integrations/better-auth

[giscus[bot]]

integrations/better-auth

We may use @better-auth/cli to generate auth schema and migrate our database as well.

https://elysiajs.com/integrations/better-auth

[lucass3na]

Remember, don’t forget to add the OpenAPI plugin before following these instructions:
https://elysiajs.com/integrations/better-auth#swagger-openapi

import { betterAuth } from "better-auth";
import { openAPI } from "better-auth/plugins";

export const auth = betterAuth({
plugins: [openAPI()]
}

[gokaybiz]

I'm using Elysia.js and have the following setup:

export const authRoutes = new Elysia({ prefix: "/auth" }).all(
  "/*",
  ({ request }) => auth.handler(request),
);

And let's say we have a structure like this.

const app = new Elysia()
  .use(elysiaLogger)
  .use(cors())
  .group("/api/v1", (app) => {
    return app.use(authRoutes);
  })
  .listen(3000);

How do I access the routes defined in authRoutes?
What would the full URL be for these endpoints?

My instinct was to access better auth endpoints at /api/v1/auth/* like /api/v1/auth/get-session, but it’s not working...

[lucass3na]

@gokaybiz check if this works for you.
http://localhost:3000/api/v1/auth/get-session

export const auth = betterAuth({
  basePath: "/auth",
})

const app = new Elysia()
  .use(elysiaLogger)
  .use(cors())
  .mount("/api/v1", auth.handler)
  .listen(3000);

[gokaybiz]

@gokaybiz check if this works for you. http://localhost:3000/api/v1/auth/get-session

export const auth = betterAuth({
  basePath: "/auth",
})

const app = new Elysia()
  .use(elysiaLogger)
  .use(cors())
  .mount("/api/v1", auth.handler)
  .listen(3000);

Hey!
Yeah, it worked that way, thanks!

export const auth = betterAuth({
  basePath: "/auth",
})

export const authRoutes = new Elysia().mount("/", auth.handler);

export const app = new Elysia()
  .use(elysiaLogger)
  .use(cors())
  .get("/", () => "Hello Elysia")
  .group("/api/v1", (app) => {
    return app.use(authRoutes);
  })
  .listen(3000);

But honestly, It feels a bit confusing for future maintenance 😅

[typed-sigterm]

.mount('/foo', auth.handler) is incorrect, I just opened #576 to fix the tutorial.

[Pastequee]

Using the given macro that checks for user authentication, it returns a status(401).
But when using Eden Treaty, the 401 does not appear in the possible error responses, do you know a way to make the types work ?

[dodiz]

I just return null from the resolve and handle the unauthorized at route level

[DEV-Thierry]

I am receiving an error in a route file when trying to use the auth macro.

I configured Better Auth.

// better-auth.ts
import { auth } from "@/auth";
import Elysia from "elysia";

export const betterAuthPlugin = new Elysia({ name: "better-auth" })
  .mount(auth.handler)
  .macro({
    auth: {
      async resolve({ status, request: { headers } }) {
        const session = await auth.api.getSession({
          headers,
        });
        if (!session) return status(401);
        return {
          user: session.user,
          session: session.session,
        };
      },
    },
  });

let _schema: ReturnType<typeof auth.api.generateOpenAPISchema>
const getSchema = async () => {
  if (!_schema) {
    _schema = auth.api.generateOpenAPISchema()
  }
  return _schema;
}

export const OpenAPI = {
  getPaths: (prefix = '/api') =>
    getSchema().then(({ paths }) => {
      const reference: typeof paths = Object.create(null)

      for (const path of Object.keys(paths)) {
        const key = prefix + path
        reference[key] = paths[path]

        for (const method of Object.keys(paths[path])) {
          const operation = (reference[key] as any)[method]

          operation.tags = ['Better Auth']
        }
      }

      return reference
    }) as Promise<any>,
  components: getSchema().then(({ components }) => components) as Promise<any>
} as const

I used the plugin in my index.ts

// index.ts
export const app = new Elysia()
  .use(openapi({
    documentation: {
      components: await OpenAPI.components,
      paths: await OpenAPI.getPaths()
    }
  }))
  .use(betterAuthPlugin)
  .use(todoRoute)
  .listen(3333);

but on my route I can't receive the typing when I put the auth macro

// todoRoute.ts
export const todoRoute = new Elysia()
  .get("/", () => {
    return [
      { id: 1, title: "Estudar Bun" },
      { id: 2, title: "Aprender Elysia" }
    ];
  }, {
    auth: true // error message 'Object literal may only specify known properties ...
  });

What am I doing wrong?

[mjjabarullah]

// todoRoute.ts
export const todoRoute = new Elysia()
  .use(betterAuthPlugin)
  .get("/", () => {
    return [
      { id: 1, title: "Estudar Bun" },
      { id: 2, title: "Aprender Elysia" }
    ];
  }, {
    auth: true // error message 'Object literal may only specify known properties ...
  });

try this, since elysia using method chaining to do type safety. So that you need to make use of auth plugin in every elysia instance. Duplication of plugin will be handled by elysia automaticlaly.

[Teyik0]

How to get type safety using Eden when mounting Better Auth ?
I don't get any auto completion when doing app.api.

[kevin-moechel]

The doc should mention that you need to configure the fetch when using treaty and better-auth. This took me two hours to figure out.

const server = treaty<App>(WEB_ENVS.VITE_SERVER_URL, {
    fetch: {
        credentials: "include",
        mode: "cors",
    }
});

[joaovpmamede]

But do you have access to auth on your server object?
Can you share your code please?

[KshSiaan]

auth.ts

import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { db } from "./db";
import * as schema from "../db/schema"

export const auth = betterAuth({
    emailAndPassword: {
        enabled: true
        
    },
    database: drizzleAdapter(db, {
        provider: "pg",
        schema
    }),
});

index.ts

import { Elysia } from 'elysia'
import { auth } from './lib/auth'
import { userSet } from './user/main'


// user middleware (compute user and session and pass to routes)
const betterAuth = new Elysia({ name: 'better-auth' })
    .mount(auth.handler)
    .macro({
        auth: {
            async resolve({ status, request: { headers } }) {
                const session = await auth.api.getSession({
                    headers
                })

                if (!session) return status(401)

                return {
                    user: session.user,
                    session: session.session
                }
            }
        }
    })

const app = new Elysia()
    .use(betterAuth)
    .use(userSet)
    .get('/user', ({ user }) => user, {
        auth: true
    })
    .listen(3000)

console.log(
    `🦊 Elysia is running at ${app.server?.hostname}:${app.server?.port}`
)

well. the thing is im getting unauthorized whenever im trying to fetch the user using the token as bearer token

[vieyama]

Hi, I have a question.
I’ve already integrated Better Auth and it’s working well. However, I’m not sure why the schema validation runs before the authentication check. How can I make the authentication validation run first, before any other validation?

================================================

import { Elysia } from 'elysia'
import cors from '@elysiajs/cors'

import { openApiPlugin } from './plugins/openapi'
import { betterAuthPlugin } from './plugins/better-auth'

import { postRoutes } from './routes/post.route'

export const app = new Elysia()
.use(openApiPlugin)
.use(cors({
origin: true, // Allow all origins in development
credentials: true,
methods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
allowedHeaders: ["Content-Type", "Authorization", "Origin"],
}))
.use(betterAuthPlugin)
.use(postRoutes)

================================================

import { Elysia } from 'elysia'
import {
createPostHandler,
createPostValidation,
getPostsHandler,
CreatePostInput
} from '../handlers/post'
import { betterAuthPlugin } from '../plugins/better-auth'

export const postRoutes = new Elysia({ name: 'posts', prefix: '/v1/api' })
.use(betterAuthPlugin)
.get('/posts', getPostsHandler, {
detail: {
tags: ['Posts'],
},
})
.post(
'/create-post',
({ body, user }) =>
createPostHandler(body as CreatePostInput, user.id),
{
auth: true,
detail: {
tags: ['Posts']
},
...createPostValidation(),
}
)

================================================

import { Elysia } from 'elysia'
import { auth } from '../lib/auth'

export const betterAuthPlugin = new Elysia({ name: 'better-auth' })
.mount(auth.handler)
.macro({
auth: {
async resolve({ status, request: { headers } }) {
const session = await auth.api.getSession({ headers })
if (!session) return status(401)

            return {
                user: session.user,
                session: session.session
            }
        }
    }
})

[darkmathew]

Guys, I’ve run into this issue in a few projects and it’s actually pretty simple to work around, although you should still add a few extra security validations afterward just to be safe.

What ends up fixing the problem is a combination of two things.

First, derive({ as: "scoped" }).

By default, derived context in Elysia does not propagate correctly to child routes. When your auth plugin is mounted at a higher level, nested routes may not receive user and session, which usually results in unexpected 401 Unauthorized responses. Marking the derive as scoped guarantees that the auth context is inherited by all child routes.

export const authPlugin = new Elysia({ name: "auth" })
  .derive({ as: "scoped" }, async ({ request }) => {
    const { user, session } = await resolveAuthUser(request.headers);
    return {
      user,
      session,
      isAuthenticated: Boolean(user),
    };
  });

The second point is resolving the session directly from the request headers.

Better Auth relies on cookies to read the session, so headers must be passed exactly as expected. Elysia sometimes provides headers as a plain object instead of a Headers instance, and if you pass that through without normalization, getSession may return null even when the user is authenticated.

Normalizing the headers before calling Better Auth fixes this.

async function getSessionFromHeaders(
  headers: Headers | Record<string, string>
) {
  const headersObj =
    headers instanceof Headers
      ? headers
      : new Headers(headers as Record<string, string>);

  return auth.api.getSession({
    headers: headersObj,
  });
}

Once these two pieces are in place, authentication becomes consistent across routes and child routes stop randomly failing with 401. From there, it’s just a matter of tightening security rules according to your application needs.