
feat: migrate from NextAuth v5 to Better Auth #44

Merged
chriskehayias merged 2 commits into main from feature/migrate-better-auth
Feb 20, 2026

Conversation

@chriskehayias
Contributor

Summary

  • Replace NextAuth v5 (beta) with Better Auth for OAuth authentication against Ministry Platform's OIDC endpoints. NextAuth v5 never reached stable release and is now in maintenance mode; Better Auth is the canonical successor.
  • Stateless JWT sessions with cookie cache — no database required. OAuth sub claim (MP User_GUID) stored as user.userGuid via additionalFields + mapProfileToUser, since Better Auth generates its own internal user.id.
  • Improved error propagation in server actions and HTTP client — real MP API error messages now surface instead of generic "Failed to fetch" messages.

Changes by area

New files:

  • src/lib/auth.ts — Better Auth server config (genericOAuth, customSession, nextCookies plugins)
  • src/lib/auth-client.ts — Client-side auth client
  • src/app/api/auth/[...all]/route.ts — Better Auth route handler
  • .claude/references/auth.md — Detailed auth reference documentation

Modified (auth migration):

  • src/proxy.ts — getSessionCookie() replaces getToken() from next-auth/jwt
  • src/app/providers.tsx — Removed SessionProvider, simplified to UserProvider only
  • src/app/signin/page.tsx — Uses authClient.signIn.oauth2() / authClient.getSession()
  • src/contexts/user-context.tsx — Uses authClient.useSession(), reads userGuid for profile loading
  • src/contexts/session-context.tsx — Simplified to useAppSession() wrapper
  • src/components/layout/auth-wrapper.tsx — Uses auth.api.getSession()
  • src/components/user-menu/actions.ts — Custom OIDC logout via auth.api.signOut()
  • Server actions (contact-logs, contact-lookup-details, user-tools-debug) — Use userGuid for MP lookups, improved error propagation
  • src/lib/providers/ministry-platform/utils/http-client.ts — GET errors now include response body
  • .env.example, CLAUDE.md, README.md — Updated for Better Auth

Deleted:

  • src/auth.ts (NextAuth config)
  • src/types/next-auth.d.ts (NextAuth type augmentation)
  • src/lib/providers/ministry-platform/auth/auth-provider.ts (NextAuth-specific provider)

Tests rewritten:

  • src/auth.test.ts — Tests customSession name splitting, userGuid mapping, OAuth config
  • src/proxy.test.ts — Mocks better-auth/cookies instead of next-auth/jwt

Test plan

  • Build passes (npm run build)
  • All tests pass (npm run test:run) — 137 tests across 6 files
  • OAuth login flow: visit app → redirect to signin → MP OAuth → callback → authenticated
  • Verify user.userGuid is populated after login (check session in browser devtools)
  • User profile loads in header (name, avatar via UserProvider)
  • Session persists across page refresh
  • OIDC logout: sign out → MP endsession → redirect back → signed out
  • Route protection: unauthenticated access to protected route → redirect to signin
  • Server actions work (e.g., create/edit contact log) — auth checks + userGuid lookups
  • OAuth callback URL configured in MP: /api/auth/oauth2/callback/ministry-platform

Generated with Claude Code
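
The RP-initiated OIDC logout round trip listed above (sign out → end-session endpoint → redirect back), sketched as an added example that is not code from this pull request or from Better Auth. The origin, endpoint URL, token and state values are constructed placeholders; the query parameter names come from the OpenID Connect RP-Initiated Logout specification.

```javascript
// Added example. Hosts, paths and token values are constructed placeholders.
const APP_ORIGIN = "https://app.example.org";
const END_SESSION_ENDPOINT = "https://idp.example.org/connect/endsession";

// Accept a caller-supplied return target only if it resolves to our own origin.
function safeReturnUrl(candidate, appOrigin = APP_ORIGIN) {
  const fallback = new URL("/signin", appOrigin).toString();
  if (typeof candidate !== "string" || candidate === "") return fallback;
  try {
    // Resolving against our origin also normalises "//host" and "\\host" forms.
    const resolved = new URL(candidate, appOrigin);
    return resolved.origin === appOrigin ? resolved.toString() : fallback;
  } catch {
    return fallback;
  }
}

// Build the end-session redirect with the RP-Initiated Logout parameters.
function buildLogoutUrl({ idToken, returnTo, state, endpoint = END_SESSION_ENDPOINT }) {
  const url = new URL(endpoint);
  if (url.protocol !== "https:") throw new Error("end-session endpoint must be https");
  if (!state) throw new Error("state is required to bind the logout round trip");
  if (idToken) url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", safeReturnUrl(returnTo));
  url.searchParams.set("state", state);
  return url.toString();
}

// On the way back, accept the redirect only if it carries the state we issued.
function isExpectedLogoutReturn(returnUrl, issuedState, appOrigin = APP_ORIGIN) {
  const url = new URL(returnUrl, appOrigin);
  return url.origin === appOrigin && url.searchParams.get("state") === issuedState;
}

// Constructed sample: an off-origin return target is replaced by the sign-in page.
const sample = buildLogoutUrl({
  idToken: "eyJhbGciOi.constructed.token",
  returnTo: "//other.example/landing",
  state: "s-4f2a",
});
console.log(sample);
```

The value sent as post_logout_redirect_uri still has to be registered with the identity provider, in the same way as the OAuth callback URL in the test plan.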

chriskehayias and others added 2 commits February 20, 2026 17:13
Replace NextAuth v5 (beta) with Better Auth for OAuth authentication
against Ministry Platform's OIDC endpoints.

Key changes:
- New auth config (src/lib/auth.ts) with genericOAuth, customSession,
  and nextCookies plugins
- New auth client (src/lib/auth-client.ts) for client-side hooks
- Route handler renamed from [...nextauth] to [...all]
- Proxy uses getSessionCookie() instead of getToken() from next-auth/jwt
- Session uses JWT cookie cache (stateless, no database)
- OAuth sub claim stored as user.userGuid via additionalFields +
  mapProfileToUser (Better Auth generates its own internal user.id)
- customSession only does lightweight name splitting (no API calls)
- User profile loading moved to client-side UserProvider
- Server actions use userGuid for MP API lookups
- Custom RP-initiated OIDC logout preserved
- Auth reference doc added at .claude/references/auth.md
- Error propagation improved in server actions and HTTP client
- Pre-existing const reassignment bug fixed in generate-types.ts

Removed:
- src/auth.ts (NextAuth config)
- src/types/next-auth.d.ts (NextAuth type augmentation)
- src/lib/providers/ministry-platform/auth/auth-provider.ts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@chriskehayias chriskehayias merged commit 0c8b11a into main Feb 20, 2026
@chriskehayias chriskehayias deleted the feature/migrate-better-auth branch February 20, 2026 22:32