|
| 1 | +--- |
| 2 | +paths: src/core/modules/better-auth/** |
| 3 | +--- |
| 4 | + |
| 5 | +# Better-Auth Module Development Rules |
| 6 | + |
| 7 | +These rules apply when working in `src/core/modules/better-auth/`. |
| 8 | + |
| 9 | +## 1. Maximize Better-Auth Standard Compliance |
| 10 | + |
| 11 | +When making changes to the Better-Auth module: |
| 12 | + |
| 13 | +- **Stay as close as possible to Better-Auth's standard behavior** |
| 14 | +- **Minimize custom implementations** - use Better-Auth's built-in functionality wherever possible |
| 15 | +- **Never bypass or disable security mechanisms** provided by Better-Auth |
| 16 | +- **Maintain update compatibility** - changes must not break when Better-Auth releases updates |
| 17 | + |
| 18 | +### Rationale |
| 19 | + |
| 20 | +Better-Auth is a security-critical library. Custom implementations: |
| 21 | +- May introduce security vulnerabilities |
| 22 | +- Can break with Better-Auth updates |
| 23 | +- Add maintenance burden |
| 24 | +- May not benefit from Better-Auth's security audits |
| 25 | + |
| 26 | +### Example: Adapter Pattern |
| 27 | + |
| 28 | +When extending functionality (e.g., JWT mode for Passkey), prefer adapter patterns: |
| 29 | + |
| 30 | +```typescript |
| 31 | +// GOOD: Adapter that bridges to Better-Auth's mechanisms |
| 32 | +// - Uses Better-Auth's verificationToken |
| 33 | +// - Lets Better-Auth handle all WebAuthn logic |
| 34 | +// - Only bridges the cookie gap for JWT mode |
| 35 | + |
| 36 | +// BAD: Custom implementation that replaces Better-Auth logic |
| 37 | +// - Stores challenges separately |
| 38 | +// - Implements own verification |
| 39 | +// - Bypasses Better-Auth's security checks |
| 40 | +``` |
| 41 | + |
| 42 | +## 2. Security-First Implementation |
| 43 | + |
| 44 | +All Better-Auth code must be implemented with maximum security: |
| 45 | + |
| 46 | +### Mandatory Security Measures |
| 47 | + |
| 48 | +1. **Cryptographically secure IDs** - Use `crypto.randomBytes(32)` for tokens/IDs |
| 49 | +2. **TTL-based expiration** - All temporary data must have automatic cleanup |
| 50 | +3. **One-time use** - Tokens/challenges must be deleted after use |
| 51 | +4. **Secrets protection** - Never expose internal tokens to clients |
| 52 | +5. **Cookie signing** - Use proper HMAC signatures for cookies |
| 53 | + |
| 54 | +### Security Review Checklist |
| 55 | + |
| 56 | +Before completing any Better-Auth changes: |
| 57 | + |
| 58 | +- [ ] No secrets/tokens exposed to client (only opaque IDs) |
| 59 | +- [ ] All temporary data has TTL-based expiration |
| 60 | +- [ ] One-time tokens are deleted after use |
| 61 | +- [ ] Cryptographically secure random generation used |
| 62 | +- [ ] No OWASP Top 10 vulnerabilities introduced |
| 63 | +- [ ] Cookie signing uses proper HMAC with application secret |
| 64 | +- [ ] Rate limiting considered for authentication endpoints |
| 65 | +- [ ] Input validation on all user-supplied data |
| 66 | + |
| 67 | +### Example: Challenge Storage |
| 68 | + |
| 69 | +```typescript |
| 70 | +// Security measures applied: |
| 71 | +// 1. challengeId: 256-bit entropy (crypto.randomBytes(32)) |
| 72 | +// 2. verificationToken: never sent to client |
| 73 | +// 3. TTL index: automatic MongoDB cleanup |
| 74 | +// 4. One-time use: deleted after verification |
| 75 | +// 5. User binding: challenges tied to specific user |
| 76 | +``` |
| 77 | + |
| 78 | +## 3. Comprehensive Testing Requirements |
| 79 | + |
| 80 | +All Better-Auth changes require comprehensive tests: |
| 81 | + |
| 82 | +### Test Requirements |
| 83 | + |
| 84 | +1. **New functionality tests** - Cover all new features completely |
| 85 | +2. **Security tests** - Verify authentication/authorization works correctly |
| 86 | +3. **Edge case tests** - Token expiration, invalid input, race conditions |
| 87 | +4. **Regression tests** - Existing tests must pass (adapt if needed) |
| 88 | + |
| 89 | +### Pre-Commit Checklist |
| 90 | + |
| 91 | +Before completing any Better-Auth changes: |
| 92 | + |
| 93 | +```bash |
| 94 | +# All tests must pass |
| 95 | +npm test |
| 96 | + |
| 97 | +# Specific test file for targeted changes |
| 98 | +npm test -- tests/stories/better-auth-*.ts |
| 99 | +``` |
| 100 | + |
| 101 | +### Test Categories for Better-Auth |
| 102 | + |
| 103 | +| Category | Focus | Example Tests | |
| 104 | +|----------|-------|---------------| |
| 105 | +| Authentication | Login/logout flows | `better-auth-api.story.test.ts` | |
| 106 | +| Authorization | Role-based access | `better-auth-rest-security.e2e-spec.ts` | |
| 107 | +| Security | Token validation, rate limiting | `better-auth-rate-limit.story.test.ts` | |
| 108 | +| Integration | Module initialization | `better-auth-integration.story.test.ts` | |
| 109 | +| Plugins | 2FA, Passkey, Social Login | `better-auth-plugins.story.test.ts` | |
| 110 | + |
| 111 | +### Adapting Existing Tests |
| 112 | + |
| 113 | +When changes affect existing test expectations: |
| 114 | + |
| 115 | +1. **Understand why** the test was written that way |
| 116 | +2. **Verify the change is correct** - not breaking intended behavior |
| 117 | +3. **Update test** to match new correct behavior |
| 118 | +4. **Document** why the test was changed in commit message |
| 119 | + |
| 120 | +## Summary |
| 121 | + |
| 122 | +| Principle | Requirement | |
| 123 | +|-----------|-------------| |
| 124 | +| Standard Compliance | Stay close to Better-Auth, minimize custom code | |
| 125 | +| Security | Maximum security, thorough review before completion | |
| 126 | +| Testing | Full coverage, all tests pass, security tests included | |
0 commit comments