feat: set up better-auth (#23)

Author: kantord

__tests__/page.test.tsx

@@ -2,12 +2,12 @@ import { render, screen } from "@testing-library/react";
 import { expect, test } from "vitest";
 import Home from "../src/app/page";
 
-test("Home page", () => {
+test("Home page renders welcome heading", () => {
   render(<Home />);
   expect(
     screen.getByRole("heading", {
       level: 1,
-      name: /To get started, edit the page.tsx file./i,
+      name: /Welcome to ToolHive Cloud UI/i,
     }),
   ).toBeDefined();
 });

dev-auth/README.md

@@ -0,0 +1,40 @@
+# Local Development OIDC Provider
+
+This directory contains a simple OIDC provider for local development and testing.
+
+## What is it?
+
+A minimal OIDC-compliant identity provider built with `oidc-provider` that:
+- Automatically logs in a test user (`[email protected]`)
+- Auto-approves all consent requests
+- Supports standard OAuth 2.0 / OIDC flows
+
+## How to use
+
+Start the provider:
+```bash
+pnpm oidc
+```
+
+Or run it alongside the Next.js app:
+```bash
+pnpm dev
+```
+
+The provider runs on `http://localhost:4000` and is already configured in `.env.local`.
+
+## Configuration
+
+The provider is pre-configured with:
+- **Client ID**: `better-auth-dev`
+- **Client Secret**: `dev-secret-change-in-production`
+- **Test User**: `[email protected]` (Test User)
+- **Supported Scopes**: openid, email, profile
+- **Redirect URIs**: Ports 3000-3003 supported
+
+## For Production
+
+Replace this with a real OIDC provider (Okta, Keycloak, Auth0, etc.) by updating the environment variables in `.env.local`:
+- `OIDC_ISSUER_URL`
+- `OIDC_CLIENT_ID`
+- `OIDC_CLIENT_SECRET`

dev-auth/oidc-provider.mjs

@@ -0,0 +1,135 @@
+import Provider from "oidc-provider";
+
+const ISSUER = "http://localhost:4000";
+const PORT = 4000;
+
+// Simple in-memory account storage
+const accounts = {
+  "test-user": {
+    accountId: "test-user",
+    email: "[email protected]",
+    email_verified: true,
+    name: "Test User",
+  },
+};
+
+// Configuration
+const configuration = {
+  clients: [
+    {
+      client_id: "better-auth-dev",
+      client_secret: "dev-secret-change-in-production",
+      redirect_uris: [
+        // Better Auth genericOAuth uses /oauth2/callback/:providerId
+        "http://localhost:3000/api/auth/oauth2/callback/oidc",
+        "http://localhost:3001/api/auth/oauth2/callback/oidc",
+        "http://localhost:3002/api/auth/oauth2/callback/oidc",
+        "http://localhost:3003/api/auth/oauth2/callback/oidc",
+      ],
+      response_types: ["code"],
+      grant_types: ["authorization_code", "refresh_token"],
+      token_endpoint_auth_method: "client_secret_post",
+    },
+  ],
+  cookies: {
+    keys: ["some-secret-key-for-dev"],
+  },
+  findAccount: async (_ctx, id) => {
+    const account = accounts[id];
+    if (!account) return undefined;
+
+    return {
+      accountId: id,
+      async claims() {
+        return {
+          sub: id,
+          email: account.email,
+          email_verified: account.email_verified,
+          name: account.name,
+        };
+      },
+    };
+  },
+  // Simple interaction - auto-login for dev
+  interactions: {
+    url(_ctx, interaction) {
+      return `/interaction/${interaction.uid}`;
+    },
+  },
+  features: {
+    devInteractions: { enabled: true }, // Enable dev interactions for easy testing
+  },
+  claims: {
+    email: ["email", "email_verified"],
+    profile: ["name"],
+  },
+  ttl: {
+    AccessToken: 3600, // 1 hour
+    RefreshToken: 86400 * 30, // 30 days
+  },
+};
+
+const oidc = new Provider(ISSUER, configuration);
+
+// Simple interaction endpoint for dev - auto-login as test-user
+oidc.use(async (ctx, next) => {
+  if (ctx.path.startsWith("/interaction/")) {
+    const _uid = ctx.path.split("/")[2];
+    const interaction = await oidc.interactionDetails(ctx.req, ctx.res);
+
+    if (interaction.prompt.name === "login") {
+      // Auto-login as test-user for dev
+      await oidc.interactionFinished(
+        ctx.req,
+        ctx.res,
+        {
+          login: {
+            accountId: "test-user",
+          },
+        },
+        { mergeWithLastSubmission: false },
+      );
+      return;
+    }
+
+    if (interaction.prompt.name === "consent") {
+      // Auto-consent for dev
+      const grant = new oidc.Grant({
+        accountId: interaction.session.accountId,
+        clientId: interaction.params.client_id,
+      });
+
+      grant.addOIDCScope(
+        interaction.params.scope
+          ?.split(" ")
+          .filter((scope) => ["openid", "email", "profile"].includes(scope))
+          .join(" ") || "openid email profile",
+      );
+
+      await grant.save();
+
+      await oidc.interactionFinished(
+        ctx.req,
+        ctx.res,
+        {
+          consent: {
+            grantId: grant.jti,
+          },
+        },
+        { mergeWithLastSubmission: true },
+      );
+      return;
+    }
+  }
+  await next();
+});
+
+oidc.listen(PORT, () => {
+  console.log(`🔐 OIDC Provider running at ${ISSUER}`);
+  console.log(`📝 Client ID: better-auth-dev`);
+  console.log(`🔑 Client Secret: dev-secret-change-in-production`);
+  console.log(`👤 Test user: [email protected]`);
+  console.log(
+    `\n⚙️  Update your .env.local with:\nOIDC_CLIENT_ID=better-auth-dev\nOIDC_CLIENT_SECRET=dev-secret-change-in-production\nOIDC_ISSUER_URL=${ISSUER}`,
+  );
+});

package.json

@@ -4,16 +4,19 @@
   "private": true,
   "packageManager": "[email protected]",
   "scripts": {
-    "dev": "next dev",
+    "dev": "concurrently -n \"OIDC,Next\" -c \"blue,green\" \"pnpm oidc\" \"pnpm dev:next\"",
+    "dev:next": "next dev",
     "build": "next build",
     "start": "next start",
     "lint": "biome check",
     "format": "biome format --write",
     "test": "vitest",
     "type-check": "tsc --noEmit",
-    "prepare": "husky"
+    "prepare": "husky",
+    "oidc": "node dev-auth/oidc-provider.mjs"
   },
   "dependencies": {
+    "better-auth": "1.4.0-beta.20",
     "next": "16.0.3",
     "react": "19.2.0",
     "react-dom": "19.2.0"
@@ -28,9 +31,11 @@
     "@types/react-dom": "^19",
     "@vitejs/plugin-react": "^5.1.1",
     "babel-plugin-react-compiler": "1.0.0",
+    "concurrently": "^9.2.1",
     "husky": "^9.1.7",
     "jsdom": "^27.2.0",
     "lint-staged": "^16.0.0",
+    "oidc-provider": "^9.5.2",
     "tailwindcss": "^4",
     "typescript": "^5",
     "vite-tsconfig-paths": "^5.1.4",