@lobehub/lobehub 2.0.0-next.124 → 2.0.0-next.126

package/packages/database/migrations/meta/_journal.json

@@ -343,7 +343,14 @@
       "when": 1764215503726,
       "tag": "0048_add_editor_data",
       "breakpoints": true
+    },
+    {
+      "idx": 49,
+      "version": "7",
+      "when": 1764229953081,
+      "tag": "0049_better_auth",
+      "breakpoints": true
     }
   ],
   "version": "6"
-}
+}

package/packages/database/src/core/migrations.json

@@ -803,5 +803,18 @@
     "bps": true,
     "folderMillis": 1764215503726,
     "hash": "4188893a9083b3c7baebdbad0dd3f9d9400ede7584ca2394f5c64305dc9ec7b0"
+  },
+  {
+    "sql": [
+      "CREATE TABLE IF NOT EXISTS \"accounts\" (\n\t\"access_token\" text,\n\t\"access_token_expires_at\" timestamp,\n\t\"account_id\" text NOT NULL,\n\t\"created_at\" timestamp DEFAULT now() NOT NULL,\n\t\"id\" text PRIMARY KEY NOT NULL,\n\t\"id_token\" text,\n\t\"password\" text,\n\t\"provider_id\" text NOT NULL,\n\t\"refresh_token\" text,\n\t\"refresh_token_expires_at\" timestamp,\n\t\"scope\" text,\n\t\"updated_at\" timestamp NOT NULL,\n\t\"user_id\" text NOT NULL\n);\n",
+      "\nCREATE TABLE IF NOT EXISTS \"auth_sessions\" (\n\t\"created_at\" timestamp DEFAULT now() NOT NULL,\n\t\"expires_at\" timestamp NOT NULL,\n\t\"id\" text PRIMARY KEY NOT NULL,\n\t\"ip_address\" text,\n\t\"token\" text NOT NULL,\n\t\"updated_at\" timestamp NOT NULL,\n\t\"user_agent\" text,\n\t\"user_id\" text NOT NULL,\n\tCONSTRAINT \"auth_sessions_token_unique\" UNIQUE(\"token\")\n);\n",
+      "\nCREATE TABLE IF NOT EXISTS \"verifications\" (\n\t\"created_at\" timestamp DEFAULT now() NOT NULL,\n\t\"expires_at\" timestamp NOT NULL,\n\t\"id\" text PRIMARY KEY NOT NULL,\n\t\"identifier\" text NOT NULL,\n\t\"updated_at\" timestamp DEFAULT now() NOT NULL,\n\t\"value\" text NOT NULL\n);\n",
+      "\nALTER TABLE \"users\" ADD COLUMN IF NOT EXISTS \"email_verified\" boolean DEFAULT false NOT NULL;",
+      "\nDO $$ BEGIN\n ALTER TABLE \"accounts\" ADD CONSTRAINT \"accounts_user_id_users_id_fk\" FOREIGN KEY (\"user_id\") REFERENCES \"public\".\"users\"(\"id\") ON DELETE cascade ON UPDATE no action;\nEXCEPTION\n WHEN duplicate_object THEN null;\nEND $$;\n",
+      "\nDO $$ BEGIN\n ALTER TABLE \"auth_sessions\" ADD CONSTRAINT \"auth_sessions_user_id_users_id_fk\" FOREIGN KEY (\"user_id\") REFERENCES \"public\".\"users\"(\"id\") ON DELETE cascade ON UPDATE no action;\nEXCEPTION\n WHEN duplicate_object THEN null;\nEND $$;\n"
+    ],
+    "bps": true,
+    "folderMillis": 1764229953081,
+    "hash": "1532ebceae7b70550bc9c230fb0a65090aaa773bc7b873eefbc2ce2a815997e2"
   }
 ]

package/packages/database/src/index.ts

@@ -1 +1,2 @@
+export * from './core/db-adaptor';
 export * from './type';

package/packages/database/src/models/__tests__/session.test.ts

@@ -1,9 +1,8 @@
+import { DEFAULT_AGENT_CONFIG } from '@lobechat/const';
 import { and, eq, inArray } from 'drizzle-orm';
 import { LLMParams } from 'model-bank';
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
-import { DEFAULT_AGENT_CONFIG } from '@/const/settings';
-
 import {
   NewSession,
   SessionItem,

package/packages/database/src/models/user.ts

@@ -1,8 +1,13 @@
-import { UserGuide, UserKeyVaults, UserPreference, UserSettings } from '@lobechat/types';
+import {
+  SSOProvider,
+  UserGuide,
+  UserKeyVaults,
+  UserPreference,
+  UserSettings,
+} from '@lobechat/types';
 import { TRPCError } from '@trpc/server';
 import dayjs from 'dayjs';
 import { eq } from 'drizzle-orm';
-import type { AdapterAccount } from 'next-auth/adapters';
 import type { PartialDeep } from 'type-fest';
 
 import { merge } from '@/utils/merge';
@@ -126,19 +131,15 @@ export class UserModel {
     };
   };
 
-  getUserSSOProviders = async () => {
-    const result = await this.db
+  getUserSSOProviders = async (): Promise<SSOProvider[]> => {
+    return this.db
       .select({
         expiresAt: nextauthAccounts.expires_at,
         provider: nextauthAccounts.provider,
         providerAccountId: nextauthAccounts.providerAccountId,
-        scope: nextauthAccounts.scope,
-        type: nextauthAccounts.type,
-        userId: nextauthAccounts.userId,
       })
       .from(nextauthAccounts)
       .where(eq(nextauthAccounts.userId, this.userId));
-    return result as unknown as AdapterAccount[];
   };
 
   getUserSettings = async () => {

package/packages/database/src/repositories/tableViewer/index.test.ts

@@ -23,8 +23,8 @@ describe('TableViewerRepo', () => {
     it('should return all tables with counts', async () => {
       const result = await repo.getAllTables();
 
-      expect(result.length).toEqual(68);
-      expect(result[0]).toEqual({ name: 'agents', count: 0, type: 'BASE TABLE' });
+      expect(result.length).toEqual(71);
+      expect(result[0]).toEqual({ name: 'accounts', count: 0, type: 'BASE TABLE' });
     });
 
     it('should handle custom schema', async () => {

package/packages/database/src/schemas/betterAuth.ts

@@ -0,0 +1,63 @@
+import { pgTable, text, timestamp } from 'drizzle-orm/pg-core';
+
+import { users } from './user';
+
+// export const user = pgTable('betterauth_user', {
+//   createdAt: timestamp('created_at').defaultNow().notNull(),
+//   email: text('email').notNull().unique(),
+//   emailVerified: boolean('email_verified').default(false).notNull(),
+//   id: text('id').primaryKey(),
+//   image: text('image'),
+//   name: text('name').notNull(),
+//   updatedAt: timestamp('updated_at')
+//     .defaultNow()
+//     .$onUpdate(() => /* @__PURE__ */ new Date())
+//     .notNull(),
+// });
+
+export const session = pgTable('auth_sessions', {
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  expiresAt: timestamp('expires_at').notNull(),
+  id: text('id').primaryKey(),
+  ipAddress: text('ip_address'),
+  token: text('token').notNull().unique(),
+  updatedAt: timestamp('updated_at')
+    .$onUpdate(() => /* @__PURE__ */ new Date())
+    .notNull(),
+  userAgent: text('user_agent'),
+  userId: text('user_id')
+    .notNull()
+    .references(() => users.id, { onDelete: 'cascade' }),
+});
+
+export const account = pgTable('accounts', {
+  accessToken: text('access_token'),
+  accessTokenExpiresAt: timestamp('access_token_expires_at'),
+  accountId: text('account_id').notNull(),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  id: text('id').primaryKey(),
+  idToken: text('id_token'),
+  password: text('password'),
+  providerId: text('provider_id').notNull(),
+  refreshToken: text('refresh_token'),
+  refreshTokenExpiresAt: timestamp('refresh_token_expires_at'),
+  scope: text('scope'),
+  updatedAt: timestamp('updated_at')
+    .$onUpdate(() => /* @__PURE__ */ new Date())
+    .notNull(),
+  userId: text('user_id')
+    .notNull()
+    .references(() => users.id, { onDelete: 'cascade' }),
+});
+
+export const verification = pgTable('verifications', {
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  expiresAt: timestamp('expires_at').notNull(),
+  id: text('id').primaryKey(),
+  identifier: text('identifier').notNull(),
+  updatedAt: timestamp('updated_at')
+    .defaultNow()
+    .$onUpdate(() => /* @__PURE__ */ new Date())
+    .notNull(),
+  value: text('value').notNull(),
+});

package/packages/database/src/schemas/index.ts

@@ -2,6 +2,7 @@ export * from './agent';
 export * from './aiInfra';
 export * from './apiKey';
 export * from './asyncTask';
+export * from './betterAuth';
 export * from './chatGroup';
 export * from './file';
 export * from './generation';

package/packages/database/src/schemas/ragEvals.ts

@@ -1,9 +1,8 @@
 /* eslint-disable sort-keys-fix/sort-keys-fix  */
+import { DEFAULT_MODEL } from '@lobechat/const';
 import { EvalEvaluationStatus } from '@lobechat/types';
 import { integer, jsonb, pgTable, text, uuid } from 'drizzle-orm/pg-core';
 
-import { DEFAULT_MODEL } from '@/const/settings';
-
 import { timestamps } from './_helpers';
 import { knowledgeBases } from './file';
 import { embeddings } from './rag';

package/packages/database/src/schemas/user.ts

@@ -1,10 +1,9 @@
 /* eslint-disable sort-keys-fix/sort-keys-fix  */
+import { DEFAULT_PREFERENCE } from '@lobechat/const';
 import type { CustomPluginParams } from '@lobechat/types';
 import { LobeChatPluginManifest } from '@lobehub/chat-plugin-sdk';
 import { boolean, jsonb, pgTable, primaryKey, text } from 'drizzle-orm/pg-core';
 
-import { DEFAULT_PREFERENCE } from '@/const/user';
-
 import { timestamps, timestamptz } from './_helpers';
 
 export const users = pgTable('users', {
@@ -22,6 +21,8 @@ export const users = pgTable('users', {
   // Time user was created in Clerk
   clerkCreatedAt: timestamptz('clerk_created_at'),
 
+  // Required by better-auth
+  emailVerified: boolean('email_verified').default(false).notNull(),
   // Required by nextauth, all null allowed
   emailVerifiedAt: timestamptz('email_verified_at'),
 

package/packages/database/src/server/models/__tests__/user.test.ts

@@ -1,10 +1,10 @@
+import { INBOX_SESSION_ID } from '@lobechat/const';
 import type { UserGuide, UserPreference } from '@lobechat/types';
 import { TRPCError } from '@trpc/server';
 import dayjs from 'dayjs';
 import { count, eq } from 'drizzle-orm';
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
-import { INBOX_SESSION_ID } from '@/const/session';
 import { KeyVaultsGateKeeper } from '@/server/modules/KeyVaultsEncrypt';
 
 import { getTestDBInstance } from '../../../core/dbForTest';
@@ -428,9 +428,6 @@ describe('UserModel', () => {
       expect(result[0]).toMatchObject({
         provider: 'github',
         providerAccountId: '123456',
-        type: 'oauth',
-        userId,
-        scope: 'user:email',
       });
       expect(result[0].expiresAt).toBeDefined();
     });

package/packages/types/src/user/preference.ts

@@ -89,6 +89,17 @@ export const NextAuthAccountSchame = z.object({
   providerAccountId: z.string(),
 });
 
+/**
+ * SSO Provider info displayed in profile page
+ */
+export interface SSOProvider {
+  email?: string;
+  /** Expiration time - Date for better-auth, number (Unix timestamp) for next-auth */
+  expiresAt?: Date | number | null;
+  provider: string;
+  providerAccountId: string;
+}
+
 export const UserPreferenceSchema = z
   .object({
     guide: UserGuideSchema.optional(),

package/packages/utils/src/server/__tests__/auth.test.ts

@@ -3,10 +3,14 @@ import { beforeEach, describe, expect, it, vi } from 'vitest';
 import { extractBearerToken, getUserAuth } from '../auth';
 
 // Mock auth constants
+let mockEnableBetterAuth = false;
 let mockEnableClerk = false;
 let mockEnableNextAuth = false;
 
 vi.mock('@/const/auth', () => ({
+  get enableBetterAuth() {
+    return mockEnableBetterAuth;
+  },
   get enableClerk() {
     return mockEnableClerk;
   },
@@ -38,9 +42,26 @@ vi.mock('@/libs/next-auth', () => ({
   },
 }));
 
+vi.mock('next/headers', () => ({
+  headers: vi.fn(() => new Headers()),
+}));
+
+vi.mock('@/auth', () => ({
+  auth: {
+    api: {
+      getSession: vi.fn().mockResolvedValue({
+        user: {
+          id: 'better-auth-user-id',
+        },
+      }),
+    },
+  },
+}));
+
 describe('getUserAuth', () => {
   beforeEach(() => {
     vi.clearAllMocks();
+    mockEnableBetterAuth = false;
     mockEnableClerk = false;
     mockEnableNextAuth = false;
   });
@@ -92,6 +113,37 @@ describe('getUserAuth', () => {
       userId: 'clerk-user-id',
     });
   });
+
+  it('should return better auth when better auth is enabled', async () => {
+    mockEnableBetterAuth = true;
+
+    const auth = await getUserAuth();
+
+    expect(auth).toEqual({
+      betterAuth: {
+        user: {
+          id: 'better-auth-user-id',
+        },
+      },
+      userId: 'better-auth-user-id',
+    });
+  });
+
+  it('should prioritize better auth over next auth when both are enabled', async () => {
+    mockEnableBetterAuth = true;
+    mockEnableNextAuth = true;
+
+    const auth = await getUserAuth();
+
+    expect(auth).toEqual({
+      betterAuth: {
+        user: {
+          id: 'better-auth-user-id',
+        },
+      },
+      userId: 'better-auth-user-id',
+    });
+  });
 });
 
 describe('extractBearerToken', () => {

package/packages/utils/src/server/auth.ts

@@ -1,4 +1,6 @@
-import { enableClerk, enableNextAuth } from '@/const/auth';
+import { headers } from 'next/headers';
+
+import { enableBetterAuth, enableClerk, enableNextAuth } from '@/const/auth';
 import { DESKTOP_USER_ID } from '@/const/desktop';
 import { isDesktop } from '@/const/version';
 
@@ -11,6 +13,21 @@ export const getUserAuth = async () => {
     return await clerkAuth.getAuth();
   }
 
+  if (enableBetterAuth) {
+    const { auth: betterAuth } = await import('@/auth');
+
+    const currentHeaders = await headers();
+    const requestHeaders = Object.fromEntries(currentHeaders.entries());
+
+    const session = await betterAuth.api.getSession({
+      headers: requestHeaders,
+    });
+
+    const userId = session?.user?.id;
+
+    return { betterAuth: session, userId };
+  }
+
   if (enableNextAuth) {
     const { default: NextAuth } = await import('@/libs/next-auth');
 

package/src/app/(backend)/api/auth/[...all]/route.ts

@@ -0,0 +1,19 @@
+import { enableBetterAuth, enableNextAuth } from '@lobechat/const';
+import { toNextJsHandler } from 'better-auth/next-js';
+
+import { auth } from '@/auth';
+import NextAuthNode from '@/libs/next-auth';
+
+const betterAuthHandler = toNextJsHandler(auth);
+
+export const GET = enableBetterAuth
+  ? betterAuthHandler.GET
+  : enableNextAuth
+    ? NextAuthNode.handlers.GET
+    : undefined;
+
+export const POST = enableBetterAuth
+  ? betterAuthHandler.POST
+  : enableNextAuth
+    ? NextAuthNode.handlers.POST
+    : undefined;

package/src/app/(backend)/api/auth/check-user/route.ts

@@ -0,0 +1,62 @@
+import { and, eq } from 'drizzle-orm';
+import { NextRequest, NextResponse } from 'next/server';
+
+import { account } from '@/database/schemas/betterAuth';
+import { users } from '@/database/schemas/user';
+import { serverDB } from '@/database/server';
+
+/**
+ * Check if a user exists by email
+ * @param req - POST request with { email: string }
+ * @returns { exists: boolean, emailVerified?: boolean }
+ */
+export async function POST(req: NextRequest) {
+  try {
+    const body = await req.json();
+    const { email } = body;
+
+    if (!email || typeof email !== 'string') {
+      return NextResponse.json({ error: 'Email is required', exists: false }, { status: 400 });
+    }
+
+    // Query database for user with this email
+    const [user] = await serverDB
+      .select({
+        emailVerified: users.emailVerified,
+        id: users.id,
+      })
+      .from(users)
+      .where(eq(users.email, email.toLowerCase().trim()))
+      .limit(1);
+
+    if (!user) {
+      return NextResponse.json({ exists: false });
+    }
+
+    const accounts = await serverDB
+      .select({
+        password: account.password,
+        providerId: account.providerId,
+      })
+      .from(account)
+      .where(and(eq(account.userId, user.id)));
+
+    const providers = Array.from(new Set(accounts.map((a) => a.providerId).filter(Boolean)));
+    const hasPassword = accounts.some(
+      (a) =>
+        a.providerId === 'credential' && typeof a.password === 'string' && a.password.length > 0,
+    );
+
+    return NextResponse.json({
+      emailVerified: user.emailVerified,
+      exists: true,
+      hasPassword,
+      providers,
+    });
+  } catch (error) {
+    console.error('Error checking user existence:', error);
+    return NextResponse.json({ error: 'Internal server error', exists: false }, { status: 500 });
+  }
+}
+
+export const runtime = 'nodejs';

package/src/app/(backend)/middleware/auth/index.ts

@@ -12,6 +12,7 @@ import {
   LOBE_CHAT_AUTH_HEADER,
   LOBE_CHAT_OIDC_AUTH_HEADER,
   OAUTH_AUTHORIZED,
+  enableBetterAuth,
   enableClerk,
 } from '@/const/auth';
 import { ClerkAuth } from '@/libs/clerk-auth';
@@ -49,6 +50,18 @@ export const checkAuth =
       // get Authorization from header
       const authorization = req.headers.get(LOBE_CHAT_AUTH_HEADER);
       const oauthAuthorized = !!req.headers.get(OAUTH_AUTHORIZED);
+      let betterAuthAuthorized = false;
+
+      // better auth handler
+      if (enableBetterAuth) {
+        const { auth: betterAuth } = await import('@/auth');
+
+        const session = await betterAuth.api.getSession({
+          headers: req.headers,
+        });
+
+        betterAuthAuthorized = !!session?.user?.id;
+      }
 
       if (!authorization) throw AgentRuntimeError.createError(ChatErrorType.Unauthorized);
 
@@ -81,6 +94,7 @@ export const checkAuth =
         checkAuthMethod({
           accessCode: jwtPayload.accessCode,
           apiKey: jwtPayload.apiKey,
+          betterAuthAuthorized,
           clerkAuth,
           nextAuthAuthorized: oauthAuthorized,
         });

package/src/app/(backend)/middleware/auth/utils.test.ts

@@ -7,6 +7,7 @@ import { checkAuthMethod } from './utils';
 
 let enableClerkMock = false;
 let enableNextAuthMock = false;
+let enableBetterAuthMock = false;
 
 vi.mock('@/const/auth', async (importOriginal) => {
   const data = await importOriginal();
@@ -16,6 +17,9 @@ vi.mock('@/const/auth', async (importOriginal) => {
     get enableClerk() {
       return enableClerkMock;
     },
+    get enableBetterAuth() {
+      return enableBetterAuthMock;
+    },
     get enableNextAuth() {
       return enableNextAuthMock;
     },
@@ -67,6 +71,18 @@ describe('checkAuthMethod', () => {
     enableNextAuthMock = false;
   });
 
+  it('should pass with valid Better Auth session', () => {
+    enableBetterAuthMock = true;
+
+    expect(() =>
+      checkAuthMethod({
+        betterAuthAuthorized: true,
+      }),
+    ).not.toThrow();
+
+    enableBetterAuthMock = false;
+  });
+
   it('should pass with valid API key', () => {
     expect(() =>
       checkAuthMethod({

package/src/app/(backend)/middleware/auth/utils.ts

@@ -2,29 +2,29 @@ import { type AuthObject } from '@clerk/backend';
 import { AgentRuntimeError } from '@lobechat/model-runtime';
 import { ChatErrorType } from '@lobechat/types';
 
-import { enableClerk, enableNextAuth } from '@/const/auth';
+import { enableBetterAuth, enableClerk, enableNextAuth } from '@/const/auth';
 import { getAppConfig } from '@/envs/app';
 
 interface CheckAuthParams {
   accessCode?: string;
   apiKey?: string;
+  betterAuthAuthorized?: boolean;
   clerkAuth?: AuthObject;
   nextAuthAuthorized?: boolean;
 }
 /**
  * Check if the provided access code is valid, a user API key should be used or the OAuth 2 header is provided.
  *
- * @param {string} accessCode - The access code to check.
- * @param {string} apiKey - The user API key.
- * @param {boolean} oauthAuthorized - Whether the OAuth 2 header is provided.
+ * @param {CheckAuthParams} params - Authentication parameters extracted from headers.
+ * @param {string} [params.accessCode] - The access code to check.
+ * @param {string} [params.apiKey] - The user API key.
+ * @param {boolean} [params.betterAuthAuthorized] - Whether the Better Auth session exists.
+ * @param {AuthObject} [params.clerkAuth] - Clerk authentication payload from middleware.
+ * @param {boolean} [params.nextAuthAuthorized] - Whether the OAuth 2 header is provided.
  * @throws {AgentRuntimeError} If the access code is invalid and no user API key is provided.
  */
-export const checkAuthMethod = ({
-  apiKey,
-  nextAuthAuthorized,
-  accessCode,
-  clerkAuth,
-}: CheckAuthParams) => {
+export const checkAuthMethod = (params: CheckAuthParams) => {
+  const { apiKey, betterAuthAuthorized, nextAuthAuthorized, accessCode, clerkAuth } = params;
   // clerk auth handler
   if (enableClerk) {
     // if there is no userId, means the use is not login, just throw error
@@ -34,6 +34,9 @@ export const checkAuthMethod = ({
     else return;
   }
 
+  // if better auth session exists
+  if (enableBetterAuth && betterAuthAuthorized) return;
+
   // if next auth handler is provided
   if (enableNextAuth && nextAuthAuthorized) return;
 

package/src/app/(backend)/webapi/chat/[provider]/route.test.ts

@@ -135,6 +135,7 @@ describe('POST handler', () => {
       expect(checkAuthMethod).toBeCalledWith({
         accessCode: 'test-access-code',
         apiKey: 'test-api-key',
+        betterAuthAuthorized: false,
         clerkAuth: {},
         nextAuthAuthorized: true,
       });

package/src/app/[variants]/(auth)/reset-password/layout.tsx

@@ -0,0 +1,12 @@
+import { notFound } from 'next/navigation';
+import { PropsWithChildren } from 'react';
+
+import { enableBetterAuth } from '@/const/auth';
+
+const Layout = ({ children }: PropsWithChildren) => {
+  if (!enableBetterAuth) return notFound();
+
+  return children;
+};
+
+export default Layout;