@lobehub/lobehub 2.0.0-next.123 → 2.0.0-next.125

package/src/layout/GlobalProvider/StoreInitialization.tsx

@@ -9,14 +9,14 @@ import { createStoreUpdater } from 'zustand-utils';
 import { useIsMobile } from '@/hooks/useIsMobile';
 import { useAgentStore } from '@/store/agent';
 import { useAiInfraStore } from '@/store/aiInfra';
+import { useElectronStore } from '@/store/electron';
+import { electronSyncSelectors } from '@/store/electron/selectors';
 import { useGlobalStore } from '@/store/global';
 import { useServerConfigStore } from '@/store/serverConfig';
 import { serverConfigSelectors } from '@/store/serverConfig/selectors';
 import { useUrlHydrationStore } from '@/store/urlHydration';
 import { useUserStore } from '@/store/user';
 import { authSelectors } from '@/store/user/selectors';
-import { electronSyncSelectors } from '@/store/electron/selectors';
-import { useElectronStore } from '@/store/electron';
 
 const StoreInitialization = memo(() => {
   // prefetch error ns to avoid don't show error content correctly
@@ -68,7 +68,7 @@ const StoreInitialization = memo(() => {
   const isSyncActive = useElectronStore((s) => electronSyncSelectors.isSyncActive(s));
 
   // init user provider key vaults
-  useInitAiProviderKeyVaults(isLoginOnInit,isSyncActive);
+  useInitAiProviderKeyVaults(isLoginOnInit, isSyncActive);
 
   // init user state
   useInitUserState(isLoginOnInit, serverConfig, {

package/src/libs/better-auth/auth-client.ts

@@ -0,0 +1,34 @@
+import {
+  genericOAuthClient,
+  inferAdditionalFields,
+  magicLinkClient,
+} from 'better-auth/client/plugins';
+import { createAuthClient } from 'better-auth/react';
+
+import type { auth } from '@/auth';
+import { getAuthConfig } from '@/envs/auth';
+
+const { NEXT_PUBLIC_AUTH_URL } = getAuthConfig();
+const enableMagicLink = getAuthConfig().NEXT_PUBLIC_ENABLE_MAGIC_LINK;
+
+export const {
+  linkSocial,
+  accountInfo,
+  listAccounts,
+  requestPasswordReset,
+  resetPassword,
+  sendVerificationEmail,
+  signIn,
+  signOut,
+  signUp,
+  unlinkAccount,
+  useSession,
+} = createAuthClient({
+  /** The base URL of the server (optional if you're using the same domain) */
+  baseURL: NEXT_PUBLIC_AUTH_URL,
+  plugins: [
+    inferAdditionalFields<typeof auth>(),
+    genericOAuthClient(),
+    ...(enableMagicLink ? [magicLinkClient()] : []),
+  ],
+});

package/src/libs/better-auth/constants.ts

@@ -0,0 +1,13 @@
+/**
+ * Canonical IDs of Better-Auth built-in social providers.
+ * Keep this list in sync with provider definitions in `src/libs/better-auth/sso/providers`.
+ */
+export const BUILTIN_BETTER_AUTH_PROVIDERS = ['google', 'github', 'cognito', 'microsoft'] as const;
+
+/**
+ * Provider alias → canonical ID mapping.
+ * This is used on the client to normalize configured provider keys.
+ */
+export const PROVIDER_ALIAS_MAP: Record<string, string> = {
+  'microsoft-entra-id': 'microsoft',
+};

package/src/libs/better-auth/email-templates/index.ts

@@ -0,0 +1,3 @@
+export { getMagicLinkEmailTemplate } from './magic-link';
+export { getResetPasswordEmailTemplate } from './reset-password';
+export { getVerificationEmailTemplate } from './verification';

package/src/libs/better-auth/email-templates/magic-link.ts

@@ -0,0 +1,98 @@
+/**
+ * Magic link sign-in email template
+ * Sent when user requests passwordless login
+ */
+export const getMagicLinkEmailTemplate = (params: { expiresInSeconds: number; url: string }) => {
+  const { url, expiresInSeconds } = params;
+
+  const expiresInMinutes = Math.round(expiresInSeconds / 60);
+  const expirationText =
+    expiresInMinutes >= 1
+      ? `${expiresInMinutes} minute${expiresInMinutes > 1 ? 's' : ''}`
+      : `${expiresInSeconds} seconds`;
+
+  return {
+    html: `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Sign in to LobeChat</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f4f4f5; color: #1a1a1a;">
+  <!-- Container -->
+  <div style="max-width: 600px; margin: 0 auto; padding: 40px 20px;">
+    
+    <!-- Logo -->
+    <div style="text-align: center; margin-bottom: 32px;">
+      <div style="display: inline-flex; align-items: center; justify-content: center; background-color: #ffffff; border-radius: 12px; padding: 8px 16px; box-shadow: 0 2px 8px rgba(0,0,0,0.04);">
+        <span style="font-size: 24px; line-height: 1; margin-right: 10px;">🤯</span>
+        <span style="font-size: 18px; font-weight: 700; color: #000000; letter-spacing: -0.5px;">LobeChat</span>
+      </div>
+    </div>
+
+    <!-- Card -->
+    <div style="background: #ffffff; border-radius: 20px; padding: 40px; box-shadow: 0 8px 30px rgba(0,0,0,0.04); border: 1px solid rgba(0,0,0,0.02);">
+      
+      <!-- Header -->
+      <div style="text-align: center; margin-bottom: 32px;">
+        <h1 style="color: #111827; font-size: 24px; font-weight: 700; margin: 0 0 12px 0; letter-spacing: -0.5px;">
+          Sign in to LobeChat
+        </h1>
+        <p style="color: #6b7280; font-size: 16px; margin: 0; line-height: 1.5;">
+          Click the link below to sign in to your account.
+        </p>
+      </div>
+
+      <!-- Content -->
+      <div style="color: #374151; font-size: 16px; line-height: 1.6;">
+        
+        <!-- Button -->
+        <div style="text-align: center; margin: 32px 0;">
+          <a href="${url}" target="_blank"
+             style="display: inline-block; background-color: #000000; color: #ffffff; text-decoration: none; padding: 16px 36px; border-radius: 14px; font-weight: 600; font-size: 16px; transition: all 0.2s ease; box-shadow: 0 4px 12px rgba(0,0,0,0.15);">
+            Sign In
+          </a>
+        </div>
+
+        <!-- Expiration Note -->
+        <div style="background-color: #f9fafb; border-radius: 12px; padding: 16px; margin-bottom: 24px; border: 1px solid #f3f4f6;">
+          <p style="color: #6b7280; font-size: 13px; margin: 0; text-align: center; line-height: 1.5;">
+            ⏰ This link will expire in <strong>${expirationText}</strong>.
+          </p>
+        </div>
+
+        <p style="color: #6b7280; font-size: 14px; margin: 0 0 8px 0; text-align: center;">
+          If you didn't request this email, you can safely ignore it.
+        </p>
+      </div>
+
+      <!-- Divider -->
+      <div style="border-top: 1px solid #e5e7eb; margin: 32px 0;"></div>
+
+      <!-- Fallback Link -->
+      <div style="text-align: center;">
+        <p style="color: #9ca3af; font-size: 13px; margin: 0 0 8px 0;">
+          Button not working? Copy and paste this link into your browser:
+        </p>
+        <a href="${url}" style="color: #2563eb; font-size: 13px; text-decoration: none; word-break: break-all; display: block; line-height: 1.4;">
+          ${url}
+        </a>
+      </div>
+    </div>
+
+    <!-- Footer -->
+    <div style="text-align: center; margin-top: 32px;">
+      <p style="color: #a1a1aa; font-size: 13px; margin: 0;">
+        © ${new Date().getFullYear()} LobeChat. All rights reserved.
+      </p>
+    </div>
+  </div>
+</body>
+</html>
+    `,
+    subject: 'Your LobeChat sign-in link',
+    text: `Use this link to sign in: ${url}\n\nThis link expires in ${expirationText}.`,
+  };
+};

package/src/libs/better-auth/email-templates/reset-password.ts

@@ -0,0 +1,91 @@
+/**
+ * Password reset email template
+ * Sent to users when they request a password reset
+ */
+export const getResetPasswordEmailTemplate = (params: { url: string }) => {
+  const { url } = params;
+
+  return {
+    html: `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Reset your password</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f4f4f5; color: #1a1a1a;">
+  <!-- Container -->
+  <div style="max-width: 600px; margin: 0 auto; padding: 40px 20px;">
+    
+    <!-- Logo -->
+    <div style="text-align: center; margin-bottom: 32px;">
+      <div style="display: inline-flex; align-items: center; justify-content: center; background-color: #ffffff; border-radius: 12px; padding: 8px 16px; box-shadow: 0 2px 8px rgba(0,0,0,0.04);">
+        <span style="font-size: 24px; line-height: 1; margin-right: 10px;">🤯</span>
+        <span style="font-size: 18px; font-weight: 700; color: #000000; letter-spacing: -0.5px;">LobeChat</span>
+      </div>
+    </div>
+
+    <!-- Card -->
+    <div style="background: #ffffff; border-radius: 20px; padding: 40px; box-shadow: 0 8px 30px rgba(0,0,0,0.04); border: 1px solid rgba(0,0,0,0.02);">
+      
+      <!-- Header -->
+      <div style="text-align: center; margin-bottom: 32px;">
+        <h1 style="color: #111827; font-size: 24px; font-weight: 700; margin: 0 0 12px 0; letter-spacing: -0.5px;">
+          Reset Your Password
+        </h1>
+        <p style="color: #6b7280; font-size: 16px; margin: 0; line-height: 1.5;">
+          No worries, we'll help you get back on track.
+        </p>
+      </div>
+
+      <!-- Content -->
+      <div style="color: #374151; font-size: 16px; line-height: 1.6;">
+        <p style="margin: 0 0 24px 0; text-align: center;">
+          You recently requested to reset your password for your LobeChat account. Click the button below to proceed.
+        </p>
+
+        <!-- Button -->
+        <div style="text-align: center; margin: 32px 0;">
+          <a href="${url}" target="_blank"
+             style="display: inline-block; background-color: #000000; color: #ffffff; text-decoration: none; padding: 16px 36px; border-radius: 14px; font-weight: 600; font-size: 16px; transition: all 0.2s ease; box-shadow: 0 4px 12px rgba(0,0,0,0.15);">
+            Reset Password
+          </a>
+        </div>
+
+        <!-- Security Note -->
+        <div style="background-color: #f9fafb; border-radius: 12px; padding: 16px; margin-bottom: 24px; border: 1px solid #f3f4f6;">
+          <p style="color: #6b7280; font-size: 13px; margin: 0; text-align: center; line-height: 1.5;">
+            🔒 If you did not request a password reset, please ignore this email or contact support if you have concerns.
+          </p>
+        </div>
+      </div>
+
+      <!-- Divider -->
+      <div style="border-top: 1px solid #e5e7eb; margin: 32px 0;"></div>
+
+      <!-- Fallback Link -->
+      <div style="text-align: center;">
+        <p style="color: #9ca3af; font-size: 13px; margin: 0 0 8px 0;">
+          Trouble clicking the button? Copy and paste the URL below:
+        </p>
+        <a href="${url}" style="color: #2563eb; font-size: 13px; text-decoration: none; word-break: break-all; display: block; line-height: 1.4;">
+          ${url}
+        </a>
+      </div>
+    </div>
+
+    <!-- Footer -->
+    <div style="text-align: center; margin-top: 32px;">
+      <p style="color: #a1a1aa; font-size: 13px; margin: 0;">
+        © ${new Date().getFullYear()} LobeChat. All rights reserved.
+      </p>
+    </div>
+  </div>
+</body>
+</html>
+    `,
+    subject: 'Reset Your Password - LobeChat',
+    text: `Reset your password by clicking this link: ${url}`,
+  };
+};

package/src/libs/better-auth/email-templates/verification.ts

@@ -0,0 +1,108 @@
+/**
+ * Email verification template
+ * Sent to users when they sign up to verify their email address
+ */
+export const getVerificationEmailTemplate = (params: {
+  expiresInSeconds: number;
+  url: string;
+  userName?: string | null;
+}) => {
+  const { url, userName, expiresInSeconds } = params;
+
+  // Format expiration time in a human-readable way
+  const expiresInHours = expiresInSeconds / 3600;
+  const expirationText =
+    expiresInHours >= 1
+      ? `${expiresInHours} hour${expiresInHours > 1 ? 's' : ''}`
+      : `${expiresInSeconds / 60} minutes`;
+
+  return {
+    html: `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Verify your email</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f4f4f5; color: #1a1a1a;">
+  <!-- Container -->
+  <div style="max-width: 600px; margin: 0 auto; padding: 40px 20px;">
+    
+    <!-- Logo -->
+    <div style="text-align: center; margin-bottom: 32px;">
+      <div style="display: inline-flex; align-items: center; justify-content: center; background-color: #ffffff; border-radius: 12px; padding: 8px 16px; box-shadow: 0 2px 8px rgba(0,0,0,0.04);">
+        <span style="font-size: 24px; line-height: 1; margin-right: 10px;">🤯</span>
+        <span style="font-size: 18px; font-weight: 700; color: #000000; letter-spacing: -0.5px;">LobeChat</span>
+      </div>
+    </div>
+
+    <!-- Card -->
+    <div style="background: #ffffff; border-radius: 20px; padding: 40px; box-shadow: 0 8px 30px rgba(0,0,0,0.04); border: 1px solid rgba(0,0,0,0.02);">
+      
+      <!-- Header -->
+      <div style="text-align: center; margin-bottom: 32px;">
+        <h1 style="color: #111827; font-size: 24px; font-weight: 700; margin: 0 0 12px 0; letter-spacing: -0.5px;">
+          Verify your email address
+        </h1>
+        <p style="color: #6b7280; font-size: 16px; margin: 0;">
+          Let's get you signed in.
+        </p>
+      </div>
+
+      <!-- Content -->
+      <div style="color: #374151; font-size: 16px; line-height: 1.6;">
+        ${userName ? `<p style="margin: 0 0 16px 0;">Hi <strong>${userName}</strong>,</p>` : ''}
+        
+        <p style="margin: 0 0 24px 0;">
+          Thanks for creating an account with LobeChat. To access your account, please verify your email address by clicking the button below.
+        </p>
+
+        <!-- Button -->
+        <div style="text-align: center; margin: 36px 0;">
+          <a href="${url}" target="_blank"
+             style="display: inline-block; background-color: #000000; color: #ffffff; text-decoration: none; padding: 16px 36px; border-radius: 14px; font-weight: 600; font-size: 16px; transition: transform 0.1s ease; box-shadow: 0 4px 12px rgba(0,0,0,0.15);">
+            Verify Email Address
+          </a>
+        </div>
+
+        <!-- Expiration Note -->
+        <div style="background-color: #f9fafb; border-radius: 12px; padding: 16px; margin-bottom: 24px; border: 1px solid #f3f4f6;">
+          <p style="color: #6b7280; font-size: 14px; margin: 0; text-align: center;">
+            ⏰ This link will expire in <strong>${expirationText}</strong>.
+          </p>
+        </div>
+        
+        <p style="color: #6b7280; font-size: 15px; margin: 0 0 8px 0;">
+          If you didn't create an account, you can safely ignore this email.
+        </p>
+      </div>
+
+      <!-- Divider -->
+      <div style="border-top: 1px solid #e5e7eb; margin: 32px 0;"></div>
+
+      <!-- Fallback Link -->
+      <div style="text-align: center;">
+        <p style="color: #9ca3af; font-size: 13px; margin: 0 0 8px 0;">
+          Button not working? Copy and paste this link into your browser:
+        </p>
+        <a href="${url}" style="color: #2563eb; font-size: 13px; text-decoration: none; word-break: break-all; display: block; line-height: 1.4;">
+          ${url}
+        </a>
+      </div>
+    </div>
+
+    <!-- Footer -->
+    <div style="text-align: center; margin-top: 32px;">
+      <p style="color: #a1a1aa; font-size: 13px; margin: 0;">
+        © 2025 LobeChat. All rights reserved.
+      </p>
+    </div>
+  </div>
+</body>
+</html>
+    `,
+    subject: 'Verify Your Email - LobeChat',
+    text: `Please verify your email by clicking this link: ${url}\n\nThis link will expire in ${expirationText}.`,
+  };
+};

package/src/libs/better-auth/sso/helpers.ts

@@ -0,0 +1,61 @@
+import type { GenericOAuthConfig } from 'better-auth/plugins';
+
+export const DEFAULT_OIDC_SCOPES = ['openid', 'email', 'profile'];
+
+export const pickEnv = (...values: (string | undefined | null)[]) => {
+  for (const value of values) {
+    const trimmed = value?.trim();
+    if (trimmed) {
+      return trimmed;
+    }
+  }
+
+  return undefined;
+};
+
+const createDiscoveryUrl = (issuer: string) => {
+  const normalized = issuer.replace(/\/$/, '');
+  return normalized.includes('/.well-known/')
+    ? normalized
+    : `${normalized}/.well-known/openid-configuration`;
+};
+
+type OIDCProviderInput = {
+  clientId?: string;
+  clientSecret?: string;
+  issuer?: string;
+  overrides?: Partial<GenericOAuthConfig>;
+  pkce?: boolean;
+  providerId: string;
+  scopes?: string[];
+};
+
+export const buildOidcConfig = ({
+  providerId,
+  clientId,
+  clientSecret,
+  issuer,
+  scopes = DEFAULT_OIDC_SCOPES,
+  pkce = true,
+  overrides,
+}: OIDCProviderInput): GenericOAuthConfig => {
+  const sanitizedIssuer = issuer?.trim();
+
+  if (!clientId || !clientSecret || !sanitizedIssuer) {
+    throw new Error(`[Better-Auth] ${providerId} OAuth enabled but missing credentials`);
+  }
+
+  const normalizedIssuer = sanitizedIssuer.replace(/\/$/, '');
+  const discoveryUrl = createDiscoveryUrl(normalizedIssuer);
+
+  return {
+    clientId,
+    clientSecret,
+    discoveryUrl,
+    pkce,
+    providerId,
+    scopes,
+    // ...fallbackEndpoints,
+    ...overrides,
+  } satisfies GenericOAuthConfig;
+};

package/src/libs/better-auth/sso/index.ts

@@ -0,0 +1,113 @@
+import type { GenericOAuthConfig } from 'better-auth/plugins';
+import type { SocialProviders } from 'better-auth/social-providers';
+
+import { authEnv } from '@/envs/auth';
+import { BUILTIN_BETTER_AUTH_PROVIDERS } from '@/libs/better-auth/constants';
+import { parseSSOProviders } from '@/libs/better-auth/utils/server';
+
+import Auth0 from './providers/auth0';
+import Authelia from './providers/authelia';
+import Authentik from './providers/authentik';
+import Casdoor from './providers/casdoor';
+import CloudflareZeroTrust from './providers/cloudflare-zero-trust';
+import Cognito from './providers/cognito';
+import Feishu from './providers/feishu';
+import GenericOIDC from './providers/generic-oidc';
+import Github from './providers/github';
+import Google from './providers/google';
+import Keycloak from './providers/keycloak';
+import Logto from './providers/logto';
+import Microsoft from './providers/microsoft';
+import Okta from './providers/okta';
+import Wechat from './providers/wechat';
+import Zitadel from './providers/zitadel';
+
+const providerDefinitions = [
+  Google,
+  Github,
+  Cognito,
+  Microsoft,
+  Auth0,
+  Authelia,
+  Authentik,
+  Casdoor,
+  CloudflareZeroTrust,
+  GenericOIDC,
+  Keycloak,
+  Logto,
+  Okta,
+  Zitadel,
+  Feishu,
+  Wechat,
+] as const;
+
+const builtInProviderIds = new Set(BUILTIN_BETTER_AUTH_PROVIDERS);
+
+for (const definition of providerDefinitions) {
+  if (definition.type === 'builtin' && !builtInProviderIds.has(definition.id)) {
+    throw new Error(
+      `[Better-Auth] Built-in provider "${definition.id}" is not registered in BUILTIN_BETTER_AUTH_PROVIDERS (src/libs/better-auth/constants.ts). Please update the constant to keep them in sync.`,
+    );
+  }
+}
+
+const providerRegistry = new Map<string, (typeof providerDefinitions)[number]>();
+
+for (const definition of providerDefinitions) {
+  providerRegistry.set(definition.id, definition);
+  definition.aliases?.forEach((alias) => providerRegistry.set(alias, definition));
+}
+
+export const initBetterAuthSSOProviders = () => {
+  const enabledProviders = parseSSOProviders(authEnv.AUTH_SSO_PROVIDERS);
+
+  const socialProviders: SocialProviders = {};
+  const genericOAuthProviders: GenericOAuthConfig[] = [];
+
+  for (const rawProvider of enabledProviders) {
+    const definition = providerRegistry.get(rawProvider);
+
+    if (!definition) {
+      throw new Error(`[Better-Auth] Unknown SSO provider: ${rawProvider}`);
+    }
+
+    /**
+     * Providers expose checkEnvs predicates so we can fail fast when credentials are missing instead
+     * of encountering harder-to-trace errors later in the Better-Auth pipeline.
+     */
+    const env = definition.checkEnvs();
+    if (!env) {
+      throw new Error(
+        `[Better-Auth] ${rawProvider} SSO provider environment variables are not set correctly!`,
+      );
+    }
+
+    if (definition.type === 'builtin') {
+      const providerId = definition.id;
+      if (socialProviders[providerId]) {
+        throw new Error(`[Better-Auth] Duplicate SSO provider: ${providerId}`);
+      }
+
+      // @ts-expect-error - build expects specific env type, but we use union definition type
+      const config = definition.build(env);
+      if (config) {
+        // @ts-expect-error hard to type
+        socialProviders[providerId] = config;
+      }
+
+      continue;
+    }
+
+    // @ts-expect-error - build expects specific env type, but we use union definition type
+    const config = definition.build(env);
+
+    if (config) {
+      genericOAuthProviders.push(config);
+    }
+  }
+
+  return {
+    genericOAuthProviders,
+    socialProviders: socialProviders,
+  };
+};

package/src/libs/better-auth/sso/providers/auth0.ts

@@ -0,0 +1,33 @@
+import { authEnv } from '@/envs/auth';
+
+import { buildOidcConfig } from '../helpers';
+import type { GenericProviderDefinition } from '../types';
+
+const provider: GenericProviderDefinition<{
+  AUTH_AUTH0_ID: string;
+  AUTH_AUTH0_ISSUER: string;
+  AUTH_AUTH0_SECRET: string;
+}> = {
+  build: (env) => {
+    const config = buildOidcConfig({
+      clientId: env.AUTH_AUTH0_ID,
+      clientSecret: env.AUTH_AUTH0_SECRET,
+      issuer: env.AUTH_AUTH0_ISSUER,
+      providerId: 'auth0',
+    });
+    return config;
+  },
+  checkEnvs: () => {
+    return !!(authEnv.AUTH_AUTH0_ID && authEnv.AUTH_AUTH0_SECRET && authEnv.AUTH_AUTH0_ISSUER)
+      ? {
+          AUTH_AUTH0_ID: authEnv.AUTH_AUTH0_ID,
+          AUTH_AUTH0_ISSUER: authEnv.AUTH_AUTH0_ISSUER,
+          AUTH_AUTH0_SECRET: authEnv.AUTH_AUTH0_SECRET,
+        }
+      : false;
+  },
+  id: 'auth0',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/authelia.ts

@@ -0,0 +1,35 @@
+import { authEnv } from '@/envs/auth';
+
+import { buildOidcConfig } from '../helpers';
+import type { GenericProviderDefinition } from '../types';
+
+const provider: GenericProviderDefinition<{
+  AUTH_AUTHELIA_ID: string;
+  AUTH_AUTHELIA_ISSUER: string;
+  AUTH_AUTHELIA_SECRET: string;
+}> = {
+  build: (env) =>
+    buildOidcConfig({
+      clientId: env.AUTH_AUTHELIA_ID,
+      clientSecret: env.AUTH_AUTHELIA_SECRET,
+      issuer: env.AUTH_AUTHELIA_ISSUER,
+      providerId: 'authelia',
+    }),
+  checkEnvs: () => {
+    return !!(
+      authEnv.AUTH_AUTHELIA_ID &&
+      authEnv.AUTH_AUTHELIA_SECRET &&
+      authEnv.AUTH_AUTHELIA_ISSUER
+    )
+      ? {
+          AUTH_AUTHELIA_ID: authEnv.AUTH_AUTHELIA_ID,
+          AUTH_AUTHELIA_ISSUER: authEnv.AUTH_AUTHELIA_ISSUER,
+          AUTH_AUTHELIA_SECRET: authEnv.AUTH_AUTHELIA_SECRET,
+        }
+      : false;
+  },
+  id: 'authelia',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/authentik.ts

@@ -0,0 +1,35 @@
+import { authEnv } from '@/envs/auth';
+
+import { buildOidcConfig } from '../helpers';
+import type { GenericProviderDefinition } from '../types';
+
+const provider: GenericProviderDefinition<{
+  AUTH_AUTHENTIK_ID: string;
+  AUTH_AUTHENTIK_ISSUER: string;
+  AUTH_AUTHENTIK_SECRET: string;
+}> = {
+  build: (env) =>
+    buildOidcConfig({
+      clientId: env.AUTH_AUTHENTIK_ID,
+      clientSecret: env.AUTH_AUTHENTIK_SECRET,
+      issuer: env.AUTH_AUTHENTIK_ISSUER,
+      providerId: 'authentik',
+    }),
+  checkEnvs: () => {
+    return !!(
+      authEnv.AUTH_AUTHENTIK_ID &&
+      authEnv.AUTH_AUTHENTIK_SECRET &&
+      authEnv.AUTH_AUTHENTIK_ISSUER
+    )
+      ? {
+          AUTH_AUTHENTIK_ID: authEnv.AUTH_AUTHENTIK_ID,
+          AUTH_AUTHENTIK_ISSUER: authEnv.AUTH_AUTHENTIK_ISSUER,
+          AUTH_AUTHENTIK_SECRET: authEnv.AUTH_AUTHENTIK_SECRET,
+        }
+      : false;
+  },
+  id: 'authentik',
+  type: 'generic',
+};
+
+export default provider;