feat: Implement Better Auth multi-user authentication system #51

@Delqhi

Problem

Currently all settings, API keys, memories, skills, and workspace data are stored globally in .sin-webui/ without any user scoping. This means:

  • Anyone with access to the instance can read/modify all data
  • API keys are global, not per-user
  • Members page shows stubs instead of real user accounts
  • There is no login/session system

Goal

Implement a proper multi-user authentication system using Better Auth that scopes all data per user.

Acceptance Criteria

  • Users can register, log in, log out, and reset passwords
  • Session-based auth protects all API routes (Settings, Workspace, Chat)
  • All file-based stores (.sin-webui/) are scoped per user ID
  • API keys are owned by a specific user and verified against sessions
  • Members feature invites real users (not just email stubs)
  • Role-based access: owner can manage workspace, members have limited access
  • Anonymous/guest mode still works when auth is not configured (backward compat)

Files to modify / create

New files

lib/auth/better-auth.ts           # Better Auth configuration (providers, schema)
lib/auth/schema.ts                # Drizzle/Prisma schema for users, sessions, accounts
lib/auth/middleware.ts            # Session verification middleware for API routes
app/login/page.tsx                # Login page (new design, not the current stub)
app/register/page.tsx             # Registration page
app/forgot-password/page.tsx      # Password reset flow

Files to modify

app/api/settings/preferences/route.ts   # Scope to userId
app/api/settings/files/route.ts         # Scope to userId
app/api/settings/api-keys/route.ts      # Scope to userId, verify session
app/api/settings/members/route.ts       # Real user accounts, not stubs
app/api/settings/activity/route.ts      # Scope to userId
app/api/settings/workspace/route.ts     # Scope to userId
app/api/settings/mcp/route.ts           # Scope to userId
app/api/workspace/files/route.ts        # Verify session
app/api/workspace/versions/route.ts     # Verify session
app/api/workspace/design-edit/route.ts  # Verify session
app/api/chat/route.ts                   # Inject user context into system prompt
app/api/sin/*                           # Verify session before executing CLI
lib/settings/store.ts                   # Add userId parameter to all functions
lib/settings/api-keys.ts                # Add userId to key storage
lib/settings/activity.ts                # Add userId to events
components/settings/account-menu.tsx    # Show real user name/email, logout
components/app-sidebar.tsx              # Show auth state (login/logout)
app/layout.tsx                          # Add AuthProvider (Better Auth session provider)

Files to potentially delete

app/api/auth/login/route.ts            # Replace with Better Auth handlers
app/api/auth/tokens/route.ts           # Replace with Better Auth session tokens

Technical Notes

  • Use Better Auth v1+ with the Next.js app router integration
  • Database: SQLite (via better-sqlite3) or PostgreSQL (existing pool from lib/db.ts)
  • Schema: users, sessions, accounts, verifications tables
  • Middleware: Check session in lib/auth/middleware.ts, apply to all API routes
  • The lib/auth.ts currently has isAuthConfigured() — extend this to check if Better Auth is initialized
  • Keep backward compatibility: if AUTH_SECRET is not set, allow anonymous access (current behavior)
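
An added example, not code from this repository, of how the per-user scoping and the AUTH_SECRET fallback above could fit together: the session's user ID is allowlisted before it becomes a path segment, and a missing session is rejected once auth is configured. The `.sin-webui/users/<id>/` layout, the `Session` shape and all function names are assumptions.

```typescript
// Added example. Directory layout, type names and function names are
// assumptions for illustration, not code from the repository.
type Env = Record<string, string | undefined>;
type Session = { userId: string } | null;
type Scope =
  | { ok: true; mode: "user" | "anonymous"; dir: string }
  | { ok: false; status: 400 | 401; reason: string };

const STORE_ROOT = ".sin-webui";
// The user ID becomes a path segment, so allow only characters that cannot
// form "..", a path separator, or an empty segment.
const SAFE_SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;
const SAFE_FILE = /^[A-Za-z0-9_-]{1,64}(\.[a-z0-9]{1,8})?$/;

// Stand-in for the issue's isAuthConfigured(): auth is on when AUTH_SECRET is set.
function authConfigured(env: Env): boolean {
  return typeof env.AUTH_SECRET === "string" && env.AUTH_SECRET.length > 0;
}

// Decide which store directory a request may touch.
function resolveScope(env: Env, session: Session): Scope {
  if (!authConfigured(env)) {
    // Backward-compatible mode: everything stays in the global store.
    return { ok: true, mode: "anonymous", dir: STORE_ROOT };
  }
  // Auth is configured: a missing session is rejected, never downgraded to guest.
  if (session === null) {
    return { ok: false, status: 401, reason: "session required" };
  }
  if (!SAFE_SEGMENT.test(session.userId)) {
    return { ok: false, status: 400, reason: "invalid user id" };
  }
  return { ok: true, mode: "user", dir: `${STORE_ROOT}/users/${session.userId}` };
}

// Build a file path inside a resolved scope; file names get the same allowlist.
function storePath(scope: Scope, file: string): string | null {
  if (!scope.ok || !SAFE_FILE.test(file)) return null;
  return `${scope.dir}/${file}`;
}
```

A route handler would call `resolveScope` first and return the `status` on failure, so no store function ever receives an unvalidated user ID.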
