
feat(auth): migrate NextAuth → better-auth (fleet standard)#6

Merged
aneebbaig merged 2 commits into
mainfrom
feat/better-auth
Jul 4, 2026

Conversation

@aneebbaig

Owner

Migrates sidekit off NextAuth to better-auth — the fleet auth standard defined in app-starter-skills. Sidekit is the reference implementation the other repos will copy.

What changed

  • better-auth server (lib/auth.ts): email+password, twoFactor (TOTP + single-use backup codes + built-in verify lockout), bearer (mobile/native tokens), rateLimit, and a databaseHooks single-owner guard (first sign-up allowed, later ones rejected even via direct API).
  • Route handler api/auth/[...all], client lib/auth-client.ts (twoFactorClient), middleware via getSessionCookie (edge-safe).
  • Rewrote auth-actions/auth-service/_helpers/layout/account to the better-auth server API. Removed the NextAuth files + custom bcrypt/passwordHash path.
  • Prisma: better-auth tables generated via CLI; dropped User.passwordHash.
  • 2FA UI: account card (password step-up to enable and disable) + /login/2fa.
  • Seed no longer creates a default-credential user — owner is created at /setup. Removed next-auth, @auth/prisma-adapter, bcryptjs.

Verification

tsc clean, and exercised against the dev DB:

  • Owner signup → 200 ✅
  • Second signup → 400 "Registration is closed. Single owner." ✅
  • Login → 200 ✅ · Wrong password → 401 ✅

🤖 Generated with Claude Code
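The single-owner guard described above, as an added example (not the PR's own lib/auth.ts): the hook logic is kept dependency-free so it can be exercised against an in-memory store, and the better-auth wiring is shown only as a comment; every name here is an assumption.

```typescript
// Thrown when a second sign-up is attempted; better-auth surfaces the
// equivalent APIError("BAD_REQUEST") as HTTP 400, matching the PR's check.
class RegistrationClosedError extends Error {
  readonly status = 400;
  constructor() {
    super("Registration is closed. Single owner.");
    this.name = "RegistrationClosedError";
  }
}

interface NewUser { email: string; name: string }

// countUsers abstracts the database call (prisma.user.count() in the real
// app) so the guard can be unit-tested without a database.
function makeSingleOwnerGuard(countUsers: () => Promise<number>) {
  return async (user: NewUser): Promise<{ data: NewUser }> => {
    if ((await countUsers()) > 0) throw new RegistrationClosedError();
    return { data: user }; // returning { data } lets the insert proceed
  };
}

// Assumed wiring in lib/auth.ts (comment only, so this file runs without
// better-auth installed); map RegistrationClosedError to
// new APIError("BAD_REQUEST", { message }) from "better-auth/api" there:
//   betterAuth({
//     databaseHooks: { user: { create: {
//       before: makeSingleOwnerGuard(() => prisma.user.count()) } } },
//   })

// Constructed in-memory store that runs the before-hook, then persists.
class MemoryUserStore {
  private users: NewUser[] = [];
  count = async () => this.users.length;
  async signUp(user: NewUser): Promise<NewUser> {
    const { data } = await makeSingleOwnerGuard(this.count)(user);
    this.users.push(data);
    return data;
  }
}

// Replays the PR's verification: owner sign-up succeeds, the next is rejected.
async function demo(): Promise<{ first: string; second: string }> {
  const store = new MemoryUserStore();
  const first = (await store.signUp({ email: "owner@example.test", name: "Owner" })).email;
  let second = "allowed";
  try {
    await store.signUp({ email: "second@example.test", name: "Second" });
  } catch (e) {
    second = e instanceof RegistrationClosedError ? `rejected:${e.status}` : "unexpected";
  }
  return { first, second };
}
```

The count-then-insert is a check-then-act: with several app instances, two concurrent first sign-ups can both see zero users, so back the hook with a database-level constraint or a serialized transaction rather than relying on it alone.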

aneebbaig and others added 2 commits July 4, 2026 17:52
Bland flat dark-only UI with generic indigo accent and hardcoded
dark-only status colors (unreadable if light mode ever shipped).
Wires up next-themes (already a dependency, unused), swaps accent to
teal, adds real elevation layering, promotes status colors to
semantic theme tokens, and upgrades the shared DataTable primitive
(pagination, sticky header) used by every table in the app.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Vo2PcDtDzHok5EFJ4STR8F

Adopts better-auth as the single auth system per the app-starter-skills
standard. Verified end-to-end against the dev DB: owner signup, single-
owner lockdown, login, and wrong-password rejection all behave correctly.

- better-auth server (lib/auth.ts): email+password, twoFactor (TOTP +
  backup codes, built-in verification lockout), bearer (mobile tokens),
  rateLimit, and a databaseHooks guard enforcing SINGLE OWNER (first
  sign-up allowed, all later ones rejected even via direct API).
- Route handler api/auth/[...all]; client lib/auth-client.ts with
  twoFactorClient; middleware uses getSessionCookie (edge-safe).
- Rewrote auth-actions/auth-service/_helpers/layout/account to the
  better-auth server API; removed the NextAuth files and the custom
  bcrypt/passwordHash path.
- Prisma: better-auth tables (user/session/account/verification/
  twoFactor) generated via the CLI; dropped User.passwordHash.
- 2FA UI: account TotpCard (password step-up to enable AND disable) and
  a /login/2fa step; login routes there on twoFactorRedirect.
- Seed no longer creates a default-credential user; the owner is created
  through /setup. Removed next-auth, @auth/prisma-adapter, bcryptjs.
@vercel

vercel Bot commented Jul 4, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
anhib-hustle Ignored Ignored Jul 4, 2026 3:51pm

@aneebbaig aneebbaig merged commit 002f032 into main Jul 4, 2026
4 checks passed