feat(elysia): add elysia integration package (@aura-stack/elysia)

[halvaradop]

Description

This pull request introduces the @aura-stack/elysia package, providing seamless authentication integration for the Elysia framework. The package includes built-in plugins and adapters to bridge Web Standard APIs (Request, Response) with Elysia’s internal interfaces.

The integration provides utilities that can be used within Elysia’s derive and resolve lifecycle functions, enabling type-safe session handling and simplified authentication flows.

---

Key Changes

• Introduced dedicated @aura-stack/elysia package
• Added withAuth plugin for use with derive and resolve
• Added toHandler adapter for Web API ↔ Elysia interoperability
• Updated apps/elysia integration example
• Added tests to validate functionality

---

Usage

import { Elysia } from "elysia"
import { createAuth } from "@/createAuth"

export const auth = createAuth({
  oauth: ["github"],
  basePath: "/api/auth",
})

export const app = new Elysia()

app.all("/api/auth/*", auth.toHandler)

app.derive(auth.withAuth).get("/api/protected", ({ session }) => {
  if (!session) {
    return new Response(JSON.stringify({ message: "Unauthorized" }), {
      status: 401,
      headers: { "Content-Type": "application/json" },
    })
  }

  return {
    message: "You have access to this protected resource.",
    session,
  }
})

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
auth	Skipped		Apr 11, 2026 1:45am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a67dea42-eae8-4100-abb6-78d4a92de832

📥 Commits

Reviewing files that changed from the base of the PR and between 4416d0f and 849f647.

📒 Files selected for processing (4)

• packages/elysia/CHANGELOG.md
• packages/elysia/README.md
• packages/elysia/src/index.ts
• packages/elysia/src/lib/with-auth.ts

✅ Files skipped from review due to trivial changes (2)

• packages/elysia/CHANGELOG.md
• packages/elysia/README.md

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/elysia/src/lib/with-auth.ts
• packages/elysia/src/index.ts

---

📝 Walkthrough

Walkthrough

Introduces a new @aura-stack/elysia package (createAuth, toHandler, withAuth), moves Elysia-specific auth bridging into that package, refactors the Elysia app to use the new package APIs, adds tests and package tooling, and updates workspace/tsconfig manifests.

Changes

Cohort / File(s)	Summary
Elysia app docs & manifest apps/elysia/README.md, apps/elysia/package.json	Added README content describing use of @aura-stack/elysia; swapped dependency from @aura-stack/auth → @aura-stack/elysia.
Elysia app wiring apps/elysia/src/index.ts, apps/elysia/src/auth.ts, apps/elysia/src/lib/auth.ts, apps/elysia/src/plugins/with-auth.ts	Removed in-repo auth plugin and previous exports; added lib/auth.ts that imports and re-exports api, jose, toHandler, withAuth from the new package; routing updated to use toHandler and .derive(withAuth) pattern.
Elysia app TS config apps/elysia/tsconfig.json	Added @/ path alias to point to ./src/*.
New @aura-stack/elysia package — core packages/elysia/src/createAuth.ts, packages/elysia/src/index.ts, packages/elysia/src/lib/handler.ts, packages/elysia/src/lib/with-auth.ts	Added createAuth wrapper producing Elysia-specific API surface; added toHandler bridge and typed withAuth resolver; re-exports core types and utilities.
New @aura-stack/elysia package — config & tooling packages/elysia/package.json, packages/elysia/deno.json, packages/elysia/tsconfig.json, packages/elysia/tsup.config.ts, packages/elysia/vitest.config.ts	New package manifests, Deno/tsconfig, build config, and Vitest config with exports, aliases, scripts, and test env setup.
New @aura-stack/elysia tests & presets packages/elysia/test/index.test.ts, packages/elysia/test/presets.ts	Added Vitest suite and presets exercising OAuth/sign-in/session/csrf and protected route behaviors using package helpers.
Workspace / misc deno.json, packages/hono/tsconfig.json	Replaced explicit Deno workspace list with packages/** glob; reformatted packages/hono/tsconfig.json (style-only).
Package docs & changelog packages/elysia/README.md, packages/elysia/CHANGELOG.md	Added package README and changelog documenting features and usage examples.

Sequence Diagram

sequenceDiagram
    participant Client
    participant ElysiaApp as Elysia App
    participant ElysiaPkg as `@aura-stack/elysia`
    participant AuthAPI as Auth API

    Client->>ElysiaApp: GET /api/protected
    ElysiaApp->>ElysiaPkg: derive(withAuth) resolver invoked
    activate ElysiaPkg
    ElysiaPkg->>AuthAPI: api.getSession({ headers })
    activate AuthAPI
    AuthAPI-->>ElysiaPkg: session | throws
    deactivate AuthAPI
    ElysiaPkg-->>ElysiaApp: { session: Session | null }
    deactivate ElysiaPkg

    alt session present
        ElysiaApp->>ElysiaApp: handler reads ctx.session
        ElysiaApp-->>Client: 200 + protected content
    else no session
        ElysiaApp-->>Client: 401 Unauthorized
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• feat(express): add express integration package (@aura-stack/express) #138: Similar refactor introducing framework-specific integration packages (matches pattern used here).
• feat(hono): add hono integration package (@aura-stack/hono) #139: Implements the same extraction of createAuth/toHandler/withAuth into framework packages.
• chore(examples): add Elysia integration app #98: Prior Elysia example that this change replaces/refactors into the new @aura-stack/elysia package.

Poem

🐰 I hopped in code, with handlers bright,

WithAuth derived, sessions in sight,
toHandler bridges the auth parade,
Elysia dances, no plugin shade,
A tiny rabbit cheers—auth made light!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately and specifically describes the main change: adding a new Elysia integration package to the aura-stack ecosystem.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/add-elysia-pkg

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

packages/elysia/test/index.test.ts (1)

129-129: Strengthen cookie assertion to validate the auth cookie key.

toBeDefined() can pass on unrelated cookies; asserting the cookie name/value prefix will make this test more regression-resistant.

Suggested test tightening

-        expect(res.headers.get("set-cookie")).toBeDefined()
+        const setCookie = res.headers.get("set-cookie")
+        expect(setCookie).toBeTruthy()
+        expect(setCookie).toContain("aura-auth.session_token=")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/elysia/test/index.test.ts` at line 129, The test currently only
checks that res.headers.get("set-cookie") is defined, which can pass for
unrelated cookies; update the assertion to verify the auth cookie key/value
prefix instead (e.g., assert the Set-Cookie header contains the expected cookie
name like "auth=" or matches a regex such as /^auth=.+/). Locate the assertion
using res.headers.get("set-cookie") in the test
(packages/elysia/test/index.test.ts) and replace the toBeDefined() check with a
stricter assertion such as expect(setCookie).toMatch(/(^|;\s*)auth=[^;]+/) or
expect(setCookie).toContain("auth=") to ensure the auth cookie is present.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/elysia/CHANGELOG.md`:
- Line 13: Update the changelog entry that currently references PR `#139` to the
correct PR `#140`: edit the line "Introduced seamless Elysia integration
package..." and replace the link/text
"[`#139`](https://github.com/aura-stack-ts/auth/pull/139)" with
"[`#140`](https://github.com/aura-stack-ts/auth/pull/140)" so the changelog
correctly points to PR `#140`.

In `@packages/elysia/README.md`:
- Around line 82-85: The README.md contains a broken relative license link "[MIT
License](LICENSE)"; either add a package-local LICENSE file to satisfy the
existing link or update the markdown link in README.md to point to the repo root
LICENSE (for example change "[MIT License](LICENSE)" to "[MIT
License](../../LICENSE)"); modify the file README.md and/or add the missing
LICENSE to packages/elysia so the link resolves correctly.

In `@packages/elysia/src/lib/with-auth.ts`:
- Around line 16-23: In with-auth.ts, avoid turning every exception from
api.getSession into session: null; update the try/catch around api.getSession so
that you only convert authentication failures (e.g., an explicit AuthError type
or an error indicating HTTP 401/unauthorized from api.getSession) into return {
session: null }, and for any other unexpected errors rethrow (or propagate) the
error so real server/runtime issues are not masked; locate the api.getSession
call and its surrounding catch in withAuth and implement error-type/status
checking before deciding to return { session: null } versus rethrowing.

---

Nitpick comments:
In `@packages/elysia/test/index.test.ts`:
- Line 129: The test currently only checks that res.headers.get("set-cookie") is
defined, which can pass for unrelated cookies; update the assertion to verify
the auth cookie key/value prefix instead (e.g., assert the Set-Cookie header
contains the expected cookie name like "auth=" or matches a regex such as
/^auth=.+/). Locate the assertion using res.headers.get("set-cookie") in the
test (packages/elysia/test/index.test.ts) and replace the toBeDefined() check
with a stricter assertion such as
expect(setCookie).toMatch(/(^|;\s*)auth=[^;]+/) or
expect(setCookie).toContain("auth=") to ensure the auth cookie is present.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4c3ca1e0-3448-4859-80db-2e7957be71f3

📥 Commits

Reviewing files that changed from the base of the PR and between 4d4cfd6 and 4416d0f.

⛔ Files ignored due to path filters (3)

• bun.lock is excluded by !**/*.lock
• deno.lock is excluded by !**/*.lock
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (22)

• apps/elysia/README.md
• apps/elysia/package.json
• apps/elysia/src/auth.ts
• apps/elysia/src/index.ts
• apps/elysia/src/lib/auth.ts
• apps/elysia/src/plugins/with-auth.ts
• apps/elysia/tsconfig.json
• deno.json
• packages/elysia/CHANGELOG.md
• packages/elysia/README.md
• packages/elysia/deno.json
• packages/elysia/package.json
• packages/elysia/src/createAuth.ts
• packages/elysia/src/index.ts
• packages/elysia/src/lib/handler.ts
• packages/elysia/src/lib/with-auth.ts
• packages/elysia/test/index.test.ts
• packages/elysia/test/presets.ts
• packages/elysia/tsconfig.json
• packages/elysia/tsup.config.ts
• packages/elysia/vitest.config.ts
• packages/hono/tsconfig.json

💤 Files with no reviewable changes (2)

• apps/elysia/src/auth.ts
• apps/elysia/src/plugins/with-auth.ts