@lobehub/lobehub 2.0.0-next.355 → 2.0.0-next.356

package/packages/utils/src/server/auth.ts

@@ -1,34 +1,18 @@
 import { headers } from 'next/headers';
 
-import { enableBetterAuth, enableNextAuth } from '@/envs/auth';
+import { auth } from '@/auth';
 
 export const getUserAuth = async () => {
-  if (enableBetterAuth) {
-    const { auth: betterAuth } = await import('@/auth');
+  const currentHeaders = await headers();
+  const requestHeaders = Object.fromEntries(currentHeaders.entries());
 
-    const currentHeaders = await headers();
-    const requestHeaders = Object.fromEntries(currentHeaders.entries());
+  const session = await auth.api.getSession({
+    headers: requestHeaders,
+  });
 
-    const session = await betterAuth.api.getSession({
-      headers: requestHeaders,
-    });
+  const userId = session?.user?.id;
 
-    const userId = session?.user?.id;
-
-    return { betterAuth: session, userId };
-  }
-
-  if (enableNextAuth) {
-    const { default: NextAuth } = await import('@/libs/next-auth');
-
-    const session = await NextAuth.auth();
-
-    const userId = session?.user.id;
-
-    return { nextAuth: session, userId };
-  }
-
-  throw new Error('Auth method is not enabled');
+  return { betterAuth: session, userId };
 };
 
 /**

package/scripts/_shared/checkDeprecatedAuth.js

@@ -0,0 +1,99 @@
+/**
+ * Shared utility to check for deprecated authentication environment variables.
+ * Used by both prebuild.mts (build time) and startServer.js (Docker runtime).
+ *
+ * IMPORTANT: Keep this file as CommonJS (.js) for compatibility with startServer.js
+ */
+
+const MIGRATION_DOC_BASE = 'https://lobehub.com/docs/self-hosting/advanced/auth';
+
+/**
+ * Deprecated environment variable checks configuration
+ * @type {Array<{
+ *   name: string;
+ *   getVars: () => string[];
+ *   message: string;
+ *   docUrl?: string;
+ *   formatVar?: (envVar: string) => string;
+ * }>}
+ */
+const DEPRECATED_CHECKS = [
+  {
+    docUrl: `${MIGRATION_DOC_BASE}/nextauth-to-betterauth`,
+    getVars: () =>
+      Object.keys(process.env).filter(
+        (key) => key.startsWith('NEXT_AUTH') || key.startsWith('NEXTAUTH'),
+      ),
+    message: 'NextAuth has been removed from LobeChat. Please migrate to Better Auth.',
+    name: 'NextAuth',
+  },
+  {
+    docUrl: `${MIGRATION_DOC_BASE}/clerk-to-betterauth`,
+    getVars: () =>
+      ['NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY', 'CLERK_SECRET_KEY', 'CLERK_WEBHOOK_SECRET'].filter(
+        (key) => process.env[key],
+      ),
+    message: 'Clerk has been removed from LobeChat. Please migrate to Better Auth.',
+    name: 'Clerk',
+  },
+  {
+    formatVar: (envVar) => {
+      const mapping = {
+        NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION: 'AUTH_EMAIL_VERIFICATION',
+        NEXT_PUBLIC_ENABLE_MAGIC_LINK: 'ENABLE_MAGIC_LINK',
+      };
+      return `${envVar} → Please use ${mapping[envVar]} instead`;
+    },
+    getVars: () =>
+      ['NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION', 'NEXT_PUBLIC_ENABLE_MAGIC_LINK'].filter(
+        (key) => process.env[key],
+      ),
+    message: 'Please update to the new environment variable names.',
+    name: 'Deprecated Auth',
+  },
+];
+
+/**
+ * Print error message and exit
+ */
+function printErrorAndExit(name, vars, message, action, docUrl, formatVar) {
+  console.error('\n' + '═'.repeat(70));
+  console.error(`❌ ERROR: ${name} environment variables are deprecated!`);
+  console.error('═'.repeat(70));
+  console.error('\nDetected deprecated environment variables:');
+  for (const envVar of vars) {
+    console.error(`  • ${formatVar ? formatVar(envVar) : envVar}`);
+  }
+  console.error(`\n${message}`);
+  if (docUrl) {
+    console.error(`\n📖 Migration guide: ${docUrl}`);
+  }
+  console.error(`\nPlease update your environment variables and ${action}.`);
+  console.error('═'.repeat(70) + '\n');
+  process.exit(1);
+}
+
+/**
+ * Check for deprecated authentication environment variables and exit if found
+ * @param {object} options
+ * @param {string} [options.action='redeploy'] - Action hint in error message ('redeploy' or 'restart')
+ */
+function checkDeprecatedAuth(options = {}) {
+  const { action = 'redeploy' } = options;
+
+  for (const check of DEPRECATED_CHECKS) {
+    const foundVars = check.getVars();
+    if (foundVars.length > 0) {
+      printErrorAndExit(
+        check.name,
+        foundVars,
+        check.message,
+        action,
+        check.docUrl,
+        check.formatVar,
+      );
+    }
+  }
+}
+
+module.exports = { checkDeprecatedAuth };

package/scripts/clerk-to-betterauth/index.ts

@@ -13,6 +13,11 @@ const IS_DRY_RUN =
   process.argv.includes('--dry-run') || process.env.CLERK_TO_BETTERAUTH_DRY_RUN === '1';
 const formatDuration = (ms: number) => `${(ms / 1000).toFixed(1)}s`;
 
+// ANSI color codes
+const GREEN_BOLD = '\u001B[1;32m';
+const RED_BOLD = '\u001B[1;31m';
+const RESET = '\u001B[0m';
+
 function chunk<T>(items: T[], size: number): T[][] {
   if (!Number.isFinite(size) || size <= 0) return [items];
   const result: T[][] = [];
@@ -241,7 +246,7 @@ async function migrateFromClerk() {
   }
 
   console.log(
-    `[clerk-to-betterauth] completed users=${processed}, skipped=${skipped}, accounts attempted=${accountAttempts}, 2fa attempted=${twoFactorAttempts}, dryRun=${IS_DRY_RUN}, elapsed=${formatDuration(Date.now() - startedAt)}`,
+    `[clerk-to-betterauth] completed users=${GREEN_BOLD}${processed}${RESET}, skipped=${skipped}, accounts attempted=${accountAttempts}, 2fa attempted=${twoFactorAttempts}, dryRun=${IS_DRY_RUN}, elapsed=${formatDuration(Date.now() - startedAt)}`,
   );
 
   const accountCountsText = Object.entries(accountCounts)
@@ -301,10 +306,10 @@ async function main() {
   try {
     await migrateFromClerk();
     console.log('');
-    console.log(`✅ Migration success! (${formatDuration(Date.now() - startedAt)})`);
+    console.log(`${GREEN_BOLD}✅ Migration success!${RESET} (${formatDuration(Date.now() - startedAt)})`);
   } catch (error) {
     console.log('');
-    console.error(`❌ Migration failed (${formatDuration(Date.now() - startedAt)}):`, error);
+    console.error(`${RED_BOLD}❌ Migration failed${RESET} (${formatDuration(Date.now() - startedAt)}):`, error);
     process.exitCode = 1;
   } finally {
     await pool.end();

package/scripts/nextauth-to-betterauth/_internal/config.ts

@@ -0,0 +1,41 @@
+import './env';
+
+export type MigrationMode = 'test' | 'prod';
+export type DatabaseDriver = 'neon' | 'node';
+
+const DEFAULT_MODE: MigrationMode = 'test';
+const DEFAULT_DATABASE_DRIVER: DatabaseDriver = 'neon';
+
+export function getMigrationMode(): MigrationMode {
+  const mode = process.env.NEXTAUTH_TO_BETTERAUTH_MODE;
+  if (mode === 'test' || mode === 'prod') return mode;
+  return DEFAULT_MODE;
+}
+
+export function getDatabaseUrl(mode = getMigrationMode()): string {
+  const key =
+    mode === 'test'
+      ? 'TEST_NEXTAUTH_TO_BETTERAUTH_DATABASE_URL'
+      : 'PROD_NEXTAUTH_TO_BETTERAUTH_DATABASE_URL';
+  const value = process.env[key];
+
+  if (!value) {
+    throw new Error(`${key} is not set`);
+  }
+
+  return value;
+}
+
+export function getDatabaseDriver(): DatabaseDriver {
+  const driver = process.env.NEXTAUTH_TO_BETTERAUTH_DATABASE_DRIVER;
+  if (driver === 'neon' || driver === 'node') return driver;
+  return DEFAULT_DATABASE_DRIVER;
+}
+
+export function getBatchSize(): number {
+  return Number(process.env.NEXTAUTH_TO_BETTERAUTH_BATCH_SIZE) || 300;
+}
+
+export function isDryRun(): boolean {
+  return process.argv.includes('--dry-run') || process.env.NEXTAUTH_TO_BETTERAUTH_DRY_RUN === '1';
+}

package/scripts/nextauth-to-betterauth/_internal/db.ts

@@ -0,0 +1,32 @@
+import { Pool as NeonPool, neonConfig } from '@neondatabase/serverless';
+import { drizzle as neonDrizzle } from 'drizzle-orm/neon-serverless';
+import { drizzle as nodeDrizzle } from 'drizzle-orm/node-postgres';
+import { Pool as NodePool } from 'pg';
+import ws from 'ws';
+
+// schema is the only dependency on project code, required for type-safe migrations
+import * as schemaModule from '../../../packages/database/src/schemas';
+import { getDatabaseDriver, getDatabaseUrl } from './config';
+
+function createDatabase() {
+  const databaseUrl = getDatabaseUrl();
+  const driver = getDatabaseDriver();
+
+  if (driver === 'node') {
+    const pool = new NodePool({ connectionString: databaseUrl });
+    const db = nodeDrizzle(pool, { schema: schemaModule });
+    return { db, pool };
+  }
+
+  // neon driver (default)
+  // https://github.com/neondatabase/serverless/blob/main/CONFIG.md#websocketconstructor-typeof-websocket--undefined
+  neonConfig.webSocketConstructor = ws;
+  const pool = new NeonPool({ connectionString: databaseUrl });
+  const db = neonDrizzle(pool, { schema: schemaModule });
+  return { db, pool };
+}
+
+const { db, pool } = createDatabase();
+
+export { db, pool };
+export * as schema from '../../../packages/database/src/schemas';

package/scripts/nextauth-to-betterauth/_internal/env.ts

@@ -0,0 +1,6 @@
+import { existsSync } from 'node:fs';
+import { loadEnvFile } from 'node:process';
+
+if (existsSync('.env')) {
+  loadEnvFile();
+}

package/scripts/nextauth-to-betterauth/index.ts

@@ -0,0 +1,226 @@
+/* eslint-disable unicorn/prefer-top-level-await */
+import { sql } from 'drizzle-orm';
+
+import { getBatchSize, getMigrationMode, isDryRun } from './_internal/config';
+import { db, pool, schema } from './_internal/db';
+
+const BATCH_SIZE = getBatchSize();
+const PROGRESS_TABLE = sql.identifier('nextauth_migration_progress');
+const IS_DRY_RUN = isDryRun();
+const formatDuration = (ms: number) => `${(ms / 1000).toFixed(1)}s`;
+
+// ANSI color codes
+const GREEN_BOLD = '\u001B[1;32m';
+const RED_BOLD = '\u001B[1;31m';
+const RESET = '\u001B[0m';
+
+function chunk<T>(items: T[], size: number): T[][] {
+  if (!Number.isFinite(size) || size <= 0) return [items];
+  const result: T[][] = [];
+  for (let i = 0; i < items.length; i += size) {
+    result.push(items.slice(i, i + size));
+  }
+  return result;
+}
+
+/**
+ * Convert expires_at (seconds since epoch) to Date
+ */
+function convertExpiresAt(expiresAt: number | null): Date | undefined {
+  if (expiresAt === null || expiresAt === undefined) return undefined;
+  return new Date(expiresAt * 1000);
+}
+
+/**
+ * Convert scope format from NextAuth (space-separated) to Better Auth (comma-separated)
+ * e.g., "openid profile email" -> "openid,profile,email"
+ */
+function convertScope(scope: string | null): string | undefined {
+  if (!scope) return undefined;
+  return scope.trim().split(/\s+/).join(',');
+}
+
+/**
+ * Create a composite key for nextauth_accounts (provider + providerAccountId)
+ */
+function createAccountKey(provider: string, providerAccountId: string): string {
+  return `${provider}__${providerAccountId}`;
+}
+
+async function loadNextAuthAccounts() {
+  const rows = await db.select().from(schema.nextauthAccounts);
+  return rows;
+}
+
+async function migrateFromNextAuth() {
+  const mode = getMigrationMode();
+  const nextauthAccounts = await loadNextAuthAccounts();
+
+  if (!IS_DRY_RUN) {
+    await db.execute(sql`
+      CREATE TABLE IF NOT EXISTS ${PROGRESS_TABLE} (
+        account_key TEXT PRIMARY KEY,
+        processed_at TIMESTAMPTZ DEFAULT NOW()
+      );
+    `);
+  }
+
+  const processedAccounts = new Set<string>();
+
+  if (!IS_DRY_RUN) {
+    try {
+      const processedResult = await db.execute<{ account_key: string }>(
+        sql`SELECT account_key FROM ${PROGRESS_TABLE};`,
+      );
+      const rows = (processedResult as { rows?: { account_key: string }[] }).rows ?? [];
+
+      for (const row of rows) {
+        const accountKey = row?.account_key;
+        if (typeof accountKey === 'string') {
+          processedAccounts.add(accountKey);
+        }
+      }
+    } catch (error) {
+      console.warn(
+        '[nextauth-to-betterauth] failed to read progress table, treating as empty',
+        error,
+      );
+    }
+  }
+
+  console.log(`[nextauth-to-betterauth] mode: ${mode} (dryRun=${IS_DRY_RUN})`);
+  console.log(`[nextauth-to-betterauth] nextauth accounts: ${nextauthAccounts.length}`);
+  console.log(`[nextauth-to-betterauth] already processed: ${processedAccounts.size}`);
+
+  const unprocessedAccounts = nextauthAccounts.filter(
+    (acc) => !processedAccounts.has(createAccountKey(acc.provider, acc.providerAccountId)),
+  );
+  const batches = chunk(unprocessedAccounts, BATCH_SIZE);
+  console.log(
+    `[nextauth-to-betterauth] batches: ${batches.length} (batchSize=${BATCH_SIZE}, toProcess=${unprocessedAccounts.length})`,
+  );
+
+  let processed = 0;
+  const skipped = nextauthAccounts.length - unprocessedAccounts.length;
+  const startedAt = Date.now();
+  const providerCounts: Record<string, number> = {};
+
+  const bumpProviderCount = (providerId: string) => {
+    providerCounts[providerId] = (providerCounts[providerId] ?? 0) + 1;
+  };
+
+  for (let batchIndex = 0; batchIndex < batches.length; batchIndex += 1) {
+    const batch = batches[batchIndex];
+    const accountRows: (typeof schema.account.$inferInsert)[] = [];
+    const accountKeys: string[] = [];
+
+    for (const nextauthAccount of batch) {
+      const accountKey = createAccountKey(
+        nextauthAccount.provider,
+        nextauthAccount.providerAccountId,
+      );
+
+      const accountRow: typeof schema.account.$inferInsert = {
+        accessToken: nextauthAccount.access_token ?? undefined,
+        accessTokenExpiresAt: convertExpiresAt(nextauthAccount.expires_at),
+        accountId: nextauthAccount.providerAccountId,
+        // id and createdAt/updatedAt use database defaults
+        id: accountKey, // deterministic id based on provider + providerAccountId
+        idToken: nextauthAccount.id_token ?? undefined,
+        providerId: nextauthAccount.provider,
+        refreshToken: nextauthAccount.refresh_token ?? undefined,
+        scope: convertScope(nextauthAccount.scope),
+        userId: nextauthAccount.userId,
+      };
+
+      accountRows.push(accountRow);
+      accountKeys.push(accountKey);
+      bumpProviderCount(nextauthAccount.provider);
+    }
+
+    if (!IS_DRY_RUN) {
+      await db.transaction(async (tx) => {
+        if (accountRows.length > 0) {
+          await tx.insert(schema.account).values(accountRows).onConflictDoNothing();
+        }
+
+        const accountKeyValues = accountKeys.map((key) => sql`(${key})`);
+        if (accountKeyValues.length > 0) {
+          await tx.execute(sql`
+            INSERT INTO ${PROGRESS_TABLE} (account_key)
+            VALUES ${sql.join(accountKeyValues, sql`, `)}
+            ON CONFLICT (account_key) DO NOTHING;
+          `);
+        }
+      });
+    }
+
+    processed += batch.length;
+    console.log(
+      `[nextauth-to-betterauth] batch ${batchIndex + 1}/${batches.length} done, accounts ${processed}/${unprocessedAccounts.length}, dryRun=${IS_DRY_RUN}`,
+    );
+  }
+
+  console.log(
+    `[nextauth-to-betterauth] completed accounts=${GREEN_BOLD}${processed}${RESET}, skipped=${skipped}, dryRun=${IS_DRY_RUN}, elapsed=${formatDuration(Date.now() - startedAt)}`,
+  );
+
+  const providerCountsText = Object.entries(providerCounts)
+    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
+    .map(([providerId, count]) => `${providerId}=${count}`)
+    .join(', ');
+
+  console.log(`[nextauth-to-betterauth] provider counts: ${providerCountsText || 'none recorded'}`);
+}
+
+async function main() {
+  const startedAt = Date.now();
+  const mode = getMigrationMode();
+
+  console.log('');
+  console.log('╔════════════════════════════════════════════════════════════╗');
+  console.log('║        NextAuth to Better Auth Migration Script            ║');
+  console.log('╠════════════════════════════════════════════════════════════╣');
+  console.log(`║  Mode:     ${mode.padEnd(48)}║`);
+  console.log(`║  Dry Run:  ${(IS_DRY_RUN ? 'YES (no changes will be made)' : 'NO').padEnd(48)}║`);
+  console.log(`║  Batch:    ${String(BATCH_SIZE).padEnd(48)}║`);
+  console.log('╚════════════════════════════════════════════════════════════╝');
+  console.log('');
+
+  if (mode === 'prod' && !IS_DRY_RUN) {
+    console.log('⚠️  WARNING: Running in PRODUCTION mode. Data will be modified!');
+    console.log('   Type "yes" to continue or press Ctrl+C to abort.');
+    console.log('');
+
+    const readline = await import('node:readline');
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const answer = await new Promise<string>((resolve) => {
+      rl.question('   Confirm (yes/no): ', (ans) => {
+        resolve(ans);
+      });
+    });
+    rl.close();
+
+    if (answer.toLowerCase() !== 'yes') {
+      console.log('❌ Aborted by user.');
+      process.exitCode = 0;
+      await pool.end();
+      return;
+    }
+    console.log('');
+  }
+
+  try {
+    await migrateFromNextAuth();
+    console.log('');
+    console.log(`${GREEN_BOLD}✅ Migration success!${RESET} (${formatDuration(Date.now() - startedAt)})`);
+  } catch (error) {
+    console.log('');
+    console.error(`${RED_BOLD}❌ Migration failed${RESET} (${formatDuration(Date.now() - startedAt)}):`, error);
+    process.exitCode = 1;
+  } finally {
+    await pool.end();
+  }
+}
+
+void main();

package/scripts/nextauth-to-betterauth/verify.ts

@@ -0,0 +1,188 @@
+/* eslint-disable unicorn/prefer-top-level-await */
+import { getMigrationMode } from './_internal/config';
+import { db, pool, schema } from './_internal/db';
+
+type ExpectedAccount = {
+  accountId: string;
+  providerId: string;
+  scope?: string;
+  userId: string;
+};
+
+type ActualAccount = {
+  accountId: string;
+  providerId: string;
+  scope: string | null;
+  userId: string;
+};
+
+const MAX_SAMPLES = 5;
+
+const formatDuration = (ms: number) => `${(ms / 1000).toFixed(1)}s`;
+
+function buildAccountKey(account: { accountId: string; providerId: string; userId: string }) {
+  return `${account.userId}__${account.providerId}__${account.accountId}`;
+}
+
+async function loadNextAuthAccounts() {
+  const rows = await db.select().from(schema.nextauthAccounts);
+  return rows;
+}
+
+async function loadActualAccounts() {
+  const rows = await db
+    .select({
+      accountId: schema.account.accountId,
+      providerId: schema.account.providerId,
+      scope: schema.account.scope,
+      userId: schema.account.userId,
+    })
+    .from(schema.account);
+
+  return rows as ActualAccount[];
+}
+
+function buildExpectedAccounts(nextauthAccounts: Awaited<ReturnType<typeof loadNextAuthAccounts>>) {
+  const expectedAccounts: ExpectedAccount[] = [];
+
+  for (const nextauthAccount of nextauthAccounts) {
+    expectedAccounts.push({
+      accountId: nextauthAccount.providerAccountId,
+      providerId: nextauthAccount.provider,
+      scope: nextauthAccount.scope ?? undefined,
+      userId: nextauthAccount.userId,
+    });
+  }
+
+  return { expectedAccounts };
+}
+
+async function main() {
+  const startedAt = Date.now();
+  const mode = getMigrationMode();
+
+  console.log('');
+  console.log('╔════════════════════════════════════════════════════════════╗');
+  console.log('║     NextAuth to Better Auth Verification Script            ║');
+  console.log('╠════════════════════════════════════════════════════════════╣');
+  console.log(`║  Mode:     ${mode.padEnd(48)}║`);
+  console.log('╚════════════════════════════════════════════════════════════╝');
+  console.log('');
+
+  const [nextauthAccounts, actualAccounts] = await Promise.all([
+    loadNextAuthAccounts(),
+    loadActualAccounts(),
+  ]);
+
+  console.log(`📦 [verify] Loaded nextauth_accounts=${nextauthAccounts.length}`);
+
+  const { expectedAccounts } = buildExpectedAccounts(nextauthAccounts);
+
+  console.log(`🧮 [verify] Expected accounts=${expectedAccounts.length}`);
+  console.log(`🗄️ [verify] DB snapshot: accounts=${actualAccounts.length}`);
+
+  const expectedAccountSet = new Set(expectedAccounts.map(buildAccountKey));
+  const actualAccountSet = new Set(actualAccounts.map(buildAccountKey));
+
+  let missingAccounts = 0;
+  const missingAccountSamples: string[] = [];
+  for (const account of expectedAccounts) {
+    const key = buildAccountKey(account);
+    if (!actualAccountSet.has(key)) {
+      missingAccounts += 1;
+      if (missingAccountSamples.length < MAX_SAMPLES) {
+        missingAccountSamples.push(`${account.providerId}/${account.accountId}`);
+      }
+    }
+  }
+
+  let unexpectedAccounts = 0;
+  const unexpectedAccountSamples: string[] = [];
+  for (const account of actualAccounts) {
+    const key = buildAccountKey(account);
+    if (!expectedAccountSet.has(key)) {
+      unexpectedAccounts += 1;
+      if (unexpectedAccountSamples.length < MAX_SAMPLES) {
+        unexpectedAccountSamples.push(`${account.providerId}/${account.accountId}`);
+      }
+    }
+  }
+
+  // Provider counts
+  const expectedProviderCounts: Record<string, number> = {};
+  const actualProviderCounts: Record<string, number> = {};
+
+  for (const account of expectedAccounts) {
+    expectedProviderCounts[account.providerId] =
+      (expectedProviderCounts[account.providerId] ?? 0) + 1;
+  }
+
+  for (const account of actualAccounts) {
+    actualProviderCounts[account.providerId] = (actualProviderCounts[account.providerId] ?? 0) + 1;
+  }
+
+  const formatCounts = (counts: Record<string, number>) =>
+    Object.entries(counts)
+      .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
+      .map(([providerId, count]) => `${providerId}=${count}`)
+      .join(', ');
+
+  console.log(
+    `📊 [verify] Expected provider counts: ${formatCounts(expectedProviderCounts) || 'n/a'}`,
+  );
+  console.log(
+    `📊 [verify] Actual provider counts:   ${formatCounts(actualProviderCounts) || 'n/a'}`,
+  );
+
+  // Check for missing scope in actual accounts
+  let missingScopeNonCredential = 0;
+  const sampleMissingScope: string[] = [];
+
+  for (const account of actualAccounts) {
+    if (account.providerId !== 'credential' && !account.scope) {
+      // Find corresponding nextauth account to check if it had scope
+      const nextauthAccount = nextauthAccounts.find(
+        (na) => na.provider === account.providerId && na.providerAccountId === account.accountId,
+      );
+      if (nextauthAccount?.scope) {
+        missingScopeNonCredential += 1;
+        if (sampleMissingScope.length < MAX_SAMPLES) {
+          sampleMissingScope.push(`${account.providerId}/${account.accountId}`);
+        }
+      }
+    }
+  }
+
+  console.log('');
+  console.log('📋 [verify] Summary:');
+  console.log(
+    `   - Missing accounts: ${missingAccounts} ${missingAccountSamples.length > 0 ? `(samples: ${missingAccountSamples.join(', ')})` : ''}`,
+  );
+  console.log(
+    `   - Unexpected accounts: ${unexpectedAccounts} ${unexpectedAccountSamples.length > 0 ? `(samples: ${unexpectedAccountSamples.join(', ')})` : '(accounts not from nextauth)'}`,
+  );
+  console.log(
+    `   - Missing scope (had in nextauth): ${missingScopeNonCredential} ${sampleMissingScope.length > 0 ? `(samples: ${sampleMissingScope.join(', ')})` : ''}`,
+  );
+
+  console.log('');
+  if (missingAccounts === 0) {
+    console.log(
+      `✅ Verification success! All nextauth accounts migrated. (${formatDuration(Date.now() - startedAt)})`,
+    );
+  } else {
+    console.log(
+      `⚠️ Verification completed with ${missingAccounts} missing accounts. (${formatDuration(Date.now() - startedAt)})`,
+    );
+  }
+}
+
+void main()
+  .catch((error) => {
+    console.log('');
+    console.error('❌ Verification failed:', error);
+    process.exitCode = 1;
+  })
+  .finally(async () => {
+    await pool.end();
+  });