Replace next-auth with Better Auth, migrate DB columns to camelCase

- Replace next-auth v5 beta with better-auth v1.6.2 (stable releases) - Add multi-provider OAuth support with admin UI configuration - New oauthProviders table with encrypted secrets (AES-256-GCM) - Env var bootstrap (OAUTH_*) syncs to DB, UI-created providers fully editable - OAuth provider REST API: GET/POST/PUT/DELETE /api/v1/oauth-providers - Settings page "Authentication Providers" section for admin management - Account linking uses new accounts table (multi-provider per user) - Username plugin for credentials sign-in (replaces email@localhost pattern) - bcrypt password compatibility (existing hashes work) - Database-backed sessions via Kysely adapter (bun:sqlite direct) - Configurable rate limiting via AUTH_RATE_LIMIT_* env vars - All DB columns migrated from snake_case to camelCase - All TypeScript types/models migrated to camelCase properties - Removed casing: "snake_case" from Drizzle config - Callback URL format: {baseUrl}/api/auth/oauth2/callback/{providerId} - package-lock.json removed and gitignored (using bun.lock) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 21:11:48 +02:00
parent eb78b64c2f
commit 3a16d6e9b1
100 changed files with 3390 additions and 14495 deletions
--- a/app/api/user/unlink-oauth/route.ts
+++ b/app/api/user/unlink-oauth/route.ts
@@ -3,9 +3,8 @@ import { auth, checkSameOrigin } from "@/src/lib/auth";
 import { getUserById } from "@/src/lib/models/user";
 import { createAuditEvent } from "@/src/lib/models/audit";
 import db from "@/src/lib/db";
-import { users } from "@/src/lib/db/schema";
-import { eq } from "drizzle-orm";
-import { nowIso } from "@/src/lib/db";
+import { accounts } from "@/src/lib/db/schema";
+import { and, eq, ne } from "drizzle-orm";

 export async function POST(request: NextRequest) {
  const originCheck = checkSameOrigin(request);
@@ -25,35 +24,37 @@ export async function POST(request: NextRequest) {
    }

    // Must have a password before unlinking OAuth
-    if (!user.password_hash) {
+    if (!user.passwordHash) {
      return NextResponse.json(
        { error: "Cannot unlink OAuth: You must set a password first" },
        { status: 400 }
      );
    }

-    // Must be using OAuth to unlink
-    if (user.provider === "credentials") {
+    // Check if user has any OAuth account links
+    const oauthAccounts = await db.select().from(accounts).where(
+      and(
+        eq(accounts.userId, userId),
+        ne(accounts.providerId, "credential")
+      )
+    );
+
+    if (oauthAccounts.length === 0) {
      return NextResponse.json(
        { error: "No OAuth account to unlink" },
        { status: 400 }
      );
    }

-    const previousProvider = user.provider;
+    const previousProvider = oauthAccounts[0].providerId;

-    // Revert to credentials-only
-    const email = user.email;
-    const username = email.replace(/@localhost$/, "") || email.split("@")[0];
-
-    await db
-      .update(users)
-      .set({
-        provider: "credentials",
-        subject: `${username}@localhost`,
-        updatedAt: nowIso()
-      })
-      .where(eq(users.id, userId));
+    // Delete the OAuth account link(s)
+    await db.delete(accounts).where(
+      and(
+        eq(accounts.userId, userId),
+        ne(accounts.providerId, "credential")
+      )
+    );

    // Audit log
    await createAuditEvent({