Add auth endpoint specification and update client to use better-auth paths

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

content/docs/references/api/auth.mdx

@@ -1,18 +1,136 @@
 ---
 title: Auth
-description: Auth protocol schemas
+description: Auth protocol schemas and endpoints
 ---
 
 Authentication Service Protocol
 
 Defines the standard API contracts for Identity, Session Management,
-
 and Access Control.
 
 <Callout type="info">
-**Source:** `packages/spec/src/api/auth.zod.ts`
+**Source:** `packages/spec/src/api/auth.zod.ts`, `packages/spec/src/api/auth-endpoints.zod.ts`
 </Callout>
 
+## Endpoints
+
+The authentication service uses [better-auth](https://www.better-auth.com/) endpoints as the canonical API contract.
+All endpoints are relative to the auth base path (default: `/api/v1/auth`).
+
+### Email/Password Authentication
+
+| Endpoint | Method | Path | Description |
+| :--- | :--- | :--- | :--- |
+| **Sign In** | `POST` | `/sign-in/email` | Sign in with email and password |
+| **Sign Up** | `POST` | `/sign-up/email` | Register new user with email and password |
+| **Sign Out** | `POST` | `/sign-out` | Sign out current user |
+
+### Session Management
+
+| Endpoint | Method | Path | Description |
+| :--- | :--- | :--- | :--- |
+| **Get Session** | `GET` | `/get-session` | Get current user session |
+
+### Password Management
+
+| Endpoint | Method | Path | Description |
+| :--- | :--- | :--- | :--- |
+| **Forget Password** | `POST` | `/forget-password` | Request password reset email |
+| **Reset Password** | `POST` | `/reset-password` | Reset password with token |
+
+### Email Verification
+
+| Endpoint | Method | Path | Description |
+| :--- | :--- | :--- | :--- |
+| **Send Verification** | `POST` | `/send-verification-email` | Send email verification link |
+| **Verify Email** | `GET` | `/verify-email` | Verify email with token |
+
+### OAuth (when providers configured)
+
+| Endpoint | Method | Path | Description |
+| :--- | :--- | :--- | :--- |
+| **Authorize** | `GET` | `/authorize/:provider` | Start OAuth flow |
+| **Callback** | `GET` | `/callback/:provider` | OAuth callback |
+
+### 2FA (when enabled)
+
+| Endpoint | Method | Path | Description |
+| :--- | :--- | :--- | :--- |
+| **Enable 2FA** | `POST` | `/two-factor/enable` | Enable two-factor authentication |
+| **Verify 2FA** | `POST` | `/two-factor/verify` | Verify 2FA code |
+
+### Passkeys (when enabled)
+
+| Endpoint | Method | Path | Description |
+| :--- | :--- | :--- | :--- |
+| **Register Passkey** | `POST` | `/passkey/register` | Register a passkey |
+| **Authenticate** | `POST` | `/passkey/authenticate` | Authenticate with passkey |
+
+### Magic Links (when enabled)
+
+| Endpoint | Method | Path | Description |
+| :--- | :--- | :--- | :--- |
+| **Send Magic Link** | `POST` | `/magic-link/send` | Send magic link email |
+| **Verify Magic Link** | `GET` | `/magic-link/verify` | Verify magic link |
+
+## Usage Examples
+
+### Using the ObjectStack Client
+
+```typescript
+import { ObjectStackClient } from '@objectstack/client';
+
+const client = new ObjectStackClient({
+  baseUrl: 'http://localhost:3000'
+});
+
+// Register
+await client.auth.register({
+  email: 'user@example.com',
+  password: 'SecurePassword123!',
+  name: 'John Doe'
+});
+
+// Login
+await client.auth.login({
+  type: 'email',
+  email: 'user@example.com',
+  password: 'SecurePassword123!'
+});
+
+// Get session
+const session = await client.auth.me();
+
+// Logout
+await client.auth.logout();
+```
+
+### Using Direct API Calls
+
+```bash
+# Register
+curl -X POST http://localhost:3000/api/v1/auth/sign-up/email \
+  -H "Content-Type: application/json" \
+  -d '{"email":"user@example.com","password":"SecurePassword123!","name":"John Doe"}'
+
+# Login
+curl -X POST http://localhost:3000/api/v1/auth/sign-in/email \
+  -H "Content-Type: application/json" \
+  -d '{"email":"user@example.com","password":"SecurePassword123!"}'
+
+# Get session
+curl http://localhost:3000/api/v1/auth/get-session \
+  -H "Authorization: Bearer YOUR_TOKEN"
+
+# Logout
+curl -X POST http://localhost:3000/api/v1/auth/sign-out \
+  -H "Authorization: Bearer YOUR_TOKEN"
+```
+
+---
+
+## Request/Response Schemas
+
 ## TypeScript Usage
 
 ```typescript

packages/client/src/index.ts

@@ -479,9 +479,13 @@ export class ObjectStackClient {
    * Authentication Services
    */
   auth = {
+    /**
+     * Login with email and password
+     * Uses better-auth endpoint: POST /sign-in/email
+     */
     login: async (request: LoginRequest): Promise<SessionResponse> => {
         const route = this.getRoute('auth');
-        const res = await this.fetch(`${this.baseUrl}${route}/login`, {
+        const res = await this.fetch(`${this.baseUrl}${route}/sign-in/email`, {
             method: 'POST',
             body: JSON.stringify(request)
         });
@@ -493,24 +497,33 @@ export class ObjectStackClient {
         return data;
     },
 
+    /**
+     * Logout current user
+     * Uses better-auth endpoint: POST /sign-out
+     */
     logout: async () => {
         const route = this.getRoute('auth');
-        await this.fetch(`${this.baseUrl}${route}/logout`, { method: 'POST' });
+        await this.fetch(`${this.baseUrl}${route}/sign-out`, { method: 'POST' });
         this.token = undefined;
     },
 
+    /**
+     * Get current user session
+     * Uses better-auth endpoint: GET /get-session
+     */
     me: async (): Promise<SessionResponse> => {
         const route = this.getRoute('auth');
-        const res = await this.fetch(`${this.baseUrl}${route}/me`);
+        const res = await this.fetch(`${this.baseUrl}${route}/get-session`);
         return res.json();
     },
 
     /**
      * Register a new user account
+     * Uses better-auth endpoint: POST /sign-up/email
      */
     register: async (request: RegisterRequest): Promise<SessionResponse> => {
       const route = this.getRoute('auth');
-      const res = await this.fetch(`${this.baseUrl}${route}/register`, {
+      const res = await this.fetch(`${this.baseUrl}${route}/sign-up/email`, {
         method: 'POST',
         body: JSON.stringify(request)
       });
@@ -523,12 +536,14 @@ export class ObjectStackClient {
 
     /**
      * Refresh an authentication token
+     * Note: better-auth handles token refresh automatically via /get-session
      */
     refreshToken: async (refreshToken: string): Promise<SessionResponse> => {
       const route = this.getRoute('auth');
-      const res = await this.fetch(`${this.baseUrl}${route}/refresh`, {
-        method: 'POST',
-        body: JSON.stringify({ refreshToken })
+      // better-auth doesn't have a separate refresh endpoint
+      // Session refresh is handled automatically when calling /get-session
+      const res = await this.fetch(`${this.baseUrl}${route}/get-session`, {
+        method: 'GET'
       });
       const data = await res.json();
       if (data.data?.token) {

packages/spec/src/api/auth-endpoints.test.ts

@@ -0,0 +1,145 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { describe, it, expect } from 'vitest';
+import {
+  AuthEndpointPaths,
+  AuthEndpointSchema,
+  AuthEndpointAliases,
+  EndpointMapping,
+  getAuthEndpointUrl,
+} from './auth-endpoints.zod';
+
+describe('AuthEndpointPaths', () => {
+  it('should define email/password authentication endpoints', () => {
+    expect(AuthEndpointPaths.signInEmail).toBe('/sign-in/email');
+    expect(AuthEndpointPaths.signUpEmail).toBe('/sign-up/email');
+    expect(AuthEndpointPaths.signOut).toBe('/sign-out');
+  });
+
+  it('should define session management endpoints', () => {
+    expect(AuthEndpointPaths.getSession).toBe('/get-session');
+  });
+
+  it('should define password management endpoints', () => {
+    expect(AuthEndpointPaths.forgetPassword).toBe('/forget-password');
+    expect(AuthEndpointPaths.resetPassword).toBe('/reset-password');
+  });
+
+  it('should define email verification endpoints', () => {
+    expect(AuthEndpointPaths.sendVerificationEmail).toBe('/send-verification-email');
+    expect(AuthEndpointPaths.verifyEmail).toBe('/verify-email');
+  });
+
+  it('should define 2FA endpoints', () => {
+    expect(AuthEndpointPaths.twoFactorEnable).toBe('/two-factor/enable');
+    expect(AuthEndpointPaths.twoFactorVerify).toBe('/two-factor/verify');
+  });
+
+  it('should define passkey endpoints', () => {
+    expect(AuthEndpointPaths.passkeyRegister).toBe('/passkey/register');
+    expect(AuthEndpointPaths.passkeyAuthenticate).toBe('/passkey/authenticate');
+  });
+
+  it('should define magic link endpoints', () => {
+    expect(AuthEndpointPaths.magicLinkSend).toBe('/magic-link/send');
+    expect(AuthEndpointPaths.magicLinkVerify).toBe('/magic-link/verify');
+  });
+});
+
+describe('AuthEndpointSchema', () => {
+  it('should validate signInEmail endpoint', () => {
+    const endpoint = AuthEndpointSchema.shape.signInEmail.parse({
+      method: 'POST',
+      path: '/sign-in/email',
+      description: 'Sign in with email and password',
+    });
+
+    expect(endpoint.method).toBe('POST');
+    expect(endpoint.path).toBe('/sign-in/email');
+  });
+
+  it('should validate signUpEmail endpoint', () => {
+    const endpoint = AuthEndpointSchema.shape.signUpEmail.parse({
+      method: 'POST',
+      path: '/sign-up/email',
+      description: 'Register new user with email and password',
+    });
+
+    expect(endpoint.method).toBe('POST');
+    expect(endpoint.path).toBe('/sign-up/email');
+  });
+
+  it('should validate getSession endpoint', () => {
+    const endpoint = AuthEndpointSchema.shape.getSession.parse({
+      method: 'GET',
+      path: '/get-session',
+      description: 'Get current user session',
+    });
+
+    expect(endpoint.method).toBe('GET');
+    expect(endpoint.path).toBe('/get-session');
+  });
+
+  it('should reject invalid HTTP method', () => {
+    expect(() =>
+      AuthEndpointSchema.shape.signInEmail.parse({
+        method: 'GET', // Should be POST
+        path: '/sign-in/email',
+        description: 'Sign in with email and password',
+      })
+    ).toThrow();
+  });
+
+  it('should reject invalid path', () => {
+    expect(() =>
+      AuthEndpointSchema.shape.signInEmail.parse({
+        method: 'POST',
+        path: '/wrong-path', // Should be /sign-in/email
+        description: 'Sign in with email and password',
+      })
+    ).toThrow();
+  });
+});
+
+describe('AuthEndpointAliases', () => {
+  it('should map common names to canonical endpoints', () => {
+    expect(AuthEndpointAliases.login).toBe('/sign-in/email');
+    expect(AuthEndpointAliases.register).toBe('/sign-up/email');
+    expect(AuthEndpointAliases.logout).toBe('/sign-out');
+    expect(AuthEndpointAliases.me).toBe('/get-session');
+  });
+});
+
+describe('EndpointMapping', () => {
+  it('should map legacy paths to canonical paths', () => {
+    expect(EndpointMapping['/login']).toBe('/sign-in/email');
+    expect(EndpointMapping['/register']).toBe('/sign-up/email');
+    expect(EndpointMapping['/logout']).toBe('/sign-out');
+    expect(EndpointMapping['/me']).toBe('/get-session');
+    expect(EndpointMapping['/refresh']).toBe('/get-session');
+  });
+});
+
+describe('getAuthEndpointUrl', () => {
+  it('should construct full endpoint URLs', () => {
+    const basePath = '/api/v1/auth';
+
+    expect(getAuthEndpointUrl(basePath, 'signInEmail')).toBe('/api/v1/auth/sign-in/email');
+    expect(getAuthEndpointUrl(basePath, 'signUpEmail')).toBe('/api/v1/auth/sign-up/email');
+    expect(getAuthEndpointUrl(basePath, 'getSession')).toBe('/api/v1/auth/get-session');
+  });
+
+  it('should handle trailing slash in basePath', () => {
+    const basePath = '/api/v1/auth/';
+
+    expect(getAuthEndpointUrl(basePath, 'signInEmail')).toBe('/api/v1/auth/sign-in/email');
+    expect(getAuthEndpointUrl(basePath, 'getSession')).toBe('/api/v1/auth/get-session');
+  });
+
+  it('should work with different base paths', () => {
+    expect(getAuthEndpointUrl('/custom/auth', 'signInEmail')).toBe('/custom/auth/sign-in/email');
+    expect(getAuthEndpointUrl('http://localhost:3000/api/auth', 'signUpEmail')).toBe(
+      'http://localhost:3000/api/auth/sign-up/email'
+    );
+  });
+});