Authentication Service

Configure Better Auth, GitHub OAuth, and Google OAuth

EasyStarter uses Better Auth as its authentication solution. It currently ships with:

  • Email and password sign-in
  • GitHub OAuth sign-in
  • Google OAuth sign-in

The server-side configuration lives in apps/server/src/lib/auth.ts. In that file:

  • GitHub callback URL: {SERVER_URL}/api/auth/callback/github
  • Google callback URL: {SERVER_URL}/api/auth/callback/google

If you enable email verification or forgot password, complete the Email Service setup first.

Required Environment Variables

BETTER_AUTH_SECRET=
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=

Get BETTER_AUTH_SECRET

BETTER_AUTH_SECRET is used by Better Auth to sign and encrypt session data. It should be a sufficiently long random string.

You can generate one yourself, for example:

openssl rand -base64 32

Copy the generated value into:

apps/server/.dev.vars
BETTER_AUTH_SECRET=your-long-random-secret

apps/server/.env.production
BETTER_AUTH_SECRET=your-long-random-secret

Create a GitHub OAuth App

GitHub OAuth is used for GitHub sign-in on web and native clients.

GitHub developer console: GitHub Developer Settings

  1. Sign in to GitHub and open Settings
  2. Go to Developer settings
  3. Open OAuth Apps
  4. Click New OAuth App
  5. Fill in the application details

These fields should typically be set like this:

  • Application name: your product name
  • Homepage URL: your website URL, for example https://yourdomain.com
  • Authorization callback URL: {SERVER_URL}/api/auth/callback/github

For example, if your server URL is:

SERVER_URL=https://server.yourdomain.com

Then the callback URL should be:

https://server.yourdomain.com/api/auth/callback/github

In local development, EasyStarter uses http://localhost:3001 for the server by default, so this is usually:

http://localhost:3001/api/auth/callback/github

After creation, GitHub gives you:

  • Client ID -> maps to GITHUB_CLIENT_ID
  • Client Secret -> maps to GITHUB_CLIENT_SECRET

Create a Google OAuth Client

Google OAuth is used for Google sign-in on web and native clients.

Google Cloud Console: Google Cloud Console

  1. Sign in to Google Cloud Console
  2. Select or create a project
  3. Go to APIs & Services > Credentials
  4. Click Create Credentials
  5. Choose OAuth client ID
  6. If prompted, complete the OAuth consent screen first
  7. Set the application type to Web application
  8. Configure the allowed origins and callback URL

These fields should typically be set like this:

  • Authorized JavaScript origins: your website URL, for example https://yourdomain.com
  • Authorized redirect URIs: https://yourdomain.com/api/auth/callback/google

For example, if your server URL is:

SERVER_URL=https://server.yourdomain.com

Then these should be:

  • Authorized JavaScript origins: https://server.yourdomain.com
  • Authorized redirect URIs: https://server.yourdomain.com/api/auth/callback/google

In local development, EasyStarter uses http://localhost:3001 for the server by default, so this is usually:

  • Authorized JavaScript origins: http://localhost:3001
  • Authorized redirect URIs: http://localhost:3001/api/auth/callback/google

After creation, Google gives you:

  • Client ID -> maps to GOOGLE_CLIENT_ID
  • Client Secret -> maps to GOOGLE_CLIENT_SECRET

Set the environment variables

For local development, it is simplest to put everything into apps/server/.dev.vars:

apps/server/.dev.vars
BETTER_AUTH_SECRET=your-long-random-secret
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret

For production, keep the sensitive values in apps/server/.env.production:

apps/server/.env.production
BETTER_AUTH_SECRET=your-long-random-secret
GITHUB_CLIENT_SECRET=your-github-client-secret
GOOGLE_CLIENT_SECRET=your-google-client-secret

Then add the non-sensitive GITHUB_CLIENT_ID and GOOGLE_CLIENT_ID to the vars section in apps/server/wrangler.jsonc:

apps/server/wrangler.jsonc
"vars": {
  "GITHUB_CLIENT_ID": "your-github-client-id",
  "GOOGLE_CLIENT_ID": "your-google-client-id"
}
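
A pre-deploy check for the settings above, as an added example that is not part of EasyStarter: it flags missing or placeholder secrets, secrets placed in the wrangler.jsonc vars section, and a non-HTTPS SERVER_URL, and it derives the callback URLs to register with each provider. The function names, the 32-character floor and the HTTPS rule are assumptions of this sketch.

```typescript
// Added example: audit of the auth settings described on this page.
// All names and the 32-character floor are assumptions of this sketch.
type Vars = Record<string, string>;

const SECRET_KEYS = ["BETTER_AUTH_SECRET", "GITHUB_CLIENT_SECRET", "GOOGLE_CLIENT_SECRET"];

// Parse KEY=value lines; blank lines and # comments are skipped.
function parseEnv(text: string): Vars {
  const out: Vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line.charAt(0) === "#" || eq < 1) continue;
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Callback URLs to register verbatim with GitHub and Google.
function callbackUrls(serverUrl: string): string[] {
  const base = serverUrl.replace(/\/+$/, "");
  return ["github", "google"].map((p) => base + "/api/auth/callback/" + p);
}

function auditAuthConfig(serverUrl: string, secrets: Vars, wranglerVars: Vars): string[] {
  const findings: string[] = [];
  for (const key of SECRET_KEYS) {
    const value = secrets[key] || "";
    if (value === "" || /^your-/.test(value)) findings.push(key + ": missing or placeholder");
    if (key in wranglerVars) findings.push(key + ": secret stored in wrangler.jsonc vars");
  }
  const authSecret = secrets["BETTER_AUTH_SECRET"] || "";
  // `openssl rand -base64 32` prints 44 characters; anything under 32 is flagged.
  if (authSecret !== "" && !/^your-/.test(authSecret) && authSecret.length < 32) {
    findings.push("BETTER_AUTH_SECRET: shorter than 32 characters");
  }
  const isLocal = /^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?\/?$/.test(serverUrl);
  if (!/^https:\/\//.test(serverUrl) && !isLocal) {
    findings.push("SERVER_URL: must be https outside local development");
  }
  return findings;
}

// Constructed sample input (not real credentials).
const SAMPLE_ENV = "BETTER_AUTH_SECRET=your-long-random-secret\nGITHUB_CLIENT_SECRET=CONSTRUCTED-sample\n# GOOGLE_CLIENT_SECRET left out";
const SAMPLE_VARS: Vars = { GITHUB_CLIENT_ID: "constructed-id", GITHUB_CLIENT_SECRET: "CONSTRUCTED-sample" };
```

Calling auditAuthConfig("http://server.yourdomain.com", parseEnv(SAMPLE_ENV), SAMPLE_VARS) returns four findings; an empty array means the checks passed.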

What Better Auth Handles In This Project

In EasyStarter, Better Auth currently handles:

  • Email/password sign-up and sign-in
  • Email verification
  • Forgot password
  • GitHub sign-in
  • Google sign-in
  • Cookie-based session management

Core config file:

apps/server/src/lib/auth.ts

If you later want to add more providers such as Apple, Discord, or GitLab, this is usually where you extend socialProviders.