letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
2f9bcf00b111bf20fe4b3f7386953faf43a2e28c
pn-new-crm/src/lib/auth/index.ts

131 lines
4.5 KiB
TypeScript
Raw Normal View History

Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
import { betterAuth } from 'better-auth';
import { drizzleAdapter } from 'better-auth/adapters/drizzle';
import { db } from '@/lib/db';
/**
* Better Auth server configuration.
*
* Sessions are stored in PostgreSQL (not Redis) per SECURITY-GUIDELINES.md §1.2.
* The drizzle adapter handles session persistence via the existing `sessions` table.
*/
fix(auth/mobile): support LAN-IP access in dev + edge-to-edge auth bg - branded-auth-shell: split the background image into a separate fixed-positioned layer behind the layout. Previously the bg was on a min-h-screen container and iOS Safari left visible whitespace at the top/bottom when the URL bar showed/hid (the container's height didn't match the visual viewport). Now the bg pins to the actual visible viewport via `fixed inset-0`. min-h-[100dvh] also added so the layout layer matches. - auth client: derive baseURL from window.location.origin instead of NEXT_PUBLIC_APP_URL. Same dev build now works whether opened on localhost (Mac) or the LAN IP (iPhone on Wi-Fi). - auth server: dynamic trustedOrigins function that allows localhost / 127.x / 192.168.x / 10.x in dev (function form inspects the incoming request's Origin). Production stays locked to NEXT_PUBLIC_APP_URL. - new dev helper: scripts/dev-set-password.ts to set a user's better-auth password directly (bypasses the email-reset flow); used to bootstrap matt@letsbe.solutions for mobile testing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 16:21:59 +02:00
/**
* In dev, allow requests from any LAN IP so the same `pnpm dev` instance can
* serve both localhost (Mac) and the LAN IP (iPhone on Wi-Fi). In production,
* trustedOrigins is locked down to NEXT_PUBLIC_APP_URL only.
*/
/**
* In dev, allow localhost + any LAN-IP origin so the same `pnpm dev` instance
* can serve both Mac (localhost) and iPhone-on-Wi-Fi (192.168.x.x). The
* function form is preferred over a static list because the LAN IP can vary
* across networks. In production, lock down to NEXT_PUBLIC_APP_URL only.
*/
const isProd = process.env.NODE_ENV === 'production';
const DEV_ORIGIN_PATTERNS = [
/^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/,
/^https?:\/\/192\.168\.\d+\.\d+(:\d+)?$/,
/^https?:\/\/10\.\d+\.\d+\.\d+(:\d+)?$/,
];
const trustedOrigins: (request?: Request) => Promise<string[]> = async (request) => {
if (isProd) {
const prodUrl = process.env.NEXT_PUBLIC_APP_URL;
return prodUrl ? [prodUrl] : [];
}
const origin = request?.headers.get('origin') ?? '';
if (origin && DEV_ORIGIN_PATTERNS.some((re) => re.test(origin))) {
return [origin];
}
return ['http://localhost:3000', 'http://localhost:3001'];
};
fix(build): make auth + storage modules side-effect-free at import Two top-level eager initializers were breaking pnpm build during Next.js "collect page data" phase under SKIP_ENV_VALIDATION=1: - src/lib/auth/index.ts created the better-auth singleton at module load, triggering its "default secret" check against the unset BETTER_AUTH_SECRET. - src/lib/minio/index.ts constructed `new Client({...})` at module load with env.MINIO_ENDPOINT === undefined, throwing InvalidEndpointError. Storage config now lives in system_settings (read at runtime by getStorageBackend()), so the legacy @/lib/minio module's MinIO-client exports were already unused — only buildStoragePath had real consumers. Stripped the module to that single pure helper; deleted the dead minioClient / ensureBucket / getPresignedUrl exports. For better-auth, kept the existing call-site syntax (`auth.api.foo(...)` and `typeof auth.$Infer.Session`) by wrapping the singleton in a Proxy that lazy-instantiates on first property access. Build-time import never touches env; first runtime request constructs as before. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 15:38:04 +02:00
/**
* `betterAuth(...)` is wrapped in a lazy initializer so the auth singleton
* is constructed on first property access (i.e. first request) rather than
* at module import. This is required so that Next.js's "collect page data"
* phase during `pnpm build` doesn't trigger better-auth's "default secret"
* check against the unset BETTER_AUTH_SECRET at build time the auth
* config is never accessed, and at runtime the env is fully populated.
*
* Call sites continue to use `auth.api.foo(...)` unchanged; the Proxy
* intercepts the property access and resolves the real instance just-in-
* time. `typeof auth.$Infer.Session` is a type-only access and never
* triggers the Proxy at runtime.
*/
function buildAuth() {
return betterAuth({
database: drizzleAdapter(db, {
provider: 'pg',
}),
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
fix(build): make auth + storage modules side-effect-free at import Two top-level eager initializers were breaking pnpm build during Next.js "collect page data" phase under SKIP_ENV_VALIDATION=1: - src/lib/auth/index.ts created the better-auth singleton at module load, triggering its "default secret" check against the unset BETTER_AUTH_SECRET. - src/lib/minio/index.ts constructed `new Client({...})` at module load with env.MINIO_ENDPOINT === undefined, throwing InvalidEndpointError. Storage config now lives in system_settings (read at runtime by getStorageBackend()), so the legacy @/lib/minio module's MinIO-client exports were already unused — only buildStoragePath had real consumers. Stripped the module to that single pure helper; deleted the dead minioClient / ensureBucket / getPresignedUrl exports. For better-auth, kept the existing call-site syntax (`auth.api.foo(...)` and `typeof auth.$Infer.Session`) by wrapping the singleton in a Proxy that lazy-instantiates on first property access. Build-time import never touches env; first runtime request constructs as before. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 15:38:04 +02:00
trustedOrigins,
fix(auth/mobile): support LAN-IP access in dev + edge-to-edge auth bg - branded-auth-shell: split the background image into a separate fixed-positioned layer behind the layout. Previously the bg was on a min-h-screen container and iOS Safari left visible whitespace at the top/bottom when the URL bar showed/hid (the container's height didn't match the visual viewport). Now the bg pins to the actual visible viewport via `fixed inset-0`. min-h-[100dvh] also added so the layout layer matches. - auth client: derive baseURL from window.location.origin instead of NEXT_PUBLIC_APP_URL. Same dev build now works whether opened on localhost (Mac) or the LAN IP (iPhone on Wi-Fi). - auth server: dynamic trustedOrigins function that allows localhost / 127.x / 192.168.x / 10.x in dev (function form inspects the incoming request's Origin). Production stays locked to NEXT_PUBLIC_APP_URL. - new dev helper: scripts/dev-set-password.ts to set a user's better-auth password directly (bypasses the email-reset flow); used to bootstrap matt@letsbe.solutions for mobile testing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 16:21:59 +02:00
fix(build): make auth + storage modules side-effect-free at import Two top-level eager initializers were breaking pnpm build during Next.js "collect page data" phase under SKIP_ENV_VALIDATION=1: - src/lib/auth/index.ts created the better-auth singleton at module load, triggering its "default secret" check against the unset BETTER_AUTH_SECRET. - src/lib/minio/index.ts constructed `new Client({...})` at module load with env.MINIO_ENDPOINT === undefined, throwing InvalidEndpointError. Storage config now lives in system_settings (read at runtime by getStorageBackend()), so the legacy @/lib/minio module's MinIO-client exports were already unused — only buildStoragePath had real consumers. Stripped the module to that single pure helper; deleted the dead minioClient / ensureBucket / getPresignedUrl exports. For better-auth, kept the existing call-site syntax (`auth.api.foo(...)` and `typeof auth.$Infer.Session`) by wrapping the singleton in a Proxy that lazy-instantiates on first property access. Build-time import never touches env; first runtime request constructs as before. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 15:38:04 +02:00
emailAndPassword: {
enabled: true,
minPasswordLength: 9,
// Accounts are admin-created only - no self-service email verification flow.
requireEmailVerification: false,
// Self-service password reset for CRM users. The reset link lands
// on the existing /reset-password page (which already handles
// better-auth's token + new-password POST). The email send goes
// through the shared SMTP infra so EMAIL_REDIRECT_TO honours it
// in dev.
sendResetPassword: async ({ user, url }) => {
const { sendEmail } = await import('@/lib/email');
const subject = 'Reset your Port Nimara CRM password';
const html = `
feat: autonomous backlog push — admin UX overhaul + storage parity + residential parity + Documenso Phase 1 Massive multi-area push driven by docs/admin-ux-backlog.md. Every byte path now goes through getStorageBackend() so signed EOIs, contracts, brochures, berth PDFs, files, avatars, branding logos, and DB backups all work identically on S3 and filesystem backends. USER SETTINGS (rebuild) - Country + Timezone selectors with cross-defaulting - Browser-detected timezone banner ("Looks like you're in Europe/Paris…") - Email change with verification flow (user_email_changes table, OLD-address cancel link + NEW-address confirm link) + EMAIL_CHANGE_INSTANT=true dev shortcut - Password reset triggered via better-auth requestPasswordReset - Profile photo upload + crop (square 256×256) via shared <ImageCropperDialog> + /api/v1/me/avatar BRANDING - Shared <ImageCropperDialog> using react-easy-crop - Logo upload + crop in /admin/branding (writes via /api/v1/admin/settings/image -> storage backend) - Email header/footer HTML defaults injectable via "Insert default" - SettingsFormCard new field types: timezone (combobox), image-upload STORAGE ADMIN OVERHAUL - S3 config form FIRST, swap action SECOND - Test connection before any switch - Two-button switch: "Switch + migrate" vs "Switch only" with warning modals - runMigration() honours skipMigration flag - /api/ready + system-monitoring health check use the active storage backend instead of always probing MinIO - Filesystem backend already had full feature parity — verified BACKUP MANAGEMENT (real) - New backup_jobs table (id / status / trigger / size / storage_path) - runBackup() service spawns pg_dump --format=custom, streams to active storage backend via getStorageBackend().put() - /admin/backup page: trigger, history, download .dump for restore - Super-admin gated AI ADMIN PANEL - /admin/ai consolidates master switch + monthly token cap + provider credentials - Per-feature settings (OCR, berth-PDF parser, recommender) linked from the same page ONBOARDING WIZARD - /admin/onboarding now real with auto-checked steps - Reads each setting key + lists endpoint (roles/users/tags) to decide completion - Manual checkboxes for steps without an auto-detect signal - Progress bar + Mark done/Mark incomplete buttons - State persisted in system_settings.onboarding_manual_status RESIDENTIAL PARITY (full) - New residential_client_notes + residential_interest_notes tables (mirror marina-side shape) - Polymorphic notes.service.ts extended (verifyParent, listForEntity, create, update, delete) for residential_clients/_interests - <NotesList> component accepts the new entity types - 4 new note endpoints (GET/POST/PATCH/DELETE for clients + interests) - 2 new activity endpoints (residential clients + interests) - residential-client-tabs.tsx + residential-interest-tabs.tsx use DetailLayout (Overview / Interests / Notes / Activity) - residential-client-detail-header.tsx mirrors marina-side strip - useBreadcrumbHint wired into both detail components - Configurable Assigned-to dropdown (residential_interests.view perm) CONFIGURABLE RESIDENTIAL STAGES - residential-stages.service.ts with list / save / orphan-check - /api/v1/residential/stages GET/PUT - /admin/residential-stages admin UI with reassign-on-remove modal - Validators relaxed from z.enum to z.string DOCUMENSO PHASE 1 - Schema: document_signers.invited_at / opened_at / last_reminder_sent_at / signing_token (+ idx_ds_signing_token) - Schema: documents.completion_cc_emails (text[]) + auto_reminder_interval_days (int) - transformSigningUrl() now maps SignerRole -> URL segment via ROLE_TO_URL_SEGMENT (approver->cc, witness->witness) — fixes Risk #5 where approver invites landed on /sign/error - POST /api/v1/documents/[id]/send-invitation with auto-pick of next pending signer - Per-port settings: documenso_developer_label / _approver_label + documenso_developer_user_id / _approver_user_id (Phase 7 Project Director RBAC binding fields) ADMIN UX RAPID-FIRE - Sidebar collapse removed (always-expanded design) - Audit log: input sizes (h-9), date pickers w-44, action cell sub-label so single-row entries aren't blank - Sales email config: token list <details> + tooltips on threshold + body fields - Custom Settings card: long-form description - Reminder digest timezone uses TimezoneCombobox - Port form: currency dropdown (10 common currencies) + timezone combobox + brand color picker - Permissions count badge opens modal with granted/denied per resource - Role names display-normalized via prettifyRoleName - Tag form: native input type=color - Custom Fields page: amber heads-up about non-integration - Settings manager: select field type + fallthrough_policy as dropdown - Storage admin S3 fields ship as proper password + boolean LIST PAGES - Residential client list: clickable email/phone (mailto/tel/wa.me) - Residential interests + Documents Hub search inputs sized h-9 CURRENCY API - scripts/test-currency-api.ts verifies live Frankfurter fetch -> DB upsert -> getRate -> convert. Inverse-rate drift <=0.001 TESTS - 1185/1185 vitest passing - tsc clean - eslint 0 errors (16 pre-existing warnings) Note: WEBSITE_INTAKE_SECRET added to .env.example but committed separately due to pre-commit hook policy on .env* files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 21:02:12 +02:00
<p>Hi ${user.name || 'there'},</p>
<p>You requested a password reset for your Port Nimara CRM account.</p>
<p><a href="${url}">Click here to set a new password</a> the link expires in 1 hour.</p>
<p>If you didn't request this, you can safely ignore this email.</p>
`;
fix(build): make auth + storage modules side-effect-free at import Two top-level eager initializers were breaking pnpm build during Next.js "collect page data" phase under SKIP_ENV_VALIDATION=1: - src/lib/auth/index.ts created the better-auth singleton at module load, triggering its "default secret" check against the unset BETTER_AUTH_SECRET. - src/lib/minio/index.ts constructed `new Client({...})` at module load with env.MINIO_ENDPOINT === undefined, throwing InvalidEndpointError. Storage config now lives in system_settings (read at runtime by getStorageBackend()), so the legacy @/lib/minio module's MinIO-client exports were already unused — only buildStoragePath had real consumers. Stripped the module to that single pure helper; deleted the dead minioClient / ensureBucket / getPresignedUrl exports. For better-auth, kept the existing call-site syntax (`auth.api.foo(...)` and `typeof auth.$Infer.Session`) by wrapping the singleton in a Proxy that lazy-instantiates on first property access. Build-time import never touches env; first runtime request constructs as before. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 15:38:04 +02:00
const text = `Reset your password: ${url}`;
await sendEmail(user.email, subject, html, undefined, text);
},
feat: autonomous backlog push — admin UX overhaul + storage parity + residential parity + Documenso Phase 1 Massive multi-area push driven by docs/admin-ux-backlog.md. Every byte path now goes through getStorageBackend() so signed EOIs, contracts, brochures, berth PDFs, files, avatars, branding logos, and DB backups all work identically on S3 and filesystem backends. USER SETTINGS (rebuild) - Country + Timezone selectors with cross-defaulting - Browser-detected timezone banner ("Looks like you're in Europe/Paris…") - Email change with verification flow (user_email_changes table, OLD-address cancel link + NEW-address confirm link) + EMAIL_CHANGE_INSTANT=true dev shortcut - Password reset triggered via better-auth requestPasswordReset - Profile photo upload + crop (square 256×256) via shared <ImageCropperDialog> + /api/v1/me/avatar BRANDING - Shared <ImageCropperDialog> using react-easy-crop - Logo upload + crop in /admin/branding (writes via /api/v1/admin/settings/image -> storage backend) - Email header/footer HTML defaults injectable via "Insert default" - SettingsFormCard new field types: timezone (combobox), image-upload STORAGE ADMIN OVERHAUL - S3 config form FIRST, swap action SECOND - Test connection before any switch - Two-button switch: "Switch + migrate" vs "Switch only" with warning modals - runMigration() honours skipMigration flag - /api/ready + system-monitoring health check use the active storage backend instead of always probing MinIO - Filesystem backend already had full feature parity — verified BACKUP MANAGEMENT (real) - New backup_jobs table (id / status / trigger / size / storage_path) - runBackup() service spawns pg_dump --format=custom, streams to active storage backend via getStorageBackend().put() - /admin/backup page: trigger, history, download .dump for restore - Super-admin gated AI ADMIN PANEL - /admin/ai consolidates master switch + monthly token cap + provider credentials - Per-feature settings (OCR, berth-PDF parser, recommender) linked from the same page ONBOARDING WIZARD - /admin/onboarding now real with auto-checked steps - Reads each setting key + lists endpoint (roles/users/tags) to decide completion - Manual checkboxes for steps without an auto-detect signal - Progress bar + Mark done/Mark incomplete buttons - State persisted in system_settings.onboarding_manual_status RESIDENTIAL PARITY (full) - New residential_client_notes + residential_interest_notes tables (mirror marina-side shape) - Polymorphic notes.service.ts extended (verifyParent, listForEntity, create, update, delete) for residential_clients/_interests - <NotesList> component accepts the new entity types - 4 new note endpoints (GET/POST/PATCH/DELETE for clients + interests) - 2 new activity endpoints (residential clients + interests) - residential-client-tabs.tsx + residential-interest-tabs.tsx use DetailLayout (Overview / Interests / Notes / Activity) - residential-client-detail-header.tsx mirrors marina-side strip - useBreadcrumbHint wired into both detail components - Configurable Assigned-to dropdown (residential_interests.view perm) CONFIGURABLE RESIDENTIAL STAGES - residential-stages.service.ts with list / save / orphan-check - /api/v1/residential/stages GET/PUT - /admin/residential-stages admin UI with reassign-on-remove modal - Validators relaxed from z.enum to z.string DOCUMENSO PHASE 1 - Schema: document_signers.invited_at / opened_at / last_reminder_sent_at / signing_token (+ idx_ds_signing_token) - Schema: documents.completion_cc_emails (text[]) + auto_reminder_interval_days (int) - transformSigningUrl() now maps SignerRole -> URL segment via ROLE_TO_URL_SEGMENT (approver->cc, witness->witness) — fixes Risk #5 where approver invites landed on /sign/error - POST /api/v1/documents/[id]/send-invitation with auto-pick of next pending signer - Per-port settings: documenso_developer_label / _approver_label + documenso_developer_user_id / _approver_user_id (Phase 7 Project Director RBAC binding fields) ADMIN UX RAPID-FIRE - Sidebar collapse removed (always-expanded design) - Audit log: input sizes (h-9), date pickers w-44, action cell sub-label so single-row entries aren't blank - Sales email config: token list <details> + tooltips on threshold + body fields - Custom Settings card: long-form description - Reminder digest timezone uses TimezoneCombobox - Port form: currency dropdown (10 common currencies) + timezone combobox + brand color picker - Permissions count badge opens modal with granted/denied per resource - Role names display-normalized via prettifyRoleName - Tag form: native input type=color - Custom Fields page: amber heads-up about non-integration - Settings manager: select field type + fallthrough_policy as dropdown - Storage admin S3 fields ship as proper password + boolean LIST PAGES - Residential client list: clickable email/phone (mailto/tel/wa.me) - Residential interests + Documents Hub search inputs sized h-9 CURRENCY API - scripts/test-currency-api.ts verifies live Frankfurter fetch -> DB upsert -> getRate -> convert. Inverse-rate drift <=0.001 TESTS - 1185/1185 vitest passing - tsc clean - eslint 0 errors (16 pre-existing warnings) Note: WEBSITE_INTAKE_SECRET added to .env.example but committed separately due to pre-commit hook policy on .env* files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 21:02:12 +02:00
},
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
fix(build): make auth + storage modules side-effect-free at import Two top-level eager initializers were breaking pnpm build during Next.js "collect page data" phase under SKIP_ENV_VALIDATION=1: - src/lib/auth/index.ts created the better-auth singleton at module load, triggering its "default secret" check against the unset BETTER_AUTH_SECRET. - src/lib/minio/index.ts constructed `new Client({...})` at module load with env.MINIO_ENDPOINT === undefined, throwing InvalidEndpointError. Storage config now lives in system_settings (read at runtime by getStorageBackend()), so the legacy @/lib/minio module's MinIO-client exports were already unused — only buildStoragePath had real consumers. Stripped the module to that single pure helper; deleted the dead minioClient / ensureBucket / getPresignedUrl exports. For better-auth, kept the existing call-site syntax (`auth.api.foo(...)` and `typeof auth.$Infer.Session`) by wrapping the singleton in a Proxy that lazy-instantiates on first property access. Build-time import never touches env; first runtime request constructs as before. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 15:38:04 +02:00
session: {
// Enable cookie-level session caching to reduce DB reads (5-minute cache).
cookieCache: {
enabled: true,
maxAge: 5 * 60,
},
// Absolute session lifetime: 24 hours.
expiresIn: 60 * 60 * 24,
// Refresh the session whenever the user is active in the last 25% of its lifetime (6h).
updateAge: 60 * 60 * 6,
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
},
fix(build): make auth + storage modules side-effect-free at import Two top-level eager initializers were breaking pnpm build during Next.js "collect page data" phase under SKIP_ENV_VALIDATION=1: - src/lib/auth/index.ts created the better-auth singleton at module load, triggering its "default secret" check against the unset BETTER_AUTH_SECRET. - src/lib/minio/index.ts constructed `new Client({...})` at module load with env.MINIO_ENDPOINT === undefined, throwing InvalidEndpointError. Storage config now lives in system_settings (read at runtime by getStorageBackend()), so the legacy @/lib/minio module's MinIO-client exports were already unused — only buildStoragePath had real consumers. Stripped the module to that single pure helper; deleted the dead minioClient / ensureBucket / getPresignedUrl exports. For better-auth, kept the existing call-site syntax (`auth.api.foo(...)` and `typeof auth.$Infer.Session`) by wrapping the singleton in a Proxy that lazy-instantiates on first property access. Build-time import never touches env; first runtime request constructs as before. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 15:38:04 +02:00
advanced: {
cookiePrefix: 'pn-crm',
defaultCookieAttributes: {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict' as const,
},
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
},
fix(build): make auth + storage modules side-effect-free at import Two top-level eager initializers were breaking pnpm build during Next.js "collect page data" phase under SKIP_ENV_VALIDATION=1: - src/lib/auth/index.ts created the better-auth singleton at module load, triggering its "default secret" check against the unset BETTER_AUTH_SECRET. - src/lib/minio/index.ts constructed `new Client({...})` at module load with env.MINIO_ENDPOINT === undefined, throwing InvalidEndpointError. Storage config now lives in system_settings (read at runtime by getStorageBackend()), so the legacy @/lib/minio module's MinIO-client exports were already unused — only buildStoragePath had real consumers. Stripped the module to that single pure helper; deleted the dead minioClient / ensureBucket / getPresignedUrl exports. For better-auth, kept the existing call-site syntax (`auth.api.foo(...)` and `typeof auth.$Infer.Session`) by wrapping the singleton in a Proxy that lazy-instantiates on first property access. Build-time import never touches env; first runtime request constructs as before. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 15:38:04 +02:00
logger: {
disabled: false,
level: 'error' as const,
},
});
}
type AuthInstance = ReturnType<typeof buildAuth>;
let _authInstance: AuthInstance | null = null;
function getAuth(): AuthInstance {
if (!_authInstance) _authInstance = buildAuth();
return _authInstance;
}
export const auth = new Proxy({} as AuthInstance, {
get(_target, prop) {
return Reflect.get(getAuth(), prop);
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
},
});
export type Session = typeof auth.$Infer.Session;
export type User = typeof auth.$Infer.Session.user;
Reference in New Issue Copy Permalink