feat(api): add better-auth admin plugin + close public sign-up (migration 0002)

apps/api/test/auth.test.ts

@@ -1,28 +1,25 @@
 import { describe, it, expect } from 'vitest';
 import { createApp } from '../src/app';
-
-const json = { 'content-type': 'application/json' };
+import { authToken } from './helpers';
 
 describe('auth', () => {
-  it('signs a user up and signs them in, returning a bearer token', async () => {
+  it('signs in an admin-created user, returning a bearer token', async () => {
     const app = createApp();
-    const creds = { email: 'worker@example.com', password: 'sterk-wachtwoord-123', name: 'Worker' };
-
-    const signup = await app.request('/api/auth/sign-up/email', {
-      method: 'POST',
-      headers: json,
-      body: JSON.stringify(creds),
-    });
-    expect(signup.status).toBe(200);
-
-    const signin = await app.request('/api/auth/sign-in/email', {
-      method: 'POST',
-      headers: json,
-      body: JSON.stringify({ email: creds.email, password: creds.password }),
-    });
-    expect(signin.status).toBe(200);
-
-    const token = signin.headers.get('set-auth-token');
+    const token = await authToken(app, 'worker@example.com');
     expect(token).toBeTruthy();
   });
+
+  it('rejects public sign-up (admin creates users)', async () => {
+    const app = createApp();
+    const res = await app.request('/api/auth/sign-up/email', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({
+        email: 'should-not-exist@example.com',
+        password: 'sterk-wachtwoord-123',
+        name: 'Nope',
+      }),
+    });
+    expect(res.status).toBeGreaterThanOrEqual(400);
+  });
 });