
Password-based auth flow for self-hosted distribution #299

Description

@hebo-agent

Context

Prerequisite for #298 (self-hosted Docker distribution). The self-hosted setup must be fully self-contained — no SMTP, OAuth, or any external dependency required to get started. Email OTP and social OAuth remain available as optional enhancements.

Background

The auth service (apps/auth) currently supports:

  • Email OTP via better-auth's emailOTP plugin (requires SMTP)
  • Social OAuth via Google, GitHub, Microsoft (requires client ID/secret)

Both methods require external service configuration, which is a barrier for quick self-hosted onboarding.

Scope

Add email + password sign-up/sign-in to apps/auth as a first-class method using better-auth's built-in credential-based auth.

Auth service (apps/auth)

  • Enable better-auth's emailAndPassword option in apps/auth/src/better-auth.ts (see better-auth docs)
  • Password hashing is handled by better-auth out of the box
  • Ensure account linking works correctly between password accounts and social/OTP accounts (the accountLinking config with trustedProviders already exists)

Console UI (apps/console)

  • Add email + password sign-up form (email, password, name fields)
  • Add email + password sign-in form (email, password fields)
  • Keep existing social OAuth buttons and email OTP as alternative methods
  • Handle sign-up/sign-in errors (invalid credentials, email already exists, etc.)

Existing behavior

  • Social OAuth (Google, GitHub, Microsoft) continues to work when configured
  • Email OTP continues to work when SMTP is configured
  • Password auth is always available regardless of external service configuration
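Added example (not the project's apps/auth/src/better-auth.ts) covering both the auth-service bullets above and the "Existing behavior" section: a function that assembles the better-auth options from the environment so that `emailAndPassword` is always enabled, each social provider is wired in only when both its client ID and secret are present, and email OTP is flagged only when SMTP is configured. The env var names, the password length limits and the `SMTP_*` variables are assumptions; the option keys (`emailAndPassword`, `socialProviders`, `account.accountLinking.trustedProviders`) are the ones better-auth documents. The real file would spread the returned object into `betterAuth({ database, ...options })` and turn `emailOtpEnabled` into the `emailOTP` plugin entry. Only providers that return a verified email belong in `trustedProviders`, since a trusted provider may be auto-linked to an existing account with the same address.

```typescript
// Added example, not the project's better-auth.ts. Env var names are assumed.

export type AuthEnv = Record<string, string | undefined>;
export type SocialProviderId = "google" | "github" | "microsoft";

export interface SocialProviderConfig {
  clientId: string;
  clientSecret: string;
}

export interface AuthOptions {
  // Always on: a self-hosted install must work with nothing but its database.
  emailAndPassword: {
    enabled: true;
    minPasswordLength: number;
    maxPasswordLength: number;
    autoSignIn: boolean;
    requireEmailVerification: boolean;
  };
  // Only providers whose client ID and secret are both present.
  socialProviders: Partial<Record<SocialProviderId, SocialProviderConfig>>;
  account: {
    accountLinking: { enabled: boolean; trustedProviders: string[] };
  };
  // True when SMTP is configured; the real file maps this onto the emailOTP plugin.
  emailOtpEnabled: boolean;
}

// Assumed env var naming; adjust to the project's .env conventions.
const SOCIAL_ENV: Array<{ id: SocialProviderId; idVar: string; secretVar: string }> = [
  { id: "google", idVar: "GOOGLE_CLIENT_ID", secretVar: "GOOGLE_CLIENT_SECRET" },
  { id: "github", idVar: "GITHUB_CLIENT_ID", secretVar: "GITHUB_CLIENT_SECRET" },
  { id: "microsoft", idVar: "MICROSOFT_CLIENT_ID", secretVar: "MICROSOFT_CLIENT_SECRET" },
];

function present(value: string | undefined): value is string {
  return typeof value === "string" && value.trim().length > 0;
}

export function buildAuthOptions(env: AuthEnv): AuthOptions {
  const socialProviders: AuthOptions["socialProviders"] = {};
  for (const { id, idVar, secretVar } of SOCIAL_ENV) {
    const clientId = env[idVar];
    const clientSecret = env[secretVar];
    if (present(clientId) && present(clientSecret)) {
      socialProviders[id] = { clientId, clientSecret };
    } else if (present(clientId) || present(clientSecret)) {
      // Half-configured provider: fail at startup rather than silently hiding the button.
      throw new Error(`${id}: set both ${idVar} and ${secretVar}, or neither`);
    }
  }

  // Assumed SMTP variables; OTP mail cannot be sent without them.
  const emailOtpEnabled = present(env["SMTP_HOST"]) && present(env["SMTP_FROM"]);

  return {
    emailAndPassword: {
      enabled: true,
      minPasswordLength: 12,   // assumed policy; the console form should mirror it
      maxPasswordLength: 128,
      autoSignIn: true,
      // Verification mail needs SMTP, which the self-contained default does not have.
      requireEmailVerification: false,
    },
    socialProviders,
    account: {
      accountLinking: {
        enabled: true,
        // Trust only providers that hand back a verified email; here the
        // configured social providers are assumed to do so.
        trustedProviders: Object.keys(socialProviders),
      },
    },
    emailOtpEnabled,
  };
}
```

With an empty environment the result enables password auth and nothing else, which is exactly the state the self-hosted onboarding needs; adding the OAuth or SMTP variables later turns the optional methods on without touching code.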

Files likely affected

  • apps/auth/src/better-auth.ts — enable emailAndPassword in the betterAuth() config
  • apps/console/app/routes/ — sign-in and sign-up route components (add password form fields)
  • Auth Prisma schema may need migration if better-auth requires additional columns for password storage

Acceptance criteria

  • User can register with email + password (no SMTP or OAuth configured)
  • User can sign in with email + password
  • Password is securely hashed (handled by better-auth)
  • Account linking works: a user who signed up with password can later link a social account, and vice versa
  • Console UI shows password form alongside existing auth methods
  • Existing email OTP and social OAuth flows are unaffected

Related
