminRoles","userSlug","name","authenticate","payload","headers","payloadAuth","config","session","betterAuth","api","getSession","sessionUserIdField","options","fields","userId","user","id","findByID","collection","_strategy"],"mappings":"AACA,SAASA,cAAc,QAAQ,qBAAoB;AAGnD;;;;;CAKC,GACD,OAAO,SAASC,mBAAmBC,UAAqB,EAAEC,QAAiB;IACzE,OAAO;QACLC,MAAM;QACNC,cAAc,OAAO,EAAEC,OAAO,EAAEC,OAAO,EAAE;YACvC,MAAMC,cAAc,MAAMR,eAAsCM,QAAQG,MAAM;YAC9E,MAAMC,UAAU,MAAMF,YAAYG,UAAU,CAACC,GAAG,CAACC,UAAU,CAAC;gBAAEN;YAAQ;YACtE,MAAMO,qBAAqBN,YAAYG,UAAU,CAACI,OAAO,CAACL,OAAO,EAAEM,QAAQC,UAAU;YACrF,MAAMA,SAAS,AAACP,SAASA,SAAiB,CAACI,mBAAmB,IAAIJ,SAASQ,MAAMC;YAEjF,IAAI,CAACT,WAAW,CAACO,QAAQ;gBACvB,OAAO;oBAAEC,MAAM;gBAAK;YACtB;YACA,IAAI;gBACF,MAAMA,OAAO,MAAMV,YAAYY,QAAQ,CAAC;oBACtCC,YAAYlB,YAAY;oBACxBgB,IAAIF;gBACN;gBAEA,IAAI,CAACC,MAAM;oBACT,OAAO;wBAAEA,MAAM;oBAAK;gBACtB;gBAEA,OAAO;oBACLA,MAAM;wBACJ,GAAGA,IAAI;wBACPG,YAAYlB,YAAY;wBACxBmB,WAAW;oBACb;gBACF;YACF,EAAE,OAAM;gBACN,OAAO;oBAAEJ,MAAM;gBAAK;YACtB;QACF;IACF;AACF"}

package/dist/better-auth/plugin/lib/build-collection-configs.d.ts

@@ -0,0 +1,11 @@
+import type { PayloadBetterAuthPluginOptions, SanitizedBetterAuthOptions } from '..';
+import { CollectionConfig } from 'payload';
+/**
+ * Builds the required collections based on the BetterAuth options and plugins
+ */
+export declare function buildCollectionConfigs({ incomingCollections, requiredCollectionSlugs, pluginOptions, sanitizedBAOptions, }: {
+    incomingCollections: CollectionConfig[];
+    requiredCollectionSlugs: Set<string>;
+    pluginOptions: PayloadBetterAuthPluginOptions;
+    sanitizedBAOptions: SanitizedBetterAuthOptions;
+}): CollectionConfig[];