Skip to content

Implement BetterAuth IDP: auth config, Prisma, UI components, layouts, auth/account/admin pages, API routes#2

Draft
JackatDJL with Copilot wants to merge 12 commits into
foundation-idfrom
copilot/implement-betterauth-idp
Draft

Implement BetterAuth IDP: auth config, Prisma, UI components, layouts, auth/account/admin pages, API routes#2
JackatDJL with Copilot wants to merge 12 commits into
foundation-idfrom
copilot/implement-betterauth-idp

Conversation

Copilot AI commented Mar 6, 2026

Copy link
Copy Markdown

Implements BetterAuth as the DJL Foundation's identity provider (serverless Keycloak alternative). Includes updated plan based on reviewer feedback, full auth configuration with Prisma adapter, UI components, dual layout system, auth pages, account management, admin panel, email templates, and API routes.

Plan Updated (PLAN.md)

Incorporated all reviewer feedback:

  • Prisma adapter instead of raw pg driver
  • bun as package manager
  • React Hook Form for all forms
  • Dual layout system: FullLayout (navbar+footer) for main pages, AuthLayout (minimal centered card) for auth pipeline pages
  • Better Auth i18n plugin for auth return messages
  • TOTP 2FA integrated into sign-in page (no separate 2FA route)
  • API Key management in account page (admin-only section)
  • @simplewebauthn/browser removed — Better Auth client provides passkey support natively
  • Turnstile CAPTCHA plugin + x-captcha-response headers in client requests
  • user.deleteUser hook auto-calls /api/user/delete-account endpoint on deletion
  • about.tsx deleted as requested

Auth Core (src/lib/auth.ts)

Full Better Auth server config with Prisma adapter and 12 plugins: tanstackStartCookies, username, twoFactor (TOTP), passkey, admin, openAPI, apiKey, organization, captcha (Turnstile, conditional), haveIBeenPwned, jwt, lastLoginMethod. Conditional Google/GitHub social providers. Database hook for user deletion broadcasting.

Auth Client (src/lib/auth-client.ts)

Client config with 8 plugins: usernameClient, twoFactorClient, passkeyClient, adminClient, apiKeyClient, organizationClient, jwtClient, lastLoginMethodClient.

Email System

  • 4 React Email templates: verification, password-reset, organization-invite, welcome
  • Resend client with graceful null handling when API key is not set
  • Email sending logic wired into auth config

UI Components & Layouts

  • 17 Shadcn UI components created manually (button, input, label, card, dialog, dropdown-menu, form, table, tabs, badge, alert, avatar, separator, skeleton, sonner, sheet, select)
  • FullLayout: Sticky navbar with DJL Foundation branding, nav links, admin-guarded link, user dropdown, locale switcher, theme toggle + footer
  • AuthLayout: Minimal centered card layout with logo/back button for auth pipeline pages

Pages Implemented

  • Auth pages: sign-in (with integrated TOTP 2FA flow), sign-up, forgot-password, reset-password, verify-email
  • Account pages: profile/settings (with admin-only API key section), security (2FA/sessions/passkeys), delete account, organizations
  • Admin pages: dashboard, user management (list/search/impersonate/delete), organization management

API Routes

  • api/auth/$ — Better Auth catch-all handler
  • api/user/delete-account — Returns 500 "Unimplemented" (broadcast hook placeholder)
  • api/internal/auth-urls — Exposes auth API URLs locked behind API key validation

Foundation

  • Prisma initialized with PostgreSQL provider
  • Environment variables schema updated (env.ts) with all required vars
  • .env.example created
  • German set as base locale in Paraglide settings

Remaining Work (not completed due to time)

  • Root index.tsx update (signed-in dashboard vs signed-out info message)
  • Org sub-pages ($orgId/index, members, settings)
  • Full i18n translations (de.json/en.json)
  • Build verification, testing, final polish

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Co-authored-by: JackatDJL <71508487+JackatDJL@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement Betterauth as an authentication provider Add BetterAuth IDP implementation plan and install agent skills Mar 6, 2026

@JackatDJL JackatDJL left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot I think that's it. Please read my Feedback, edit the PLAN and then start implementing ;)
And please use Subagents!

Comment thread PLAN.md Outdated
- [ ] **0.3** Create `.env.example` with all env var placeholders
- [ ] **0.4** Update `.gitignore` if needed (ensure `.env`, `node_modules`, `.nitro`, `.output`, `src/paraglide` are ignored)
- [ ] **0.5** Install all required dependencies:
- `pg` (PostgreSQL driver)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer you do it through Prisma.
Small note on the side: You can actually spawn a PostgreSQL DB in Prisma through their CLI. Could be useful for Testing

Comment thread PLAN.md
- `pg` (PostgreSQL driver)
- `resend` (email sending)
- `@react-email/components` (React Email templates)
- `@marsidev/react-turnstile` (CAPTCHA client widget)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct! Dont forget to add the Plugin for it into the auth.ts and dont forget to add the headers to each request!
fetchOptions: {
headers: {
"x-captcha-response": turnstileToken,
},
},

Comment thread PLAN.md Outdated
- `resend` (email sending)
- `@react-email/components` (React Email templates)
- `@marsidev/react-turnstile` (CAPTCHA client widget)
- `@simplewebauthn/browser` (passkey client)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't need that, the betterauth client provides it automatically (it uses it in its src).
https://better-auth.com/docs/plugins/passkey

Comment thread PLAN.md Outdated
- `VITE_TURNSTILE_SITE_KEY`
- [ ] **0.3** Create `.env.example` with all env var placeholders
- [ ] **0.4** Update `.gitignore` if needed (ensure `.env`, `node_modules`, `.nitro`, `.output`, `src/paraglide` are ignored)
- [ ] **0.5** Install all required dependencies:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use bun!
if not installed, run 'curl -fsSL https://bun.sh/install | bash'!

Always run bun update --latest to force latest versions!

Comment thread PLAN.md Outdated
## Phase 1: Database & Better Auth Core Configuration

- [ ] **1.1** Configure `src/lib/auth.ts` — Full Better Auth server config:
- PostgreSQL database adapter (`pg` Pool)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prisma Adapter

Comment thread PLAN.md Outdated
- [ ] **5.1** Update `project.inlang/settings.json`: set `baseLocale: "de"`, `locales: ["de", "en"]`
- [ ] **5.2** Update `messages/de.json` — Complete German translations for all UI strings:
- Navigation, buttons, form labels, error messages
- Auth-related: sign in, sign up, sign out, password, email, etc.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Betterauth provides an i18n plugin for its return messages: https://better-auth.com/docs/plugins/i18n

Comment thread PLAN.md Outdated

## Phase 6: UI — Pages & Components

### Layout & Navigation

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The IPD shouldn't have a Header and Footer by default:
I want the "Bigger" Pages like Root, User Management, Auth Management and the Dashboard to have a navbar at the top (obviously, only admins can see and access the Admin Dash). Those pages should also have a footer where a Paraglide Dropdown Language Selector reside,s and the Theme toggle
The main auth pages, like sign in, forget password (essentially all auth pages that are in somewhat of a pipeline)... should only have a logo at the top left (or a back button) and only have a centred card with the "form".

Use React Hook Form!!!

Comment thread PLAN.md Outdated
- [ ] **6.4** `src/routes/index.tsx` — Root route:
- **Signed out:** Message explaining this is the DJL Foundation's authentication provider
- **Signed in:** Small dashboard with miscellaneous user info (name, email, last login method, session info, linked accounts, etc.)
- [ ] **6.5** Remove or repurpose `src/routes/about.tsx` (not required)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

delete it

Comment thread PLAN.md Outdated
- [ ] **6.8** `src/routes/auth/forgot-password.tsx` — Password reset request
- [ ] **6.9** `src/routes/auth/reset-password.tsx` — Password reset form (with token)
- [ ] **6.10** `src/routes/auth/verify-email.tsx` — Email verification handler
- [ ] **6.11** `src/routes/auth/two-factor.tsx` — 2FA verification page (TOTP entry)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please combine the two factor auth with the sign-in page!
And of the two options i want to use TOTP
https://better-auth.com/docs/plugins/2fa

Comment thread PLAN.md Outdated
- Change password
- Linked accounts (Google, GitHub)
- Passkey management (register/remove)
- [ ] **6.13** `src/routes/account/security.tsx` — Security settings:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add the stuff for the API Key plugin here, but only show the section if the user has the Admin Role

Copilot AI and others added 10 commits March 6, 2026 12:20
… Hook Form, dual layouts, i18n plugin, TOTP in sign-in, API key admin-only

Co-authored-by: JackatDJL <71508487+JackatDJL@users.noreply.github.com>
Add production-quality UI components without Radix UI dependencies:
- button, input, label, card, badge, alert, separator, skeleton
- dialog, sheet (portal-based with overlay dismiss)
- dropdown-menu, tabs (state-managed)
- table, avatar, select (native HTML styled)
- sonner (toast notification system)
- form (react-hook-form integration)

All components use cva for variants, cn() for class merging,
Tailwind CSS v4 theme variables, and React.forwardRef patterns.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Fix Separator to use role=presentation/separator properly
- Fix AlertTitle ref type to HTMLHeadingElement
- Fix TableFooter CSS selector syntax
- Add aria-hidden to decorative ChevronDown in Select
- Remove redundant data-state from TabsContent

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Create branded email templates for DJL Foundation ID:
- verification.tsx: Email verification with verify link
- password-reset.tsx: Password reset with warning notice
- organization-invite.tsx: Org invitation with dynamic subject
- welcome.tsx: Post-verification welcome email

Add auth-emails.tsx with async send functions that render
templates to HTML via @react-email/components and send via
Resend, with graceful fallback when API key is missing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Server config (auth.ts): Prisma adapter, email+password with verification,
  Google/GitHub social providers (conditional), user deletion hook,
  and plugins: tanstackStartCookies, username, twoFactor, passkey, admin,
  openAPI, apiKey, organization, captcha (conditional), haveIBeenPwned, jwt,
  lastLoginMethod
- Client config (auth-client.ts): matching client plugins for all server plugins
- Added @better-auth/passkey and @better-auth/api-key dependencies

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Remove Header/Footer from root layout, render only children
- Update title to 'DJL Foundation ID'
- Create FullLayout with navbar (nav links, admin guard, user
  dropdown, locale switcher, theme toggle) and footer
- Create AuthLayout with centered content and back button/logo
- Delete old Header.tsx and Footer.tsx

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace static HTML id/htmlFor attributes with React useId()-based
dynamic IDs to satisfy lint/correctness/useUniqueElementIds rule.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Update api/auth/$.ts with consistent formatting
- Create api/user/delete-account.ts (stub returning 500)
- Create api/internal/auth-urls.ts with API key protection
- Update auth/sign-in.tsx: fix twoFactorRedirect type cast
- Update auth/forgot-password.tsx: fix requestPasswordReset method name
- Create auth/verify-email.tsx with token verification flow

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…mponents, layouts, auth pages, account pages, admin pages, API routes

Co-authored-by: JackatDJL <71508487+JackatDJL@users.noreply.github.com>

Copilot AI commented Mar 6, 2026

Copy link
Copy Markdown
Author

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • ui.shadcn.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/.npm/_npx/d66c5096c7023bfb/node_modules/.bin/shadcn add button input label card dialog dropdown-menu form table tabs badge alert avatar separator skeleton sonner sheet select (dns block)
  • www.better-auth.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Add BetterAuth IDP implementation plan and install agent skills Implement BetterAuth IDP: auth config, Prisma, UI components, layouts, auth/account/admin pages, API routes Mar 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants