Auth: admin / cross-instance access

Objective

  • Align tools (web) login with Better Auth so staff-facing surfaces and mobile can rely on a shared session/token story instead of divergent stacks.
  • Support admin.attik.ai using the same tokens as the main app after sign-in, then applying access rules for admin (exact rule set is still TBD).
  • Ship a placeholder gate for admin (e.g. a flag or role stub) so the admin subdomain can either return 403 or let the request continue, without committing to the final access model.
  • Unblock thin admin shell work (e.g. ATT-1015) once the auth path is no longer “build on login we plan to replace.”

Background

  • The tools app today signs users in with NextAuth (src/auth.ts) and forwards authjs.session-token / __Secure-authjs.session-token to the API from server actions and the tools API proxy (callServerAction.ts, callServerActionNoError.ts, src/app/tools/api/[[...server]]/route.ts). Membership switching also reads those cookies (src/app/tools/notifications/switch-membership/actions.ts).
  • The backend accepts that web session via the authjs.session-token or authjs.session_token cookie, resolves the Session in Mongo (src/routes/login.ts), then loads the user, membership, and company; this is the path most protected routes use today.
  • Better Auth is already mounted for inspector and contact flows at /auth/inspector and /auth/contact (src/routes/login.ts, src/util/functions/betterAuth/auth.ts), with session storage mapped onto the existing session shape (e.g. sessionToken / expires fields).
  • Product/engineering intent: do not grow admin on the current web-only login stack; move front-end login to Better Auth first so all apps share one token/session model. Decisions still pending: who may access admin and which instance sets they see (role, allowlist, table, etc.).

Scope

Frontend

  • Replace or bridge NextAuth-based sign-in and session so tools login and session handling align with the Better Auth contract the backend and mobile already use or will use for shared sessions. Touchpoints include src/auth.ts, auth route handlers under the app router, and any code that assumes NextAuth session shape or authjs.session-token for API calls.
  • Review membership/company switching and server-side fetch helpers that attach the session cookie so they still work after the auth migration.

Backend

  • Ensure the cookie/session resolution path in src/routes/login.ts (and related session/user loading) remains consistent with Better Auth sessions for staff/web users, in line with src/util/functions/betterAuth/auth.ts and existing Session / User / Membership models.
  • src/routes/authenticate.ts remains the legacy HTTP surface for user lookup, invites, and related flows; scope includes whatever coupling exists between that surface and the eventual web login stack.
  • Implement or wire admin subdomain checks so that, after authentication, a placeholder rule can deny or allow admin (exact product rule TBD).
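The cookie-to-session resolution described in Background, followed by the placeholder admin gate from the bullet above, as an added example that is not attik-backend code. The names SessionRecord, resolveWebSession and adminGate, the isAdmin stub flag, and the in-memory Map standing in for the Mongo Session collection are all assumptions.

```typescript
// Added example, not project code. Assumed shape: the Session row keeps the
// sessionToken / expires fields the page mentions; isAdmin is a stub flag.
type SessionRecord = { sessionToken: string; userId: string; expires: Date; isAdmin?: boolean };

// Cookie names the page lists: the __Secure- variant, the NextAuth default,
// and the underscore spelling the backend also accepts.
const SESSION_COOKIES = ["__Secure-authjs.session-token", "authjs.session-token", "authjs.session_token"];

function parseCookies(header: string | undefined): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of (header ?? "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    // First occurrence wins so a duplicated cookie cannot override an earlier one.
    if (name && !out.has(name)) out.set(name, value);
  }
  return out;
}

// Mirrors the backend path: pick the session cookie, look the token up, then
// load the session only if it has not expired. Expired rows count as absent
// even if the store still holds them.
function resolveWebSession(
  cookieHeader: string | undefined,
  store: Map<string, SessionRecord>,
  now: Date,
): SessionRecord | null {
  const cookies = parseCookies(cookieHeader);
  for (const name of SESSION_COOKIES) {
    const token = cookies.get(name);
    if (!token) continue;
    const session = store.get(token);
    if (session && session.expires.getTime() > now.getTime()) return session;
  }
  return null;
}

// Placeholder gate: authentication first (401), then the stub admin rule is
// applied only on the admin host (403); every other host passes through.
function adminGate(host: string, session: SessionRecord | null): 200 | 401 | 403 {
  if (!session) return 401;
  if (host.toLowerCase() !== "admin.attik.ai") return 200;
  return session.isAdmin === true ? 200 : 403; // stub until the real rule lands
}
```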

Config / ops

  • Environment variables already used by Better Auth (e.g. BETTER_AUTH_URL, BETTER_AUTH_SECRET / AUTH_SECRET, SERVER_URL) in auth.ts may need to cover admin.attik.ai and its cookie domains as part of rollout; a decision is needed on host and cookie policy.

References

  • Better Auth: better-auth.com
  • Backend entry: attik-backend/src/routes/login.ts, attik-backend/src/util/functions/betterAuth/auth.ts
  • Frontend entry: attik-frontend/src/auth.ts, attik-frontend/src/app/tools/api/[[...server]]/route.ts

Status: Completed
Board: Main App
Date: 3 months ago
Author: Linear
