Authentication
Better Auth setup across frontend and API.
Sessions, organizations, and OAuth are implemented with Better Auth on NestJS. The Next.js app never implements auth logic directly — it uses the generated client and cookie-based sessions.
Request flow
Server configuration
File: ragnarock-backend/libs/auth/src/auth.instance.ts
| Feature | Plugin / setting |
|---|---|
| Email + password | emailAndPassword — verification required |
| Email OTP | emailOTP |
| 2FA TOTP | twoFactor + backup codes |
| Organizations | organization — teams, invites |
| OAuth | Google, GitHub when env vars set |
| Admin / API tokens | admin, bearer |
| OpenAPI | openAPI plugin for auth routes |
HTTP mount: libs/auth/src/auth.controller.ts → /api/auth/*
Dynamic base URL
baseURL.allowedHosts includes localhost:8000, localhost:3000, and main.localhost for nginx-based local setups. OAuth redirect base uses BETTER_AUTH_URL (must match provider console URLs).
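To make the allowlist concrete, here is an added example (not the project's code) of how a request host is checked against an explicit list before it is allowed to become the auth base URL; a host that is missing, malformed, or not on the list falls back to a fixed value. The three allowlist entries are the ones named above; the option names, the `X-Forwarded-Host` handling and the function itself are assumptions.

```typescript
// Added example (not the project's code): pick the auth base URL from the
// request's host only when that host is on an explicit allowlist, otherwise
// fall back to a fixed value. The allowlist entries mirror the ones the page
// names; the option names and the function itself are assumptions.

interface BaseUrlOptions {
  allowedHosts: string[];   // exact host[:port] values that may be echoed back
  fallbackBaseUrl: string;  // used when Host is missing, malformed or not allowed
  protocol?: "http" | "https";
}

// A bare host[:port]; anything else (paths, userinfo, schemes, whitespace) is rejected.
const HOST_SHAPE = /^[a-z0-9.-]+(:\d{1,5})?$/;

function resolveAuthBaseUrl(
  headers: Record<string, string | undefined>,
  opts: BaseUrlOptions,
): string {
  const protocol = opts.protocol ?? "http";
  // nginx in the local setup forwards the original host; fall back to Host.
  // Only the first value of a comma-separated list is considered.
  const raw = headers["x-forwarded-host"] ?? headers["host"] ?? "";
  const candidate = (raw.split(",")[0] ?? "").trim().toLowerCase();
  if (!HOST_SHAPE.test(candidate)) return opts.fallbackBaseUrl;
  const allowed = new Set(opts.allowedHosts.map((h) => h.trim().toLowerCase()));
  if (!allowed.has(candidate)) return opts.fallbackBaseUrl;
  return `${protocol}://${candidate}`;
}

// Constructed options mirroring the hosts listed on this page.
const localOptions: BaseUrlOptions = {
  allowedHosts: ["localhost:8000", "localhost:3000", "main.localhost"],
  fallbackBaseUrl: "http://localhost:8000",
};
```

Note that this only decides the base URL for cookie-backed session endpoints; the OAuth redirect base stays the fixed `BETTER_AUTH_URL`, since that value has to match what is registered in the provider console.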
Session storage
- Primary: Postgres via Prisma adapter
- Secondary: Redis (AuthSecondaryStorage) for fast session reads
Client configuration
File: ragnarock/src/lib/auth/auth-client.ts
Plugins should mirror the server (organization, twoFactor, etc.) so TypeScript types match available endpoints.
Project-level authorization
Organization membership ≠ project access.
| Layer | Guard / decorator | Scope |
|---|---|---|
| Authenticated user | @Auth() / AuthGuard | Global default |
| Project member | ProjectMemberGuard | projectId param |
| Project role | @ProjectRole(...) + ProjectRoleGuard | owner, admin, member, viewer |
Implemented under apps/main/src/project-auth/.
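The following is an added example, not code from `apps/main/src/project-auth/`, showing the three checks in the table as plain functions so the decision order is visible: authenticated session, then a project membership row, then the role. It encodes the point made above, that belonging to the owning organization is not enough to reach a project. The store shape, the `reason` strings, and the reading of `@ProjectRole(...)`'s list as the exact set of accepted roles are assumptions.

```typescript
// Added example (not the project's code): project-level authorization as
// plain functions. Store shape, reason strings and the exact-set role rule
// are assumptions.

type ProjectRoleName = "owner" | "admin" | "member" | "viewer";

interface Session { userId: string }
interface ProjectMembership { projectId: string; userId: string; role: ProjectRoleName }

interface MembershipStore {
  orgMembers: Record<string, string[]>;   // organizationId -> userIds
  projectOrg: Record<string, string>;     // projectId -> owning organizationId
  projectMembers: ProjectMembership[];
}

interface Decision { allowed: boolean; reason: string; role?: ProjectRoleName }

// Stand-in for ProjectMemberGuard: a user is a project member only if a
// project membership row exists. Organization membership is not consulted.
function findProjectMembership(
  store: MembershipStore,
  session: Session,
  projectId: string,
): ProjectMembership | undefined {
  return store.projectMembers.find(
    (m) => m.projectId === projectId && m.userId === session.userId,
  );
}

// Stand-in for AuthGuard, ProjectMemberGuard and ProjectRoleGuard, evaluated
// in the order a request passes through them.
function authorizeProjectRequest(
  store: MembershipStore,
  session: Session | null,
  projectId: string,
  requiredRoles?: ProjectRoleName[],
): Decision {
  if (!session) return { allowed: false, reason: "unauthenticated" };
  if (!(projectId in store.projectOrg)) return { allowed: false, reason: "unknown project" };
  const membership = findProjectMembership(store, session, projectId);
  if (!membership) {
    // Distinguish the two denials only for logging; both are denied.
    const orgId = store.projectOrg[projectId] ?? "";
    const inOrg = (store.orgMembers[orgId] ?? []).includes(session.userId);
    return {
      allowed: false,
      reason: inOrg ? "organization member but not a project member" : "not a project member",
    };
  }
  if (requiredRoles && !requiredRoles.includes(membership.role)) {
    return {
      allowed: false,
      reason: `role ${membership.role} not in [${requiredRoles.join(", ")}]`,
      role: membership.role,
    };
  }
  return { allowed: true, reason: "ok", role: membership.role };
}

// Constructed sample data: bob is in org-1 but has no membership row on proj-1.
const demoStore: MembershipStore = {
  orgMembers: { "org-1": ["alice", "bob"] },
  projectOrg: { "proj-1": "org-1" },
  projectMembers: [
    { projectId: "proj-1", userId: "alice", role: "owner" },
    { projectId: "proj-1", userId: "carol", role: "viewer" },
  ],
};
```

In the real guards the `projectId` comes from the route parameter and the membership lookup goes through Prisma; the shape of the decision is the same. If the decorator is meant to be hierarchical (owner implies admin, and so on), the `requiredRoles.includes` line is the only place that changes.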
Environment variables
| Prop | Type |
|---|---|
User-facing docs
- Create account
- Security — 2FA and sessions
CLI
Better Auth CLI is available in backend devDependencies for schema generation:
```bash
cd ragnarock-backend
bunx @better-auth/cli
```