From a9cb97727d83452f1759ed102f86afba92ccecb1 Mon Sep 17 00:00:00 2001
From: Matiss Jurevics <matissjurevics@gmail.com>
Date: Sat, 24 Jan 2026 10:10:00 +0000
Subject: [PATCH] refactor(env): centralize auth env handling and prefer
 BETTER_AUTH_BASE_URL

---
 Backend/.env.example          |  2 +-
 Backend/auth.ts               |  5 +++--
 Backend/utils/device-token.ts |  7 ++-----
 Backend/utils/env.ts          | 34 ++++++++++++++++++++++++++++++++++
 4 files changed, 40 insertions(+), 8 deletions(-)
 create mode 100644 Backend/utils/env.ts

diff --git a/Backend/.env.example b/Backend/.env.example
index 4f1c64b..22b3ec1 100644
--- a/Backend/.env.example
+++ b/Backend/.env.example
@@ -1,6 +1,6 @@
 DATABASE_URL=postgres://username:password@localhost:5432/database_name
 BETTER_AUTH_SECRET=replace_with_a_long_random_secret
-BETTER_AUTH_URL=http://localhost:3000
+BETTER_AUTH_BASE_URL=http://localhost:3000
 BETTER_AUTH_TRUSTED_ORIGINS=http://localhost:5173
 PORT=3000
 MINIO_ENDPOINT=localhost
diff --git a/Backend/auth.ts b/Backend/auth.ts
index 5b4a01b..30f0142 100644
--- a/Backend/auth.ts
+++ b/Backend/auth.ts
@@ -3,6 +3,7 @@ import { drizzleAdapter } from 'better-auth/adapters/drizzle';
 
 import { db } from './db/client';
 import { schema } from './db/schema';
+import { getBetterAuthBaseUrl, getRequiredEnv } from './utils/env';
 import { hashPassword, verifyPassword } from './utils/password';
 
 const trustedOrigins = process.env.BETTER_AUTH_TRUSTED_ORIGINS
@@ -24,8 +25,8 @@ export const auth = betterAuth({
       verify: async ({ hash, password }) => verifyPassword(password, hash),
     },
   },
-  secret: process.env.BETTER_AUTH_SECRET,
-  baseURL: process.env.BETTER_AUTH_URL,
+  secret: getRequiredEnv('BETTER_AUTH_SECRET'),
+  baseURL: getBetterAuthBaseUrl(),
   trustedOrigins,
 });
 
diff --git a/Backend/utils/device-token.ts b/Backend/utils/device-token.ts
index 8d37f3b..90069ed 100644
--- a/Backend/utils/device-token.ts
+++ b/Backend/utils/device-token.ts
@@ -1,4 +1,5 @@
 import { createHmac, timingSafeEqual } from 'crypto';
+import { getRequiredEnv } from './env';
 
 type DeviceRole = 'camera' | 'client';
 
@@ -9,11 +10,7 @@ export type DeviceTokenPayload = {
   exp: number;
 };
 
-const secret = process.env.BETTER_AUTH_SECRET;
-
-if (!secret) {
-  throw new Error('BETTER_AUTH_SECRET is required for device token signing');
-}
+const secret = getRequiredEnv('BETTER_AUTH_SECRET');
 
 const base64UrlEncode = (input: string): string => Buffer.from(input, 'utf8').toString('base64url');
 const base64UrlDecode = (input: string): string => Buffer.from(input, 'base64url').toString('utf8');
diff --git a/Backend/utils/env.ts b/Backend/utils/env.ts
new file mode 100644
index 0000000..30b4492
--- /dev/null
+++ b/Backend/utils/env.ts
@@ -0,0 +1,34 @@
+const getEnvValue = (name: string): string | undefined => {
+  const value = process.env[name];
+  if (!value) {
+    return undefined;
+  }
+
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : undefined;
+};
+
+export const getFirstDefinedEnv = (...names: string[]): string | undefined => {
+  for (const name of names) {
+    const value = getEnvValue(name);
+    if (value) {
+      return value;
+    }
+  }
+
+  return undefined;
+};
+
+export const getRequiredEnv = (name: string): string => {
+  const value = getEnvValue(name);
+
+  if (!value) {
+    throw new Error(`${name} is required. Add it to your .env file.`);
+  }
+
+  return value;
+};
+
+export const getBetterAuthBaseUrl = (): string => {
+  return getFirstDefinedEnv('BETTER_AUTH_BASE_URL', 'BETTER_AUTH_URL') ?? `http://localhost:${process.env.PORT ?? '3000'}`;
+};