From ece03a9124b16c1acc51ed194b5d3e6bac66fd53 Mon Sep 17 00:00:00 2001
From: Dmytro Stanchiev
Date: Mon, 6 Apr 2026 23:17:51 -0400
Subject: [PATCH] feat(auth): validate required env vars at startup

Add explicit validation for BETTER_AUTH_SECRET, BETTER_AUTH_URL, and Authentik config variables. Set secret explicitly in better-auth config to prevent silent session loss on restart.
---
 src/auth.ts | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/auth.ts b/src/auth.ts
index 801afea..b7a1d73 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -4,7 +4,25 @@ import { genericOAuth } from "better-auth/plugins";
 import { db } from "@/db/index";
 import * as schema from "@/db/schema";
 
+// Validate required environment variables
+if (!process.env.BETTER_AUTH_SECRET) {
+ throw new Error("BETTER_AUTH_SECRET is required");
+}
+if (!process.env.BETTER_AUTH_URL) {
+ throw new Error("BETTER_AUTH_URL is required");
+}
+if (!process.env.AUTH_AUTHENTIK_CLIENT_ID) {
+ throw new Error("AUTH_AUTHENTIK_CLIENT_ID is required");
+}
+if (!process.env.AUTH_AUTHENTIK_CLIENT_SECRET) {
+ throw new Error("AUTH_AUTHENTIK_CLIENT_SECRET is required");
+}
+if (!process.env.AUTH_AUTHENTIK_ISSUER) {
+ throw new Error("AUTH_AUTHENTIK_ISSUER is required");
+}
+
 export const auth = betterAuth({
+ secret: process.env.BETTER_AUTH_SECRET,
 baseURL: process.env.BETTER_AUTH_URL,
 database: drizzleAdapter(db, {
 provider: "pg",
@@ -15,8 +33,8 @@ export const auth = betterAuth({
 config: [
 {
 providerId: "authentik",
- clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID!,
- clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET!,
+ clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID,
+ clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET,
 discoveryUrl: `${process.env.AUTH_AUTHENTIK_ISSUER}/.well-known/openid-configuration`,
 scopes: ["openid", "email", "profile"],
 },
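Review bot: The new guard on `BETTER_AUTH_SECRET` rejects only an unset or empty value, so a short or placeholder secret still passes and is then handed to `betterAuth` as `secret:`. Since this commit makes the secret a hard startup requirement, it is the natural place to enforce a length floor too, e.g. `if (process.env.BETTER_AUTH_SECRET.length < 32) throw new Error("BETTER_AUTH_SECRET must be at least 32 characters");` (the exact minimum should follow better-auth's own guidance). The five checks also stop at the first missing name; collecting the missing names and throwing once would report a misconfigured deployment in a single pass. The messages name only the variable and never its value, which is worth keeping that way. The `betterAuth({` call opened in this hunk continues past its end.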
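Review bot: `AUTH_AUTHENTIK_ISSUER` reaches the `discoveryUrl` template after only a non-empty check, so an issuer configured with a trailing slash produces `//.well-known/openid-configuration`, and an `http://` value would have the OIDC discovery document fetched without TLS. Parsing it once before the config closes both: `const issuer = new URL(process.env.AUTH_AUTHENTIK_ISSUER);`, then `if (issuer.protocol !== "https:") throw new Error("AUTH_AUTHENTIK_ISSUER must be an https URL");` (relaxed for local development if needed), and build the discovery URL from `issuer.href.replace(/\/+$/, "")`. Separately, dropping the `!` assertions on `clientId` and `clientSecret` appears to rely on TypeScript carrying the narrowing down from the checks at the top of the file; binding each validated value to a `const` would tie the check to its use. The `betterAuth({` call starts above this hunk and ends below it.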