@lobehub/lobehub 2.0.0-next.355 → 2.0.0-next.357

package/src/store/user/slices/auth/action.ts

@@ -1,9 +1,6 @@
 import { type SSOProvider } from '@lobechat/types';
 import { type StateCreator } from 'zustand/vanilla';
 
-import { enableBetterAuth, enableNextAuth } from '@/envs/auth';
-import { userService } from '@/services/user';
-
 import type { UserStore } from '../../store';
 
 interface AuthProvidersData {
@@ -31,32 +28,26 @@ export interface UserAuthAction {
 }
 
 const fetchAuthProvidersData = async (): Promise<AuthProvidersData> => {
-  if (enableBetterAuth) {
-    const { accountInfo, listAccounts } = await import('@/libs/better-auth/auth-client');
-    const result = await listAccounts();
-    const accounts = result.data || [];
-    const hasPasswordAccount = accounts.some((account) => account.providerId === 'credential');
-    const providers = await Promise.all(
-      accounts
-        .filter((account) => account.providerId !== 'credential')
-        .map(async (account) => {
-          // In theory, the id_token could be decrypted from the accounts table, but I found that better-auth on GitHub does not save the id_token
-          const info = await accountInfo({
-            query: { accountId: account.accountId },
-          });
-          return {
-            email: info.data?.user?.email ?? undefined,
-            provider: account.providerId,
-            providerAccountId: account.accountId,
-          };
-        }),
-    );
-    return { hasPasswordAccount, providers };
-  }
-
-  // Fallback for NextAuth
-  const providers = await userService.getUserSSOProviders();
-  return { hasPasswordAccount: false, providers };
+  const { accountInfo, listAccounts } = await import('@/libs/better-auth/auth-client');
+  const result = await listAccounts();
+  const accounts = result.data || [];
+  const hasPasswordAccount = accounts.some((account) => account.providerId === 'credential');
+  const providers = await Promise.all(
+    accounts
+      .filter((account) => account.providerId !== 'credential')
+      .map(async (account) => {
+        // In theory, the id_token could be decrypted from the accounts table, but I found that better-auth on GitHub does not save the id_token
+        const info = await accountInfo({
+          query: { accountId: account.accountId },
+        });
+        return {
+          email: info.data?.user?.email ?? undefined,
+          provider: account.providerId,
+          providerAccountId: account.accountId,
+        };
+      }),
+  );
+  return { hasPasswordAccount, providers };
 };
 
 export const createAuthSlice: StateCreator<
@@ -78,50 +69,26 @@ export const createAuthSlice: StateCreator<
     }
   },
   logout: async () => {
-    if (enableBetterAuth) {
-      const { signOut } = await import('@/libs/better-auth/auth-client');
-      await signOut({
-        fetchOptions: {
-          onSuccess: () => {
-            // Use window.location.href to trigger a full page reload
-            // This ensures all client-side state (React, Zustand, cache) is cleared
-            window.location.href = '/signin';
-          },
+    const { signOut } = await import('@/libs/better-auth/auth-client');
+    await signOut({
+      fetchOptions: {
+        onSuccess: () => {
+          // Use window.location.href to trigger a full page reload
+          // This ensures all client-side state (React, Zustand, cache) is cleared
+          window.location.href = '/signin';
         },
-      });
-
-      return;
-    }
-
-    if (enableNextAuth) {
-      const { signOut } = await import('next-auth/react');
-      signOut();
-    }
+      },
+    });
   },
   openLogin: async () => {
-    // Skip if already on a Better Auth login page (/signin, /signup)
+    // Skip if already on a login page (/signin, /signup)
     const pathname = location.pathname;
     if (pathname.startsWith('/signin') || pathname.startsWith('/signup')) {
       return;
     }
 
-    if (enableBetterAuth) {
-      const currentUrl = location.toString();
-      window.location.href = `/signin?callbackUrl=${encodeURIComponent(currentUrl)}`;
-
-      return;
-    }
-
-    if (enableNextAuth) {
-      const { signIn } = await import('next-auth/react');
-      // Check if only one provider is available
-      const providers = get()?.oAuthSSOProviders;
-      if (providers && providers.length === 1) {
-        signIn(providers[0]);
-        return;
-      }
-      signIn();
-    }
+    const currentUrl = location.toString();
+    window.location.href = `/signin?callbackUrl=${encodeURIComponent(currentUrl)}`;
   },
   refreshAuthProviders: async () => {
     try {

package/src/store/user/slices/auth/initialState.ts

@@ -1,4 +1,3 @@
-import { type Session, type User } from '@auth/core/types';
 import { type SSOProvider } from '@lobechat/types';
 
 import { type LobeUser } from '@/types/user';
@@ -13,8 +12,6 @@ export interface UserAuthState {
   isLoadedAuthProviders?: boolean;
 
   isSignedIn?: boolean;
-  nextSession?: Session;
-  nextUser?: User;
   oAuthSSOProviders?: string[];
   user?: LobeUser;
 }

package/src/store/user/slices/auth/selectors.ts

@@ -1,7 +1,6 @@
 import { type LobeUser, type SSOProvider } from '@lobechat/types';
 import { t } from 'i18next';
 
-import { enableBetterAuth, enableNextAuth } from '@/envs/auth';
 import type { UserStore } from '@/store/user';
 
 const nickName = (s: UserStore) => {
@@ -37,6 +36,4 @@ export const authSelectors = {
   isLoadedAuthProviders: (s: UserStore) => s.isLoadedAuthProviders ?? false,
   isLogin: (s: UserStore) => s.isSignedIn,
   isLoginWithAuth: (s: UserStore) => s.isSignedIn,
-  isLoginWithBetterAuth: (s: UserStore): boolean => (s.isSignedIn && enableBetterAuth) || false,
-  isLoginWithNextAuth: (s: UserStore): boolean => (s.isSignedIn && !!enableNextAuth) || false,
 };

package/tests/setup.ts

@@ -24,6 +24,16 @@ vi.mock('@lobehub/analytics/react', () => ({
   }),
 }));
 
+// Global mock for @/auth to avoid better-auth validator module issue in tests
+// The validator package has ESM resolution issues in Vitest environment
+vi.mock('@/auth', () => ({
+  auth: {
+    api: {
+      getSession: vi.fn().mockResolvedValue(null),
+    },
+  },
+}));
+
 // node runtime
 if (typeof window === 'undefined') {
   // test with polyfill crypto

package/scripts/_shared/checkDeprecatedClerkEnv.js

@@ -1,42 +0,0 @@
-/**
- * Shared utility to check for deprecated Clerk environment variables.
- * Used by both prebuild.mts (build time) and startServer.js (Docker runtime).
- *
- * IMPORTANT: Keep this file as CommonJS (.js) for compatibility with startServer.js
- */
-
-const CLERK_MIGRATION_DOC_URL =
-  'https://lobehub.com/docs/self-hosting/advanced/auth/clerk-to-betterauth';
-
-const CLERK_ENV_VARS = [
-  'NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY',
-  'CLERK_SECRET_KEY',
-  'CLERK_WEBHOOK_SECRET',
-];
-
-/**
- * Check for deprecated Clerk environment variables and exit if found
- * @param {object} options
- * @param {string} [options.action='redeploy'] - Action hint in error message ('redeploy' or 'restart')
- */
-function checkDeprecatedClerkEnv(options = {}) {
-  const { action = 'redeploy' } = options;
-  const foundClerkEnvVars = CLERK_ENV_VARS.filter((envVar) => process.env[envVar]);
-
-  if (foundClerkEnvVars.length > 0) {
-    console.error('\n' + '═'.repeat(70));
-    console.error('❌ ERROR: Clerk authentication is no longer supported!');
-    console.error('═'.repeat(70));
-    console.error('\nDetected deprecated Clerk environment variables:');
-    for (const envVar of foundClerkEnvVars) {
-      console.error(`  • ${envVar}`);
-    }
-    console.error('\nClerk has been removed from LobeChat. Please migrate to Better Auth.');
-    console.error(`\n📖 Migration guide: ${CLERK_MIGRATION_DOC_URL}`);
-    console.error(`\nAfter migration, remove the Clerk environment variables and ${action}.`);
-    console.error('═'.repeat(70) + '\n');
-    process.exit(1);
-  }
-}
-
-module.exports = { checkDeprecatedClerkEnv };

package/src/app/(backend)/api/auth/adapter/route.ts

@@ -1,137 +0,0 @@
-import debug from 'debug';
-import { type NextRequest, NextResponse } from 'next/server';
-
-import { serverDBEnv } from '@/config/db';
-import { serverDB } from '@/database/server';
-import { dateKeys } from '@/libs/next-auth/adapter';
-import { NextAuthUserService } from '@/server/services/nextAuthUser';
-
-const log = debug('lobe-next-auth:api:auth:adapter');
-
-/**
- * @description Process the db query for the NextAuth adapter.
- * Returns the db query result directly and let NextAuth handle the raw results.
- * @returns {
- *  success: boolean; // Only return false if the database query fails or the action is invalid.
- *  data?: any;
- *  error?: string;
- * }
- */
-export async function POST(req: NextRequest) {
-  try {
-    // try validate the request
-    if (
-      !req.headers.get('Authorization') ||
-      req.headers.get('Authorization')?.trim() !== `Bearer ${serverDBEnv.KEY_VAULTS_SECRET}`
-    ) {
-      log('Unauthorized request, missing or invalid Authorization header');
-      return NextResponse.json({ error: 'Unauthorized', success: false }, { status: 401 });
-    }
-
-    // Parse the request body
-    const data = await req.json();
-    log('Received request data:', data);
-    // Preprocess
-    if (data?.data) {
-      for (const key of dateKeys) {
-        if (data?.data && data.data[key]) {
-          data.data[key] = new Date(data.data[key]);
-          continue;
-        }
-      }
-    }
-    const service = new NextAuthUserService(serverDB);
-    let result;
-    switch (data.action) {
-      case 'createAuthenticator': {
-        result = await service.createAuthenticator(data.data);
-        break;
-      }
-      case 'createSession': {
-        result = await service.createSession(data.data);
-        break;
-      }
-      case 'createUser': {
-        result = await service.createUser(data.data);
-        break;
-      }
-      case 'createVerificationToken': {
-        result = await service.createVerificationToken(data.data);
-        break;
-      }
-      case 'deleteSession': {
-        result = await service.deleteSession(data.data);
-        break;
-      }
-      case 'deleteUser': {
-        result = await service.deleteUser(data.data);
-        break;
-      }
-      case 'getAccount': {
-        result = await service.getAccount(data.data.providerAccountId, data.data.provider);
-        break;
-      }
-      case 'getAuthenticator': {
-        result = await service.getAuthenticator(data.data);
-        break;
-      }
-      case 'getSessionAndUser': {
-        result = await service.getSessionAndUser(data.data);
-        break;
-      }
-      case 'getUser': {
-        result = await service.getUser(data.data);
-        break;
-      }
-      case 'getUserByAccount': {
-        result = await service.getUserByAccount(data.data);
-        break;
-      }
-      case 'getUserByEmail': {
-        result = await service.getUserByEmail(data.data);
-        break;
-      }
-      case 'linkAccount': {
-        result = await service.linkAccount(data.data);
-        break;
-      }
-      case 'listAuthenticatorsByUserId': {
-        result = await service.listAuthenticatorsByUserId(data.data);
-        break;
-      }
-      case 'unlinkAccount': {
-        result = await service.unlinkAccount(data.data);
-        break;
-      }
-      case 'updateAuthenticatorCounter': {
-        result = await service.updateAuthenticatorCounter(
-          data.data.credentialID,
-          data.data.counter,
-        );
-        break;
-      }
-      case 'updateSession': {
-        result = await service.updateSession(data.data);
-        break;
-      }
-      case 'updateUser': {
-        result = await service.updateUser(data.data);
-        break;
-      }
-      case 'useVerificationToken': {
-        result = await service.useVerificationToken(data.data);
-        break;
-      }
-      default: {
-        return NextResponse.json({ error: 'Invalid action', success: false }, { status: 400 });
-      }
-    }
-    return NextResponse.json({ data: result, success: true });
-  } catch (error) {
-    log('Error processing request:');
-    log(error);
-    return NextResponse.json({ error, success: false }, { status: 400 });
-  }
-}
-
-export const runtime = 'nodejs';

package/src/app/[variants]/(auth)/next-auth/error/AuthErrorPage.tsx

@@ -1,40 +0,0 @@
-'use client';
-
-import { signIn } from 'next-auth/react';
-import { useSearchParams } from '@/libs/next/navigation';
-import { memo } from 'react';
-
-import ErrorCapture from '@/components/Error';
-
-enum ErrorEnum {
-  AccessDenied = 'AccessDenied',
-  Configuration = 'Configuration',
-  Default = 'Default',
-  Verification = 'Verification',
-}
-
-const errorMap = {
-  [ErrorEnum.Configuration]:
-    'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
-  [ErrorEnum.AccessDenied]:
-    'Access was denied. Visit https://authjs.dev/reference/core/errors#accessdenied for more details. ',
-  [ErrorEnum.Verification]:
-    'Verification error, visit https://authjs.dev/reference/core/errors#verification for more details.',
-  [ErrorEnum.Default]:
-    'There was a problem when trying to authenticate. Visit https://authjs.dev/reference/core/errors for more details.',
-};
-
-export default memo(() => {
-  const search = useSearchParams();
-  const error = search.get('error') as ErrorEnum;
-  const props = {
-    error: {
-      cause: error,
-      message: errorMap[error] || 'Unknown error type.',
-      name: 'NextAuth Error',
-    },
-    reset: () => signIn(undefined, { callbackUrl: '/' }),
-  };
-  console.log('[NextAuth] Error:', props.error);
-  return <ErrorCapture {...props} />;
-});

package/src/app/[variants]/(auth)/next-auth/error/page.tsx

@@ -1,11 +0,0 @@
-import { Suspense } from 'react';
-
-import Loading from '@/components/Loading/BrandTextLoading';
-
-import AuthErrorPage from './AuthErrorPage';
-
-export default () => (
-  <Suspense fallback={<Loading debugId="Auth > Error" />}>
-    <AuthErrorPage />
-  </Suspense>
-);

package/src/app/[variants]/(auth)/next-auth/signin/AuthSignInBox.tsx

@@ -1,167 +0,0 @@
-'use client';
-
-import { BRANDING_NAME } from '@lobechat/business-const';
-import { DOCUMENTS_REFER_URL, PRIVACY_URL, TERMS_URL } from '@lobechat/const';
-import { Button, Skeleton, Text } from '@lobehub/ui';
-import { LobeHub } from '@lobehub/ui/brand';
-import { Col, Flex, Row } from 'antd';
-import { createStaticStyles } from 'antd-style';
-import { AuthError } from 'next-auth';
-import { signIn } from 'next-auth/react';
-import { useRouter, useSearchParams } from '@/libs/next/navigation';
-import { memo, useState } from 'react';
-import { useTranslation } from 'react-i18next';
-
-import BrandWatermark from '@/components/BrandWatermark';
-import AuthIcons from '@/components/NextAuth/AuthIcons';
-import { useUserStore } from '@/store/user';
-
-const styles = createStaticStyles(({ css, cssVar }) => ({
-  button: css`
-    text-transform: capitalize;
-  `,
-  container: css`
-    min-width: 360px;
-    border: 1px solid ${cssVar.colorBorder};
-    border-radius: ${cssVar.borderRadiusLG}px;
-    background: ${cssVar.colorBgContainer};
-  `,
-  contentCard: css`
-    padding-block: 2.5rem;
-    padding-inline: 2rem;
-  `,
-  description: css`
-    margin: 0;
-    color: ${cssVar.colorTextSecondary};
-  `,
-  footer: css`
-    padding: 1rem;
-    border-block-start: 1px solid ${cssVar.colorBorder};
-    border-radius: 0 0 8px 8px;
-
-    color: ${cssVar.colorTextDescription};
-
-    background: ${cssVar.colorBgElevated};
-  `,
-  text: css`
-    text-align: center;
-  `,
-  title: css`
-    margin: 0;
-    color: ${cssVar.colorTextHeading};
-  `,
-}));
-
-const BtnListLoading = memo(() => {
-  return (
-    <Flex gap={'small'} vertical>
-      <Skeleton.Button active style={{ minWidth: 300 }} />
-      <Skeleton.Button active style={{ minWidth: 300 }} />
-      <Skeleton.Button active style={{ minWidth: 300 }} />
-    </Flex>
-  );
-});
-
-/**
- * Follow the implementation from AuthJS official documentation,
- * but using client components.
- * ref: https://authjs.dev/guides/pages/signin
- */
-export default memo(() => {
-  const { t } = useTranslation('auth');
-  const { t: tCommon } = useTranslation('common');
-  const router = useRouter();
-  const [loadingProvider, setLoadingProvider] = useState<string | null>(null);
-
-  const oAuthSSOProviders = useUserStore((s) => s.oAuthSSOProviders);
-
-  const searchParams = useSearchParams();
-
-  // Redirect back to the page url, fallback to '/' if failed
-  const callbackUrl = searchParams.get('callbackUrl') ?? '/';
-
-  const handleSignIn = async (provider: string) => {
-    setLoadingProvider(provider);
-    try {
-      await signIn(provider, { redirectTo: callbackUrl });
-    } catch (error) {
-      setLoadingProvider(null);
-      // Signin can fail for a number of reasons, such as the user
-      // not existing, or the user not having the correct role.
-      // In some cases, you may want to redirect to a custom error
-      if (error instanceof AuthError) {
-        return router.push(`/next-auth/?error=${error.type}`);
-      }
-
-      // Otherwise if a redirects happens Next.js can handle it
-      // so you can just re-thrown the error and let Next.js handle it.
-      // Docs: https://nextjs.org/docs/app/api-reference/functions/redirect#server-component
-      throw error;
-    }
-  };
-
-  const footerBtns = [
-    { href: DOCUMENTS_REFER_URL, id: 0, label: tCommon('document') },
-    { href: PRIVACY_URL, id: 1, label: t('footer.privacy') },
-    { href: TERMS_URL, id: 2, label: t('footer.terms') },
-  ];
-
-  return (
-    <div className={styles.container}>
-      <div className={styles.contentCard}>
-        {/* Card Body */}
-        <Flex gap="large" vertical>
-          {/* Header */}
-          <div className={styles.text}>
-            <Text as={'h4'} className={styles.title}>
-              <div>
-                <LobeHub size={48} />
-              </div>
-              {t('signin.title')}
-            </Text>
-            <Text as={'p'} className={styles.description}>
-              {t('signin.subtitle', { appName: BRANDING_NAME })}
-            </Text>
-          </div>
-          {/* Content */}
-          <Flex gap="small" vertical>
-            {oAuthSSOProviders ? (
-              oAuthSSOProviders.map((provider) => (
-                <Button
-                  className={styles.button}
-                  icon={AuthIcons(provider, 16)}
-                  key={provider}
-                  loading={loadingProvider === provider}
-                  onClick={() => handleSignIn(provider)}
-                >
-                  {provider}
-                </Button>
-              ))
-            ) : (
-              <BtnListLoading />
-            )}
-          </Flex>
-        </Flex>
-      </div>
-      <div className={styles.footer}>
-        {/* Footer */}
-        <Row>
-          <Col span={12}>
-            <Flex justify="left" style={{ height: '100%' }}>
-              <BrandWatermark />
-            </Flex>
-          </Col>
-          <Col offset={4} span={8}>
-            <Flex justify="right">
-              {footerBtns.map((btn) => (
-                <Button key={btn.id} onClick={() => router.push(btn.href)} size="small" type="text">
-                  {btn.label}
-                </Button>
-              ))}
-            </Flex>
-          </Col>
-        </Row>
-      </div>
-    </div>
-  );
-});

package/src/app/[variants]/(auth)/next-auth/signin/page.tsx

@@ -1,11 +0,0 @@
-import { Suspense } from 'react';
-
-import Loading from '@/components/Loading/BrandTextLoading';
-
-import AuthSignInBox from './AuthSignInBox';
-
-export default () => (
-  <Suspense fallback={<Loading debugId="Auth > SignIn" />}>
-    <AuthSignInBox />
-  </Suspense>
-);

package/src/app/[variants]/(auth)/reset-password/layout.tsx

@@ -1,12 +0,0 @@
-import { notFound } from '@/libs/next/navigation';
-import { type PropsWithChildren } from 'react';
-
-import { enableBetterAuth } from '@/envs/auth';
-
-const Layout = ({ children }: PropsWithChildren) => {
-  if (!enableBetterAuth) return notFound();
-
-  return children;
-};
-
-export default Layout;

package/src/app/[variants]/(auth)/signin/layout.tsx

@@ -1,12 +0,0 @@
-import { notFound } from '@/libs/next/navigation';
-import { type PropsWithChildren } from 'react';
-
-import { enableBetterAuth } from '@/envs/auth';
-
-const Layout = ({ children }: PropsWithChildren) => {
-  if (!enableBetterAuth) return notFound();
-
-  return children;
-};
-
-export default Layout;

package/src/app/[variants]/(auth)/verify-email/layout.tsx

@@ -1,12 +0,0 @@
-import { notFound } from '@/libs/next/navigation';
-import { type PropsWithChildren } from 'react';
-
-import { enableBetterAuth } from '@/envs/auth';
-
-const Layout = ({ children }: PropsWithChildren) => {
-  if (!enableBetterAuth) return notFound();
-
-  return children;
-};
-
-export default Layout;

package/src/envs/auth.test.ts

@@ -1,47 +0,0 @@
-import { afterEach, beforeEach, describe, expect, it } from 'vitest';
-
-import { getAuthConfig } from './auth';
-
-const ORIGINAL_ENV = { ...process.env };
-const ORIGINAL_WINDOW = globalThis.window;
-
-describe('getAuthConfig fallbacks', () => {
-  beforeEach(() => {
-    // reset env to a clean clone before each test
-    process.env = { ...ORIGINAL_ENV };
-    globalThis.window = ORIGINAL_WINDOW;
-  });
-
-  afterEach(() => {
-    process.env = { ...ORIGINAL_ENV };
-    globalThis.window = ORIGINAL_WINDOW;
-  });
-
-  it('should fall back to NEXT_AUTH_SSO_PROVIDERS when AUTH_SSO_PROVIDERS is empty string', () => {
-    process.env.AUTH_SSO_PROVIDERS = '';
-    process.env.NEXT_AUTH_SSO_PROVIDERS = 'logto,github';
-
-    // Simulate server runtime so @t3-oss/env treats this as server-side access
-    // (happy-dom sets window by default in Vitest)
-    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-    // @ts-expect-error - allow overriding for test
-    globalThis.window = undefined;
-
-    const config = getAuthConfig();
-
-    expect(config.AUTH_SSO_PROVIDERS).toBe('logto,github');
-  });
-
-  it('should fall back to NEXT_AUTH_SECRET when AUTH_SECRET is empty string', () => {
-    process.env.AUTH_SECRET = '';
-    process.env.NEXT_AUTH_SECRET = 'nextauth-secret';
-
-    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-    // @ts-expect-error - allow overriding for test
-    globalThis.window = undefined;
-
-    const config = getAuthConfig();
-
-    expect(config.AUTH_SECRET).toBe('nextauth-secret');
-  });
-});