Problem
All API endpoints, including `GET /api/freshman`, are currently publicly accessible without any authentication. This means anyone can query the recruitment data without authorization.
Proposed Solution
Integrate better-auth into the Cloudflare Workers backend to:
- Provide OIDC-based login via Logto (Authorization Code + PKCE flow)
- Protect `GET /api/freshman` — only authenticated sessions may access it
- Keep `POST /api/freshman` public for open recruitment form submissions
- Store sessions in the existing Cloudflare D1 database via the Kysely adapter
Implementation Notes
- Mount the better-auth handler at `/api/auth/*` (sign-in, callback, sign-out, session endpoints)
- Use the `genericOAuth` plugin pointed at the Logto OIDC discovery endpoint
- Use the `bearer` plugin so the frontend can authenticate via `Authorization: Bearer <token>`
- D1 migration adds four tables: `user`, `session`, `account`, `verification`
- Requires three Wrangler secrets: `BETTER_AUTH_SECRET`, `LOGTO_CLIENT_ID`, `LOGTO_CLIENT_SECRET`
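The route-level gate that the proposal above implies, written out as an added example (this is not code from the issue or from the project, and it does not depend on better-auth so it runs stand-alone). It delegates `/api/auth/*` to an injected auth handler, keeps `POST /api/freshman` public, requires a session for `GET /api/freshman`, and fails closed for any other `/api/` route so that a future endpoint is not exposed by default, which goes slightly beyond the issue's two listed routes. The `getSession(headers)`, `authHandler(request)` and `apiHandler(request, session)` dependencies are assumptions; in the real integration they would be backed by better-auth's `auth.api.getSession` and `auth.handler`.

```javascript
// Added example, not the project's code. Route-level authorization for a Workers
// backend where /api/auth/* is owned by the auth library and POST /api/freshman
// must stay public. All I/O dependencies are injected (assumed interfaces).

const PUBLIC_ROUTES = [{ method: "POST", path: "/api/freshman" }];
const AUTH_PREFIX = "/api/auth/";

function matchesRoute(routes, method, pathname) {
  return routes.some((r) => r.method === method && r.path === pathname);
}

// Pull the token out of "Authorization: Bearer <token>"; null when absent or malformed.
function extractBearerToken(authorizationHeader) {
  if (typeof authorizationHeader !== "string") return null;
  const m = /^Bearer\s+([^\s]+)$/i.exec(authorizationHeader.trim());
  return m ? m[1] : null;
}

// Pure policy decision, separated from I/O so it can be unit-tested:
//   "auth"  -> hand the request to the auth handler
//   "allow" -> run the API handler
//   "deny"  -> respond 401
//   "none"  -> not an API route (404)
function decideAccess(method, pathname, hasSession) {
  if (pathname.startsWith(AUTH_PREFIX)) return "auth";
  if (matchesRoute(PUBLIC_ROUTES, method, pathname)) return "allow";
  // Fail closed: every other /api route needs a session, not only GET /api/freshman.
  if (pathname.startsWith("/api/")) return hasSession ? "allow" : "deny";
  return "none";
}

// Worker-style fetch handler. `deps` supplies (assumed interfaces):
//   getSession(headers)          -> Promise<object|null>
//   authHandler(request)         -> Promise<Response>
//   apiHandler(request, session) -> Promise<Response>
async function handleRequest(request, deps) {
  const { pathname } = new URL(request.url);
  const method = request.method.toUpperCase();

  // Only resolve a session when the request carries a credential, so anonymous
  // public form submissions do not cost a session lookup in D1.
  const token = extractBearerToken(request.headers.get("authorization"));
  const cookie = request.headers.get("cookie");
  const session = token || cookie ? await deps.getSession(request.headers) : null;

  switch (decideAccess(method, pathname, Boolean(session))) {
    case "auth":
      return deps.authHandler(request);
    case "allow":
      return deps.apiHandler(request, session || null);
    case "deny":
      return new Response(JSON.stringify({ error: "unauthorized" }), {
        status: 401,
        headers: { "content-type": "application/json", "www-authenticate": "Bearer" },
      });
    default:
      return new Response("not found", { status: 404 });
  }
}

// Constructed fake dependencies: one valid token, no real Logto, D1 or better-auth.
const fakeDeps = {
  getSession: async (headers) =>
    extractBearerToken(headers.get("authorization")) === "demo-token" ? { userId: "u1" } : null,
  authHandler: async () => new Response("auth", { status: 200 }),
  apiHandler: async (_req, session) =>
    new Response(JSON.stringify({ asUser: session ? session.userId : null }), { status: 200 }),
};

// Runs three constructed requests through the gate and returns their status codes.
async function demo() {
  const base = "https://example.invalid";
  const anonymousGet = await handleRequest(new Request(base + "/api/freshman"), fakeDeps);
  const authedGet = await handleRequest(
    new Request(base + "/api/freshman", { headers: { authorization: "Bearer demo-token" } }),
    fakeDeps,
  );
  const anonymousPost = await handleRequest(
    new Request(base + "/api/freshman", { method: "POST", body: "{}" }),
    fakeDeps,
  );
  return [anonymousGet.status, authedGet.status, anonymousPost.status];
}
```

Call `demo()` to see the three outcomes (anonymous GET rejected, bearer-authenticated GET served, anonymous POST served). Keeping `decideAccess` pure means the allow/deny table can be tested without a database, and the deny-by-default branch is where a newly added endpoint would have to be consciously whitelisted rather than silently becoming public. When wiring this to better-auth, the request headers must be forwarded unchanged to the session lookup so the `bearer` plugin can see the `Authorization` header.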