@lobehub/lobehub 2.0.0-next.139 → 2.0.0-next.140

package/packages/database/migrations/meta/_journal.json

@@ -371,6 +371,20 @@
       "when": 1764500630663,
       "tag": "0052_topic_and_messages",
       "breakpoints": true
+    },
+    {
+      "idx": 53,
+      "version": "7",
+      "when": 1764511006123,
+      "tag": "0053_better_auth_admin",
+      "breakpoints": true
+    },
+    {
+      "idx": 54,
+      "version": "7",
+      "when": 1764579351312,
+      "tag": "0054_better_auth_two_factor",
+      "breakpoints": true
     }
   ],
   "version": "6"

package/packages/database/src/core/migrations.json

@@ -859,5 +859,36 @@
     "bps": true,
     "folderMillis": 1764500630663,
     "hash": "94721bc06910a456a4756c9b0c27ef5d7ff55b7ea8c772acf58052c0155c693b"
+  },
+  {
+    "sql": [
+      "ALTER TABLE \"auth_sessions\" ADD COLUMN IF NOT EXISTS \"impersonated_by\" text;",
+      "\nALTER TABLE \"users\" ADD COLUMN IF NOT EXISTS \"role\" text;",
+      "\nALTER TABLE \"users\" ADD COLUMN IF NOT EXISTS \"banned\" boolean DEFAULT false;",
+      "\nALTER TABLE \"users\" ADD COLUMN IF NOT EXISTS \"ban_reason\" text;",
+      "\nALTER TABLE \"users\" ADD COLUMN IF NOT EXISTS \"ban_expires\" timestamp with time zone;\n"
+    ],
+    "bps": true,
+    "folderMillis": 1764511006123,
+    "hash": "523a8418ceeadbe80c34affee07cdfa2e8076e297473c55c73e74648a9be1e45"
+  },
+  {
+    "sql": [
+      "CREATE TABLE IF NOT EXISTS \"two_factor\" (\n  \"backup_codes\" text NOT NULL,\n  \"id\" text PRIMARY KEY NOT NULL,\n  \"secret\" text NOT NULL,\n  \"user_id\" text NOT NULL\n);\n",
+      "\nALTER TABLE \"users\" ADD COLUMN IF NOT EXISTS \"two_factor_enabled\" boolean DEFAULT false;\n",
+      "\nALTER TABLE \"users\" ADD COLUMN IF NOT EXISTS \"phone_number\" text;\n",
+      "\nALTER TABLE \"users\" ADD COLUMN IF NOT EXISTS \"phone_number_verified\" boolean;\n",
+      "\nDO $$\nBEGIN\n  IF NOT EXISTS (\n    SELECT 1 FROM pg_constraint WHERE conname = 'two_factor_user_id_users_id_fk'\n  ) THEN\n    ALTER TABLE \"two_factor\"\n      ADD CONSTRAINT \"two_factor_user_id_users_id_fk\"\n      FOREIGN KEY (\"user_id\") REFERENCES \"public\".\"users\"(\"id\") ON DELETE cascade ON UPDATE no action;\n  END IF;\nEND $$;\n",
+      "\nCREATE INDEX IF NOT EXISTS \"two_factor_secret_idx\" ON \"two_factor\" USING btree (\"secret\");\n",
+      "\nCREATE INDEX IF NOT EXISTS \"two_factor_user_id_idx\" ON \"two_factor\" USING btree (\"user_id\");\n",
+      "\nCREATE INDEX IF NOT EXISTS \"account_userId_idx\" ON \"accounts\" USING btree (\"user_id\");\n",
+      "\nCREATE INDEX IF NOT EXISTS \"auth_session_userId_idx\" ON \"auth_sessions\" USING btree (\"user_id\");\n",
+      "\nCREATE INDEX IF NOT EXISTS \"verification_identifier_idx\" ON \"verifications\" USING btree (\"identifier\");\n",
+      "\nDO $$\nBEGIN\n  IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'users_email_unique') THEN\n    ALTER TABLE \"users\" ADD CONSTRAINT \"users_email_unique\" UNIQUE (\"email\");\n  END IF;\nEND $$;\n",
+      "\nDO $$\nBEGIN\n  IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'users_phone_number_unique') THEN\n    ALTER TABLE \"users\" ADD CONSTRAINT \"users_phone_number_unique\" UNIQUE (\"phone_number\");\n  END IF;\nEND $$;\n"
+    ],
+    "bps": true,
+    "folderMillis": 1764579351312,
+    "hash": "22fb7a65764b1f3e3c1ae2ce95d448685e6a01d1fb2f8c3f925c655f0824c161"
   }
 ]

package/packages/database/src/index.ts

@@ -1,2 +1,3 @@
 export * from './core/db-adaptor';
 export * from './type';
+export * from './utils/idGenerator';

package/packages/database/src/repositories/tableViewer/index.test.ts

@@ -23,7 +23,7 @@ describe('TableViewerRepo', () => {
     it('should return all tables with counts', async () => {
       const result = await repo.getAllTables();
 
-      expect(result.length).toEqual(71);
+      expect(result.length).toEqual(72);
       expect(result[0]).toEqual({ name: 'accounts', count: 0, type: 'BASE TABLE' });
     });
 

package/packages/database/src/schemas/betterAuth.ts

@@ -1,4 +1,5 @@
-import { pgTable, text, timestamp } from 'drizzle-orm/pg-core';
+import { relations } from 'drizzle-orm';
+import { index, pgTable, text, timestamp } from 'drizzle-orm/pg-core';
 
 import { users } from './user';
 
@@ -15,49 +16,105 @@ import { users } from './user';
 //     .notNull(),
 // });
 
-export const session = pgTable('auth_sessions', {
-  createdAt: timestamp('created_at').defaultNow().notNull(),
-  expiresAt: timestamp('expires_at').notNull(),
-  id: text('id').primaryKey(),
-  ipAddress: text('ip_address'),
-  token: text('token').notNull().unique(),
-  updatedAt: timestamp('updated_at')
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-  userAgent: text('user_agent'),
-  userId: text('user_id')
-    .notNull()
-    .references(() => users.id, { onDelete: 'cascade' }),
-});
-
-export const account = pgTable('accounts', {
-  accessToken: text('access_token'),
-  accessTokenExpiresAt: timestamp('access_token_expires_at'),
-  accountId: text('account_id').notNull(),
-  createdAt: timestamp('created_at').defaultNow().notNull(),
-  id: text('id').primaryKey(),
-  idToken: text('id_token'),
-  password: text('password'),
-  providerId: text('provider_id').notNull(),
-  refreshToken: text('refresh_token'),
-  refreshTokenExpiresAt: timestamp('refresh_token_expires_at'),
-  scope: text('scope'),
-  updatedAt: timestamp('updated_at')
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-  userId: text('user_id')
-    .notNull()
-    .references(() => users.id, { onDelete: 'cascade' }),
-});
-
-export const verification = pgTable('verifications', {
-  createdAt: timestamp('created_at').defaultNow().notNull(),
-  expiresAt: timestamp('expires_at').notNull(),
-  id: text('id').primaryKey(),
-  identifier: text('identifier').notNull(),
-  updatedAt: timestamp('updated_at')
-    .defaultNow()
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-  value: text('value').notNull(),
-});
+export const session = pgTable(
+  'auth_sessions',
+  {
+    createdAt: timestamp('created_at').defaultNow().notNull(),
+    expiresAt: timestamp('expires_at').notNull(),
+    id: text('id').primaryKey(),
+    impersonatedBy: text('impersonated_by'),
+    ipAddress: text('ip_address'),
+    token: text('token').notNull().unique(),
+    updatedAt: timestamp('updated_at')
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+    userAgent: text('user_agent'),
+    userId: text('user_id')
+      .notNull()
+      .references(() => users.id, { onDelete: 'cascade' }),
+  },
+  (table) => [index('auth_session_userId_idx').on(table.userId)],
+);
+
+export const account = pgTable(
+  'accounts',
+  {
+    accessToken: text('access_token'),
+    accessTokenExpiresAt: timestamp('access_token_expires_at'),
+    accountId: text('account_id').notNull(),
+    createdAt: timestamp('created_at').defaultNow().notNull(),
+    id: text('id').primaryKey(),
+    idToken: text('id_token'),
+    password: text('password'),
+    providerId: text('provider_id').notNull(),
+    refreshToken: text('refresh_token'),
+    refreshTokenExpiresAt: timestamp('refresh_token_expires_at'),
+    scope: text('scope'),
+    updatedAt: timestamp('updated_at')
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+    userId: text('user_id')
+      .notNull()
+      .references(() => users.id, { onDelete: 'cascade' }),
+  },
+  (table) => [index('account_userId_idx').on(table.userId)],
+);
+
+export const verification = pgTable(
+  'verifications',
+  {
+    createdAt: timestamp('created_at').defaultNow().notNull(),
+    expiresAt: timestamp('expires_at').notNull(),
+    id: text('id').primaryKey(),
+    identifier: text('identifier').notNull(),
+    updatedAt: timestamp('updated_at')
+      .defaultNow()
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+    value: text('value').notNull(),
+  },
+  (table) => [index('verification_identifier_idx').on(table.identifier)],
+);
+
+export const twoFactor = pgTable(
+  'two_factor',
+  {
+    backupCodes: text('backup_codes').notNull(),
+    id: text('id').primaryKey(),
+    secret: text('secret').notNull(),
+    userId: text('user_id')
+      .notNull()
+      .references(() => users.id, { onDelete: 'cascade' }),
+  },
+  (table) => [
+    index('two_factor_secret_idx').on(table.secret),
+    index('two_factor_user_id_idx').on(table.userId),
+  ],
+);
+
+export const usersRelations = relations(users, ({ many }) => ({
+  accounts: many(account),
+  sessions: many(session),
+  twoFactors: many(twoFactor),
+}));
+
+export const sessionRelations = relations(session, ({ one }) => ({
+  users: one(users, {
+    fields: [session.userId],
+    references: [users.id],
+  }),
+}));
+
+export const accountRelations = relations(account, ({ one }) => ({
+  users: one(users, {
+    fields: [account.userId],
+    references: [users.id],
+  }),
+}));
+
+export const twoFactorRelations = relations(twoFactor, ({ one }) => ({
+  users: one(users, {
+    fields: [twoFactor.userId],
+    references: [users.id],
+  }),
+}));

package/packages/database/src/schemas/user.ts

@@ -9,7 +9,7 @@ import { timestamps, timestamptz } from './_helpers';
 export const users = pgTable('users', {
   id: text('id').primaryKey().notNull(),
   username: text('username').unique(),
-  email: text('email'),
+  email: text('email').unique(),
 
   avatar: text('avatar'),
   phone: text('phone'),
@@ -28,6 +28,19 @@ export const users = pgTable('users', {
 
   preference: jsonb('preference').$defaultFn(() => DEFAULT_PREFERENCE),
 
+  // better-auth admin
+  role: text('role'),
+  banned: boolean('banned').default(false),
+  banReason: text('ban_reason'),
+  banExpires: timestamptz('ban_expires'),
+
+  // better-auth two-factor
+  twoFactorEnabled: boolean('two_factor_enabled').default(false),
+
+  // better-auth phone number
+  phoneNumber: text('phone_number').unique(),
+  phoneNumberVerified: boolean('phone_number_verified'),
+
   ...timestamps,
 });
 

package/src/auth.ts

@@ -1,8 +1,8 @@
 /* eslint-disable sort-keys-fix/sort-keys-fix, typescript-sort-keys/interface */
-import { serverDB } from '@lobechat/database';
+import { createNanoId, idGenerator, serverDB } from '@lobechat/database';
 import { betterAuth } from 'better-auth';
 import { drizzleAdapter } from 'better-auth/adapters/drizzle';
-import { genericOAuth, magicLink } from 'better-auth/plugins';
+import { admin, genericOAuth, magicLink } from 'better-auth/plugins';
 
 import { authEnv } from '@/envs/auth';
 import {
@@ -51,6 +51,7 @@ const getTrustedOrigins = () => {
 
   const defaults = [
     authEnv.NEXT_PUBLIC_AUTH_URL,
+    normalizeOrigin(process.env.APP_URL),
     normalizeOrigin(process.env.VERCEL_BRANCH_URL),
     normalizeOrigin(process.env.VERCEL_URL),
   ].filter(Boolean) as string[];
@@ -72,10 +73,6 @@ export const auth = betterAuth({
   secret: authEnv.AUTH_SECRET,
   trustedOrigins: getTrustedOrigins(),
 
-  database: drizzleAdapter(serverDB, {
-    provider: 'pg',
-  }),
-
   emailAndPassword: {
     autoSignIn: true,
     enabled: true,
@@ -111,7 +108,44 @@ export const auth = betterAuth({
     },
   },
 
+  database: drizzleAdapter(serverDB, {
+    provider: 'pg',
+  }),
+  user: {
+    additionalFields: {
+      username: {
+        required: false,
+        type: 'string',
+      },
+    },
+    fields: {
+      image: 'avatar',
+      // NOTE: use drizzle filed instead of db field, so use fullName instead of full_name
+      name: 'fullName',
+    },
+    modelName: 'users',
+  },
+
+  socialProviders,
+  advanced: {
+    database: {
+      /**
+       * Align Better Auth user IDs with our shared idGenerator for consistency.
+       * Other models use the shared nanoid generator (12 chars) to keep IDs consistent project-wide.
+       */
+      generateId: ({ model }) => {
+        // Better Auth passes the model name; handle both singular and plural for safety.
+        if (model === 'user' || model === 'users') {
+          return idGenerator('user', 12);
+        }
+
+        // Other models: use shared nanoid generator (12 chars) to keep consistency.
+        return createNanoId(12)();
+      },
+    },
+  },
   plugins: [
+    admin(),
     ...(genericOAuthProviders.length > 0
       ? [
           genericOAuth({
@@ -139,20 +173,4 @@ export const auth = betterAuth({
         ]
       : []),
   ],
-  socialProviders,
-
-  user: {
-    additionalFields: {
-      username: {
-        required: false,
-        type: 'string',
-      },
-    },
-    fields: {
-      image: 'avatar',
-      // NOTE: use drizzle filed instead of db field, so use fullName instead of full_name
-      name: 'fullName',
-    },
-    modelName: 'users',
-  },
 });

package/src/envs/auth.ts

@@ -1,9 +1,8 @@
 /* eslint-disable sort-keys-fix/sort-keys-fix , typescript-sort-keys/interface */
+import { enableBetterAuth, enableClerk, enableNextAuth } from '@lobechat/const';
 import { createEnv } from '@t3-oss/env-nextjs';
 import { z } from 'zod';
 
-import { enableBetterAuth, enableClerk, enableNextAuth } from '@/const/auth';
-
 /**
  * Resolve public auth URL with compatibility fallbacks for NextAuth and Vercel deployments.
  */
@@ -18,6 +17,14 @@ const resolvePublicAuthUrl = () => {
     }
   }
 
+  if (process.env.APP_URL) {
+    try {
+      return new URL(process.env.APP_URL).origin;
+    } catch {
+      // ignore invalid APP_URL
+    }
+  }
+
   if (process.env.VERCEL_URL) {
     try {
       const normalizedVercelUrl = process.env.VERCEL_URL.startsWith('http')

package/src/libs/better-auth/auth-client.ts

@@ -1,4 +1,5 @@
 import {
+  adminClient,
   genericOAuthClient,
   inferAdditionalFields,
   magicLinkClient,
@@ -27,6 +28,7 @@ export const {
   /** The base URL of the server (optional if you're using the same domain) */
   baseURL: NEXT_PUBLIC_AUTH_URL,
   plugins: [
+    adminClient(),
     inferAdditionalFields<typeof auth>(),
     genericOAuthClient(),
     ...(enableMagicLink ? [magicLinkClient()] : []),