Skill

better-auth

Integrates Better Auth with NestJS backends and Next.js App Router frontends using Drizzle ORM and PostgreSQL. Covers database setup, social logins, 2FA, organizations, passkeys, and protected routes.

Next.js

Typescript

Drizzle

PostgreSQL

authentication

From developer-kit-typescript

Install

Run in your terminal

npx claudepluginhub giuseppe-trisciuoglio/developer-kit --plugin developer-kit-typescript

Tool Access

This skill is limited to using the following tools:

ReadWriteEditGlobGrepBash

Supporting Assets

View in Repository

assets/env.example

assets/nestjs/auth.controller.ts

assets/nestjs/auth.guard.ts

assets/nestjs/auth.module.ts

assets/nestjs/auth.schema.ts

assets/nestjs/auth.service.ts

assets/nestjs/database.module.ts

assets/nestjs/database.service.ts

assets/nextjs/auth-client.ts

assets/nextjs/auth-route.ts

assets/nextjs/dashboard-page.tsx

assets/nextjs/middleware.ts

assets/nextjs/sign-in-page.tsx

assets/nextjs/use-session.ts

references/best-practices.md

references/examples.md

references/mfa-2fa.md

references/nestjs-setup.md

references/nextjs-setup.md

references/passkey.md

Skill Content

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.6k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.6k

Agent Development

6 files

Guides agent creation for Claude Code plugins with file templates, frontmatter specs (name, description, model), triggering examples, system prompts, and best practices.

plugin-dev

83.2k

Stats

Parent Repo Stars174

Parent Repo Forks17

Last CommitMar 24, 2026

Actions

View Source View Plugin View on GitHub View README

Better Auth Integration Guide

Overview

Better Auth is a type-safe authentication framework for TypeScript supporting multiple providers, 2FA, SSO, organizations, and passkeys. This skill covers integration patterns for NestJS backend with Drizzle ORM + PostgreSQL and Next.js App Router frontend.

When to Use

Setting up Better Auth with NestJS backend
Integrating Next.js App Router frontend
Configuring Drizzle ORM schema with PostgreSQL
Implementing social login (GitHub, Google, Facebook, Microsoft)
Adding MFA/2FA with TOTP, passkey passwordless auth, or magic links
Managing trusted devices and backup codes for account recovery
Building multi-tenant apps with organizations or SSO
Creating protected routes with session management

Quick Start

Installation

# Backend (NestJS)
npm install better-auth @auth/drizzle-adapter drizzle-orm pg
npm install -D drizzle-kit

# Frontend (Next.js)
npm install better-auth

4-Phase Setup

Database: Install Drizzle, configure schema, run migrations
Backend: Create Better Auth instance with NestJS module
Frontend: Configure auth client, create pages, add middleware
Plugins: Add 2FA, passkey, organizations as needed

See references/nestjs-setup.md for complete backend setup, references/plugins.md for plugin configuration.

Instructions

Phase 1: Database Setup

Install dependencies

npm install drizzle-orm pg @auth/drizzle-adapter better-auth
npm install -D drizzle-kit

Create Drizzle config (drizzle.config.ts)

import { defineConfig } from 'drizzle-kit';
export default defineConfig({
  schema: './src/auth/schema.ts',
  out: './drizzle',
  dialect: 'postgresql',
  dbCredentials: { url: process.env.DATABASE_URL! },
});

Generate and run migrations
```
npx drizzle-kit generate
npx drizzle-kit migrate
```
Checkpoint: Verify tables created: psql $DATABASE_URL -c "\dt" should show user, account, session, verification_token tables.

Phase 2: Backend Setup (NestJS)

Create database module - Set up Drizzle connection service

Configure Better Auth instance

// src/auth/auth.instance.ts
import { betterAuth } from 'better-auth';
import { drizzleAdapter } from '@auth/drizzle-adapter';
import * as schema from './schema';

export const auth = betterAuth({
  database: drizzleAdapter(schema, { provider: 'postgresql' }),
  emailAndPassword: { enabled: true },
  socialProviders: {
    github: {
      clientId: process.env.AUTH_GITHUB_CLIENT_ID!,
      clientSecret: process.env.AUTH_GITHUB_CLIENT_SECRET!,
    }
  }
});

Create auth controller

@Controller('auth')
export class AuthController {
  @All('*')
  async handleAuth(@Req() req: Request, @Res() res: Response) {
    return auth.handler(req);
  }
}

Checkpoint: Test endpoint GET /auth/get-session returns { session: null } when unauthenticated (no error).

Phase 3: Frontend Setup (Next.js)

Configure auth client (lib/auth.ts)

import { createAuthClient } from 'better-auth/client';
export const authClient = createAuthClient({
  baseURL: process.env.NEXT_PUBLIC_APP_URL!
});

Add middleware (middleware.ts)

import { auth } from '@/lib/auth';
export default auth((req) => {
  if (!req.auth && req.nextUrl.pathname.startsWith('/dashboard')) {
    return Response.redirect(new URL('/sign-in', req.nextUrl.origin));
  }
});
export const config = { matcher: ['/dashboard/:path*'] };

Create sign-in page with form or social buttons

Checkpoint: Navigating to /dashboard when logged out should redirect to /sign-in.

Phase 4: Advanced Features

Add plugins from references/plugins.md:

2FA: twoFactor({ issuer: 'AppName', otpOptions: { sendOTP } })
Passkey: passkey({ rpID: 'domain.com', rpName: 'App' })
Organizations: organization({ avatar: { enabled: true } })
Magic Link: magicLink({ sendMagicLink })
SSO: sso({ saml: { enabled: true } })

Checkpoint: After adding plugins, re-run migrations and verify new tables exist.

Examples

Example 1: Server Component with Session

Input: Display user data in a Next.js Server Component.

// app/dashboard/page.tsx
import { auth } from '@/lib/auth';
import { redirect } from 'next/navigation';

export default async function DashboardPage() {
  const session = await auth();

  if (!session) {
    redirect('/sign-in');
  }

  return (
    <div>
      <h1>Welcome, {session.user.name}</h1>
      <p>Email: {session.user.email}</p>
    </div>
  );
}

Output: Renders user info for authenticated users; redirects unauthenticated to sign-in.

Example 2: 2FA TOTP Verification with Trusted Device

Input: User has 2FA enabled and wants to sign in, marking device as trusted.

// Server: Configure 2FA with OTP sending
export const auth = betterAuth({
  plugins: [
    twoFactor({
      issuer: 'MyApp',
      otpOptions: {
        async sendOTP({ user, otp }, ctx) {
          await sendEmail({
            to: user.email,
            subject: 'Your verification code',
            body: `Code: ${otp}`
          });
        }
      }
    })
  ]
});

// Client: Verify TOTP and trust device
const verify2FA = async (code: string) => {
  const { data } = await authClient.twoFactor.verifyTotp({
    code,
    trustDevice: true  // Device trusted for 30 days
  });

  if (data) {
    router.push('/dashboard');
  }
};

Output: User authenticated; device trusted for 30 days without 2FA prompt.

Example 3: Passkey Registration and Login

Input: Enable passkey (WebAuthn) authentication for passwordless login.

// Server
import { passkey } from '@better-auth/passkey';
export const auth = betterAuth({
  plugins: [
    passkey({
      rpID: 'example.com',
      rpName: 'My App',
    })
  ]
});

// Client: Register passkey
const registerPasskey = async () => {
  const { data } = await authClient.passkey.register({
    name: 'My Device'
  });
};

// Client: Sign in with autofill
const signInWithPasskey = async () => {
  await authClient.signIn.passkey({
    autoFill: true,  // Browser suggests passkey
  });
};

Output: Users can register and authenticate with biometrics, PIN, or security keys.

For more examples (backup codes, organizations, magic link, conditional UI), see references/plugins.md and references/passkey.md.

Best Practices

Environment Variables: Store all secrets in .env, add to .gitignore
Secret Generation: Use openssl rand -base64 32 for BETTER_AUTH_SECRET
HTTPS Required: OAuth callbacks need HTTPS (use ngrok for local testing)
Session Expiration: Configure based on security requirements (7 days default)
Database Indexing: Add indexes on email, userId for performance
Error Handling: Return generic errors without exposing sensitive details
Rate Limiting: Add to auth endpoints to prevent brute force attacks
Type Safety: Use npx better-auth typegen for full TypeScript coverage

Constraints and Warnings

Security Notes

Never commit secrets: Add .env to .gitignore; never commit OAuth secrets or DB credentials
Validate redirect URLs: Always validate OAuth redirect URLs to prevent open redirects
Hash passwords: Better Auth handles password hashing automatically; never implement custom hashing
Session storage: For production, use Redis or another scalable session store
HTTPS Only: Always use HTTPS for authentication in production
Email Verification: Always implement email verification for password-based auth

Known Limitations

Better Auth requires Node.js 18+ for Next.js App Router support
Some OAuth providers require specific redirect URL formats
Passkeys require HTTPS and compatible browsers
Organization features require additional database tables

Resources

Documentation

Better Auth - Official documentation
Drizzle ORM - Database ORM
NestJS - Backend framework
Next.js - Frontend framework

Reference Implementations

references/nestjs-setup.md - Complete NestJS backend setup
references/nextjs-setup.md - Complete Next.js frontend setup
references/plugins.md - Plugin configuration (2FA, passkey, organizations, SSO, magic link)
references/mfa-2fa.md - Detailed MFA/2FA guide
references/passkey.md - Detailed passkey implementation
references/schema.md - Drizzle schema reference
references/social-providers.md - Social provider configuration