objectstack-ai
diff --git a/‎packages/plugins/better-auth/README.md‎
Lines changed: 128 additions & 0 deletions b/‎packages/plugins/better-auth/README.md‎
Lines changed: 128 additions & 0 deletions
diff --git a/‎packages/plugins/better-auth/package.json‎
Lines changed: 28 additions & 0 deletions b/‎packages/plugins/better-auth/package.json‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎packages/plugins/better-auth/src/auth-client.ts‎
Lines changed: 158 additions & 0 deletions b/‎packages/plugins/better-auth/src/auth-client.ts‎
Lines changed: 158 additions & 0 deletions
diff --git a/‎packages/plugins/better-auth/src/index.ts‎
Lines changed: 33 additions & 0 deletions b/‎packages/plugins/better-auth/src/index.ts‎
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,128 @@
+# @objectos/plugin-better-auth
+
+Authentication plugin for ObjectOS based on [Better-Auth](https://www.better-auth.com/) library.
+
+## Features
+
+- 🔐 **Email/Password Authentication** - Built-in email and password authentication
+- 🏢 **Organization Management** - Multi-tenant organization support with teams
+- 👥 **Role-Based Access Control (RBAC)** - Flexible role and permission system
+- 💾 **Multi-Database Support** - Works with PostgreSQL, MongoDB, and SQLite
+- 🔌 **Plugin Architecture** - Follows ObjectOS plugin lifecycle and conventions
+
+## Installation
+
+This plugin is part of the ObjectOS monorepo. It's already available in the workspace.
+
+```bash
+pnpm install
+```
+
+## Usage
+
+### Basic Usage
+
+```typescript
+import { ObjectOS } from '@objectos/kernel';
+import { BetterAuthPlugin } from '@objectos/plugin-better-auth';
+
+const os = new ObjectOS({
+  plugins: [BetterAuthPlugin],
+  // ... other config
+});
+
+await os.init();
+```
+
+### Custom Configuration
+
+```typescript
+import { createBetterAuthPlugin } from '@objectos/plugin-better-auth';
+
+const customAuthPlugin = createBetterAuthPlugin({
+  databaseUrl: 'postgres://localhost:5432/mydb',
+  baseURL: 'https://myapp.com/api/auth',
+  trustedOrigins: ['https://myapp.com', 'https://app.myapp.com']
+});
+
+const os = new ObjectOS({
+  plugins: [customAuthPlugin],
+  // ... other config
+});
+```
+
+## API Endpoints
+
+Once enabled, the plugin registers the following authentication endpoints:
+
+- `POST /api/auth/sign-up` - User registration
+- `POST /api/auth/sign-in/email` - Email/password login
+- `POST /api/auth/sign-out` - Logout
+- `GET /api/auth/get-session` - Get current session
+- And more... (see [Better-Auth documentation](https://www.better-auth.com/docs))
+
+## Configuration Options
+
+### BetterAuthPluginOptions
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `databaseUrl` | `string` | `process.env.OBJECTQL_DATABASE_URL` | Database connection string |
+| `baseURL` | `string` | `http://localhost:3000/api/auth` | Base URL for authentication endpoints |
+| `trustedOrigins` | `string[]` | `['http://localhost:5173', 'http://localhost:3000']` | Allowed origins for CORS |
+
+## Database Support
+
+The plugin automatically detects the database type from the connection string:
+
+- **PostgreSQL**: `postgres://...` or `postgresql://...`
+- **MongoDB**: `mongodb://...`
+- **SQLite**: `sqlite:...` or any other (default)
+
+### First User Setup
+
+The first user to register automatically receives the `super_admin` role. Subsequent users get the `user` role by default.
+
+## Organization & Roles
+
+The plugin includes Better-Auth's organization plugin with the following default roles:
+
+- **owner** - Full organization control
+- **admin** - Organization management (cannot delete organization)
+- **user** - Read-only access
+
+## Plugin Lifecycle
+
+The plugin implements all standard ObjectOS plugin lifecycle hooks:
+
+- `onInstall` - Stores installation metadata
+- `onEnable` - Initializes Better-Auth and registers routes
+- `onDisable` - Gracefully disables authentication (preserves data)
+- `onUninstall` - Cleans up plugin storage (preserves user data)
+
+## Events
+
+The plugin contributes the following events to the ObjectOS event system:
+
+- `auth.user.created` - Fired when a new user is created
+- `auth.user.login` - Fired when a user logs in
+- `auth.user.logout` - Fired when a user logs out
+- `auth.session.created` - Fired when a new session is created
+- `auth.session.expired` - Fired when a session expires
+
+## Security
+
+- First user automatically becomes `super_admin`
+- Supports CORS with configurable trusted origins
+- Session-based authentication with secure cookies
+- Database hooks for user creation validation
+
+## License
+
+AGPL-3.0
+
+## Related
+
+- [Better-Auth Documentation](https://www.better-auth.com/docs)
+- [ObjectOS Documentation](../../README.md)
+- [@objectstack/spec](https://github.com/objectstack-ai/spec)
@@ -0,0 +1,28 @@
+{
+  "name": "@objectos/plugin-better-auth",
+  "version": "0.1.0",
+  "license": "AGPL-3.0",
+  "description": "Better-Auth authentication plugin for ObjectOS",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "test": "jest --passWithNoTests"
+  },
+  "dependencies": {
+    "@objectstack/spec": "0.6.0",
+    "better-auth": "^1.4.10",
+    "better-sqlite3": "^12.6.0",
+    "mongodb": "^7.0.0",
+    "pg": "^8.11.3"
+  },
+  "devDependencies": {
+    "@types/node": "^20.10.0",
+    "@types/pg": "^8.11.0",
+    "@types/better-sqlite3": "^7.6.0",
+    "typescript": "^5.9.3"
+  },
+  "peerDependencies": {
+    "@objectql/core": "^3.0.1"
+  }
+}
@@ -0,0 +1,158 @@
+/**
+ * Better-Auth Client Configuration
+ * 
+ * This module provides the Better-Auth instance configuration
+ * with support for multiple database backends (PostgreSQL, MongoDB, SQLite)
+ */
+
+let authInstance: any;
+
+export interface BetterAuthConfig {
+    databaseUrl?: string;
+    baseURL?: string;
+    trustedOrigins?: string[];
+}
+
+export const getBetterAuth = async (config: BetterAuthConfig = {}) => {
+    if (authInstance) return authInstance;
+    
+    const { betterAuth } = await import("better-auth");
+    const { organization } = await import("better-auth/plugins");
+    const { role } = await import("better-auth/plugins/access");
+    
+    try {
+        let database;
+        const dbUrl = config.databaseUrl || process.env.OBJECTQL_DATABASE_URL;
+        const isPostgres = dbUrl && dbUrl.startsWith('postgres');
+        const isMongo = dbUrl && dbUrl.startsWith('mongodb');
+
+        // Initialize database connection based on database type
+        if (isPostgres) {
+            const { Pool } = await import("pg");
+            database = new Pool({
+                connectionString: dbUrl!
+            });
+        } else if (isMongo) {
+            const { MongoClient } = await import("mongodb");
+            const client = new MongoClient(dbUrl!);
+            await client.connect();
+            database = client.db();
+        } else {
+            const sqlite3Import = await import("better-sqlite3");
+            // Handle both ESM/Interop (default export) and CJS (direct export)
+            const Database = (sqlite3Import.default || sqlite3Import) as any;
+            const filename = (dbUrl && dbUrl.replace('sqlite:', '')) ? (dbUrl && dbUrl.replace('sqlite:', '')) : 'objectos.db';
+            console.log(`[Better-Auth Plugin] Initializing with SQLite database: ${filename}`);
+            database = new Database(filename);
+        }
+
+        // Configure Better-Auth with organization and role plugins
+        authInstance = betterAuth({
+            database: database,
+            baseURL: config.baseURL || process.env.BETTER_AUTH_URL || "http://localhost:3000/api/auth",
+            trustedOrigins: config.trustedOrigins || [
+                "http://localhost:5173", 
+                "http://localhost:3000", 
+                "http://[::1]:3000", 
+                "http://[::1]:5173"
+            ],
+            emailAndPassword: {
+                enabled: true
+            },
+            user: {
+                additionalFields: {
+                    role: {
+                        type: "string",
+                        required: false,
+                        defaultValue: 'user',
+                        input: false
+                    }
+                }
+            },
+            databaseHooks: {
+                user: {
+                    create: {
+                        before: async (user) => {
+                            try {
+                                let count = 0;
+                                
+                                // Get user count to determine if this is the first user (admin)
+                                if (isPostgres) {
+                                    const result = await database.query('SELECT count(*) FROM "user"');
+                                    count = parseInt(result.rows[0].count);
+                                } else if (isMongo) {
+                                    const collection = database.collection('user');
+                                    count = await collection.countDocuments();
+                                } else {
+                                    try {
+                                        const stmt = database.prepare('SELECT count(*) as count FROM user');
+                                        const result = stmt.get() as any;
+                                        count = result.count;
+                                    } catch {
+                                        count = 0;
+                                    }
+                                }
+
+                                // First user gets super_admin role
+                                const role = count === 0 ? 'super_admin' : 'user';
+                                console.log(`[Better-Auth Plugin] Creating user with role: ${role} (current count: ${count})`);
+                                
+                                return {
+                                    data: {
+                                        ...user,
+                                        role
+                                    }
+                                };
+                            } catch (e) {
+                                console.error("[Better-Auth Plugin] Error in user create hook:", e);
+                                return { data: user };
+                            }
+                        }
+                    }
+                }
+            },
+            plugins: [
+                organization({
+                    dynamicAccessControl: {
+                        enabled: true
+                    },
+                    teams: {
+                        enabled: true
+                    },
+                    creatorRole: 'owner',
+                    roles: {
+                        owner: role({
+                            organization: ['update', 'delete', 'read'],
+                            member: ['create', 'update', 'delete', 'read'],
+                            invitation: ['create', 'cancel', 'read'],
+                            team: ['create', 'update', 'delete', 'read']
+                        }),
+                        admin: role({
+                            organization: ['update', 'read'],
+                            member: ['create', 'update', 'delete', 'read'],
+                            invitation: ['create', 'cancel', 'read'],
+                            team: ['create', 'update', 'delete', 'read']
+                        }),
+                        user: role({
+                            organization: ['read'],
+                            member: ['read'],
+                            team: ['read']
+                        })
+                    }
+                })
+            ]
+        });
+        
+        console.log('[Better-Auth Plugin] Initialized successfully');
+        return authInstance;
+    } catch (e: any) {
+        console.error("[Better-Auth Plugin] Initialization Error:", e);
+        throw e;
+    }
+};
+
+export const resetAuthInstance = () => {
+    authInstance = undefined;
+};
+
+export default { getBetterAuth, resetAuthInstance };
@@ -0,0 +1,33 @@
+/**
+ * @objectos/plugin-better-auth
+ * 
+ * Authentication plugin for ObjectOS based on Better-Auth library
+ * 
+ * @example
+ * ```typescript
+ * import { BetterAuthPlugin, createBetterAuthPlugin } from '@objectos/plugin-better-auth';
+ * 
+ * // Use default plugin
+ * const os = new ObjectOS({
+ *   plugins: [BetterAuthPlugin]
+ * });
+ * 
+ * // Or create with custom configuration
+ * const customAuthPlugin = createBetterAuthPlugin({
+ *   databaseUrl: 'postgres://localhost:5432/mydb',
+ *   baseURL: 'https://myapp.com/api/auth',
+ *   trustedOrigins: ['https://myapp.com']
+ * });
+ * ```
+ */
+
+export {
+    BetterAuthPlugin,
+    BetterAuthManifest,
+    createBetterAuthPlugin,
+    getBetterAuth,
+    type BetterAuthPluginOptions,
+    type BetterAuthConfig,
+} from './plugin';
+
+export { resetAuthInstance } from './auth-client';