Use better-auth's universal handler instead of manual API wrappers

[Copilot]

PR #580 implemented manual wrapper methods for each auth endpoint. Better-auth provides a universal handler designed for this use case.

Changes

AuthManager - Replaced manual API wrappers with direct handler delegation:

• Removed 156 lines of placeholder wrapper methods (login, register, logout, etc.)
• Added handleRequest(request: Request): Promise<Response> that forwards to auth.handler()
• Exposed api getter for programmatic access to better-auth methods

AuthPlugin - Switched from individual routes to wildcard routing:

• Replaced ~10 individual route handlers with single wildcard route basePath/*
• Added path rewriting to map /api/v1/auth/sign-in/email → /sign-in/email for better-auth compatibility
• Added runtime validation for Hono server (required for getRawApp() wildcard support)

Implementation

// Before: Individual routes calling wrapper methods
httpServer.post('/auth/login', async (req, res) => {
  const result = await authManager.login(req.body);
  res.json(result);
});
// ... 10+ more routes

// After: Single wildcard forwarding to better-auth
rawApp.all('/api/v1/auth/*', async (c) => {
  const request = c.req.raw; // Web Request
  const response = await authManager.handleRequest(request);
  return response; // Web Response
});

Impact

• Code reduction: Net -132 lines (156 removed, 24 added)
• Feature coverage: All better-auth features (OAuth, 2FA, passkeys, magic links) now functional without custom implementation
• Maintenance: Better-auth updates no longer require wrapper code changes
• Type safety: Full better-auth TypeScript definitions now available

Documentation

• Added ARCHITECTURE.md explaining the decision rationale
• Updated README.md with better-auth endpoint documentation
• Updated usage examples to reflect configuration-based feature enablement

Original prompt

拉取请求: #580

评估是否应该将请求直接转发到better-auth还是要去具体实现每一个Api细节

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
objectstack-studio	Ready	Preview, Comment	Feb 10, 2026 5:46am
spec	Ready	Preview, Comment	Feb 10, 2026 5:46am

[Copilot]

Pull request overview

This PR updates @objectstack/plugin-auth to integrate better-auth using its universal handler(Request) -> Response pattern, replacing the prior per-endpoint wrapper approach and routing everything through a single wildcard route.

Changes:

• Replace manual auth endpoint wrappers with AuthManager.handleRequest(request) delegating directly to auth.handler().
• Switch AuthPlugin route registration from individual endpoints to a single wildcard route (/api/v1/auth/*) with URL path rewriting before forwarding.
• Update docs/examples/tests to reflect the forwarding-based integration and available better-auth endpoints.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
pnpm-lock.yaml	Lockfile updates reflecting dependency resolution changes (notably drizzle-orm version).
packages/plugins/plugin-auth/src/auth-plugin.ts	Implements wildcard route forwarding and URL rewrite; adds runtime requirement for getRawApp().
packages/plugins/plugin-auth/src/auth-plugin.test.ts	Updates tests to expect wildcard registration via getRawApp().all(...).
packages/plugins/plugin-auth/src/auth-manager.ts	Removes placeholder endpoint wrappers; adds handleRequest() and exposes api getter.
packages/plugins/plugin-auth/examples/basic-usage.ts	Updates example output to list better-auth endpoints under /api/v1/auth/*.
packages/plugins/plugin-auth/README.md	Updates documentation to describe wildcard forwarding and better-auth endpoints.
packages/plugins/plugin-auth/ARCHITECTURE.md	Adds rationale/architecture doc for direct forwarding approach.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

[Copilot]

The catch-all error handler returns err.message to the client. For auth endpoints this can leak internal details (e.g., adapter errors, stack-adjacent messages). Prefer returning a generic message (and/or an error code / request id) while keeping the detailed error only in logs; optionally gate detailed messages behind an explicit dev/debug flag.

Suggested change

	// Return error response
	return new Response(
	JSON.stringify({
	success: false,
	error: err.message,
	// Return generic error response to avoid leaking internal details
	return new Response(
	JSON.stringify({
	success: false,
	error: 'Internal authentication error',

[Copilot]

Current tests only assert that the wildcard route is registered, but they don't exercise the forwarded handler logic (especially the URL/path rewrite) or the new failure mode when getRawApp() is missing. Consider capturing the handler passed to mockRawApp.all and adding assertions that it rewrites /api/v1/auth/... to the expected better-auth path, and add a test that start() throws with the intended message when getRawApp is not available.

[Copilot]

The README labels several items as "Production Ready Features", but AuthManager.createDatabaseConfig() is still an in-memory placeholder and warns that the adapter integration isn't complete. Until persistence/session storage is implemented, describing the plugin as production-ready (especially for sessions, password reset, etc.) is misleading; consider rewording this section to clarify the current limitations and what is actually production-ready today.

[Copilot]

The Architecture snippet shows forwarding c.req.raw directly into authManager.handleRequest(request), but the actual implementation rewrites the URL path (strips basePath) before forwarding. This doc/code mismatch may confuse users trying to replicate the integration; update the snippet (and/or add a brief note explaining why the rewrite is needed when mounting under /api/v1/auth).

Suggested change

	const request = c.req.raw; // Web standard Request
	const basePath = '/api/v1/auth';
	// better-auth expects paths like `/sign-in`, not `/api/v1/auth/sign-in`,
	// so we strip the mounted basePath before forwarding the request.
	const originalUrl = new URL(c.req.url);
	const strippedPathname = originalUrl.pathname.replace(basePath, '') || '/';
	const rewrittenUrl = new URL(strippedPathname + originalUrl.search, originalUrl.origin);
	// Create a new Request with the rewritten URL, preserving the original request details
	const request = new Request(rewrittenUrl, c.req.raw);

[Copilot]

This references an analysis document under /tmp/..., which won’t exist for readers of the repo and can’t be accessed in most environments. Consider removing this reference or replacing it with a committed document/link in the repository (issue, PR comment permalink, or a file in this package).

Suggested change

	- Analysis Document: `/tmp/better-auth-approach-analysis.md`
	- Architectural analysis: Captured in this document and in PR #580 discussion

[Copilot]

basePath is interpolated directly into the wildcard route (rawApp.all(${basePath}/*, ...)). If a caller configures basePath with a trailing slash (e.g. /api/v1/auth/), this becomes /api/v1/auth//* and may not match requests. Consider normalizing basePath (trim trailing /, ensure leading /) once before registering the route and using that normalized value for both routing and path stripping.