diff --git a/.agents/skills/better-auth-best-practices/SKILL.md b/.agents/skills/better-auth-best-practices/SKILL.md new file mode 100644 index 0000000..3458e07 --- /dev/null +++ b/.agents/skills/better-auth-best-practices/SKILL.md @@ -0,0 +1,166 @@ +--- +name: better-auth-best-practices +description: Skill for integrating Better Auth - the comprehensive TypeScript authentication framework. +--- + +# Better Auth Integration Guide + +**Always consult [better-auth.com/docs](https://better-auth.com/docs) for code examples and latest API.** + +Better Auth is a TypeScript-first, framework-agnostic auth framework supporting email/password, OAuth, magic links, passkeys, and more via plugins. + +--- + +## Quick Reference + +### Environment Variables +- `BETTER_AUTH_SECRET` - Encryption secret (min 32 chars). Generate: `openssl rand -base64 32` +- `BETTER_AUTH_URL` - Base URL (e.g., `https://example.com`) + +Only define `baseURL`/`secret` in config if env vars are NOT set. + +### File Location +CLI looks for `auth.ts` in: `./`, `./lib`, `./utils`, or under `./src`. Use `--config` for custom path. + +### CLI Commands +- `npx @better-auth/cli@latest migrate` - Apply schema (built-in adapter) +- `npx @better-auth/cli@latest generate` - Generate schema for Prisma/Drizzle +- `npx @better-auth/cli mcp --cursor` - Add MCP to AI tools + +**Re-run after adding/changing plugins.** + +--- + +## Core Config Options + +| Option | Notes | +|--------|-------| +| `appName` | Optional display name | +| `baseURL` | Only if `BETTER_AUTH_URL` not set | +| `basePath` | Default `/api/auth`. Set `/` for root. | +| `secret` | Only if `BETTER_AUTH_SECRET` not set | +| `database` | Required for most features. See adapters docs. | +| `secondaryStorage` | Redis/KV for sessions & rate limits | +| `emailAndPassword` | `{ enabled: true }` to activate | +| `socialProviders` | `{ google: { clientId, clientSecret }, ... }` | +| `plugins` | Array of plugins | +| `trustedOrigins` | CSRF whitelist | + +--- + +## Database + +**Direct connections:** Pass `pg.Pool`, `mysql2` pool, `better-sqlite3`, or `bun:sqlite` instance. + +**ORM adapters:** Import from `better-auth/adapters/drizzle`, `better-auth/adapters/prisma`, `better-auth/adapters/mongodb`. + +**Critical:** Better Auth uses adapter model names, NOT underlying table names. If Prisma model is `User` mapping to table `users`, use `modelName: "user"` (Prisma reference), not `"users"`. + +--- + +## Session Management + +**Storage priority:** +1. If `secondaryStorage` defined → sessions go there (not DB) +2. Set `session.storeSessionInDatabase: true` to also persist to DB +3. No database + `cookieCache` → fully stateless mode + +**Cookie cache strategies:** +- `compact` (default) - Base64url + HMAC. Smallest. +- `jwt` - Standard JWT. Readable but signed. +- `jwe` - Encrypted. Maximum security. + +**Key options:** `session.expiresIn` (default 7 days), `session.updateAge` (refresh interval), `session.cookieCache.maxAge`, `session.cookieCache.version` (change to invalidate all sessions). + +--- + +## User & Account Config + +**User:** `user.modelName`, `user.fields` (column mapping), `user.additionalFields`, `user.changeEmail.enabled` (disabled by default), `user.deleteUser.enabled` (disabled by default). + +**Account:** `account.modelName`, `account.accountLinking.enabled`, `account.storeAccountCookie` (for stateless OAuth). + +**Required for registration:** `email` and `name` fields. + +--- + +## Email Flows + +- `emailVerification.sendVerificationEmail` - Must be defined for verification to work +- `emailVerification.sendOnSignUp` / `sendOnSignIn` - Auto-send triggers +- `emailAndPassword.sendResetPassword` - Password reset email handler + +--- + +## Security + +**In `advanced`:** +- `useSecureCookies` - Force HTTPS cookies +- `disableCSRFCheck` - ⚠️ Security risk +- `disableOriginCheck` - ⚠️ Security risk +- `crossSubDomainCookies.enabled` - Share cookies across subdomains +- `ipAddress.ipAddressHeaders` - Custom IP headers for proxies +- `database.generateId` - Custom ID generation or `"serial"`/`"uuid"`/`false` + +**Rate limiting:** `rateLimit.enabled`, `rateLimit.window`, `rateLimit.max`, `rateLimit.storage` ("memory" | "database" | "secondary-storage"). + +--- + +## Hooks + +**Endpoint hooks:** `hooks.before` / `hooks.after` - Array of `{ matcher, handler }`. Use `createAuthMiddleware`. Access `ctx.path`, `ctx.context.returned` (after), `ctx.context.session`. + +**Database hooks:** `databaseHooks.user.create.before/after`, same for `session`, `account`. Useful for adding default values or post-creation actions. + +**Hook context (`ctx.context`):** `session`, `secret`, `authCookies`, `password.hash()`/`verify()`, `adapter`, `internalAdapter`, `generateId()`, `tables`, `baseURL`. + +--- + +## Plugins + +**Import from dedicated paths for tree-shaking:** +``` +import { twoFactor } from "better-auth/plugins/two-factor" +``` +NOT `from "better-auth/plugins"`. + +**Popular plugins:** `twoFactor`, `organization`, `passkey`, `magicLink`, `emailOtp`, `username`, `phoneNumber`, `admin`, `apiKey`, `bearer`, `jwt`, `multiSession`, `sso`, `oauthProvider`, `oidcProvider`, `openAPI`, `genericOAuth`. + +Client plugins go in `createAuthClient({ plugins: [...] })`. + +--- + +## Client + +Import from: `better-auth/client` (vanilla), `better-auth/react`, `better-auth/vue`, `better-auth/svelte`, `better-auth/solid`. + +Key methods: `signUp.email()`, `signIn.email()`, `signIn.social()`, `signOut()`, `useSession()`, `getSession()`, `revokeSession()`, `revokeSessions()`. + +--- + +## Type Safety + +Infer types: `typeof auth.$Infer.Session`, `typeof auth.$Infer.Session.user`. + +For separate client/server projects: `createAuthClient()`. + +--- + +## Common Gotchas + +1. **Model vs table name** - Config uses ORM model name, not DB table name +2. **Plugin schema** - Re-run CLI after adding plugins +3. **Secondary storage** - Sessions go there by default, not DB +4. **Cookie cache** - Custom session fields NOT cached, always re-fetched +5. **Stateless mode** - No DB = session in cookie only, logout on cache expiry +6. **Change email flow** - Sends to current email first, then new email + +--- + +## Resources + +- [Docs](https://better-auth.com/docs) +- [Options Reference](https://better-auth.com/docs/reference/options) +- [LLMs.txt](https://better-auth.com/llms.txt) +- [GitHub](https://github.com/better-auth/better-auth) +- [Init Options Source](https://github.com/better-auth/better-auth/blob/main/packages/core/src/types/init-options.ts) \ No newline at end of file diff --git a/.agents/skills/better-auth-security-best-practices/SKILL.MD b/.agents/skills/better-auth-security-best-practices/SKILL.MD new file mode 100644 index 0000000..11249c5 --- /dev/null +++ b/.agents/skills/better-auth-security-best-practices/SKILL.MD @@ -0,0 +1,644 @@ +--- +name: better-auth-security-best-practices +description: This skill provides guidance for implementing security features that span across Better Auth, including rate limiting, CSRF protection, session security, trusted origins, secret management, OAuth security, IP tracking, and security auditing. These topics are not covered in individual plugin skills. +--- + +## Secret Management + +The auth secret is the foundation of Better Auth's security. It's used for signing session tokens, encrypting sensitive data, and generating secure cookies. + +### Configuring the Secret + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + secret: process.env.BETTER_AUTH_SECRET, // or via `BETTER_AUTH_SECRET` env +}); +``` + +Better Auth looks for secrets in this order: +1. `options.secret` in your config +2. `BETTER_AUTH_SECRET` environment variable +3. `AUTH_SECRET` environment variable + +### Secret Requirements + +Better Auth validates your secret and will: +- **Reject** default/placeholder secrets in production +- **Warn** if the secret is shorter than 32 characters +- **Warn** if entropy is below 120 bits + +Generate a secure secret: + +```bash +openssl rand -base64 32 +``` + +**Important**: Never commit secrets to version control. Use environment variables or a secrets manager. + +## Rate Limiting + +Rate limiting protects your authentication endpoints from brute-force attacks and abuse. +By default, rate limiting is enabled in production but disabled in development. To explicitly enable it, set `rateLimit.enabled` to `true` in your auth config. +Better Auth applies rate limiting to all endpoints by default. + +Each plugin can optionally have it's own configuration to adjust rate-limit rules for a given endpoint. + +### Default Configuration + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + rateLimit: { + enabled: true, // Default: true in production + window: 10, // Time window in seconds (default: 10) + max: 100, // Max requests per window (default: 100) + }, +}); +``` + +### Storage Options + +Configure where rate limit counters are stored: + +```ts +rateLimit: { + storage: "database", // Options: "memory", "database", "secondary-storage" +} +``` + +- **`memory`**: Fast, but resets on server restart (default when no secondary storage) +- **`database`**: Persistent, but adds database load +- **`secondary-storage`**: Uses configured secondary storage like Redis (default when available) + +**Note**: It is not recommended to use `memory` especially on serverless platforms. + +### Custom Storage + +Implement your own rate limit storage: + +```ts +rateLimit: { + customStorage: { + get: async (key) => { + // Return { count: number, expiresAt: number } or null + }, + set: async (key, data) => { + // Store the rate limit data + }, + }, +} +``` + +### Per-Endpoint Rules + +Better Auth applies stricter limits to sensitive endpoints by default: +- `/sign-in`, `/sign-up`, `/change-password`, `/change-email`: 3 requests per 10 seconds + +Override or customize rules for specific paths: + +```ts +rateLimit: { + customRules: { + "/api/auth/sign-in/email": { + window: 60, // 1 minute window + max: 5, // 5 attempts + }, + "/api/auth/some-safe-endpoint": false, // Disable rate limiting + }, +} +``` + +## CSRF Protection + +Better Auth implements multiple layers of CSRF protection to prevent cross-site request forgery attacks. + +### How CSRF Protection Works + +1. **Origin Header Validation**: When cookies are present, the `Origin` or `Referer` header must match a trusted origin +2. **Fetch Metadata**: Uses `Sec-Fetch-Site`, `Sec-Fetch-Mode`, and `Sec-Fetch-Dest` headers to detect cross-site requests +3. **First-Login Protection**: Even without cookies, validates origin when Fetch Metadata indicates a cross-site navigation + +### Configuration + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + advanced: { + disableCSRFCheck: false, // Default: false (keep enabled) + }, +}); +``` + +**Warning**: Only disable CSRF protection for testing or if you have an alternative CSRF mechanism in place. + +### Fetch Metadata Blocking + +Better Auth automatically blocks requests where: +- `Sec-Fetch-Site: cross-site` AND +- `Sec-Fetch-Mode: navigate` AND +- `Sec-Fetch-Dest: document` + +This prevents form-based CSRF attacks even on first login when no session cookie exists. + +## Trusted Origins + +Trusted origins control which domains can make authenticated requests to your Better Auth instance. This protects against open redirect attacks and cross-origin abuse. + +### Configuring Trusted Origins + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + baseURL: "https://api.example.com", + trustedOrigins: [ + "https://app.example.com", + "https://admin.example.com", + ], +}); +``` + +**Note**: The `baseURL` origin is automatically trusted. + +### Environment Variable + +Set trusted origins via environment variable (comma-separated): + +```bash +BETTER_AUTH_TRUSTED_ORIGINS=https://app.example.com,https://admin.example.com +``` + +### Wildcard Patterns + +Support for subdomain wildcards: + +```ts +trustedOrigins: [ + "*.example.com", // Matches any subdomain + "https://*.example.com", // Protocol-specific wildcard + "exp://192.168.*.*:*/*", // Custom schemes (e.g., Expo) +] +``` + +### Dynamic Trusted Origins + +Compute trusted origins based on the request: + +```ts +trustedOrigins: async (request) => { + // Validate against database, header, etc. + const tenant = getTenantFromRequest(request); + return [`https://${tenant}.myapp.com`]; +} +``` + +### What Gets Validated + +Better Auth validates these URL parameters against trusted origins: +- `callbackURL` - Where to redirect after authentication +- `redirectTo` - General redirect parameter +- `errorCallbackURL` - Where to redirect on errors +- `newUserCallbackURL` - Where to redirect new users +- `origin` - Request origin header +- and more... + +Invalid URLs receive a 403 Forbidden response. + +## Session Security + +Sessions control how long users stay authenticated and how session data is secured. + +### Session Expiration + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + session: { + expiresIn: 60 * 60 * 24 * 7, // 7 days (default) + updateAge: 60 * 60 * 24, // Refresh session every 24 hours (default) + }, +}); +``` + +### Fresh Sessions for Sensitive Actions + +The `freshAge` setting defines how recently a user must have authenticated to perform sensitive operations: + +```ts +session: { + freshAge: 60 * 60 * 24, // 24 hours (default) +} +``` + +Use this to require re-authentication for actions like changing passwords or viewing sensitive data. + +### Session Caching Strategies + +Cache session data in cookies to reduce database queries: + +```ts +session: { + cookieCache: { + enabled: true, + maxAge: 60 * 5, // 5 minutes + strategy: "compact", // Options: "compact", "jwt", "jwe" + }, +} +``` + +- **`compact`**: Base64url + HMAC-SHA256 (smallest, signed) +- **`jwt`**: HS256 JWT (standard, signed) +- **`jwe`**: A256CBC-HS512 encrypted (largest, encrypted) + +**Note**: Use `jwe` strategy when session data contains sensitive information that shouldn't be readable client-side. + + +## Cookie Security + +Better Auth uses secure cookie defaults but allows customization for specific deployment scenarios. + +### Default Cookie Settings + +- **`secure`**: `true` when baseURL uses HTTPS or in production +- **`sameSite`**: `"lax"` (prevents CSRF while allowing normal navigation) +- **`httpOnly`**: `true` (prevents JavaScript access) +- **`path`**: `"/"` (available site-wide) +- **Prefix**: `__Secure-` when secure is enabled + +### Custom Cookie Configuration + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + advanced: { + useSecureCookies: true, // Force secure cookies + cookiePrefix: "myapp", // Custom prefix (default: "better-auth") + defaultCookieAttributes: { + sameSite: "strict", // Stricter CSRF protection + path: "/auth", // Limit cookie scope + }, + }, +}); +``` + +### Per-Cookie Configuration + +Customize specific cookies: + +```ts +advanced: { + cookies: { + session_token: { + name: "auth-session", + attributes: { + sameSite: "strict", + }, + }, + }, +} +``` + +### Cross-Subdomain Cookies + +Share authentication across subdomains: + +```ts +advanced: { + crossSubDomainCookies: { + enabled: true, + domain: ".example.com", // Note the leading dot + additionalCookies: ["session_token", "session_data"], + }, +} +``` + +**Security Note**: Cross-subdomain cookies expand the attack surface. Only enable if you need authentication sharing and trust all subdomains. + +## OAuth / Social Provider Security + +When using social login providers, Better Auth implements industry-standard security measures. + +### PKCE (Proof Key for Code Exchange) + +Better Auth automatically uses PKCE for all OAuth flows: + +1. Generates a 128-character random `code_verifier` +2. Creates a `code_challenge` using S256 (SHA-256) +3. Sends `code_challenge_method: "S256"` in the authorization URL +4. Validates the code exchange with the original verifier + +This prevents authorization code interception attacks. + +### State Parameter Security + +The state parameter prevents CSRF attacks on OAuth callbacks: + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + account: { + storeStateStrategy: "cookie", // Options: "cookie" (default), "database" + }, +}); +``` + +State tokens: +- Are 32-character random strings +- Expire after 10 minutes +- Contain callback URLs and PKCE verifier (encrypted) + +### Encrypting OAuth Tokens + +Encrypt stored access and refresh tokens in the database: + +```ts +account: { + encryptOAuthTokens: true, // Uses AES-256-GCM +} +``` + +**Recommendation**: Enable this if you store OAuth tokens for API access on behalf of users. + +### Skipping State Cookie Check + +For mobile apps or specific OAuth flows where cookies aren't available: + +```ts +account: { + skipStateCookieCheck: true, // Not recommended for web apps +} +``` + +**Warning**: Only use this for mobile apps that cannot maintain cookies across redirects. + +## IP-Based Security + +Better Auth tracks IP addresses for rate limiting and session security. + +### IP Address Configuration + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + advanced: { + ipAddress: { + ipAddressHeaders: ["x-forwarded-for", "x-real-ip"], // Headers to check + disableIpTracking: false, // Keep enabled for rate limiting + }, + }, +}); +``` + +### IPv6 Subnet Configuration + +For rate limiting, IPv6 addresses can be grouped by subnet: + +```ts +advanced: { + ipAddress: { + ipv6Subnet: 64, // Options: 128, 64, 48, 32 (default: 64) + }, +} +``` + +Smaller values group more addresses together, which is useful when users share IPv6 prefixes. + +### Trusted Proxy Headers + +When behind a reverse proxy, enable trusted headers: + +```ts +advanced: { + trustedProxyHeaders: true, // Trust x-forwarded-host, x-forwarded-proto +} +``` + +**Security Note**: Only enable this if you trust your proxy. Malicious clients could spoof these headers otherwise. + +## Database Hooks for Security Auditing + +Use database hooks to implement security auditing and monitoring. + +### Setting Up Audit Logging + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + databaseHooks: { + session: { + create: { + after: async ({ data, ctx }) => { + await auditLog("session.created", { + userId: data.userId, + ip: ctx?.request?.headers.get("x-forwarded-for"), + userAgent: ctx?.request?.headers.get("user-agent"), + }); + }, + }, + delete: { + before: async ({ data }) => { + await auditLog("session.revoked", { sessionId: data.id }); + }, + }, + }, + user: { + update: { + after: async ({ data, oldData }) => { + if (oldData?.email !== data.email) { + await auditLog("user.email_changed", { + userId: data.id, + oldEmail: oldData?.email, + newEmail: data.email, + }); + } + }, + }, + }, + account: { + create: { + after: async ({ data }) => { + await auditLog("account.linked", { + userId: data.userId, + provider: data.providerId, + }); + }, + }, + }, + }, +}); +``` + +### Blocking Operations + +Return `false` from a `before` hook to prevent an operation: + +```ts +databaseHooks: { + user: { + delete: { + before: async ({ data }) => { + // Prevent deletion of protected users + if (protectedUserIds.includes(data.id)) { + return false; + } + }, + }, + }, +} +``` + +## Background Tasks for Timing Attack Prevention + +Sensitive operations should complete in constant time to prevent timing attacks. + +### Configuring Background Tasks + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + advanced: { + backgroundTasks: { + handler: (promise) => { + // Platform-specific handler + // Vercel: waitUntil(promise) + // Cloudflare: ctx.waitUntil(promise) + waitUntil(promise); + }, + }, + }, +}); +``` + +This ensures operations like sending emails don't affect response timing, which could leak information about whether a user exists. + +## Account Enumeration Prevention + +Better Auth implements several measures to prevent attackers from discovering valid accounts. + +### Built-in Protections + +1. **Consistent Response Messages**: Password reset always returns "If this email exists in our system, check your email for the reset link" +2. **Dummy Operations**: When a user isn't found, Better Auth still performs token generation and database lookups with dummy values +3. **Background Email Sending**: Emails are sent asynchronously to prevent timing differences + +### Additional Recommendations + +For sign-up and sign-in endpoints, consider: + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + emailAndPassword: { + enabled: true, + // Generic error messages (implement in your error handling) + }, +}); +``` + +Return generic error messages like "Invalid credentials" rather than "User not found" or "Incorrect password". + +## Complete Security Configuration Example + +```ts +import { betterAuth } from "better-auth"; + +export const auth = betterAuth({ + secret: process.env.BETTER_AUTH_SECRET, + baseURL: "https://api.example.com", + trustedOrigins: [ + "https://app.example.com", + "https://*.preview.example.com", + ], + + // Rate limiting + rateLimit: { + enabled: true, + storage: "secondary-storage", + customRules: { + "/api/auth/sign-in/email": { window: 60, max: 5 }, + "/api/auth/sign-up/email": { window: 60, max: 3 }, + }, + }, + + // Session security + session: { + expiresIn: 60 * 60 * 24 * 7, // 7 days + updateAge: 60 * 60 * 24, // 24 hours + freshAge: 60 * 60, // 1 hour for sensitive actions + cookieCache: { + enabled: true, + maxAge: 300, + strategy: "jwe", // Encrypted session data + }, + }, + + // OAuth security + account: { + encryptOAuthTokens: true, + storeStateStrategy: "cookie", + }, + + + // Advanced settings + advanced: { + useSecureCookies: true, + cookiePrefix: "myapp", + defaultCookieAttributes: { + sameSite: "lax", + }, + ipAddress: { + ipAddressHeaders: ["x-forwarded-for"], + ipv6Subnet: 64, + }, + backgroundTasks: { + handler: (promise) => waitUntil(promise), + }, + }, + + // Security auditing + databaseHooks: { + session: { + create: { + after: async ({ data, ctx }) => { + console.log(`New session for user ${data.userId}`); + }, + }, + }, + user: { + update: { + after: async ({ data, oldData }) => { + if (oldData?.email !== data.email) { + console.log(`Email changed for user ${data.id}`); + } + }, + }, + }, + }, +}); +``` + +## Security Checklist + +Before deploying to production: + +- [ ] **Secret**: Use a strong, unique secret (32+ characters, high entropy) +- [ ] **HTTPS**: Ensure `baseURL` uses HTTPS +- [ ] **Trusted Origins**: Configure all valid origins (frontend, mobile apps) +- [ ] **Rate Limiting**: Keep enabled with appropriate limits +- [ ] **CSRF Protection**: Keep enabled (`disableCSRFCheck: false`) +- [ ] **Secure Cookies**: Enabled automatically with HTTPS +- [ ] **OAuth Tokens**: Consider `encryptOAuthTokens: true` if storing tokens +- [ ] **Background Tasks**: Configure for serverless platforms +- [ ] **Audit Logging**: Implement via `databaseHooks` or `hooks` +- [ ] **IP Tracking**: Configure headers if behind a proxy diff --git a/.agents/skills/create-auth-skill/SKILL.md b/.agents/skills/create-auth-skill/SKILL.md new file mode 100644 index 0000000..c99f6dd --- /dev/null +++ b/.agents/skills/create-auth-skill/SKILL.md @@ -0,0 +1,321 @@ +--- +name: create-auth-skill +description: Skill for creating auth layers in TypeScript/JavaScript apps using Better Auth. +--- + +# Create Auth Skill + +Guide for adding authentication to TypeScript/JavaScript applications using Better Auth. + +**For code examples and syntax, see [better-auth.com/docs](https://better-auth.com/docs).** + +--- + +## Phase 1: Planning (REQUIRED before implementation) + +Before writing any code, gather requirements by scanning the project and asking the user structured questions. This ensures the implementation matches their needs. + +### Step 1: Scan the project + +Analyze the codebase to auto-detect: +- **Framework** — Look for `next.config`, `svelte.config`, `nuxt.config`, `astro.config`, `vite.config`, or Express/Hono entry files. +- **Database/ORM** — Look for `prisma/schema.prisma`, `drizzle.config`, `package.json` deps (`pg`, `mysql2`, `better-sqlite3`, `mongoose`, `mongodb`). +- **Existing auth** — Look for existing auth libraries (`next-auth`, `lucia`, `clerk`, `supabase/auth`, `firebase/auth`) in `package.json` or imports. +- **Package manager** — Check for `pnpm-lock.yaml`, `yarn.lock`, `bun.lockb`, or `package-lock.json`. + +Use what you find to pre-fill defaults and skip questions you can already answer. + +### Step 2: Ask planning questions + +Use the `AskQuestion` tool to ask the user **all applicable questions in a single call**. Skip any question you already have a confident answer for from the scan. Group them under a title like "Auth Setup Planning". + +**Questions to ask:** + +1. **Project type** (skip if detected) + - Prompt: "What type of project is this?" + - Options: New project from scratch | Adding auth to existing project | Migrating from another auth library + +2. **Framework** (skip if detected) + - Prompt: "Which framework are you using?" + - Options: Next.js (App Router) | Next.js (Pages Router) | SvelteKit | Nuxt | Astro | Express | Hono | SolidStart | Other + +3. **Database & ORM** (skip if detected) + - Prompt: "Which database setup will you use?" + - Options: PostgreSQL (Prisma) | PostgreSQL (Drizzle) | PostgreSQL (pg driver) | MySQL (Prisma) | MySQL (Drizzle) | MySQL (mysql2 driver) | SQLite (Prisma) | SQLite (Drizzle) | SQLite (better-sqlite3 driver) | MongoDB (Mongoose) | MongoDB (native driver) + +4. **Authentication methods** (always ask, allow multiple) + - Prompt: "Which sign-in methods do you need?" + - Options: Email & password | Social OAuth (Google, GitHub, etc.) | Magic link (passwordless email) | Passkey (WebAuthn) | Phone number + - `allow_multiple: true` + +5. **Social providers** (only if they selected Social OAuth above — ask in a follow-up call) + - Prompt: "Which social providers do you need?" + - Options: Google | GitHub | Apple | Microsoft | Discord | Twitter/X + - `allow_multiple: true` + +6. **Email verification** (only if Email & password was selected above — ask in a follow-up call) + - Prompt: "Do you want to require email verification?" + - Options: Yes | No + +7. **Email provider** (only if email verification is Yes, or if Password reset is selected in features — ask in a follow-up call) + - Prompt: "How do you want to send emails?" + - Options: Resend | Mock it for now (console.log) + +8. **Features & plugins** (always ask, allow multiple) + - Prompt: "Which additional features do you need?" + - Options: Two-factor authentication (2FA) | Organizations / teams | Admin dashboard | API bearer tokens | Password reset | None of these + - `allow_multiple: true` + +9. **Auth pages** (always ask, allow multiple — pre-select based on earlier answers) + - Prompt: "Which auth pages do you need?" + - Options vary based on previous answers: + - Always available: Sign in | Sign up + - If Email & password selected: Forgot password | Reset password + - If email verification enabled: Email verification + - `allow_multiple: true` + +10. **Auth UI style** (always ask) + - Prompt: "What style do you want for the auth pages? Pick one or describe your own." + - Options: Minimal & clean | Centered card with background | Split layout (form + hero image) | Floating / glassmorphism | Other (I'll describe) + +### Step 3: Summarize the plan + +After collecting answers, present a concise implementation plan as a markdown checklist. Example: + +``` +## Auth Implementation Plan + +- **Framework:** Next.js (App Router) +- **Database:** PostgreSQL via Prisma +- **Auth methods:** Email/password, Google OAuth, GitHub OAuth +- **Plugins:** 2FA, Organizations, Email verification +- **UI:** Custom forms + +### Steps +1. Install `better-auth` and `@better-auth/cli` +2. Create `lib/auth.ts` with server config +3. Create `lib/auth-client.ts` with React client +4. Set up route handler at `app/api/auth/[...all]/route.ts` +5. Configure Prisma adapter and generate schema +6. Add Google & GitHub OAuth providers +7. Enable `twoFactor` and `organization` plugins +8. Set up email verification handler +9. Run migrations +10. Create sign-in / sign-up pages +``` + +Ask the user to confirm the plan before proceeding to Phase 2. + +--- + +## Phase 2: Implementation + +Only proceed here after the user confirms the plan from Phase 1. + +Follow the decision tree below, guided by the answers collected above. + +``` +Is this a new/empty project? +├─ YES → New project setup +│ 1. Install better-auth (+ scoped packages per plan) +│ 2. Create auth.ts with all planned config +│ 3. Create auth-client.ts with framework client +│ 4. Set up route handler +│ 5. Set up environment variables +│ 6. Run CLI migrate/generate +│ 7. Add plugins from plan +│ 8. Create auth UI pages +│ +├─ MIGRATING → Migration from existing auth +│ 1. Audit current auth for gaps +│ 2. Plan incremental migration +│ 3. Install better-auth alongside existing auth +│ 4. Migrate routes, then session logic, then UI +│ 5. Remove old auth library +│ 6. See migration guides in docs +│ +└─ ADDING → Add auth to existing project + 1. Analyze project structure + 2. Install better-auth + 3. Create auth config matching plan + 4. Add route handler + 5. Run schema migrations + 6. Integrate into existing pages + 7. Add planned plugins and features +``` + +At the end of implementation, guide users thoroughly on remaining next steps (e.g., setting up OAuth app credentials, deploying env vars, testing flows). + +--- + +## Installation + +**Core:** `npm install better-auth` + +**Scoped packages (as needed):** +| Package | Use case | +|---------|----------| +| `@better-auth/passkey` | WebAuthn/Passkey auth | +| `@better-auth/sso` | SAML/OIDC enterprise SSO | +| `@better-auth/stripe` | Stripe payments | +| `@better-auth/scim` | SCIM user provisioning | +| `@better-auth/expo` | React Native/Expo | + +--- + +## Environment Variables + +```env +BETTER_AUTH_SECRET=<32+ chars, generate with: openssl rand -base64 32> +BETTER_AUTH_URL=http://localhost:3000 +DATABASE_URL= +``` + +Add OAuth secrets as needed: `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET`, `GOOGLE_CLIENT_ID`, etc. + +--- + +## Server Config (auth.ts) + +**Location:** `lib/auth.ts` or `src/lib/auth.ts` + +**Minimal config needs:** +- `database` - Connection or adapter +- `emailAndPassword: { enabled: true }` - For email/password auth + +**Standard config adds:** +- `socialProviders` - OAuth providers (google, github, etc.) +- `emailVerification.sendVerificationEmail` - Email verification handler +- `emailAndPassword.sendResetPassword` - Password reset handler + +**Full config adds:** +- `plugins` - Array of feature plugins +- `session` - Expiry, cookie cache settings +- `account.accountLinking` - Multi-provider linking +- `rateLimit` - Rate limiting config + +**Export types:** `export type Session = typeof auth.$Infer.Session` + +--- + +## Client Config (auth-client.ts) + +**Import by framework:** +| Framework | Import | +|-----------|--------| +| React/Next.js | `better-auth/react` | +| Vue | `better-auth/vue` | +| Svelte | `better-auth/svelte` | +| Solid | `better-auth/solid` | +| Vanilla JS | `better-auth/client` | + +**Client plugins** go in `createAuthClient({ plugins: [...] })`. + +**Common exports:** `signIn`, `signUp`, `signOut`, `useSession`, `getSession` + +--- + +## Route Handler Setup + +| Framework | File | Handler | +|-----------|------|---------| +| Next.js App Router | `app/api/auth/[...all]/route.ts` | `toNextJsHandler(auth)` → export `{ GET, POST }` | +| Next.js Pages | `pages/api/auth/[...all].ts` | `toNextJsHandler(auth)` → default export | +| Express | Any file | `app.all("/api/auth/*", toNodeHandler(auth))` | +| SvelteKit | `src/hooks.server.ts` | `svelteKitHandler(auth)` | +| SolidStart | Route file | `solidStartHandler(auth)` | +| Hono | Route file | `auth.handler(c.req.raw)` | + +**Next.js Server Components:** Add `nextCookies()` plugin to auth config. + +--- + +## Database Migrations + +| Adapter | Command | +|---------|---------| +| Built-in Kysely | `npx @better-auth/cli@latest migrate` (applies directly) | +| Prisma | `npx @better-auth/cli@latest generate --output prisma/schema.prisma` then `npx prisma migrate dev` | +| Drizzle | `npx @better-auth/cli@latest generate --output src/db/auth-schema.ts` then `npx drizzle-kit push` | + +**Re-run after adding plugins.** + +--- + +## Database Adapters + +| Database | Setup | +|----------|-------| +| SQLite | Pass `better-sqlite3` or `bun:sqlite` instance directly | +| PostgreSQL | Pass `pg.Pool` instance directly | +| MySQL | Pass `mysql2` pool directly | +| Prisma | `prismaAdapter(prisma, { provider: "postgresql" })` from `better-auth/adapters/prisma` | +| Drizzle | `drizzleAdapter(db, { provider: "pg" })` from `better-auth/adapters/drizzle` | +| MongoDB | `mongodbAdapter(db)` from `better-auth/adapters/mongodb` | + +--- + +## Common Plugins + +| Plugin | Server Import | Client Import | Purpose | +|--------|---------------|---------------|---------| +| `twoFactor` | `better-auth/plugins` | `twoFactorClient` | 2FA with TOTP/OTP | +| `organization` | `better-auth/plugins` | `organizationClient` | Teams/orgs | +| `admin` | `better-auth/plugins` | `adminClient` | User management | +| `bearer` | `better-auth/plugins` | - | API token auth | +| `openAPI` | `better-auth/plugins` | - | API docs | +| `passkey` | `@better-auth/passkey` | `passkeyClient` | WebAuthn | +| `sso` | `@better-auth/sso` | - | Enterprise SSO | + +**Plugin pattern:** Server plugin + client plugin + run migrations. + +--- + +## Auth UI Implementation + +**Sign in flow:** +1. `signIn.email({ email, password })` or `signIn.social({ provider, callbackURL })` +2. Handle `error` in response +3. Redirect on success + +**Session check (client):** `useSession()` hook returns `{ data: session, isPending }` + +**Session check (server):** `auth.api.getSession({ headers: await headers() })` + +**Protected routes:** Check session, redirect to `/sign-in` if null. + +--- + +## Security Checklist + +- [ ] `BETTER_AUTH_SECRET` set (32+ chars) +- [ ] `advanced.useSecureCookies: true` in production +- [ ] `trustedOrigins` configured +- [ ] Rate limits enabled +- [ ] Email verification enabled +- [ ] Password reset implemented +- [ ] 2FA for sensitive apps +- [ ] CSRF protection NOT disabled +- [ ] `account.accountLinking` reviewed + +--- + +## Troubleshooting + +| Issue | Fix | +|-------|-----| +| "Secret not set" | Add `BETTER_AUTH_SECRET` env var | +| "Invalid Origin" | Add domain to `trustedOrigins` | +| Cookies not setting | Check `baseURL` matches domain; enable secure cookies in prod | +| OAuth callback errors | Verify redirect URIs in provider dashboard | +| Type errors after adding plugin | Re-run CLI generate/migrate | + +--- + +## Resources + +- [Docs](https://better-auth.com/docs) +- [Examples](https://github.com/better-auth/examples) +- [Plugins](https://better-auth.com/docs/concepts/plugins) +- [CLI](https://better-auth.com/docs/concepts/cli) +- [Migration Guides](https://better-auth.com/docs/guides) diff --git a/.agents/skills/email-and-password-best-practices/SKILL.md b/.agents/skills/email-and-password-best-practices/SKILL.md new file mode 100644 index 0000000..285f8a9 --- /dev/null +++ b/.agents/skills/email-and-password-best-practices/SKILL.md @@ -0,0 +1,224 @@ +--- +name: email-and-password-best-practices +description: This skill provides guidance and enforcement rules for implementing secure email and password authentication using Better Auth. +--- + +## Email Verification Setup + +When enabling email/password authentication, configure `emailVerification.sendVerificationEmail` to verify user email addresses. This helps prevent fake sign-ups and ensures users have access to the email they registered with. + +```ts +import { betterAuth } from "better-auth"; +import { sendEmail } from "./email"; // your email sending function + +export const auth = betterAuth({ + emailVerification: { + sendVerificationEmail: async ({ user, url, token }, request) => { + await sendEmail({ + to: user.email, + subject: "Verify your email address", + text: `Click the link to verify your email: ${url}`, + }); + }, + }, +}); +``` + +**Note**: The `url` parameter contains the full verification link. The `token` is available if you need to build a custom verification URL. + +### Requiring Email Verification + +For stricter security, enable `emailAndPassword.requireEmailVerification` to block sign-in until the user verifies their email. When enabled, unverified users will receive a new verification email on each sign-in attempt. + +```ts +export const auth = betterAuth({ + emailAndPassword: { + requireEmailVerification: true, + }, +}); +``` + +**Note**: This requires `sendVerificationEmail` to be configured and only applies to email/password sign-ins. + +## Client side validation + +While Better Auth validates inputs server-side, implementing client-side validation is still recommended for two key reasons: + +1. **Improved UX**: Users receive immediate feedback when inputs don't meet requirements, rather than waiting for a server round-trip. +2. **Reduced server load**: Invalid requests are caught early, minimizing unnecessary network traffic to your auth server. + +## Callback URLs + +Always use absolute URLs (including the origin) for callback URLs in sign-up and sign-in requests. This prevents Better Auth from needing to infer the origin, which can cause issues when your backend and frontend are on different domains. + +```ts +const { data, error } = await authClient.signUp.email({ + callbackURL: "https://example.com/callback", // absolute URL with origin +}); +``` + +## Password Reset Flows + +Password reset flows are essential to any email/password system, we recommend setting this up. + +To allow users to reset a password first you need to provide `sendResetPassword` function to the email and password authenticator. + +```ts +import { betterAuth } from "better-auth"; +import { sendEmail } from "./email"; // your email sending function + +export const auth = betterAuth({ + emailAndPassword: { + enabled: true, + // Custom email sending function to send reset-password email + sendResetPassword: async ({ user, url, token }, request) => { + void sendEmail({ + to: user.email, + subject: "Reset your password", + text: `Click the link to reset your password: ${url}`, + }); + }, + // Optional event hook + onPasswordReset: async ({ user }, request) => { + // your logic here + console.log(`Password for user ${user.email} has been reset.`); + }, + }, +}); +``` + +### Security considerations + +Better Auth implements several security measures in the password reset flow: + +#### Timing attack prevention + +- **Background email sending**: Better Auth uses `runInBackgroundOrAwait` internally to send reset emails without blocking the response. This prevents attackers from measuring response times to determine if an email exists. +- **Dummy operations on invalid requests**: When a user is not found, Better Auth still performs token generation and a database lookup (with a dummy value) to maintain consistent response times. +- **Constant response message**: The API always returns `"If this email exists in our system, check your email for the reset link"` regardless of whether the user exists. + +On serverless platforms, configure a background task handler to ensure emails are sent reliably: + +```ts +export const auth = betterAuth({ + advanced: { + backgroundTasks: { + handler: (promise) => { + // Use platform-specific methods like waitUntil + waitUntil(promise); + }, + }, + }, +}); +``` + +#### Token security + +- **Cryptographically random tokens**: Reset tokens are generated using `generateId(24)`, producing a 24-character alphanumeric string (a-z, A-Z, 0-9) with high entropy. +- **Token expiration**: Tokens expire after **1 hour** by default. Configure with `resetPasswordTokenExpiresIn` (in seconds): + +```ts +export const auth = betterAuth({ + emailAndPassword: { + enabled: true, + resetPasswordTokenExpiresIn: 60 * 30, // 30 minutes + }, +}); +``` + +- **Single-use tokens**: Tokens are deleted immediately after successful password reset, preventing reuse. + +#### Session revocation + +Enable `revokeSessionsOnPasswordReset` to invalidate all existing sessions when a password is reset. This ensures that if an attacker has an active session, it will be terminated: + +```ts +export const auth = betterAuth({ + emailAndPassword: { + enabled: true, + revokeSessionsOnPasswordReset: true, + }, +}); +``` + +#### Redirect URL validation + +The `redirectTo` parameter is validated against your `trustedOrigins` configuration to prevent open redirect attacks. Malicious redirect URLs will be rejected with a 403 error. + +#### Password requirements + +During password reset, the new password must meet length requirements: +- **Minimum**: 8 characters (default), configurable via `minPasswordLength` +- **Maximum**: 128 characters (default), configurable via `maxPasswordLength` + +```ts +export const auth = betterAuth({ + emailAndPassword: { + enabled: true, + minPasswordLength: 12, + maxPasswordLength: 256, + }, +}); +``` + +### Sending the password reset + +Once the password reset configurations are set-up, you can now call the `requestPasswordReset` function to send reset password link to user. If the user exists, it will trigger the `sendResetPassword` function you provided in the auth config. + +```ts +const data = await auth.api.requestPasswordReset({ + body: { + email: "john.doe@example.com", // required + redirectTo: "https://example.com/reset-password", + }, +}); +``` + +Or authClient: + +```ts +const { data, error } = await authClient.requestPasswordReset({ + email: "john.doe@example.com", // required + redirectTo: "https://example.com/reset-password", +}); +``` + +**Note**: While the `email` is required, we also recommend configuring the `redirectTo` for a smoother user experience. + +## Password Hashing + +Better Auth uses `scrypt` by default for password hashing. This is a solid choice because: + +- It's designed to be slow and memory-intensive, making brute-force attacks costly +- It's natively supported by Node.js (no external dependencies) +- OWASP recommends it when Argon2id isn't available + +### Custom Hashing Algorithm + +To use a different algorithm (e.g., Argon2id), provide custom `hash` and `verify` functions in the `emailAndPassword.password` configuration: + +```ts +import { betterAuth } from "better-auth"; +import { hash, verify, type Options } from "@node-rs/argon2"; + +const argon2Options: Options = { + memoryCost: 65536, // 64 MiB + timeCost: 3, // 3 iterations + parallelism: 4, // 4 parallel lanes + outputLen: 32, // 32 byte output + algorithm: 2, // Argon2id variant +}; + +export const auth = betterAuth({ + emailAndPassword: { + enabled: true, + password: { + hash: (password) => hash(password, argon2Options), + verify: ({ password, hash: storedHash }) => + verify(storedHash, password, argon2Options), + }, + }, +}); +``` + +**Note**: If you switch hashing algorithms on an existing system, users with passwords hashed using the old algorithm won't be able to sign in. Plan a migration strategy if needed. diff --git a/.agents/skills/git-commit/SKILL.md b/.agents/skills/git-commit/SKILL.md new file mode 100644 index 0000000..c35f13b --- /dev/null +++ b/.agents/skills/git-commit/SKILL.md @@ -0,0 +1,124 @@ +--- +name: git-commit +description: 'Execute git commit with conventional commit message analysis, intelligent staging, and message generation. Use when user asks to commit changes, create a git commit, or mentions "/commit". Supports: (1) Auto-detecting type and scope from changes, (2) Generating conventional commit messages from diff, (3) Interactive commit with optional type/scope/description overrides, (4) Intelligent file staging for logical grouping' +license: MIT +allowed-tools: Bash +--- + +# Git Commit with Conventional Commits + +## Overview + +Create standardized, semantic git commits using the Conventional Commits specification. Analyze the actual diff to determine appropriate type, scope, and message. + +## Conventional Commit Format + +``` +[optional scope]: + +[optional body] + +[optional footer(s)] +``` + +## Commit Types + +| Type | Purpose | +| ---------- | ------------------------------ | +| `feat` | New feature | +| `fix` | Bug fix | +| `docs` | Documentation only | +| `style` | Formatting/style (no logic) | +| `refactor` | Code refactor (no feature/fix) | +| `perf` | Performance improvement | +| `test` | Add/update tests | +| `build` | Build system/dependencies | +| `ci` | CI/config changes | +| `chore` | Maintenance/misc | +| `revert` | Revert commit | + +## Breaking Changes + +``` +# Exclamation mark after type/scope +feat!: remove deprecated endpoint + +# BREAKING CHANGE footer +feat: allow config to extend other configs + +BREAKING CHANGE: `extends` key behavior changed +``` + +## Workflow + +### 1. Analyze Diff + +```bash +# If files are staged, use staged diff +git diff --staged + +# If nothing staged, use working tree diff +git diff + +# Also check status +git status --porcelain +``` + +### 2. Stage Files (if needed) + +If nothing is staged or you want to group changes differently: + +```bash +# Stage specific files +git add path/to/file1 path/to/file2 + +# Stage by pattern +git add *.test.* +git add src/components/* + +# Interactive staging +git add -p +``` + +**Never commit secrets** (.env, credentials.json, private keys). + +### 3. Generate Commit Message + +Analyze the diff to determine: + +- **Type**: What kind of change is this? +- **Scope**: What area/module is affected? +- **Description**: One-line summary of what changed (present tense, imperative mood, <72 chars) + +### 4. Execute Commit + +```bash +# Single line +git commit -m "[scope]: " + +# Multi-line with body/footer +git commit -m "$(cat <<'EOF' +[scope]: + + + + +EOF +)" +``` + +## Best Practices + +- One logical change per commit +- Present tense: "add" not "added" +- Imperative mood: "fix bug" not "fixes bug" +- Reference issues: `Closes #123`, `Refs #456` +- Keep description under 72 characters + +## Git Safety Protocol + +- NEVER update git config +- NEVER run destructive commands (--force, hard reset) without explicit request +- NEVER skip hooks (--no-verify) unless user asks +- NEVER force push to main/master +- If commit fails due to hooks, fix and create NEW commit (don't amend) diff --git a/.agents/skills/organization-best-practices/SKILL.md b/.agents/skills/organization-best-practices/SKILL.md new file mode 100644 index 0000000..c032018 --- /dev/null +++ b/.agents/skills/organization-best-practices/SKILL.md @@ -0,0 +1,586 @@ +--- +name: organization-best-practices +description: This skill provides guidance and enforcement rules for implementing multi-tenant organizations, teams, and role-based access control using Better Auth's organization plugin. +--- + +## Setting Up Organizations + +When adding organizations to your application, configure the `organization` plugin with appropriate limits and permissions. + +```ts +import { betterAuth } from "better-auth"; +import { organization } from "better-auth/plugins"; + +export const auth = betterAuth({ + plugins: [ + organization({ + allowUserToCreateOrganization: true, + organizationLimit: 5, // Max orgs per user + membershipLimit: 100, // Max members per org + }), + ], +}); +``` + +**Note**: After adding the plugin, run `npx @better-auth/cli migrate` to add the required database tables. + +### Client-Side Setup + +Add the client plugin to access organization methods: + +```ts +import { createAuthClient } from "better-auth/client"; +import { organizationClient } from "better-auth/client/plugins"; + +export const authClient = createAuthClient({ + plugins: [organizationClient()], +}); +``` + +## Creating Organizations + +Organizations are the top-level entity for grouping users. When created, the creator is automatically assigned the `owner` role. + +```ts +const createOrg = async () => { + const { data, error } = await authClient.organization.create({ + name: "My Company", + slug: "my-company", + logo: "https://example.com/logo.png", + metadata: { plan: "pro" }, + }); +}; +``` + +### Controlling Organization Creation + +Restrict who can create organizations based on user attributes: + +```ts +organization({ + allowUserToCreateOrganization: async (user) => { + return user.emailVerified === true; + }, + organizationLimit: async (user) => { + // Premium users get more organizations + return user.plan === "premium" ? 20 : 3; + }, +}); +``` + +### Creating Organizations on Behalf of Users + +Administrators can create organizations for other users (server-side only): + +```ts +await auth.api.createOrganization({ + body: { + name: "Client Organization", + slug: "client-org", + userId: "user-id-who-will-be-owner", // `userId` is required + }, +}); +``` + +**Note**: The `userId` parameter cannot be used alongside session headers. + + +## Active Organizations + +The active organization is stored in the session and scopes subsequent API calls. Always set an active organization after the user selects one. + +```ts +const setActive = async (organizationId: string) => { + const { data, error } = await authClient.organization.setActive({ + organizationId, + }); +}; +``` + +Many endpoints use the active organization when `organizationId` is not provided: + +```ts +// These use the active organization automatically +await authClient.organization.listMembers(); +await authClient.organization.listInvitations(); +await authClient.organization.inviteMember({ email: "user@example.com", role: "member" }); +``` + +### Getting Full Organization Data + +Retrieve the active organization with all its members, invitations, and teams: + +```ts +const { data } = await authClient.organization.getFullOrganization(); +// data.organization, data.members, data.invitations, data.teams +``` + +## Members + +Members are users who belong to an organization. Each member has a role that determines their permissions. + +### Adding Members (Server-Side) + +Add members directly without invitations (useful for admin operations): + +```ts +await auth.api.addMember({ + body: { + userId: "user-id", + role: "member", + organizationId: "org-id", + }, +}); +``` + +**Note**: For client-side member additions, use the invitation system instead. + +### Assigning Multiple Roles + +Members can have multiple roles for fine-grained permissions: + +```ts +await auth.api.addMember({ + body: { + userId: "user-id", + role: ["admin", "moderator"], + organizationId: "org-id", + }, +}); +``` + +### Removing Members + +Remove members by ID or email: + +```ts +await authClient.organization.removeMember({ + memberIdOrEmail: "user@example.com", +}); +``` + +**Important**: The last owner cannot be removed. Assign the owner role to another member first. + +### Updating Member Roles + +```ts +await authClient.organization.updateMemberRole({ + memberId: "member-id", + role: "admin", +}); +``` + +### Membership Limits + +Control the maximum number of members per organization: + +```ts +organization({ + membershipLimit: async (user, organization) => { + if (organization.metadata?.plan === "enterprise") { + return 1000; + } + return 50; + }, +}); +``` + +## Invitations + +The invitation system allows admins to invite users via email. Configure email sending to enable invitations. + +### Setting Up Invitation Emails + +```ts +import { betterAuth } from "better-auth"; +import { organization } from "better-auth/plugins"; +import { sendEmail } from "./email"; + +export const auth = betterAuth({ + plugins: [ + organization({ + sendInvitationEmail: async (data) => { + const { email, organization, inviter, invitation } = data; + + await sendEmail({ + to: email, + subject: `Join ${organization.name}`, + html: ` +

${inviter.user.name} invited you to join ${organization.name}

+ + Accept Invitation + + `, + }); + }, + }), + ], +}); +``` + +### Sending Invitations + +```ts +await authClient.organization.inviteMember({ + email: "newuser@example.com", + role: "member", +}); +``` + +### Creating Shareable Invitation URLs + +For sharing via Slack, SMS, or in-app notifications: + +```ts +const { data } = await authClient.organization.getInvitationURL({ + email: "newuser@example.com", + role: "member", + callbackURL: "https://yourapp.com/dashboard", +}); + +// Share data.url via any channel +``` + +**Note**: This endpoint does not call `sendInvitationEmail`. Handle delivery yourself. + +### Accepting Invitations + +```ts +await authClient.organization.acceptInvitation({ + invitationId: "invitation-id", +}); +``` + +### Invitation Configuration + +```ts +organization({ + invitationExpiresIn: 60 * 60 * 24 * 7, // 7 days (default: 48 hours) + invitationLimit: 100, // Max pending invitations per org + cancelPendingInvitationsOnReInvite: true, // Cancel old invites when re-inviting +}); +``` + +## Roles & Permissions + +The plugin provides role-based access control (RBAC) with three default roles: + +| Role | Description | +|------|-------------| +| `owner` | Full access, can delete organization | +| `admin` | Can manage members, invitations, settings | +| `member` | Basic access to organization resources | + + +### Checking Permissions + +```ts +const { data } = await authClient.organization.hasPermission({ + permission: "member:write", +}); + +if (data?.hasPermission) { + // User can manage members +} +``` + +### Client-Side Permission Checks + +For UI rendering without API calls: + +```ts +const canManageMembers = authClient.organization.checkRolePermission({ + role: "admin", + permissions: ["member:write"], +}); +``` + +**Note**: For dynamic access control, the client side role permission check will not work. Please use the `hasPermission` endpoint. + +## Teams + +Teams allow grouping members within an organization. + +### Enabling Teams + +```ts +import { organization } from "better-auth/plugins"; + +export const auth = betterAuth({ + plugins: [ + organization({ + teams: { + enabled: true + } + }), + ], +}); +``` + +### Creating Teams + +```ts +const { data } = await authClient.organization.createTeam({ + name: "Engineering", +}); +``` + +### Managing Team Members + +```ts +// Add a member to a team (must be org member first) +await authClient.organization.addTeamMember({ + teamId: "team-id", + userId: "user-id", +}); + +// Remove from team (stays in org) +await authClient.organization.removeTeamMember({ + teamId: "team-id", + userId: "user-id", +}); +``` + +### Active Teams + +Similar to active organizations, set an active team for the session: + +```ts +await authClient.organization.setActiveTeam({ + teamId: "team-id", +}); +``` + +### Team Limits + +```ts +organization({ + teams: { + maximumTeams: 20, // Max teams per org + maximumMembersPerTeam: 50, // Max members per team + allowRemovingAllTeams: false, // Prevent removing last team + } +}); +``` + +## Dynamic Access Control + +For applications needing custom roles per organization at runtime, enable dynamic access control. + +### Enabling Dynamic Access Control + +```ts +import { organization } from "better-auth/plugins"; +import { dynamicAccessControl } from "@better-auth/organization/addons"; + +export const auth = betterAuth({ + plugins: [ + organization({ + dynamicAccessControl: { + enabled: true + } + }), + ], +}); +``` + +### Creating Custom Roles + +```ts +await authClient.organization.createRole({ + role: "moderator", + permission: { + member: ["read"], + invitation: ["read"], + }, +}); +``` + +### Updating and Deleting Roles + +```ts +// Update role permissions +await authClient.organization.updateRole({ + roleId: "role-id", + permission: { + member: ["read", "write"], + }, +}); + +// Delete a custom role +await authClient.organization.deleteRole({ + roleId: "role-id", +}); +``` + +**Note**: Pre-defined roles (owner, admin, member) cannot be deleted. Roles assigned to members cannot be deleted until members are reassigned. + +## Lifecycle Hooks + +Execute custom logic at various points in the organization lifecycle: + +```ts +organization({ + hooks: { + organization: { + beforeCreate: async ({ data, user }) => { + // Validate or modify data before creation + return { + data: { + ...data, + metadata: { ...data.metadata, createdBy: user.id }, + }, + }; + }, + afterCreate: async ({ organization, member }) => { + // Post-creation logic (e.g., send welcome email, create default resources) + await createDefaultResources(organization.id); + }, + beforeDelete: async ({ organization }) => { + // Cleanup before deletion + await archiveOrganizationData(organization.id); + }, + }, + member: { + afterCreate: async ({ member, organization }) => { + await notifyAdmins(organization.id, `New member joined`); + }, + }, + invitation: { + afterCreate: async ({ invitation, organization, inviter }) => { + await logInvitation(invitation); + }, + }, + }, +}); +``` + +## Schema Customization + +Customize table names, field names, and add additional fields: + +```ts +organization({ + schema: { + organization: { + modelName: "workspace", // Rename table + fields: { + name: "workspaceName", // Rename fields + }, + additionalFields: { + billingId: { + type: "string", + required: false, + }, + }, + }, + member: { + additionalFields: { + department: { + type: "string", + required: false, + }, + title: { + type: "string", + required: false, + }, + }, + }, + }, +}); +``` + +## Security Considerations + +### Owner Protection + +- The last owner cannot be removed from an organization +- The last owner cannot leave the organization +- The owner role cannot be removed from the last owner + +Always ensure ownership transfer before removing the current owner: + +```ts +// Transfer ownership first +await authClient.organization.updateMemberRole({ + memberId: "new-owner-member-id", + role: "owner", +}); + +// Then the previous owner can be demoted or removed +``` + +### Organization Deletion + +Deleting an organization removes all associated data (members, invitations, teams). Prevent accidental deletion: + +```ts +organization({ + disableOrganizationDeletion: true, // Disable via config +}); +``` + +Or implement soft delete via hooks: + +```ts +organization({ + hooks: { + organization: { + beforeDelete: async ({ organization }) => { + // Archive instead of delete + await archiveOrganization(organization.id); + throw new Error("Organization archived, not deleted"); + }, + }, + }, +}); +``` + +### Invitation Security + +- Invitations expire after 48 hours by default +- Only the invited email address can accept an invitation +- Pending invitations can be cancelled by organization admins + +## Complete Configuration Example + +```ts +import { betterAuth } from "better-auth"; +import { organization } from "better-auth/plugins"; +import { sendEmail } from "./email"; + +export const auth = betterAuth({ + plugins: [ + organization({ + // Organization limits + allowUserToCreateOrganization: true, + organizationLimit: 10, + membershipLimit: 100, + creatorRole: "owner", + + // Slugs + defaultOrganizationIdField: "slug", + + // Invitations + invitationExpiresIn: 60 * 60 * 24 * 7, // 7 days + invitationLimit: 50, + sendInvitationEmail: async (data) => { + await sendEmail({ + to: data.email, + subject: `Join ${data.organization.name}`, + html: `Accept`, + }); + }, + + // Hooks + hooks: { + organization: { + afterCreate: async ({ organization }) => { + console.log(`Organization ${organization.name} created`); + }, + }, + }, + }), + ], +}); +``` diff --git a/.agents/skills/two-factor-authentication-best-practices/SKILL.md b/.agents/skills/two-factor-authentication-best-practices/SKILL.md new file mode 100644 index 0000000..d44f9a3 --- /dev/null +++ b/.agents/skills/two-factor-authentication-best-practices/SKILL.md @@ -0,0 +1,417 @@ +--- +name: two-factor-authentication-best-practices +description: This skill provides guidance and enforcement rules for implementing secure two-factor authentication (2FA) using Better Auth's twoFactor plugin. +--- + +## Setting Up Two-Factor Authentication + +When adding 2FA to your application, configure the `twoFactor` plugin with your app name as the issuer. This name appears in authenticator apps when users scan the QR code. + +```ts +import { betterAuth } from "better-auth"; +import { twoFactor } from "better-auth/plugins"; + +export const auth = betterAuth({ + appName: "My App", // Used as the default issuer for TOTP + plugins: [ + twoFactor({ + issuer: "My App", // Optional: override the app name for 2FA specifically + }), + ], +}); +``` + +**Note**: After adding the plugin, run `npx @better-auth/cli migrate` to add the required database fields and tables. + +### Client-Side Setup + +Add the client plugin and configure the redirect behavior for 2FA verification: + +```ts +import { createAuthClient } from "better-auth/client"; +import { twoFactorClient } from "better-auth/client/plugins"; + +export const authClient = createAuthClient({ + plugins: [ + twoFactorClient({ + onTwoFactorRedirect() { + window.location.href = "/2fa"; // Redirect to your 2FA verification page + }, + }), + ], +}); +``` + +## Enabling 2FA for Users + +When a user enables 2FA, require their password for verification. The enable endpoint returns a TOTP URI for QR code generation and backup codes for account recovery. + +```ts +const enable2FA = async (password: string) => { + const { data, error } = await authClient.twoFactor.enable({ + password, + }); + + if (data) { + // data.totpURI - Use this to generate a QR code + // data.backupCodes - Display these to the user for safekeeping + } +}; +``` + +**Important**: The `twoFactorEnabled` flag on the user is not set to `true` until the user successfully verifies their first TOTP code. This ensures users have properly configured their authenticator app before 2FA is fully active. + +### Skipping Initial Verification + +If you want to enable 2FA immediately without requiring verification, set `skipVerificationOnEnable`: + +```ts +twoFactor({ + skipVerificationOnEnable: true, // Not recommended for most use cases +}); +``` + +**Note**: This is generally not recommended as it doesn't confirm the user has successfully set up their authenticator app. + +## TOTP (Authenticator App) + +TOTP generates time-based codes using an authenticator app (Google Authenticator, Authy, etc.). Codes are valid for 30 seconds by default. + +### Displaying the QR Code + +Use the TOTP URI to generate a QR code for users to scan: + +```tsx +import QRCode from "react-qr-code"; + +const TotpSetup = ({ totpURI }: { totpURI: string }) => { + return ; +}; +``` + +### Verifying TOTP Codes + +Better Auth accepts codes from one period before and one after the current time, accommodating minor clock differences between devices: + +```ts +const verifyTotp = async (code: string) => { + const { data, error } = await authClient.twoFactor.verifyTotp({ + code, + trustDevice: true, // Optional: remember this device for 30 days + }); +}; +``` + +### TOTP Configuration Options + +```ts +twoFactor({ + totpOptions: { + digits: 6, // 6 or 8 digits (default: 6) + period: 30, // Code validity period in seconds (default: 30) + }, +}); +``` + +## OTP (Email/SMS) + +OTP sends a one-time code to the user's email or phone. You must implement the `sendOTP` function to deliver codes. + +### Configuring OTP Delivery + +```ts +import { betterAuth } from "better-auth"; +import { twoFactor } from "better-auth/plugins"; +import { sendEmail } from "./email"; + +export const auth = betterAuth({ + plugins: [ + twoFactor({ + otpOptions: { + sendOTP: async ({ user, otp }, ctx) => { + await sendEmail({ + to: user.email, + subject: "Your verification code", + text: `Your code is: ${otp}`, + }); + }, + period: 5, // Code validity in minutes (default: 3) + digits: 6, // Number of digits (default: 6) + allowedAttempts: 5, // Max verification attempts (default: 5) + }, + }), + ], +}); +``` + +### Sending and Verifying OTP + +```ts +// Request an OTP to be sent +const sendOtp = async () => { + const { data, error } = await authClient.twoFactor.sendOtp(); +}; + +// Verify the OTP code +const verifyOtp = async (code: string) => { + const { data, error } = await authClient.twoFactor.verifyOtp({ + code, + trustDevice: true, + }); +}; +``` + +### OTP Storage Security + +Configure how OTP codes are stored in the database: + +```ts +twoFactor({ + otpOptions: { + storeOTP: "encrypted", // Options: "plain", "encrypted", "hashed" + }, +}); +``` + +For custom encryption: + +```ts +twoFactor({ + otpOptions: { + storeOTP: { + encrypt: async (token) => myEncrypt(token), + decrypt: async (token) => myDecrypt(token), + }, + }, +}); +``` + +## Backup Codes + +Backup codes provide account recovery when users lose access to their authenticator app or phone. They are generated automatically when 2FA is enabled. + +### Displaying Backup Codes + +Always show backup codes to users when they enable 2FA: + +```tsx +const BackupCodes = ({ codes }: { codes: string[] }) => { + return ( +
+

Save these codes in a secure location:

+
    + {codes.map((code, i) => ( +
  • {code}
    • + ))} +
+
+ ); +}; +``` + +### Regenerating Backup Codes + +When users need new codes, regenerate them (this invalidates all previous codes): + +```ts +const regenerateBackupCodes = async (password: string) => { + const { data, error } = await authClient.twoFactor.generateBackupCodes({ + password, + }); + // data.backupCodes contains the new codes +}; +``` + +### Using Backup Codes for Recovery + +```ts +const verifyBackupCode = async (code: string) => { + const { data, error } = await authClient.twoFactor.verifyBackupCode({ + code, + trustDevice: true, + }); +}; +``` + +**Note**: Each backup code can only be used once and is removed from the database after successful verification. + +### Backup Code Configuration + +```ts +twoFactor({ + backupCodeOptions: { + amount: 10, // Number of codes to generate (default: 10) + length: 10, // Length of each code (default: 10) + storeBackupCodes: "encrypted", // Options: "plain", "encrypted" + }, +}); +``` + +## Handling 2FA During Sign-In + +When a user with 2FA enabled signs in, the response includes `twoFactorRedirect: true`: + +```ts +const signIn = async (email: string, password: string) => { + const { data, error } = await authClient.signIn.email( + { + email, + password, + }, + { + onSuccess(context) { + if (context.data.twoFactorRedirect) { + // Redirect to 2FA verification page + window.location.href = "/2fa"; + } + }, + } + ); +}; +``` + +### Server-Side 2FA Detection + +When using `auth.api.signInEmail` on the server, check for 2FA redirect: + +```ts +const response = await auth.api.signInEmail({ + body: { + email: "user@example.com", + password: "password", + }, +}); + +if ("twoFactorRedirect" in response) { + // Handle 2FA verification +} +``` + +## Trusted Devices + +Trusted devices allow users to skip 2FA verification on subsequent sign-ins for a configurable period. + +### Enabling Trust on Verification + +Pass `trustDevice: true` when verifying 2FA: + +```ts +await authClient.twoFactor.verifyTotp({ + code: "123456", + trustDevice: true, +}); +``` + +### Configuring Trust Duration + +```ts +twoFactor({ + trustDeviceMaxAge: 30 * 24 * 60 * 60, // 30 days in seconds (default) +}); +``` + +**Note**: The trust period refreshes on each successful sign-in within the trust window. + +## Security Considerations + +### Session Management + +During the 2FA flow: + +1. User signs in with credentials +2. Session cookie is removed (not yet authenticated) +3. A temporary two-factor cookie is set (default: 10-minute expiration) +4. User verifies via TOTP, OTP, or backup code +5. Session cookie is created upon successful verification + +Configure the two-factor cookie expiration: + +```ts +twoFactor({ + twoFactorCookieMaxAge: 600, // 10 minutes in seconds (default) +}); +``` + +### Rate Limiting + +Better Auth applies built-in rate limiting to all 2FA endpoints (3 requests per 10 seconds). For OTP verification, additional attempt limiting is applied: + +```ts +twoFactor({ + otpOptions: { + allowedAttempts: 5, // Max attempts per OTP code (default: 5) + }, +}); +``` + +### Encryption at Rest + +- TOTP secrets are encrypted using symmetric encryption with your auth secret +- Backup codes are stored encrypted by default +- OTP codes can be configured for plain, encrypted, or hashed storage + +### Constant-Time Comparison + +Better Auth uses constant-time comparison for OTP verification to prevent timing attacks. + +### Credential Account Requirement + +Two-factor authentication can only be enabled for credential (email/password) accounts. For social accounts, it's assumed the provider already handles 2FA. + +## Disabling 2FA + +Allow users to disable 2FA with password confirmation: + +```ts +const disable2FA = async (password: string) => { + const { data, error } = await authClient.twoFactor.disable({ + password, + }); +}; +``` + +**Note**: When 2FA is disabled, trusted device records are revoked. + +## Complete Configuration Example + +```ts +import { betterAuth } from "better-auth"; +import { twoFactor } from "better-auth/plugins"; +import { sendEmail } from "./email"; + +export const auth = betterAuth({ + appName: "My App", + plugins: [ + twoFactor({ + // TOTP settings + issuer: "My App", + totpOptions: { + digits: 6, + period: 30, + }, + // OTP settings + otpOptions: { + sendOTP: async ({ user, otp }) => { + await sendEmail({ + to: user.email, + subject: "Your verification code", + text: `Your code is: ${otp}`, + }); + }, + period: 5, + allowedAttempts: 5, + storeOTP: "encrypted", + }, + // Backup code settings + backupCodeOptions: { + amount: 10, + length: 10, + storeBackupCodes: "encrypted", + }, + // Session settings + twoFactorCookieMaxAge: 600, // 10 minutes + trustDeviceMaxAge: 30 * 24 * 60 * 60, // 30 days + }), + ], +}); +``` diff --git a/.agents/skills/vercel-composition-patterns/AGENTS.md b/.agents/skills/vercel-composition-patterns/AGENTS.md new file mode 100644 index 0000000..558bf9a --- /dev/null +++ b/.agents/skills/vercel-composition-patterns/AGENTS.md @@ -0,0 +1,946 @@ +# React Composition Patterns + +**Version 1.0.0** +Engineering +January 2026 + +> **Note:** +> This document is mainly for agents and LLMs to follow when maintaining, +> generating, or refactoring React codebases using composition. Humans +> may also find it useful, but guidance here is optimized for automation +> and consistency by AI-assisted workflows. + +--- + +## Abstract + +Composition patterns for building flexible, maintainable React components. Avoid boolean prop proliferation by using compound components, lifting state, and composing internals. These patterns make codebases easier for both humans and AI agents to work with as they scale. + +--- + +## Table of Contents + +1. [Component Architecture](#1-component-architecture) — **HIGH** + - 1.1 [Avoid Boolean Prop Proliferation](#11-avoid-boolean-prop-proliferation) + - 1.2 [Use Compound Components](#12-use-compound-components) +2. [State Management](#2-state-management) — **MEDIUM** + - 2.1 [Decouple State Management from UI](#21-decouple-state-management-from-ui) + - 2.2 [Define Generic Context Interfaces for Dependency Injection](#22-define-generic-context-interfaces-for-dependency-injection) + - 2.3 [Lift State into Provider Components](#23-lift-state-into-provider-components) +3. [Implementation Patterns](#3-implementation-patterns) — **MEDIUM** + - 3.1 [Create Explicit Component Variants](#31-create-explicit-component-variants) + - 3.2 [Prefer Composing Children Over Render Props](#32-prefer-composing-children-over-render-props) +4. [React 19 APIs](#4-react-19-apis) — **MEDIUM** + - 4.1 [React 19 API Changes](#41-react-19-api-changes) + +--- + +## 1. Component Architecture + +**Impact: HIGH** + +Fundamental patterns for structuring components to avoid prop +proliferation and enable flexible composition. + +### 1.1 Avoid Boolean Prop Proliferation + +**Impact: CRITICAL (prevents unmaintainable component variants)** + +Don't add boolean props like `isThread`, `isEditing`, `isDMThread` to customize + +component behavior. Each boolean doubles possible states and creates + +unmaintainable conditional logic. Use composition instead. + +**Incorrect: boolean props create exponential complexity** + +```tsx +function Composer({ + onSubmit, + isThread, + channelId, + isDMThread, + dmId, + isEditing, + isForwarding, +}: Props) { + return ( +
+
+ + {isDMThread ? ( + + ) : isThread ? ( + + ) : null} + {isEditing ? ( + + ) : isForwarding ? ( + + ) : ( + + )} +