Avanzar In Time Shop uses Better Auth for authentication. The backend enables email and password sign-up and sign-in, issuing session cookies that are verified on every protected request. Better Auth is configured in apps/backend/src/auth.ts using the Drizzle adapter, which points directly to the user, session, account, and verification tables defined in @avanzar/db. The BETTER_AUTH_SECRET environment variable is used to sign session tokens, and BETTER_AUTH_URL tells Better Auth the base URL of the API for constructing absolute links.
Auth Endpoints
Better Auth automatically mounts all of its routes under /api/auth/* via the Hono handler. You do not need to define these routes manually. The key endpoints used by both the storefront and admin panel are:
| Method | Path | Description |
|---|---|---|
| POST | /api/auth/sign-up/email | Register a new user account. The role field is always set to customer server-side — the client cannot supply it. |
| POST | /api/auth/sign-in/email | Authenticate with email and password. Returns a Set-Cookie header with the session token. |
| POST | /api/auth/sign-out | Invalidate the current session cookie and end the session. |
User Roles
The user_role PostgreSQL enum defines three roles, enforced at the middleware layer on every protected route:
| Role | Access Level |
|---|---|
| customer | Default role assigned at sign-up. Can access authenticated endpoints for their own data: orders, addresses, and payment history. |
| staff | Can access all admin routes: product management, order management, payment confirmation, and user listing. |
| admin | Full access, including user role management (PATCH /admin/users/:id/role). Can promote or demote any user’s role. |
The isAdminRole helper from @avanzar/shared is the single source of truth for which roles constitute “admin access” across both frontend and backend:
Middleware
Two middleware functions in apps/backend/src/middlewares/auth.ts guard protected routes. Both inject the verified user and session objects into the Hono context variables, making them available to route handlers as c.get("user") and c.get("session").
Apply requireSession to any route that requires a logged-in user (e.g., viewing your own orders). Apply requireAdmin to any route restricted to staff or admin roles (e.g., managing products or confirming payments).
Creating an Admin User
The seed:admin script provides an interactive bootstrap flow to create the first admin account. It prompts for a name, email, and password, calls the Better Auth sign-up API, then immediately promotes the user’s role to admin via a direct database update. The script is idempotent — if the email already exists, it skips sign-up and only updates the role.
The script is defined in apps/backend/package.json. Run it from the apps/backend directory:
This runs apps/backend/src/scripts/create-admin.ts with the monorepo .env file loaded via --env-file=../../.env. You will be prompted interactively:
prompt() in Bun does not mask the password input. The seed:admin script is intended for local bootstrapping only — do not run it in shared or production terminal sessions where the password could be visible to others.
CORS Configuration
The Better Auth instance declares two trusted origins in apps/backend/src/auth.ts. Requests from these origins are permitted to send credentials (session cookies):
Better Auth applies the credentials: true behaviour implicitly for these origins, which is required for the browser to send and store the session cookie across the frontend-to-backend boundary.
Before deploying to production, update the trustedOrigins array in apps/backend/src/auth.ts to include your live frontend URLs. Requests from unlisted origins will have their credentials rejected by Better Auth, causing all session-based calls to fail.