feat(website): replace auth-astro with better-auth

[fhennig]

resolves #1189, #682, #1188

Summary

• Replaces auth-astro + @auth/core with better-auth, running in stateless mode (no database required, JWT-based sessions)
• Removes the custom patch (patches/auth-astro+4.2.0.patch) that was needed to fix TypeScript issues in auth-astro

Changes

• src/auth.ts (new) — better-auth config with GitHub OAuth provider
• src/pages/api/auth/[...all].ts (new) — catch-all route handling all auth requests
• src/middleware/authMiddleware.ts (new) — runs on every request, calls getSession once and populates Astro.locals
• src/backendApi/backendProxy.ts — reads context.locals.user?.githubId via APIContext
• src/components/auth/LoginButton.tsx — signIn('github', ...) → authClient.signIn.social({ provider: 'github', ... })
• src/auth/logout.ts — custom @auth/core logout → auth.api.signOut({ headers, asResponse: true })
• All pages updated to read from Astro.locals instead of calling auth.api.getSession directly
• astro.config.mjs — removed auth() Astro integration

GitHub user ID handling

better-auth's session.user.id is a randomly generated internal ID, not the GitHub numeric user ID. The backend uses the GitHub numeric ID for ownership checks (e.g. who can edit a collection).

The solution: user.additionalFields + mapProfileToUser in auth.ts store the GitHub numeric ID directly on the user object as githubId at login time:

user: {
    additionalFields: {
        githubId: { type: 'string', input: false }
    }
},
socialProviders: {
    github: {
        mapProfileToUser: (profile) => ({ githubId: String(profile.id) })
    }
}

String() is needed because profile.id from GitHub is a number, but the backend stores and compares user IDs as strings. Without the coercion, ownership checks fail due to type mismatch.

This means session.user.githubId is the GitHub numeric ID (as a string) everywhere — no secondary lookups needed. The auth middleware sets it on Astro.locals.user once per request, and all pages and the backend proxy read it from there.

E2E test cookie helper

tests/helpers/auth.ts provides createAuthCookies(accountPayload, sessionPayload) and setupAuthCookie(page, name) to craft valid better-auth session cookies for Playwright tests without a real OAuth flow. The cookies are signed/encrypted using the same AUTH_SECRET the server uses. cookieCache (JWE, 1hr) is enabled so getSession can validate the crafted session_data cookie without an in-memory store lookup.

New Cookies

better-auth sets 3 cookies. A session_token, session_data and account_data. Session data and account data are JWE, encrypted data.

Test plan

• Sign in with GitHub works end-to-end
• Logout works
• Ownership checks work correctly (edit/delete only available for your own collections)
• Protected pages (/collections, /subscriptions) show the login prompt when logged out
• E2E tests pass: npm run e2e

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
dashboards	Ready	Preview, Comment	May 14, 2026 9:07am

[fengelniederhammer]

Found a few things, but looks good otherwise 👍