From 626e98190afa6a9c283d1899775c4e7c1a1307fb Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Tue, 13 Jan 2026 17:53:12 -0800 Subject: [PATCH] chore: Add better auth config --- on-prem/.env.example | 16 +++++++++------- on-prem/docker-compose.cache.yml | 1 + on-prem/docker-compose.database.yml | 1 + on-prem/docker-compose.full.yml | 1 + on-prem/scripts/setup.sh | 14 ++++++++++---- on-prem/templates/compose.currents.yml | 1 + 6 files changed, 23 insertions(+), 11 deletions(-) diff --git a/on-prem/.env.example b/on-prem/.env.example index 01eda50..0f5e38e 100644 --- a/on-prem/.env.example +++ b/on-prem/.env.example @@ -6,7 +6,10 @@ # or use the generate-secrets.sh commands below to generate them manually. # Initial Setup -ON_PREM_EMAIL=admin@localhost +ON_PREM_EMAIL=root@currents.local + +# Generate with: ./scripts/generate-secrets.sh token 32 +ON_PREM_PASSWORD= # SMTP information SMTP_HOST=localhost @@ -15,7 +18,7 @@ SMTP_PASS=test # Authentication # Generate with: ./scripts/generate-secrets.sh token 64 -JWT_SECRET= +BETTER_AUTH_SECRET= # Generate with: ./scripts/generate-secrets.sh token 64 API_SECRET= @@ -57,6 +60,9 @@ SMTP_PORT=587 SMTP_SECURE=false AUTOMATED_REPORTS_EMAIL_FROM="Currents Report " +## RustFS (optional) +RUSTFS_ACCESS_KEY=rustfs-access-key + # Object Storage (endpoint for external access) FILE_STORAGE_ENDPOINT="http://localhost:9000" FILE_STORAGE_BUCKET="currents" 
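Review bot: `ON_PREM_PASSWORD=` in the first `.env.example` hunk ships empty with only a "Generate with" hint, so anyone who copies the example by hand instead of running `scripts/setup.sh` ends up with a blank initial-admin password. Whether the application refuses to start in that state is not visible in this patch. If it does not, the comment should say so, for example `# Required: initial admin password; setup.sh fills this in. Do not leave empty.` The same hunk changes the default login from `admin@localhost` to `root@currents.local`, which presumably affects installs already seeded with the old address and deserves a line in the upgrade notes.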
@@ -89,20 +95,16 @@ MONGODB_URI=mongodb://${MONGODB_USERNAME}:${MONGODB_PASSWORD}@mongodb:27017/${MO # Derived URLs (built from base URLs - usually don't need to change) API_URL=${APP_BASE_URL}/v1 DASHBOARD_URL=${APP_BASE_URL} +BETTER_AUTH_URL=${APP_BASE_URL} AUTOMATED_REPORTS_CURRENTS_DASHBOARD_HOSTNAME=${APP_BASE_URL} GITLAB_REDIRECT_URL=${APP_BASE_URL}/integrations/gitlab/callback -# Authentication settings -JWT_SECRET_EXPIRY=10m # Redis (default points to redis service in compose network) REDIS_URI=redis://redis:6379 REDIS_URI_SLAVE=redis://redis:6379 # Object Storage (addition configuration) -## RustFS (optional) -RUSTFS_ACCESS_KEY=rustfs-access-key - FILE_STORAGE_INTERNAL_ENDPOINT="http://host.docker.internal:9000" # FILE_STORAGE_FORCE_PATH_STYLE=true # Set automatically when using RustFS profile diff --git a/on-prem/docker-compose.cache.yml b/on-prem/docker-compose.cache.yml index 4cc463e..9554f28 100644 --- a/on-prem/docker-compose.cache.yml +++ b/on-prem/docker-compose.cache.yml @@ -42,6 +42,7 @@ services: environment: CURRENTS_ENV: onprem INCLUDE_DASHBOARD: onprem + BETTER_AUTH_ENABLED: "true" CLICKHOUSE_PASSWORD: ${CLICKHOUSE_CURRENTS_PASSWORD} EMAIL_TRANSPORTER: smtp depends_on: diff --git a/on-prem/docker-compose.database.yml b/on-prem/docker-compose.database.yml index 58486a6..91925ad 100644 --- a/on-prem/docker-compose.database.yml +++ b/on-prem/docker-compose.database.yml @@ -48,6 +48,7 @@ services: environment: CURRENTS_ENV: onprem INCLUDE_DASHBOARD: onprem + BETTER_AUTH_ENABLED: "true" CLICKHOUSE_PASSWORD: ${CLICKHOUSE_CURRENTS_PASSWORD} EMAIL_TRANSPORTER: smtp depends_on: diff --git a/on-prem/docker-compose.full.yml b/on-prem/docker-compose.full.yml index 688d3ab..7327ab9 100644 --- a/on-prem/docker-compose.full.yml +++ b/on-prem/docker-compose.full.yml 
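Review bot: `BETTER_AUTH_URL=${APP_BASE_URL}` is added under "Derived URLs … usually don't need to change" with no comment on what it governs, and the same hunk drops `JWT_SECRET_EXPIRY=10m` without a replacement setting. An auth base URL normally has to match the exact origin users sign in at, so a comment such as `# Must equal the externally reachable origin of the dashboard (use https:// outside local testing)` would help operators who put a reverse proxy in front of the stack. It would also help to state in the example file or the changelog what now controls session lifetime, since the 10-minute expiry knob is gone.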
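Review bot: `BETTER_AUTH_ENABLED: "true"` is hard-coded in the service environment of `docker-compose.cache.yml`, but nothing in the hunk makes startup fail when `BETTER_AUTH_SECRET` is unset or empty. The secret is presumably supplied through an `env_file` or `.env` outside the hunk. If so, an explicit entry using Compose's required-variable form, `BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET:?run scripts/setup.sh first}`, would stop `docker compose up` before the service runs with a blank auth secret. The same applies to the identical additions in `docker-compose.database.yml`, `docker-compose.full.yml` and `templates/compose.currents.yml`.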
@@ -49,6 +49,7 @@ services: environment: CURRENTS_ENV: onprem INCLUDE_DASHBOARD: onprem + BETTER_AUTH_ENABLED: "true" CLICKHOUSE_PASSWORD: ${CLICKHOUSE_CURRENTS_PASSWORD} EMAIL_TRANSPORTER: smtp FILE_STORAGE_FORCE_PATH_STYLE: "true" diff --git a/on-prem/scripts/setup.sh b/on-prem/scripts/setup.sh index 96dbdd6..8ccabb3 100755 --- a/on-prem/scripts/setup.sh +++ b/on-prem/scripts/setup.sh @@ -47,10 +47,10 @@ setup_env_file() { echo "Generating secrets..." - # Generate JWT_SECRET - JWT_SECRET=$("$SCRIPT_DIR/generate-secrets.sh" token 64) - if grep -q "^JWT_SECRET=" "$ENV_FILE"; then - sed -i.bak "s|^JWT_SECRET=.*|JWT_SECRET=$JWT_SECRET|" "$ENV_FILE" + # Generate BETTER_AUTH_SECRET + BETTER_AUTH_SECRET=$("$SCRIPT_DIR/generate-secrets.sh" token 64) + if grep -q "^BETTER_AUTH_SECRET=" "$ENV_FILE"; then + sed -i.bak "s|^BETTER_AUTH_SECRET=.*|BETTER_AUTH_SECRET=$BETTER_AUTH_SECRET|" "$ENV_FILE" fi # Generate API_SECRET @@ -59,6 +59,12 @@ setup_env_file() { sed -i.bak "s|^API_SECRET=.*|API_SECRET=$API_SECRET|" "$ENV_FILE" fi + # Generate ON_PREM_PASSWORD (initial admin user password) + ON_PREM_PASSWORD=$("$SCRIPT_DIR/generate-secrets.sh" token 32) + if grep -q "^ON_PREM_PASSWORD=" "$ENV_FILE"; then + sed -i.bak "s|^ON_PREM_PASSWORD=.*|ON_PREM_PASSWORD=$ON_PREM_PASSWORD|" "$ENV_FILE" + fi + # Generate RUSTFS_SECRET_KEY RUSTFS_SECRET=$("$SCRIPT_DIR/generate-secrets.sh" token 32) if grep -q "^RUSTFS_SECRET_KEY=" "$ENV_FILE"; then diff --git a/on-prem/templates/compose.currents.yml b/on-prem/templates/compose.currents.yml index 3960fa8..75d845f 100644 --- a/on-prem/templates/compose.currents.yml +++ b/on-prem/templates/compose.currents.yml @@ -28,6 +28,7 @@ services: environment: CURRENTS_ENV: onprem INCLUDE_DASHBOARD: onprem + BETTER_AUTH_ENABLED: "true" CLICKHOUSE_PASSWORD: ${CLICKHOUSE_CURRENTS_PASSWORD} EMAIL_TRANSPORTER: smtp
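Review bot: When `$ENV_FILE` has no `BETTER_AUTH_SECRET=` line, the `grep -q` guard in `setup_env_file` skips the `sed` and the freshly generated value is discarded without any message. That is the likely state of a `.env` created before this commit, which carries `JWT_SECRET=` instead, so an upgraded install could come up with auth enabled and no secret. An `else` branch that appends the key, `else printf 'BETTER_AUTH_SECRET=%s\n' "$BETTER_AUTH_SECRET" >> "$ENV_FILE"`, or at least a warning on stderr, would close that gap. The function begins and ends outside the hunk, so whether it ever runs against an existing `.env` cannot be confirmed from here.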
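Review bot: The new `ON_PREM_PASSWORD` block repeats the `sed -i.bak` pattern, which leaves a `$ENV_FILE.bak` copy beside the env file; after this step that backup holds the `BETTER_AUTH_SECRET` and `API_SECRET` values written by the earlier substitutions. No cleanup or permission tightening is visible in the hunk, so unless the rest of `setup_env_file` handles it, finish with `rm -f -- "$ENV_FILE.bak"` and `chmod 600 "$ENV_FILE"`. The password is also spliced unescaped into the `sed` replacement, which is only safe while `generate-secrets.sh token` never emits `|`, `&` or `\`; a short comment stating that assumption would help. Because this value is the initial admin password, the script or its docs should also tell the operator to read it from `.env`, and to rotate it after first login.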