@podosoft/podokit-auth
v0.2.0
Published
PodoKit's DB-backed auth configuration pipeline: envelope-encrypted secrets, the AuthConfig model, and a config store on top of better-auth.
Readme
@podosoft/podokit-auth
PodoKit's DB-backed auth configuration pipeline — the layer that sits on top of better-auth so OAuth providers, SMTP, and server-enforced toggles can be managed at runtime (from an admin Settings page) instead of being frozen in environment variables at boot.
It is deliberately free of better-auth and NestJS/TypeORM imports (only
node:crypto and a pg peer), so it can be loaded outside dependency injection
and by the @better-auth/cli during migrations.
What's inside
- Envelope-encrypted secrets —
encryptSecret/decryptSecretstore OAuth client secrets and the SMTP password with AES-256-GCM. The key is derived fromBETTER_AUTH_SECRETvia HKDF-SHA256 and never lives in the database it protects, so a DB leak alone can't decrypt them. - The
AuthConfigmodel — the shape of the runtime config (social providers, SMTP, and server toggles including provider-independent sign-up approval), plusenvAuthConfig()(the env-only fallback), the supported-provider allowlist, andsocialKeyhelpers. - A config store —
createConfigStore(pool)loads the current config from theauth_configtable (with per-field env fallback) and decrypts secrets on read.
Install
npm install @podosoft/podokit-authpg is a peer dependency (your app already provides it).
Usage
import { createConfigStore, envAuthConfig } from "@podosoft/podokit-auth";
const store = createConfigStore(pool); // reads auth_config, env fallback
const config = await store.load(); // AuthConfig (secrets decrypted)
const smtp = await store.smtpConfig(); // resolved SMTP transport config, or nullGenerated by @podosoft/podokit; most apps consume it
through the auth module rather than importing it directly.
License
Apache-2.0
