fix: Add users with Better Auth deployment

this PR fixes an issue that prevented adding users to orgs when using
Better Auth for authentication

Author: tomharmon

bifrost/lib/clients/jawnTypes/private.ts

@@ -757,6 +757,14 @@ Json: JsonObject;
     UpdateOrganizationParams: components["schemas"]["Pick_NewOrganizationParams.name-or-color-or-icon-or-org_provider_key-or-limits-or-organization_type-or-onboarding_status_"] & {
       variant?: string;
     };
+    "ResultSuccess__temporaryPassword_63_-string_-or-null_": {
+      data: {
+        temporaryPassword?: string;
+      } | null;
+      /** @enum {number|null} */
+      error: null;
+    };
+    "Result__temporaryPassword_63_-string_-or-null.string_": components["schemas"]["ResultSuccess__temporaryPassword_63_-string_-or-null_"] | components["schemas"]["ResultError_string_"];
     UIFilterRowTree: components["schemas"]["UIFilterRowNode"] | components["schemas"]["FilterRow"];
     UIFilterRowNode: {
       /** @enum {string} */
@@ -16115,7 +16123,7 @@ export interface operations {
       /** @description Ok */
       200: {
         content: {
-          "application/json": components["schemas"]["Result_null.string_"];
+          "application/json": components["schemas"]["Result__temporaryPassword_63_-string_-or-null.string_"];
         };
       };
     };

valhalla/jawn/src/controllers/private/organizationController.ts

@@ -224,7 +224,7 @@ export class OrganizationController extends Controller {
     requestBody: { email: string },
     @Path() organizationId: string,
     @Request() request: JawnAuthenticatedRequest
-  ): Promise<Result<null, string>> {
+  ): Promise<Result<{ temporaryPassword?: string } | null, string>> {
     const organizationManager = new OrganizationManager(request.authParams);
     const org = await organizationManager.getOrg();
     if (org.error || !org.data) {
@@ -240,7 +240,7 @@ export class OrganizationController extends Controller {
     }
 
     const isExistingMember = members.data?.some(
-      (member) => member.email.toLowerCase() === requestBody.email.toLowerCase()
+      (member) => member.email?.toLowerCase() === requestBody.email.toLowerCase()
     );
 
     if (isExistingMember) {
@@ -300,7 +300,7 @@ export class OrganizationController extends Controller {
       return err(result.error ?? "Error adding member to organization");
     } else {
       this.setStatus(201);
-      return ok(null);
+      return ok(result.data);
     }
   }
 

valhalla/jawn/src/lib/stores/OrganizationStore.ts

@@ -202,7 +202,6 @@ export class OrganizationStore extends BaseStore {
       const result = await dbExecute<{ member: string }>(
         `INSERT INTO organization_member (organization, member)
          VALUES ($1, $2)
-         ON CONFLICT (organization, member) DO NOTHING
          RETURNING member`,
         [organizationId, userId]
       );
@@ -332,8 +331,9 @@ export class OrganizationStore extends BaseStore {
     organizationId: string
   ): Promise<Result<OrganizationMember[], string>> {
     const query = `
-      select email, member, org_role from organization_member om 
+      select pu.email, member, org_role from organization_member om 
         left join auth.users u on u.id = om.member
+        left join public.user pu on pu.auth_user_id = u.id
         where om.organization = $1
     `;
 

valhalla/jawn/src/managers/organization/OrganizationManager.ts

@@ -6,6 +6,7 @@ import { dbExecute } from "../../lib/shared/db/dbExecute";
 import { err, ok, Result } from "../../packages/common/result";
 import { OrganizationStore } from "../../lib/stores/OrganizationStore";
 import { BaseManager } from "../BaseManager";
+import crypto from "crypto";
 
 export type NewOrganizationParams =
   Database["public"]["Tables"]["organization"]["Insert"];
@@ -175,19 +176,23 @@ export class OrganizationManager extends BaseManager {
   async addMember(
     organizationId: string,
     email: string
-  ): Promise<Result<string, string>> {
+  ): Promise<Result<{ userId: string, temporaryPassword?: string }, string>> {
     if (!this.authParams.userId) return err("Unauthorized");
     let { data: userId, error: userIdError } =
       await this.organizationStore.getUserByEmail(email);
 
     if (userIdError) {
       return err(userIdError);
     }
+    let temporaryPassword: string | undefined;
     if (!userId || userId.length === 0) {
       try {
         // We still need to use the auth API for this specific function
         const authClient = getHeliconeAuthClient();
-        const userResult = await authClient.createUser({ email, otp: true });
+        if (process.env.NEXT_PUBLIC_BETTER_AUTH === "true") {
+          temporaryPassword = crypto.randomBytes(18).toString("base64url");
+        }
+        const userResult = await authClient.createUser({ email, password: temporaryPassword, otp: true });
         if (userResult.error) {
           return err(userResult.error);
         }
@@ -196,7 +201,8 @@ export class OrganizationManager extends BaseManager {
           return err("Failed to create user");
         }
 
-        userId = userResult.data?.id;
+        // we refetch the id since createUser can return a better auth format id (not a UUID)
+        userId = userResult.data?.id ?? "";
         userIdError = null;
       } catch (error) {
         return err(`Failed to send OTP: ${error}`);
@@ -225,7 +231,7 @@ export class OrganizationManager extends BaseManager {
       return err(insertError);
     }
 
-    return ok(userId!);
+    return ok({ userId: userId!, temporaryPassword });
   }
 
   async updateMember(

valhalla/jawn/src/packages/common/toImplement/server/BetterAuthWrapper.ts

@@ -1,8 +1,10 @@
 import { betterAuth } from "better-auth";
+import { customSession } from "better-auth/plugins";
 import { fromNodeHeaders } from "better-auth/node";
 import { Pool } from "pg";
 import { Database } from "../../../../lib/db/database.types";
 import { dbExecute } from "../../../../lib/shared/db/dbExecute";
+import crypto from "crypto";
 import {
   GenericHeaders,
   HeliconeAuthClient,
@@ -23,12 +25,38 @@ export const betterAuthClient = betterAuth({
   database: new Pool({
     connectionString: process.env.SUPABASE_DATABASE_URL,
   }),
+  emailAndPassword: {
+    enabled: true,
+    autoSignIn: false,
+  },
   logger: {
     log: (message: string) => {
       console.log(message);
     },
   },
+  trustedOrigins: [process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3008"],
+  plugins: [
+    customSession(async ({ user, session }) => {
+      const dbUser = await getUserByBetterAuthId(user.id);
+      if (dbUser.error || !dbUser.data) {
+        console.warn("could not fetch authUserId from db");
+        return {
+          user,
+          session,
+        };
+      }
+
+      return {
+        user: {
+          authUserId: dbUser.data.id,
+          ...user,
+        },
+        session,
+      };
+    }),
+  ],
 });
+
 export class BetterAuthWrapper implements HeliconeAuthClient {
   constructor() {}
 
@@ -70,8 +98,28 @@ export class BetterAuthWrapper implements HeliconeAuthClient {
   async getUserById(userId: string): HeliconeUserResult {
     throw new Error("Not implemented");
   }
+
   async getUserByEmail(email: string): HeliconeUserResult {
-    throw new Error("Not implemented");
+    const user = await dbExecute<{
+      user_id: string;
+      email: string;
+    }>(
+      `SELECT 
+        public.user.auth_user_id as user_id, 
+        public.user.email
+      FROM public.user
+      LEFT JOIN auth.users on public.user.auth_user_id = auth.users.id
+      WHERE public.user.email = $1`,
+      [email],
+    );
+    if (!user || !user.data?.[0]) {
+      return err("User not found");
+    }
+
+    return ok({
+      id: user.data?.[0]?.user_id,
+      email: user.data?.[0]?.email,
+    });
   }
 
   async authenticate(
@@ -160,6 +208,50 @@ limit 1
     password?: string;
     otp?: boolean;
   }): HeliconeUserResult {
-    throw new Error("Not implemented");
+    try {
+      const result = await betterAuthClient.api.signUpEmail({
+        body: {
+          email: email,
+          password: password ?? "",
+          name: "",
+        },
+      });
+      if (result.user) {
+        // the ID returned from signUpEmail is not a UUID, so we need to get the user by email
+        const getUserResult = await this.getUserByEmail(email);
+        return ok({
+          id: getUserResult.data?.id ?? "",
+          email: getUserResult.data?.email ?? "",
+        });
+      }
+
+      return err("Signup process outcome unclear. Check verification steps.");
+    } catch (error: any) {
+      console.error(error.message || "Better Auth sign up error");
+      return err(error.message || "Sign up failed");
+    }
   }
 }
+
+async function getUserByBetterAuthId(userId: string): HeliconeUserResult {
+  const user = await dbExecute<{
+    user_id: string;
+    email: string;
+  }>(
+    `SELECT 
+      public.user.auth_user_id as user_id, 
+      public.user.email
+    FROM public.user
+    LEFT JOIN auth.users on public.user.auth_user_id = auth.users.id
+    WHERE public.user.id = $1`,
+    [userId],
+  );
+  if (!user || !user.data?.[0]) {
+    return err("User not found");
+  }
+
+  return ok({
+    id: user.data?.[0]?.user_id,
+    email: user.data?.[0]?.email,
+  });
+}

valhalla/jawn/src/tsoa-build/private/routes.ts

@@ -279,6 +279,20 @@ const models: TsoaRoute.Models = {
         "type": {"dataType":"intersection","subSchemas":[{"ref":"Pick_NewOrganizationParams.name-or-color-or-icon-or-org_provider_key-or-limits-or-organization_type-or-onboarding_status_"},{"dataType":"nestedObjectLiteral","nestedProperties":{"variant":{"dataType":"string"}}}],"validators":{}},
     },
     // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
+    "ResultSuccess__temporaryPassword_63_-string_-or-null_": {
+        "dataType": "refObject",
+        "properties": {
+            "data": {"dataType":"union","subSchemas":[{"dataType":"nestedObjectLiteral","nestedProperties":{"temporaryPassword":{"dataType":"string"}}},{"dataType":"enum","enums":[null]}],"required":true},
+            "error": {"dataType":"enum","enums":[null],"required":true},
+        },
+        "additionalProperties": false,
+    },
+    // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
+    "Result__temporaryPassword_63_-string_-or-null.string_": {
+        "dataType": "refAlias",
+        "type": {"dataType":"union","subSchemas":[{"ref":"ResultSuccess__temporaryPassword_63_-string_-or-null_"},{"ref":"ResultError_string_"}],"validators":{}},
+    },
+    // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
     "UIFilterRowTree": {
         "dataType": "refAlias",
         "type": {"dataType":"union","subSchemas":[{"ref":"UIFilterRowNode"},{"ref":"FilterRow"}],"validators":{}},

valhalla/jawn/src/tsoa-build/private/swagger.json

@@ -1111,6 +1111,42 @@
 					}
 				]
 			},
+			"ResultSuccess__temporaryPassword_63_-string_-or-null_": {
+				"properties": {
+					"data": {
+						"properties": {
+							"temporaryPassword": {
+								"type": "string"
+							}
+						},
+						"type": "object",
+						"nullable": true
+					},
+					"error": {
+						"type": "number",
+						"enum": [
+							null
+						],
+						"nullable": true
+					}
+				},
+				"required": [
+					"data",
+					"error"
+				],
+				"type": "object",
+				"additionalProperties": false
+			},
+			"Result__temporaryPassword_63_-string_-or-null.string_": {
+				"anyOf": [
+					{
+						"$ref": "#/components/schemas/ResultSuccess__temporaryPassword_63_-string_-or-null_"
+					},
+					{
+						"$ref": "#/components/schemas/ResultError_string_"
+					}
+				]
+			},
 			"UIFilterRowTree": {
 				"anyOf": [
 					{
@@ -47777,7 +47813,7 @@
 						"content": {
 							"application/json": {
 								"schema": {
-									"$ref": "#/components/schemas/Result_null.string_"
+									"$ref": "#/components/schemas/Result__temporaryPassword_63_-string_-or-null.string_"
 								}
 							}
 						}