refactor(better-auth): login/signup

[jog1t]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[railway-app]

🚅 Deployed to the rivet-pr-4592 environment in rivet-frontend

Service	Status	Web	Updated (UTC)
frontend-cloud	❌ Build Failed (View Logs)	Web	Apr 9, 2026 at 9:06 pm
frontend-inspector	❌ Build Failed (View Logs)	Web	Apr 9, 2026 at 9:06 pm
ladle	❌ Build Failed (View Logs)	Web	Apr 9, 2026 at 9:06 pm
kitchen-sink	❌ Build Failed (View Logs)	Web	Apr 9, 2026 at 9:06 pm
website	❌ Build Failed (View Logs)	Web	Apr 9, 2026 at 8:37 pm
mcp-hub	✅ Success (View Logs)	Web	Apr 8, 2026 at 6:46 pm

[jog1t]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• refactor(better-auth): login/signup #4592 👈 (View in Graphite)
• chore: migrate frontend auth from Clerk to Better Auth #4568
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: Better-Auth Login/Signup Refactor

Overview

This PR implements a comprehensive refactor of authentication flows from Clerk to better-auth, adding email verification, password reset, organization member management, and invitation acceptance across 114 files.

---

Positive Observations

Architecture & Form Patterns

• Well-structured component organization: forms in /frontend/src/components/forms/, pages in /frontend/src/app/, routes in /frontend/src/routes/
• Consistent use of react-hook-form + Zod across all auth flows with type-safe handlers
• Lazy loading pattern via useDialog is a good performance choice

Error Handling

• isAuthError / isDate type guards in frontend/src/lib/utils.ts are well-typed
• Rate-limit awareness in VerifyEmailPending with retry-after countdown is a nice UX touch
• RootError component is used consistently across forms

Organization Features

• Invite/revoke/resend invitation flows look complete and well-handled

---

Issues

Critical

Weak password validation on sign-up (frontend/src/components/forms/sign-up-form.tsx)

Sign-up uses .min(1, "Password is required") while reset-password-form.tsx correctly uses .min(8, ...). This allows single-character passwords at registration. The sign-up schema should use .min(8, "Password must be at least 8 characters") to match.

High

Open redirect via unvalidated from parameter (frontend/src/app/sign-up.tsx)

The from search parameter is read without URL validation. This can redirect users to arbitrary URLs after signup. Validate that from starts with / or is in an allowlist of safe paths before using it in navigation.

E2E test coverage gap

frontend/e2e/auth.setup.ts and playwright.config.ts were deleted along with snapshot files. New tests for the auth flows should be added before merging, or existing coverage confirmed elsewhere.

Medium

Type safety lost with double casting (frontend/src/app/dialogs/org-members-frame.tsx)

as unknown as InvitationDetails suppresses type errors instead of fixing them. Import the correct type from better-auth client types and remove the cast.

Turnstile race condition (multiple auth forms)

The submit handler bails with an error when turnstileToken is missing. The submit button should be disabled while Turnstile is still initializing to prevent users from hitting this path. Verify whether the Submit component already handles this via form validity state.

Non-null assertion without guard (frontend/src/app/accept-invitation.tsx)

resolvedInvitationId! is used in mutationFn even though the enabled: !!resolvedInvitationId guard only prevents auto-running. If mutate() is called manually the assertion can still throw. Add an explicit early return inside mutationFn.

Low

Session state race in email pending (frontend/src/app/verify-email-pending.tsx)

const email = session?.user.email ?? searchEmail can be undefined while the session is still loading. The resend button relies on this value, so add a loading check or ensure searchEmail is always populated from search params as a fallback.

Throwing a plain object instead of an Error instance (frontend/src/app/verify-email-pending.tsx)

throw { ...result.error, retryAfter } produces a plain object. Error boundaries and React Query expect Error instances. Use a typed error class or a Result pattern instead.

---

Security Notes

• Password reset and email verification tokens travel in URL query params. Confirm that HTTPS enforcement and short token expiry are configured server-side.
• Invitation links are world-accessible. Confirm that expiry and single-use enforcement are handled by the better-auth backend.
• CSRF protection should be verified in the better-auth client configuration.

---

Summary

Priority	Issue	Location
Critical	Weak password min-length on sign-up	sign-up-form.tsx
High	Open redirect via from param	sign-up.tsx
High	E2E test coverage removed	e2e/ directory
Medium	as unknown as type cast	org-members-frame.tsx
Medium	Turnstile submit race	Multiple auth forms
Medium	Non-null assertion in mutation	accept-invitation.tsx
Low	Email undefined during session load	verify-email-pending.tsx
Low	Throwing plain object instead of Error	verify-email-pending.tsx