Authentication and Authorization

Safe auth patterns you can extend.


Goal

Secure auth out of the box, without additional third-party services.

Features

Auth provider overview

  • Complete, production-ready authentication system out of the box, with no need for an external auth service like Supabase, Auth0, or Cognito.
  • Better Auth configured for Cloudflare Workers.
  • OAuth and credential-ready flows are supported.

Social sign-in

  • Google OAuth callback: /api/auth/callback/google.
  • GitHub OAuth callback: /api/auth/callback/github.

Sessions and cookies

  • Sessions are created server-side and verified at the edge.
  • Cookie handling is centralized in the auth helpers.

Roles

There are two levels of roles:

  • platform - For permissions that span organizations, such as 'super-admin'. This role is determined by user.role. There is a single platform role per user.
  • organization - For per-organization roles such as 'admin' or 'owner'. Organization roles are held in the members table. There may be multiple roles per user even within an organization.

super-admin

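There is a page for managing all users and organizations, gated by the 'super-admin' role. Enable it for specific users by setting their role directly in the database. The command below uses --local, so it runs against the local D1 database: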

npx wrangler d1 execute DATABASE --local -c workers/app/wrangler.jsonc --persist-to=./.wrangler/state --command="UPDATE users SET role = 'super-admin' WHERE email = 'you@email.com'"
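
The two role levels described under Roles, written as a fail-closed authorization check. This is an added example, not the project's own code: the User and Member shapes, the comma-separated format of the members role column, the function names and the sample rows are all assumptions. It also assumes the platform role and organization roles are evaluated independently.

```typescript
// Added example, not the project's code. Field names and the comma-separated
// members.role format are assumptions modeled on the page's description.
interface User { id: string; role: string | null }   // single platform role
interface Member { userId: string; organizationId: string; role: string }

type Requirement =
  | { scope: "platform"; role: string }
  | { scope: "organization"; organizationId: string; anyOf: string[] };

// Split "owner, admin" into exact tokens so "admin" never matches inside
// "super-admin" or "billing-admin" the way a substring test would.
function parseRoles(raw: string): string[] {
  return raw.split(",").map((r) => r.trim()).filter((r) => r.length > 0);
}

// Union of roles from every members row for this user in this organization.
function orgRoles(userId: string, organizationId: string, members: Member[]): string[] {
  const held: string[] = [];
  for (const m of members) {
    if (m.userId !== userId || m.organizationId !== organizationId) continue;
    for (const r of parseRoles(m.role)) if (held.indexOf(r) === -1) held.push(r);
  }
  return held;
}

// Fail closed: no session, no matching row, or unknown scope means "deny".
// In this example the platform role does not imply any organization role.
function isAuthorized(user: User | null, members: Member[], req: Requirement): boolean {
  if (!user) return false;
  if (req.scope === "platform") return user.role === req.role;
  if (req.scope === "organization") {
    const held = orgRoles(user.id, req.organizationId, members);
    return req.anyOf.some((r) => held.indexOf(r) !== -1);
  }
  return false;
}

// Constructed sample data.
const alice: User = { id: "u1", role: "super-admin" };
const bob: User = { id: "u2", role: null };
const carol: User = { id: "u3", role: null };
const sampleMembers: Member[] = [
  { userId: "u2", organizationId: "org_a", role: "owner,admin" },
  { userId: "u2", organizationId: "org_b", role: "member" },
  { userId: "u3", organizationId: "org_a", role: "billing-admin" },
];
```

Run the check on the server for every request to a gated route; hiding the link to the page in the client is not a substitute.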