Add trustedOrigins to better-auth config to ensure proper origin validation behind reverse proxy.
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { genericOAuth } from "better-auth/plugins";
import { db } from "@/db/index";
import * as schema from "@/db/schema";
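// Validate required environment variables
//
// The auth instance below is built at module load, so a missing value is a
// deployment error: fail fast with a clear message instead of starting up
// with an empty signing secret or a malformed OIDC discovery URL.

/**
 * Ensure a required environment variable is set and non-empty.
 *
 * @param {string} name - the environment variable to check
 * @returns {string} the variable's value
 * @throws {Error} `"<name> is required"` when it is unset or empty
 */
function requireEnv(name) {
  const value = process.env[name];
  if (!value) {
    throw new Error(`${name} is required`);
  }
  return value;
}

requireEnv("BETTER_AUTH_SECRET");
requireEnv("BETTER_AUTH_URL");
requireEnv("AUTH_AUTHENTIK_CLIENT_ID");
requireEnv("AUTH_AUTHENTIK_CLIENT_SECRET");
requireEnv("AUTH_AUTHENTIK_ISSUER");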
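// Authentik may be configured with or without a trailing slash on the issuer;
// strip it so the discovery URL never contains "//". The `?? ""` only satisfies
// the type checker: the guard above has already ensured the variable is set.
const authentikIssuer = (process.env.AUTH_AUTHENTIK_ISSUER ?? "").replace(/\/+$/, "");

/**
 * Server-side better-auth instance: Postgres storage via drizzle plus a single
 * OIDC provider (Authentik) configured through the generic OAuth plugin.
 */
export const auth = betterAuth({
  // Secret used by better-auth for session/token signing; never commit it.
  secret: process.env.BETTER_AUTH_SECRET,
  // Public base URL of this deployment.
  baseURL: process.env.BETTER_AUTH_URL,
  // Origins allowed to call the auth endpoints (better-auth's origin check,
  // part of its CSRF protection). Behind a reverse proxy the public URL has
  // to be listed explicitly so requests arriving through the proxy are accepted.
  trustedOrigins: [process.env.BETTER_AUTH_URL],
  database: drizzleAdapter(db, {
    provider: "pg",
    schema,
  }),
  plugins: [
    genericOAuth({
      config: [
        {
          providerId: "authentik",
          clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID,
          clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET,
          // Provider endpoints are taken from the OIDC discovery document.
          discoveryUrl: `${authentikIssuer}/.well-known/openid-configuration`,
          scopes: ["openid", "email", "profile"],
        },
      ],
    }),
  ],
});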