feat: bump deps

apps/web/app/_components/auth-showcase.tsx

@@ -1,8 +1,10 @@
-import { auth, signOut } from '@yuki/auth'
+import { auth } from '@yuki/auth'
 import { Button } from '@yuki/ui/button'
 import { DiscordIcon, GithubIcon } from '@yuki/ui/icons'
 import { Typography } from '@yuki/ui/typography'
 
+import { api } from '@/lib/trpc/server'
+
 export async function AuthShowcase() {
   const session = await auth()
 
@@ -24,7 +26,12 @@ export async function AuthShowcase() {
     <div className="mb-4 flex flex-col items-center justify-center gap-4">
       <Typography className="text-xl">Logged in as {session.user.name}</Typography>
 
-      <form action={signOut}>
+      <form
+        action={async () => {
+          'use server'
+          await api.auth.signOut()
+        }}
+      >
         <Button>Sign out</Button>
       </form>
     </div>

apps/web/app/_components/theme-btn.tsx

@@ -1,10 +1,10 @@
 'use client'
 
 import { useEffect, useState } from 'react'
+import { useTheme } from 'next-themes'
 
 import { Button } from '@yuki/ui/button'
 import { MoonIcon, SunIcon } from '@yuki/ui/icons'
-import { useTheme } from '@yuki/ui/utils'
 
 export const ThemeBtn: React.FC = () => {
   const { theme, setTheme } = useTheme()

apps/web/app/api/trpc/[trpc]/route.ts

@@ -1,4 +1,5 @@
 import type { NextRequest } from 'next/server'
+import { cookies } from 'next/headers'
 import { fetchRequestHandler } from '@trpc/server/adapters/fetch'
 
 import { appRouter, createTRPCContext } from '@yuki/api'
@@ -21,11 +22,15 @@ export const OPTIONS = () => {
 }
 
 const handler = async (req: NextRequest) => {
+  const heads = new Headers(req.headers)
+  const token = (await cookies()).get('auth_token')?.value ?? ''
+  if (!heads.get('Authorization')) heads.set('Authorization', `Bearer ${token}`)
+
   const response = await fetchRequestHandler({
     endpoint: '/api/trpc',
     router: appRouter,
     req,
-    createContext: () => createTRPCContext({ headers: req.headers }),
+    createContext: () => createTRPCContext({ headers: heads }),
     onError({ error, path }) {
       console.error(`>>> tRPC Error on '${path}'`, error)
     },

apps/web/hooks/use-session.tsx

@@ -7,9 +7,9 @@ import type { Session } from '@yuki/auth'
 
 const sessionContext = React.createContext<
   | {
-    session?: Session
-    isLoading: boolean
-  }
+      session?: Session
+      isLoading: boolean
+    }
   | undefined
 >(undefined)
 

apps/web/lib/trpc/server.ts

@@ -1,5 +1,5 @@
 import { cache } from 'react'
-import { headers } from 'next/headers'
+import { cookies, headers } from 'next/headers'
 import { createHydrationHelpers } from '@trpc/react-query/rsc'
 
 import type { AppRouter } from '@yuki/api'
@@ -13,7 +13,9 @@ import { createQueryClient } from '@/lib/trpc/query-client'
  */
 const createContext = cache(async () => {
   const heads = new Headers(await headers())
+  const token = (await cookies()).get('auth_token')?.value
   heads.set('x-trpc-source', 'rsc')
+  heads.set('Authorization', `Bearer ${token}`)
   return createTRPCContext({ headers: heads })
 })
 

apps/web/package.json

@@ -16,7 +16,7 @@
   "prettier": "@yuki/prettier-config",
   "dependencies": {
     "@t3-oss/env-nextjs": "^0.12.0",
-    "@tanstack/react-query": "^5.64.2",
+    "@tanstack/react-query": "^5.65.1",
     "@trpc/client": "^11.0.0-rc.729",
     "@trpc/react-query": "^11.0.0-rc.729",
     "@trpc/server": "^11.0.0-rc.729",
@@ -25,14 +25,15 @@
     "@yuki/db": "workspace:*",
     "@yuki/ui": "workspace:*",
     "next": "15.1.6",
+    "next-themes": "^0.4.4",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "superjson": "^2.2.2",
     "zod": "^3.24.1"
   },
   "devDependencies": {
-    "@tailwindcss/postcss": "^4.0.0",
-    "@types/node": "^22.10.10",
+    "@tailwindcss/postcss": "^4.0.1",
+    "@types/node": "^22.12.0",
     "@types/react": "^19.0.8",
     "@types/react-dom": "^19.0.3",
     "@yuki/eslint-config": "workspace:*",
@@ -42,7 +43,7 @@
     "eslint": "latest",
     "postcss": "^8.5.1",
     "prettier": "latest",
-    "tailwindcss": "^4.0.0",
+    "tailwindcss": "^4.0.1",
     "typescript": "latest"
   }
 }

package.json

@@ -36,7 +36,7 @@
     "turbo": "^2.3.4",
     "typescript": "^5.7.3"
   },
-  "packageManager": "bun@1.2.0",
+  "packageManager": "bun@1.2.1",
   "engines": {
     "bun": ">=1.2.0",
     "node": ">=20.18.1"

packages/api/src/trpc.ts

@@ -11,18 +11,19 @@ import { initTRPC, TRPCError } from '@trpc/server'
 import superjson from 'superjson'
 import { ZodError } from 'zod'
 
-import { auth, validateSessionToken } from '@yuki/auth'
+import type { Session } from '@yuki/auth';
+import { validateSessionToken } from '@yuki/auth'
 import { db } from '@yuki/db'
 
 /**
  * Isomorphic Session getter for API requests
  * - Expo requests will have a session token in the Authorization header
  * - Next.js requests will have a session token in cookies
  */
-const isomorphicGetSession = async (headers: Headers) => {
+const isomorphicGetSession = async (headers: Headers): Promise<Session> => {
   const authToken = headers.get('Authorization') ?? null
   if (authToken) return validateSessionToken(authToken.replace('Bearer ', ''))
-  return auth()
+  return { expires: new Date(Date.now()) }
 }
 
 /**

packages/auth/package.json

@@ -25,6 +25,7 @@
   },
   "prettier": "@yuki/prettier-config",
   "dependencies": {
+    "@node-rs/argon2": "^2.0.2",
     "@oslojs/crypto": "^1.0.1",
     "@oslojs/encoding": "^1.1.0",
     "@t3-oss/env-nextjs": "^0.12.0",

packages/auth/src/config.ts

@@ -5,12 +5,7 @@ import { Discord, GitHub } from 'arctic'
 
 import type { Session } from './lib/session'
 import { env } from './env'
-import {
-  createSession,
-  generateSessionToken,
-  invalidateSessionToken,
-  validateSessionToken,
-} from './lib/session'
+import { validateSessionToken } from './lib/session'
 
 const getOAuthConfig = (callbackUrl: string) => ({
   // add more configs based on the OAuth providers you want to use
@@ -47,32 +42,5 @@ const auth = async (): Promise<Session> => {
   return validateSessionToken(token)
 }
 
-const signIn = async (userId: string) => {
-  const token = generateSessionToken()
-  const session = await createSession(token, userId)
-  ;(await cookies()).set(KEY, token, {
-    httpOnly: true,
-    path: '/',
-    secure: env.NODE_ENV === 'production',
-    sameSite: 'lax',
-    expires: session.expiresAt,
-  })
-}
-
-const signOut = async () => {
-  const token = (await cookies()).get(KEY)?.value ?? ''
-  if (!token) return
-
-  await invalidateSessionToken(`Bearer ${token}`)
-  ;(await cookies()).set(KEY, '', {
-    httpOnly: true,
-    path: '/',
-    secure: env.NODE_ENV === 'production',
-    sameSite: 'lax',
-    maxAge: 0,
-  })
-}
-
-export { getOAuthConfig }
-export { auth, signIn, signOut }
+export { auth, getOAuthConfig }
 export type { Session }

packages/auth/src/index.rsc.ts

@@ -1,6 +1,6 @@
 import { cache } from 'react'
 
-import { signIn, signOut, auth as uncachedAuth } from './config'
+import { auth as uncachedAuth } from './config'
 
 /**
  * This is the main way to get session data for your RSCs.
@@ -12,5 +12,10 @@ export { OAuth2RequestError } from 'arctic'
 
 export type { Session } from './config'
 export { handlers } from './lib/handlers'
-export { auth, signIn, signOut }
-export { invalidateSessionToken, validateSessionToken } from './lib/session'
+export { auth }
+export { hashPassword, verifyHashedPassword } from './lib/password'
+export {
+  createSession,
+  invalidateSessionToken,
+  validateSessionToken,
+} from './lib/session'

packages/auth/src/index.ts

@@ -2,5 +2,10 @@ export { OAuth2RequestError } from 'arctic'
 
 export type { Session } from './config'
 export { handlers } from './lib/handlers'
-export { auth, signIn, signOut } from './config'
-export { invalidateSessionToken, validateSessionToken } from './lib/session'
+export { auth } from './config'
+export { hashPassword, verifyHashedPassword } from './lib/password'
+export {
+  createSession,
+  invalidateSessionToken,
+  validateSessionToken,
+} from './lib/session'

packages/auth/src/lib/handlers.ts

@@ -3,8 +3,10 @@ import { cookies } from 'next/headers'
 import { NextResponse } from 'next/server'
 import { OAuth2RequestError } from 'arctic'
 
-import { auth, signIn } from '../config'
+import { auth } from '../config'
+import { env } from '../env'
 import { OAuth } from './OAuth'
+import { createSession } from './session'
 
 export const handlers = async (
   req: NextRequest,
@@ -31,7 +33,14 @@ export const handlers = async (
       nextUrl,
       req.cookies.get('oauth_state')?.value,
     )
-    await signIn(user.id)
+    const { token, expiresAt } = await createSession(user.id)
+    ;(await cookies()).set('auth_token', token, {
+      httpOnly: true,
+      path: '/',
+      secure: env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      expires: expiresAt,
+    })
     ;(await cookies()).delete('oauth_state')
 
     return NextResponse.redirect(new URL('/', nextUrl))

packages/auth/src/lib/password.ts

@@ -0,0 +1,14 @@
+import { hash, verify } from '@node-rs/argon2'
+
+export const hashPassword = async (password: string): Promise<string> =>
+  await hash(password, {
+    memoryCost: 19456,
+    timeCost: 2,
+    outputLen: 32,
+    parallelism: 1,
+  })
+
+export const verifyHashedPassword = async (
+  hash: string,
+  password: string,
+): Promise<boolean> => await verify(hash, password)

packages/auth/src/lib/session.ts

@@ -1,7 +1,7 @@
 import { sha256 } from '@oslojs/crypto/sha2'
 import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase } from '@oslojs/encoding'
 
-import type { Session as PrismaSession, User } from '@yuki/db'
+import type { User } from '@yuki/db'
 import { db } from '@yuki/db'
 
 interface Session {
@@ -18,14 +18,18 @@ const generateSessionToken = (): string => {
   return token
 }
 
-const createSession = async (token: string, userId: string): Promise<PrismaSession> => {
+const createSession = async (
+  userId: string,
+): Promise<{ token: string; expiresAt: Date }> => {
+  const token = generateSessionToken()
   const session = {
     sessionToken: encodeHexLowerCase(sha256(new TextEncoder().encode(token))),
     expiresAt: new Date(Date.now() + EXPIRES_IN),
     user: { connect: { id: userId } },
   }
 
-  return await db.session.create({ data: session })
+  await db.session.create({ data: session })
+  return { token, expiresAt: session.expiresAt }
 }
 
 const validateSessionToken = async (token: string): Promise<Session> => {

packages/db/package.json

@@ -25,8 +25,8 @@
   "prettier": "@yuki/prettier-config",
   "dependencies": {
     "@neondatabase/serverless": "^0.10.4",
-    "@prisma/adapter-neon": "^6.2.1",
-    "@prisma/client": "^6.2.1"
+    "@prisma/adapter-neon": "^6.3.0",
+    "@prisma/client": "^6.3.0"
   },
   "devDependencies": {
     "@yuki/eslint-config": "workspace:*",
@@ -35,7 +35,7 @@
     "dotenv-cli": "^8.0.0",
     "eslint": "latest",
     "prettier": "latest",
-    "prisma": "^6.2.1",
+    "prisma": "^6.3.0",
     "typescript": "latest"
   }
 }

packages/ui/package.json

@@ -38,10 +38,9 @@
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "lucide-react": "^0.474.0",
-    "next-themes": "^0.4.4",
     "react": "^19.0.0",
-    "tailwind-merge": "^2.6.0",
-    "tailwindcss": "^4.0.0"
+    "tailwind-merge": "^3.0.1",
+    "tailwindcss": "^4.0.1"
   },
   "devDependencies": {
     "@types/react": "^19.0.8",

packages/ui/src/utils.ts

@@ -5,5 +5,3 @@ import { twMerge } from 'tailwind-merge'
 export function cn(...inputs: ClassValue[]) {
   return twMerge(clsx(inputs))
 }
-
-export * from 'next-themes'

tooling/eslint/package.json

@@ -21,7 +21,7 @@
     "eslint-plugin-react": "^7.37.4",
     "eslint-plugin-react-hooks": "^5.1.0",
     "eslint-plugin-turbo": "^2.3.4",
-    "typescript-eslint": "^8.21.0"
+    "typescript-eslint": "^8.22.0"
   },
   "devDependencies": {
     "@yuki/prettier-config": "workspace:*",