Merge pull request #900 from objectstack-ai/copilot/refactor-auth-plugin-better-auth

Author: hotlong

packages/plugins/plugin-auth/src/auth-manager.test.ts

@@ -259,6 +259,45 @@ describe('AuthManager', () => {
     });
   });
 
+  describe('basePath configuration', () => {
+    it('should default basePath to /api/v1/auth when not specified', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.basePath).toBe('/api/v1/auth');
+    });
+
+    it('should use custom basePath when provided', () => {
+      let capturedConfig: any;
+      (betterAuth as any).mockImplementation((config: any) => {
+        capturedConfig = config;
+        return { handler: vi.fn(), api: {} };
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        basePath: '/custom/auth',
+      });
+      manager.getAuthInstance();
+      warnSpy.mockRestore();
+
+      expect(capturedConfig.basePath).toBe('/custom/auth');
+    });
+  });
+
   describe('plugin registration', () => {
     it('should not include any plugins when no plugin config is provided', () => {
       let capturedConfig: any;

packages/plugins/plugin-auth/src/auth-manager.ts

@@ -32,6 +32,14 @@ export interface AuthManagerOptions extends Partial<AuthConfig> {
    * Required for database operations using ObjectQL instead of third-party ORMs
    */
   dataEngine?: IDataEngine;
+
+  /**
+   * Base path for auth routes
+   * Forwarded to better-auth's basePath option so it can match incoming
+   * request URLs without manual path rewriting.
+   * @default '/api/v1/auth'
+   */
+  basePath?: string;
 }
 
 /**
@@ -79,7 +87,7 @@ export class AuthManager {
       // Base configuration
       secret: this.config.secret || this.generateSecret(),
       baseURL: this.config.baseUrl || 'http://localhost:3000',
-      basePath: '/',  // ← 关键修复！告诉 better-auth 路径已被剥离
+      basePath: this.config.basePath || '/api/v1/auth',
 
       // Database adapter configuration
       database: this.createDatabaseConfig(),

packages/plugins/plugin-auth/src/auth-plugin.ts

@@ -181,30 +181,13 @@ export class AuthPlugin implements Plugin {
 
     const rawApp = (httpServer as any).getRawApp();
 
-    // Register wildcard route to forward all auth requests to better-auth
-    // Better-auth expects requests at its baseURL, so we need to preserve the full path
+    // Register wildcard route to forward all auth requests to better-auth.
+    // better-auth is configured with basePath matching our route prefix, so we
+    // forward the original request directly — no path rewriting needed.
     rawApp.all(`${basePath}/*`, async (c: any) => {
       try {
-        // Get the Web standard Request from Hono context
-        const request = c.req.raw as Request;
-        
-        // Create a new Request with the path rewritten to match better-auth's expectations
-        // Better-auth expects paths like /sign-in/email, /sign-up/email, etc.
-        // We need to strip our basePath prefix
-        const url = new URL(request.url);
-        const authPath = url.pathname.replace(basePath, '');
-        const rewrittenUrl = new URL(authPath || '/', url.origin);
-        rewrittenUrl.search = url.search; // Preserve query params
-        
-        const rewrittenRequest = new Request(rewrittenUrl, {
-          method: request.method,
-          headers: request.headers,
-          body: request.body,
-          duplex: 'half' as any, // Required for Request with body
-        });
-
-        // Forward to better-auth handler
-        const response = await this.authManager!.handleRequest(rewrittenRequest);
+        // Forward the original request to better-auth handler
+        const response = await this.authManager!.handleRequest(c.req.raw);
 
         // better-auth catches internal errors and returns error Responses
         // without throwing, so the catch block below would never trigger.