A production-ready REST API built with Hono , Better Auth , and Drizzle ORM on the Bun runtime. Features a generic CRUD factory, role-based access control (RBAC), image uploads, two-factor authentication, and auto-generated OpenAPI documentation.
Layer
Technology
Runtime
Bun
Framework
Hono
Database
PostgreSQL 16
ORM
Drizzle ORM
Auth
Better Auth (email/password, admin plugin, 2FA)
Validation
Zod + zod-openapi
API Docs
hono-openapi + Swagger UI
Linting
Biome
Testing
Bun test runner
Containers
Docker / Docker Compose
Bun >= 1.0Docker & Docker Compose (for the database)
git clone < repo-url> && cd hono-basics
bun install Edit .env if you need to change ports, secrets, or database credentials. The defaults work out of the box with the Docker Compose setup.
docker compose up db -d --wait 4. Run migrations and seed bun run db:migrate
bun run db:seed The API is now running at http://localhost:3000
Alternative: Full Docker setup # Development (hot-reload)# Productionsrc/
index.ts # Entry point - middleware, routes, docs
app.ts # Hono app instance
assets/ # Generic asset/file tracking system
asset.service.ts # DB + filesystem operations
asset.routes.ts # Upload, update, delete, list routes
asset.schemas.ts # Zod response schemas
serialization.ts # Date serialization
crud/ # Generic CRUD factory
base-service.ts # Base service (filter, sort, paginate)
route-factory.ts # Route generator with OpenAPI
types.ts # CrudService, ResourceConfig types
filters.ts # Query filter builder
serialization.ts # Date serialization helpers
db/
schema/ # Drizzle table definitions
asset-schema.ts # asset (polymorphic file tracking)
auth-schema.ts # user, session, account, verification, twoFactor
rbac-schema.ts # role, permission, rolePermission
seed/
role-permission.seed.ts # Seeds 3 roles + 17 permissions
migrate.ts # Migration runner
images/ # Image upload system
image.routes.ts # Upload, update, delete (single + bulk)
image.service.ts # File system operations
image.schemas.ts # Zod response schemas
lib/
auth/
auth.ts # Better Auth config (plugins, hooks)
middleware.ts # sessionMiddleware, requireAuth, requirePermission
permissions.ts # Access control statements + role definitions
rbac.ts # RBAC utility functions
schemas.ts # Shared Zod schemas
db/
db.ts # Drizzle instance
env/
env.ts # Zod-validated env config
resources/ # Resource configurations
roles/
role.config.ts # ResourceConfig for roles
role.service.ts # Role service (with permission expansion)
role.schemas.ts # Zod schemas for roles
permissions/
permission.config.ts # ResourceConfig for permissions
permission.service.ts # Permission service
permission.schemas.ts # Zod schemas for permissions
routes/
main-routes.ts # GET /, GET /me
auth-docs.ts # OpenAPI docs for Better Auth endpoints
crud-registration.ts # Registers CRUD + asset routes
rbac-routes.ts # GET /api/rbac/me/permissions
tests/
setup.ts # Drops schema, runs migrations before tests
auth/ # Auth, RBAC, role-sync tests
crud/ # CRUD operation tests
assets/ # Asset upload/tracking tests
db/ # Migration tests
env/ # Environment validation tests
drizzle/ # SQL migration files
uploads/ # Uploaded files (gitignored in production)
Authentication (Better Auth)
Method
Path
Description
Auth
POST
/api/auth/sign-up/emailRegister a new user
-
POST
/api/auth/sign-in/emailLog in
-
POST
/api/auth/sign-outLog out
Cookie
GET
/api/auth/sessionGet current session
Cookie
GET
/api/auth/admin/list-usersList all users
Admin
POST
/api/auth/admin/set-roleChange a user's role
Admin
Method
Path
Description
Permission
GET
/api/roles/allList all roles
list-roles
GET
/api/rolesPaginated list (supports sort/filter)
list-roles
GET
/api/roles/:idGet role with permissions expanded
view-roles
POST
/api/rolesCreate role (with permissions)
create-roles
PUT
/api/roles/:idUpdate role
update-roles
DELETE
/api/roles/:idDelete role
delete-roles
POST
/api/roles/bulkBulk create
create-roles
PUT
/api/roles/bulkBulk update
update-roles
DELETE
/api/roles/bulkBulk delete
delete-roles
Method
Path
Description
Permission
GET
/api/permissions/allList all permissions
view-permissions
GET
/api/permissionsPaginated list
view-permissions
GET
/api/permissions/:idGet single permission
view-permissions
POST
/api/permissionsCreate permission
create-roles
PUT
/api/permissions/:idUpdate permission
update-roles
DELETE
/api/permissions/:idDelete permission
delete-roles
All uploaded files are tracked in the asset table with metadata (original name, MIME type, size) and a polymorphic relation to the parent resource. Assets are included in the GET /api/roles/:id response automatically.
Method
Path
Description
Permission
GET
/api/roles/:id/assetsList all assets for a role
view-roles
POST
/api/roles/:id/assetsUpload single file
update-roles
POST
/api/roles/:id/assets/bulkUpload multiple files
update-roles
PUT
/api/roles/:id/assets/:assetIdReplace a file
update-roles
DELETE
/api/roles/:id/assets/:assetIdDelete a single asset
update-roles
DELETE
/api/roles/:id/assetsDelete all assets for a role
update-roles
Deleting a role automatically cleans up all its assets (both DB records and files on disk).
Method
Path
Description
Auth
GET
/api/rbac/me/permissionsGet current user's role and permissions
Cookie
Method
Path
Description
Auth
GET
/Welcome message
-
GET
/meCurrent user profile + session
Cookie
GET
/docSwagger UI
-
GET
/openapi.jsonOpenAPI spec
-
Paginated endpoints (GET /api/{resource}) support:
Param
Example
Description
page1Page number (default: 1)
pageSize20Items per page (default: 20, max: 100)
sortBynameColumn to sort by (must be in sortableColumns)
sortDirasc or descSort direction (default: asc)
{column}groupName=usersExact match filter
{column}_likename_like=viewCase-insensitive partial match
Role
Description
Permissions
admin Full system access
All 17 permissions
moderator Can manage users and view system data
list-users, view-users, view-roles, view-permissions, view-dashboard, update-profile
user Standard user
view-dashboard, update-profile
Group
Permissions
users
list-users, view-users, create-users, update-users, delete-users, ban-users
roles
list-roles, view-roles, create-roles, update-roles, delete-roles, assign-roles
permissions
view-permissions
general
view-dashboard, manage-settings, update-profile, reset-password
New users are assigned the user role automatically on sign-up. The roleId foreign key is synced via a Better Auth database hook.
Variable
Description
Default
DB_URLPostgreSQL connection string
postgresql://postgres:postgres123@localhost:5433/hono_db
POSTGRES_USERDB username
postgres
POSTGRES_PASSWORDDB password
postgres123
POSTGRES_DBDatabase name
hono_db
POSTGRES_PORTDB host port
5433
APP_PORTApplication port
3000
APP_KEYApplication secret key
-
NODE_ENVEnvironment
development
BETTER_AUTH_SECRETAuth signing secret
-
BETTER_AUTH_URLAuth base URL
http://localhost:3000
LOG_LEVELLogging level
info
CORS_ORIGINAllowed CORS origin
http://localhost:3000
Script
Description
bun run devStart dev server with hot reload
bun run dev:dockerStart dev environment in Docker
bun run prod:dockerStart production in Docker
bun run buildBuild to dist/
bun run testRun all tests
bun run test:dockerSpin up test DB + run tests
bun run checkTypeScript + Biome lint
bun run typecheckTypeScript type check only
bun run lintBiome lint
bun run lint:fixBiome lint with auto-fix
bun run formatBiome format
bun run db:generateGenerate Drizzle migrations
bun run db:migrateRun migrations
bun run db:pushPush schema directly to DB
bun run db:studioOpen Drizzle Studio
bun run db:seedSeed RBAC data
MIT