feat(backend): add admin plugin and create-admin script (#80)

* feat(backend): add admin plugin and create-admin script

Add Better Auth admin plugin for role-based user management.
Includes a CLI script to create admin accounts.

Co-authored-by: Ona <no-reply@ona.com>

* fix(backend): guard against missing BETTER_AUTH_SECRET

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Ona <no-reply@ona.com>

apps/aelis-backend/src/auth/index.ts

@@ -1,10 +1,16 @@
 import { betterAuth } from "better-auth"
 import { drizzleAdapter } from "better-auth/adapters/drizzle"
+import { admin } from "better-auth/plugins"
 
 import type { Database } from "../db/index.ts"
+
 import * as schema from "../db/schema.ts"
 
 export function createAuth(db: Database) {
+	if (!process.env.BETTER_AUTH_SECRET) {
+		throw new Error("BETTER_AUTH_SECRET is not set")
+	}
+
 	return betterAuth({
 		database: drizzleAdapter(db, {
 			provider: "pg",
@@ -13,6 +19,7 @@ export function createAuth(db: Database) {
 		emailAndPassword: {
 			enabled: true,
 		},
+		plugins: [admin()],
 	})
 }
 

apps/aelis-backend/src/auth/session-middleware.ts

@@ -57,9 +57,7 @@ export function createRequireSession(auth: Auth): AuthSessionMiddleware {
  * Creates a function to get session from headers. Useful for WebSocket upgrade validation.
  */
 export function createGetSessionFromHeaders(auth: Auth) {
-	return async (
-		headers: Headers,
-	): Promise<{ user: AuthUser; session: AuthSession } | null> => {
+	return async (headers: Headers): Promise<{ user: AuthUser; session: AuthSession } | null> => {
 		const session = await auth.api.getSession({ headers })
 		return session
 	}
@@ -86,6 +84,10 @@ export function mockAuthSessionMiddleware(userId?: string): AuthSessionMiddlewar
 			image: null,
 			createdAt: now,
 			updatedAt: now,
+			role: "admin",
+			banned: false,
+			banReason: null,
+			banExpires: null,
 		}
 
 		const session: AuthSession = {