
feat(core): add experimental signUp flow API and endpoint #183

Merged: halvaradop merged 5 commits into master from feat/add-sign-up-action (Jun 10, 2026)

@halvaradop halvaradop commented Jun 9, 2026

Member

Description

This pull request introduces an experimental signUp flow for both the API and endpoint definitions.

The new action enables user account creation within the authentication system and provides customizable payload validation through supported schema libraries, including Zod, Valibot, TypeBox, and ArkType. To enable this feature, developers must configure the signUp option when calling createAuth.

The sign-up flow is exposed through both the api object and the /signUp endpoint. Both entry points provide the same behavior; the primary difference is their intended usage:

  • api.signUp() is designed for server-side integrations.
  • /signUp is designed for client-side and external HTTP integrations.

Although this PR introduces support for the api object and the /signUp endpoint, it does not include support for createAuthClient or framework-specific hooks. Those integrations will be introduced in a separate pull request to keep the scope manageable and reduce the amount of code reviewed in a single PR.

Features

  • Experimental sign-up flow
  • User account creation support
  • Schema-based payload validation
  • Support for Zod, Valibot, TypeBox, and ArkType
  • Server-side API integration via api.signUp()
  • HTTP endpoint integration via /signUp

Config

import { createAuth } from "@aura-stack/auth"
import { z } from "zod" 

const { api } = createAuth({
  oauth: [],
  signUp: {
    schema: z.object({
      name: z.string(),
      lastName: z.string(),
      email: z.string(),
    }),
    onCreateUser: async ({ payload }) => {
      const { name, lastName, email } = payload

      // `db` stands for the application's own data layer; it is not provided by @aura-stack/auth
      await db.createUser({
        name,
        lastName,
        email,
      })

      return {
        sub: "12345678890",
        name,
        image: "...",
        email,
      }
    },
  },
})

Usage (API)

await api.signUp({
  payload: {
    name: "John",
    lastName: "Doe",
    email: "john@doe.com",
  },
})

Usage (Endpoint)

const response = await fetch(
  "http://localhost:3000/auth/signUp",
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      name: "John",
      lastName: "Doe",
      email: "john@doe.com",
    }),
  }
)


vercel Bot commented Jun 9, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
auth Skipped Skipped Jun 10, 2026 4:49pm


coderabbitai Bot commented Jun 9, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f70bbee9-3a9d-42be-9b7b-4990cb81d6bc

📥 Commits

Reviewing files that changed from the base of the PR and between a09208c and 9b6f6c4.

📒 Files selected for processing (8)
  • packages/core/CHANGELOG.md
  • packages/core/src/@types/config.ts
  • packages/elysia/CHANGELOG.md
  • packages/express/CHANGELOG.md
  • packages/hono/CHANGELOG.md
  • packages/next/CHANGELOG.md
  • packages/react-router/CHANGELOG.md
  • packages/react/CHANGELOG.md
📝 Walkthrough

This PR introduces a new sign-up feature into the auth system. It adds type contracts for sign-up API options and responses, extends configuration types with a SignUpSchema generic parameter, implements a core signUp orchestration function that manages user creation via callbacks and session management, wires a POST /signUp action endpoint, and integrates sign-up throughout the auth initialization chain. Comprehensive tests validate success/failure paths, redirect behavior, and schema validation.

Changes

Sign-up Feature Implementation

Layer: Type contracts for sign-up API and configuration
File(s): packages/core/src/@types/api.ts, packages/core/src/@types/config.ts
Summary: SignUpAPIOptions, SignUpReturnData, and SignUpAPIReturn define the programmatic API surface. AuthConfig, AuthAPI, RouterGlobalContext, AuthInstance, and InternalContext all gain a SignUpSchema generic parameter to parameterize sign-up behavior. New SignUpConfig and OnCreateUserContext types define the configuration contract.

Layer: Sign-up orchestration API implementation
File(s): packages/core/src/api/signUp.ts, packages/core/src/api/index.ts
Summary: Core signUp function accepts payload and optional request/headers/redirect parameters, invokes the configured onCreateUser callback to derive the user, creates a session and CSRF token, sets secure cookies, computes redirect behavior, and returns a SignUpAPIReturn with toResponse() factory that emits JSON with appropriate HTTP status (302 for server redirect, 200 for client-side, 400 for errors).

Layer: Sign-up action endpoint
File(s): packages/core/src/actions/signUp/signUp.ts, packages/core/src/actions/index.ts
Summary: signUpAction endpoint wired via createEndpoint with request body schema and redirect search params. Handler extracts body payload and calls the underlying signUp API, returning the response via toResponse().

Layer: Auth system integration and wiring
File(s): packages/core/src/createAuth.ts, packages/core/src/router/context.ts, packages/core/src/api/createApi.ts, packages/core/src/actions/signIn/authorization.ts
Summary: createContext, createInternalConfig, createAuthInstance, and createAuth all extended with SignUpSchema generic parameter and wire sign-up configuration through the auth context. createAuthAPI exposes signUp method delegating to the orchestration function. getTrustedOrigins type updated to reflect new AuthConfig generic signature.

Layer: Tests and supporting configuration
File(s): packages/core/test/api/signUp.test.ts, packages/core/test/actions/signUp/signUp.test.ts, packages/core/test/presets.ts, packages/core/test/types.test-d.ts, packages/core/src/shared/logger.ts
Summary: Comprehensive test suites validate successful sign-up with session token verification, failure paths (null returns, validation), BASE_URL validation, and redirect scenarios (relative/absolute redirectTo, malicious URL fallback). Logger updated with SIGN_UP_SUCCESS message. Test presets include signUp.onCreateUser handler. Type tests assert api.signUp method signature and payload inference for multiple schema providers.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • aura-stack-ts/auth#143: SignUpAPIReturn is built on the standardized AuthActionAPIReturn shape introduced in this PR, making the return-type contracts directly connected.
  • aura-stack-ts/auth#160: Main PR's SignUpSchema generic threading through AuthConfig extends the schema/type system changes that added broader schema inference support to the config.
  • aura-stack-ts/auth#174: Sign-up endpoint wires RedirectOptionsSchema for redirect/redirectTo handling, which is the same standardized redirect convention introduced in this retrieved PR.

Suggested labels

feature, experimental



🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Title check: ✅ Passed. The title 'feat(core): add experimental signUp flow API and endpoint' clearly and specifically summarizes the main changes across the pull request, which introduces new signUp API types, implementation, and endpoint handler.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.


Comment @coderabbitai help to get the list of available commands and usage tips.
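
The walkthrough above mentions redirect tests covering relative and absolute redirectTo values and a fallback for malicious URLs. The following is an added example, not code from this PR or from @aura-stack/auth: a hypothetical resolveRedirect helper, with an assumed base URL, trusted-origin list and "/" fallback, showing one way to make that decision on the parsed origin.

```typescript
// Added example: not code from @aura-stack/auth. resolveRedirect, its parameters
// and the "/" fallback are assumptions made for illustration.
type RedirectDecision = { url: string; reason: "relative" | "trusted" | "fallback" }

const FALLBACK: RedirectDecision = { url: "/", reason: "fallback" }

function resolveRedirect(
  redirectTo: string | null | undefined,
  baseURL: string,
  trustedOrigins: string[] = [],
): RedirectDecision {
  if (!redirectTo) return FALLBACK
  // Backslashes and control characters are normalised or stripped by URL parsers,
  // which can turn a path-looking value into "//other-host". Reject them outright.
  if (/[\u0000-\u001f\u007f\\]/.test(redirectTo)) return FALLBACK

  const base = new URL(baseURL) // a malformed base URL is a configuration error: let it throw
  let target: URL
  try {
    target = new URL(redirectTo, base)
  } catch {
    return FALLBACK
  }
  // Only web schemes; this drops javascript:, data: and similar.
  if (target.protocol !== "http:" && target.protocol !== "https:") return FALLBACK

  // Path-only input ("/dashboard"): return path, query and hash, never a host.
  if (redirectTo.startsWith("/") && !redirectTo.startsWith("//")) {
    if (target.origin !== base.origin) return FALLBACK
    return { url: target.pathname + target.search + target.hash, reason: "relative" }
  }

  // Absolute or protocol-relative input: compare the parsed origin, not a string
  // prefix, so "https://app.example.com@evil.example/" is judged by its real host.
  const allowed = new Set([base.origin, ...trustedOrigins.map((o) => new URL(o).origin)])
  return allowed.has(target.origin) ? { url: target.href, reason: "trusted" } : FALLBACK
}

// Constructed sample inputs.
const samples = ["/dashboard?tab=1", "//evil.example/x", "https://app.example.com@evil.example/"]
for (const s of samples) console.log(s, "->", resolveRedirect(s, "https://app.example.com"))
```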

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
packages/core/test/api/signUp.test.ts (1)

60-70: ⚡ Quick win

Add a toResponse() assertion on the failure case to lock API contract parity.

This test already checks the object shape; adding checks for await output.toResponse().json() (including error.code) will prevent silent drift between object and response paths.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/test/api/signUp.test.ts` around lines 60 - 70, The test
currently asserts the returned output object shape but not the HTTP response
body; add an assertion that calls await output.toResponse().json() and verifies
the response JSON matches the failure payload (at minimum that
response.error.code === "USER_CREATION_FAILED" and response.error.message
matches the expected message) to keep the toResponse() path in sync with the
object shape produced by the sign-up flow (look for usages of output and
output.toResponse in signUp.test.ts).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/core/src/actions/signUp/signUp.ts`:
- Around line 28-37: The signUp handler currently calls signInCredentials
(skipping the sign-up path and onCreateUser), so change the flow to execute the
sign-up callback before signing in: either call the existing signUpCredentials
helper (or invoke onCreateUser directly) to create the user using the
signUp.schema-validated payload and then call signInCredentials to produce the
session/response; ensure the code references the same payload and
request/headers (ctx.request, ctx.request.headers,
ctx.searchParams.redirect/redirectTo) and that onCreateUser is awaited and its
result used when constructing the sign-in call so onCreateUser is not bypassed.

In `@packages/core/src/api/signUp.ts`:
- Around line 65-80: The toResponse() implementation in signUp.ts currently
returns a body without the error payload and omits the response headers; update
the toResponse() function to return a Response.json payload that includes the
same error object (code and message) and other fields (success, redirect,
redirectURL), and attach the existing Headers instance (secureApiHeaders or the
returned headers) to the Response so callers using toResponse() receive
identical body and headers as the top-level return. Locate the toResponse method
in the sign-up response object and ensure it serializes the error object and
uses new Response(..., { headers: headersInstance }) when building the Response.

In `@packages/core/src/createAuth.ts`:
- Line 50: The sign-up route is being registered unconditionally using a forced
cast of config.context.signUp to SignUpConfig, which crashes when signUp is
absent; modify the registration logic in createAuth (where signUpAction(...) is
invoked) to first check that config.context.signUp is defined (e.g., if
(config.context.signUp) ...) and only then call signUpAction with the properly
typed config.context.signUp (avoid the forced cast). Ensure any route array or
middleware list that currently unconditionally includes signUpAction is
conditionally appended based on presence of signUp so initialization skips
sign-up when not configured.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b65dde41-eb4b-4e1a-9045-a5099fa420fe

📥 Commits

Reviewing files that changed from the base of the PR and between b339302 and 812271e.

📒 Files selected for processing (16)
  • packages/core/src/@types/api.ts
  • packages/core/src/@types/config.ts
  • packages/core/src/actions/index.ts
  • packages/core/src/actions/signIn/authorization.ts
  • packages/core/src/actions/signUp/signUp.ts
  • packages/core/src/api/createApi.ts
  • packages/core/src/api/index.ts
  • packages/core/src/api/signUp.ts
  • packages/core/src/client/client.ts
  • packages/core/src/createAuth.ts
  • packages/core/src/router/context.ts
  • packages/core/src/shared/identity.ts
  • packages/core/src/shared/logger.ts
  • packages/core/test/api/signUp.test.ts
  • packages/core/test/presets.ts
  • packages/core/test/types.test-d.ts

Comment thread packages/core/src/actions/signUp/signUp.ts Outdated
Comment thread packages/core/src/api/signUp.ts
Comment thread packages/core/src/createAuth.ts Outdated
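
The review above asks that toResponse() carry the same error payload and headers as the returned object. The following is an added example, not the PR's code: createSignUpReturn, statusFor, the Location header and the sample values are assumptions, and it shows one way to build both paths from a single serialised body and a single Headers instance.

```typescript
// Added example: not code from @aura-stack/auth. The names, the Location header
// and the sample values below are assumptions made for illustration.
type SignUpOutcome = {
  success: boolean
  redirect: boolean
  redirectURL: string | null
  error: { code: string; message: string } | null
}

// Status mapping as the walkthrough describes it: 400 on error,
// 302 for a server-side redirect, 200 otherwise.
function statusFor(outcome: SignUpOutcome): number {
  if (!outcome.success) return 400
  return outcome.redirect && outcome.redirectURL ? 302 : 200
}

function createSignUpReturn(outcome: SignUpOutcome, headers: Headers) {
  const status = statusFor(outcome)
  // Serialise once, so the object path and the Response path cannot drift apart.
  const body = JSON.stringify(outcome)
  return {
    ...outcome,
    headers,
    status,
    body,
    toResponse(): Response {
      // Copy the caller's headers (session and CSRF cookies live here) rather
      // than building a fresh, empty set.
      const out = new Headers(headers)
      out.set("Content-Type", "application/json")
      if (status === 302 && outcome.redirectURL) out.set("Location", outcome.redirectURL)
      return new Response(body, { status, headers: out })
    },
  }
}

// Constructed failure case, using the error code named in the review.
const failed = createSignUpReturn(
  { success: false, redirect: false, redirectURL: null,
    error: { code: "USER_CREATION_FAILED", message: "User could not be created" } },
  new Headers({ "Cache-Control": "no-store" }),
)
console.log(failed.status, failed.toResponse().headers.get("cache-control"), failed.body)
```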

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/core/src/@types/config.ts`:
- Line 18: The AuthConfig type was made stricter by adding a required
SignUpSchema generic, breaking existing AuthConfig<Identity> usage; restore
public compatibility by giving the SignUpSchema generic a default (aligning with
other public types). Update the declaration of AuthConfig to provide a default
for SignUpSchema (using the existing SchemaTypes type) so callers can omit the
second generic; keep the Identity generic bounded by Identities as before and
leave the rest of the type unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 868bc0c6-25f4-42c3-8cb9-0f91558175c3

📥 Commits

Reviewing files that changed from the base of the PR and between 812271e and a09208c.

📒 Files selected for processing (15)
  • packages/core/src/@types/api.ts
  • packages/core/src/@types/config.ts
  • packages/core/src/actions/signIn/authorization.ts
  • packages/core/src/actions/signUp/signUp.ts
  • packages/core/src/api/createApi.ts
  • packages/core/src/api/signUp.ts
  • packages/core/src/client/client.ts
  • packages/core/src/createAuth.ts
  • packages/core/src/router/context.ts
  • packages/core/src/shared/logger.ts
  • packages/core/test/actions/signUp/signUp.test.ts
  • packages/core/test/api/signInCredentials.test.ts
  • packages/core/test/api/signUp.test.ts
  • packages/core/test/presets.ts
  • packages/core/test/types.test-d.ts
✅ Files skipped from review due to trivial changes (1)
  • packages/core/src/client/client.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/core/src/@types/api.ts
  • packages/core/src/actions/signIn/authorization.ts

Comment thread packages/core/src/@types/config.ts Outdated
@halvaradop halvaradop merged commit 0bb2d5f into master Jun 10, 2026
4 of 5 checks passed
@halvaradop halvaradop deleted the feat/add-sign-up-action branch June 10, 2026 16:49

Labels

experimental feature New functionality
