@yantra-app/cloud-auth-js
v0.2.0
Published
Yantra Cloud Auth JS — zero-config auth for Yantra-generated apps; drop-in for @lovable.dev/cloud-auth-js
Maintainers
Readme
@yantra-app/cloud-auth-js
Zero-config auth SDK for Yantra-generated apps — the Yantra equivalent of
Lovable's @lovable.dev/cloud-auth-js (yantra-app issue #434).
Apps get Google/social sign-in without creating their own OAuth credentials: the flow is brokered through the central better-auth server, which holds platform-level provider credentials.
How it works
App (any domain) Better Auth server (auth2.cdebase.dev)
──────────────── ──────────────────────────────────────
signInWithOAuth('google')
→ GET /~oauth/initiate ─────▶ validates redirect_uri origin,
sets signed state cookie,
302 → Google (platform credentials)
│
Google ◀────────┘
│ callback
▼
/api/auth/callback/google (better-auth session)
│
▼
/~oauth/callback
top-level → 302 app#access_token=…&refresh_token=…&state=…
iframe → popup postMessage {type:'authorization_response', …}access_token— JWT signed by the server's jwt plugin. Verify with the public JWKS at/api/auth/jwks(stateless, any backend).refresh_token— opaque session credential; exchange atPOST /~oauth/token.
Usage (generated apps)
import { createYantraAuth } from "@yantra-app/cloud-auth-js";
const auth = createYantraAuth({
// Relative by default (edge-proxied). Absolute URL to talk to the server directly:
oauthBrokerUrl: "https://auth2.cdebase.dev/~oauth/initiate",
});
// Social (redirect at top level, popup+postMessage inside builder preview iframes)
await auth.signInWithOAuth("google");
// Email/password
await auth.signUpWithEmail({ name, email, password });
await auth.signInWithEmail({ email, password });
auth.getUser(); // decoded JWT payload
await auth.refreshSession();
await auth.signOut();Templates for scaffolding into generated apps are in templates/
(integrations/yantra/index.ts wrapper + pages/AuthPage.tsx).
Replacing @lovable.dev/cloud-auth-js (drop-in)
The package exports Lovable's exact API surface (createLovableAuth,
LovableAuth, LovableAuthConfig, same SignInWithOAuthResult shapes), so a
Lovable-generated app can switch to the Yantra auth server three ways:
Zero code changes — npm alias. In the generated app's
package.json:"@lovable.dev/cloud-auth-js": "npm:@yantra-app/cloud-auth-js@^0.2.0"(or
file:/tarball URL while unpublished). The auto-generatedsrc/integrations/lovable/index.tskeeps working as-is.Change the import. Swap
@lovable.dev/cloud-auth-js→@yantra-app/cloud-auth-jsinsrc/integrations/lovable/index.ts(a ready-made copy is intemplates/integrations/lovable/index.ts).Full Yantra integration. Scaffold
templates/integrations/yantra/and drop supabase auth entirely.
Because the generated file calls createLovableAuth() with no arguments,
point the SDK at your server one of these ways (checked in order):
<!-- index.html — works with the npm-alias path, no source changes -->
<script>window.__YANTRA_AUTH_URL__ = "https://auth-l0g8a.cdebase.dev";</script># Vite env (build-time)
VITE_YANTRA_AUTH_BROKER_URL=https://auth-l0g8a.cdebase.devA bare origin works — /~oauth/initiate is appended automatically. The app's
origin must be in the server's BROKER_ALLOWED_ORIGINS
(broker.allowedOrigins in the helm values; wildcards like
https://*.pages.dev are supported).
Compat notes:
createLovableAuth()leaves the redirect-return URL fragment alone (like Lovable's SDK) so supabase-jsdetectSessionInUrlcan consume it;createYantraAuth()consumes it into localStorage itself.- The generated integration passes our tokens to
supabase.auth.setSession(). supabase-js stores them without verifying the signature, so the client-side session works; per-app Supabase data calls only authenticate once the Supabase stack is configured to trust this server's JWKS (/api/auth/jwks) as a third-party issuer.
Server configuration
The broker lives in the better-auth server app (app/src/broker.ts):
BROKER_ALLOWED_ORIGINS— CSV of app origins allowed asredirect_uritargets; supports wildcards (https://*.pages.dev).TRUSTED_ORIGINSare always included.- Social providers come from the existing
socialProviderConfigtable (admin UI → Connections) or env credentials. - Requires the
jwtplugin (enabled by default).
Roadmap (issue #434)
- [x] Broker endpoints + SDK + templates (MVP, central user pool)
- [ ] Edge interception of
/~oauth/*(Cloudflare Pages Function for webbuilder; sub-path proxy route for e2b/ui-host previews) so apps need zero config - [ ] Per-app tenant user pools (@adminide-stack tenant provisioning)
- [ ] Per-app origin registration at deploy time (replace BROKER_ALLOWED_ORIGINS)
- [ ] Mobile deep-link flow
