Implementing Better Auth by doanchienthangdev/omgkit
npx skills add https://github.com/doanchienthangdev/omgkit --skill 'Implementing Better Auth'

```typescript
// lib/auth.ts
import { betterAuth } from "better-auth";
import { prismaAdapter } from "better-auth/adapters/prisma";
import { PrismaClient } from "@prisma/client";

// Prisma client instance handed to the adapter (the original snippet used `prisma` without declaring it)
const prisma = new PrismaClient();

export const auth = betterAuth({
  database: prismaAdapter(prisma, { provider: "postgresql" }),
  // Accounts cannot sign in until the email address has been verified
  emailAndPassword: { enabled: true, requireEmailVerification: true },
  // Session lifetime in seconds (7 days)
  session: { expiresIn: 60 * 60 * 24 * 7 },
  socialProviders: {
    // OAuth credentials come from the environment; never hard-code them
    google: { clientId: process.env.GOOGLE_CLIENT_ID!, clientSecret: process.env.GOOGLE_CLIENT_SECRET! },
  },
});
```
| Feature | Description | Reference |
|---|---|---|
| Email/Password Auth | Secure registration, login, password validation | Auth Guide |
| Social OAuth | Google, GitHub, Discord provider integration | Social Providers |
| Two-Factor Auth | TOTP-based MFA with backup codes | 2FA Plugin |
| Session Management | Secure cookie-based sessions with refresh | Sessions |
| Rate Limiting | Configurable limits per endpoint | Rate Limiting |
| Organizations | Multi-tenant support with roles | Organizations Plugin |
```typescript
// lib/auth-client.ts
import { createAuthClient } from "better-auth/client";
import { twoFactorClient, organizationClient } from "better-auth/client/plugins";

export const authClient = createAuthClient({
  // Base URL of the server that mounts the Better Auth handler
  baseURL: process.env.NEXT_PUBLIC_API_URL,
  // Client-side counterparts of the server's 2FA and organization plugins
  plugins: [twoFactorClient(), organizationClient()],
});

export const { signIn, signUp, signOut, useSession } = authClient;
```
```typescript
// middleware.ts
import { auth } from "@/lib/auth";
import { NextRequest, NextResponse } from "next/server";

export async function middleware(request: NextRequest) {
  // Resolve the session from the request cookies through the server-side auth API
  const session = await auth.api.getSession({ headers: request.headers });
  // Unauthenticated requests to anything other than /login are redirected to the login page
  if (!session && !request.nextUrl.pathname.startsWith("/login")) {
    return NextResponse.redirect(new URL("/login", request.url));
  }
  return NextResponse.next();
}
```
```typescript
// Handle 2FA during sign-in (wrapped in functions so `data` is not declared twice in one scope)
import { authClient } from "@/lib/auth-client";

async function signInWithTwoFactor(email: string, password: string, promptForTotp: () => Promise<string>) {
  const { data, error } = await authClient.signIn.email({ email, password });
  if (error?.code === "TWO_FACTOR_REQUIRED") {
    // Show 2FA input, then verify the code the user entered
    const { data: verified } = await authClient.twoFactor.verify({ code: await promptForTotp() });
    return verified;
  }
  return data;
}

// Enable 2FA for user
async function enableTwoFactor() {
  const { data } = await authClient.twoFactor.enable();
  // data.totpURI contains QR code data; data.backupCodes contains recovery codes (show once, then discard)
  return data;
}
```
| Do | Avoid |
|---|---|
| Require email verification for new accounts | Storing plain-text passwords |
| Enable rate limiting on auth endpoints | Exposing detailed error messages |
| Use httpOnly, secure cookies | Using predictable session tokens |
| Set strong password requirements (12+ chars) | Allowing unlimited login attempts |
| Implement proper session expiration | Storing sensitive data in JWT |
| Log authentication events for auditing | Skipping CSRF protection |
Weekly Installs: 0
GitHub Stars: 3
First Seen: Jan 1, 1970