
Add GitHub Authentication via Better Auth #16

Merged
0xdevcollins merged 2 commits into boundlessfi:main from 1sraeliteX:fix-navbar-bug
Jan 25, 2026

Conversation

1sraeliteX (Contributor) commented Jan 24, 2026

This PR implements GitHub authentication using Better Auth, enabling users to sign in with their GitHub accounts.

What’s included

Integrated Better Auth GitHub provider following official documentation

Added GitHub OAuth sign-in flow

Connected auth flow to the staging API
https://staging-api.boundlessfi.xyz

Ensured secure handling of OAuth credentials and callbacks

Verified successful login and session creation with GitHub accounts

Why

This improves onboarding and authentication UX by allowing users to sign in quickly using their existing GitHub accounts.

Testing

Confirmed GitHub OAuth flow completes successfully

Verified user session is created after login

Tested login against staging environment

Notes

Uses Better Auth as the authentication provider

No breaking changes to existing auth flows

Summary by CodeRabbit

Release Notes

  • New Features

    • Implemented GitHub authentication sign-in with real-time loading indicators
    • Added comprehensive error handling for authentication failures with user-friendly messaging
    • Integrated OAuth sign-in flow with error recovery mechanisms
  • Documentation

    • Added architecture and specification documents outlining GitHub authentication design
    • Created requirements and implementation plan for authentication feature

- Configure Better Auth client with staging API URL
- Add GitHub sign-in button with icon and loading states
- Implement OAuth flow initiation with authClient.signIn.social
- Add comprehensive error handling for OAuth, network, and popup errors
- Display user-friendly error messages in UI
- Clean up unused imports and improve code quality

Requirements: 1.1, 1.3, 1.4, 3.1-3.4, 4.1-4.2, 5.1-5.5, 6.1-6.7, 8.3-8.4, 9.1-9.5

This comment was marked as duplicate.

@0xdevcollins 0xdevcollins linked an issue Jan 25, 2026 that may be closed by this pull request

coderabbitai bot commented Jan 25, 2026

Tip

For best results, initiate chat on the files or code changes.

@0xdevcollins, hello! How can I assist you with this PR? I'm here to help with:

  • Code review: Review specific files or changes
  • Questions: Answer questions about the implementation
  • Analysis: Analyze patterns, dependencies, or architecture
  • Code generation: Help with tests, documentation, or refactoring
  • Troubleshooting: Debug issues or investigate concerns

Just let me know what you need!

0xdevcollins (Contributor) commented Jan 25, 2026

@coderabbitai Review the PR against the issue #1


coderabbitai bot commented Jan 25, 2026

🧩 Analysis chain

I'll review this PR against issue #1. Let me first fetch the issue details to understand the requirements.


🏁 Script executed:

#!/bin/bash
# Fetch issue `#1` details
gh issue view 1 --json title,body,labels,assignees,state --repo boundlessfi/bounties

Length of output: 1713


Now let me fetch the PR files to review the implementation against the issue requirements.


🏁 Script executed:

#!/bin/bash
# Get the list of files changed in PR `#16`
gh pr view 16 --json files --jq '.files[] | {path: .path, additions: .additions, deletions: .deletions}' --repo boundlessfi/bounties

echo "---"

# Get the diff for the PR
gh pr diff 16 --repo boundlessfi/bounties

Length of output: 49057


@0xdevcollins, I've reviewed PR #16 against issue #1. Here's my detailed analysis:

✅ Requirements Coverage

Scope Requirements

All three core scope items from issue #1 are fully implemented:

  1. ✅ Implement GitHub OAuth via Better Auth

    • Auth client configured with GitHub provider support
    • Button triggers authClient.signIn.social({ provider: "github" })
  2. ✅ Wire it up to staging API

    • baseURL changed to "https://staging-api.boundlessfi.xyz"
    • No production URLs or environment variables
  3. ✅ End-to-end login flow works

    • OAuth initiation implemented
    • Session management handled by Better Auth
    • Loading and error states properly managed

File Updates

lib/auth-client.ts:

  • ✅ Configured with staging API base URL
  • ✅ No hardcoded secrets
  • ✅ Error message utility present

components/login/sign-in.tsx:

  • ✅ "Sign in with GitHub" button added with GitHub icon
  • ✅ Loading states implemented (button disables, shows spinner)
  • ✅ Comprehensive error handling:
    • Popup blocked errors
    • OAuth failures
    • Network errors
    • Generic fallback errors
  • ✅ Error messages display to users
  • ✅ Button re-enables for retry

Acceptance Criteria

  1. ✅ Users can sign in using GitHub on staging - Implementation complete
  2. ✅ Auth flow redirects correctly - Better Auth handles this
  3. ✅ Session persistence - Better Auth manages automatically
  4. ✅ Error handling - Comprehensive coverage with specific messages
  5. ✅ No hardcoded secrets - None found in client code
  6. ✅ Matches Better Auth setup - Follows official documentation patterns

🎯 Strengths

  1. Excellent error UX - Specific, user-friendly error messages for different failure scenarios
  2. Clean state management - Loading states prevent duplicate submissions
  3. Great documentation - Detailed design doc, requirements, and task breakdown added
  4. Best practices - Proper try-catch-finally pattern, TypeScript usage

💡 Observations

  1. Spec files added - The .kiro/specs/github-auth/ directory contains thorough planning documents (design.md, requirements.md, tasks.md). This is excellent for maintainability but wasn't required by the issue.

  2. Package updates - TypeScript type packages updated to specific versions (@types/react to 19.2.9, @types/react-dom to 19.2.3)

  3. Testing status - The tasks.md shows unit tests are marked as optional and not yet implemented. While not required by issue #1, consider adding tests for production readiness.

✅ Verdict

This PR fully satisfies all requirements from issue #1. The implementation is production-ready with excellent error handling and user experience. The developer has exceeded expectations by providing comprehensive documentation and going beyond the minimum requirements.

The only recommendation would be to add unit tests before deploying to production, as outlined in the tasks.md file.

@0xdevcollins (Contributor)

@coderabbitai full review


coderabbitai bot commented Jan 25, 2026

✅ Actions performed

Full review triggered.


coderabbitai bot commented Jan 25, 2026

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

This PR adds GitHub OAuth authentication using Better Auth. It includes design and implementation specifications, updates the auth client to use the staging API endpoint, implements the GitHub sign-in flow with loading and error state management in the sign-in component, and updates React type definitions.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GitHub Auth Specifications: .kiro/specs/github-auth/design.md, .kiro/specs/github-auth/requirements.md, .kiro/specs/github-auth/tasks.md | Added comprehensive documentation for GitHub OAuth feature: design document with OAuth 2.0 flow and client-side architecture, requirements document with acceptance criteria and user stories, and implementation plan with phased tasks, error handling strategies, and testing approach. |
| Sign-In Component Implementation: components/login/sign-in.tsx | Implemented GitHub OAuth sign-in flow with handleGitHubSignIn function, added loading state indicator (Loader2 spinner), error state management with specialized error messages for popup blocks and OAuth failures, and wired onClick handler to the GitHub button. |
| Authentication Client: lib/auth-client.ts | Updated authClient baseURL from environment variable NEXT_PUBLIC_APP_URL to hard-coded staging API endpoint https://staging-api.boundlessfi.xyz. |
| Dependencies: package.json | Bumped @types/react from ^19 to ^19.2.9 and @types/react-dom from ^19 to ^19.2.3 (patch-level updates). |
| IDE Configuration: .vscode/settings.json | Added empty VSCode settings file. |

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant SignInComponent as Sign-In Component
    participant AuthClient as Auth Client
    participant StagingAPI as Staging API
    participant GitHub as GitHub OAuth

    User->>SignInComponent: Click "Sign in with GitHub"
    activate SignInComponent
    SignInComponent->>SignInComponent: Set loading = true
    SignInComponent->>SignInComponent: Show Loader2 spinner
    SignInComponent->>AuthClient: authClient.signIn.social({ provider: "github" })
    deactivate SignInComponent
    
    activate AuthClient
    AuthClient->>StagingAPI: Redirect to OAuth initialization
    deactivate AuthClient
    
    activate StagingAPI
    StagingAPI->>GitHub: Initiate OAuth code flow
    deactivate StagingAPI
    
    activate GitHub
    GitHub->>User: Present login & consent screen
    User->>GitHub: Authorize application
    GitHub->>StagingAPI: Return authorization code
    deactivate GitHub
    
    activate StagingAPI
    StagingAPI->>StagingAPI: Exchange code for session token
    StagingAPI->>AuthClient: Redirect with session
    deactivate StagingAPI
    
    activate SignInComponent
    SignInComponent->>SignInComponent: Session established
    SignInComponent->>SignInComponent: Set loading = false
    SignInComponent->>User: Navigate to authenticated route
    deactivate SignInComponent

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

  • Implement github auth with better-auth #1: Directly implements the GitHub OAuth authentication feature using Better Auth with staging API integration, including sign-in button wiring, loading/error state management, and comprehensive design specifications.

Poem

🐰 A GitHub door swings open wide,
With OAuth's gentle guiding tide,
Loading states and errors clear,
The bunny hops with Easter cheer!
Authentication's done just right, 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title 'Add GitHub Authentication via Better Auth' accurately summarizes the main change: implementing GitHub OAuth authentication using the Better Auth library. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.kiro/specs/github-auth/design.md:
- Around line 19-20: The design doc triggers markdownlint MD040/MD034 because
fenced code blocks lack language tags and bare URLs are not wrapped; update each
affected fenced block (the blocks containing the example snippet and the other
occurrences referenced) by adding an explicit language tag like "text" after the
opening ``` and wrap the URL https://staging-api.boundlessfi.xyz in inline code
ticks (`https://staging-api.boundlessfi.xyz`) inside the block so the fenced
block becomes ```text and the URL is not bare; apply the same change to the
other occurrences noted in the review.

In @.kiro/specs/github-auth/requirements.md:
- Line 5: The markdown contains a bare URL "https://staging-api.boundlessfi.xyz"
which triggers MD034; update the text in the requirements document to wrap that
URL in angle brackets (<https://staging-api.boundlessfi.xyz>) or convert it to a
proper markdown link (e.g., [staging API](https://staging-api.boundlessfi.xyz))
so the URL is no longer bare; ensure the visible text still conveys the staging
API endpoint.

In @.kiro/specs/github-auth/tasks.md:
- Around line 9-12: Wrap the bare URL in the task list by surrounding the URL
string "https://staging-api.boundlessfi.xyz" with angle brackets (i.e.
<https://staging-api.boundlessfi.xyz>) so the list line "- Set baseURL to
"https://staging-api.boundlessfi.xyz"" becomes "- Set baseURL to
<https://staging-api.boundlessfi.xyz>" to satisfy markdownlint MD034; also scan
other task lines for any other bare URLs and wrap them similarly.
♻️ Duplicate comments (2)
.vscode/settings.json (1)

1-2: Empty workspace settings file adds noise.

If there are no workspace settings to enforce, consider removing this file; otherwise add the intended settings.

lib/auth-client.ts (1)

3-5: Prefer env-configured base URL with staging fallback.

Hardcoding staging makes it harder to deploy the same build to different environments. Consider sourcing from a public env var with a staging default.

♻️ Suggested adjustment
 export const authClient = createAuthClient({
-  baseURL: "https://staging-api.boundlessfi.xyz",
+  baseURL:
+    process.env.NEXT_PUBLIC_AUTH_BASE_URL ??
+    "https://staging-api.boundlessfi.xyz",
 });
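Review bot: On the `baseURL` line, the `??` fallback only applies when `process.env.NEXT_PUBLIC_AUTH_BASE_URL` is null or undefined, so a variable that is set but empty is passed through as the base URL, and a build where the variable is missing silently authenticates against staging. Since this value decides which origin the GitHub sign-in is sent to, consider treating an empty value as unset and throwing at startup when it is missing outside local development, rather than defaulting. The walkthrough above says the previous code read `NEXT_PUBLIC_APP_URL`; if a new variable name is intended, document it alongside the change.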

Comment on lines +19 to +20
```
┌─────────────────────────────────────────────────────────────┐

⚠️ Potential issue | 🟡 Minor

Fix markdownlint MD040/MD034 in design doc.

Add language tags to fenced blocks and wrap the bare URL to avoid lint failures.

📝 Suggested edits
-```
+```text
 ...
-For the auth client instance, the baseURL should be set to "https://staging-api.boundlessfi.xyz" and should not contain any production domain references.
+For the auth client instance, the baseURL should be set to "`https://staging-api.boundlessfi.xyz`" and should not contain any production domain references.
 ...
-```
+```text
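Review bot: The last `-```` / `+```text` pair needs checking against the file: if that line is the closing fence of the block opened above, adding `text` to it makes it ordinary content of the block (a closing fence cannot carry an info string) and leaves the block unclosed. If the `baseURL` sentence sits inside the fenced block, as the `...` context lines suggest, the added backticks will also render literally there. State which of lines 19, 239 and 433-434 each of the three edits applies to.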

Also applies to: 239-239, 433-434

🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

19-19: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
In @.kiro/specs/github-auth/design.md around lines 19 - 20, The design doc
triggers markdownlint MD040/MD034 because fenced code blocks lack language tags
and bare URLs are not wrapped; update each affected fenced block (the blocks
containing the example snippet and the other occurrences referenced) by adding
an explicit language tag like "text" after the opening ``` and wrap the URL
https://staging-api.boundlessfi.xyz in inline code ticks
(`https://staging-api.boundlessfi.xyz`) inside the block so the fenced block
becomes ```text and the URL is not bare; apply the same change to the other
occurrences noted in the review.


## Introduction

This document specifies the requirements for implementing GitHub OAuth authentication using Better Auth, connected to the staging API at https://staging-api.boundlessfi.xyz. The system will allow users to sign in with their GitHub accounts, with proper session management, loading states, and error handling.

⚠️ Potential issue | 🟡 Minor

Wrap bare URL to satisfy markdownlint.

If markdownlint is enforced, this will flag MD034.

📝 Suggested edit
-This document specifies the requirements for implementing GitHub OAuth authentication using Better Auth, connected to the staging API at https://staging-api.boundlessfi.xyz. The system will allow users to sign in with their GitHub accounts, with proper session management, loading states, and error handling.
+This document specifies the requirements for implementing GitHub OAuth authentication using Better Auth, connected to the staging API at `https://staging-api.boundlessfi.xyz`. The system will allow users to sign in with their GitHub accounts, with proper session management, loading states, and error handling.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
This document specifies the requirements for implementing GitHub OAuth authentication using Better Auth, connected to the staging API at https://staging-api.boundlessfi.xyz. The system will allow users to sign in with their GitHub accounts, with proper session management, loading states, and error handling.
This document specifies the requirements for implementing GitHub OAuth authentication using Better Auth, connected to the staging API at `https://staging-api.boundlessfi.xyz`. The system will allow users to sign in with their GitHub accounts, with proper session management, loading states, and error handling.
🤖 Prompt for AI Agents
In @.kiro/specs/github-auth/requirements.md at line 5, The markdown contains a
bare URL "https://staging-api.boundlessfi.xyz" which triggers MD034; update the
text in the requirements document to wrap that URL in angle brackets
(<https://staging-api.boundlessfi.xyz>) or convert it to a proper markdown link
(e.g., [staging API](https://staging-api.boundlessfi.xyz)) so the URL is no
longer bare; ensure the visible text still conveys the staging API endpoint.

Comment on lines +9 to +12
- [x] 1. Configure Better Auth client for staging API
- Update `lib/auth-client.ts` to use staging API base URL
- Set baseURL to "https://staging-api.boundlessfi.xyz"
- Ensure no production URLs or hardcoded secrets

⚠️ Potential issue | 🟡 Minor

Wrap bare URL in tasks list.

This prevents markdownlint MD034 if it runs in CI.

📝 Suggested edit
-  - Set baseURL to "https://staging-api.boundlessfi.xyz"
+  - Set baseURL to "`https://staging-api.boundlessfi.xyz`"
📝 Committable suggestion


Suggested change
- [x] 1. Configure Better Auth client for staging API
- Update `lib/auth-client.ts` to use staging API base URL
- Set baseURL to "https://staging-api.boundlessfi.xyz"
- Ensure no production URLs or hardcoded secrets
- [x] 1. Configure Better Auth client for staging API
- Update `lib/auth-client.ts` to use staging API base URL
- Set baseURL to "`https://staging-api.boundlessfi.xyz`"
- Ensure no production URLs or hardcoded secrets
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

11-11: Bare URL used

(MD034, no-bare-urls)

🤖 Prompt for AI Agents
In @.kiro/specs/github-auth/tasks.md around lines 9 - 12, Wrap the bare URL in
the task list by surrounding the URL string
"https://staging-api.boundlessfi.xyz" with angle brackets (i.e.
<https://staging-api.boundlessfi.xyz>) so the list line "- Set baseURL to
"https://staging-api.boundlessfi.xyz"" becomes "- Set baseURL to
<https://staging-api.boundlessfi.xyz>" to satisfy markdownlint MD034; also scan
other task lines for any other bare URLs and wrap them similarly.
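
The review's suggestion for `lib/auth-client.ts` (an env-configured base URL with a staging fallback) can be made to fail closed. The following is an added example, not code from this PR or from Better Auth: `resolveAuthBaseURL`, the `APP_ENV` variable, the per-stage allowlist and the production placeholder host are all assumptions; only the staging origin and `NEXT_PUBLIC_AUTH_BASE_URL` appear on the page.

```typescript
// Added example: hypothetical helper, not code from PR #16 or from Better Auth.
type Env = Record<string, string | undefined>;

// Assumption: origins each deployment stage may authenticate against.
// Only the staging origin comes from the page; the others are placeholders.
const ALLOWED_AUTH_ORIGINS: Record<string, string[]> = {
  development: ["https://staging-api.boundlessfi.xyz", "http://localhost:3000"],
  staging: ["https://staging-api.boundlessfi.xyz"],
  production: ["https://api.example.invalid"], // placeholder, not a real host
};

function resolveAuthBaseURL(env: Env): string {
  const stage = env.APP_ENV ?? "development"; // APP_ENV is a hypothetical name
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_AUTH_ORIGINS, stage)) {
    throw new Error(`unknown APP_ENV: ${stage}`);
  }
  const allowed = ALLOWED_AUTH_ORIGINS[stage];

  // `??` alone lets an empty string through, so normalise before testing.
  const raw = (env.NEXT_PUBLIC_AUTH_BASE_URL ?? "").trim();
  if (raw === "") {
    // A silent default is only acceptable for local development.
    if (stage === "development") {
      return allowed[0];
    }
    throw new Error(`NEXT_PUBLIC_AUTH_BASE_URL must be set for ${stage}`);
  }

  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new Error("NEXT_PUBLIC_AUTH_BASE_URL is not a valid absolute URL");
  }

  // Credentials embedded in the URL would end up in the client bundle.
  if (url.username !== "" || url.password !== "") {
    throw new Error("auth base URL must not contain credentials");
  }

  // Comparing origins (scheme + host + port) rejects http:// downgrades and
  // a production build that was pointed at the staging API by mistake.
  if (allowed.indexOf(url.origin) === -1) {
    throw new Error(`origin ${url.origin} is not allowed for ${stage}`);
  }
  return url.origin;
}
```

In Next.js, `NEXT_PUBLIC_` variables are inlined at build time, so the check runs against the values the bundle was built with.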

@0xdevcollins 0xdevcollins merged commit a5b2b16 into boundlessfi:main Jan 25, 2026
6 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Jan 25, 2026
18 tasks
DanielEmmanuel1 pushed a commit to DanielEmmanuel1/bounties that referenced this pull request Jan 26, 2026
Add GitHub Authentication via Better Auth