import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { mcp, organization } from "better-auth/plugins";
import { nextCookies } from "better-auth/next-js";
import { eq } from "drizzle-orm";
import { getDb } from "@/db";
import * as authSchema from "@/db/auth-schema";
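// Production builds must not trust a localhost origin; dev/test keep it so
// `next dev` on :3000 passes the origin check.
const isProduction = process.env.NODE_ENV === "production";

/**
 * Server-side better-auth instance.
 *
 * Uses the Drizzle/Postgres adapter, Google as the only sign-in method
 * (email/password is disabled), the organization and MCP plugins, and
 * Next.js cookie handling. A session-create hook seeds each new session's
 * `activeOrganizationId` from the user's first organization membership.
 *
 * Reads BETTER_AUTH_SECRET, BETTER_AUTH_URL, GOOGLE_CLIENT_ID and
 * GOOGLE_CLIENT_SECRET from the environment at module load.
 */
export const auth = betterAuth({
  // NOTE(review): when BETTER_AUTH_SECRET is unset this is `undefined`; confirm
  // the deployed better-auth version fails to start rather than signing with a
  // library default secret.
  secret: process.env.BETTER_AUTH_SECRET,
  baseURL: process.env.BETTER_AUTH_URL,
  // Trust the custom domain and the *.workers.dev domain so requests from
  // either pass better-auth's CSRF/origin check. (baseURL alone — currently
  // the workers.dev URL — would reject internal.pathors.com.) localhost is
  // added only outside production so a deployed instance never accepts a
  // localhost Origin.
  trustedOrigins: [
    "https://internal.pathors.com",
    "https://pathors-internal.pathors.workers.dev",
    ...(isProduction ? [] : ["http://localhost:3000"]),
  ],
  database: drizzleAdapter(getDb(), {
    provider: "pg",
    schema: authSchema,
    // neon-http has no interactive transactions; run ops sequentially.
    transaction: false,
  }),
  emailAndPassword: { enabled: false },
  socialProviders: {
    google: {
      // `as string` only satisfies the type; an unset variable still reaches
      // the OAuth flow as `undefined`, so both must be set in every environment.
      clientId: process.env.GOOGLE_CLIENT_ID as string,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
      // Always show Google's account chooser instead of silently reusing the
      // browser's only signed-in session — users may have multiple accounts.
      prompt: "select_account",
    },
  },
  databaseHooks: {
    session: {
      create: {
        // Default a new session's active org to the user's first membership,
        // so server code always has an org to scope by right after login.
        // Users with no membership get `activeOrganizationId: null`.
        before: async (session) => {
          const db = getDb();
          const rows = await db
            .select({ organizationId: authSchema.member.organizationId })
            .from(authSchema.member)
            .where(eq(authSchema.member.userId, session.userId))
            .limit(1);
          return {
            data: {
              ...session,
              activeOrganizationId: rows[0]?.organizationId ?? null,
            },
          };
        },
      },
    },
  },
  plugins: [
    organization(),
    // OAuth 2.0 / OIDC provider for MCP clients. Adds /api/auth/mcp/* endpoints
    // (authorize, token, register, get-session) + OAuth discovery. Unauthenticated
    // authorize requests are sent to loginPage, which redirects back after sign-in.
    mcp({ loginPage: "/login" }),
    nextCookies(),
  ],
});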