refactor: address code review feedback for auth client refactoring

- Simplify window origin detection into separate getWindowOrigin helper
- Define proper ForgetPasswordFn type for better-auth method access
- Throw error instead of returning empty AuthUser on updateUser failure
- Replace nested ternary with if-else in test URL extraction

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

ROADMAP.md

@@ -1305,7 +1305,7 @@ Plugin architecture refactoring to support true modular development, plugin isol
 **Fix:**
 1. Added `AuthPlugin` from `@objectstack/plugin-auth` to `objectstack.config.ts` for server mode (`pnpm dev:server`).
 2. Created `authHandlers.ts` with in-memory mock implementations of better-auth endpoints for MSW mode (`pnpm dev`). Mock handlers are added to `customHandlers` in both `browser.ts` and `server.ts`.
-3. Mock handlers support: sign-up/email, sign-in/email, get-session, sign-out, forgot-password, reset-password, update-user.
+3. Mock handlers support: sign-up/email, sign-in/email, get-session, sign-out, forget-password (better-auth convention), reset-password, update-user.
 
 **Tests:** 11 new auth handler tests, all existing MSW (7) and auth (24) tests pass.
 

apps/console/src/__tests__/authHandlers.test.ts

@@ -143,8 +143,8 @@ describe('Mock Auth Handlers', () => {
     expect(sessionRes.status).toBe(401);
   });
 
-  it('should handle forgot-password', async () => {
-    const res = await fetch(`${BASE_URL}/forgot-password`, {
+  it('should handle forget-password', async () => {
+    const res = await fetch(`${BASE_URL}/forget-password`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ email: 'alice@example.com' }),

packages/auth/README.md

@@ -8,7 +8,7 @@ Authentication system for Object UI — AuthProvider, guards, login/register for
 - 🛡️ **AuthGuard** - Protect routes and components from unauthenticated access
 - 📝 **Pre-built Forms** - LoginForm, RegisterForm, and ForgotPasswordForm ready to use
 - 👤 **UserMenu** - Display authenticated user info with sign-out support
-- 🔑 **Auth Client Factory** - `createAuthClient` for pluggable backend integration
+- 🔑 **Auth Client Factory** - `createAuthClient` powered by official [better-auth](https://better-auth.com) client
 - 🌐 **Authenticated Fetch** - `createAuthenticatedFetch` for automatic token injection
 - 👀 **Preview Mode** - Auto-login with simulated identity for marketplace demos and app showcases
 - 🎯 **Type-Safe** - Full TypeScript support with exported types
@@ -30,8 +30,7 @@ import { AuthProvider, useAuth, AuthGuard } from '@object-ui/auth';
 import { createAuthClient } from '@object-ui/auth';
 
 const authClient = createAuthClient({
-  provider: 'custom',
-  apiUrl: 'https://api.example.com/auth',
+  baseURL: 'https://api.example.com/auth',
 });
 
 function App() {

packages/auth/src/__tests__/createAuthClient.test.ts

@@ -13,7 +13,14 @@ import type { AuthClient } from '../types';
 function createMockFetch(handlers: Record<string, { status?: number; body: unknown }>) {
   const calls: Array<{ url: string; method: string; body: string | null }> = [];
   const mockFn = vi.fn(async (input: string | URL | Request, init?: RequestInit) => {
-    const url = typeof input === 'string' ? input : input instanceof URL ? input.toString() : input.url;
+    let url: string;
+    if (typeof input === 'string') {
+      url = input;
+    } else if (input instanceof URL) {
+      url = input.toString();
+    } else {
+      url = input.url;
+    }
     calls.push({ url, method: init?.method ?? 'GET', body: init?.body as string | null });
     for (const [pattern, handler] of Object.entries(handlers)) {
       if (url.includes(pattern)) {

packages/auth/src/createAuthClient.ts

@@ -23,16 +23,23 @@ function resolveAuthURL(baseURL: string): { origin: string; basePath: string } {
     return { origin: url.origin, basePath: url.pathname.replace(/\/$/, '') };
   } catch {
     // Relative URL – resolve against the current origin when available
-    const origin =
-      typeof globalThis !== 'undefined' &&
-      typeof (globalThis as Record<string, unknown>).window !== 'undefined' &&
-      (globalThis as Record<string, unknown> & { window: { location?: { origin?: string } } }).window?.location?.origin
-        ? String((globalThis as Record<string, unknown> & { window: { location: { origin: string } } }).window.location.origin)
-        : 'http://localhost';
+    const origin = getWindowOrigin() ?? 'http://localhost';
     return { origin, basePath: baseURL.replace(/\/$/, '') };
   }
 }
 
+/** Safely read window.location.origin when available (browser environments). */
+function getWindowOrigin(): string | undefined {
+  try {
+    if (typeof window !== 'undefined' && window.location?.origin) {
+      return window.location.origin;
+    }
+  } catch {
+    // window may be defined but accessing location can throw in some SSR environments
+  }
+  return undefined;
+}
+
 /**
  * Create an auth client instance backed by the official better-auth client.
  *
@@ -104,8 +111,11 @@ export function createAuthClient(config: AuthClientConfig): AuthClient {
     },
 
     async forgotPassword(email: string) {
-      // better-auth spells this "forgetPassword"; cast to access it
-      const forgetPw = (betterAuth as unknown as Record<string, (opts: unknown) => Promise<{ error: { message?: string; status: number } | null }>>).forgetPassword;
+      // better-auth uses "forgetPassword" (without the "o"); the method
+      // exists at runtime but is not present in the default TS types.
+      type ForgetPasswordFn = (opts: { email: string; redirectTo: string }) =>
+        Promise<{ error: { message?: string; status: number } | null }>;
+      const forgetPw = (betterAuth as unknown as { forgetPassword: ForgetPasswordFn }).forgetPassword;
       const { error } = await forgetPw({ email, redirectTo: '/' });
       if (error) {
         throw new Error(error.message ?? `Auth request failed with status ${error.status}`);
@@ -124,10 +134,12 @@ export function createAuthClient(config: AuthClientConfig): AuthClient {
       if (error) {
         throw new Error(error.message ?? `Auth request failed with status ${error.status}`);
       }
+      if (!data) {
+        throw new Error('Update user returned no data');
+      }
       // The server response may wrap the user in a `user` key or return it directly
       const raw = data as unknown as Record<string, unknown>;
-      const user = (raw && typeof raw === 'object' && 'user' in raw ? raw.user : raw) as AuthUser;
-      return user ?? ({} as AuthUser);
+      return (raw && typeof raw === 'object' && 'user' in raw ? raw.user : raw) as AuthUser;
     },
   };
 }