migrate: replace NextAuth.js with Better Auth

- Install better-auth and @better-auth/drizzle-adapter
- Create src/lib/auth.ts with Better Auth configuration using bcrypt
- Update database schema: change auth table IDs from uuid to text
- Update route handler from /api/auth/[...nextauth] to /api/auth/[...all]
- Update tRPC context and middleware for Better Auth session handling
- Update client components to use Better Auth APIs (signIn, signOut)
- Update seed script with text-based IDs and correct account schema
- Fix type errors in wizard components (robotId, optional chaining)
- Fix API paths: api.robots.initialize -> api.robots.plugins.initialize
- Update auth router to use text IDs for Better Auth compatibility

Note: Auth tables were reset - users will need to re-register.

src/lib/auth-client.ts

@@ -1,68 +1,15 @@
-// Client-side role utilities without database imports
-import type { Session } from "next-auth";
+import { createAuthClient } from "better-auth/react";
+
+export const authClient = createAuthClient({
+  baseURL: process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000",
+});
+
+export const { signIn, signOut, useSession } = authClient;
 
 // Role types from schema
 export type SystemRole = "administrator" | "researcher" | "wizard" | "observer";
 export type StudyRole = "owner" | "researcher" | "wizard" | "observer";
 
-/**
- * Check if the current user has a specific system role
- */
-export function hasRole(session: Session | null, role: SystemRole): boolean {
-  if (!session?.user?.roles) return false;
-  return session.user.roles.some((userRole) => userRole.role === role);
-}
-
-/**
- * Check if the current user is an administrator
- */
-export function isAdmin(session: Session | null): boolean {
-  return hasRole(session, "administrator");
-}
-
-/**
- * Check if the current user is a researcher or admin
- */
-export function isResearcher(session: Session | null): boolean {
-  return hasRole(session, "researcher") || isAdmin(session);
-}
-
-/**
- * Check if the current user is a wizard or admin
- */
-export function isWizard(session: Session | null): boolean {
-  return hasRole(session, "wizard") || isAdmin(session);
-}
-
-/**
- * Check if the current user has any of the specified roles
- */
-export function hasAnyRole(
-  session: Session | null,
-  roles: SystemRole[],
-): boolean {
-  if (!session?.user?.roles) return false;
-  return session.user.roles.some((userRole) => roles.includes(userRole.role));
-}
-
-/**
- * Check if a user owns or has admin access to a resource
- */
-export function canAccessResource(
-  session: Session | null,
-  resourceOwnerId: string,
-): boolean {
-  if (!session?.user) return false;
-
-  // Admin can access anything
-  if (isAdmin(session)) return true;
-
-  // Owner can access their own resources
-  if (session.user.id === resourceOwnerId) return true;
-
-  return false;
-}
-
 /**
  * Format role for display
  */

src/lib/auth-error-handler.ts

@@ -1,6 +1,6 @@
 "use client";
 
-import { signOut } from "next-auth/react";
+import { signOut } from "~/lib/auth-client";
 import { toast } from "sonner";
 import { TRPCClientError } from "@trpc/client";
 
@@ -104,10 +104,8 @@ export async function handleAuthError(
   setTimeout(() => {
     void (async () => {
       try {
-        await signOut({
-          callbackUrl: "/",
-          redirect: true,
-        });
+        await signOut();
+        window.location.href = "/";
       } catch (signOutError) {
         console.error("Error during sign out:", signOutError);
         // Force redirect if signOut fails

src/lib/auth.ts

@@ -0,0 +1,79 @@
+import { betterAuth } from "better-auth";
+import { drizzleAdapter } from "@better-auth/drizzle-adapter";
+import { nextCookies } from "better-auth/next-js";
+import { db } from "~/server/db";
+import {
+  users,
+  accounts,
+  sessions,
+  verificationTokens,
+} from "~/server/db/schema";
+import bcrypt from "bcryptjs";
+
+const baseURL =
+  process.env.NEXTAUTH_URL ||
+  process.env.BETTER_AUTH_URL ||
+  "http://localhost:3000";
+
+export const auth = betterAuth({
+  baseURL,
+  database: drizzleAdapter(db, {
+    provider: "pg",
+    schema: {
+      user: users,
+      account: accounts,
+      session: sessions,
+      verification: verificationTokens,
+    },
+  }),
+  emailAndPassword: {
+    enabled: true,
+    password: {
+      hash: async (password: string) => {
+        return bcrypt.hash(password, 12);
+      },
+      verify: async ({
+        hash,
+        password,
+      }: {
+        hash: string;
+        password: string;
+      }) => {
+        return bcrypt.compare(password, hash);
+      },
+    },
+  },
+  session: {
+    expiresIn: 60 * 60 * 24 * 30,
+    updateAge: 60 * 60 * 24,
+    modelName: "session",
+    fields: {
+      id: "id",
+      token: "token",
+      userId: "userId",
+      expiresAt: "expiresAt",
+      ipAddress: "ipAddress",
+      userAgent: "userAgent",
+    },
+  },
+  account: {
+    modelName: "account",
+    fields: {
+      id: "id",
+      providerId: "providerId",
+      accountId: "accountId",
+      userId: "userId",
+      accessToken: "accessToken",
+      refreshToken: "refreshToken",
+      expiresAt: "expiresAt",
+      scope: "scope",
+    },
+  },
+  pages: {
+    signIn: "/auth/signin",
+    error: "/auth/error",
+  },
+  plugins: [nextCookies()],
+});
+
+export type Session = typeof auth.$Infer.Session;