Merge pull request #1173 from objectstack-ai/copilot/fix-issue-1172

plugin-auth: always register better-auth `bearer()` for cross-origin / mobile token auth

Author: xuyushun441-sys

packages/plugins/plugin-auth/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## Unreleased
+
+### Minor Changes
+
+- Always register better-auth's `bearer()` plugin so cross-origin browsers
+  (where third-party cookies are blocked) and native mobile clients can
+  authenticate via `Authorization: Bearer <token>` headers and pick up
+  rotated tokens from the `set-auth-token` response header (fixes #1172).
+
 ## 4.0.4
 
 ### Patch Changes

packages/plugins/plugin-auth/README.md

@@ -28,6 +28,9 @@ Authentication & Identity Plugin for ObjectStack.
 - ✅ **Passkeys** - WebAuthn/Passkey support (when enabled)
 - ✅ **Magic Links** - Passwordless authentication (when enabled)
 - ✅ **Organizations** - Multi-tenant support (when enabled)
+- ✅ **Bearer-token Auth** - Cross-origin and mobile clients can authenticate
+  via `Authorization: Bearer <token>` and receive rotated tokens on the
+  `set-auth-token` response header (always enabled, no config required).
 
 ### ObjectQL-Based Database Architecture
 - ✅ **Native ObjectQL Data Persistence** - Uses ObjectQL's IDataEngine interface

packages/plugins/plugin-auth/src/auth-manager.test.ts

@@ -299,7 +299,7 @@ describe('AuthManager', () => {
   });
 
   describe('plugin registration', () => {
-    it('should not include any plugins when no plugin config is provided', () => {
+    it('should always register the bearer plugin even with no plugin config', () => {
       let capturedConfig: any;
       (betterAuth as any).mockImplementation((config: any) => {
         capturedConfig = config;
@@ -314,7 +314,7 @@ describe('AuthManager', () => {
       manager.getAuthInstance();
       warnSpy.mockRestore();
 
-      expect(capturedConfig.plugins).toEqual([]);
+      expect(capturedConfig.plugins.map((p: any) => p.id)).toEqual(['bearer']);
     });
 
     it('should register organization plugin with schema mapping when enabled', () => {
@@ -404,13 +404,35 @@ describe('AuthManager', () => {
       manager.getAuthInstance();
       warnSpy.mockRestore();
 
-      expect(capturedConfig.plugins).toHaveLength(3);
+      expect(capturedConfig.plugins).toHaveLength(4);
       expect(capturedConfig.plugins.map((p: any) => p.id).sort()).toEqual(
-        ['magic-link', 'organization', 'two-factor'],
+        ['bearer', 'magic-link', 'organization', 'two-factor'],
       );
     });
   });
 
+  describe('bearer plugin (cross-origin / mobile token auth)', () => {
+    it('should always register the bearer plugin regardless of other flags', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        plugins: { organization: true },
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      const bearerPlugin = capturedConfig.plugins.find((p: any) => p.id === 'bearer');
+      expect(bearerPlugin).toBeDefined();
+    });
+  });
+
   describe('trustedOrigins passthrough', () => {
     it('should forward trustedOrigins to betterAuth when provided', () => {
       let capturedConfig: any;

packages/plugins/plugin-auth/src/auth-manager.ts

@@ -5,6 +5,7 @@ import type { Auth, BetterAuthOptions } from 'better-auth';
 import { organization } from 'better-auth/plugins/organization';
 import { twoFactor } from 'better-auth/plugins/two-factor';
 import { magicLink } from 'better-auth/plugins/magic-link';
+import { bearer } from 'better-auth/plugins/bearer';
 import type {
   AuthConfig,
   EmailAndPasswordConfig,
@@ -204,6 +205,22 @@ export class AuthManager {
     const pluginConfig = this.config.plugins;
     const plugins: any[] = [];
 
+    // bearer() — ALWAYS enabled.
+    //
+    // Enables token-based authentication for cross-origin and mobile clients
+    // where third-party cookies are blocked (e.g. Safari ITP, Chrome CHIPS,
+    // native apps). The plugin:
+    //   • Accepts `Authorization: Bearer <token>` on incoming requests and
+    //     transparently resolves the session as if a cookie had been sent.
+    //   • Emits a `set-auth-token` response header on sign-in / session-refresh
+    //     that the client can store (e.g. in `localStorage`) and replay on
+    //     subsequent requests.
+    //
+    // This mirrors how Salesforce, Notion, Supabase and first-party mobile
+    // SDKs handle auth. Cookie-based auth remains available for same-origin
+    // browser deployments; bearer is additive, not a replacement.
+    plugins.push(bearer());
+
     if (pluginConfig?.organization) {
       plugins.push(organization({
         schema: buildOrganizationPluginSchema(),

packages/plugins/plugin-hono-server/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @objectstack/plugin-hono-server
 
+## Unreleased
+
+### Minor Changes
+
+- CORS middleware now exposes `set-auth-token` by default so clients can
+  capture rotated bearer tokens emitted by `@objectstack/plugin-auth`.
+- `HonoCorsOptions` accepts `allowHeaders` and `exposeHeaders`. User-supplied
+  `exposeHeaders` are merged with the `set-auth-token` default.
+
 ## 4.0.4
 
 ### Patch Changes

packages/plugins/plugin-hono-server/README.md

@@ -100,6 +100,28 @@ kernel.use(new HonoServerPlugin({
 }));
 ```
 
+### Bearer token auth (`set-auth-token`)
+
+The CORS middleware always includes `set-auth-token` in `Access-Control-Expose-Headers`
+so that `@objectstack/plugin-auth`'s `bearer()` plugin can deliver rotated session
+tokens to cross-origin and mobile clients. `Authorization` is included in
+`Access-Control-Allow-Headers` by default so `Authorization: Bearer <token>`
+requests succeed preflight.
+
+You can contribute additional exposed / allowed headers — `exposeHeaders`
+entries you supply are **merged** with the `set-auth-token` default:
+
+```typescript
+kernel.use(new HonoServerPlugin({
+  cors: {
+    origins: ['https://app.example.com'],
+    credentials: true,
+    exposeHeaders: ['X-Request-Id'],           // in addition to set-auth-token
+    allowHeaders: ['Content-Type', 'Authorization', 'X-Tenant-Id'],
+  },
+}));
+```
+
 ## Architecture
 
 This plugin wraps `@objectstack/hono` to provide a turnkey HTTP server solution for the Runtime. It binds the standard `HttpDispatcher` to a Hono application and starts listening on the configured port.

packages/plugins/plugin-hono-server/src/adapter.ts

@@ -16,6 +16,22 @@ export interface HonoCorsOptions {
     enabled?: boolean;
     origins?: string | string[];
     methods?: string[];
+    /**
+     * Request headers allowed on preflight (`Access-Control-Allow-Headers`).
+     *
+     * Defaults to `['Content-Type', 'Authorization', 'X-Requested-With']`,
+     * which is sufficient for cookie and bearer-token auth.
+     */
+    allowHeaders?: string[];
+    /**
+     * Response headers exposed to JS (`Access-Control-Expose-Headers`).
+     *
+     * Defaults to `['set-auth-token']` so that better-auth's `bearer()` plugin
+     * can hand rotated session tokens to cross-origin clients. User-supplied
+     * values are merged with this default — `set-auth-token` is always
+     * exposed unless CORS is disabled entirely.
+     */
+    exposeHeaders?: string[];
     credentials?: boolean;
     maxAge?: number;
 }

packages/plugins/plugin-hono-server/src/hono-plugin.test.ts

@@ -33,6 +33,16 @@ vi.mock('./adapter', () => ({
     })
 }));
 
+// Capture the config passed to hono/cors so we can assert allowHeaders / exposeHeaders.
+const corsConfigCapture: { last?: any } = {};
+vi.mock('hono/cors', () => ({
+    cors: vi.fn((config: any) => {
+        corsConfigCapture.last = config;
+        // Return a no-op middleware
+        return async (_c: any, next: any) => next();
+    }),
+}));
+
 describe('HonoServerPlugin', () => {
     let context: any;
     let logger: any;
@@ -232,5 +242,47 @@ describe('HonoServerPlugin', () => {
                 delete process.env.CORS_ENABLED;
             }
         });
+
+        it('should always expose set-auth-token header (for better-auth bearer plugin)', async () => {
+            corsConfigCapture.last = undefined;
+
+            const plugin = new HonoServerPlugin();
+            await plugin.init(context as PluginContext);
+
+            expect(corsConfigCapture.last).toBeDefined();
+            expect(corsConfigCapture.last.exposeHeaders).toContain('set-auth-token');
+            // Default allowHeaders should include Authorization so Bearer tokens work
+            expect(corsConfigCapture.last.allowHeaders).toContain('Authorization');
+        });
+
+        it('should merge user-supplied exposeHeaders with set-auth-token default', async () => {
+            corsConfigCapture.last = undefined;
+
+            const plugin = new HonoServerPlugin({
+                cors: {
+                    exposeHeaders: ['X-Request-Id', 'X-Rate-Limit'],
+                },
+            });
+            await plugin.init(context as PluginContext);
+
+            expect(corsConfigCapture.last.exposeHeaders).toEqual(
+                expect.arrayContaining(['set-auth-token', 'X-Request-Id', 'X-Rate-Limit']),
+            );
+        });
+
+        it('should honor custom allowHeaders while still allowing bearer auth header when explicitly provided', async () => {
+            corsConfigCapture.last = undefined;
+
+            const plugin = new HonoServerPlugin({
+                cors: {
+                    allowHeaders: ['Content-Type', 'Authorization', 'X-Tenant-Id'],
+                },
+            });
+            await plugin.init(context as PluginContext);
+
+            expect(corsConfigCapture.last.allowHeaders).toEqual(
+                ['Content-Type', 'Authorization', 'X-Tenant-Id'],
+            );
+        });
     });
 });

packages/plugins/plugin-hono-server/src/hono-plugin.ts

@@ -209,11 +209,23 @@ export class HonoServerPlugin implements Plugin {
                 }
 
                 const rawApp = this.server.getRawApp();
+                // Always include `set-auth-token` in exposed headers so that
+                // the better-auth `bearer()` plugin can deliver rotated
+                // session tokens to cross-origin clients (see plugin-auth).
+                // User-supplied exposeHeaders are merged with this default.
+                const defaultAllowHeaders = ['Content-Type', 'Authorization', 'X-Requested-With'];
+                const defaultExposeHeaders = ['set-auth-token'];
+                const allowHeaders = corsOpts.allowHeaders ?? defaultAllowHeaders;
+                const exposeHeaders = Array.from(new Set([
+                    ...defaultExposeHeaders,
+                    ...(corsOpts.exposeHeaders ?? []),
+                ]));
+
                 rawApp.use('*', cors({
                     origin: origin as any,
                     allowMethods: corsOpts.methods || ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD', 'OPTIONS'],
-                    allowHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
-                    exposeHeaders: [],
+                    allowHeaders,
+                    exposeHeaders,
                     credentials,
                     maxAge,
                 }));