feat(hono): add hono integration package (@aura-stack/hono)

[halvaradop]

Description

This pull request introduces the @aura-stack/hono package, providing a dedicated integration for authentication within Hono applications. The package includes built-in middleware and handlers to simplify session management and authentication flows.

The provided utilities, such as the withAuth middleware, validate the user session and infer its type based on the configured identity.schema. This enables strong type inference when accessing session data via ctx.get.

Additionally, the package includes an adapter to bridge Hono (Bun runtime) request/response objects with Web Standard APIs, ensuring compatibility with Aura Auth’s internal architecture.

---

Key Changes

• Introduced dedicated @aura-stack/hono package
• Added withAuth middleware for session validation with type inference
• Added toHandler adapter to convert Bun/Hono request handling to Web Standard APIs
• Updated apps/hono integration example

---

Usage

import { Hono } from "hono"
import { createAuth } from "@/createAuth"

export const app = new Hono()

export const auth = createAuth({
  oauth: ["github"],
  basePath: "/api/auth",
})

app.all("/api/auth/*", auth.toHandler)

app.get("/api/protected", auth.withAuth, (c) => {
  const session = c.get("session")

  if (!session) {
    return c.json({ message: "Unauthorized" }, 401)
  }

  return c.json({
    message: "You have access to this protected resource.",
    session,
  })
})

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
auth	Ready	Preview, Comment	Apr 10, 2026 11:35pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR extracts Hono-specific authentication logic into a new package @aura-stack/hono, adds its build/test configs and docs, replaces local auth implementations in the Hono demo with imports from the new package, updates app deps/tsconfig aliases, and adds tests for the Hono integration.

Changes

Cohort / File(s)	Summary
App README & Config apps/hono/README.md, apps/hono/package.json, apps/hono/tsconfig.json	Updated README text/branding; replaced local auth deps with @aura-stack/hono; added @/* TS path alias.
App auth removal apps/hono/src/auth.ts, apps/hono/src/lib/handler.ts, apps/hono/src/middleware/with-auth.ts	Removed local auth module, handler bridge, and middleware formerly implemented in the app.
App integration apps/hono/src/index.ts, apps/hono/src/lib/auth.ts	Added local lib/auth.ts that uses createAuth from @aura-stack/hono; updated imports and route wiring to use toHandler and withAuth; added auth guard for /api/protected.
New package metadata & docs packages/hono/package.json, packages/hono/README.md, packages/hono/CHANGELOG.md	Added @aura-stack/hono package manifest, README, and changelog with export paths and usage docs.
Package implementation packages/hono/src/index.ts, packages/hono/src/createAuth.ts, packages/hono/src/lib/handler.ts, packages/hono/src/lib/with-auth.ts, packages/hono/src/oauth/index.ts	Implemented createAuth wrapper augmenting core auth with Hono utilities; added toHandler, withAuth, type exports, and OAuth re-exports.
Package build & test config packages/hono/deno.json, packages/hono/tsconfig.json, packages/hono/tsup.config.ts, packages/hono/vitest.config.ts	Added Deno, TS, tsup and Vitest configuration, test env vars, and module alias mappings.
Package tests & presets packages/hono/test/presets.ts, packages/hono/test/index.test.ts	Added test preset app/auth and comprehensive route-level tests for OAuth, session, CSRF, protected routes, and credentials flow.
Workspace / catalog updates deno.json, package.json, pnpm-workspace.yaml, apps/express/package.json, packages/*/package.json	Expanded deno workspace; added catalog entries for hono, bun, and express; adjusted various package scripts and devDeps (minor cleanup across packages).

Sequence Diagram

sequenceDiagram
    participant Client
    participant HonoApp as Hono App
    participant withAuth as withAuth Middleware
    participant toHandler as toHandler
    participant AuthPkg as `@aura-stack/hono` (Auth API)
    participant SessionStore as Session Store

    Client->>HonoApp: GET /api/protected
    HonoApp->>withAuth: run middleware
    withAuth->>AuthPkg: api.getSession(headers)
    AuthPkg->>SessionStore: lookup session
    SessionStore-->>AuthPkg: session or null
    AuthPkg-->>withAuth: session object
    withAuth->>HonoApp: ctx.set("session", session)\nnext()
    HonoApp-->>Client: 200 OK (with session) or 401

    Client->>HonoApp: GET /api/auth/signIn/github
    HonoApp->>toHandler: proxy request
    toHandler->>AuthPkg: handlers.ALL(request)
    AuthPkg-->>toHandler: Response (302 redirect / set-cookie)
    toHandler-->>Client: 302 Redirect + set-cookie

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore(examples): add Hono integration app #97: Directly modifies Hono integration (handler bridging and middleware) and overlaps with the same auth-to-package extraction.
• feat(core): introduce api object via createAuth #112: Expands createAuth API and propagates api/toHandler/withAuth surface — closely tied to the new package implementation.
• chore(tsconfig): add per-integration TypeScript configuration files #113: Related TS config/path alias changes affecting apps/hono/tsconfig.json and workspace TS setups.

Poem

🐰 Hopping out of code and cheer,

I bundled auth so it's clear,
withAuth guards and toHandler too,
a tidy package — made for you! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: introducing a new Hono integration package (@aura-stack/hono) as a feature addition.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/add-hono-pkg

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (2)

packages/hono/README.md (1)

41-82: Use ts fences for non-JSX examples.

These snippets are TypeScript server code and don’t use JSX; ts improves editor highlighting consistency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/hono/README.md` around lines 41 - 82, Update the README code fences
from JSX/TSX to TypeScript-only to improve editor highlighting: change the
opening fence markers used around the server examples (the blocks showing
createAuth, export of toHandler/withAuth, the Hono.all mount, and the
withAuth-protected route) from ```tsx to ```ts so examples referencing
createAuth, toHandler, withAuth, and Hono.all are correctly highlighted as
TypeScript.

packages/hono/test/index.test.ts (1)

23-33: Consider extracting session-cookie creation to a small helper.

The JWT + cookie construction is duplicated in two tests; a helper would reduce repetition and keep fixtures aligned.

♻️ Refactor sketch

+const createSessionCookie = async () => {
+    const sessionToken = await auth.jose.encodeJWT({
+        sub: "johndoe",
+        name: "John Doe",
+        email: "johndoe@example.com",
+    })
+    return `aura-auth.session_token=${sessionToken}`
+}

-        const sessionToken = await auth.jose.encodeJWT({
-            sub: "johndoe",
-            name: "John Doe",
-            email: "johndoe@example.com",
-        })
         const res = await app.request("/api/auth/session", {
             headers: {
-                Cookie: `aura-auth.session_token=${sessionToken}`,
+                Cookie: await createSessionCookie(),
             },
         })

Also applies to: 69-79

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/hono/test/index.test.ts` around lines 23 - 33, Extract repeated
JWT+cookie construction into a small helper (e.g., makeSessionCookie or
createSessionCookie) inside the test file so both tests reuse it: move the call
to auth.jose.encodeJWT and the Cookie string assembly into that helper (it
should accept an optional payload or use the same fixture), return the full
Cookie header value like "aura-auth.session_token=..."; then replace the inline
sessionToken + Cookie header in the tests (the block creating sessionToken and
setting headers.Cookie) with a call to the helper to reduce duplication and keep
fixtures aligned.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/hono/README.md`:
- Line 17: Update the overview sentence that incorrectly states the package
provides TypeScript support for "Express" applications: in the README line
referencing the '@aura-stack/hono' package, replace "Express applications" with
"Hono applications" (or "Hono-based applications") so the sentence correctly
reads that '@aura-stack/hono' provides standard middlewares and first-class
TypeScript support for Hono applications.

In `@apps/hono/src/lib/auth.ts`:
- Around line 3-6: The createAuth call that defines the exported auth constant
(auth) is missing the trustedOrigins option; update the createAuth({ ... })
invocation to include a trustedOrigins array (e.g., ["http://localhost:3000",
"https://*.vercel.app"]) to match other app examples and enable origin
validation—add the property inside the existing createAuth config and adjust the
origin entries to match your development/production environments.

In `@packages/hono/deno.json`:
- Around line 14-15: Replace the invalid Deno npm specifier
"npm:`@aura-stack/auth`@workspace:*" with a valid import-map entry: use a concrete
npm version specifier (e.g., change the "@aura-stack/auth" mapping to
"npm:`@aura-stack/auth`@^1.0.0" or another appropriate semver), or remove the
"npm:" specifier and switch to a bare import that the workspace tooling
resolves; update the "@aura-stack/auth" entry in the import map accordingly so
Deno can resolve it.

In `@packages/hono/package.json`:
- Around line 19-20: The "clean:cts" npm script currently runs unguarded and
fails if the dist directory is missing; update the "clean:cts" script entry so
it first checks that the dist directory exists before running the delete command
(i.e., guard the find invocation with a directory-existence test), and keep
"prepublish" invoking "clean:cts" as-is; edit the package.json scripts section
to replace the current "clean:cts" value with a guarded version that only runs
the find delete when dist exists.

In `@packages/hono/src/lib/with-auth.ts`:
- Around line 16-18: The catch block in with-auth.ts currently returns await
next() without setting the session, leaving downstream handlers with an
undefined session; update the catch block in the withAuth middleware to
explicitly set the session to null (e.g., assign ctx.req.ctx.session = null or
the same session key used elsewhere in this file) before calling return await
next() so the middleware contract always provides a session key.

In `@packages/hono/test/index.test.ts`:
- Around line 52-55: The tests call await res.json() which is inferred as
unknown under strict TS and later access properties (e.g., csrfToken), causing
TS18046; update each test to assert a safe type for body before property access
(for example cast the result of res.json() to a specific shape or to
Record<string, any>), and apply this change to every occurrence listed (the body
variables around the csrfToken checks and the other instances at the ranges
noted: lines ~16–20, 35–44, 52–55, 63–65, 81–83, 105–107, 121–123) so subsequent
property reads (e.g., body.csrfToken) are type-safe; locate the body
declarations in the test file (index.test.ts) and replace their type with an
appropriate assertion or interface.

---

Nitpick comments:
In `@packages/hono/README.md`:
- Around line 41-82: Update the README code fences from JSX/TSX to
TypeScript-only to improve editor highlighting: change the opening fence markers
used around the server examples (the blocks showing createAuth, export of
toHandler/withAuth, the Hono.all mount, and the withAuth-protected route) from
```tsx to ```ts so examples referencing createAuth, toHandler, withAuth, and
Hono.all are correctly highlighted as TypeScript.

In `@packages/hono/test/index.test.ts`:
- Around line 23-33: Extract repeated JWT+cookie construction into a small
helper (e.g., makeSessionCookie or createSessionCookie) inside the test file so
both tests reuse it: move the call to auth.jose.encodeJWT and the Cookie string
assembly into that helper (it should accept an optional payload or use the same
fixture), return the full Cookie header value like
"aura-auth.session_token=..."; then replace the inline sessionToken + Cookie
header in the tests (the block creating sessionToken and setting headers.Cookie)
with a call to the helper to reduce duplication and keep fixtures aligned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c15b70ea-b070-451f-b650-6263c265ba8d

📥 Commits

Reviewing files that changed from the base of the PR and between b49ff7e and 3d57f08.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (22)

• apps/hono/README.md
• apps/hono/package.json
• apps/hono/src/auth.ts
• apps/hono/src/index.ts
• apps/hono/src/lib/auth.ts
• apps/hono/src/lib/handler.ts
• apps/hono/src/middleware/with-auth.ts
• apps/hono/tsconfig.json
• packages/hono/CHANGELOG.md
• packages/hono/README.md
• packages/hono/deno.json
• packages/hono/package.json
• packages/hono/src/createAuth.ts
• packages/hono/src/index.ts
• packages/hono/src/lib/handler.ts
• packages/hono/src/lib/with-auth.ts
• packages/hono/src/oauth/index.ts
• packages/hono/test/index.test.ts
• packages/hono/test/presets.ts
• packages/hono/tsconfig.json
• packages/hono/tsup.config.ts
• packages/hono/vitest.config.ts

💤 Files with no reviewable changes (3)

• apps/hono/src/auth.ts
• apps/hono/src/middleware/with-auth.ts
• apps/hono/src/lib/handler.ts