refactor(auth): localize admin auth and replace latest ranges

2026-02-10 12:49:59 +01:00
parent ba8abb3b1b
commit 24eca3e740
15 changed files with 81 additions and 132 deletions
--- a/apps/admin/src/lib/auth/server.ts
+++ b/apps/admin/src/lib/auth/server.ts
@@ -0,0 +1,86 @@
+import "server-only"
+
+import { normalizeRole, type Role } from "@cms/content/rbac"
+import { db } from "@cms/db"
+import { betterAuth } from "better-auth"
+import { prismaAdapter } from "better-auth/adapters/prisma"
+import { toNextJsHandler } from "better-auth/next-js"
+
+const FALLBACK_DEV_SECRET = "dev-only-change-me-for-production"
+
+const isProduction = process.env.NODE_ENV === "production"
+
+const adminOrigin = process.env.CMS_ADMIN_ORIGIN ?? "http://localhost:3001"
+const webOrigin = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
+
+function resolveAuthSecret(): string {
+  const value = process.env.BETTER_AUTH_SECRET
+
+  if (value) {
+    return value
+  }
+
+  if (isProduction) {
+    throw new Error("BETTER_AUTH_SECRET is required in production")
+  }
+
+  return FALLBACK_DEV_SECRET
+}
+
+export function isAdminRegistrationEnabled(): boolean {
+  const value = process.env.CMS_ADMIN_REGISTRATION_ENABLED
+
+  if (value === "true") {
+    return true
+  }
+
+  if (value === "false") {
+    return false
+  }
+
+  return !isProduction
+}
+
+export const auth = betterAuth({
+  appName: "CMS Admin",
+  baseURL: process.env.BETTER_AUTH_URL ?? adminOrigin,
+  secret: resolveAuthSecret(),
+  trustedOrigins: [adminOrigin, webOrigin],
+  database: prismaAdapter(db, {
+    provider: "postgresql",
+  }),
+  emailAndPassword: {
+    enabled: true,
+    disableSignUp: !isAdminRegistrationEnabled(),
+  },
+  user: {
+    additionalFields: {
+      role: {
+        type: "string",
+        required: true,
+        defaultValue: "editor",
+        input: false,
+      },
+      isBanned: {
+        type: "boolean",
+        required: true,
+        defaultValue: false,
+        input: false,
+      },
+    },
+  },
+})
+
+export const authRouteHandlers = toNextJsHandler(auth)
+
+export type AuthSession = typeof auth.$Infer.Session
+
+export function resolveRoleFromAuthSession(session: AuthSession | null | undefined): Role | null {
+  const sessionUserRole = session?.user?.role
+
+  if (typeof sessionUserRole !== "string") {
+    return null
+  }
+
+  return normalizeRole(sessionUserRole)
+}