@authfn/core
v0.1.1
Published
Core authfn contracts and plugin composition primitives
Maintainers
21nativeReadme
@authfn/core
@authfn/core is the authfn session and identity kernel for the Superfunctions ecosystem. It composes browser-session auth, password auth, email OTP, social OAuth, API keys, 2FA, multi-region routing, shared OpenAPI generation, and @superfunctions/auth provider integration without duplicating shared HTTP, DB, or OAuth primitives.
What It Ships
- Cookie-backed browser sessions with CSRF protection
- Bundled plugins for:
- password sign-up/sign-in
- email OTP send/verify and password reset
- Google, Apple, and GitHub social sign-in
- user-owned API keys
- TOTP-based 2FA
- multi-region lookup and runtime overlays
- Shared OpenAPI generation through
@superfunctions/http-openapi - Structured lifecycle events through
config.observability.emit(...)
Package Inventory
@authfn/core- core runtime, router composition, schema generation, provider integration
@authfn/client- typed browser client using cookie credentials by default
@authfn/svelte- thin Svelte stores over the browser client
Quick Start
import { memoryAdapter } from '@superfunctions/db/testing';
import {
authFnEmailOtpPlugin,
authFnMultiRegionPlugin,
authFnPasswordPlugin,
authFnSocialOAuthPlugin,
authFnTwoFactorPlugin,
createAuthFn
} from '@authfn/core';
const auth = createAuthFn({
database: memoryAdapter({ debug: false }),
namespace: 'authfn',
openApi: {
title: 'AuthFn API',
version: '1.0.0'
},
observability: {
emit(event) {
console.log(event.type, event.requestId);
}
},
plugins: [
authFnPasswordPlugin(),
authFnEmailOtpPlugin({
delivery: {
async send(input) {
return { sent: true, metadata: { channel: input.channel } };
}
}
}),
authFnSocialOAuthPlugin({
providers: {
google: {
clientId: process.env.GOOGLE_CLIENT_ID!,
clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
allowlistedReturnTo: ['https://app.example.com/post-auth']
}
}
}),
authFnTwoFactorPlugin(),
authFnMultiRegionPlugin()
]
});Consumers mount auth.router with a @superfunctions/http adapter and use auth.provider anywhere an @superfunctions/auth provider is expected.
Route Surface
Base routes:
GET /auth/sessionGET /auth/sessionsPOST /auth/sign-outPOST /auth/sessions/:sessionId/revoke
Password routes:
POST /auth/sign-up/passwordPOST /auth/sign-in/passwordPOST /auth/password/reset/startPOST /auth/password/reset/complete
OTP routes:
POST /auth/otp/sendPOST /auth/otp/verify
Social routes:
POST /auth/social/startGET /auth/social/callback/:providerPOST /auth/social/disconnect/:provider
API key routes:
POST /auth/api-keysGET /auth/api-keysDELETE /auth/api-keys/:keyId
2FA routes:
POST /auth/2fa/enrollPOST /auth/2fa/confirmPOST /auth/2fa/challengePOST /auth/2fa/disable
Multi-region routes:
POST /auth/regions/lookupGET /auth/runtime
OpenAPI
OpenAPI output is generated through the shared packages layer, not by authfn-specific code:
const document = auth.openApi?.();The generated document is deterministic and includes auth-prefixed paths like:
/auth/session/auth/sign-up/password/auth/sign-in/password/auth/otp/send/auth/social/start
Observability
Provide config.observability.emit(event) to receive structured lifecycle events. The current event surface includes:
authfn.user.createdauthfn.session.issuedauthfn.session.revokedauthfn.otp.sentauthfn.otp.verifiedauthfn.oauth.startedauthfn.oauth.completedauthfn.api_key.createdauthfn.api_key.revokedauthfn.2fa.enabledauthfn.2fa.challengedauthfn.region.lookupauthfn.plugin.failed
Sensitive values such as passwords, OTP codes, API key secrets, and OAuth tokens are redacted or omitted from emitted events.
Notes
authfndoes not bundle framework adapters. Use the shared@superfunctions/http-*adapters directly.authfndoes not bundle email or SMS delivery. Plug a provider in through the OTP delivery interface today, or layersendfnin at the application boundary.- Migration and cutover planning from Better Auth is intentionally out of scope for this spec bundle.