Dev/auth

[PunGrumpy]

This pull request includes multiple dependency updates across various packages to ensure compatibility and leverage the latest features and bug fixes. The most important changes include updating the next and typescript versions in multiple packages, adding new environment variables to the authentication package, and updating various @radix-ui dependencies in the UI package.

Dependency updates:

• Updated next to version 15.2.5 in apps/api/package.json, apps/web/package.json, packages/auth/package.json, and packages/next-config/package.json. [1] [2] [3] [4]
• Updated typescript to version 5.8.3 in apps/api/package.json, apps/web/package.json, package.json, packages/database/package.json, packages/observability/package.json, and packages/ui/package.json. [1] [2] [3] [4] [5] [6]

Environment variables:

• Added RESEND_FROM and RESEND_TOKEN environment variables to packages/auth/.env.example.

UI package updates:

• Updated various @radix-ui dependencies to their latest versions in packages/ui/package.json.

Other notable updates:

• Updated posthog-js to version 1.235.0 and posthog-node to version 4.11.3 in packages/analytics/package.json.
• Updated turbo to version 2.5.0 and bun to version 1.2.9 in package.json.

Summary by CodeRabbit

• New Features

  • Enhanced authentication with support for organization management.
  • Introduced new database structures to facilitate invitations, memberships, and organizational collaboration.
  • Expanded configuration options with additional environment settings for email and authentication.

• Chores

  • Upgraded various dependency versions and package manager settings to improve stability and performance.
  • Applied schema and migration updates to maintain data integrity.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
blackhead-api	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 22, 2025 6:31am
blackhead-web	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 22, 2025 6:31am

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This PR updates dependency versions across multiple package manifests in various applications and packages. It revises versions for packages such as Next, TypeScript, and several @types libraries. It also reintroduces and adds environment variables for authentication configuration while enhancing the auth client and server by integrating additional plugins for organization management and OpenAPI support. In addition, the PR introduces new database migration scripts and schema updates to create tables for organizations, members, and invitations, along with associated foreign key constraints and journal metadata.

Changes

File(s)	Change Summary
apps/api/package.json, apps/web/package.json	Updated dependency versions: next (^15.2.4 → ^15.2.5), @types/react-dom (19.1.1 → 19.1.2), and typescript (5.8.2 → 5.8.3).
package.json	Upgraded turbo (^2.4.4 → ^2.5.0), typescript (5.8.2 → 5.8.3), and updated packageManager (bun@1.2.8 → bun@1.2.9).
packages/analytics/package.json	Updated dependency versions: posthog-js (^1.234.9 → ^1.235.0), posthog-node (^4.11.1 → ^4.11.3), and @types/react-dom (19.1.1 → 19.1.2).
packages/auth/package.json	Bumped versions for better-auth (1.2.4 → 1.2.5) and next (^15.2.4 → ^15.2.5).
packages/email/package.json, packages/next-config/package.json, packages/observability/package.json	Minor dependency updates: next, @types/react-dom, react-email, and typescript versions adjusted.
packages/ui/package.json	Updated multiple dependencies including various @radix-ui/* packages, embla-carousel-react, tailwindcss, and tailwind-merge with minor version bumps.
packages/database/package.json	Updated typescript version (^5.8.2 → ^5.8.3).
packages/auth/.env.example	Reintroduced GITLAB_CLIENT_SECRET (uncommented) and added new variables: RESEND_FROM and RESEND_TOKEN.
packages/auth/client.ts, packages/auth/server.ts	Integrated new organization-related plugins: added organizationClient() in client and added organization() and openAPI() alongside nextCookies() on the server, with enhanced type definitions.
packages/auth/tsconfig.json	Added new path aliases ("@/*": "./*", "@repo/*": "../../packages/*") under compilerOptions for module resolution.
packages/database/migrations/0002_workable_goblin_queen.sql, packages/database/migrations/meta/0002_snapshot.json, packages/database/migrations/meta/_journal.json, packages/database/schema.ts	Introduced a new SQL migration creating invitation, member, and organization tables; updated the session table with active_organization_id; added foreign key constraints, a snapshot JSON, a journal entry, and extended the schema to support organizational structures.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Auth Client Caller
    participant AC as createAuthClient
    participant OrgPlugin as organizationClient()
    participant Infer as inferAdditionalFields()
    
    Client->>AC: Initialize auth client
    AC->>OrgPlugin: Load organization plugin
    OrgPlugin-->>AC: Plugin ready
    AC->>Infer: Load additional fields
    Infer-->>AC: Plugin ready
    AC-->>Client: Return configured auth client

Loading

sequenceDiagram
    participant Server as Auth Server
    participant BA as betterAuth
    participant Org as organization()
    participant API as openAPI()
    participant Cookies as nextCookies()

    Server->>BA: Configure auth with plugins
    BA->>Org: Initialize organization plugin
    Org-->>BA: Organization plugin ready
    BA->>API: Initialize openAPI plugin
    API-->>BA: openAPI plugin ready
    BA->>Cookies: Initialize nextCookies plugin
    Cookies-->>BA: Plugin ready
    BA-->>Server: Return configured auth instance

Loading

Possibly related PRs

• feat(api): initialize API service with Docker configuration, environment variables, middleware, and TypeScript setup #4: Involves similar dependency updates in package.json files, specifically the version bump for the next package, which aligns closely with changes introduced here.

Poem

I’m a bunny in the code,
Hopping through versions, light as a node.
With plugins and migrations in a rhythmic beat,
I nibble on changes, oh so neat.
Hop along, dear coder, our app’s now complete! 🐰✨

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[PunGrumpy]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/auth/.env.example (1)

9-11: Clarify Environment Variable Status

The file now includes two new variables, RESEND_FROM and RESEND_TOKEN, which is in line with the PR objectives. However, the PR summary mentioned the reintroduction of GITLAB_CLIENT_SECRET as an active (uncommented) variable, but line 9 still shows it commented. If the intention is to enable it by default, please remove the leading #; if not, a comment or clarification could be helpful.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 23ead0a and 1946812.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (18)

• apps/api/package.json (2 hunks)
• apps/web/package.json (2 hunks)
• package.json (1 hunks)
• packages/analytics/package.json (1 hunks)
• packages/auth/.env.example (1 hunks)
• packages/auth/client.ts (2 hunks)
• packages/auth/package.json (1 hunks)
• packages/auth/server.ts (2 hunks)
• packages/auth/tsconfig.json (1 hunks)
• packages/database/migrations/0002_workable_goblin_queen.sql (1 hunks)
• packages/database/migrations/meta/0002_snapshot.json (1 hunks)
• packages/database/migrations/meta/_journal.json (1 hunks)
• packages/database/package.json (1 hunks)
• packages/database/schema.ts (2 hunks)
• packages/email/package.json (1 hunks)
• packages/next-config/package.json (1 hunks)
• packages/observability/package.json (1 hunks)
• packages/ui/package.json (2 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (2)

packages/auth/client.ts (1)

packages/auth/server.ts (1)

• auth (11-74)

packages/auth/server.ts (1)

packages/database/schema.ts (1)

• organization (59-66)

🔇 Additional comments (28)

packages/database/package.json (1)

26-26: Update TS version in devDependencies

The TypeScript version was updated from "^5.8.2" to "^5.8.3", which meets the PR objective of keeping dependency versions consistent across the repository. Please confirm that this version bump has been validated against your build and test suites.

packages/auth/tsconfig.json (1)

4-8: Addition of Path Aliases

The addition of "baseUrl": "." and the new "paths" mappings:

• "@/*": ["./*"]
• "@repo/*": ["../../packages/*"]

enhances module resolution and simplifies import paths. Ensure that these aliases align with your project’s folder structure and that import statements across the codebase are updated accordingly.

packages/next-config/package.json (1)

16-16: Update Next.js Version

The next package version was updated to "^15.2.5", aligning with other dependency updates in the project. Double-check that this version upgrade is compatible with your custom Next.js configuration and any related plugins.

packages/observability/package.json (1)

23-24: Updated Dependency Versions

The updates to "@types/react-dom" (from ^19.1.1 to ^19.1.2) and "typescript" (from ^5.8.2 to ^5.8.3) in the devDependencies section are consistent with the changes across the repository. A quick validation to ensure that these minor version bumps do not introduce any breaking changes would be beneficial.

packages/email/package.json (1)

27-29: Dependency Version Updates Confirmed

The updates for @types/react-dom (from ^19.1.1 to ^19.1.2) and react-email (from ^4.0.5 to ^4.0.6) are straightforward and consistent with similar updates throughout the repo. Please verify that these minor version bumps do not introduce any unexpected breaking changes.

packages/auth/package.json (1)

20-24: Auth Module Dependency Enhancements

The dependency "better-auth" has been updated to "1.2.5" and the dev dependency "next" is now set to "^15.2.5". These changes are in line with updates in other parts of the system, which is great for overall consistency. It is recommended to test the auth workflows thoroughly to ensure the new versions integrate smoothly.

packages/database/migrations/meta/_journal.json (1)

18-25: New Migration Journal Entry Added

A new journal entry for "0002_workable_goblin_queen" has been introduced with idx 2. This appears to be correctly formatted and consistent with the existing entries. Please ensure that this journal entry accurately maps to the corresponding migration script and that the progression of indices and timestamps remains in sync with your database migration process.

apps/web/package.json (1)

20-30: Updated Web App Dependency Versions

The file now reflects updates for:

• "next" bumped to ^15.2.5
• "@types/react-dom" updated to 19.1.2
• "typescript" revised to 5.8.3

These changes align with similar updates in other modules, ensuring dependency consistency across the project. It would be beneficial to run a complete build and typecheck to confirm that these updates do not introduce any conflicts.

package.json (1)

25-33: Root Package Dependency and Engine Updates

The root package.json now shows:

• "turbo" updated from ^2.4.4 to ^2.5.0
• "typescript" updated from 5.8.2 to 5.8.3
• "packageManager" changed from bun@1.2.8 to bun@1.2.9

These updates are consistent with the rest of the repository. Please double-check that the new versions, especially the package manager change, do not require any adjustments to your build or deployment scripts.

packages/auth/client.ts (2)

1-4: Good addition of the organizationClient import

The addition of organizationClient from 'better-auth/client/plugins' aligns well with the server-side implementation which already includes the organization plugin.

---

16-16: Properly integrated organizationClient plugin

The organizationClient plugin is correctly added to the plugins array, creating a complete implementation of organization features between the client and server sides.

I recommend verifying that the organization features work as expected from both client and server perspectives after this integration.

apps/api/package.json (1)

15-15: Appropriate dependency updates

These dependency updates to Next.js, TypeScript, and React DOM types are all minor version increments that align with the PR objectives. These types of updates typically include bug fixes and minor improvements without introducing breaking changes.

Also applies to: 24-25

packages/analytics/package.json (1)

15-16: Analytics dependency updates look good

The updates to PostHog libraries (posthog-js, posthog-node) and React DOM types are minor version increments that should provide bug fixes and improvements while maintaining backward compatibility.

Also applies to: 24-24

packages/auth/server.ts (3)

8-8: Good addition of organization and OpenAPI plugins

The import of openAPI and organization plugins from 'better-auth/plugins' is appropriate and matches the needs described in the PR objectives.

---

11-11: Improved type safety with explicit return type

Adding the explicit return type ReturnType<typeof betterAuth> enhances the type safety of the codebase, making it more maintainable and reducing the chance of type-related errors.

---

73-73: Properly configured auth plugins

The updated plugins array correctly integrates organization and OpenAPI features while preserving the existing NextCookies functionality. This change aligns with the client-side changes and creates a complete implementation of these features.

I recommend verifying that the organization functionality works correctly with the existing database schema (from the database/schema.ts file that defines the organization table) and that the OpenAPI integration provides the expected documentation.

packages/database/migrations/meta/0002_snapshot.json (1)

1-559: Database migration snapshot looks well-structured

This snapshot properly captures the schema changes including new tables for organizations, members, and invitations with their respective relationships. The foreign key constraints are properly set up with cascade delete behavior where appropriate.

A few observations:

• Organization and membership data model enables multi-tenancy
• Session table now tracks active organization context
• Foreign key relationships maintain referential integrity

packages/database/schema.ts (4)

28-29: Session table properly extended with organization context

Adding activeOrganizationId to the session table enables users to switch between organizations in a multi-tenant setup.

---

59-66: Organization table structure is appropriate

The organization table includes all essential fields (id, name, slug) with appropriate constraints. The unique constraint on slug will ensure organization URLs remain distinct.

---

68-78: Member table correctly implements many-to-many relationship

The member table properly establishes the relationship between users and organizations with appropriate cascade delete behavior. This will ensure database integrity when deleting either users or organizations.

---

80-92: Invitation table structure is well-designed

The invitation table includes all necessary fields for managing organization invitations, including expiry and status tracking. Cascade delete behavior ensures no orphaned invitations when organizations or users are deleted.

packages/database/migrations/0002_workable_goblin_queen.sql (4)

1-9: Invitation table creation looks correct

The SQL for creating the invitation table matches the schema definition with appropriate constraints.

---

11-17: Member table creation looks correct

The SQL for creating the member table matches the schema definition with appropriate constraints.

---

19-27: Organization table creation looks correct

The SQL for creating the organization table matches the schema definition with appropriate constraints, including the unique constraint on the slug field.

---

29-33: Foreign key constraints are properly established

The migration script correctly adds the necessary foreign key constraints, ensuring referential integrity between the new tables and existing ones. The cascade delete behavior is appropriately set.

packages/ui/package.json (3)

20-25: Dev dependencies updated to newer versions

These dependency updates align with the PR objectives to update packages across the project.

---

29-54: Radix UI components updated to latest minor versions

The updates to Radix UI component dependencies will provide bug fixes and improvements. These are minor version updates, so they should maintain backward compatibility.

---

58-70: Other UI dependencies updated

Updates to embla-carousel-react and tailwind-merge should provide bug fixes and performance improvements.