refactor(auth): localize admin auth and replace latest ranges

apps/admin/package.json

@@ -11,27 +11,27 @@
     "typecheck": "tsc -p tsconfig.json --noEmit"
   },
   "dependencies": {
-    "@cms/auth": "workspace:*",
     "@cms/content": "workspace:*",
     "@cms/db": "workspace:*",
     "@cms/ui": "workspace:*",
-    "@tanstack/react-form": "latest",
-    "@tanstack/react-query": "latest",
-    "@tanstack/react-query-devtools": "latest",
-    "@tanstack/react-table": "latest",
-    "next": "latest",
-    "react": "latest",
-    "react-dom": "latest",
-    "zustand": "latest"
+    "@tanstack/react-form": "1.28.0",
+    "@tanstack/react-query": "5.90.20",
+    "@tanstack/react-query-devtools": "5.91.3",
+    "@tanstack/react-table": "8.21.3",
+    "better-auth": "1.4.18",
+    "next": "16.1.6",
+    "react": "19.2.4",
+    "react-dom": "19.2.4",
+    "zustand": "5.0.11"
   },
   "devDependencies": {
     "@cms/config": "workspace:*",
-    "@biomejs/biome": "latest",
-    "@tailwindcss/postcss": "latest",
-    "@types/node": "latest",
-    "@types/react": "latest",
-    "@types/react-dom": "latest",
-    "tailwindcss": "latest",
-    "typescript": "latest"
+    "@biomejs/biome": "2.3.14",
+    "@tailwindcss/postcss": "4.1.18",
+    "@types/node": "25.2.2",
+    "@types/react": "19.2.13",
+    "@types/react-dom": "19.2.3",
+    "tailwindcss": "4.1.18",
+    "typescript": "5.9.3"
   }
 }

apps/admin/src/app/api/auth/[...all]/route.ts

@@ -1,3 +1,5 @@
-import { authRouteHandlers } from "@cms/auth/server"
+import { authRouteHandlers } from "@/lib/auth/server"
+
+export const runtime = "nodejs"
 
 export const { GET, POST, PATCH, PUT, DELETE } = authRouteHandlers

apps/admin/src/app/login/page.tsx

@@ -1,7 +1,7 @@
-import { isAdminRegistrationEnabled } from "@cms/auth/server"
 import { redirect } from "next/navigation"
 
 import { resolveRoleFromServerContext } from "@/lib/access-server"
+import { isAdminRegistrationEnabled } from "@/lib/auth/server"
 
 import { LoginForm } from "./login-form"
 

apps/admin/src/lib/access-server.ts

@@ -1,7 +1,9 @@
-import { auth, resolveRoleFromAuthSession } from "@cms/auth/server"
+import "server-only"
+
 import type { Role } from "@cms/content/rbac"
 import { cookies, headers } from "next/headers"
 
+import { auth, resolveRoleFromAuthSession } from "@/lib/auth/server"
 import { resolveDefaultRole, resolveRoleFromRawValue } from "./access"
 
 export async function resolveRoleFromServerContext(): Promise<Role | null> {

apps/admin/src/lib/auth/server.ts

@@ -0,0 +1,86 @@
+import "server-only"
+
+import { normalizeRole, type Role } from "@cms/content/rbac"
+import { db } from "@cms/db"
+import { betterAuth } from "better-auth"
+import { prismaAdapter } from "better-auth/adapters/prisma"
+import { toNextJsHandler } from "better-auth/next-js"
+
+const FALLBACK_DEV_SECRET = "dev-only-change-me-for-production"
+
+const isProduction = process.env.NODE_ENV === "production"
+
+const adminOrigin = process.env.CMS_ADMIN_ORIGIN ?? "http://localhost:3001"
+const webOrigin = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
+
+function resolveAuthSecret(): string {
+  const value = process.env.BETTER_AUTH_SECRET
+
+  if (value) {
+    return value
+  }
+
+  if (isProduction) {
+    throw new Error("BETTER_AUTH_SECRET is required in production")
+  }
+
+  return FALLBACK_DEV_SECRET
+}
+
+export function isAdminRegistrationEnabled(): boolean {
+  const value = process.env.CMS_ADMIN_REGISTRATION_ENABLED
+
+  if (value === "true") {
+    return true
+  }
+
+  if (value === "false") {
+    return false
+  }
+
+  return !isProduction
+}
+
+export const auth = betterAuth({
+  appName: "CMS Admin",
+  baseURL: process.env.BETTER_AUTH_URL ?? adminOrigin,
+  secret: resolveAuthSecret(),
+  trustedOrigins: [adminOrigin, webOrigin],
+  database: prismaAdapter(db, {
+    provider: "postgresql",
+  }),
+  emailAndPassword: {
+    enabled: true,
+    disableSignUp: !isAdminRegistrationEnabled(),
+  },
+  user: {
+    additionalFields: {
+      role: {
+        type: "string",
+        required: true,
+        defaultValue: "editor",
+        input: false,
+      },
+      isBanned: {
+        type: "boolean",
+        required: true,
+        defaultValue: false,
+        input: false,
+      },
+    },
+  },
+})
+
+export const authRouteHandlers = toNextJsHandler(auth)
+
+export type AuthSession = typeof auth.$Infer.Session
+
+export function resolveRoleFromAuthSession(session: AuthSession | null | undefined): Role | null {
+  const sessionUserRole = session?.user?.role
+
+  if (typeof sessionUserRole !== "string") {
+    return null
+  }
+
+  return normalizeRole(sessionUserRole)
+}

apps/web/package.json

@@ -14,21 +14,21 @@
     "@cms/content": "workspace:*",
     "@cms/db": "workspace:*",
     "@cms/ui": "workspace:*",
-    "@tanstack/react-query": "latest",
-    "@tanstack/react-query-devtools": "latest",
-    "next": "latest",
-    "react": "latest",
-    "react-dom": "latest",
-    "zustand": "latest"
+    "@tanstack/react-query": "5.90.20",
+    "@tanstack/react-query-devtools": "5.91.3",
+    "next": "16.1.6",
+    "react": "19.2.4",
+    "react-dom": "19.2.4",
+    "zustand": "5.0.11"
   },
   "devDependencies": {
     "@cms/config": "workspace:*",
-    "@biomejs/biome": "latest",
-    "@tailwindcss/postcss": "latest",
-    "@types/node": "latest",
-    "@types/react": "latest",
-    "@types/react-dom": "latest",
-    "tailwindcss": "latest",
-    "typescript": "latest"
+    "@biomejs/biome": "2.3.14",
+    "@tailwindcss/postcss": "4.1.18",
+    "@types/node": "25.2.2",
+    "@types/react": "19.2.13",
+    "@types/react-dom": "19.2.3",
+    "tailwindcss": "4.1.18",
+    "typescript": "5.9.3"
   }
 }