feat(website): replace auth-astro with better-auth

Dockerfile_website

@@ -3,7 +3,7 @@
 FROM node:24-alpine AS base
 WORKDIR /app
 
-COPY website/package.json website/package-lock.json website/patches ./
+COPY website/package.json website/package-lock.json ./
 
 FROM base AS prod-deps
 RUN npm clean-install --omit=dev

website/astro.config.mjs

@@ -1,12 +1,11 @@
 import { defineConfig } from 'astro/config';
 import react from '@astrojs/react';
 import node from '@astrojs/node';
-import auth from 'auth-astro';
 import tailwindcss from '@tailwindcss/vite';
 
 // https://astro.build/config
 export default defineConfig({
-    integrations: [react(), auth({ configFile: './src/auth.config' })],
+    integrations: [react()],
     output: 'server',
     adapter: node({
         mode: 'standalone',

website/package.json

@@ -14,7 +14,6 @@
         "check-types": "astro sync && tsc --noEmit",
         "check-astro": "astro check",
         "check-lint": "eslint .",
-        "postinstall": "patch-package",
         "test": "vitest",
         "test:node": "vitest --project node",
         "test:headed": "vitest --browser.headless false",
@@ -26,16 +25,14 @@
     },
     "dependencies": {
         "@astrojs/node": "^9.5.3",
-        "@auth/core": "^0.37.4",
         "@genspectrum/dashboard-components": "^1.17.0",
         "@tanstack/react-query": "^5.100.5",
         "astro": "^5.18.1",
-        "auth-astro": "^4.2.0",
         "axios": "^1.15.2",
+        "better-auth": "^1.6.9",
         "cookie": "^1.1.1",
         "dayjs": "^1.11.20",
         "katex": "^0.16.45",
-        "patch-package": "^8.0.1",
         "react": "^19.2.5",
         "react-dom": "^19.2.5",
         "react-katex": "^3.1.0",

website/src/auth.ts

@@ -0,0 +1,38 @@
+import { betterAuth } from 'better-auth';
+
+import { getGitHubClientId, getGitHubClientSecret } from './config';
+
+export const auth = betterAuth({
+    // TODO - maybe we can check again if this is read automatically? Should be, according to the docs.
+    secret: process.env.AUTH_SECRET,
+    session: {
+        cookieCache: {
+            enabled: true,
+            maxAge: 60 * 60,
+            strategy: 'jwe',
+        },
+    },
+    user: {
+        additionalFields: {
+            githubId: {
+                type: 'string',
+                input: false,
+            },
+        },
+    },
+    socialProviders: {
+        github: {
+            clientId: getGitHubClientId(),
+            clientSecret: getGitHubClientSecret(),
+            // store the GitHub user ID (i.e. 45882389) in the 'user' object,
+            // which is easy to access from context later on.
+            // the 'id' property cannot be overwritten.
+            // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-conversion -- profile.id is typed as string but GitHub returns a number at runtime; String() ensures it's always stored as a string for consistent ownership checks
+            mapProfileToUser: (profile) => ({ githubId: String(profile.id) }),
+        },
+    },
+    advanced: {
+        trustedProxyHeaders: true,
+        cookiePrefix: 'gen-spectrum',
+    },
+});

website/src/auth/logout.ts

@@ -1,11 +1,5 @@
-import { Auth, raw, skipCSRFCheck } from '@auth/core';
-import type { ResponseInternal } from '@auth/core/types';
-import authConfig from 'auth:config';
-
-export type LogoutResponse = Required<Pick<ResponseInternal, 'redirect' | 'cookies'>>;
+import { auth } from '../auth';
 
 export async function logout(request: Request) {
-    const url = new URL(`${authConfig.prefix}/signout`, request.url);
-    const authRequest = new Request(url, { headers: request.headers, method: 'POST' });
-    return (await Auth(authRequest, { ...authConfig, raw, skipCSRFCheck })) as LogoutResponse;
+    return auth.api.signOut({ headers: request.headers, asResponse: true });
 }

website/src/backendApi/backendProxy.ts

@@ -1,4 +1,4 @@
-import { getSession } from 'auth-astro/server';
+import type { APIContext } from 'astro';
 
 import { getBackendHost } from '../config.ts';
 import { getInstanceLogger } from '../logger.ts';
@@ -14,21 +14,21 @@ const API_PATHNAME_LENGTH = '/api'.length;
  * This proxying through the frontend server is used, so we do the user login handling
  * in here, instead of in the backend.
  */
-export async function proxyToBackend({ request }: { request: Request }): Promise<Response> {
-    const session = await getSession(request);
+export async function proxyToBackend(context: APIContext): Promise<Response> {
+    const userId = context.locals.user?.githubId;
 
-    if (session?.user?.id === undefined) {
-        return getUnauthorizedResponse(request.url);
+    if (userId === undefined) {
+        return getUnauthorizedResponse(context.request.url);
     }
 
-    return proxyRequest(request, session.user.id);
+    return proxyRequest(context.request, userId);
 }
 
 /**
  * Proxies the request to the backend without any user ID, regardless of login state.
  */
-export async function proxyToBackendNoAuth({ request }: { request: Request }): Promise<Response> {
-    return proxyRequest(request, undefined);
+export async function proxyToBackendNoAuth(context: APIContext): Promise<Response> {
+    return proxyRequest(context.request, undefined);
 }
 
 async function proxyRequest(request: Request, userId: string | undefined): Promise<Response> {

website/src/components/auth/LoginButton.tsx

@@ -1,10 +1,11 @@
-import { signIn } from 'auth-astro/client';
+import { createAuthClient } from 'better-auth/client';
 
 import { getClientLogger } from '../../clientLogger.ts';
 import { getErrorLogMessage } from '../../util/getErrorLogMessage.ts';
 import { useErrorToast } from '../ErrorReportInstruction.tsx';
 
 const logger = getClientLogger('LoginButton');
+const authClient = createAuthClient();
 
 export function LoginButton() {
     const { showErrorToast } = useErrorToast(logger);
@@ -13,13 +14,18 @@ export function LoginButton() {
         const callbackUrlThatDoesNotImmediatelyLogoutAgain = new URL(window.location.href).pathname.endsWith('/logout')
             ? new URL('/', window.location.href).toString()
             : undefined;
-        signIn('github', { callbackUrl: callbackUrlThatDoesNotImmediatelyLogoutAgain }).catch((error: unknown) => {
-            showErrorToast({
-                error: error instanceof Error ? error : new Error(String(error)),
-                logMessage: `Login failed: ${getErrorLogMessage(error)}`,
-                errorToastMessages: ['Login failed. Please try again.'],
+        authClient.signIn
+            .social({
+                provider: 'github',
+                callbackURL: callbackUrlThatDoesNotImmediatelyLogoutAgain,
+            })
+            .catch((error: unknown) => {
+                showErrorToast({
+                    error: error instanceof Error ? error : new Error(String(error)),
+                    logMessage: `Login failed: ${getErrorLogMessage(error)}`,
+                    errorToastMessages: ['Login failed. Please try again.'],
+                });
             });
-        });
     };
 
     return (

website/src/components/auth/LoginState.astro

@@ -1,6 +1,4 @@
 ---
-import { getSession } from 'auth-astro/server';
-
 import { LoginButton } from './LoginButton';
 import UserDropdown from './UserDropdown.astro';
 
@@ -10,13 +8,13 @@ interface Props {
 
 const { forceLoggedOutState = false } = Astro.props;
 
-const session = await getSession(Astro.request);
-const showLoggedInState = !forceLoggedOutState && session?.user !== undefined;
+const user = Astro.locals.user;
+const showLoggedInState = !forceLoggedOutState && user !== null;
 ---
 
 {
-    showLoggedInState ? (
-        <UserDropdown session={session} />
+    showLoggedInState && user ? (
+        <UserDropdown session={{ user }} />
     ) : (
         <div class='mr-2 font-bold'>
             <LoginButton client:load />

website/src/components/auth/UserDropdown.astro

@@ -1,10 +1,8 @@
 ---
-import type { Session } from '@auth/core/types';
-
 import { isStaging } from '../../config';
 
 interface Props {
-    session: Session;
+    session: { user: { name: string | null } };
 }
 
 const { session } = Astro.props;

website/src/env.d.ts

@@ -1,8 +1,16 @@
 /// <reference path="../.astro/types.d.ts" />
 /// <reference types="astro/client" />
-// declare module 'set-cookie-parser' is added, because tsc checks our dependency auth-astro/server,
-// which uses set-cookie-parser, and it doesn't have types.
-declare module 'set-cookie-parser';
+
+declare namespace App {
+    // Note: 'import {} from ""' syntax does not work in .d.ts files.
+    // We derive the User type from the auth config so that additionalFields (e.g. githubId) are included.
+    type AuthUser = NonNullable<Awaited<ReturnType<(typeof import('./auth').auth)['api']['getSession']>>>['user'];
+
+    interface Locals {
+        user: AuthUser | null;
+        session: import('better-auth').Session | null;
+    }
+}
 
 interface ImportMetaEnv {
     // eslint-disable-next-line @typescript-eslint/naming-convention

website/src/layouts/base/header/HamburgerMenu.astro

@@ -1,6 +1,4 @@
 ---
-import { getSession } from 'auth-astro/server';
-
 import HamburgerMenuItem from './HamburgerMenuItem.astro';
 import HamburgerMenuSection from './HamburgerMenuSection.astro';
 import { getPathogenMegaMenuSections } from './getPathogenMegaMenuSections';
@@ -16,8 +14,7 @@ const { forceLoggedOutState } = Astro.props;
 
 const pathogenMegaMenuSections = Object.values(getPathogenMegaMenuSections());
 
-const session = await getSession(Astro.request);
-const showLoggedInState = !forceLoggedOutState && session?.user !== undefined;
+const showLoggedInState = !forceLoggedOutState && Astro.locals.user !== null;
 const showSubscriptions = isStaging();
 ---
 
@@ -44,7 +41,7 @@ const showSubscriptions = isStaging();
             showLoggedInState ? (
                 <HamburgerMenuSection
                     navigationEntries={[
-                        { label: session.user?.name ?? 'My Account' },
+                        { label: Astro.locals.user?.name ?? 'My Account' },
                         ...(showSubscriptions ? [{ label: 'Subscriptions', href: '/subscriptions' }] : []),
                         { label: 'Logout', href: '/logout' },
                     ]}

website/src/middleware.ts

@@ -1,11 +1,11 @@
 import { sequence } from 'astro:middleware';
 
+import { authMiddleware } from './middleware/authMiddleware.ts';
 import { errorMiddleware } from './middleware/errorMiddleware.ts';
 import { loggingMiddleware } from './middleware/loggingMiddleware.ts';
 import setupDayjs from './util/setupDayjs.ts';
 
 // Workaround since Astro doesn't seem to support a global startup script for stuff that needs to be done exactly once
 setupDayjs();
 
-// Astro middleware
-export const onRequest = sequence(errorMiddleware, loggingMiddleware);
+export const onRequest = sequence(errorMiddleware, loggingMiddleware, authMiddleware);