Replace next-auth with Better Auth, migrate DB columns to camelCase

- Replace next-auth v5 beta with better-auth v1.6.2 (stable releases) - Add multi-provider OAuth support with admin UI configuration - New oauthProviders table with encrypted secrets (AES-256-GCM) - Env var bootstrap (OAUTH_*) syncs to DB, UI-created providers fully editable - OAuth provider REST API: GET/POST/PUT/DELETE /api/v1/oauth-providers - Settings page "Authentication Providers" section for admin management - Account linking uses new accounts table (multi-provider per user) - Username plugin for credentials sign-in (replaces email@localhost pattern) - bcrypt password compatibility (existing hashes work) - Database-backed sessions via Kysely adapter (bun:sqlite direct) - Configurable rate limiting via AUTH_RATE_LIMIT_* env vars - All DB columns migrated from snake_case to camelCase - All TypeScript types/models migrated to camelCase properties - Removed casing: "snake_case" from Drizzle config - Callback URL format: {baseUrl}/api/auth/oauth2/callback/{providerId} - package-lock.json removed and gitignored (using bun.lock) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 21:11:48 +02:00
parent eb78b64c2f
commit 3a16d6e9b1
100 changed files with 3390 additions and 14495 deletions
--- a/app/api/auth/[...all]/route.ts
+++ b/app/api/auth/[...all]/route.ts
@@ -0,0 +1,12 @@
+import { getAuth } from "@/src/lib/auth-server";
+import { toNextJsHandler } from "better-auth/next-js";
+
+export const dynamic = "force-dynamic";
+
+export async function GET(request: Request) {
+  return toNextJsHandler(getAuth()).GET(request);
+}
+
+export async function POST(request: Request) {
+  return toNextJsHandler(getAuth()).POST(request);
+}
--- a/app/api/auth/[...nextauth]/route.ts
+++ b/app/api/auth/[...nextauth]/route.ts
@@ -1,97 +0,0 @@
-import { NextResponse } from "next/server";
-import type { NextRequest } from "next/server";
-import { handlers } from "@/src/lib/auth";
-import { isRateLimited, registerFailedAttempt, resetAttempts } from "@/src/lib/rate-limit";
-
-export const dynamic = 'force-dynamic';
-
-export const { GET } = handlers;
-
-function getClientIp(request: NextRequest): string {
-  // Get client IP from headers
-  // In production, ensure your reverse proxy (Caddy) sets these headers correctly
-  const forwarded = request.headers.get("x-forwarded-for");
-  if (forwarded) {
-    const parts = forwarded.split(",");
-    return parts[parts.length - 1]?.trim() || "unknown";
-  }
-  const real = request.headers.get("x-real-ip");
-  if (real) {
-    return real.trim();
-  }
-  return "unknown";
-}
-
-function buildRateLimitKey(ip: string, username: string) {
-  const normalizedUsername = username.trim().toLowerCase() || "unknown";
-  return `login:${ip}:${normalizedUsername}`;
-}
-
-function buildBlockedResponse(retryAfterMs?: number) {
-  const retryAfterSeconds = retryAfterMs ? Math.ceil(retryAfterMs / 1000) : 60;
-  const retryAfterMinutes = Math.max(1, Math.ceil(retryAfterSeconds / 60));
-  return NextResponse.json(
-    {
-      error: `Too many login attempts. Try again in about ${retryAfterMinutes} minute${retryAfterMinutes === 1 ? "" : "s"}.`
-    },
-    {
-      status: 429,
-      headers: {
-        "Retry-After": retryAfterSeconds.toString()
-      }
-    }
-  );
-}
-
-export async function POST(request: NextRequest) {
-  const formData = await request.clone().formData();
-  const username = String(formData.get("username") ?? "");
-  const ip = getClientIp(request);
-  const rateLimitKey = buildRateLimitKey(ip, username);
-
-  const limitation = isRateLimited(rateLimitKey);
-  if (limitation.blocked) {
-    return buildBlockedResponse(limitation.retryAfterMs);
-  }
-
-  const response = await handlers.POST(request);
-
-  // Determine success/failure by inspecting redirect destination, not status code.
-  // Auth.js returns 302 (direct form) or 200+JSON (X-Auth-Return-Redirect) on both
-  // success and failure — the error is signaled by the destination URL containing "error=".
-  const isFailure = await isAuthFailureResponse(response);
-
-  if (isFailure) {
-    const result = registerFailedAttempt(rateLimitKey);
-    if (result.blocked) {
-      return buildBlockedResponse(result.retryAfterMs);
-    }
-  } else {
-    resetAttempts(rateLimitKey);
-  }
-
-  return response;
-}
-
-async function isAuthFailureResponse(response: Response): Promise<boolean> {
-  // Redirect case: Auth.js sets Location header
-  const location = response.headers.get("location");
-  if (location) {
-    return location.includes("error=");
-  }
-  // JSON case (X-Auth-Return-Redirect: 1): body is {"url": "..."}
-  const contentType = response.headers.get("content-type") ?? "";
-  if (response.status === 200 && contentType.includes("application/json")) {
-    try {
-      const cloned = response.clone();
-      const body = await cloned.json() as { url?: string };
-      if (typeof body.url === "string") {
-        return body.url.includes("error=");
-      }
-    } catch {
-      // ignore parse errors
-    }
-  }
-  // Any 4xx/5xx is a failure
-  return response.status >= 400;
-}
--- a/app/api/auth/logout/route.ts
+++ b/app/api/auth/logout/route.ts
@@ -1,10 +1,14 @@
-import { NextRequest } from "next/server";
-import { signOut, checkSameOrigin } from "@/src/lib/auth";
+import { NextRequest, NextResponse } from "next/server";
+import { getAuth } from "@/src/lib/auth-server";
+import { checkSameOrigin } from "@/src/lib/auth";
+import { headers } from "next/headers";

-export const dynamic = 'force-dynamic';
+export const dynamic = "force-dynamic";

 export async function POST(request: NextRequest) {
  const originCheck = checkSameOrigin(request);
  if (originCheck) return originCheck;
-  await signOut({ redirectTo: "/login" });
+
+  await getAuth().api.signOut({ headers: await headers() });
+  return NextResponse.redirect(new URL("/login", request.url));
 }