npm - sa2kit - Versions diffs - 3.2.1 → 3.2.2 - Mend

sa2kit 3.2.1 → 3.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/common/auth/components/index.js +18 -0
package/dist/common/auth/components/index.js.map +1 -1
package/dist/common/auth/components/index.mjs +18 -0
package/dist/common/auth/components/index.mjs.map +1 -1
package/dist/common/auth/server/index.d.mts +86 -3
package/dist/common/auth/server/index.d.ts +86 -3
package/dist/common/auth/server/index.js +614 -1
package/dist/common/auth/server/index.js.map +1 -1
package/dist/common/auth/server/index.mjs +599 -3
package/dist/common/auth/server/index.mjs.map +1 -1
package/package.json +8 -1

package/dist/common/auth/server/index.js CHANGED Viewed

@@ -5,6 +5,8 @@ require('../../../chunk-NSBPE2FW.js');
 var betterAuth = require('better-auth');
 var drizzleAdapter = require('@better-auth/drizzle-adapter');
 var plugins = require('better-auth/plugins');
+var drizzleOrm = require('drizzle-orm');
+var crypto = require('better-auth/crypto');
 var nextJs = require('better-auth/next-js');
 // src/common/auth/server/plugins/dev-otp.ts
@@ -18,6 +20,70 @@ function createDevOtpLogger(enabled) {
 }
 var defaultPhoneValidator = (phoneNumber2) => /^1\d{10}$/.test(phoneNumber2);
 var defaultTempEmailFromPhone = (phoneNumber2) => `${phoneNumber2.replace(/\D/g, "")}@phone.sa2kit.local`;
+function createId() {
+  return globalThis.crypto?.randomUUID?.() ?? `acc_${Date.now()}_${Math.random().toString(36).slice(2)}`;
+}
+async function upsertCredentialPassword(db, userId, plainPassword) {
+  const database = db;
+  const now = /* @__PURE__ */ new Date();
+  const passwordHash = await crypto.hashPassword(plainPassword);
+  const existing = await database.select({ id: chunkLGHUCQIU_js.account.id }).from(chunkLGHUCQIU_js.account).where(drizzleOrm.and(drizzleOrm.eq(chunkLGHUCQIU_js.account.userId, userId), drizzleOrm.eq(chunkLGHUCQIU_js.account.providerId, "credential"))).limit(1);
+  if (existing[0]) {
+    await database.update(chunkLGHUCQIU_js.account).set({ password: passwordHash, updatedAt: now }).where(drizzleOrm.eq(chunkLGHUCQIU_js.account.id, existing[0].id));
+    return;
+  }
+  await database.insert(chunkLGHUCQIU_js.account).values({
+    id: createId(),
+    accountId: userId,
+    providerId: "credential",
+    userId,
+    password: passwordHash,
+    createdAt: now,
+    updatedAt: now
+  });
+}
+// src/common/auth/server/phone-signup-intent.ts
+var pendingByPhone = /* @__PURE__ */ new Map();
+var TTL_MS = 5 * 60 * 1e3;
+function normalizePhone(phoneNumber2) {
+  return phoneNumber2.replace(/\D/g, "");
+}
+function stashPhoneSignupPassword(phoneNumber2, password) {
+  pendingByPhone.set(normalizePhone(phoneNumber2), {
+    password,
+    expiresAt: Date.now() + TTL_MS
+  });
+}
+function consumePhoneSignupPassword(phoneNumber2) {
+  const key = normalizePhone(phoneNumber2);
+  const entry = pendingByPhone.get(key);
+  pendingByPhone.delete(key);
+  if (!entry) return void 0;
+  if (entry.expiresAt < Date.now()) return void 0;
+  return entry.password;
+}
+async function handlePhoneSignupIntentRequest(request) {
+  if (request.method !== "POST") {
+    return new Response("Method Not Allowed", { status: 405 });
+  }
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return Response.json({ error: "invalid_json" }, { status: 400 });
+  }
+  const phoneNumber2 = String(body.phoneNumber ?? "").trim();
+  const password = String(body.password ?? "");
+  if (!defaultPhoneValidator(phoneNumber2)) {
+    return Response.json({ error: "invalid_phone" }, { status: 400 });
+  }
+  if (password.length < 6) {
+    return Response.json({ error: "invalid_password" }, { status: 400 });
+  }
+  stashPhoneSignupPassword(phoneNumber2, password);
+  return Response.json({ ok: true });
+}
 // src/common/auth/server/create-auth.ts
 function createSa2kitAuth(config) {
@@ -65,7 +131,13 @@ function createSa2kitAuth(config) {
         async sendOTP({ phoneNumber: phone, code }) {
           devLog?.("sms", phone, code);
           if (config.sms?.sendOTP) {
-            void config.sms.sendOTP(phone, code);
+            await config.sms.sendOTP(phone, code);
+          }
+        },
+        async callbackOnVerification({ phoneNumber: phone, user: user2 }) {
+          const pendingPassword = consumePhoneSignupPassword(phone);
+          if (pendingPassword && user2?.id) {
+            await upsertCredentialPassword(config.db, String(user2.id), pendingPassword);
           }
         },
         signUpOnVerification: {
@@ -77,6 +149,530 @@ function createSa2kitAuth(config) {
   });
   return auth;
 }
+// src/common/auth/server/env/auth-env-catalog.ts
+var AUTH_FEATURES = [
+  {
+    id: "core",
+    name: "\u6838\u5FC3\u8BA4\u8BC1",
+    description: "Better Auth \u670D\u52A1\u7AEF\u57FA\u7840\u80FD\u529B\uFF08\u4F1A\u8BDD\u3001Cookie\u3001API \u8DEF\u7531\uFF09",
+    envKeys: ["BETTER_AUTH_SECRET", "BETTER_AUTH_URL"]
+  },
+  {
+    id: "client",
+    name: "Web \u5BA2\u6237\u7AEF",
+    description: "\u6D4F\u89C8\u5668\u7AEF AuthProvider / \u767B\u5F55\u5F39\u7A97\u8BF7\u6C42\u6B63\u786E origin",
+    envKeys: ["NEXT_PUBLIC_APP_URL"]
+  },
+  {
+    id: "trusted_origins",
+    name: "\u8DE8\u57DF\u4FE1\u4EFB\u6E90",
+    description: "\u591A\u57DF\u540D / \u9884\u89C8\u73AF\u5883 CORS \u4E0E Cookie",
+    envKeys: ["BETTER_AUTH_TRUSTED_ORIGINS"]
+  },
+  {
+    id: "sms_phone_otp",
+    name: "\u624B\u673A\u77ED\u4FE1 OTP",
+    description: "\u624B\u673A\u53F7\u6CE8\u518C / \u767B\u5F55 / \u627E\u56DE\u5BC6\u7801\u7684\u77ED\u4FE1\u9A8C\u8BC1\u7801",
+    envKeys: [
+      "SA2KIT_SMS_PROVIDER",
+      "ALIYUN_SMS_ACCESS_KEY_ID",
+      "ALIYUN_SMS_ACCESS_KEY_SECRET",
+      "ALIYUN_SMS_SIGN_NAME",
+      "ALIYUN_SMS_TEMPLATE_CODE",
+      "ALIYUN_SMS_COUNTRY_CODE",
+      "ALIYUN_SMS_CODE_VALID_MINUTES",
+      "ALIYUN_SMS_ENDPOINT"
+    ]
+  },
+  {
+    id: "email_otp",
+    name: "\u90AE\u7BB1 OTP",
+    description: "\u90AE\u7BB1\u9A8C\u8BC1\u7801\uFF08\u9700\u5728 createSa2kitAuth \u4F20\u5165 email.sendVerificationOTP\uFF09",
+    envKeys: ["SA2KIT_EMAIL_PROVIDER"]
+  },
+  {
+    id: "database",
+    name: "\u6570\u636E\u5E93",
+    description: "Drizzle + PostgreSQL \u6301\u4E45\u5316 user/session\uFF08\u7531\u5BBF\u4E3B\u9879\u76EE\u914D\u7F6E\uFF09",
+    envKeys: ["DATABASE_URL"]
+  }
+];
+var AUTH_ENV_CATALOG = [
+  {
+    key: "BETTER_AUTH_SECRET",
+    featureId: "core",
+    required: true,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "Better Auth \u7B7E\u540D\u5BC6\u94A5\uFF0C\u81F3\u5C11 32 \u5B57\u7B26\u3002\u53EF\u517C\u5BB9\u8BFB\u53D6 NEXTAUTH_SECRET\u3002",
+    example: "openssl rand -base64 32",
+    secret: true
+  },
+  {
+    key: "BETTER_AUTH_URL",
+    featureId: "core",
+    required: true,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u5BF9\u5916\u53EF\u8BBF\u95EE\u7684\u7AD9\u70B9 URL\uFF08\u542B\u534F\u8BAE\u4E0E\u7AEF\u53E3\uFF09\u3002\u53EF\u56DE\u9000 NEXT_PUBLIC_APP_URL / NEXTAUTH_URL\u3002",
+    example: "https://example.com"
+  },
+  {
+    key: "NEXT_PUBLIC_APP_URL",
+    featureId: "client",
+    required: true,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u6D4F\u89C8\u5668\u7AEF auth client \u7684 baseURL\u3002",
+    example: "https://example.com"
+  },
+  {
+    key: "BETTER_AUTH_TRUSTED_ORIGINS",
+    featureId: "trusted_origins",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u9017\u53F7\u5206\u9694\u7684\u53EF\u4FE1 origin \u5217\u8868\uFF0C\u7528\u4E8E\u9884\u89C8\u57DF / \u591A\u57DF\u540D\u90E8\u7F72\u3002",
+    example: "https://example.com,https://www.example.com"
+  },
+  {
+    key: "SA2KIT_SMS_PROVIDER",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u77ED\u4FE1 provider\uFF1Aconsole\uFF08\u5F00\u53D1\u65E5\u5FD7\uFF09| aliyun-pnvs\uFF08\u751F\u4EA7\uFF09| none\u3002\u5F00\u53D1\u9ED8\u8BA4 console\uFF0C\u751F\u4EA7\u672A\u914D\u7F6E\u5219\u65E0\u6CD5\u53D1\u77ED\u4FE1\u3002",
+    example: "aliyun-pnvs"
+  },
+  {
+    key: "ALIYUN_SMS_ACCESS_KEY_ID",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u963F\u91CC\u4E91 RAM AccessKey ID\uFF08\u77ED\u4FE1\u8BA4\u8BC1 SendSmsVerifyCode\uFF09\u3002",
+    secret: true
+  },
+  {
+    key: "ALIYUN_SMS_ACCESS_KEY_SECRET",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u963F\u91CC\u4E91 RAM AccessKey Secret\u3002",
+    secret: true
+  },
+  {
+    key: "ALIYUN_SMS_SIGN_NAME",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u77ED\u4FE1\u8BA4\u8BC1\u63A7\u5236\u53F0\u8D60\u9001/\u7533\u8BF7\u7684\u7B7E\u540D\u540D\u79F0\u3002",
+    example: "\u901F\u901A\u4E92\u8054\u9A8C\u8BC1\u7801"
+  },
+  {
+    key: "ALIYUN_SMS_TEMPLATE_CODE",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u77ED\u4FE1\u8BA4\u8BC1\u63A7\u5236\u53F0\u8D60\u9001/\u7533\u8BF7\u7684\u6A21\u677F CODE\u3002",
+    example: "100001"
+  },
+  {
+    key: "ALIYUN_SMS_COUNTRY_CODE",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "runtime_env"],
+    description: "\u56FD\u5BB6\u7801\uFF0C\u9ED8\u8BA4 86\uFF08\u4E2D\u56FD\u5927\u9646\uFF09\u3002",
+    example: "86"
+  },
+  {
+    key: "ALIYUN_SMS_CODE_VALID_MINUTES",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "runtime_env"],
+    description: "\u77ED\u4FE1\u6A21\u677F\u4E2D\u5C55\u793A\u7684\u6709\u6548\u5206\u949F\u6570\uFF0C\u9ED8\u8BA4 5\uFF08\u4E0E Better Auth OTP \u6709\u6548\u671F\u72EC\u7ACB\uFF09\u3002",
+    example: "5"
+  },
+  {
+    key: "ALIYUN_SMS_ENDPOINT",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "runtime_env"],
+    description: "\u53EF\u9009\uFF0C\u9ED8\u8BA4 https://dypnsapi.aliyuncs.com"
+  },
+  {
+    key: "SA2KIT_EMAIL_PROVIDER",
+    featureId: "email_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u90AE\u7BB1 OTP \u7531\u5BBF\u4E3B\u5B9E\u73B0 config.email.sendVerificationOTP\uFF1B\u6B64\u53D8\u91CF\u4EC5\u7528\u4E8E env \u68C0\u67E5\u63D0\u793A\u3002",
+    example: "resend | smtp | console"
+  },
+  {
+    key: "DATABASE_URL",
+    featureId: "database",
+    required: true,
+    placement: ["env_file", "github_secret", "runtime_env", "database"],
+    description: "PostgreSQL \u8FDE\u63A5\u4E32\uFF08\u5BBF\u4E3B\u9879\u76EE Drizzle \u4F7F\u7528\uFF0C\u975E sa2kit \u76F4\u63A5\u8BFB\u53D6\uFF09\u3002",
+    secret: true
+  },
+  {
+    key: "SA2KIT_AUTH_LOG_OTP",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "runtime_env"],
+    description: "\u8BBE\u4E3A 1 \u65F6\u5728\u975E\u751F\u4EA7\u73AF\u5883\u5C06 OTP \u6253\u5370\u5230\u670D\u52A1\u7AEF\u65E5\u5FD7\uFF1B\u751F\u4EA7\u73AF\u5883\u5FFD\u7565\u3002\u8BBE\u4E3A 0 \u53EF\u5173\u95ED\u5F00\u53D1\u65E5\u5FD7\u3002",
+    example: "1"
+  }
+];
+var AUTH_ENV_ALIASES = {
+  BETTER_AUTH_SECRET: ["NEXTAUTH_SECRET"],
+  BETTER_AUTH_URL: ["NEXT_PUBLIC_APP_URL", "NEXTAUTH_URL"]
+};
+// src/common/auth/server/sms/providers/aliyun-pnvs.ts
+async function loadPopCore() {
+  try {
+    const mod = await import('@alicloud/pop-core');
+    return mod.default ?? mod;
+  } catch {
+    throw new Error(
+      "\u542F\u7528 SA2KIT_SMS_PROVIDER=aliyun-pnvs \u9700\u8981\u5B89\u88C5 @alicloud/pop-core\uFF1Apnpm add @alicloud/pop-core"
+    );
+  }
+}
+function createAliyunPnvsSmsProvider(config) {
+  return {
+    async sendOTP(phoneNumber2, code) {
+      const Core = await loadPopCore();
+      const client = new Core({
+        accessKeyId: config.accessKeyId,
+        accessKeySecret: config.accessKeySecret,
+        endpoint: config.endpoint ?? "https://dypnsapi.aliyuncs.com",
+        apiVersion: "2017-05-25"
+      });
+      const minutes = String(config.codeValidMinutes ?? 5);
+      const result = await client.request(
+        "SendSmsVerifyCode",
+        {
+          PhoneNumber: phoneNumber2,
+          CountryCode: config.countryCode ?? "86",
+          SignName: config.signName,
+          TemplateCode: config.templateCode,
+          TemplateParam: JSON.stringify({ code, min: minutes })
+        },
+        { method: "POST" }
+      );
+      if (result.Code !== "OK" && result.Success !== true) {
+        throw new Error(
+          `\u963F\u91CC\u4E91\u77ED\u4FE1\u8BA4\u8BC1\u53D1\u9001\u5931\u8D25: ${result.Message ?? result.Code ?? "unknown error"}`
+        );
+      }
+    }
+  };
+}
+// src/common/auth/server/sms/providers/console.ts
+function createConsoleSmsProvider() {
+  return {
+    async sendOTP(phoneNumber2, code) {
+      console.info(`[sa2kit/auth][sms][console] ${phoneNumber2} => ${code}`);
+    }
+  };
+}
+// src/common/auth/server/sms/create-sms-provider-from-env.ts
+function readEnv(key) {
+  const value = process.env[key];
+  return value && value.trim().length > 0 ? value.trim() : void 0;
+}
+function resolveSmsProviderId(explicit) {
+  if (explicit) return explicit;
+  const fromEnv = readEnv("SA2KIT_SMS_PROVIDER");
+  if (fromEnv) return fromEnv;
+  if (process.env.NODE_ENV !== "production") return "console";
+  return void 0;
+}
+function createSmsProviderFromEnv(options) {
+  const providerId = resolveSmsProviderId(options?.providerId);
+  if (!providerId || providerId === "none") return void 0;
+  if (providerId === "console") {
+    return createConsoleSmsProvider();
+  }
+  if (providerId === "aliyun-pnvs") {
+    const accessKeyId = readEnv("ALIYUN_SMS_ACCESS_KEY_ID");
+    const accessKeySecret = readEnv("ALIYUN_SMS_ACCESS_KEY_SECRET");
+    const signName = readEnv("ALIYUN_SMS_SIGN_NAME");
+    const templateCode = readEnv("ALIYUN_SMS_TEMPLATE_CODE");
+    if (!accessKeyId || !accessKeySecret || !signName || !templateCode) {
+      throw new Error(
+        "SA2KIT_SMS_PROVIDER=aliyun-pnvs \u9700\u8981 ALIYUN_SMS_ACCESS_KEY_ID\u3001ALIYUN_SMS_ACCESS_KEY_SECRET\u3001ALIYUN_SMS_SIGN_NAME\u3001ALIYUN_SMS_TEMPLATE_CODE"
+      );
+    }
+    const codeValidMinutes = Number.parseInt(readEnv("ALIYUN_SMS_CODE_VALID_MINUTES") ?? "5", 10);
+    return createAliyunPnvsSmsProvider({
+      accessKeyId,
+      accessKeySecret,
+      signName,
+      templateCode,
+      countryCode: readEnv("ALIYUN_SMS_COUNTRY_CODE") ?? "86",
+      codeValidMinutes: Number.isFinite(codeValidMinutes) ? codeValidMinutes : 5,
+      endpoint: readEnv("ALIYUN_SMS_ENDPOINT")
+    });
+  }
+  throw new Error(`\u672A\u77E5\u7684 SA2KIT_SMS_PROVIDER: ${providerId}`);
+}
+// src/common/auth/server/env/resolve-auth-env.ts
+function readEnv2(key) {
+  const value = process.env[key];
+  return value && value.trim().length > 0 ? value.trim() : void 0;
+}
+function readEnvWithAliases(key) {
+  const direct = readEnv2(key);
+  if (direct) return direct;
+  for (const alias of AUTH_ENV_ALIASES[key] ?? []) {
+    const value = readEnv2(alias);
+    if (value) return value;
+  }
+  return void 0;
+}
+function parseTrustedOrigins(baseURL) {
+  const fromEnv = readEnv2("BETTER_AUTH_TRUSTED_ORIGINS");
+  const defaults = [baseURL, "http://localhost:3000", "http://127.0.0.1:3000"];
+  const extra = fromEnv ? fromEnv.split(",").map((item) => item.trim()).filter(Boolean) : [];
+  return [...defaults, ...extra].filter((origin, index, list) => list.indexOf(origin) === index);
+}
+function resolveAuthEnv(input) {
+  const baseURL = input.baseURL ?? readEnvWithAliases("BETTER_AUTH_URL") ?? readEnv2("NEXT_PUBLIC_APP_URL") ?? "http://localhost:3000";
+  const secret = input.secret ?? readEnvWithAliases("BETTER_AUTH_SECRET") ?? (process.env.NODE_ENV !== "production" ? "dev-better-auth-secret-min-32-chars!!" : void 0);
+  if (!secret || secret.length < 32) {
+    throw new Error("BETTER_AUTH_SECRET \u81F3\u5C11 32 \u5B57\u7B26\uFF08\u6216\u5F00\u53D1\u73AF\u5883\u4F7F\u7528\u9ED8\u8BA4 dev secret\uFF09");
+  }
+  const smsProvider = createSmsProviderFromEnv();
+  const sms = input.sms ?? (smsProvider ? { sendOTP: smsProvider.sendOTP.bind(smsProvider) } : void 0);
+  const config = {
+    db: input.db,
+    baseURL,
+    secret,
+    trustedOrigins: input.trustedOrigins ?? parseTrustedOrigins(baseURL),
+    basePath: input.basePath,
+    sms,
+    email: input.email,
+    phoneNumberValidator: input.phoneNumberValidator,
+    logOtpInDev: input.logOtpInDev ?? (process.env.SA2KIT_AUTH_LOG_OTP === "1" || process.env.NODE_ENV !== "production")
+  };
+  const envSnapshot = {
+    BETTER_AUTH_SECRET: readEnvWithAliases("BETTER_AUTH_SECRET") ? "[set]" : void 0,
+    BETTER_AUTH_URL: readEnvWithAliases("BETTER_AUTH_URL"),
+    NEXT_PUBLIC_APP_URL: readEnv2("NEXT_PUBLIC_APP_URL"),
+    BETTER_AUTH_TRUSTED_ORIGINS: readEnv2("BETTER_AUTH_TRUSTED_ORIGINS"),
+    SA2KIT_SMS_PROVIDER: String(resolveSmsProviderId() ?? ""),
+    ALIYUN_SMS_ACCESS_KEY_ID: readEnv2("ALIYUN_SMS_ACCESS_KEY_ID") ? "[set]" : void 0,
+    ALIYUN_SMS_ACCESS_KEY_SECRET: readEnv2("ALIYUN_SMS_ACCESS_KEY_SECRET") ? "[set]" : void 0,
+    ALIYUN_SMS_SIGN_NAME: readEnv2("ALIYUN_SMS_SIGN_NAME"),
+    ALIYUN_SMS_TEMPLATE_CODE: readEnv2("ALIYUN_SMS_TEMPLATE_CODE"),
+    SA2KIT_EMAIL_PROVIDER: readEnv2("SA2KIT_EMAIL_PROVIDER"),
+    DATABASE_URL: readEnv2("DATABASE_URL") ? "[set]" : void 0,
+    NODE_ENV: process.env.NODE_ENV
+  };
+  return { config, envSnapshot };
+}
+// src/common/auth/server/env/check-auth-env.ts
+function isSet(snapshot, key) {
+  const value = snapshot[key];
+  return value !== void 0 && value !== "[unset]" && value.length > 0;
+}
+function featureById(id) {
+  return AUTH_FEATURES.find((f) => f.id === id);
+}
+function varsForFeature(featureId) {
+  return AUTH_ENV_CATALOG.filter((item) => item.featureId === featureId);
+}
+function checkAuthEnv(envSnapshot) {
+  const issues = [];
+  const enabledFeatures = [];
+  const disabledFeatures = [];
+  const checkRequiredFeature = (featureId, productionOnly = false) => {
+    const feature = featureById(featureId);
+    const requiredVars = varsForFeature(featureId).filter((item) => item.required);
+    const missing = requiredVars.filter((item) => !isSet(envSnapshot, item.key)).map((item) => item.key);
+    if (missing.length === 0) {
+      enabledFeatures.push(featureId);
+      return;
+    }
+    if (productionOnly && envSnapshot.NODE_ENV !== "production") {
+      disabledFeatures.push(featureId);
+      issues.push({
+        level: "info",
+        featureId,
+        featureName: feature.name,
+        message: `\u5F00\u53D1\u73AF\u5883\u53EF\u6682\u7F3A\uFF1A${missing.join(", ")}`,
+        missingKeys: missing
+      });
+      return;
+    }
+    disabledFeatures.push(featureId);
+    issues.push({
+      level: "error",
+      featureId,
+      featureName: feature.name,
+      message: `\u7F3A\u5C11\u5FC5\u9700\u73AF\u5883\u53D8\u91CF\uFF1A${missing.join(", ")}`,
+      missingKeys: missing
+    });
+  };
+  checkRequiredFeature("core");
+  checkRequiredFeature("client", true);
+  checkRequiredFeature("database", true);
+  const smsFeature = featureById("sms_phone_otp");
+  const smsProvider = envSnapshot.SA2KIT_SMS_PROVIDER;
+  if (smsProvider === "aliyun-pnvs") {
+    const aliyunKeys = [
+      "ALIYUN_SMS_ACCESS_KEY_ID",
+      "ALIYUN_SMS_ACCESS_KEY_SECRET",
+      "ALIYUN_SMS_SIGN_NAME",
+      "ALIYUN_SMS_TEMPLATE_CODE"
+    ];
+    const missing = aliyunKeys.filter((key) => !isSet(envSnapshot, key));
+    if (missing.length === 0) {
+      enabledFeatures.push("sms_phone_otp");
+    } else {
+      disabledFeatures.push("sms_phone_otp");
+      issues.push({
+        level: "error",
+        featureId: "sms_phone_otp",
+        featureName: smsFeature.name,
+        message: `SA2KIT_SMS_PROVIDER=aliyun-pnvs \u4F46\u7F3A\u5C11\uFF1A${missing.join(", ")}`,
+        missingKeys: missing,
+        hints: ["\u5728 GitHub Secrets \u6216 .env.production \u4E2D\u914D\u7F6E ALIYUN_SMS_*"]
+      });
+    }
+  } else if (smsProvider === "console") {
+    enabledFeatures.push("sms_phone_otp");
+    if (envSnapshot.NODE_ENV === "production") {
+      issues.push({
+        level: "warning",
+        featureId: "sms_phone_otp",
+        featureName: smsFeature.name,
+        message: "\u751F\u4EA7\u73AF\u5883\u4ECD\u5728\u4F7F\u7528 SA2KIT_SMS_PROVIDER=console\uFF0C\u9A8C\u8BC1\u7801\u4EC5\u8F93\u51FA\u5230\u65E5\u5FD7\uFF0C\u7528\u6237\u6536\u4E0D\u5230\u77ED\u4FE1\u3002",
+        hints: ["\u751F\u4EA7\u8BF7\u6539\u4E3A aliyun-pnvs \u5E76\u914D\u7F6E ALIYUN_SMS_*"]
+      });
+    }
+  } else {
+    disabledFeatures.push("sms_phone_otp");
+    issues.push({
+      level: envSnapshot.NODE_ENV === "production" ? "warning" : "info",
+      featureId: "sms_phone_otp",
+      featureName: smsFeature.name,
+      message: envSnapshot.NODE_ENV === "production" ? "\u672A\u914D\u7F6E\u77ED\u4FE1 provider\uFF0C\u624B\u673A\u53F7 OTP \u65E0\u6CD5\u9001\u8FBE\uFF08\u7528\u6237\u6536\u4E0D\u5230\u9A8C\u8BC1\u7801\uFF09\u3002" : "\u672A\u914D\u7F6E\u77ED\u4FE1 provider\uFF1B\u5F00\u53D1\u73AF\u5883\u53EF\u8BBE\u7F6E SA2KIT_SMS_PROVIDER=console \u5E76\u5728\u670D\u52A1\u7AEF\u65E5\u5FD7\u67E5\u770B OTP\u3002",
+      hints: [
+        "\u5F00\u53D1\uFF1ASA2KIT_SMS_PROVIDER=console",
+        "\u751F\u4EA7\uFF1ASA2KIT_SMS_PROVIDER=aliyun-pnvs + ALIYUN_SMS_*"
+      ]
+    });
+  }
+  if (isSet(envSnapshot, "SA2KIT_EMAIL_PROVIDER")) {
+    enabledFeatures.push("email_otp");
+  } else {
+    disabledFeatures.push("email_otp");
+    issues.push({
+      level: "info",
+      featureId: "email_otp",
+      featureName: featureById("email_otp").name,
+      message: "\u672A\u58F0\u660E SA2KIT_EMAIL_PROVIDER\uFF1B\u82E5\u9700\u90AE\u7BB1\u9A8C\u8BC1\u7801\u8BF7\u5728 createSa2kitAuth \u914D\u7F6E email.sendVerificationOTP\u3002"
+    });
+  }
+  if (isSet(envSnapshot, "BETTER_AUTH_TRUSTED_ORIGINS")) {
+    enabledFeatures.push("trusted_origins");
+  } else {
+    disabledFeatures.push("trusted_origins");
+    issues.push({
+      level: "info",
+      featureId: "trusted_origins",
+      featureName: featureById("trusted_origins").name,
+      message: "\u672A\u8BBE\u7F6E BETTER_AUTH_TRUSTED_ORIGINS\uFF0C\u4EC5\u4F7F\u7528 baseURL + localhost \u9ED8\u8BA4\u503C\u3002"
+    });
+  }
+  const ok = !issues.some((issue) => issue.level === "error");
+  return { ok, issues, enabledFeatures, disabledFeatures };
+}
+var loggedOnce = false;
+function logAuthEnvReport(report, options) {
+  if (loggedOnce && !options?.force) return;
+  loggedOnce = true;
+  const lines = ["[sa2kit/auth] \u73AF\u5883\u914D\u7F6E\u68C0\u67E5"];
+  for (const issue of report.issues) {
+    const prefix = issue.level === "error" ? "\u2717" : issue.level === "warning" ? "\u26A0" : "\u25CB";
+    lines.push(`${prefix} ${issue.featureName}: ${issue.message}`);
+    if (issue.hints?.length) {
+      for (const hint of issue.hints) {
+        lines.push(`    \u2192 ${hint}`);
+      }
+    }
+  }
+  if (report.issues.length === 0) {
+    lines.push("\u2713 \u6240\u6709\u5DF2\u542F\u7528\u80FD\u529B\u7684\u73AF\u5883\u53D8\u91CF\u5747\u5DF2\u5C31\u7EEA");
+  }
+  lines.push(`  \u5DF2\u542F\u7528: ${report.enabledFeatures.join(", ") || "\u65E0"}`);
+  console.info(lines.join("\n"));
+}
+function formatAuthEnvSetupMarkdown(report) {
+  const lines = [
+    "# sa2kit Auth \u73AF\u5883\u53D8\u91CF",
+    "",
+    "\u5B8C\u6574\u8BF4\u660E\u89C1 sa2kit \u6587\u6863\uFF1A`docs/auth-env.md`",
+    "",
+    "## \u529F\u80FD \u2194 \u73AF\u5883\u53D8\u91CF",
+    ""
+  ];
+  for (const feature of AUTH_FEATURES) {
+    lines.push(`### ${feature.name} (\`${feature.id}\`)`);
+    lines.push("");
+    lines.push(feature.description);
+    lines.push("");
+    const vars = varsForFeature(feature.id);
+    lines.push("| \u53D8\u91CF | \u5FC5\u9700 | \u5B58\u653E\u4F4D\u7F6E | \u8BF4\u660E |");
+    lines.push("|------|------|----------|------|");
+    for (const item of vars) {
+      lines.push(
+        `| \`${item.key}\` | ${item.required ? "\u662F" : "\u5426"} | ${item.placement.join(", ")} | ${item.description} |`
+      );
+    }
+    lines.push("");
+  }
+  if (report) {
+    lines.push("## \u5F53\u524D\u68C0\u67E5\u7ED3\u679C");
+    lines.push("");
+    for (const issue of report.issues) {
+      lines.push(`- **${issue.featureName}** (${issue.level}): ${issue.message}`);
+    }
+  }
+  return lines.join("\n");
+}
+function checkAuthEnvFromProcessEnv(extraSnapshot) {
+  const snapshot = {
+    BETTER_AUTH_SECRET: process.env.BETTER_AUTH_SECRET || process.env.NEXTAUTH_SECRET ? "[set]" : void 0,
+    BETTER_AUTH_URL: process.env.BETTER_AUTH_URL ?? process.env.NEXT_PUBLIC_APP_URL,
+    NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
+    BETTER_AUTH_TRUSTED_ORIGINS: process.env.BETTER_AUTH_TRUSTED_ORIGINS,
+    SA2KIT_SMS_PROVIDER: process.env.SA2KIT_SMS_PROVIDER ?? (process.env.NODE_ENV !== "production" ? "console" : void 0),
+    ALIYUN_SMS_ACCESS_KEY_ID: process.env.ALIYUN_SMS_ACCESS_KEY_ID ? "[set]" : void 0,
+    ALIYUN_SMS_ACCESS_KEY_SECRET: process.env.ALIYUN_SMS_ACCESS_KEY_SECRET ? "[set]" : void 0,
+    ALIYUN_SMS_SIGN_NAME: process.env.ALIYUN_SMS_SIGN_NAME,
+    ALIYUN_SMS_TEMPLATE_CODE: process.env.ALIYUN_SMS_TEMPLATE_CODE,
+    SA2KIT_EMAIL_PROVIDER: process.env.SA2KIT_EMAIL_PROVIDER,
+    DATABASE_URL: process.env.DATABASE_URL ? "[set]" : void 0,
+    NODE_ENV: process.env.NODE_ENV,
+    ...extraSnapshot
+  };
+  return checkAuthEnv(snapshot);
+}
+// src/common/auth/server/create-auth-from-env.ts
+function createSa2kitAuthFromEnv(input, options) {
+  const resolved = resolveAuthEnv(input);
+  const report = checkAuthEnv(resolved.envSnapshot);
+  if (options?.logEnvReport !== false) {
+    logAuthEnvReport(report);
+  }
+  return createSa2kitAuth(resolved.config);
+}
 function mountNextAuthHandler(auth) {
   return nextJs.toNextJsHandler(auth);
 }
@@ -164,14 +760,31 @@ Object.defineProperty(exports, "verifications", {
   enumerable: true,
   get: function () { return chunkLGHUCQIU_js.verifications; }
 });
+exports.AUTH_ENV_ALIASES = AUTH_ENV_ALIASES;
+exports.AUTH_ENV_CATALOG = AUTH_ENV_CATALOG;
+exports.AUTH_FEATURES = AUTH_FEATURES;
+exports.checkAuthEnv = checkAuthEnv;
+exports.checkAuthEnvFromProcessEnv = checkAuthEnvFromProcessEnv;
+exports.consumePhoneSignupPassword = consumePhoneSignupPassword;
+exports.createAliyunPnvsSmsProvider = createAliyunPnvsSmsProvider;
 exports.createAuthRouteHandlers = createAuthRouteHandlers;
+exports.createConsoleSmsProvider = createConsoleSmsProvider;
 exports.createSa2kitAuth = createSa2kitAuth;
+exports.createSa2kitAuthFromEnv = createSa2kitAuthFromEnv;
 exports.createSessionValidator = createSessionValidator;
+exports.createSmsProviderFromEnv = createSmsProviderFromEnv;
 exports.defaultPhoneValidator = defaultPhoneValidator;
 exports.defaultTempEmailFromPhone = defaultTempEmailFromPhone;
+exports.formatAuthEnvSetupMarkdown = formatAuthEnvSetupMarkdown;
 exports.getSessionUser = getSessionUser;
 exports.getSessionUserNumeric = getSessionUserNumeric;
+exports.handlePhoneSignupIntentRequest = handlePhoneSignupIntentRequest;
+exports.logAuthEnvReport = logAuthEnvReport;
 exports.mountAuthHandler = mountAuthHandler;
 exports.mountNextAuthHandler = mountNextAuthHandler;
+exports.resolveAuthEnv = resolveAuthEnv;
+exports.resolveSmsProviderId = resolveSmsProviderId;
+exports.stashPhoneSignupPassword = stashPhoneSignupPassword;
+exports.upsertCredentialPassword = upsertCredentialPassword;
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map