feat: add auth provider packages (cloud, workos, better-auth) #13172
rphansen91 wants to merge 7 commits into auth-rbac-core-server
Add standalone auth provider packages with RBAC support:
- @mastra/auth-cloud: PKCE OAuth flow, session management, and role-based access control for Mastra Cloud
- @mastra/auth-workos: Full auth provider with SSO, RBAC, SCIM directory sync, and admin portal
- @mastra/auth-better-auth: Expanded to support EE auth interfaces (IUserProvider, ISessionProvider, ISSOProvider)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
🦋 Changeset detected
Latest commit: 44c10f3
The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages.
Socket for GitHub: No dependency changes detected in pull request.
SimpleAuth no longer requires TUser to extend EEUser, allowing any user type (bare strings, numeric ids, etc.). EE features (getCurrentUser, getUser) still work via duck typing at call sites. Also documents the intentional isProtectedPath default-allow behavior since all routes are already auth-checked via registerRoute/checkRouteAuth. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mermaid diagram covering the full auth/RBAC flow from PR #13163: request lifecycle, core middleware, permission enforcement, provider composition, interfaces, and license gating. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Documents the three route categories (built-in, custom API, non-API), default auth config, the full request auth flow as a mermaid diagram, isProtectedPath behavior, and permission derivation conventions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
🚨 Redirect Validation Failed
The redirect validation found issues in
Action Required: Review and fix the redirect configuration.
authenticateToken used request.header() (Hono-specific) but the auth middleware passes c.req.raw (standard Web Request). Use 'raw' in request detection to unwrap HonoRequest, then read headers via the standard request.headers.get() API — matching Cloud and WorkOS providers which already do this correctly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- @mastra/auth-cloud (new): Mastra Cloud authentication with PKCE OAuth flow, session management, and role-based access control
- @mastra/auth-workos (expanded): Full auth provider with SSO, RBAC, SCIM directory sync, and admin portal support
- @mastra/auth-better-auth (expanded): Support for new EE auth interfaces (IUserProvider, ISessionProvider, ISSOProvider)

Context
PR 2 of 3 in the auth/RBAC split. Depends on #13163 (auth core + server RBAC). These are standalone auth provider packages — each is a self-contained npm package with its own tests.
Verification
- cd auth/cloud && pnpm test — cloud auth tests pass
- cd auth/workos && pnpm test — workos tests pass
- pnpm build:packages — all packages build cleanly

🤖 Generated with Claude Code
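
The request-shape mismatch described in the authenticateToken commit message above, as an added example that is not code from this PR or from Mastra. WrappedRequest, readTokenWrapperOnly, toWebRequest and extractBearerToken are hypothetical names, the URLs and token values are constructed, and it assumes Node 18+ where Request is a global.

```javascript
// Added example; all names here are hypothetical, not Mastra's or Hono's API.

// Minimal stand-in for a Hono-style request wrapper: it offers a
// .header(name) helper and keeps the standard Web Request on .raw.
class WrappedRequest {
  constructor(raw) {
    this.raw = raw;
  }
  header(name) {
    return this.raw.headers.get(name) ?? undefined;
  }
}

// The failure mode: .header() exists only on the wrapper, so this throws
// a TypeError when the middleware hands over a standard Request.
function readTokenWrapperOnly(request) {
  const value = request.header('authorization');
  return value ? value.replace(/^Bearer\s+/i, '') : null;
}

// Unwrap when a .raw Request is present; otherwise pass the value through.
function toWebRequest(request) {
  const isObject = request !== null && typeof request === 'object';
  if (isObject && 'raw' in request && request.raw instanceof Request) {
    return request.raw;
  }
  return request;
}

// Returns the bearer token, or null (fail closed) when the input is not a
// Request, the header is absent, or the scheme or token is malformed.
function extractBearerToken(request) {
  const web = toWebRequest(request);
  if (!(web instanceof Request)) return null;
  const value = web.headers.get('authorization');
  if (value === null) return null;
  const match = /^Bearer +([A-Za-z0-9\-._~+/]+=*)$/i.exec(value.trim());
  return match ? match[1] : null;
}

// Constructed sample requests (the token values are made up).
const url = 'https://example.test/api/agents';
const raw = new Request(url, { headers: { Authorization: 'Bearer sample.token-123' } });
const wrapped = new WrappedRequest(raw);
const basic = new Request(url, { headers: { Authorization: 'Basic dXNlcjpwYXNz' } });
```

Because extractBearerToken accepts both shapes and returns null for anything else, a caller can treat null as unauthenticated regardless of which layer passed the request.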