fix(GRO-563): stabilize OAuth login - upgrade better-auth, fix service worker, add 503 handling

Phase 1 Better Auth stabilization: - Upgrade better-auth to ^1.5.6 in apps/web (matches api) - Switch OAuth state to cookie storage (BA v1.5+ requirement) - Remove manual redirectURI overrides - Exclude /api/auth/* from service worker caching - Add 503 error handling when auth not configured - Display login errors inline on login page - Update infra submodule with social auth env vars Closes GRO-563 Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-11 21:07:41 +00:00
parent 1d76c63137
commit 41dff6f0e2
8 changed files with 38 additions and 13 deletions
@@ -105,7 +105,13 @@ api.use("*", resolveStaffMiddleware);
 // Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
 // authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
 const authRouter = new Hono();
-authRouter.all("/*", (c) => getAuth().handler(c.req.raw));
+authRouter.all("/*", (c) => {
+  try {
+    return getAuth().handler(c.req.raw);
+  } catch {
+    return c.json({ error: "Authentication not configured" }, 503);
+  }
+});
 api.route("/auth", authRouter);

 // ── Role guards ────────────────────────────────────────────────────────────────
@@ -170,8 +170,6 @@ export async function initAuth(): Promise<void> {
    const hasGoogle = !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
    const hasGitHub = !!(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET);

-    const callbackBase = `${BETTER_AUTH_URL}/api/auth/callback`;
-
    // Build Better-Auth instance using resolved config
    authInstance = betterAuth({
      database: drizzleAdapter(db, {
@@ -179,6 +177,9 @@ export async function initAuth(): Promise<void> {
      }),
      secret: BETTER_AUTH_SECRET,
      baseURL: BETTER_AUTH_URL,
+      account: {
+        storeStateStrategy: "cookie" as const,
+      },
      plugins: [
        genericOAuth({
          config: [
@@ -205,14 +206,12 @@ export async function initAuth(): Promise<void> {
          google: {
            clientId: process.env.GOOGLE_CLIENT_ID!,
            clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
-            redirectURI: `${callbackBase}/google`,
          },
        } : {}),
        ...(hasGitHub ? {
          github: {
            clientId: process.env.GITHUB_CLIENT_ID!,
            clientSecret: process.env.GITHUB_CLIENT_SECRET!,
-            redirectURI: `${callbackBase}/github`,
          },
        } : {}),
      },
@@ -23,7 +23,6 @@ if (process.env.AUTH_DISABLED === "true") {
 }

 export const authMiddleware: MiddlewareHandler = async (c, next) => {
-  // Better-Auth's own routes handle their own auth (OAuth callbacks, session mgmt)
  if (c.req.path.startsWith("/api/auth/")) {
    await next();
    return;
@@ -37,7 +36,14 @@ export const authMiddleware: MiddlewareHandler = async (c, next) => {
    return;
  }

-  const session = await getAuth().api.getSession({
+  let auth;
+  try {
+    auth = getAuth();
+  } catch {
+    return c.json({ error: "Authentication not configured" }, 503);
+  }
+
+  const session = await auth.api.getSession({
    headers: c.req.raw.headers,
  });

@@ -15,7 +15,7 @@
  "dependencies": {
    "@groombook/types": "workspace:*",
    "@tailwindcss/vite": "^4.2.2",
-    "better-auth": "^1.0.0",
+    "better-auth": "^1.5.6",
    "lucide-react": "^0.577.0",
    "react": "^19.0.0",
    "react-dom": "^19.0.0",
@@ -23,17 +23,26 @@ import { useSession, signIn } from "./lib/auth-client.js";
 function LoginPage() {
  const [isLoading, setIsLoading] = useState(false);
  const [providers, setProviders] = useState<string[]>([]);
+  const [error, setError] = useState<string | null>(null);

  useEffect(() => {
    fetch("/api/auth/providers")
      .then((r) => r.json())
      .then((data) => setProviders(data.providers ?? []))
      .catch(() => setProviders([]));
+    const params = new URLSearchParams(window.location.search);
+    const authError = params.get("error");
+    if (authError) setError(authError.replace(/_/g, " "));
  }, []);

  const handleSocialLogin = async (provider: string) => {
    setIsLoading(true);
-    await signIn.social({ provider, callbackURL: window.location.origin });
+    setError(null);
+    const result = await signIn.social({ provider, callbackURL: window.location.origin });
+    if (result?.error) {
+      setError(result.error.message ?? "Sign-in failed");
+      setIsLoading(false);
+    }
  };

  const isGoogle = providers.includes("google");
@@ -65,6 +74,11 @@ function LoginPage() {
        <p style={{ color: "#6b7280", marginBottom: "1.5rem", fontSize: 14 }}>
          Sign in to continue
        </p>
+        {error && (
+          <div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 6, padding: "0.5rem 0.75rem", marginBottom: "1rem", color: "#991b1b", fontSize: 13 }}>
+            {error}
+          </div>
+        )}
        {isGoogle && (
          <button
            onClick={() => handleSocialLogin("google")}
@@ -41,11 +41,11 @@ export default defineConfig({
      workbox: {
        globPatterns: ["**/*.{js,css,html,ico,png,svg,woff2}"],
        navigateFallbackDenylist: [
-          /^\/api\/auth\/oauth2\/callback\//,
+          /^\/api\/auth\//,
        ],
        runtimeCaching: [
          {
-            urlPattern: /^http.*\/api\/.*/i,
+            urlPattern: /^http.*\/api\/(?!auth\/).*/i,
            handler: "NetworkFirst",
            options: {
              cacheName: "api-cache",
@@ -87,7 +87,7 @@ importers:
        specifier: ^4.2.2
        version: 4.2.2(vite@6.4.1(@types/node@22.19.15)(jiti@2.6.1)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
      better-auth:
-        specifier: ^1.0.0
+        specifier: ^1.5.6
        version: 1.5.6(@opentelemetry/api@1.9.1)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@3.2.4(@types/node@22.19.15)(jiti@2.6.1)(jsdom@26.1.0)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
      lucide-react:
        specifier: ^0.577.0