
feat(server): with api server, service-lize#807

Merged
luoling8192 merged 44 commits into 0.9.0 from dev/better-auth on Dec 25, 2025

Conversation

@luoling8192 (Member)

No description provided.

@gemini-code-assist (Contributor)

Summary of Changes

Hello @luoling8192, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application by introducing a complete and robust authentication system. It involves setting up a new Hono-based API server with Drizzle ORM and better-auth for backend authentication logic, alongside comprehensive frontend integration in the Vue.js application. The changes cover everything from environment configuration and Dockerization to database schemas and user interface components for login and session management, aiming to provide a secure and scalable authentication solution.

Highlights

  • New API Server Introduction: A dedicated API server has been added under apps/server, built using Hono, Drizzle ORM, and the better-auth library to manage authentication.
  • Comprehensive Authentication System: Implemented a robust authentication flow supporting email/password, Google, and GitHub social logins, fully managed by the better-auth library.
  • Dockerization and Deployment Configuration: Included Dockerfile, Docker Compose, and Railway configuration files to streamline the setup, deployment, and management of the new API server and its PostgreSQL database.
  • Frontend Authentication Integration: The apps/stage-web frontend now seamlessly integrates with the new authentication system, featuring a dedicated login page, a user avatar dropdown for authenticated users, and enhanced session management.
  • Database Schema Definition: Drizzle ORM schemas for users, sessions, accounts, verification, and JWKS have been defined, providing a structured and type-safe approach to storing authentication-related data.

@gemini-code-assist (Contributor) left a comment

Code Review

This pull request introduces a new authentication system using better-auth for both the server and client applications, including social logins with Google and GitHub. It sets up the necessary server-side infrastructure with Docker, a database schema, and API endpoints. The client-side is updated with a new login page and UI elements to reflect the authentication state. While the overall structure is sound, there are several critical and high-severity issues related to security, correctness, and configuration that need to be addressed. These include hardcoded secrets and URLs, lack of environment variable validation, and incorrect implementation of some authentication flows on the client side.

Comment on lines +30 to +33:

      - AUTH_GOOGLE_CLIENT_ID=changeme
      - AUTH_GOOGLE_CLIENT_SECRET=changeme
      - AUTH_GITHUB_CLIENT_ID=changeme
      - AUTH_GITHUB_CLIENT_SECRET=changeme

@gemini-code-assist (Contributor), severity: high

Hardcoding secrets, even placeholder ones like changeme, is a security risk. These values could accidentally be deployed to production. It's better to use environment variable substitution and load them from a .env file that is not committed to version control.

      - AUTH_GOOGLE_CLIENT_ID=${AUTH_GOOGLE_CLIENT_ID}
      - AUTH_GOOGLE_CLIENT_SECRET=${AUTH_GOOGLE_CLIENT_SECRET}
      - AUTH_GITHUB_CLIENT_ID=${AUTH_GITHUB_CLIENT_ID}
      - AUTH_GITHUB_CLIENT_SECRET=${AUTH_GITHUB_CLIENT_SECRET}

Comment on lines +36 to +37:

  baseURL: 'http://localhost:3000',
  trustedOrigins: ['http://localhost:5173'],

@gemini-code-assist (Contributor), severity: high

The baseURL and trustedOrigins are hardcoded. This will not work in staging or production environments and will cause authentication to fail. They should be configured via environment variables. You will need to add corresponding variables (e.g., BASE_URL, TRUSTED_ORIGINS) to your environment parsing in src/services/env.ts.

Suggested change:

  - baseURL: 'http://localhost:3000',
  - trustedOrigins: ['http://localhost:5173'],
  + baseURL: env.BASE_URL,
  + trustedOrigins: (env.TRUSTED_ORIGINS || '').split(','),

Comment on lines +9 to +17:

  export function parseEnv(env: any): Env {
    return {
      DATABASE_URL: env.DATABASE_URL,
      AUTH_GOOGLE_CLIENT_ID: env.AUTH_GOOGLE_CLIENT_ID,
      AUTH_GOOGLE_CLIENT_SECRET: env.AUTH_GOOGLE_CLIENT_SECRET,
      AUTH_GITHUB_CLIENT_ID: env.AUTH_GITHUB_CLIENT_ID,
      AUTH_GITHUB_CLIENT_SECRET: env.AUTH_GITHUB_CLIENT_SECRET,
    }
  }

@gemini-code-assist (Contributor), severity: high

The parseEnv function doesn't validate the environment variables. If a required variable is missing, it will be undefined, leading to runtime errors that are hard to debug. You should add validation to ensure all required variables are present on startup. Using a library like zod is highly recommended for this. You would need to add zod as a dependency.

Suggested change:

  - export function parseEnv(env: any): Env {
  -   return {
  -     DATABASE_URL: env.DATABASE_URL,
  -     AUTH_GOOGLE_CLIENT_ID: env.AUTH_GOOGLE_CLIENT_ID,
  -     AUTH_GOOGLE_CLIENT_SECRET: env.AUTH_GOOGLE_CLIENT_SECRET,
  -     AUTH_GITHUB_CLIENT_ID: env.AUTH_GITHUB_CLIENT_ID,
  -     AUTH_GITHUB_CLIENT_SECRET: env.AUTH_GITHUB_CLIENT_SECRET,
  -   }
  - }
  + import { z } from 'zod'
  + const envSchema = z.object({
  +   DATABASE_URL: z.string().url(),
  +   AUTH_GOOGLE_CLIENT_ID: z.string().min(1),
  +   AUTH_GOOGLE_CLIENT_SECRET: z.string().min(1),
  +   AUTH_GITHUB_CLIENT_ID: z.string().min(1),
  +   AUTH_GITHUB_CLIENT_SECRET: z.string().min(1),
  +   // Add other required env vars like BASE_URL, CORS_ORIGINS, etc.
  + })
  + export function parseEnv(env: any): Env {
  +   return envSchema.parse(env)
  + }

Member:

Follow this.

app.use(
  '/api/auth/*', // or replace with "*" to enable cors for all routes
  cors({
    origin: ['http://localhost:5173', 'https://airi.moeru.ai'], // replace with your origin

@gemini-code-assist (Contributor), severity: medium

The CORS origins are hardcoded. This makes it difficult to manage different environments (development, staging, production). These should be configured via an environment variable. You would also need to add the corresponding variable (e.g., CORS_ORIGINS) to your environment parsing in src/services/env.ts.

      origin: (env.CORS_ORIGINS || '').split(','), // Example: load from a comma-separated string in env
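
For the environment-related comments above (placeholder secrets in compose, hardcoded baseURL and trustedOrigins, the unvalidated parseEnv, and the hardcoded CORS origins), here is an added example that is not code from this PR or the project: a fail-fast parseEnv that does what the suggested zod schema does without the dependency, and that parses the origin lists the reviewer proposes. BASE_URL, TRUSTED_ORIGINS and CORS_ORIGINS are the reviewer's proposed variable names; the Env shape and the origin rules (bare http(s) origins only, "changeme" treated as missing) are assumptions.

```typescript
// Added example (not the PR's code): fail-fast parsing of the apps/server
// environment, including the proposed BASE_URL, TRUSTED_ORIGINS and CORS_ORIGINS.
interface Env {
  DATABASE_URL: string
  AUTH_GOOGLE_CLIENT_ID: string
  AUTH_GOOGLE_CLIENT_SECRET: string
  AUTH_GITHUB_CLIENT_ID: string
  AUTH_GITHUB_CLIENT_SECRET: string
  BASE_URL: string
  TRUSTED_ORIGINS: string[]
  CORS_ORIGINS: string[]
}

// Empty values and the docker-compose placeholder "changeme" both count as
// missing, so a placeholder can never reach production unnoticed.
function requireString(env: Record<string, string | undefined>, key: string): string {
  const value = (env[key] ?? '').trim()
  if (value === '' || value === 'changeme')
    throw new Error(`Missing required environment variable ${key}`)
  return value
}

// Parses a comma-separated origin list; each entry is normalised through the URL
// parser and must be a bare http(s) origin (no path, no wildcard), since
// trustedOrigins and CORS both compare exact origins.
function parseOrigins(key: string, raw: string): string[] {
  const entries = raw.split(',').map(s => s.trim()).filter(s => s.length > 0)
  if (entries.length === 0) throw new Error(`${key} must list at least one origin`)
  return entries.map((entry) => {
    let url: URL | null = null
    try { url = new URL(entry) } catch {}
    if (url === null) throw new Error(`${key}: "${entry}" is not a valid URL`)
    if (!/^https?:$/.test(url.protocol) || entry.includes('*') || url.origin !== entry.replace(/\/$/, ''))
      throw new Error(`${key}: "${entry}" must be a bare http(s) origin such as https://airi.moeru.ai`)
    return url.origin
  })
}

function parseEnv(env: Record<string, string | undefined>): Env {
  return {
    DATABASE_URL: requireString(env, 'DATABASE_URL'),
    AUTH_GOOGLE_CLIENT_ID: requireString(env, 'AUTH_GOOGLE_CLIENT_ID'),
    AUTH_GOOGLE_CLIENT_SECRET: requireString(env, 'AUTH_GOOGLE_CLIENT_SECRET'),
    AUTH_GITHUB_CLIENT_ID: requireString(env, 'AUTH_GITHUB_CLIENT_ID'),
    AUTH_GITHUB_CLIENT_SECRET: requireString(env, 'AUTH_GITHUB_CLIENT_SECRET'),
    BASE_URL: parseOrigins('BASE_URL', requireString(env, 'BASE_URL'))[0],
    TRUSTED_ORIGINS: parseOrigins('TRUSTED_ORIGINS', requireString(env, 'TRUSTED_ORIGINS')),
    CORS_ORIGINS: parseOrigins('CORS_ORIGINS', requireString(env, 'CORS_ORIGINS')),
  }
}
```

Call parseEnv(process.env) once at startup so a missing or placeholder value fails the process before the auth server binds a port.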

Comment on lines +24 to +26:

  updatedAt: timestamp('updated_at')
    .$onUpdate(() => /* @__PURE__ */ new Date())
    .notNull(),

@gemini-code-assist (Contributor), severity: medium

The updatedAt column in the session table is missing .defaultNow(). This is inconsistent with the user and verification tables, and means the updatedAt field will be NOT NULL but have no default value on creation. The same issue exists for the account table on lines 53-55.

Suggested change:

  - updatedAt: timestamp('updated_at')
  -   .$onUpdate(() => /* @__PURE__ */ new Date())
  -   .notNull(),
  + updatedAt: timestamp('updated_at')
  +   .defaultNow()
  +   .$onUpdate(() => /* @__PURE__ */ new Date())
  +   .notNull(),

Comment on lines +17 to +31:

  }, {
    onSuccess: (ctx: any) => {
      const authToken = ctx.response.headers.get('set-auth-token') // get the token from the response headers
      if (authToken) {
        useAuthStore().authToken = authToken
      }
    },
    onError: (ctx: any) => {
      isLoading.value = false
      toast.error(ctx.error.message || 'Failed to sign in')
    },
  }).catch((error: any) => {
    isLoading.value = false
    toast.error(error instanceof Error ? error.message : 'An unknown error occurred')
  })

@gemini-code-assist (Contributor), severity: medium

The onSuccess, onError callbacks and the catch block use any for their parameters. This sacrifices type safety. You should provide proper types for ctx and error to leverage TypeScript's benefits and prevent potential runtime errors. You can likely import the context types from better-auth or define them based on the library's API.

Comment on lines +97 to +103:

  <div class="mt-10 flex items-center justify-center gap-6 text-xs text-gray-500 font-medium">
    <a href="#" class="transition-colors hover:text-white">Terms</a>
    <span class="h-1 w-1 rounded-full bg-gray-700" />
    <a href="#" class="transition-colors hover:text-white">Privacy</a>
    <span class="h-1 w-1 rounded-full bg-gray-700" />
    <a href="#" class="transition-colors hover:text-white">Help</a>
  </div>

@gemini-code-assist (Contributor), severity: medium

The links for "Terms", "Privacy", and "Help" are placeholders pointing to "#". These should either be implemented with links to the correct pages or removed if not applicable.

@nekomeowww changed the title from "Dev/better auth" to "[DO NOT MERGE] feat(server): with api server, service-lize" on Dec 17, 2025
@luoling8192 marked this pull request as ready for review on December 18, 2025 13:44
@luoling8192 merged commit 55d8686 into 0.9.0 on Dec 25, 2025 (1 check failed)
@luoling8192 deleted the dev/better-auth branch on December 25, 2025 12:33
nekomeowww added a commit that referenced this pull request Dec 28, 2025
Co-authored-by: Neko Ayaka <neko@ayaka.moe>
Co-authored-by: Lovehsigure_520 <1260907335@qq.com>
nekomeowww added a commit that referenced this pull request Dec 29, 2025
Co-authored-by: Neko Ayaka <neko@ayaka.moe>
Co-authored-by: Lovehsigure_520 <1260907335@qq.com>
nekomeowww added a commit that referenced this pull request Dec 30, 2025
Co-authored-by: Neko Ayaka <neko@ayaka.moe>
Co-authored-by: Lovehsigure_520 <1260907335@qq.com>
luoling8192 added a commit that referenced this pull request Jan 5, 2026
Co-authored-by: Neko Ayaka <neko@ayaka.moe>
Co-authored-by: Lovehsigure_520 <1260907335@qq.com>