@lenne.tech/nest-server 11.11.1 → 11.13.0

package/src/core/modules/better-auth/better-auth.config.ts

@@ -4,6 +4,8 @@ import { betterAuth, BetterAuthPlugin } from 'better-auth';
 import { mongodbAdapter } from 'better-auth/adapters/mongodb';
 import { jwt, twoFactor } from 'better-auth/plugins';
 import * as crypto from 'crypto';
+import * as fs from 'fs';
+import * as path from 'path';
 
 import { IBetterAuth } from '../../common/interfaces/server-options.interface';
 
@@ -27,13 +29,16 @@ function generateSecureSecret(): string {
 
 /**
  * Cached auto-generated secret for the current server instance.
- * Generated once at module load to ensure consistency within a single run.
+ * Generated once at a module load to ensure consistency within a single run.
  */
 let cachedAutoGeneratedSecret: null | string = null;
 
 /**
- * Options for creating a better-auth instance
+ * Cached project app name for the current server instance.
+ * Read once from package.json to avoid repeated file reads.
  */
+let cachedProjectAppName: null | string = null;
+
 export interface CreateBetterAuthOptions {
   /**
    * Better-auth configuration from server options
@@ -63,6 +68,18 @@ export interface CreateBetterAuthOptions {
    */
   fallbackSecrets?: (string | undefined)[];
 
+  /**
+   * Callback for when email is verified (to sync verifiedAt)
+   * Injected from CoreBetterAuthModule
+   */
+  onEmailVerified?: OnEmailVerifiedCallback;
+
+  /**
+   * Callback for sending verification email
+   * Injected from CoreBetterAuthModule to use NestJS services
+   */
+  sendVerificationEmail?: SendVerificationEmailCallback;
+
   /**
    * Server-level app/frontend URL (from IServerOptions.appUrl).
    * Used for Passkey origin and CORS trustedOrigins.
@@ -82,6 +99,25 @@ export interface CreateBetterAuthOptions {
   serverEnv?: string;
 }
 
+/**
+ * Callback for when email is verified
+ * Injected from CoreBetterAuthModule to sync verifiedAt
+ */
+export type OnEmailVerifiedCallback = (userId: string) => Promise<void>;
+
+/**
+ * Options for creating a better-auth instance
+ */
+/**
+ * Callback for sending verification email
+ * Injected from CoreBetterAuthModule to use NestJS services
+ */
+export type SendVerificationEmailCallback = (options: {
+  token: string;
+  url: string;
+  user: { email: string; id: string; name?: null | string };
+}) => Promise<void>;
+
 /**
  * Better-Auth field type definition
  * Matches the DBFieldType from better-auth
@@ -152,6 +188,7 @@ interface UserFieldConfig {
  */
 interface ValidationResult {
   errors: string[];
+  resolvedSecret?: string;
   valid: boolean;
   warnings: string[];
 }
@@ -165,7 +202,7 @@ interface ValidationResult {
  */
 export function createBetterAuthInstance(options: CreateBetterAuthOptions): BetterAuthInstance | null {
   const logger = new Logger('BetterAuthConfig');
-  const { config, db, fallbackSecrets } = options;
+  const { config, db, fallbackSecrets, onEmailVerified, sendVerificationEmail, serverEnv } = options;
 
   // Return null only if better-auth is explicitly disabled
   // BetterAuth is enabled by default (zero-config)
@@ -184,7 +221,7 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
   // Normalize Passkey configuration with auto-detection from resolved URLs
   // This must happen BEFORE validation to allow graceful degradation
   // Passkey is now AUTO-ACTIVATED by default (not opt-in)
-  const passkeyNormalization = normalizePasskeyConfig(config, resolvedUrls);
+  const passkeyNormalization = normalizePasskeyConfig(config, { resolvedUrls, serverEnv });
 
   // Log passkey normalization warnings (info about auto-detection or disabled status)
   for (const warning of passkeyNormalization.warnings) {
@@ -192,7 +229,7 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
   }
 
   // Validate configuration (with fallback secrets for backwards compatibility)
-  const validation = validateConfig(config, fallbackSecrets, passkeyNormalization);
+  const validation = validateConfig(config, { fallbackSecrets, passkeyNormalization });
 
   // Log warnings
   for (const warning of validation.warnings) {
@@ -205,15 +242,26 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
   }
 
   // Build configuration components (pass normalized passkey config and resolved URLs)
-  const plugins = buildPlugins(config, passkeyNormalization);
+  const plugins = buildPlugins(config, { passkeyNormalization, serverEnv });
   const socialProviders = buildSocialProviders(config);
-  const trustedOrigins = buildTrustedOrigins(config, passkeyNormalization, resolvedUrls);
+  const trustedOrigins = buildTrustedOrigins(config, { passkeyNormalization, resolvedUrls });
   const additionalFields = buildUserFields(config);
 
+  // Build email verification configuration
+  const emailVerificationConfig = buildEmailVerificationConfig(config, { onEmailVerified, sendVerificationEmail });
+
   // Build the base Better-Auth configuration
   // Use resolved baseUrl (with local defaults) or fallback
+  const basePath = config.basePath || '/iam';
+  // Cookie prefix derived from basePath (e.g., '/iam' → 'iam')
+  // This ensures Better-Auth looks for cookies like 'iam.session_token' instead of 'better-auth.session_token'
+  const cookiePrefix = basePath.replace(/^\//, '').replace(/\//g, '.');
+
   const betterAuthConfig: Record<string, unknown> = {
-    basePath: config.basePath || '/iam',
+    advanced: {
+      cookiePrefix,
+    },
+    basePath,
     baseURL: resolvedUrls.baseUrl || config.baseUrl || 'http://localhost:3000',
     database: mongodbAdapter(db),
     // Enable email/password authentication by default (required by Better-Auth 1.x)
@@ -222,7 +270,7 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
       enabled: config.emailAndPassword?.enabled !== false,
     },
     plugins,
-    secret: config.secret,
+    secret: validation.resolvedSecret || config.secret,
     socialProviders,
     user: {
       additionalFields,
@@ -230,6 +278,11 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
     },
   };
 
+  // Add email verification config if enabled
+  if (emailVerificationConfig) {
+    betterAuthConfig.emailVerification = emailVerificationConfig;
+  }
+
   // Only add trustedOrigins if explicitly configured
   // When undefined, Better-Auth uses its default CORS behavior (allows all origins)
   if (trustedOrigins) {
@@ -246,6 +299,99 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
   return betterAuth(finalConfig as any);
 }
 
+/**
+ * Formats a package name to a human-readable display name.
+ * Converts kebab-case and snake_case to Title Case.
+ *
+ * @example
+ * formatProjectName('my-awesome-app')     // → 'My Awesome App'
+ * formatProjectName('@org/my-app')        // → 'My App'
+ * formatProjectName('nest_server_starter') // → 'Nest Server Starter'
+ */
+export function formatProjectName(name: string): string {
+  // Remove scope (e.g., '@org/my-app' → 'my-app')
+  let formatted = name.replace(/^@[^/]+\//, '');
+
+  // Split by hyphens and underscores, capitalize each word
+  formatted = formatted
+    .split(/[-_]/)
+    .map((word) => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase())
+    .join(' ');
+
+  return formatted;
+}
+
+/**
+ * Builds the email verification configuration for Better-Auth.
+ *
+ * Email verification is enabled by default unless explicitly disabled.
+ * Uses the sendVerificationEmail callback to send emails via NestJS services.
+ *
+ * @param config - Better-auth configuration
+ * @param callbacks - Optional callbacks for email verification lifecycle
+ * @returns Email verification config for Better-Auth or null if disabled
+ */
+function buildEmailVerificationConfig(
+  config: IBetterAuth,
+  callbacks?: {
+    onEmailVerified?: OnEmailVerifiedCallback;
+    sendVerificationEmail?: SendVerificationEmailCallback;
+  },
+): null | Record<string, unknown> {
+  const { onEmailVerified, sendVerificationEmail } = callbacks ?? {};
+  // Email verification is enabled by default (zero-config):
+  // - undefined/null: enabled with defaults
+  // - true: enabled with defaults
+  // - false: explicitly disabled
+  // - { ... }: enabled with custom settings (unless enabled: false)
+  const emailVerificationConfig = config.emailVerification;
+
+  if (emailVerificationConfig === false) {
+    return null;
+  }
+
+  if (typeof emailVerificationConfig === 'object' && emailVerificationConfig.enabled === false) {
+    return null;
+  }
+
+  // Get configuration values (with defaults)
+  const configObj = typeof emailVerificationConfig === 'object' ? emailVerificationConfig : {};
+  const expiresIn = configObj.expiresIn ?? 86400; // 24 hours
+  const autoSignInAfterVerification = configObj.autoSignInAfterVerification ?? true;
+
+  const result: Record<string, unknown> = {
+    autoSignInAfterVerification,
+    expiresIn,
+    // Also send on sign-in if user is not verified
+    sendOnSignIn: true,
+    // Send verification email on sign-up by default
+    sendOnSignUp: true,
+  };
+
+  // Add sendVerificationEmail callback if provided
+  if (sendVerificationEmail) {
+    result.sendVerificationEmail = async (
+      data: { token: string; url: string; user: { email: string; id: string; name?: null | string } },
+      _request?: Request,
+    ) => {
+      // Don't await to prevent timing attacks (as recommended by Better-Auth docs)
+       
+      sendVerificationEmail(data);
+    };
+  }
+
+  // Add callback for when email is verified (to sync verifiedAt)
+  if (onEmailVerified) {
+    result.afterEmailVerification = async (user: string | { id: string }, _request?: Request) => {
+      // Better-Auth passes a user object { id: string } to afterEmailVerification
+      const userId = typeof user === 'string' ? user : user.id;
+      await onEmailVerified(userId);
+    };
+  }
+
+  return result;
+}
+
 /**
  * Builds the plugins array based on configuration.
  * Merges built-in plugins (jwt, twoFactor, passkey) with custom plugins from config.
@@ -257,9 +403,15 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
  * - `undefined`: Disabled (default)
  *
  * @param config - Better-auth configuration
- * @param passkeyNormalization - Normalized passkey configuration from normalizePasskeyConfig()
+ * @param options - Additional options
+ * @param options.passkeyNormalization - Normalized passkey configuration from normalizePasskeyConfig()
+ * @param options.serverEnv - Server environment for auto-detected app name suffix
  */
-function buildPlugins(config: IBetterAuth, passkeyNormalization: PasskeyNormalizationResult): BetterAuthPlugin[] {
+function buildPlugins(
+  config: IBetterAuth,
+  options: { passkeyNormalization: PasskeyNormalizationResult; serverEnv?: string },
+): BetterAuthPlugin[] {
+  const { passkeyNormalization, serverEnv } = options;
   const plugins: BetterAuthPlugin[] = [];
 
   // JWT Plugin for API client compatibility
@@ -285,7 +437,8 @@ function buildPlugins(config: IBetterAuth, passkeyNormalization: PasskeyNormaliz
     const twoFactorConfig = typeof config.twoFactor === 'object' ? config.twoFactor : {};
     plugins.push(
       twoFactor({
-        issuer: twoFactorConfig.appName || 'Nest Server',
+        // issuer: Use explicit config, or auto-detect from package.json with environment suffix
+        issuer: twoFactorConfig.appName || getProjectAppName(serverEnv),
       }),
     );
   }
@@ -363,14 +516,16 @@ function buildSocialProviders(config: IBetterAuth): Record<string, SocialProvide
  * - Otherwise → return undefined (allows all origins via Better-Auth's default)
  *
  * @param config - Better-auth configuration
- * @param passkeyNormalization - Normalized passkey configuration from normalizePasskeyConfig()
- * @param resolvedUrls - Resolved URLs from resolveUrls()
+ * @param options - Passkey normalization and resolved URLs context
  */
 function buildTrustedOrigins(
   config: IBetterAuth,
-  passkeyNormalization: PasskeyNormalizationResult,
-  resolvedUrls: ResolvedUrls,
+  options: {
+    passkeyNormalization: PasskeyNormalizationResult;
+    resolvedUrls: ResolvedUrls;
+  },
 ): string[] | undefined {
+  const { passkeyNormalization, resolvedUrls } = options;
   // If trustedOrigins is explicitly configured, use it
   if (config.trustedOrigins?.length) {
     return config.trustedOrigins;
@@ -419,6 +574,12 @@ function buildUserFields(config: IBetterAuth): Record<string, UserFieldConfig> {
       fieldName: 'roles',
       type: 'string[]',
     },
+    // Track when terms and privacy policy were accepted (for sign-up checks)
+    termsAndPrivacyAcceptedAt: {
+      defaultValue: null,
+      fieldName: 'termsAndPrivacyAcceptedAt',
+      type: 'date',
+    },
     twoFactorEnabled: {
       defaultValue: false,
       fieldName: 'twoFactorEnabled',
@@ -429,6 +590,12 @@ function buildUserFields(config: IBetterAuth): Record<string, UserFieldConfig> {
       fieldName: 'verified',
       type: 'boolean',
     },
+    // Track when email was verified (synced from Better-Auth)
+    verifiedAt: {
+      defaultValue: null,
+      fieldName: 'verifiedAt',
+      type: 'date',
+    },
   };
 
   // Merge with custom additional fields from configuration
@@ -447,6 +614,28 @@ function buildUserFields(config: IBetterAuth): Record<string, UserFieldConfig> {
   return coreFields;
 }
 
+/**
+ * Formats the environment name as a suffix.
+ * Only adds suffix for development/test environments.
+ *
+ * @example
+ * formatEnvSuffix('local')      // → '(Local)'
+ * formatEnvSuffix('development') // → '(Development)'
+ * formatEnvSuffix('test')       // → '(Test)'
+ * formatEnvSuffix('production') // → '' (no suffix for production)
+ * formatEnvSuffix(undefined)    // → ''
+ */
+function formatEnvSuffix(env?: string): string {
+  if (!env) return '';
+
+  // Don't add suffix for production
+  if (env === 'production' || env === 'prod') return '';
+
+  // Capitalize first letter
+  const formatted = env.charAt(0).toUpperCase() + env.slice(1).toLowerCase();
+  return `(${formatted})`;
+}
+
 /**
  * Gets or generates the fallback secret for development.
  * The secret is cached to ensure consistency during the server's lifetime.
@@ -458,6 +647,37 @@ function getAutoGeneratedSecret(): string {
   return cachedAutoGeneratedSecret;
 }
 
+/**
+ * Gets the project's app name from package.json.
+ *
+ * This function reads the `name` field from the project's package.json
+ * and formats it for display (converts a kebab-case to Title Case).
+ *
+ * Used as default for:
+ * - `betterAuth.passkey.rpName` (displayed in browser Passkey prompts)
+ * - `betterAuth.twoFactor.appName` (displayed in authenticator apps)
+ *
+ * @param serverEnv - Optional server environment to append as suffix (e.g., 'local' → '(Local)')
+ * @returns The formatted project name, or 'Nest Server' as fallback
+ *
+ * @example
+ * // package.json: { "name": "my-awesome-app" }
+ * getProjectAppName()           // → 'My Awesome App'
+ * getProjectAppName('local')    // → 'My Awesome App (Local)'
+ * getProjectAppName('test')     // → 'My Awesome App (Test)'
+ */
+function getProjectAppName(serverEnv?: string): string {
+  // Return cached value if available (without env suffix, will be added after)
+  if (cachedProjectAppName === null) {
+    cachedProjectAppName = readProjectNameFromPackageJson();
+  }
+
+  // Add environment suffix for non-production environments
+  // This helps developers distinguish Passkeys when running multiple projects locally
+  const envSuffix = formatEnvSuffix(serverEnv);
+  return envSuffix ? `${cachedProjectAppName} ${envSuffix}` : cachedProjectAppName;
+}
+
 /**
  * Checks if a secret has valid minimum length (32 characters)
  */
@@ -477,6 +697,28 @@ function isValidUrl(url: string): boolean {
   }
 }
 
+/**
+ * Reads the project name from package.json in the current working directory.
+ * Falls back to 'Nest Server' if package.json cannot be read or has no name.
+ */
+function readProjectNameFromPackageJson(): string {
+  const fallback = 'Nest Server';
+
+  try {
+    const packageJsonPath = path.join(process.cwd(), 'package.json');
+    const packageJsonContent = fs.readFileSync(packageJsonPath, 'utf-8');
+    const packageJson = JSON.parse(packageJsonContent);
+
+    if (packageJson.name && typeof packageJson.name === 'string') {
+      return formatProjectName(packageJson.name);
+    }
+  } catch {
+    // Ignore errors - use fallback
+  }
+
+  return fallback;
+}
+
 /**
  * Default URLs for local/test environments (local, ci, e2e)
  * These environments typically run on localhost and don't have a deployed domain.
@@ -598,10 +840,16 @@ function extractRpIdFromUrl(url: string): string {
  * - `trustedOrigins`: from config.trustedOrigins > [resolvedUrls.appUrl]
  *
  * @param config - Better-auth configuration
- * @param resolvedUrls - Resolved URLs from resolveUrls()
+ * @param options - Additional options
+ * @param options.resolvedUrls - Resolved URLs from resolveUrls()
+ * @param options.serverEnv - Server environment for auto-detected app name suffix
  * @returns Normalization result with enabled status, config, and warnings
  */
-function normalizePasskeyConfig(config: IBetterAuth, resolvedUrls: ResolvedUrls): PasskeyNormalizationResult {
+function normalizePasskeyConfig(
+  config: IBetterAuth,
+  options: { resolvedUrls: ResolvedUrls; serverEnv?: string },
+): PasskeyNormalizationResult {
+  const { resolvedUrls, serverEnv } = options;
   const warnings: string[] = [];
 
   // Check if Passkey is explicitly DISABLED
@@ -657,10 +905,11 @@ function normalizePasskeyConfig(config: IBetterAuth, resolvedUrls: ResolvedUrls)
   }
 
   // Build normalized config
+  // rpName: Use explicit config, or auto-detect from package.json with environment suffix
   const normalizedConfig: NormalizedPasskeyConfig = {
     origin: finalOrigin,
     rpId: finalRpId,
-    rpName: rawConfig.rpName || 'Nest Server',
+    rpName: rawConfig.rpName || getProjectAppName(serverEnv),
   };
 
   // Copy optional fields from explicit config
@@ -744,37 +993,40 @@ function resolveUrls(options: CreateBetterAuthOptions): ResolvedUrls {
  * 3. Auto-generated secure secret (with warning)
  *
  * @param config - Better-auth configuration
- * @param fallbackSecrets - Optional array of fallback secrets to try
- * @param passkeyNormalization - Result of passkey normalization (handles graceful degradation)
+ * @param options - Optional validation context (fallback secrets, passkey normalization)
  */
 function validateConfig(
   config: IBetterAuth,
-  fallbackSecrets?: (string | undefined)[],
-  passkeyNormalization?: PasskeyNormalizationResult,
+  options?: {
+    fallbackSecrets?: (string | undefined)[];
+    passkeyNormalization?: PasskeyNormalizationResult;
+  },
 ): ValidationResult {
+  const { fallbackSecrets, passkeyNormalization } = options ?? {};
   const errors: string[] = [];
   const warnings: string[] = [];
 
   // Track secret source for appropriate messaging
   let secretSource: 'auto-generated' | 'explicit' | 'fallback' = 'explicit';
+  let resolvedSecret = config.secret;
 
-  // Resolve secret with fallback chain
-  if (!config.secret || config.secret.trim() === '') {
+  // Resolve secret with fallback chain (without mutating the config object)
+  if (!resolvedSecret || resolvedSecret.trim() === '') {
     // Try fallback secrets in order
     const validFallback = fallbackSecrets?.find((secret) => secret && isValidSecretLength(secret));
 
     if (validFallback) {
-      config.secret = validFallback;
+      resolvedSecret = validFallback;
       secretSource = 'fallback';
     } else {
       // Last resort: auto-generate
-      config.secret = getAutoGeneratedSecret();
+      resolvedSecret = getAutoGeneratedSecret();
       secretSource = 'auto-generated';
     }
   }
 
   // Validate the resolved secret
-  const secretValidation = validateSecret(config.secret);
+  const secretValidation = validateSecret(resolvedSecret);
   if (!secretValidation.valid) {
     errors.push(secretValidation.message!);
   } else if (secretValidation.message) {
@@ -853,7 +1105,7 @@ function validateConfig(
             errors.push(`Social provider '${name}' is missing clientSecret`);
           }
         } else {
-          // No credentials provided but provider is configured and not disabled
+          // No credentials provided, but the provider is configured and not disabled
           // This is likely a configuration mistake - warn the user
           warnings.push(
             `Social provider '${name}' is configured but missing both clientId and clientSecret. ` +
@@ -866,6 +1118,7 @@ function validateConfig(
 
   return {
     errors,
+    resolvedSecret,
     valid: errors.length === 0,
     warnings,
   };

package/src/core/modules/better-auth/better-auth.resolver.ts

@@ -1,9 +1,11 @@
+import { Optional } from '@nestjs/common';
 import { Args, Context, Mutation, Query, Resolver } from '@nestjs/graphql';
 import { Request, Response } from 'express';
 
 import { Roles } from '../../common/decorators/roles.decorator';
 import { RoleEnum } from '../../common/enums/role.enum';
 import { CoreBetterAuthAuthModel } from './core-better-auth-auth.model';
+import { CoreBetterAuthEmailVerificationService } from './core-better-auth-email-verification.service';
 import {
   CoreBetterAuth2FASetupModel,
   CoreBetterAuthFeaturesModel,
@@ -11,6 +13,7 @@ import {
   CoreBetterAuthPasskeyModel,
   CoreBetterAuthSessionModel,
 } from './core-better-auth-models';
+import { CoreBetterAuthSignUpValidatorService } from './core-better-auth-signup-validator.service';
 import { CoreBetterAuthUserMapper } from './core-better-auth-user.mapper';
 import { CoreBetterAuthResolver } from './core-better-auth.resolver';
 import { CoreBetterAuthService } from './core-better-auth.service';
@@ -38,8 +41,13 @@ import { CoreBetterAuthService } from './core-better-auth.service';
  *     super(betterAuthService, userMapper);
  *   }
  *
- *   override async betterAuthSignUp(email: string, password: string, name?: string) {
- *     const result = await super.betterAuthSignUp(email, password, name);
+ *   override async betterAuthSignUp(
+ *     email: string,
+ *     password: string,
+ *     name?: string,
+ *     termsAndPrivacyAccepted?: boolean,
+ *   ) {
+ *     const result = await super.betterAuthSignUp(email, password, name, termsAndPrivacyAccepted);
  *
  *     // Send welcome email after successful sign-up
  *     if (result.success && result.user) {
@@ -57,8 +65,10 @@ export class DefaultBetterAuthResolver extends CoreBetterAuthResolver {
   constructor(
     protected override readonly betterAuthService: CoreBetterAuthService,
     protected override readonly userMapper: CoreBetterAuthUserMapper,
+    @Optional() protected override readonly signUpValidator?: CoreBetterAuthSignUpValidatorService,
+    @Optional() protected override readonly emailVerificationService?: CoreBetterAuthEmailVerificationService,
   ) {
-    super(betterAuthService, userMapper);
+    super(betterAuthService, userMapper, signUpValidator, emailVerificationService);
   }
 
   // ===========================================================================
@@ -106,7 +116,7 @@ export class DefaultBetterAuthResolver extends CoreBetterAuthResolver {
   override async betterAuthSignIn(
     @Args('email') email: string,
     @Args('password') password: string,
-    @Context() ctx: { req: Request; res: Response },
+    @Context() ctx?: { req: Request; res: Response },
   ): Promise<CoreBetterAuthAuthModel> {
     return super.betterAuthSignIn(email, password, ctx);
   }
@@ -119,8 +129,9 @@ export class DefaultBetterAuthResolver extends CoreBetterAuthResolver {
     @Args('email') email: string,
     @Args('password') password: string,
     @Args('name', { nullable: true }) name?: string,
+    @Args('termsAndPrivacyAccepted', { nullable: true }) termsAndPrivacyAccepted?: boolean,
   ): Promise<CoreBetterAuthAuthModel> {
-    return super.betterAuthSignUp(email, password, name);
+    return super.betterAuthSignUp(email, password, name, termsAndPrivacyAccepted);
   }
 
   @Mutation(() => Boolean, { description: 'Sign out via Better-Auth' })