groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(GRO-564): Better Auth Phase 2 Security Hardening #265

Merged
groombook-engineer[bot] merged 5 commits from feature/gro-564-better-auth-security-hardening into main 2026-04-11 23:07:37 +00:00
Conversation 2 Commits 5 Files Changed 4
+19 -7
5 changed files with 19 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 8002a3db96 - Show all commits
apps/api/src/index.ts
+7 -1
View File
@@ -105,7 +105,13 @@ api.use("*", resolveStaffMiddleware);
// Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
const authRouter = new Hono();
authRouter.all("/*", (c) => getAuth().handler(c.req.raw));
authRouter.all("/*", (c) => {
try {
return getAuth().handler(c.req.raw);
} catch {
return c.json({ error: "Authentication not configured" }, 503);
}
});
api.route("/auth", authRouter);
// ── Role guards ────────────────────────────────────────────────────────────────
apps/api/src/middleware/auth.ts
+8 -2
View File
@@ -23,7 +23,6 @@ if (process.env.AUTH_DISABLED === "true") {
}
export const authMiddleware: MiddlewareHandler = async (c, next) => {
// Better-Auth's own routes handle their own auth (OAuth callbacks, session mgmt)
if (c.req.path.startsWith("/api/auth/")) {
await next();
return;
@@ -37,7 +36,14 @@ export const authMiddleware: MiddlewareHandler = async (c, next) => {
return;
}
const session = await getAuth().api.getSession({
let auth;
try {
auth = getAuth();
} catch {
return c.json({ error: "Authentication not configured" }, 503);
}
const session = await auth.api.getSession({
headers: c.req.raw.headers,
});
apps/web/package.json
+1 -1
View File
@@ -15,7 +15,7 @@
"dependencies": {
"@groombook/types": "workspace:*",
"@tailwindcss/vite": "^4.2.2",
"better-auth": "^1.0.0",
"better-auth": "^1.5.6",
"lucide-react": "^0.577.0",
"react": "^19.0.0",
"react-dom": "^19.0.0",
apps/web/vite.config.ts
+2 -2
View File
@@ -41,11 +41,11 @@ export default defineConfig({
workbox: {
globPatterns: ["**/*.{js,css,html,ico,png,svg,woff2}"],
navigateFallbackDenylist: [
/^\/api\/auth\/oauth2\/callback\//,
/^\/api\/auth\//,
],
runtimeCaching: [
{
urlPattern: /^http.*\/api\/.*/i,
urlPattern: /^http.*\/api\/(?!auth\/).*/i,
handler: "NetworkFirst",
options: {
cacheName: "api-cache",
pnpm-lock.yaml
Generated
+1 -1
View File
@@ -87,7 +87,7 @@ importers:
specifier: ^4.2.2
version: 4.2.2(vite@6.4.1(@types/node@22.19.15)(jiti@2.6.1)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
better-auth:
specifier: ^1.0.0
specifier: ^1.5.6
version: 1.5.6(@opentelemetry/api@1.9.1)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@3.2.4(@types/node@22.19.15)(jiti@2.6.1)(jsdom@26.1.0)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
lucide-react:
specifier: ^0.577.0