feat(auth): add better-auth core wiring for admin and db

packages/auth/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "@cms/auth",
+  "version": "0.0.1",
+  "private": true,
+  "type": "module",
+  "exports": {
+    ".": "./src/index.ts",
+    "./server": "./src/server.ts"
+  },
+  "scripts": {
+    "lint": "biome check src",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  },
+  "dependencies": {
+    "@cms/content": "workspace:*",
+    "@cms/db": "workspace:*",
+    "better-auth": "^1.4.18"
+  },
+  "devDependencies": {
+    "@cms/config": "workspace:*",
+    "@biomejs/biome": "latest",
+    "@types/node": "latest",
+    "typescript": "latest"
+  }
+}

packages/auth/src/index.ts

@@ -0,0 +1,7 @@
+export {
+  type AuthSession,
+  auth,
+  authRouteHandlers,
+  isAdminRegistrationEnabled,
+  resolveRoleFromAuthSession,
+} from "./server"

packages/auth/src/server.ts

@@ -0,0 +1,84 @@
+import { normalizeRole, type Role } from "@cms/content/rbac"
+import { db } from "@cms/db"
+import { betterAuth } from "better-auth"
+import { prismaAdapter } from "better-auth/adapters/prisma"
+import { toNextJsHandler } from "better-auth/next-js"
+
+const FALLBACK_DEV_SECRET = "dev-only-change-me-for-production"
+
+const isProduction = process.env.NODE_ENV === "production"
+
+const adminOrigin = process.env.CMS_ADMIN_ORIGIN ?? "http://localhost:3001"
+const webOrigin = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
+
+function resolveAuthSecret(): string {
+  const value = process.env.BETTER_AUTH_SECRET
+
+  if (value) {
+    return value
+  }
+
+  if (isProduction) {
+    throw new Error("BETTER_AUTH_SECRET is required in production")
+  }
+
+  return FALLBACK_DEV_SECRET
+}
+
+export function isAdminRegistrationEnabled(): boolean {
+  const value = process.env.CMS_ADMIN_REGISTRATION_ENABLED
+
+  if (value === "true") {
+    return true
+  }
+
+  if (value === "false") {
+    return false
+  }
+
+  return !isProduction
+}
+
+export const auth = betterAuth({
+  appName: "CMS Admin",
+  baseURL: process.env.BETTER_AUTH_URL ?? adminOrigin,
+  secret: resolveAuthSecret(),
+  trustedOrigins: [adminOrigin, webOrigin],
+  database: prismaAdapter(db, {
+    provider: "postgresql",
+  }),
+  emailAndPassword: {
+    enabled: true,
+    disableSignUp: !isAdminRegistrationEnabled(),
+  },
+  user: {
+    additionalFields: {
+      role: {
+        type: "string",
+        required: true,
+        defaultValue: "editor",
+        input: false,
+      },
+      isBanned: {
+        type: "boolean",
+        required: true,
+        defaultValue: false,
+        input: false,
+      },
+    },
+  },
+})
+
+export const authRouteHandlers = toNextJsHandler(auth)
+
+export type AuthSession = typeof auth.$Infer.Session
+
+export function resolveRoleFromAuthSession(session: AuthSession | null | undefined): Role | null {
+  const sessionUserRole = session?.user?.role
+
+  if (typeof sessionUserRole !== "string") {
+    return null
+  }
+
+  return normalizeRole(sessionUserRole)
+}

packages/auth/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "@cms/config/tsconfig/base",
+  "compilerOptions": {
+    "noEmit": false,
+    "outDir": "dist"
+  },
+  "include": ["src/**/*.ts"]
+}