@lobehub/lobehub 2.0.0-next.124 → 2.0.0-next.125

package/docs/development/database-schema.dbml

@@ -137,6 +137,42 @@ table async_tasks {
   updated_at "timestamp with time zone" [not null, default: `now()`]
 }
 
+table accounts {
+  access_token text
+  access_token_expires_at timestamp
+  account_id text [not null]
+  created_at timestamp [not null, default: `now()`]
+  id text [pk, not null]
+  id_token text
+  password text
+  provider_id text [not null]
+  refresh_token text
+  refresh_token_expires_at timestamp
+  scope text
+  updated_at timestamp [not null]
+  user_id text [not null]
+}
+
+table auth_sessions {
+  created_at timestamp [not null, default: `now()`]
+  expires_at timestamp [not null]
+  id text [pk, not null]
+  ip_address text
+  token text [not null, unique]
+  updated_at timestamp [not null]
+  user_agent text
+  user_id text [not null]
+}
+
+table verifications {
+  created_at timestamp [not null, default: `now()`]
+  expires_at timestamp [not null]
+  id text [pk, not null]
+  identifier text [not null]
+  updated_at timestamp [not null, default: `now()`]
+  value text [not null]
+}
+
 table chat_groups {
   id text [pk, not null]
   title text
@@ -981,6 +1017,7 @@ table users {
   full_name text
   is_onboarded boolean [default: false]
   clerk_created_at "timestamp with time zone"
+  email_verified boolean [not null, default: false]
   email_verified_at "timestamp with time zone"
   preference jsonb
   accessed_at "timestamp with time zone" [not null, default: `now()`]

package/docs/self-hosting/advanced/auth.mdx

@@ -1,10 +1,11 @@
 ---
 title: LobeChat Authentication Service Configuration
 description: >-
-  Learn how to configure external authentication services using Clerk or Next Auth for centralized user authorization management. Supported authentication services include Auth0, Azure ID, etc.
+  Learn how to configure external authentication services using Better Auth, Clerk, or Next Auth for centralized user authorization management. Supported authentication services include Auth0, Azure ID, etc.
 
 tags:
   - Authentication Service
+  - Better Auth
   - Next Auth
   - SSO
   - Clerk
@@ -12,7 +13,7 @@ tags:
 
 # Authentication Service
 
-LobeChat supports the configuration of external authentication services using Clerk or Next Auth for internal use within enterprises/organizations to centrally manage user authorization.
+LobeChat supports the configuration of external authentication services using Better Auth, Clerk, or Next Auth for internal use within enterprises/organizations to centrally manage user authorization.
 
 ## Clerk
 
@@ -22,6 +23,78 @@ LobeChat has deeply integrated with Clerk to provide users with a more secure an
 
 By setting the environment variables `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` and `CLERK_SECRET_KEY` in LobeChat's environment, you can enable and use Clerk.
 
+## Better Auth
+
+[Better Auth](https://www.better-auth.com) is a modern, framework-agnostic authentication library designed to provide comprehensive, secure, and flexible authentication solutions. It supports various authentication methods including email/password, magic links, and multiple OAuth/SSO providers.
+
+### Key Features
+
+- **Email/Password Authentication**: Built-in support for traditional email and password login with secure password hashing
+- **Email Verification**: Optional email verification flow with customizable email templates
+- **Magic Link Login**: Passwordless authentication via email magic links
+- **OAuth/SSO Support**: Integration with popular identity providers including Google, GitHub, Microsoft, AWS Cognito, and more
+- **Generic OIDC/OAuth**: Support for any OpenID Connect or OAuth 2.0 compliant provider
+
+### Getting Started
+
+To enable Better Auth in LobeChat, set the following environment variables:
+
+| Environment Variable             | Type     | Description                                                                                                            |
+| -------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------- |
+| `NEXT_PUBLIC_ENABLE_BETTER_AUTH` | Required | Set to `1` to enable Better Auth service                                                                               |
+| `AUTH_SECRET`                    | Required | Key used to encrypt session tokens. Generate using: `openssl rand -base64 32`                                          |
+| `NEXT_PUBLIC_AUTH_URL`           | Optional | The URL accessible from the browser for Better Auth callbacks. Only set this if the default generated URL is incorrect |
+| `AUTH_SSO_PROVIDERS`             | Optional | Comma-separated list of enabled SSO providers, e.g., `google,github,microsoft`                                         |
+
+### Supported SSO Providers
+
+| Provider              | Value                   | Environment Variables                                                                                     |
+| --------------------- | ----------------------- | --------------------------------------------------------------------------------------------------------- |
+| Google                | `google`                | `AUTH_GOOGLE_ID`, `AUTH_GOOGLE_SECRET`                                                                    |
+| GitHub                | `github`                | `AUTH_GITHUB_ID`, `AUTH_GITHUB_SECRET`                                                                    |
+| Microsoft             | `microsoft`             | `AUTH_MICROSOFT_ID`, `AUTH_MICROSOFT_SECRET`                                                              |
+| AWS Cognito           | `cognito`               | `AUTH_COGNITO_ID`, `AUTH_COGNITO_SECRET`, `AUTH_COGNITO_ISSUER`                                           |
+| Auth0                 | `auth0`                 | `AUTH_AUTH0_ID`, `AUTH_AUTH0_SECRET`, `AUTH_AUTH0_ISSUER`                                                 |
+| Authelia              | `authelia`              | `AUTH_AUTHELIA_ID`, `AUTH_AUTHELIA_SECRET`, `AUTH_AUTHELIA_ISSUER`                                        |
+| Authentik             | `authentik`             | `AUTH_AUTHENTIK_ID`, `AUTH_AUTHENTIK_SECRET`, `AUTH_AUTHENTIK_ISSUER`                                     |
+| Casdoor               | `casdoor`               | `AUTH_CASDOOR_ID`, `AUTH_CASDOOR_SECRET`, `AUTH_CASDOOR_ISSUER`                                           |
+| Cloudflare Zero Trust | `cloudflare-zero-trust` | `AUTH_CLOUDFLARE_ZERO_TRUST_ID`, `AUTH_CLOUDFLARE_ZERO_TRUST_SECRET`, `AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER` |
+| Keycloak              | `keycloak`              | `AUTH_KEYCLOAK_ID`, `AUTH_KEYCLOAK_SECRET`, `AUTH_KEYCLOAK_ISSUER`                                        |
+| Logto                 | `logto`                 | `AUTH_LOGTO_ID`, `AUTH_LOGTO_SECRET`, `AUTH_LOGTO_ISSUER`                                                 |
+| Okta                  | `okta`                  | `AUTH_OKTA_ID`, `AUTH_OKTA_SECRET`, `AUTH_OKTA_ISSUER`                                                    |
+| ZITADEL               | `zitadel`               | `AUTH_ZITADEL_ID`, `AUTH_ZITADEL_SECRET`, `AUTH_ZITADEL_ISSUER`                                           |
+| Generic OIDC          | `generic-oidc`          | `AUTH_GENERIC_OIDC_ID`, `AUTH_GENERIC_OIDC_SECRET`, `AUTH_GENERIC_OIDC_ISSUER`                            |
+| Feishu                | `feishu`                | `AUTH_FEISHU_APP_ID`, `AUTH_FEISHU_APP_SECRET`                                                            |
+| WeChat                | `wechat`                | `AUTH_WECHAT_ID`, `AUTH_WECHAT_SECRET`                                                                    |
+
+### Callback URL Format
+
+When configuring OAuth providers, use the following callback URL format:
+
+- **Development**: `http://localhost:3210/api/auth/callback/{provider}`
+- **Production**: `https://yourdomain.com/api/auth/callback/{provider}`
+
+### Email Service Configuration
+
+If you want to enable email verification or password reset features, you need to configure SMTP settings:
+
+| Environment Variable                  | Type     | Description                                                       |
+| ------------------------------------- | -------- | ----------------------------------------------------------------- |
+| `NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION` | Optional | Set to `1` to require email verification before users can sign in |
+| `SMTP_HOST`                           | Required | SMTP server hostname (e.g., `smtp.gmail.com`)                     |
+| `SMTP_PORT`                           | Required | SMTP server port (usually `587` for TLS, `465` for SSL)           |
+| `SMTP_SECURE`                         | Optional | Set to `true` for SSL (port 465), `false` for TLS (port 587)      |
+| `SMTP_USER`                           | Required | SMTP authentication username                                      |
+| `SMTP_PASS`                           | Required | SMTP authentication password                                      |
+
+<Callout type={'tip'}>
+  For detailed provider configuration, refer to the [Next Auth provider documentation](/docs/self-hosting/advanced/auth/next-auth) as most configurations are compatible, or visit the official [Better Auth documentation](https://www.better-auth.com/docs/introduction).
+</Callout>
+
+<Callout type={'tip'}>
+  Go to [📘 Environment Variables](/docs/self-hosting/environment-variables/auth#better-auth) for detailed information on all Better Auth variables.
+</Callout>
+
 ## Next Auth
 
 Before using NextAuth, please set the following variables in LobeChat's environment variables:

package/docs/self-hosting/advanced/auth.zh-CN.mdx

@@ -1,8 +1,9 @@
 ---
 title: LobeChat 身份验证服务配置
-description: 了解如何使用 Clerk 或 Next Auth 配置外部身份验证服务，以统一管理用户授权。支持的身份验证服务包括 Auth0、 Azure ID 等。
+description: 了解如何使用 Better Auth、Clerk 或 Next Auth 配置外部身份验证服务，以统一管理用户授权。支持的身份验证服务包括 Auth0、 Azure ID 等。
 tags:
   - 身份验证服务
+  - Better Auth
   - LobeChat
   - SSO
   - Clerk
@@ -10,7 +11,7 @@ tags:
 
 # 身份验证服务
 
-LobeChat 支持使用 Clerk 或者 Next Auth 配置外部身份验证服务，供企业 / 组织内部使用，统一管理用户授权。
+LobeChat 支持使用 Better Auth、Clerk 或者 Next Auth 配置外部身份验证服务，供企业 / 组织内部使用，统一管理用户授权。
 
 ## Clerk
 
@@ -20,6 +21,78 @@ LobeChat 与 Clerk 做了深度集成，能够为用户提供一个更加安全
 
 在 LobeChat 的环境变量中设置 `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` 和 `CLERK_SECRET_KEY`，即可开启和使用 Clerk。
 
+## Better Auth
+
+[Better Auth](https://www.better-auth.com) 是一个现代化、框架无关的身份验证库，旨在提供全面、安全、灵活的身份验证解决方案。它支持多种认证方式，包括邮箱 / 密码登录、魔法链接登录以及多种 OAuth/SSO 提供商。
+
+### 主要特性
+
+- **邮箱 / 密码认证**：内置支持传统的邮箱和密码登录，采用安全的密码哈希算法
+- **邮箱验证**：可选的邮箱验证流程，支持自定义邮件模板
+- **魔法链接登录**：通过邮件魔法链接实现无密码认证
+- **OAuth/SSO 支持**：集成 Google、GitHub、Microsoft、AWS Cognito 等主流身份提供商
+- **通用 OIDC/OAuth**：支持任何符合 OpenID Connect 或 OAuth 2.0 标准的提供商
+
+### 快速开始
+
+要在 LobeChat 中启用 Better Auth，请设置以下环境变量：
+
+| 环境变量                             | 类型 | 描述                                               |
+| -------------------------------- | -- | ------------------------------------------------ |
+| `NEXT_PUBLIC_ENABLE_BETTER_AUTH` | 必选 | 设置为 `1` 以启用 Better Auth 服务                       |
+| `AUTH_SECRET`                    | 必选 | 用于加密会话令牌的密钥。使用以下命令生成：`openssl rand -base64 32`   |
+| `NEXT_PUBLIC_AUTH_URL`           | 可选 | 浏览器可访问的 Better Auth 回调 URL。仅在默认生成的 URL 不正确时设置    |
+| `AUTH_SSO_PROVIDERS`             | 可选 | 启用的 SSO 提供商列表，以逗号分隔，例如 `google,github,microsoft` |
+
+### 支持的 SSO 提供商
+
+| 提供商                   | 值                       | 环境变量                                                                                                      |
+| --------------------- | ----------------------- | --------------------------------------------------------------------------------------------------------- |
+| Google                | `google`                | `AUTH_GOOGLE_ID`, `AUTH_GOOGLE_SECRET`                                                                    |
+| GitHub                | `github`                | `AUTH_GITHUB_ID`, `AUTH_GITHUB_SECRET`                                                                    |
+| Microsoft             | `microsoft`             | `AUTH_MICROSOFT_ID`, `AUTH_MICROSOFT_SECRET`                                                              |
+| AWS Cognito           | `cognito`               | `AUTH_COGNITO_ID`, `AUTH_COGNITO_SECRET`, `AUTH_COGNITO_ISSUER`                                           |
+| Auth0                 | `auth0`                 | `AUTH_AUTH0_ID`, `AUTH_AUTH0_SECRET`, `AUTH_AUTH0_ISSUER`                                                 |
+| Authelia              | `authelia`              | `AUTH_AUTHELIA_ID`, `AUTH_AUTHELIA_SECRET`, `AUTH_AUTHELIA_ISSUER`                                        |
+| Authentik             | `authentik`             | `AUTH_AUTHENTIK_ID`, `AUTH_AUTHENTIK_SECRET`, `AUTH_AUTHENTIK_ISSUER`                                     |
+| Casdoor               | `casdoor`               | `AUTH_CASDOOR_ID`, `AUTH_CASDOOR_SECRET`, `AUTH_CASDOOR_ISSUER`                                           |
+| Cloudflare Zero Trust | `cloudflare-zero-trust` | `AUTH_CLOUDFLARE_ZERO_TRUST_ID`, `AUTH_CLOUDFLARE_ZERO_TRUST_SECRET`, `AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER` |
+| Keycloak              | `keycloak`              | `AUTH_KEYCLOAK_ID`, `AUTH_KEYCLOAK_SECRET`, `AUTH_KEYCLOAK_ISSUER`                                        |
+| Logto                 | `logto`                 | `AUTH_LOGTO_ID`, `AUTH_LOGTO_SECRET`, `AUTH_LOGTO_ISSUER`                                                 |
+| Okta                  | `okta`                  | `AUTH_OKTA_ID`, `AUTH_OKTA_SECRET`, `AUTH_OKTA_ISSUER`                                                    |
+| ZITADEL               | `zitadel`               | `AUTH_ZITADEL_ID`, `AUTH_ZITADEL_SECRET`, `AUTH_ZITADEL_ISSUER`                                           |
+| Generic OIDC          | `generic-oidc`          | `AUTH_GENERIC_OIDC_ID`, `AUTH_GENERIC_OIDC_SECRET`, `AUTH_GENERIC_OIDC_ISSUER`                            |
+| 飞书                    | `feishu`                | `AUTH_FEISHU_APP_ID`, `AUTH_FEISHU_APP_SECRET`                                                            |
+| 微信                    | `wechat`                | `AUTH_WECHAT_ID`, `AUTH_WECHAT_SECRET`                                                                    |
+
+### 回调 URL 格式
+
+配置 OAuth 提供商时，请使用以下回调 URL 格式：
+
+- **开发环境**：`http://localhost:3210/api/auth/callback/{provider}`
+- **生产环境**：`https://yourdomain.com/api/auth/callback/{provider}`
+
+### 邮件服务配置
+
+如果需要启用邮箱验证或密码重置功能，需要配置 SMTP 设置：
+
+| 环境变量                                  | 类型 | 描述                                             |
+| ------------------------------------- | -- | ---------------------------------------------- |
+| `NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION` | 可选 | 设置为 `1` 以要求用户在登录前验证邮箱                          |
+| `SMTP_HOST`                           | 必选 | SMTP 服务器主机名（例如 `smtp.gmail.com`）               |
+| `SMTP_PORT`                           | 必选 | SMTP 服务器端口（TLS 通常为 `587`，SSL 为 `465`）          |
+| `SMTP_SECURE`                         | 可选 | SSL 设置为 `true`（端口 465），TLS 设置为 `false`（端口 587） |
+| `SMTP_USER`                           | 必选 | SMTP 认证用户名                                     |
+| `SMTP_PASS`                           | 必选 | SMTP 认证密码                                      |
+
+<Callout type={'tip'}>
+  详细的提供商配置可参考 [Next Auth 提供商文档](/zh/docs/self-hosting/advanced/auth/next-auth)（大部分配置兼容），或访问官方 [Better Auth 文档](https://www.better-auth.com/docs/introduction)。
+</Callout>
+
+<Callout type={'tip'}>
+  前往 [📘 环境变量](/zh/docs/self-hosting/environment-variables/auth#better-auth) 可查阅所有 Better Auth 相关变量详情。
+</Callout>
+
 ## Next Auth
 
 在使用 NextAuth 之前，请先在 LobeChat 的环境变量中设置以下变量：

package/docs/self-hosting/environment-variables/auth.mdx

@@ -1,11 +1,12 @@
 ---
 title: LobeChat Authentication Service Environment Variables
 description: >-
-  Explore the essential environment variables for configuring authentication services in LobeChat, including OAuth SSO, NextAuth settings, and provider-specific details.
+  Explore the essential environment variables for configuring authentication services in LobeChat, including Better Auth, OAuth SSO, NextAuth settings, and provider-specific details.
 
 
 tags:
   - Authentication Service
+  - Better Auth
   - OAuth SSO
   - Clerk
   - NextAuth
@@ -15,6 +16,191 @@ tags:
 
 LobeChat provides a complete authentication service capability when deployed. The following are the relevant environment variables. You can use these environment variables to easily define the identity verification services that need to be enabled in LobeChat.
 
+## Better Auth
+
+### General Settings
+
+#### `NEXT_PUBLIC_ENABLE_BETTER_AUTH`
+
+- Type: Required
+- Description: Set to `1` to enable Better Auth service. When enabled, Better Auth will be used for authentication instead of Next Auth or Clerk.
+- Default: `-`
+- Example: `1`
+
+#### `AUTH_SECRET`
+
+- Type: Required
+- Description: Key used to encrypt session tokens. Shared between Better Auth and Next Auth. You can generate the key using the command: `openssl rand -base64 32`.
+- Default: `-`
+- Example: `Tfhi2t2pelSMEA8eaV61KaqPNEndFFdMIxDaJnS1CUI=`
+
+#### `NEXT_PUBLIC_AUTH_URL`
+
+- Type: Optional
+- Description: The URL accessible from the browser for Better Auth callbacks. Only set this if the default generated URL is incorrect.
+- Default: `-`
+- Example: `https://example.com`
+
+#### `NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION`
+
+- Type: Optional
+- Description: Set to `1` to require email verification before users can sign in. Users must verify their email address after registration.
+- Default: `0`
+- Example: `1`
+
+#### `AUTH_SSO_PROVIDERS`
+
+- Type: Optional
+- Description: Comma-separated list of enabled SSO providers. The order determines the display order of providers on the login page.
+- Default: `-`
+- Example: `google,github,microsoft,cognito`
+
+### Email Service (SMTP)
+
+These settings are required for email verification and password reset features.
+
+#### `SMTP_HOST`
+
+- Type: Required (for email features)
+- Description: SMTP server hostname.
+- Default: `-`
+- Example: `smtp.gmail.com`
+
+#### `SMTP_PORT`
+
+- Type: Required (for email features)
+- Description: SMTP server port. Usually `587` for TLS or `465` for SSL.
+- Default: `-`
+- Example: `587`
+
+#### `SMTP_SECURE`
+
+- Type: Optional
+- Description: Use secure connection. Set to `true` for port 465 (SSL), `false` for port 587 (TLS).
+- Default: `false`
+- Example: `false`
+
+#### `SMTP_USER`
+
+- Type: Required (for email features)
+- Description: SMTP authentication username, usually your email address.
+- Default: `-`
+- Example: `your-email@example.com`
+
+#### `SMTP_PASS`
+
+- Type: Required (for email features)
+- Description: SMTP authentication password. For Gmail, use an app-specific password.
+- Default: `-`
+- Example: `your-app-specific-password`
+
+### Google
+
+#### `AUTH_GOOGLE_ID`
+
+- Type: Required
+- Description: Client ID of the Google OAuth application. Get it from [Google Cloud Console](https://console.cloud.google.com/apis/credentials).
+- Default: `-`
+- Example: `123456789.apps.googleusercontent.com`
+
+#### `AUTH_GOOGLE_SECRET`
+
+- Type: Required
+- Description: Client Secret of the Google OAuth application.
+- Default: `-`
+- Example: `GOCSPX-xxxxxxxxxxxxxxxxxxxx`
+
+### GitHub
+
+#### `AUTH_GITHUB_ID`
+
+- Type: Required
+- Description: Client ID of the GitHub OAuth application. Get it from [GitHub Developer Settings](https://github.com/settings/developers).
+- Default: `-`
+- Example: `Ov23xxxxxxxxxxxxx`
+
+#### `AUTH_GITHUB_SECRET`
+
+- Type: Required
+- Description: Client Secret of the GitHub OAuth application.
+- Default: `-`
+- Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
+
+### Microsoft
+
+#### `AUTH_MICROSOFT_ID`
+
+- Type: Required
+- Description: Client ID of the Microsoft Entra ID (Azure AD) application. Get it from [Azure Portal](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade).
+- Default: `-`
+- Example: `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
+
+#### `AUTH_MICROSOFT_SECRET`
+
+- Type: Required
+- Description: Client Secret of the Microsoft Entra ID application.
+- Default: `-`
+- Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
+
+### AWS Cognito
+
+#### `AUTH_COGNITO_ID`
+
+- Type: Required
+- Description: Client ID of the AWS Cognito User Pool App Client. Get it from [AWS Cognito Console](https://console.aws.amazon.com/cognito).
+- Default: `-`
+- Example: `xxxxxxxxxxxxxxxxxxxxx`
+
+#### `AUTH_COGNITO_SECRET`
+
+- Type: Required
+- Description: Client Secret of the AWS Cognito App Client.
+- Default: `-`
+- Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
+
+#### `AUTH_COGNITO_ISSUER`
+
+- Type: Required
+- Description: The Cognito User Pool issuer URL. Format: `https://cognito-idp.{region}.amazonaws.com/{userPoolId}`
+- Default: `-`
+- Example: `https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx`
+
+### Feishu
+
+#### `AUTH_FEISHU_APP_ID`
+
+- Type: Required
+- Description: App ID of the Feishu application. Get it from [Feishu Open Platform](https://open.feishu.cn/app).
+- Default: `-`
+- Example: `cli_xxxxxxxxxxxxxxxx`
+
+#### `AUTH_FEISHU_APP_SECRET`
+
+- Type: Required
+- Description: App Secret of the Feishu application.
+- Default: `-`
+- Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
+
+### WeChat
+
+#### `AUTH_WECHAT_ID`
+
+- Type: Required
+- Description: App ID of the WeChat Open Platform application. Get it from [WeChat Open Platform](https://open.weixin.qq.com/).
+- Default: `-`
+- Example: `wxxxxxxxxxxxxxxxxxxx`
+
+#### `AUTH_WECHAT_SECRET`
+
+- Type: Required
+- Description: App Secret of the WeChat application.
+- Default: `-`
+- Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
+
+<Callout type={'info'}>
+  For other OIDC-based providers (Auth0, Authelia, Authentik, Casdoor, Cloudflare Zero Trust, Keycloak, Logto, Okta, ZITADEL, Generic OIDC), the environment variables follow the same pattern as Next Auth. See the [Next Auth section](#next-auth) below for details.
+</Callout>
+
 ## Next Auth
 
 ### General Settings

package/docs/self-hosting/environment-variables/auth.zh-CN.mdx

@@ -1,9 +1,10 @@
 ---
 title: LobeChat 身份验证服务设置
-description: 了解如何配置 LobeChat 的身份验证服务环境变量。
+description: 了解如何配置 LobeChat 的身份验证服务环境变量，包括 Better Auth、OAuth SSO、NextAuth 设置等。
 tags:
   - LobeChat
   - 身份验证服务
+  - Better Auth
   - 单点登录
   - Next Auth
   - Clerk
@@ -13,6 +14,191 @@ tags:
 
 LobeChat 在部署时提供了完善的身份验证服务能力，以下是相关的环境变量，你可以使用这些环境变量轻松定义需要在 LobeChat 中开启的身份验证服务。
 
+## Better Auth
+
+### 通用设置
+
+#### `NEXT_PUBLIC_ENABLE_BETTER_AUTH`
+
+- 类型：必选
+- 描述：设置为 `1` 以启用 Better Auth 服务。启用后，将使用 Better Auth 进行身份验证，而非 Next Auth 或 Clerk。
+- 默认值：`-`
+- 示例：`1`
+
+#### `AUTH_SECRET`
+
+- 类型：必选
+- 描述：用于加密会话令牌的密钥，Better Auth 和 Next Auth 共享。使用以下命令生成：`openssl rand -base64 32`
+- 默认值：`-`
+- 示例：`Tfhi2t2pelSMEA8eaV61KaqPNEndFFdMIxDaJnS1CUI=`
+
+#### `NEXT_PUBLIC_AUTH_URL`
+
+- 类型：可选
+- 描述：浏览器可访问的 Better Auth 回调 URL。仅在默认生成的 URL 不正确时设置。
+- 默认值：`-`
+- 示例：`https://example.com`
+
+#### `NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION`
+
+- 类型：可选
+- 描述：设置为 `1` 以要求用户在登录前验证邮箱。用户注册后必须验证邮箱地址。
+- 默认值：`0`
+- 示例：`1`
+
+#### `AUTH_SSO_PROVIDERS`
+
+- 类型：可选
+- 描述：启用的 SSO 提供商列表，以逗号分隔。顺序决定了登录页面上提供商的显示顺序。
+- 默认值：`-`
+- 示例：`google,github,microsoft,cognito`
+
+### 邮件服务（SMTP）
+
+启用邮箱验证和密码重置功能需要配置以下设置。
+
+#### `SMTP_HOST`
+
+- 类型：必选（用于邮件功能）
+- 描述：SMTP 服务器主机名。
+- 默认值：`-`
+- 示例：`smtp.gmail.com`
+
+#### `SMTP_PORT`
+
+- 类型：必选（用于邮件功能）
+- 描述：SMTP 服务器端口。TLS 通常为 `587`，SSL 为 `465`。
+- 默认值：`-`
+- 示例：`587`
+
+#### `SMTP_SECURE`
+
+- 类型：可选
+- 描述：是否使用安全连接。端口 465（SSL）设置为 `true`，端口 587（TLS）设置为 `false`。
+- 默认值：`false`
+- 示例：`false`
+
+#### `SMTP_USER`
+
+- 类型：必选（用于邮件功能）
+- 描述：SMTP 认证用户名，通常是您的邮箱地址。
+- 默认值：`-`
+- 示例：`your-email@example.com`
+
+#### `SMTP_PASS`
+
+- 类型：必选（用于邮件功能）
+- 描述：SMTP 认证密码。Gmail 需使用应用专用密码。
+- 默认值：`-`
+- 示例：`your-app-specific-password`
+
+### Google
+
+#### `AUTH_GOOGLE_ID`
+
+- 类型：必选
+- 描述：Google OAuth 应用的 Client ID。在 [Google Cloud Console](https://console.cloud.google.com/apis/credentials) 获取。
+- 默认值：`-`
+- 示例：`123456789.apps.googleusercontent.com`
+
+#### `AUTH_GOOGLE_SECRET`
+
+- 类型：必选
+- 描述：Google OAuth 应用的 Client Secret。
+- 默认值：`-`
+- 示例：`GOCSPX-xxxxxxxxxxxxxxxxxxxx`
+
+### GitHub
+
+#### `AUTH_GITHUB_ID`
+
+- 类型：必选
+- 描述：GitHub OAuth 应用的 Client ID。在 [GitHub Developer Settings](https://github.com/settings/developers) 获取。
+- 默认值：`-`
+- 示例：`Ov23xxxxxxxxxxxxx`
+
+#### `AUTH_GITHUB_SECRET`
+
+- 类型：必选
+- 描述：GitHub OAuth 应用的 Client Secret。
+- 默认值：`-`
+- 示例：`xxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
+
+### Microsoft
+
+#### `AUTH_MICROSOFT_ID`
+
+- 类型：必选
+- 描述：Microsoft Entra ID（Azure AD）应用的 Client ID。在 [Azure 门户](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) 获取。
+- 默认值：`-`
+- 示例：`xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
+
+#### `AUTH_MICROSOFT_SECRET`
+
+- 类型：必选
+- 描述：Microsoft Entra ID 应用的 Client Secret。
+- 默认值：`-`
+- 示例：`xxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
+
+### AWS Cognito
+
+#### `AUTH_COGNITO_ID`
+
+- 类型：必选
+- 描述：AWS Cognito 用户池应用客户端的 Client ID。在 [AWS Cognito 控制台](https://console.aws.amazon.com/cognito) 获取。
+- 默认值：`-`
+- 示例：`xxxxxxxxxxxxxxxxxxxxx`
+
+#### `AUTH_COGNITO_SECRET`
+
+- 类型：必选
+- 描述：AWS Cognito 应用客户端的 Client Secret。
+- 默认值：`-`
+- 示例：`xxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
+
+#### `AUTH_COGNITO_ISSUER`
+
+- 类型：必选
+- 描述：Cognito 用户池的颁发者 URL。格式：`https://cognito-idp.{region}.amazonaws.com/{userPoolId}`
+- 默认值：`-`
+- 示例：`https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx`
+
+### 飞书
+
+#### `AUTH_FEISHU_APP_ID`
+
+- 类型：必选
+- 描述：飞书应用的 App ID。在 [飞书开放平台](https://open.feishu.cn/app) 获取。
+- 默认值：`-`
+- 示例：`cli_xxxxxxxxxxxxxxxx`
+
+#### `AUTH_FEISHU_APP_SECRET`
+
+- 类型：必选
+- 描述：飞书应用的 App Secret。
+- 默认值：`-`
+- 示例：`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
+
+### 微信
+
+#### `AUTH_WECHAT_ID`
+
+- 类型：必选
+- 描述：微信开放平台应用的 App ID。在 [微信开放平台](https://open.weixin.qq.com/) 获取。
+- 默认值：`-`
+- 示例：`wxxxxxxxxxxxxxxxxxxx`
+
+#### `AUTH_WECHAT_SECRET`
+
+- 类型：必选
+- 描述：微信应用的 App Secret。
+- 默认值：`-`
+- 示例：`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
+
+<Callout type={'info'}>
+  其他基于 OIDC 的提供商（Auth0、Authelia、Authentik、Casdoor、Cloudflare Zero Trust、Keycloak、Logto、Okta、ZITADEL、Generic OIDC）的环境变量配置与 Next Auth 相同。详情请参阅下方的 [Next Auth 章节](#next-auth)。
+</Callout>
+
 ## Next Auth
 
 ### 通用设置