Authentication
Authentication is handled by Better Auth embedded directly in apps/app — there is no separate auth microservice. The @ce-sdr/auth package contains shared configuration, email templates, and RBAC definitions used by the app.
Supported Methods
| Method | Details |
|---|---|
| Email + Password | Registration, login, email verification via Resend |
| Two-Factor Auth (TOTP) | Setup and verification |
| Session tokens | Cookie-based, stored in Session collection |
Login Flow
All auth routes are mounted at /auth/* and handled by the Better-Auth handler integrated into the Express app.
@ce-sdr/auth Package
Located at packages/auth/, this package exports:
- `initAuth()` — Better-Auth instance factory, called once at app startup
- `roles.ts` — `UserRole` enum (`ADMIN`, `USER`)
- `permissions.ts` — RBAC access control via Better-Auth's `admin` plugin
- `emails.ts` — Resend email templates for verification and password reset
- `client.ts` — Client-side auth helpers
RBAC
The project uses Better-Auth's admin plugin with two roles:
| Role | Access |
|---|---|
| USER | Default role for new registrations |
| ADMIN | Full admin access (Better-Auth default admin statements) |
Role assignment is at the User level — brand-level access is enforced separately via brand membership checks in route handlers.
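The following is an added example, not code from @ce-sdr/auth or apps/app, showing how a route handler can keep the two checks separate: the User-level role from the admin plugin, and brand membership looked up independently. The `AuthSession` and `BrandMembership` shapes and the sample data are assumptions constructed for the example.

```typescript
// Added example: role check and brand-membership check as two independent
// gates, fail-closed. Not the project's code; types are assumed shapes.

type UserRole = "ADMIN" | "USER";

// Assumed shape of the session a handler receives (role on session.user).
interface AuthSession {
  user: { id: string; role: UserRole };
}

// Hypothetical brand membership record; real fields live in the schema.
interface BrandMembership {
  userId: string;
  brandId: string;
}

type Decision =
  | { allowed: true }
  | { allowed: false; status: 401 | 403; reason: string };

// Decide whether the caller may act on `brandId`. No session -> 401.
// Wrong role (when the route requires one) or no brand membership -> 403.
// ADMIN at the User level does not imply membership of any brand.
function authorizeBrandRoute(
  session: AuthSession | null,
  brandId: string,
  memberships: readonly BrandMembership[],
  opts: { requireRole?: UserRole } = {},
): Decision {
  if (!session) {
    return { allowed: false, status: 401, reason: "no session" };
  }
  if (opts.requireRole && session.user.role !== opts.requireRole) {
    return { allowed: false, status: 403, reason: `requires ${opts.requireRole}` };
  }
  const isMember = memberships.some(
    (m) => m.userId === session.user.id && m.brandId === brandId,
  );
  if (!isMember) {
    return { allowed: false, status: 403, reason: "not a member of this brand" };
  }
  return { allowed: true };
}

// Constructed sample data for a stand-alone run.
const sampleMemberships: BrandMembership[] = [{ userId: "u1", brandId: "b1" }];
const alice: AuthSession = { user: { id: "u1", role: "USER" } };
const root: AuthSession = { user: { id: "u2", role: "ADMIN" } };
```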
Data Models
| Model | Purpose |
|---|---|
| User | Core user record |
| Session | Active session tokens (cookie-based) |
| Account | OAuth provider accounts (Google, Stripe) |
| Verification | Email verification and password reset tokens |
| TwoFactor | TOTP secret and backup codes |
See Database Schema for full field definitions.