feat(api): add better-auth admin plugin + close public sign-up (migration 0002)

2026-06-17 17:36:26 +02:00
parent f6bd8eb036
commit c73fa0f898
7 changed files with 626 additions and 37 deletions
--- a/apps/api/src/auth.ts
+++ b/apps/api/src/auth.ts
@@ -1,6 +1,6 @@
 import { betterAuth } from 'better-auth';
 import { drizzleAdapter } from 'better-auth/adapters/drizzle';
-import { bearer } from 'better-auth/plugins';
+import { admin, bearer } from 'better-auth/plugins';
 import { db } from './db/client';
 import * as schema from './db/schema';
 import { env } from './env';
@@ -13,6 +13,7 @@ export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
    requireEmailVerification: false,
+    disableSignUp: true, // admin creates users; see docs/plans/phase-2-accounts-roles.md
  },
-  plugins: [bearer()],
+  plugins: [bearer(), admin({ defaultRole: 'worker', adminRoles: ['admin'] })],
 });
--- a/apps/api/src/db/schema.ts
+++ b/apps/api/src/db/schema.ts
@@ -11,6 +11,10 @@ export const user = sqliteTable('user', {
  email: text('email').notNull().unique(),
  emailVerified: integer('email_verified', { mode: 'boolean' }).default(false).notNull(),
  image: text('image'),
+  role: text('role'),
+  banned: integer('banned', { mode: 'boolean' }),
+  banReason: text('ban_reason'),
+  banExpires: integer('ban_expires', { mode: 'timestamp_ms' }),
  createdAt: integer('created_at', { mode: 'timestamp_ms' })
    .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
    .notNull(),
@@ -34,6 +38,7 @@ export const session = sqliteTable(
      .notNull(),
    ipAddress: text('ip_address'),
    userAgent: text('user_agent'),
+    impersonatedBy: text('impersonated_by'),
    userId: text('user_id')
      .notNull()
      .references(() => user.id, { onDelete: 'cascade' }),