feat(auth): validate required env vars at startup

Add explicit validation for BETTER_AUTH_SECRET, BETTER_AUTH_URL, and
Authentik config variables. Set secret explicitly in better-auth config
to prevent silent session loss on restart.

src/auth.ts

@@ -4,7 +4,25 @@ import { genericOAuth } from "better-auth/plugins";
 import { db } from "@/db/index";
 import * as schema from "@/db/schema";
 
+// Validate required environment variables
+if (!process.env.BETTER_AUTH_SECRET) {
+  throw new Error("BETTER_AUTH_SECRET is required");
+}
+if (!process.env.BETTER_AUTH_URL) {
+  throw new Error("BETTER_AUTH_URL is required");
+}
+if (!process.env.AUTH_AUTHENTIK_CLIENT_ID) {
+  throw new Error("AUTH_AUTHENTIK_CLIENT_ID is required");
+}
+if (!process.env.AUTH_AUTHENTIK_CLIENT_SECRET) {
+  throw new Error("AUTH_AUTHENTIK_CLIENT_SECRET is required");
+}
+if (!process.env.AUTH_AUTHENTIK_ISSUER) {
+  throw new Error("AUTH_AUTHENTIK_ISSUER is required");
+}
+
 export const auth = betterAuth({
+  secret: process.env.BETTER_AUTH_SECRET,
 	baseURL: process.env.BETTER_AUTH_URL,
 	database: drizzleAdapter(db, {
 		provider: "pg",
@@ -15,8 +33,8 @@ export const auth = betterAuth({
 			config: [
 				{
 					providerId: "authentik",
-					clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID!,
+					clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID,
-					clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET!,
+					clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET,
 					discoveryUrl: `${process.env.AUTH_AUTHENTIK_ISSUER}/.well-known/openid-configuration`,
 					scopes: ["openid", "email", "profile"],
 				},