Context
Prerequisite for #298 (self-hosted Docker distribution). The self-hosted setup must be fully self-contained — no SMTP, OAuth, or any external dependency required to get started. Email OTP and social OAuth remain available as optional enhancements.
Background
The auth service (apps/auth) currently supports:
- Email OTP via
better-auth's emailOTP plugin (requires SMTP)
- Social OAuth via Google, GitHub, Microsoft (requires client ID/secret)
Both methods require external service configuration, which is a barrier for quick self-hosted onboarding.
Scope
Add email + password sign-up/sign-in to apps/auth as a first-class method using better-auth's built-in credential-based auth.
Auth service (apps/auth)
- Enable
better-auth's emailAndPassword option in apps/auth/src/better-auth.ts (see better-auth docs)
- Password hashing is handled by
better-auth out of the box
- Ensure account linking works correctly between password accounts and social/OTP accounts (the
accountLinking config with trustedProviders already exists)
Console UI (apps/console)
- Add email + password sign-up form (email, password, name fields)
- Add email + password sign-in form (email, password fields)
- Keep existing social OAuth buttons and email OTP as alternative methods
- Handle sign-up/sign-in errors (invalid credentials, email already exists, etc.)
Existing behavior
- Social OAuth (Google, GitHub, Microsoft) continues to work when configured
- Email OTP continues to work when SMTP is configured
- Password auth is always available regardless of external service configuration
Files likely affected
apps/auth/src/better-auth.ts — enable emailAndPassword in the betterAuth() config
apps/console/app/routes/ — sign-in and sign-up route components (add password form fields)
- Auth Prisma schema may need migration if
better-auth requires additional columns for password storage
Acceptance criteria
Related
Context
Prerequisite for #298 (self-hosted Docker distribution). The self-hosted setup must be fully self-contained — no SMTP, OAuth, or any external dependency required to get started. Email OTP and social OAuth remain available as optional enhancements.
Background
The auth service (
apps/auth) currently supports:better-auth'semailOTPplugin (requires SMTP)Both methods require external service configuration, which is a barrier for quick self-hosted onboarding.
Scope
Add email + password sign-up/sign-in to
apps/authas a first-class method usingbetter-auth's built-in credential-based auth.Auth service (
apps/auth)better-auth'semailAndPasswordoption inapps/auth/src/better-auth.ts(see better-auth docs)better-authout of the boxaccountLinkingconfig withtrustedProvidersalready exists)Console UI (
apps/console)Existing behavior
Files likely affected
apps/auth/src/better-auth.ts— enableemailAndPasswordin thebetterAuth()configapps/console/app/routes/— sign-in and sign-up route components (add password form fields)better-authrequires additional columns for password storageAcceptance criteria
better-auth)Related