akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Replace next-auth with Better Auth, migrate DB columns to camelCase

Browse Source 
- Replace next-auth v5 beta with better-auth v1.6.2 (stable releases)
- Add multi-provider OAuth support with admin UI configuration
- New oauthProviders table with encrypted secrets (AES-256-GCM)
- Env var bootstrap (OAUTH_*) syncs to DB, UI-created providers fully editable
- OAuth provider REST API: GET/POST/PUT/DELETE /api/v1/oauth-providers
- Settings page "Authentication Providers" section for admin management
- Account linking uses new accounts table (multi-provider per user)
- Username plugin for credentials sign-in (replaces email@localhost pattern)
- bcrypt password compatibility (existing hashes work)
- Database-backed sessions via Kysely adapter (bun:sqlite direct)
- Configurable rate limiting via AUTH_RATE_LIMIT_* env vars
- All DB columns migrated from snake_case to camelCase
- All TypeScript types/models migrated to camelCase properties
- Removed casing: "snake_case" from Drizzle config
- Callback URL format: {baseUrl}/api/auth/oauth2/callback/{providerId}
- package-lock.json removed and gitignored (using bun.lock)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-04-12 21:11:48 +02:00
parent eb78b64c2f
commit 3a16d6e9b1
100 changed files with 3390 additions and 14495 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
app/api/auth/[...all]/route.ts Normal file
View File

@@ -0,0 +1,12 @@
import { getAuth } from "@/src/lib/auth-server";
import { toNextJsHandler } from "better-auth/next-js";
export const dynamic = "force-dynamic";
export async function GET(request: Request) {
return toNextJsHandler(getAuth()).GET(request);
}
export async function POST(request: Request) {
return toNextJsHandler(getAuth()).POST(request);
}

97
app/api/auth/[...nextauth]/route.ts
View File

@@ -1,97 +0,0 @@
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
import { handlers } from "@/src/lib/auth";
import { isRateLimited, registerFailedAttempt, resetAttempts } from "@/src/lib/rate-limit";
export const dynamic = 'force-dynamic';
export const { GET } = handlers;
function getClientIp(request: NextRequest): string {
// Get client IP from headers
// In production, ensure your reverse proxy (Caddy) sets these headers correctly
const forwarded = request.headers.get("x-forwarded-for");
if (forwarded) {
const parts = forwarded.split(",");
return parts[parts.length - 1]?.trim() || "unknown";
}
const real = request.headers.get("x-real-ip");
if (real) {
return real.trim();
}
return "unknown";
}
function buildRateLimitKey(ip: string, username: string) {
const normalizedUsername = username.trim().toLowerCase() || "unknown";
return `login:${ip}:${normalizedUsername}`;
}
function buildBlockedResponse(retryAfterMs?: number) {
const retryAfterSeconds = retryAfterMs ? Math.ceil(retryAfterMs / 1000) : 60;
const retryAfterMinutes = Math.max(1, Math.ceil(retryAfterSeconds / 60));
return NextResponse.json(
{
error: `Too many login attempts. Try again in about ${retryAfterMinutes} minute${retryAfterMinutes === 1 ? "" : "s"}.`
},
{
status: 429,
headers: {
"Retry-After": retryAfterSeconds.toString()
}
}
);
}
export async function POST(request: NextRequest) {
const formData = await request.clone().formData();
const username = String(formData.get("username") ?? "");
const ip = getClientIp(request);
const rateLimitKey = buildRateLimitKey(ip, username);
const limitation = isRateLimited(rateLimitKey);
if (limitation.blocked) {
return buildBlockedResponse(limitation.retryAfterMs);
}
const response = await handlers.POST(request);
// Determine success/failure by inspecting redirect destination, not status code.
// Auth.js returns 302 (direct form) or 200+JSON (X-Auth-Return-Redirect) on both
// success and failure — the error is signaled by the destination URL containing "error=".
const isFailure = await isAuthFailureResponse(response);
if (isFailure) {
const result = registerFailedAttempt(rateLimitKey);
if (result.blocked) {
return buildBlockedResponse(result.retryAfterMs);
}
} else {
resetAttempts(rateLimitKey);
}
return response;
}
async function isAuthFailureResponse(response: Response): Promise<boolean> {
// Redirect case: Auth.js sets Location header
const location = response.headers.get("location");
if (location) {
return location.includes("error=");
}
// JSON case (X-Auth-Return-Redirect: 1): body is {"url": "..."}
const contentType = response.headers.get("content-type") ?? "";
if (response.status === 200 && contentType.includes("application/json")) {
try {
const cloned = response.clone();
const body = await cloned.json() as { url?: string };
if (typeof body.url === "string") {
return body.url.includes("error=");
}
} catch {
// ignore parse errors
}
}
// Any 4xx/5xx is a failure
return response.status >= 400;
}

12
app/api/auth/logout/route.ts
View File

@@ -1,10 +1,14 @@
import { NextRequest } from "next/server";
import { signOut, checkSameOrigin } from "@/src/lib/auth";
import { NextRequest, NextResponse } from "next/server";
import { getAuth } from "@/src/lib/auth-server";
import { checkSameOrigin } from "@/src/lib/auth";
import { headers } from "next/headers";
export const dynamic = 'force-dynamic';
export const dynamic = "force-dynamic";
export async function POST(request: NextRequest) {
const originCheck = checkSameOrigin(request);
if (originCheck) return originCheck;
await signOut({ redirectTo: "/login" });
await getAuth().api.signOut({ headers: await headers() });
return NextResponse.redirect(new URL("/login", request.url));
}

8
app/api/user/change-password/route.ts
View File

@@ -60,7 +60,7 @@ export async function POST(request: NextRequest) {
}
// If user has a password, verify current password
if (user.password_hash) {
if (user.passwordHash) {
if (!currentPassword) {
return NextResponse.json(
{ error: "Current password is required" },
@@ -68,7 +68,7 @@ export async function POST(request: NextRequest) {
);
}
const isValid = bcrypt.compareSync(currentPassword, user.password_hash);
const isValid = bcrypt.compareSync(currentPassword, user.passwordHash);
if (!isValid) {
registerFailedAttempt(rateLimitKey);
return NextResponse.json(
@@ -90,10 +90,10 @@ export async function POST(request: NextRequest) {
// Audit log
await createAuditEvent({
userId,
action: user.password_hash ? "password_changed" : "password_set",
action: user.passwordHash ? "password_changed" : "password_set",
entityType: "user",
entityId: userId,
summary: user.password_hash ? "User changed their password" : "User set a password",
summary: user.passwordHash ? "User changed their password" : "User set a password",
});
return NextResponse.json({

39
app/api/user/unlink-oauth/route.ts
View File

@@ -3,9 +3,8 @@ import { auth, checkSameOrigin } from "@/src/lib/auth";
import { getUserById } from "@/src/lib/models/user";
import { createAuditEvent } from "@/src/lib/models/audit";
import db from "@/src/lib/db";
import { users } from "@/src/lib/db/schema";
import { eq } from "drizzle-orm";
import { nowIso } from "@/src/lib/db";
import { accounts } from "@/src/lib/db/schema";
import { and, eq, ne } from "drizzle-orm";
export async function POST(request: NextRequest) {
const originCheck = checkSameOrigin(request);
@@ -25,35 +24,37 @@ export async function POST(request: NextRequest) {
}
// Must have a password before unlinking OAuth
if (!user.password_hash) {
if (!user.passwordHash) {
return NextResponse.json(
{ error: "Cannot unlink OAuth: You must set a password first" },
{ status: 400 }
);
}
// Must be using OAuth to unlink
if (user.provider === "credentials") {
// Check if user has any OAuth account links
const oauthAccounts = await db.select().from(accounts).where(
and(
eq(accounts.userId, userId),
ne(accounts.providerId, "credential")
)
);
if (oauthAccounts.length === 0) {
return NextResponse.json(
{ error: "No OAuth account to unlink" },
{ status: 400 }
);
}
const previousProvider = user.provider;
const previousProvider = oauthAccounts[0].providerId;
// Revert to credentials-only
const email = user.email;
const username = email.replace(/@localhost$/, "") || email.split("@")[0];
await db
.update(users)
.set({
provider: "credentials",
subject: `${username}@localhost`,
updatedAt: nowIso()
})
.where(eq(users.id, userId));
// Delete the OAuth account link(s)
await db.delete(accounts).where(
and(
eq(accounts.userId, userId),
ne(accounts.providerId, "credential")
)
);
// Audit log
await createAuditEvent({

4
app/api/user/update-avatar/route.ts
View File

@@ -47,7 +47,7 @@ export async function POST(request: NextRequest) {
// Update user avatar
const updatedUser = await updateUserProfile(userId, {
avatar_url: avatarUrl
avatarUrl: avatarUrl
});
if (!updatedUser) {
@@ -69,7 +69,7 @@ export async function POST(request: NextRequest) {
return NextResponse.json({
success: true,
avatarUrl: updatedUser.avatar_url
avatarUrl: updatedUser.avatarUrl
});
} catch (error) {
console.error("Avatar update error:", error);

120
app/api/v1/oauth-providers/[id]/route.ts Normal file
View File

@@ -0,0 +1,120 @@
import { NextRequest, NextResponse } from "next/server";
import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
import { getOAuthProvider, updateOAuthProvider, deleteOAuthProvider } from "@/src/lib/models/oauth-providers";
import type { OAuthProvider } from "@/src/lib/models/oauth-providers";
import { createAuditEvent } from "@/src/lib/models/audit";
import { invalidateProviderCache } from "@/src/lib/auth-server";
function redactSecrets(provider: OAuthProvider) {
const clientId = provider.clientId;
return {
...provider,
clientId: clientId.length > 4 ? "••••" + clientId.slice(-4) : "••••",
clientSecret: "••••••••",
};
}
export async function GET(
request: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
try {
await requireApiAdmin(request);
const { id } = await params;
const provider = await getOAuthProvider(id);
if (!provider) {
return NextResponse.json({ error: "Not found" }, { status: 404 });
}
return NextResponse.json(redactSecrets(provider));
} catch (error) {
return apiErrorResponse(error);
}
}
export async function PUT(
request: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
try {
const { userId } = await requireApiAdmin(request);
const { id } = await params;
const body = await request.json();
const existing = await getOAuthProvider(id);
if (!existing) {
return NextResponse.json({ error: "Not found" }, { status: 404 });
}
// Env-sourced providers can only have `enabled` toggled
if (existing.source === "env") {
const allowedKeys = ["enabled"];
const bodyKeys = Object.keys(body).filter((k) => body[k] !== undefined);
const disallowed = bodyKeys.filter((k) => !allowedKeys.includes(k));
if (disallowed.length > 0) {
return NextResponse.json(
{ error: `Environment-sourced providers can only update: ${allowedKeys.join(", ")}` },
{ status: 400 }
);
}
}
const updated = await updateOAuthProvider(id, body);
if (!updated) {
return NextResponse.json({ error: "Not found" }, { status: 404 });
}
invalidateProviderCache();
await createAuditEvent({
userId,
action: "update",
entityType: "oauth_provider",
entityId: null,
summary: `Updated OAuth provider "${updated.name}"`,
data: JSON.stringify({ providerId: updated.id, fields: Object.keys(body) }),
});
return NextResponse.json(redactSecrets(updated));
} catch (error) {
return apiErrorResponse(error);
}
}
export async function DELETE(
request: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
try {
const { userId } = await requireApiAdmin(request);
const { id } = await params;
const existing = await getOAuthProvider(id);
if (!existing) {
return NextResponse.json({ error: "Not found" }, { status: 404 });
}
if (existing.source === "env") {
return NextResponse.json(
{ error: "Cannot delete an environment-sourced OAuth provider" },
{ status: 400 }
);
}
await deleteOAuthProvider(id);
invalidateProviderCache();
await createAuditEvent({
userId,
action: "delete",
entityType: "oauth_provider",
entityId: null,
summary: `Deleted OAuth provider "${existing.name}"`,
data: JSON.stringify({ providerId: existing.id, name: existing.name }),
});
return NextResponse.json({ ok: true });
} catch (error) {
return apiErrorResponse(error);
}
}

71
app/api/v1/oauth-providers/route.ts Normal file
View File

@@ -0,0 +1,71 @@
import { NextRequest, NextResponse } from "next/server";
import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
import { listOAuthProviders, createOAuthProvider } from "@/src/lib/models/oauth-providers";
import type { OAuthProvider } from "@/src/lib/models/oauth-providers";
import { createAuditEvent } from "@/src/lib/models/audit";
import { invalidateProviderCache } from "@/src/lib/auth-server";
function redactSecrets(provider: OAuthProvider) {
const clientId = provider.clientId;
return {
...provider,
clientId: clientId.length > 4 ? "••••" + clientId.slice(-4) : "••••",
clientSecret: "••••••••",
};
}
export async function GET(request: NextRequest) {
try {
await requireApiAdmin(request);
const providers = await listOAuthProviders();
return NextResponse.json(providers.map(redactSecrets));
} catch (error) {
return apiErrorResponse(error);
}
}
export async function POST(request: NextRequest) {
try {
const { userId } = await requireApiAdmin(request);
const body = await request.json();
if (!body.name || typeof body.name !== "string") {
return NextResponse.json({ error: "name is required" }, { status: 400 });
}
if (!body.clientId || typeof body.clientId !== "string") {
return NextResponse.json({ error: "clientId is required" }, { status: 400 });
}
if (!body.clientSecret || typeof body.clientSecret !== "string") {
return NextResponse.json({ error: "clientSecret is required" }, { status: 400 });
}
const provider = await createOAuthProvider({
name: body.name,
type: body.type ?? "oidc",
clientId: body.clientId,
clientSecret: body.clientSecret,
issuer: body.issuer ?? null,
authorizationUrl: body.authorizationUrl ?? null,
tokenUrl: body.tokenUrl ?? null,
userinfoUrl: body.userinfoUrl ?? null,
scopes: body.scopes ?? "openid email profile",
autoLink: body.autoLink ?? false,
source: "ui",
});
invalidateProviderCache();
await createAuditEvent({
userId,
action: "create",
entityType: "oauth_provider",
entityId: null,
summary: `Created OAuth provider "${provider.name}"`,
data: JSON.stringify({ providerId: provider.id, name: provider.name, type: provider.type }),
});
return NextResponse.json(redactSecrets(provider), { status: 201 });
} catch (error) {
return apiErrorResponse(error);
}
}

10
app/api/v1/openapi.json/route.ts
View File

@@ -1982,7 +1982,7 @@ const spec = {
},
User: {
type: "object",
description: "User account (password_hash is never exposed)",
description: "User account (passwordHash is never exposed)",
properties: {
id: { type: "integer" },
email: { type: "string" },
@@ -1990,12 +1990,12 @@ const spec = {
role: { type: "string", enum: ["admin", "user", "viewer"] },
provider: { type: "string", example: "credentials" },
subject: { type: "string" },
avatar_url: { type: ["string", "null"] },
avatarUrl: { type: ["string", "null"] },
status: { type: "string", enum: ["active", "inactive"] },
created_at: { type: "string", format: "date-time" },
updated_at: { type: "string", format: "date-time" },
createdAt: { type: "string", format: "date-time" },
updatedAt: { type: "string", format: "date-time" },
},
required: ["id", "email", "role", "provider", "subject", "status", "created_at", "updated_at"],
required: ["id", "email", "role", "provider", "subject", "status", "createdAt", "updatedAt"],
},
AuditLogEvent: {
type: "object",

6
app/api/v1/users/[id]/route.ts
View File

@@ -3,7 +3,7 @@ import { requireApiUser, requireApiAdmin, apiErrorResponse, ApiAuthError } from
import { getUserById, updateUserProfile, updateUserRole, updateUserStatus, deleteUser } from "@/src/lib/models/user";
function stripPasswordHash(user: Record<string, unknown>) {
const { password_hash: _, ...rest } = user;
const { passwordHash: _, ...rest } = user;
void _;
return rest;
}
@@ -62,9 +62,9 @@ export async function PUT(
const profileFields: Record<string, unknown> = {};
if (body.email !== undefined) profileFields.email = body.email;
if (body.name !== undefined) profileFields.name = body.name;
if (body.avatar_url !== undefined) profileFields.avatar_url = body.avatar_url;
if (body.avatarUrl !== undefined) profileFields.avatarUrl = body.avatarUrl;
if (Object.keys(profileFields).length > 0) {
await updateUserProfile(targetId, profileFields as { email?: string; name?: string | null; avatar_url?: string | null });
await updateUserProfile(targetId, profileFields as { email?: string; name?: string | null; avatarUrl?: string | null });
}
const user = await getUserById(targetId);

2
app/api/v1/users/route.ts
View File

@@ -3,7 +3,7 @@ import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
import { listUsers } from "@/src/lib/models/user";
function stripPasswordHash(user: Record<string, unknown>) {
const { password_hash: _, ...rest } = user;
const { passwordHash: _, ...rest } = user;
void _;
return rest;
}