@lenne.tech/nest-server 11.6.1 → 11.7.0

package/src/core/common/interfaces/server-options.interface.ts

@@ -16,6 +16,357 @@ import { CronJobConfigWithTimeZone } from './cron-job-config-with-time-zone.inte
 import { CronJobConfigWithUtcOffset } from './cron-job-config-with-utc-offset.interface';
 import { MailjetOptions } from './mailjet-options.interface';
 
+/**
+ * Better-Auth field type definition
+ * Matches the DBFieldType from better-auth
+ */
+export type BetterAuthFieldType = 'boolean' | 'date' | 'json' | 'number' | 'number[]' | 'string' | 'string[]';
+
+/**
+ * Interface for better-auth configuration
+ */
+export interface IBetterAuth {
+  /**
+   * Additional user fields beyond the core fields (firstName, lastName, etc.)
+   * These fields will be merged with the default user fields.
+   * @see https://www.better-auth.com/docs/concepts/users-accounts#additional-fields
+   * @example
+   * ```typescript
+   * additionalUserFields: {
+   *   phoneNumber: { type: 'string', defaultValue: null },
+   *   department: { type: 'string', required: true },
+   *   preferences: { type: 'string', defaultValue: '{}' },
+   * }
+   * ```
+   */
+  additionalUserFields?: Record<string, IBetterAuthUserField>;
+
+  /**
+   * Whether BetterAuthModule should be auto-registered in CoreModule.
+   *
+   * When false (default), projects integrate BetterAuth via an extended module
+   * in their project (e.g., `src/server/modules/better-auth/better-auth.module.ts`).
+   * This follows the same pattern as Legacy Auth and allows for custom resolvers,
+   * controllers, and project-specific authentication logic.
+   *
+   * Set to true only for simple projects that don't need customization.
+   *
+   * @default false
+   *
+   * @example
+   * ```typescript
+   * // Recommended: Extend BetterAuthModule in your project
+   * // src/server/modules/better-auth/better-auth.module.ts
+   * import { BetterAuthModule as CoreBetterAuthModule } from '@lenne.tech/nest-server';
+   *
+   * @Module({})
+   * export class BetterAuthModule {
+   *   static forRoot(options) {
+   *     return {
+   *       imports: [CoreBetterAuthModule.forRoot(options)],
+   *       // Add custom providers, controllers, etc.
+   *     };
+   *   }
+   * }
+   *
+   * // Then import in ServerModule
+   * import { BetterAuthModule } from './modules/better-auth/better-auth.module';
+   * ```
+   */
+  autoRegister?: boolean;
+
+  /**
+   * Base path for better-auth endpoints
+   * default: '/iam'
+   */
+  basePath?: string;
+
+  /**
+   * Base URL of the application
+   * e.g. 'http://localhost:3000'
+   */
+  baseUrl?: string;
+
+  /**
+   * Email/password authentication configuration.
+   * Enabled by default.
+   * Set `enabled: false` to explicitly disable email/password auth.
+   */
+  emailAndPassword?: {
+    /**
+     * Whether email/password authentication is enabled.
+     * @default true
+     */
+    enabled?: boolean;
+  };
+
+  /**
+   * Whether better-auth is enabled.
+   * BetterAuth is enabled by default (zero-config philosophy).
+   * Set to false to explicitly disable it.
+   * @default true
+   */
+  enabled?: boolean;
+
+  /**
+   * JWT plugin configuration for API clients.
+   * Enabled by default when this config block is present.
+   * Set `enabled: false` to explicitly disable.
+   */
+  jwt?: {
+    /**
+     * Whether JWT plugin is enabled.
+     * @default true (when jwt config block is present)
+     */
+    enabled?: boolean;
+
+    /**
+     * JWT expiration time
+     * @default '15m'
+     */
+    expiresIn?: string;
+  };
+
+  /**
+   * Advanced Better-Auth options passthrough.
+   * These options are passed directly to Better-Auth, allowing full customization.
+   * Use this for any Better-Auth options not explicitly defined in this interface.
+   * @see https://www.better-auth.com/docs/reference/options
+   * @example
+   * ```typescript
+   * options: {
+   *   emailAndPassword: {
+   *     enabled: true,
+   *     requireEmailVerification: true,
+   *     sendResetPassword: async ({ user, url }) => { ... },
+   *   },
+   *   account: {
+   *     accountLinking: { enabled: true },
+   *   },
+   *   session: {
+   *     expiresIn: 60 * 60 * 24 * 7, // 7 days
+   *     updateAge: 60 * 60 * 24, // 1 day
+   *   },
+   *   advanced: {
+   *     cookiePrefix: 'my-app',
+   *     useSecureCookies: true,
+   *   },
+   * }
+   * ```
+   */
+  options?: Record<string, unknown>;
+
+  /**
+   * Passkey/WebAuthn configuration.
+   * Enabled by default when this config block is present.
+   * Set `enabled: false` to explicitly disable.
+   */
+  passkey?: {
+    /**
+     * Whether passkey authentication is enabled.
+     * @default true (when passkey config block is present)
+     */
+    enabled?: boolean;
+
+    /**
+     * Origin URL for WebAuthn
+     * e.g. 'http://localhost:3000'
+     */
+    origin?: string;
+
+    /**
+     * Relying Party ID (usually the domain)
+     * e.g. 'localhost' or 'example.com'
+     */
+    rpId?: string;
+
+    /**
+     * Relying Party Name (displayed to users)
+     * e.g. 'My Application'
+     */
+    rpName?: string;
+  };
+
+  /**
+   * Additional Better-Auth plugins to include.
+   * These will be merged with the built-in plugins (jwt, twoFactor, passkey).
+   * @see https://www.better-auth.com/docs/plugins
+   * @example
+   * ```typescript
+   * import { organization } from 'better-auth/plugins';
+   * import { magicLink } from 'better-auth/plugins';
+   *
+   * plugins: [
+   *   organization({ ... }),
+   *   magicLink({ ... }),
+   * ]
+   * ```
+   */
+  plugins?: unknown[];
+
+  /**
+   * Rate limiting configuration for Better-Auth endpoints
+   * Protects against brute-force attacks
+   */
+  rateLimit?: IBetterAuthRateLimit;
+
+  /**
+   * Secret for better-auth (min 32 characters)
+   * Used for session encryption
+   */
+  secret?: string;
+
+  /**
+   * Social login providers configuration
+   * Supports all Better-Auth providers dynamically (google, github, apple, discord, etc.)
+   *
+   * **Enabled by default:** Providers are automatically enabled when credentials
+   * are configured. Set `enabled: false` to explicitly disable a provider.
+   *
+   * @see https://www.better-auth.com/docs/authentication/social-sign-in
+   * @example
+   * ```typescript
+   * socialProviders: {
+   *   // These providers are enabled (no need for enabled: true)
+   *   google: { clientId: '...', clientSecret: '...' },
+   *   github: { clientId: '...', clientSecret: '...' },
+   *   // This provider is explicitly disabled
+   *   discord: { clientId: '...', clientSecret: '...', enabled: false },
+   * }
+   * ```
+   */
+  socialProviders?: Record<string, IBetterAuthSocialProvider>;
+
+  /**
+   * Trusted origins for CORS and OAuth callbacks
+   * If not specified, defaults to [baseUrl]
+   * e.g. ['https://example.com', 'https://app.example.com']
+   */
+  trustedOrigins?: string[];
+
+  /**
+   * Two-factor authentication configuration.
+   * Enabled by default when this config block is present.
+   * Set `enabled: false` to explicitly disable.
+   */
+  twoFactor?: {
+    /**
+     * App name shown in authenticator apps
+     * e.g. 'My Application'
+     */
+    appName?: string;
+
+    /**
+     * Whether 2FA is enabled.
+     * @default true (when twoFactor config block is present)
+     */
+    enabled?: boolean;
+  };
+}
+
+/**
+ * Interface for Better-Auth rate limiting configuration
+ */
+export interface IBetterAuthRateLimit {
+  /**
+   * Whether rate limiting is enabled
+   * default: false
+   */
+  enabled?: boolean;
+
+  /**
+   * Maximum number of requests within the time window
+   * default: 10
+   */
+  max?: number;
+
+  /**
+   * Custom message when rate limit is exceeded
+   * default: 'Too many requests, please try again later.'
+   */
+  message?: string;
+
+  /**
+   * Endpoints to skip rate limiting entirely
+   * e.g., ['/iam/session'] for session checks
+   */
+  skipEndpoints?: string[];
+
+  /**
+   * Endpoints to apply stricter rate limiting (e.g., sign-in, sign-up)
+   * These endpoints will have half the max requests
+   */
+  strictEndpoints?: string[];
+
+  /**
+   * Time window in seconds
+   * default: 60 (1 minute)
+   */
+  windowSeconds?: number;
+}
+
+/**
+ * Interface for better-auth social provider configuration
+ *
+ * **Enabled by default:** A social provider is automatically enabled when
+ * both `clientId` and `clientSecret` are provided. You only need to set
+ * `enabled: false` to explicitly disable a configured provider.
+ *
+ * @example
+ * ```typescript
+ * // Provider is enabled (has credentials, no explicit enabled flag needed)
+ * google: { clientId: '...', clientSecret: '...' }
+ *
+ * // Provider is explicitly disabled despite having credentials
+ * github: { clientId: '...', clientSecret: '...', enabled: false }
+ * ```
+ */
+export interface IBetterAuthSocialProvider {
+  /**
+   * OAuth client ID
+   */
+  clientId: string;
+
+  /**
+   * OAuth client secret
+   */
+  clientSecret: string;
+
+  /**
+   * Whether this provider is enabled.
+   * Defaults to true when clientId and clientSecret are provided.
+   * Set to false to explicitly disable this provider.
+   * @default true (when credentials are configured)
+   */
+  enabled?: boolean;
+}
+
+/**
+ * Interface for additional user fields in Better-Auth
+ * @see https://www.better-auth.com/docs/concepts/users-accounts#additional-fields
+ */
+export interface IBetterAuthUserField {
+  /**
+   * Default value for the field
+   */
+  defaultValue?: unknown;
+
+  /**
+   * Database field name (if different from key)
+   */
+  fieldName?: string;
+
+  /**
+   * Whether this field is required
+   */
+  required?: boolean;
+
+  /**
+   * Field type
+   */
+  type: BetterAuthFieldType;
+}
+
 /**
  * Interface for JWT configuration (main and refresh)
  */
@@ -71,6 +422,12 @@ export interface IServerOptions {
    */
   automaticObjectIdFiltering?: boolean;
 
+  /**
+   * Configuration for better-auth authentication framework
+   * See: https://better-auth.com
+   */
+  betterAuth?: IBetterAuth;
+
   /**
    * Configuration for Brevo
    * See: https://developers.brevo.com/
@@ -324,29 +681,29 @@ export interface IServerOptions {
    * Hint: The secrets of the different environments should be different, otherwise a JWT can be used in different
    * environments, which can lead to security vulnerabilities.
    */
-  jwt?: IJwt & JwtModuleOptions &
-    {
-    /**
-     * Configuration for refresh Token (JWT)
-     * Hint: The secret of the JWT and the Refresh Token should be different, otherwise a new RefreshToken can also be
-     * requested with the JWT, which can lead to a security vulnerability.
-     */
-    refresh?: IJwt & {
+  jwt?: IJwt &
+    JwtModuleOptions & {
       /**
-       * Whether renewal of the refresh token is permitted
-       * If falsy (default): during refresh only a new token, the refresh token retains its original term
-       * If true: during refresh not only a new token but also a new refresh token is created
+       * Configuration for refresh Token (JWT)
+       * Hint: The secret of the JWT and the Refresh Token should be different, otherwise a new RefreshToken can also be
+       * requested with the JWT, which can lead to a security vulnerability.
        */
-      renewal?: boolean;
-    };
+      refresh?: IJwt & {
+        /**
+         * Whether renewal of the refresh token is permitted
+         * If falsy (default): during refresh only a new token, the refresh token retains its original term
+         * If true: during refresh not only a new token but also a new refresh token is created
+         */
+        renewal?: boolean;
+      };
 
-    /**
-     * Time period in milliseconds
-     * in which the same token ID is used so that all parallel token refresh requests of a device can be generated.
-     * default: 0 (every token includes a new token ID, all parallel token refresh requests must be prevented by the client or processed accordingly)
-     */
-    sameTokenIdPeriod?: number;
-  };
+      /**
+       * Time period in milliseconds
+       * in which the same token ID is used so that all parallel token refresh requests of a device can be generated.
+       * default: 0 (every token includes a new token ID, all parallel token refresh requests must be prevented by the client or processed accordingly)
+       */
+      sameTokenIdPeriod?: number;
+    };
 
   /**
    * Load local configuration

package/src/core/common/services/crud.service.ts

@@ -2,10 +2,10 @@ import { NotFoundException } from '@nestjs/common';
 import {
   AggregateOptions,
   Document,
-  FilterQuery,
   Model as MongooseModel,
   PipelineStage,
   Query,
+  QueryFilter,
   QueryOptions,
 } from 'mongoose';
 
@@ -147,7 +147,7 @@ export abstract class CrudService<
    * Get items via filter
    */
   async find(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions?: ServiceOptions,
   ): Promise<Model[]> {
     // If filter is not instance of FilterArgs a simple form with filterQuery and queryOptions is set
@@ -191,7 +191,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async findForce(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<Model[]> {
     serviceOptions = serviceOptions || {};
@@ -204,7 +204,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async findRaw(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<Model[]> {
     serviceOptions = serviceOptions || {};
@@ -216,7 +216,7 @@ export abstract class CrudService<
    * Get items and total count via filter
    */
   async findAndCount(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions?: ServiceOptions,
   ): Promise<{ items: Model[]; totalCount: number }> {
     // If filter is not instance of FilterArgs a simple form with filterQuery and queryOptions is set
@@ -280,10 +280,10 @@ export abstract class CrudService<
 
         // Find and process db items
         const collation = serviceOptions?.collation || ConfigService.get('mongoose.collation');
-        const dbResult
-          = (await this.mainDbModel.aggregate(aggregation, collation ? { collation } : {}).exec())[0] || {};
+        const dbResult =
+          (await this.mainDbModel.aggregate(aggregation, collation ? { collation } : {}).exec())[0] || {};
         dbResult.totalCount = dbResult.totalCount?.[0]?.total || 0;
-        dbResult.items = dbResult.items?.map(item => this.mainDbModel.hydrate(item)) || [];
+        dbResult.items = dbResult.items?.map((item) => this.mainDbModel.hydrate(item)) || [];
         return dbResult;
       },
       { input: filter, outputPath: 'items', serviceOptions },
@@ -295,7 +295,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async findAndCountForce(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<{ items: Model[]; totalCount: number }> {
     serviceOptions.raw = true;
@@ -307,7 +307,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async findAndCountRaw(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<{ items: Model[]; totalCount: number }> {
     serviceOptions = serviceOptions || {};
@@ -319,7 +319,7 @@ export abstract class CrudService<
    * Find and update
    */
   async findAndUpdate(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     update: PlainObject<UpdateInput>,
     serviceOptions?: ServiceOptions,
   ): Promise<Model[]> {
@@ -348,7 +348,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async findAndUpdateForce(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     update: PlainObject<UpdateInput>,
     serviceOptions: ServiceOptions = {},
   ): Promise<Model[]> {
@@ -362,7 +362,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async findAndUpdateRaw(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     update: PlainObject<UpdateInput>,
     serviceOptions: ServiceOptions = {},
   ): Promise<Model[]> {
@@ -375,7 +375,7 @@ export abstract class CrudService<
    * Find one item via filter
    */
   async findOne(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model> {
     // If filter is not instance of FilterArgs a simple form with filterQuery and queryOptions is set
@@ -414,7 +414,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async findOneForce(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<Model> {
     serviceOptions = serviceOptions || {};
@@ -427,7 +427,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async findOneRaw(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<Model> {
     serviceOptions = serviceOptions || {};
@@ -452,7 +452,7 @@ export abstract class CrudService<
    * CRUD alias for find
    */
   async read(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model[]>;
 
@@ -460,7 +460,7 @@ export abstract class CrudService<
    * CRUD alias for get or find
    */
   async read(
-    input: FilterArgs | string | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    input: FilterArgs | string | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model | Model[]> {
     if (typeof input === 'string') {
@@ -481,7 +481,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async readForce(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model[]>;
 
@@ -490,7 +490,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async readForce(
-    input: FilterArgs | string | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    input: FilterArgs | string | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model | Model[]> {
     if (typeof input === 'string') {
@@ -511,7 +511,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async readRaw(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model[]>;
 
@@ -520,7 +520,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async readRaw(
-    input: FilterArgs | string | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    input: FilterArgs | string | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model | Model[]> {
     if (typeof input === 'string') {

package/src/core/modules/auth/auth-guard-strategy.enum.ts

@@ -1,4 +1,5 @@
 export enum AuthGuardStrategy {
+  BETTER_AUTH = 'better-auth',
   JWT = 'jwt',
   JWT_REFRESH = 'jwt-refresh',
 }

package/src/core/modules/auth/guards/auth.guard.ts

@@ -13,9 +13,9 @@ import { InvalidTokenException } from '../exceptions/invalid-token.exception';
 /**
  * Missing strategy error
  */
-const NO_STRATEGY_ERROR
-  = 'In order to use "defaultStrategy", please, ensure to import PassportModule in each '
-  + 'place where AuthGuard() is being used. Otherwise, passport won\'t work correctly.';
+const NO_STRATEGY_ERROR =
+  'In order to use "defaultStrategy", please, ensure to import PassportModule in each ' +
+  "place where AuthGuard() is being used. Otherwise, passport won't work correctly.";
 
 /**
  * Interface for auth guard
@@ -38,7 +38,7 @@ const createPassportContext = (request, response) => (type, options, callback: (
       } catch (err) {
         reject(err);
       }
-    })(request, response, err => (err ? reject(err) : resolve)),
+    })(request, response, (err) => (err ? reject(err) : resolve)),
   );
 
 /**
@@ -70,8 +70,22 @@ function createAuthGuard(type?: AuthGuardStrategy | string | string[]): Type<IAu
       }
 
       const options = { ...defaultOptions, ...this.options };
-      const response = context?.switchToHttp()?.getResponse();
       const request = this.getRequest(context);
+
+      // Check if user is already authenticated via Better-Auth middleware
+      // Only skip Passport for Better-Auth users (marked with _authenticatedViaBetterAuth)
+      // This ensures JWT_REFRESH guard still validates refresh tokens properly
+      const existingUser = request?.[options.property || defaultOptions.property];
+      if (existingUser && existingUser._authenticatedViaBetterAuth === true) {
+        // User is authenticated via Better-Auth - skip Passport authentication
+        // Validate through handleRequest to ensure role checks work
+        const validatedUser = this.handleRequest(null, existingUser, null, context);
+        request[options.property || defaultOptions.property] = validatedUser;
+        return true;
+      }
+
+      // Proceed with Passport authentication
+      const response = context?.switchToHttp()?.getResponse();
       const passportFn = createPassportContext(request, response);
       const user = await passportFn(type || this.options.defaultStrategy, options, (err, currentUser, info) =>
         this.handleRequest(err, currentUser, info, context),
@@ -101,7 +115,7 @@ function createAuthGuard(type?: AuthGuardStrategy | string | string[]): Type<IAu
      */
     async logIn<TRequest extends { logIn: (...params) => any } = any>(request: TRequest) {
       const user = request[this.options.property || defaultOptions.property];
-      await new Promise<void>((resolve, reject) => request.logIn(user, err => (err ? reject(err) : resolve())));
+      await new Promise<void>((resolve, reject) => request.logIn(user, (err) => (err ? reject(err) : resolve())));
     }
 
     /**