# Better Auth Baseline

## Scope

This baseline activates Better Auth for the admin app with email/password login and Prisma-backed sessions.

Implemented in MVP0:

- Shared auth package: `@cms/auth`
- Admin auth API routes: `apps/admin/src/app/api/auth/[...all]/route.ts`
- Admin login page: `/login`
- Prisma auth models (`user`, `session`, `account`, `verification`)
- Registration toggle via `CMS_ADMIN_REGISTRATION_ENABLED`

## Environment

Required variables:

- `BETTER_AUTH_SECRET`
- `BETTER_AUTH_URL`
- `CMS_ADMIN_ORIGIN`
- `CMS_WEB_ORIGIN`
- `DATABASE_URL`

Optional:

- `CMS_ADMIN_REGISTRATION_ENABLED`
- `CMS_DEV_ROLE` (development-only middleware bypass)

## Notes

- Owner bootstrap, hidden support user, and owner invariant are tracked as upcoming MVP0 tasks in `TODO.md`.
- Email verification and forgot/reset password pipelines are tracked for MVP2.