refactor(auth): localize admin auth and replace latest ranges

apps/admin/src/app/api/auth/[...all]/route.ts

@@ -1,3 +1,5 @@
-import { authRouteHandlers } from "@cms/auth/server"
+import { authRouteHandlers } from "@/lib/auth/server"
+
+export const runtime = "nodejs"
 
 export const { GET, POST, PATCH, PUT, DELETE } = authRouteHandlers

apps/admin/src/app/login/page.tsx

@@ -1,7 +1,7 @@
-import { isAdminRegistrationEnabled } from "@cms/auth/server"
 import { redirect } from "next/navigation"
 
 import { resolveRoleFromServerContext } from "@/lib/access-server"
+import { isAdminRegistrationEnabled } from "@/lib/auth/server"
 
 import { LoginForm } from "./login-form"
 

apps/admin/src/lib/access-server.ts

@@ -1,7 +1,9 @@
-import { auth, resolveRoleFromAuthSession } from "@cms/auth/server"
+import "server-only"
+
 import type { Role } from "@cms/content/rbac"
 import { cookies, headers } from "next/headers"
 
+import { auth, resolveRoleFromAuthSession } from "@/lib/auth/server"
 import { resolveDefaultRole, resolveRoleFromRawValue } from "./access"
 
 export async function resolveRoleFromServerContext(): Promise<Role | null> {

apps/admin/src/lib/auth/server.ts

@@ -0,0 +1,86 @@
+import "server-only"
+
+import { normalizeRole, type Role } from "@cms/content/rbac"
+import { db } from "@cms/db"
+import { betterAuth } from "better-auth"
+import { prismaAdapter } from "better-auth/adapters/prisma"
+import { toNextJsHandler } from "better-auth/next-js"
+
+const FALLBACK_DEV_SECRET = "dev-only-change-me-for-production"
+
+const isProduction = process.env.NODE_ENV === "production"
+
+const adminOrigin = process.env.CMS_ADMIN_ORIGIN ?? "http://localhost:3001"
+const webOrigin = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
+
+function resolveAuthSecret(): string {
+  const value = process.env.BETTER_AUTH_SECRET
+
+  if (value) {
+    return value
+  }
+
+  if (isProduction) {
+    throw new Error("BETTER_AUTH_SECRET is required in production")
+  }
+
+  return FALLBACK_DEV_SECRET
+}
+
+export function isAdminRegistrationEnabled(): boolean {
+  const value = process.env.CMS_ADMIN_REGISTRATION_ENABLED
+
+  if (value === "true") {
+    return true
+  }
+
+  if (value === "false") {
+    return false
+  }
+
+  return !isProduction
+}
+
+export const auth = betterAuth({
+  appName: "CMS Admin",
+  baseURL: process.env.BETTER_AUTH_URL ?? adminOrigin,
+  secret: resolveAuthSecret(),
+  trustedOrigins: [adminOrigin, webOrigin],
+  database: prismaAdapter(db, {
+    provider: "postgresql",
+  }),
+  emailAndPassword: {
+    enabled: true,
+    disableSignUp: !isAdminRegistrationEnabled(),
+  },
+  user: {
+    additionalFields: {
+      role: {
+        type: "string",
+        required: true,
+        defaultValue: "editor",
+        input: false,
+      },
+      isBanned: {
+        type: "boolean",
+        required: true,
+        defaultValue: false,
+        input: false,
+      },
+    },
+  },
+})
+
+export const authRouteHandlers = toNextJsHandler(auth)
+
+export type AuthSession = typeof auth.$Infer.Session
+
+export function resolveRoleFromAuthSession(session: AuthSession | null | undefined): Role | null {
+  const sessionUserRole = session?.user?.role
+
+  if (typeof sessionUserRole !== "string") {
+    return null
+  }
+
+  return normalizeRole(sessionUserRole)
+}