feat: Migrate from NextAuth to Better Auth since the future of Auth.js is clearly Better Auth

[nwp]

Summary

Given the recent announcement, I think the writing is on the wall for Auth.js (NextAuth) and we should, therefore, consider migrating to Better Auth.

This PR completes the comprehensive migration from Auth.js (NextAuth.js) to Better Auth, modernizing the authentication system while preserving all existing functionality. The migration brings improved type safety, better developer experience, and more flexible authentication patterns.

Key Changes

• Authentication Library: Replaced NextAuth.js v5 with BetterAuth v1.3.23
• ype Safety: Migrated to BetterAuth's fully type-safe authentication API
• Session Management: Removed SessionProvider dependency, leveraging BetterAuth's built-in session handling
• Security: Maintained existing bcrypt password hashing and guest user system
• Architecture: Updated 30+ files across auth flows, API routes, and React components

Other Changes

• Updated authentication imports from next-auth/react to custom auth client
• Changed authentication API calls to use BetterAuth's signInEmail() method
• Removed NextAuth configuration files (auth.config.ts, auth.ts)
• Updated middleware to use BetterAuth session API

Migration Details

• Auth Configuration: New lib/auth.ts with Drizzle adapter and email/password provider
• Client Setup: New lib/auth-client.ts with React hooks for session management
• API Routes: Updated to use BetterAuth's Next.js handler at /api/auth/[...all]
• Server Actions: Migrated to use BetterAuth's authentication API with proper header handling
• Components: Updated all authentication-related React components and hooks
• Middleware: Enhanced route protection using BetterAuth's session API

Preserved Functionality

✅ Email/password authentication
✅ Guest user system with automatic creation
✅ Route protection and redirects
✅ Session persistence and management
✅ Custom password hashing with bcrypt-ts
✅ User type identification (guest vs regular)

Testing Required (DO NOT CONSIDER MERGE UNTIL COMPLETE)

• Login flow with valid credentials
• Registration with new accounts
• Guest user automatic creation and identification
• Route protection for authenticated/unauthenticated users
• Session persistence across page reloads
• Sign-out functionality
• Error handling for invalid credentials

Dependencies

• Added: better-auth@^1.3.23
• Removed: next-auth@^5.0.0-beta.25
• Updated: Type definitions and imports across the codebase

Closes #1

[vercel]

@nwp is attempting to deploy a commit to the Vercel Team on Vercel.

A member of the Team first needs to authorize it.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	better-auth@​1.3.23

View full report

[lordsoffallen]

at GET (app/(auth)/api/auth/guest/route.ts:46:11)

44 | }
45 |

46 | throw new Error('Guest sign-in failed')
| ^
47 | } catch (error) {
48 | console.error('Guest authentication error:', error)
49 | return NextResponse.redirect(new URL("/login", request.url))
GET /api/auth/guest?redirectUrl=http%3A%2F%2Flocalhost%3A3000%2Flogin 307 in 357ms

Right now it does not work, creates infinite loop locally

[1qh]

@nwp Currently it doesn't work, can you take a look?

[nwp]

Yes, I will. I actually hadn’t intended to submit this to the definitive repo, but to work on it more in my fork. That being said, it’s a worthy effort and I’d like to get it merged in officially so I’d update this with additional changes.

[lordsoffallen]

#1171 -> This one mostly done and it works. I did some minor changes on top but it's good to go.

[nwp]

I’m okay with that. I just think the commit history of that should be cleaned up and the GitHub description should be updated to be much more comprehensive. I’ll close this one.