playbooks

home / skills / doanchienthangdev / omgkit / better-auth

better-auth skill

/plugin/skills/security/better-auth

This skill helps you implement enterprise-grade authentication with Better Auth in TypeScript/Next.js projects, covering email/password, OAuth, MFA, and

npx playbooks add skill doanchienthangdev/omgkit --skill better-auth

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.7 KB
---
name: Implementing Better Auth
description: Claude implements enterprise TypeScript authentication with Better Auth. Use when building auth systems, adding OAuth providers, enabling MFA, or managing sessions in TypeScript/Next.js projects.
---

# Implementing Better Auth

## Quick Start

```typescript
// lib/auth.ts
import { betterAuth } from "better-auth";
import { prismaAdapter } from "better-auth/adapters/prisma";

export const auth = betterAuth({
  database: prismaAdapter(prisma, { provider: "postgresql" }),
  emailAndPassword: { enabled: true, requireEmailVerification: true },
  session: { expiresIn: 60 * 60 * 24 * 7 },
  socialProviders: {
    google: { clientId: process.env.GOOGLE_CLIENT_ID!, clientSecret: process.env.GOOGLE_CLIENT_SECRET! },
  },
});
```

## Features

| Feature | Description | Reference |
|---------|-------------|-----------|
| Email/Password Auth | Secure registration, login, password validation | [Auth Guide](https://www.better-auth.com/docs/authentication/email-password) |
| Social OAuth | Google, GitHub, Discord provider integration | [Social Providers](https://www.better-auth.com/docs/authentication/social-providers) |
| Two-Factor Auth | TOTP-based MFA with backup codes | [2FA Plugin](https://www.better-auth.com/docs/plugins/two-factor) |
| Session Management | Secure cookie-based sessions with refresh | [Sessions](https://www.better-auth.com/docs/concepts/sessions) |
| Rate Limiting | Configurable limits per endpoint | [Rate Limiting](https://www.better-auth.com/docs/concepts/rate-limit) |
| Organizations | Multi-tenant support with roles | [Organizations Plugin](https://www.better-auth.com/docs/plugins/organization) |

## Common Patterns

### Client Setup with Plugins

```typescript
// lib/auth-client.ts
import { createAuthClient } from "better-auth/client";
import { twoFactorClient, organizationClient } from "better-auth/client/plugins";

export const authClient = createAuthClient({
  baseURL: process.env.NEXT_PUBLIC_API_URL,
  plugins: [twoFactorClient(), organizationClient()],
});

export const { signIn, signUp, signOut, useSession } = authClient;
```

### Protected Routes Middleware

```typescript
// middleware.ts
import { auth } from "@/lib/auth";
import { NextRequest, NextResponse } from "next/server";

export async function middleware(request: NextRequest) {
  const session = await auth.api.getSession({ headers: request.headers });

  if (!session && !request.nextUrl.pathname.startsWith("/login")) {
    return NextResponse.redirect(new URL("/login", request.url));
  }
  return NextResponse.next();
}
```

### Two-Factor Authentication Flow

```typescript
// Handle 2FA during sign-in
const { data, error } = await authClient.signIn.email({ email, password });

if (error?.code === "TWO_FACTOR_REQUIRED") {
  // Show 2FA input
  const { data: verified } = await authClient.twoFactor.verify({ code: totpCode });
}

// Enable 2FA for user
const { data } = await authClient.twoFactor.enable();
// data.totpURI contains QR code data
// data.backupCodes contains recovery codes
```

## Best Practices

| Do | Avoid |
|----|-------|
| Require email verification for new accounts | Storing plain-text passwords |
| Enable rate limiting on auth endpoints | Exposing detailed error messages |
| Use httpOnly, secure cookies | Using predictable session tokens |
| Set strong password requirements (12+ chars) | Allowing unlimited login attempts |
| Implement proper session expiration | Storing sensitive data in JWT |
| Log authentication events for auditing | Skipping CSRF protection |

## References

- [Better Auth Documentation](https://www.better-auth.com/docs)
- [Better Auth Plugins](https://www.better-auth.com/docs/plugins)
- [OWASP Authentication Guidelines](https://owasp.org/www-project-web-security-testing-guide/)

Overview

This skill implements enterprise-ready TypeScript authentication using Better Auth. It provides ready-made patterns for email/password, social OAuth, two-factor auth, session handling, and multi-tenant organization support. Use it to add secure, auditable authentication to Next.js and TypeScript projects with Prisma-backed storage and configurable plugins.

How this skill works

The skill exports a configured Better Auth instance for server use and a client wrapper for browser interactions. It wires a database adapter (Prisma), enables email/password and social providers, and optionally adds plugins such as two-factor and organizations. Middleware examples show session validation on requests and the client exposes signIn, signUp, signOut, and useSession helpers for UI flows.

When to use it

  • Building a Next.js or TypeScript app that needs secure authentication backed by Prisma or SQL.
  • Adding OAuth providers (Google, GitHub, Discord) alongside email/password logins.
  • Enabling TOTP two-factor authentication and recovery codes for high-risk accounts.
  • Implementing cookie-based sessions with refresh and server-side session checks.
  • Creating multi-tenant or role-based access using the organizations plugin.

Best practices

  • Require email verification and enforce strong password rules (12+ characters).
  • Enable rate limiting and log auth events for auditing and incident response.
  • Use httpOnly, secure cookies and set reasonable session expiration times.
  • Avoid storing plain-text passwords or sensitive data in JWTs; use adapters.
  • Do not expose detailed auth errors to end users; return generic messages.

Example use cases

  • Secure corporate portal with Google SSO and enforced TOTP for privileged users.
  • Consumer app with email/password onboarding, verification, and session refresh.
  • SaaS product with organizations plugin to manage tenants and role-based access.
  • API protected by middleware that redirects unauthenticated requests to /login.
  • Admin console that requires 2FA and logs authentication events for compliance.

FAQ

Can I use a different database than PostgreSQL?

Yes. The Prisma adapter supports multiple databases; configure the Prisma client for your provider and pass it to the adapter.

How do I enable two-factor authentication for users?

Enable the two-factor plugin on the client and server. During sign-in, handle TWO_FACTOR_REQUIRED responses and call the plugin's verify endpoint. Use the enable endpoint to generate a TOTP URI and recovery codes.