From 370b22960cc22e30dbd12fa24343b6ebec1bfecc Mon Sep 17 00:00:00 2001
From: Paperclip
Date: Fri, 27 Mar 2026 21:12:33 +0000
Subject: [PATCH] feat(api): add Better-Auth configuration (GRO-118)

Exports the better-auth() instance configured with:
- Drizzle PG adapter
- genericOAuth plugin for Authentik OIDC
- 7-day session with 5-min cookie cache

Co-Authored-By: Paperclip
---
apps/api/src/lib/auth.ts | 42 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 apps/api/src/lib/auth.ts

diff --git a/apps/api/src/lib/auth.ts b/apps/api/src/lib/auth.ts
new file mode 100644
index 0000000..a1f3a95
--- /dev/null
+++ b/apps/api/src/lib/auth.ts
@@ -0,0 +1,42 @@
+import { betterAuth } from "better-auth";
+import { drizzleAdapter } from "better-auth/adapters/drizzle";
+import { genericOAuth } from "better-auth/plugins";
+import { getDb } from "@groombook/db";
+
+const OIDC_ISSUER = process.env.OIDC_ISSUER;
+const OIDC_CLIENT_ID = process.env.OIDC_CLIENT_ID;
+const OIDC_CLIENT_SECRET = process.env.OIDC_CLIENT_SECRET;
+const BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET;
+const BETTER_AUTH_URL = process.env.BETTER_AUTH_URL ?? "http://localhost:3000";
+
+export const auth = betterAuth({
+ database: drizzleAdapter(getDb(), {
+ provider: "pg",
+ }),
+ secret: BETTER_AUTH_SECRET,
+ baseURL: BETTER_AUTH_URL,
+ plugins: [
+ genericOAuth({
+ config: [
+ {
+ providerId: "authentik",
+ clientId: OIDC_CLIENT_ID ?? "",
+ clientSecret: OIDC_CLIENT_SECRET ?? "",
+ discoveryUrl: OIDC_ISSUER
+ ? `${OIDC_ISSUER}/.well-known/openid-configuration`
+ : undefined,
+ scopes: ["openid", "profile", "email"],
+ },
+ ],
+ }),
+ ],
+ session: {
+ expiresIn: 60 * 60 * 24 * 7, // 7 days
+ updateAge: 60 * 60 * 24, // 1 day
+ cookieCache: {
+ enabled: true,
+ maxAge: 5 * 60, // 5 minutes
+ },
+ },
+ trustedOrigins: [process.env.CORS_ORIGIN ?? "http://localhost:5173"],
+});
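Review bot: The `?? ""` fallbacks on `clientId`/`clientSecret`, the `undefined` discovery URL and the unchecked `BETTER_AUTH_SECRET` let the module load with an empty or missing credential instead of failing at startup, so a missing environment variable surfaces only as a broken or weakly configured login flow. How better-auth treats an undefined `secret` is not visible in this file, so the configuration should not depend on the library catching it. The localhost defaults for `baseURL` and `trustedOrigins` have the same problem: with `BETTER_AUTH_URL` or `CORS_ORIGIN` unset in production they silently apply, so I would allow them only when `NODE_ENV` is not `production`. I would resolve the required variables through a helper that throws, as sketched below. Separately, `cookieCache` deserves a comment stating that a revoked session can still be accepted from the cached cookie for up to `maxAge` (5 minutes), so that trade-off is a recorded decision.

```typescript
function requireEnv(name: string): string {
  const value = process.env[name];
  if (!value) {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

const OIDC_ISSUER = requireEnv("OIDC_ISSUER");
const OIDC_CLIENT_ID = requireEnv("OIDC_CLIENT_ID");
const OIDC_CLIENT_SECRET = requireEnv("OIDC_CLIENT_SECRET");
const BETTER_AUTH_SECRET = requireEnv("BETTER_AUTH_SECRET");
// … unchanged: BETTER_AUTH_URL, betterAuth({ database, secret, baseURL, plugins: [genericOAuth({ config: [{ providerId …
          clientId: OIDC_CLIENT_ID,
          clientSecret: OIDC_CLIENT_SECRET,
          discoveryUrl: `${OIDC_ISSUER}/.well-known/openid-configuration`,
// … unchanged: scopes, session, trustedOrigins …
```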