Fix storage-agnostic adapter and RBAC integration issues

Copilot · hotlong · Copilot · commit 8e501b999219 · 2026-01-25T10:40:25.000Z
Co-authored-by: hotlong &lt;50353452+hotlong@users.noreply.github.com&gt;
diff --git a/src/adapter/index.ts b/src/adapter/index.ts
@@ -143,13 +143,21 @@ export function createObjectQLAdapter(config: ObjectQLAdapterConfig): Adapter {
       accountId: string,
       data: Partial<AdapterAccount>
     ): Promise<AdapterAccount> {
-      const account = await ql.entity('Account').update({
+      // Storage-agnostic approach: Find by composite fields, then update by ID
+      // This avoids Prisma-specific compound key syntax that may not work with all ObjectQL drivers
+      const existingAccount = await ql.entity('Account').findFirst({
         where: {
-          providerId_accountId: {
-            providerId,
-            accountId,
-          },
+          providerId,
+          accountId,
         },
+      });
+      
+      if (!existingAccount) {
+        throw new Error(`Account not found: ${providerId}/${accountId}`);
+      }
+      
+      const account = await ql.entity('Account').update({
+        where: { id: existingAccount.id },
         data: {
           ...data,
           updatedAt: new Date(),
@@ -159,12 +167,11 @@ export function createObjectQLAdapter(config: ObjectQLAdapterConfig): Adapter {
     },
 
     async deleteAccount(providerId: string, accountId: string): Promise<void> {
-      await ql.entity('Account').delete({
+      // Use deleteMany with where clause for storage-agnostic deletion
+      await ql.entity('Account').deleteMany({
         where: {
-          providerId_accountId: {
-            providerId,
-            accountId,
-          },
+          providerId,
+          accountId,
         },
       });
     },
diff --git a/src/server/index.ts b/src/server/index.ts
@@ -86,32 +86,45 @@ export function createAuthServer(config: ObjectStackAuthServerConfig) {
   // Create Better-Auth instance
   const auth = betterAuth(authOptions);
 
-  // RBAC Integration: Inject permissions into session
-  // This is a custom plugin hook that runs after session retrieval
-  if (onGetPermissions) {
-    const originalGetSession = auth.api.getSession.bind(auth.api);
-    auth.api.getSession = async (request: any) => {
-      const session = await originalGetSession(request);
+  // RBAC Integration: Enhanced session retrieval with permissions
+  // Note: This wraps the session retrieval to inject permissions
+  // If Better-Auth provides official plugin hooks in the future, migrate to those
+  return {
+    ...auth,
+    
+    // Enhanced getSession that includes permissions
+    getSessionWithPermissions: async (request: Request) => {
+      const session = await auth.api.getSession({ request });
       
-      if (session?.user?.id) {
+      if (session?.user?.id && onGetPermissions) {
         try {
           // Query ObjectOS for user permissions
           const permissions = await onGetPermissions(session.user.id);
           
-          // Inject permissions into session object
-          session.user.permissions = permissions;
+          // Return enhanced session with permissions
+          return {
+            ...session,
+            user: {
+              ...session.user,
+              permissions,
+            },
+          };
         } catch (error) {
           console.error('Failed to load user permissions:', error);
-          // Don't fail the session if permissions fail to load
-          session.user.permissions = null;
+          // Return session without permissions on error
+          return {
+            ...session,
+            user: {
+              ...session.user,
+              permissions: null,
+            },
+          };
         }
       }
       
       return session;
-    };
-  }
-
-  return auth;
+    },
+  };
 }
 
 /**
@@ -136,8 +149,17 @@ export interface ObjectStackSession {
 }
 
 /**
- * Utility to extract session from request
+ * Utility to extract session with permissions from request
  */
-export async function getSession(auth: ReturnType<typeof createAuthServer>, request: Request): Promise<ObjectStackSession | null> {
+export async function getSession(
+  auth: ReturnType<typeof createAuthServer>, 
+  request: Request
+): Promise<ObjectStackSession | null> {
+  // Use the enhanced getSessionWithPermissions if available
+  if ('getSessionWithPermissions' in auth && typeof auth.getSessionWithPermissions === 'function') {
+    return await auth.getSessionWithPermissions(request) as ObjectStackSession | null;
+  }
+  
+  // Fallback to standard getSession
   return await auth.api.getSession({ request }) as ObjectStackSession | null;
 }
