Authentication

Product Factory uses Better Auth for authentication, running on the worker-auth service with a Drizzle ORM adapter backed by Cloudflare D1.

Authentication Flow

  1. User submits email and password to the gateway at /auth/sign-up/email or /auth/sign-in/email.
  2. The gateway proxies the request directly to worker-auth (no session check required for auth routes).
  3. Better Auth handles password hashing (scrypt), creates a user record, and issues a session cookie.
  4. Subsequent requests include the session cookie. The gateway calls /auth/get-session on worker-auth to verify the session.
  5. If valid, the gateway injects X-User-Id, X-User-Role, and X-App-Key headers before proxying to downstream workers.

Session Management

Sessions are stored in D1 via Better Auth’s Drizzle adapter. Key behaviors:

Behavior          Detail
Session storage   D1 session table via Drizzle adapter
Session duration  Configurable, defaults to 7 days
Cookie            better-auth.session_token, httpOnly, secure, sameSite=lax
Banned users      Rejected in Better Auth after-hook with session cleanup

Password Migration

Legacy users with PBKDF2-hashed passwords are automatically migrated to scrypt on their next successful login. The migration happens transparently in the Better Auth verify hook.

Protected Routes

Frontend apps use the auth middleware (createAuthMiddleware) from @repo/app-utils to protect pages:

// In Astro middleware
import { createAuthMiddleware } from "@repo/app-utils";

export const onRequest = createAuthMiddleware({
  cookieName: "web_token",
  protectedPrefixes: ["/dashboard"],
  gatewayUrl: "http://localhost:8787",
});

The middleware calls the gateway’s /auth/get-session endpoint. If the session is invalid, it redirects to the login page.

User Roles

Role    Access
user    Dashboard, tickets, orders, AI chat
admin   Full admin console access

Role checks are performed in the gateway middleware and enforced by individual workers via the X-User-Role header.
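As an added example (not the gateway's or Better Auth's own code) of steps 4 and 5 of the authentication flow and of the X-User-Role header the workers rely on: the gateway verifies the session cookie against worker-auth and injects the identity headers only after discarding any copies the client sent itself. Assumed here are the JSON shape of the /auth/get-session response, the placeholder app key, and the injectable fetch used to run it offline.

```javascript
// Added example, not Product Factory gateway code. Assumes worker-auth answers
// GET {authBaseUrl}/auth/get-session with { session, user: { id, role } } or
// null; the app key and cookie values used with it are constructed placeholders.

// Identity headers only the gateway may set. Any copy of them arriving from the
// client is discarded so downstream workers never trust a caller-chosen value.
const IDENTITY_HEADERS = ["x-user-id", "x-user-role", "x-app-key"];

// Look up one header by name, case-insensitively, in a plain header object.
function getHeader(headers, name) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return hit ? hit[1] : undefined;
}

// Ask worker-auth whether the caller's cookie is a valid session.
// fetchImpl is injectable so the function can be exercised offline.
async function getSession(cookieHeader, authBaseUrl, fetchImpl = fetch) {
  if (!cookieHeader) return null;
  const res = await fetchImpl(`${authBaseUrl}/auth/get-session`, {
    method: "GET",
    headers: { cookie: cookieHeader },
  });
  if (!res.ok) return null;
  const body = await res.json();
  // No session => null body; also guard against an unexpected shape.
  if (!body || !body.user || typeof body.user.id !== "string") return null;
  return body.user;
}

// Build the header set forwarded downstream: strip every client-supplied
// identity header, then inject the verified values.
function buildDownstreamHeaders(incoming, user, appKey) {
  const out = {};
  for (const [name, value] of Object.entries(incoming)) {
    if (!IDENTITY_HEADERS.includes(name.toLowerCase())) out[name] = value;
  }
  out["x-user-id"] = user.id;
  // Only the two roles the system defines are ever forwarded.
  out["x-user-role"] = user.role === "admin" ? "admin" : "user";
  out["x-app-key"] = appKey;
  return out;
}

// Gateway decision for one request. Returns the headers to proxy with, or null
// when the session is invalid (the caller should answer 401 and not proxy).
async function authorizeRequest(incoming, authBaseUrl, appKey, fetchImpl = fetch) {
  const user = await getSession(getHeader(incoming, "cookie"), authBaseUrl, fetchImpl);
  return user ? buildDownstreamHeaders(incoming, user, appKey) : null;
}
```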

OAuth / Social Login

Product Factory supports Google and GitHub OAuth login alongside email/password.

Configuration

  1. Set GOOGLE_CLIENT_ID + GOOGLE_CLIENT_SECRET and/or GITHUB_CLIENT_ID + GITHUB_CLIENT_SECRET on worker-auth.
  2. Providers are automatically enabled when both ID and secret are present.
  3. Configure OAuth app callback URLs to {AUTH_BASE_URL}/auth/callback/google and {AUTH_BASE_URL}/auth/callback/github.
  4. If you want the admin auth settings page to show providers as “configured”, mirror the same provider secrets on worker-admin as well.

Provider Toggles

Admins can enable or disable individual login methods (email/password, Google, GitHub) via the admin auth settings UI at /admin/auth-providers. Toggle state is stored in D1 and enforced by worker-auth before forwarding to Better Auth.

Account Linking

When a user signs in via OAuth with an email that matches an existing email/password account, Better Auth links the accounts automatically.

API Endpoints

See the Auth API Reference for the complete list of authentication endpoints.