Authentication deep dive

Authentication in LaunchApp is handled by Better Auth, a framework-agnostic auth library that supports email/password, OAuth providers, and more. The server instance lives in @repo/auth and is shared across both the Hono API and the React Router frontend.

On the API side, the Better Auth handler is mounted under /api/auth/* in packages/api/src/app.ts. Every incoming request to that prefix is forwarded directly to Better Auth, which manages sessions via secure HTTP-only cookies.

The frontend uses the Better Auth client exported from @repo/auth. React Router loaders call auth.api.getSession({ headers: request.headers }) on the server to check whether the current user is authenticated before rendering a protected page.

Session data flows from the loader into the component via useLoaderData. Protected layouts like the dashboard redirect to /auth/login when no session is present, keeping the auth guard logic in one place rather than scattered across individual routes.

Adding a new OAuth provider (e.g. GitHub) requires registering the provider in the Better Auth config, adding the client ID and secret to .env, and updating the login page to show the new sign-in button. The rest of the session handling is automatic.