Skip to content

Migrate authentication from next-auth to Better Auth#7

Merged
theNEXlevel merged 1 commit into
mainfrom
feat/better-auth
Jul 5, 2026
Merged

Migrate authentication from next-auth to Better Auth#7
theNEXlevel merged 1 commit into
mainfrom
feat/better-auth

Conversation

@theNEXlevel

Copy link
Copy Markdown
Contributor

Summary

Replaces next-auth (Auth.js v5 beta) with Better Auth, keeping the existing Google sign-in and adding email/password login with new /signin and /signup pages.

Server

  • src/lib/auth.ts is now a betterAuth instance (Prisma adapter, Google provider, email/password enabled); a getSession() helper replaces auth() in all API routes and server pages with the same session.user.{id,role} shape
  • Admin impersonation is preserved — the cookie-override logic moved from the next-auth session callback into a customSession plugin
  • Handler moved from /api/auth/[...nextauth] to /api/auth/[...all]

Client

  • src/lib/auth-client.ts (better-auth/react) replaces next-auth/react; SessionProvider removed from the root layout; session update() calls became refetch()
  • User menu "Sign In" routes to the new /signin page

Database

  • Schema rebuilt for Better Auth: boolean emailVerified, required name, new Account/Session shapes, Verification replaces VerificationToken
  • Hand-written migration carries over existing Google account links; active sessions are dropped (users sign in again). Google is a trusted linking provider as a fallback
  • Seed rewritten without @auth/prisma-adapter

Config

  • NEXTAUTH_URLBETTER_AUTH_URL (example.env, docker-compose, Dockerfile); AUTH_TRUST_HOST dropped
  • AUTH_SECRET, AUTH_GOOGLE_ID, AUTH_GOOGLE_SECRET unchanged, so existing CI secrets keep working; the Google OAuth callback path is identical (no GCP console changes)

Test plan

  • pnpm build, pnpm test (45 tests), pnpm lint, tsc --noEmit all pass
  • Migration applied cleanly to a database containing existing next-auth data; seed runs
  • Live-verified against the running app: email/password signup, sign-in (and wrong-password rejection), session includes role, /dashboard gating (200 with session, 307 anonymous), sign-out, and Google authorization URL generation
  • Google sign-in completed in a browser (needs interactive login)
  • Impersonation exercised by an admin (logic ported 1:1, typechecked, not live-tested)

🤖 Generated with Claude Code

Replaces next-auth (Auth.js v5 beta) with better-auth, keeping the
existing Google sign-in and adding email/password login.

- betterAuth instance with Prisma adapter, Google provider, and
  email/password enabled; getSession() helper replaces auth() in
  server routes and pages
- Admin impersonation preserved via the customSession plugin
- New /signin and /signup pages; user menu links to /signin
- Prisma schema rebuilt for Better Auth (boolean emailVerified,
  required name, new Account/Session shapes, Verification table);
  migration carries over existing Google account links, active
  sessions are dropped
- Env: NEXTAUTH_URL renamed to BETTER_AUTH_URL; AUTH_SECRET and
  AUTH_GOOGLE_* unchanged; Google OAuth callback path is identical
- Seed rewritten without @auth/prisma-adapter; tests mock
  @/lib/auth-client instead of next-auth/react

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@theNEXlevel theNEXlevel merged commit b5e6cb0 into main Jul 5, 2026
1 check passed
@theNEXlevel theNEXlevel deleted the feat/better-auth branch July 5, 2026 22:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant