feat: better auth

.env

@@ -38,6 +38,7 @@ POST_SCRAPER_ORIGIN=http://localhost:8000
 YGGDRASIL_SENTIMENT_ORIGIN=http://localhost:3002
 HEIMDALL_ORIGIN=http://localhost:7000
 KRATOS_ORIGIN=http://localhost:7000
+BETTER_AUTH_REDIRECT_URL=https://sso.local.fylla.dev/api
 MAGNI_ORIGIN=http://localhost:9000
 MEILI_ORIGIN=http://localhost:7700/
 SUBMIT_ARTICLE_THRESHOLD=250

.infra/Pulumi.adhoc.yaml

@@ -100,6 +100,27 @@ config:
     employmentAgreementBucketName: adhoc-daily-api
     brokkrOrigin: http://brokkr-grpc:50051
     mockExternalServices: true
+    betterAuthSecret:
+      secure: v1:OMJzrWkQe5M2bCPT:zjmHZhC/lKVS9Wgm+m3kCthxwFwh+Ux9pp1E2g+NnQFpsLkVyCRjKEQY8JGdY0IcTaKmhVw9bjo/gMx9N1G6qsUegCIwnQ==
+    betterAuthBaseUrl: https://api.local.fylla.dev
+    betterAuthTrustedOrigins: https://app.local.fylla.dev:5002
+    betterAuthRedirectUrl: https://sso.local.fylla.dev/api
+    googleClientId:
+      secure: v1:vxiz7DL3y7wJC3Xb:U998JBQzsUpSrJUAwshlu68xUvWq5zm6hXZNQ6Jeqd82+fZU5/WJJ4t2ti9tlJgUcvrI0Nz7/0dweGmTLp4is58i1k7d37/ZcNjtTOhO39sqa/9hNjQPsQ==
+    googleClientSecret:
+      secure: v1:DyvUCX4JxvjrYwOv:eSsStUriEPV2u895v2k0RROIv6fecftf6ZGmQEZfALLp5q3TzVrQrg==
+    githubClientId:
+      secure: v1:nTT76ELlqKxR4Auh:BQSLiFpXOZjpJ/lZQxuRxC2RNlf3w4t3VvpMxznldd1lofbS
+    githubClientSecret:
+      secure: v1:GhL76XX0Y/yzoYG8:6kARUQHVOxbIP/WXxH+2IX91ADp650ZrEG7H+6FXuakJuzhDHTpk+q37jUq1hzHzp8xNbNFlud4=
+    appleClientId:
+      secure: v1:pK4ks8kCNPZO/KJc:REutw/UeJumYLJWA8cPy5iL83yaVgOOZh9azOyo7zcyj
+    appleClientSecret:
+      secure: v1:8TOrQ25yzgkRxr2C:n6FB51tbRNAl5bujHFjsn6a7kxEWlirmhX4wj/iWGM5BSc7n+8AxQkxhiLhe6xE0aXvfTPMUurfvbRMBHfkzbrJi7sZkMX7ZsseUHZLbyphA6+L3VxwsVvehArNx5iVJ8MzZW/LxsXZ50AtUjuXzLvaJKQtImdU9MLSPKy/EEOClTBSIn0leHJuEuDI4l7uFUN845qb+R6buTvy26jzaBNxTM//zLvf+2LN+iIbCKXsm77NdRT76x+Zr3rBQSnEWMZJjo4SE3eW5PJ30ZD0XJxung1CcErhWtVeHOkOQjGs4p6OGO/5S3NXK+RS65qQnMPoYiYPhkKhcmd/2FJqruzV7J93FGyw5+LUJ/AqPKpdCRNi1gMS5RPg+SG6Q5YiqvcMWiNbKPCsLStL3bZ2DKyvfBJx9XFWWSDcCFfft
+    facebookClientId:
+      secure: v1:HK6y83jsUMlifn1s:lVkv/LDrS8XKQDZtux2UgCCDMU+nAq1W2b1PNngYWQ==
+    facebookClientSecret:
+      secure: v1:a/9PRJS0TIBFdMcn:LfxVew6M8ANQHkmK8IAmpnvW/EZ6MKDmH1k2+qihluVS3lYJ740Ui4jvbTZoz55h
   api:k8s:
     namespace: local
   api:temporal:

.infra/crons.ts

@@ -174,4 +174,8 @@ export const crons: Cron[] = [
     name: 'agents-digest',
     schedule: '17 4 * * *',
   },
+  {
+    name: 'clean-expired-better-auth-sessions',
+    schedule: '0 3 * * *',
+  },
 ];

__mocks__/better-auth-api.ts

@@ -0,0 +1,3 @@
+export const createAuthMiddleware = (
+  fn: (ctx: Record<string, unknown>) => unknown,
+) => fn;

__mocks__/better-auth-node.ts

@@ -0,0 +1,14 @@
+export const fromNodeHeaders = (
+  headers: Record<string, string | string[] | undefined>,
+): Headers => {
+  const h = new Headers();
+  for (const [key, value] of Object.entries(headers)) {
+    if (!value) continue;
+    if (Array.isArray(value)) {
+      value.forEach((v) => h.append(key, v));
+    } else {
+      h.set(key, value);
+    }
+  }
+  return h;
+};

__mocks__/better-auth-plugins-email-otp.ts

@@ -0,0 +1,7 @@
+export const emailOTP = () => ({
+  id: 'email-otp',
+  endpoints: {},
+  hooks: { after: [] },
+  rateLimit: [],
+  options: {},
+});

__mocks__/better-auth-plugins.ts

@@ -0,0 +1,12 @@
+export const captcha = () => ({
+  id: 'captcha',
+  options: {},
+});
+
+export const emailOTP = () => ({
+  id: 'email-otp',
+  endpoints: {},
+  hooks: { after: [] },
+  rateLimit: [],
+  options: {},
+});

__mocks__/better-auth.ts

@@ -0,0 +1,8 @@
+export const betterAuth = () => ({
+  handler: async () => new Response('{}', { status: 200 }),
+  api: {
+    getSession: async () => null,
+  },
+});
+
+export type BetterAuthOptions = Record<string, unknown>;

__tests__/cron/cleanExpiredBetterAuthSessions.ts

@@ -0,0 +1,87 @@
+import { cleanExpiredBetterAuthSessions as cron } from '../../src/cron/cleanExpiredBetterAuthSessions';
+import { expectSuccessfulCron, saveFixtures } from '../helpers';
+import { DataSource } from 'typeorm';
+import createOrGetConnection from '../../src/db';
+import { User } from '../../src/entity/user/User';
+import { usersFixture } from '../fixture';
+import { crons } from '../../src/cron/index';
+import { sub, add } from 'date-fns';
+
+let con: DataSource;
+
+beforeAll(async () => {
+  con = await createOrGetConnection();
+});
+
+beforeEach(async () => {
+  jest.clearAllMocks();
+  await saveFixtures(
+    con,
+    User,
+    usersFixture.map((user) => ({
+      ...user,
+      id: `${user.id}-bac`,
+      username: `${user.username}-bac`,
+    })),
+  );
+
+  const now = new Date();
+  await con.query(
+    `INSERT INTO ba_session (id, token, "userId", "expiresAt", "createdAt", "updatedAt")
+     VALUES ($1, $2, $3, $4, $5, $5),
+            ($6, $7, $8, $9, $10, $10),
+            ($11, $12, $13, $14, $15, $15)
+     ON CONFLICT (id) DO NOTHING`,
+    [
+      'expired-1',
+      'token-expired-1',
+      '1-bac',
+      sub(now, { days: 2 }),
+      sub(now, { days: 9 }),
+      'expired-2',
+      'token-expired-2',
+      '2-bac',
+      sub(now, { hours: 1 }),
+      sub(now, { days: 3 }),
+      'active-1',
+      'token-active-1',
+      '1-bac',
+      add(now, { days: 5 }),
+      now,
+    ],
+  );
+});
+
+describe('cleanExpiredBetterAuthSessions cron', () => {
+  it('should be registered', () => {
+    const registeredCron = crons.find((item) => item.name === cron.name);
+    expect(registeredCron).toBeDefined();
+  });
+
+  it('should delete expired sessions and keep active ones', async () => {
+    const before: { id: string }[] = await con.query(
+      `SELECT id FROM ba_session ORDER BY id`,
+    );
+    expect(before).toHaveLength(3);
+
+    await expectSuccessfulCron(cron);
+
+    const after: { id: string }[] = await con.query(
+      `SELECT id FROM ba_session ORDER BY id`,
+    );
+    expect(after).toEqual([{ id: 'active-1' }]);
+  });
+
+  it('should handle no expired sessions gracefully', async () => {
+    await con.query(
+      `DELETE FROM ba_session WHERE id IN ('expired-1', 'expired-2')`,
+    );
+
+    await expectSuccessfulCron(cron);
+
+    const after: { id: string }[] = await con.query(
+      `SELECT id FROM ba_session WHERE id = 'active-1'`,
+    );
+    expect(after).toHaveLength(1);
+  });
+});

__tests__/routes/betterAuth.ts

@@ -0,0 +1,49 @@
+import request from 'supertest';
+import { FastifyInstance } from 'fastify';
+import { DataSource } from 'typeorm';
+import createOrGetConnection from '../../src/db';
+import { saveFixtures } from '../helpers';
+import { User } from '../../src/entity/user/User';
+import { usersFixture } from '../fixture';
+import { ioRedisPool } from '../../src/redis';
+
+let app: FastifyInstance;
+let con: DataSource;
+
+beforeAll(async () => {
+  con = await createOrGetConnection();
+
+  process.env.BETTER_AUTH_SECRET = 'a]3Bv!k9Pz@mQ7wX#rL2sY&dN5fH8jT-test-only';
+  try {
+    const { initializeBetterAuth } = await import('../../src/betterAuth');
+    initializeBetterAuth();
+  } catch {
+    // BA initialization may fail in test with mocked module
+  }
+
+  const appFunc = (await import('../../src')).default;
+  app = await appFunc();
+  return app.ready();
+});
+
+afterAll(async () => {
+  if (app) {
+    await app.close();
+  }
+});
+
+beforeEach(async () => {
+  jest.clearAllMocks();
+  await ioRedisPool.execute((client) => client.flushall());
+  await saveFixtures(con, User, usersFixture);
+});
+
+describe('betterAuth routes', () => {
+  describe('native Better Auth routes', () => {
+    it('should return 200 for the health endpoint', async () => {
+      const res = await request(app.server).get('/auth/ok');
+
+      expect(res.status).toBe(200);
+    });
+  });
+});

jest.config.js

@@ -41,5 +41,11 @@ module.exports = {
   moduleNameMapper: {
     '^file-type$': '<rootDir>/node_modules/file-type/index.js',
     '^isomorphic-dompurify$': '<rootDir>/__mocks__/isomorphic-dompurify.ts',
+    '^better-auth$': '<rootDir>/__mocks__/better-auth.ts',
+    '^better-auth/api$': '<rootDir>/__mocks__/better-auth-api.ts',
+    '^better-auth/node$': '<rootDir>/__mocks__/better-auth-node.ts',
+    '^better-auth/plugins$': '<rootDir>/__mocks__/better-auth-plugins.ts',
+    '^better-auth/plugins/email-otp$':
+      '<rootDir>/__mocks__/better-auth-plugins-email-otp.ts',
   },
 };

package.json

@@ -94,6 +94,8 @@
     "@types/uuid": "^10.0.0",
     "apollo-server-errors": "^3.3.0",
     "apollo-server-types": "^3.8.0",
+    "argon2": "^0.44.0",
+    "better-auth": "^1.5.0",
     "close-with-grace": "^2.4.0",
     "cloudinary": "^2.8.0",
     "cockatiel": "^3.2.1",
@@ -166,6 +168,7 @@
     "@types/markdown-it": "14.1.2",
     "@types/node": "22.15.x",
     "@types/node-fetch": "^2.6.13",
+    "@types/pg": "^8.15.6",
     "@types/retry": "^0.12.5",
     "@types/rss": "0.0.32",
     "@types/supertest": "^6.0.3",