Update adapters to use AuthPlugin service for authentication

[Copilot]

Adapters (Hono/Next.js/NestJS) bypassed the AuthPlugin service, routing auth through the deprecated HttpDispatcher.handleAuth(). This PR wires them to kernel.getService('auth') with graceful fallback.

Adapter changes

• Hono: Forwards c.req.raw (Web Request) directly to authService.handleRequest()
• Next.js: Forwards NextRequest to authService.handleRequest(), converts Web Response back to NextResponse
• NestJS: Constructs Web Request from Express/Fastify req (URL, headers, body), forwards to authService.handleRequest(), pipes response back through res
• All three fall back to dispatcher.handleAuth() when no auth service is registered

// New preferred path (all adapters)
const authService = typeof kernel.getService === 'function'
  ? kernel.getService('auth')
  : null;

if (authService && typeof authService.handleRequest === 'function') {
  return await authService.handleRequest(request);
}

// Legacy fallback
const result = await dispatcher.handleAuth(path, method, body, { request });

Tests

• 12 new auth integration tests (4 per adapter): service usage, fallback, GET forwarding, error handling
• All 84 tests pass (24 existing + 4 new per adapter)

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
objectstack-play	Ready	Preview, Comment	Feb 10, 2026 2:52pm
spec	Canceled		Feb 10, 2026 2:52pm

[Copilot]

Pull request overview

This PR updates the Hono, Next.js, and NestJS adapters to route authentication through the AuthPlugin service (kernel.getService('auth').handleRequest(...)) when available, with a backward-compatible fallback to the deprecated HttpDispatcher.handleAuth() path.

Changes:

• Add AuthPlugin-first routing in all three adapters, with dispatcher fallback.
• Add new adapter-level integration tests validating service usage, fallback behavior, GET forwarding, and error handling.
• Implement response/request bridging where needed (notably Next.js and NestJS) to adapt between framework request/response types and Web Request/Response.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
packages/adapters/nextjs/src/index.ts	Routes auth/* via AuthPlugin service first and converts Web Response to NextResponse.
packages/adapters/nextjs/src/nextjs.test.ts	Adds tests covering AuthPlugin-service routing for the Next.js adapter.
packages/adapters/nestjs/src/index.ts	Routes auth/* via AuthPlugin service first by constructing a Web Request and piping the Web Response back to Nest’s response.
packages/adapters/nestjs/src/nestjs.test.ts	Adds tests covering AuthPlugin-service routing for the NestJS adapter.
packages/adapters/hono/src/index.ts	Routes auth/* via AuthPlugin service first by forwarding c.req.raw directly.
packages/adapters/hono/src/hono.test.ts	Adds tests covering AuthPlugin-service routing for the Hono adapter.

[Copilot]

Converting the Web Response to NextResponse via await response.text() and a Record<string,string> drops streaming bodies and cannot preserve multi-value headers (notably set-cookie, which auth flows commonly rely on). Prefer returning a NextResponse backed by response.body and forward headers using a Headers/HeadersInit that preserves duplicates.

Suggested change

	// Convert Web Response to NextResponse
	const body = await response.text();
	const headers: Record<string, string> = {};
	response.headers.forEach((v: string, k: string) => { headers[k] = v; });
	return new NextResponse(body, { status: response.status, headers });
	// Convert Web Response to NextResponse while preserving streaming body and multi-value headers
	const headers = new Headers(response.headers);
	return new NextResponse(response.body, {
	status: response.status,
	headers,
	});

[Copilot]

When piping the AuthPlugin Response back to res, using response.headers.forEach((v,k)=>res.setHeader(k,v)) plus await response.text() will (1) lose streaming/binary bodies and (2) mishandle multi-value headers like set-cookie (only one value survives / may be comma-joined depending on fetch impl). Consider forwarding response.body as a stream when available and ensure set-cookie is set as an array / appended per value.

[Copilot]

The same AuthPlugin-detection logic (checking kernel.getService('auth') and handleRequest) is now duplicated across adapters. To reduce drift, consider extracting a small shared helper (e.g., in @objectstack/runtime or a local adapters util) that returns an auth handler or null, and reuse it here.