Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

theprimeagen/skills/better-auth-social-login

Name: skills/better-auth-social-login
Author: theprimeagen

skills/better-auth-social-login/SKILL.md

npx skillsauth add theprimeagen/skills skills/better-auth-social-login

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

better-auth-social-login

Goal

Implement Better Auth social login (OAuth/OIDC) with Drizzle and drizzle-kit using a secure, migration-safe workflow, including cookie/JWT hardening and exact auth table expectations.

Rules

Configure providers under socialProviders with valid OAuth credentials and provider redirect URIs that exactly match your Better Auth callback route.
Set a correct baseURL (or BETTER_AUTH_URL) for each environment; callback mismatch is the most common social login failure.
For Drizzle projects, do not use @better-auth/cli migrate; use @better-auth/cli generate then drizzle-kit generate and drizzle-kit migrate.
Always run Better Auth schema generation with --output to a dedicated auth schema file.
Keep Better Auth config in a CLI-discoverable file path or pass --config explicitly.
Keep auth cookies httpOnly; keep sameSite at lax unless you have a specific cross-site requirement.
Keep CSRF and origin protections enabled (disableCSRFCheck: false, disableOriginCheck: false by default).
Use trustedOrigins as an explicit allowlist for browser origins that are allowed to use auth endpoints.
For shared-subdomain sessions, enable crossSubDomainCookies only when needed and scope domain as narrowly as possible.
If using JWT plugin, treat JWT as service token support, not a replacement for session-based browser auth.
Rotate provider secrets and revoke compromised refresh/access tokens through provider consoles.
Commit config, generated auth schema, and Drizzle migration artifacts together.

End-to-End Social Flow

User initiates sign-in via authClient.signIn.social({ provider }).
Better Auth redirects to provider authorize endpoint with callback URL, state, and PKCE values.
Provider redirects to /api/auth/callback/{provider}.
Better Auth validates OAuth state/PKCE and origin safeguards.
Better Auth resolves/creates user and account records.
Better Auth creates/updates session, sets signed cookie(s), and returns control to app callback path.

Canonical Server Config (Drizzle + Social + JWT)

import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { jwt } from "better-auth/plugins";
import { db, schema } from "../db";

export const auth = betterAuth({
  baseURL: process.env.BETTER_AUTH_URL,
  database: drizzleAdapter(db, {
    provider: "pg",
    schema,
  }),
  socialProviders: {
    github: {
      clientId: process.env.GITHUB_CLIENT_ID as string,
      clientSecret: process.env.GITHUB_CLIENT_SECRET as string,
    },
    google: {
      clientId: process.env.GOOGLE_CLIENT_ID as string,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
      accessType: "offline",
      prompt: "select_account consent",
    },
  },
  trustedOrigins: [
    "http://localhost:3000",
    "https://app.example.com",
  ],
  advanced: {
    useSecureCookies: true,
    // Keep origin and CSRF checks enabled by default.
    // disableOriginCheck: false,
    // disableCSRFCheck: false,
  },
  plugins: [
    jwt(),
  ],
});

Cookie and Security Baseline

Cookies are signed by Better Auth secret, httpOnly, and sameSite=lax by default.
secure is enabled in production mode; set advanced.useSecureCookies: true to force secure cookies.
Use trustedOrigins to allow only known origins and block CSRF/open redirect vectors.
Keep OAuth callback URLs exact by scheme/host/port/path.
Do not disable disableCSRFCheck or disableOriginCheck except in controlled debugging.
For Safari cross-domain setups, use reverse proxy or shared parent domain with careful cookie domain scoping.

JWT Plugin Guidance

Add jwt() server plugin and jwtClient() client plugin when downstream services need bearer-style JWT.
Use /api/auth/token to retrieve JWT and /api/auth/jwks for verifier keys.
Verify JWT in services using JWKS (kid-aware cache strategy).
Default issuer/audience are based on baseURL; set explicit values when required by consumers.
JWT plugin adds jwks table; include it in schema generation and migrations.

Exact Table Formation (Core + JWT)

Core Better Auth tables:

user
- id (pk)
- name
- email (unique)
- emailVerified
- image (nullable)
- createdAt
- updatedAt
session
- id (pk)
- userId (fk -> user.id)
- token (unique)
- expiresAt
- ipAddress (nullable)
- userAgent (nullable)
- createdAt
- updatedAt
account
- id (pk)
- userId (fk -> user.id)
- accountId (provider account id)
- providerId (google/github/etc)
- accessToken (nullable)
- refreshToken (nullable)
- idToken (nullable)
- accessTokenExpiresAt (nullable)
- refreshTokenExpiresAt (nullable)
- scope (nullable)
- password (nullable; credential auth)
- createdAt
- updatedAt
verification
- id (pk)
- identifier
- value
- expiresAt
- createdAt
- updatedAt

JWT plugin table:

jwks
- id (pk)
- publicKey
- privateKey
- createdAt
- expiresAt (nullable)

Notes:

Better Auth also manages OAuth state/PKCE protections as part of its OAuth flow; keep generated schema current whenever auth/plugins change.
Names can be customized (modelName, fields, plugin schema mapping), but mappings must remain consistent across auth config, Drizzle schema, and migrations.

Drizzle Schema and Config Pattern

// drizzle.config.ts
import { defineConfig } from "drizzle-kit";

export default defineConfig({
  dialect: "postgresql",
  schema: ["./src/db/schema.ts", "./src/db/auth-schema.ts"],
  out: "./drizzle",
  dbCredentials: {
    url: process.env.DATABASE_URL!,
  },
});

Required Scripts

{
  "scripts": {
    "auth:schema": "npx @better-auth/cli@latest generate --config ./src/lib/auth.ts --output ./src/db/auth-schema.ts --yes",
    "db:generate": "drizzle-kit generate",
    "db:migrate": "drizzle-kit migrate",
    "db:check": "drizzle-kit check",
    "db:sync": "npm run auth:schema && npm run db:generate",
    "db:sync:migrate": "npm run db:sync && npm run db:migrate"
  }
}

Migration Workflow (Auth + Social Changes)

Change social provider config, auth options, or plugins.
Run npm run auth:schema.
Run npm run db:generate.
Review SQL migration output in drizzle/*.
Run npm run db:migrate.
Validate sign-in callback and session persistence in browser.
Commit auth config + auth-schema.ts + drizzle/* artifacts together.

Provider Setup Checklist

GitHub redirect URI: http://localhost:3000/api/auth/callback/github (dev) and production equivalent.
Google redirect URI: http://localhost:3000/api/auth/callback/google (dev) and production equivalent.
Ensure BETTER_AUTH_URL/baseURL matches the deployed domain used by users.
For GitHub Apps, grant email read permission or expect email lookup failures.
For Google refresh tokens, prefer accessType: "offline" with consent prompt.

Common Failure Patterns

redirect_uri_mismatch
- Fix: align provider console redirect URI with Better Auth callback and baseURL.
Social callback succeeds but no session in browser
- Fix: check cookie secure/domain/SameSite settings and frontend credentials: "include" usage.
Safari only: session appears lost across domains
- Fix: proxy auth route under frontend domain or use shared parent domain cookie strategy.
JWT verifies locally but fails in service
- Fix: verify issuer/audience and refresh JWKS on unknown kid.
Drizzle migration missing plugin tables
- Fix: regenerate auth schema before Drizzle generation and ensure auth-schema.ts is listed in drizzle.config.ts.

Reference Docs

Better Auth OAuth: https://www.better-auth.com/docs/concepts/oauth
Better Auth cookies: https://www.better-auth.com/docs/concepts/cookies
Better Auth security: https://www.better-auth.com/docs/reference/security
Better Auth database concepts: https://www.better-auth.com/docs/concepts/database
Better Auth JWT plugin: https://www.better-auth.com/docs/plugins/jwt
Better Auth GitHub provider: https://www.better-auth.com/docs/authentication/github
Better Auth Google provider: https://www.better-auth.com/docs/authentication/google
Better Auth Drizzle adapter: https://www.better-auth.com/docs/adapters/drizzle
Drizzle Kit overview: https://orm.drizzle.team/docs/kit-overview
drizzle-kit generate: https://orm.drizzle.team/docs/drizzle-kit-generate
drizzle-kit migrate: https://orm.drizzle.team/docs/drizzle-kit-migrate

theprimeagen/skills/better-auth-social-login

skills/better-auth-social-login/SKILL.md

## better-auth-social-login ### Goal Implement Better Auth social login (OAuth/OIDC) with Drizzle and drizzle-kit using a secure, migration-safe workflow, including cookie/JWT hardening and exact auth table expectations. ### Rules 1. Configure providers under `socialProviders` with valid OAuth credentials and provider redirect URIs that exactly match your Better Auth callback route. 2. Set a correct `baseURL` (or `BETTER_AUTH_URL`) for each environment; callback mismatch is the most common soc

223 stars

development

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add theprimeagen/skills skills/better-auth-social-login

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 3:14 PM18.3s1 file scanned

SKILL.md

better-auth-social-login

Goal

Implement Better Auth social login (OAuth/OIDC) with Drizzle and drizzle-kit using a secure, migration-safe workflow, including cookie/JWT hardening and exact auth table expectations.

Rules

Configure providers under socialProviders with valid OAuth credentials and provider redirect URIs that exactly match your Better Auth callback route.
Set a correct baseURL (or BETTER_AUTH_URL) for each environment; callback mismatch is the most common social login failure.
For Drizzle projects, do not use @better-auth/cli migrate; use @better-auth/cli generate then drizzle-kit generate and drizzle-kit migrate.
Always run Better Auth schema generation with --output to a dedicated auth schema file.
Keep Better Auth config in a CLI-discoverable file path or pass --config explicitly.
Keep auth cookies httpOnly; keep sameSite at lax unless you have a specific cross-site requirement.
Keep CSRF and origin protections enabled (disableCSRFCheck: false, disableOriginCheck: false by default).
Use trustedOrigins as an explicit allowlist for browser origins that are allowed to use auth endpoints.
For shared-subdomain sessions, enable crossSubDomainCookies only when needed and scope domain as narrowly as possible.
If using JWT plugin, treat JWT as service token support, not a replacement for session-based browser auth.
Rotate provider secrets and revoke compromised refresh/access tokens through provider consoles.
Commit config, generated auth schema, and Drizzle migration artifacts together.

End-to-End Social Flow

User initiates sign-in via authClient.signIn.social({ provider }).
Better Auth redirects to provider authorize endpoint with callback URL, state, and PKCE values.
Provider redirects to /api/auth/callback/{provider}.
Better Auth validates OAuth state/PKCE and origin safeguards.
Better Auth resolves/creates user and account records.
Better Auth creates/updates session, sets signed cookie(s), and returns control to app callback path.

Canonical Server Config (Drizzle + Social + JWT)

import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { jwt } from "better-auth/plugins";
import { db, schema } from "../db";

export const auth = betterAuth({
  baseURL: process.env.BETTER_AUTH_URL,
  database: drizzleAdapter(db, {
    provider: "pg",
    schema,
  }),
  socialProviders: {
    github: {
      clientId: process.env.GITHUB_CLIENT_ID as string,
      clientSecret: process.env.GITHUB_CLIENT_SECRET as string,
    },
    google: {
      clientId: process.env.GOOGLE_CLIENT_ID as string,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
      accessType: "offline",
      prompt: "select_account consent",
    },
  },
  trustedOrigins: [
    "http://localhost:3000",
    "https://app.example.com",
  ],
  advanced: {
    useSecureCookies: true,
    // Keep origin and CSRF checks enabled by default.
    // disableOriginCheck: false,
    // disableCSRFCheck: false,
  },
  plugins: [
    jwt(),
  ],
});

Cookie and Security Baseline

Cookies are signed by Better Auth secret, httpOnly, and sameSite=lax by default.
secure is enabled in production mode; set advanced.useSecureCookies: true to force secure cookies.
Use trustedOrigins to allow only known origins and block CSRF/open redirect vectors.
Keep OAuth callback URLs exact by scheme/host/port/path.
Do not disable disableCSRFCheck or disableOriginCheck except in controlled debugging.
For Safari cross-domain setups, use reverse proxy or shared parent domain with careful cookie domain scoping.

JWT Plugin Guidance

Add jwt() server plugin and jwtClient() client plugin when downstream services need bearer-style JWT.
Use /api/auth/token to retrieve JWT and /api/auth/jwks for verifier keys.
Verify JWT in services using JWKS (kid-aware cache strategy).
Default issuer/audience are based on baseURL; set explicit values when required by consumers.
JWT plugin adds jwks table; include it in schema generation and migrations.

Exact Table Formation (Core + JWT)

Core Better Auth tables:

user
- id (pk)
- name
- email (unique)
- emailVerified
- image (nullable)
- createdAt
- updatedAt
session
- id (pk)
- userId (fk -> user.id)
- token (unique)
- expiresAt
- ipAddress (nullable)
- userAgent (nullable)
- createdAt
- updatedAt
account
- id (pk)
- userId (fk -> user.id)
- accountId (provider account id)
- providerId (google/github/etc)
- accessToken (nullable)
- refreshToken (nullable)
- idToken (nullable)
- accessTokenExpiresAt (nullable)
- refreshTokenExpiresAt (nullable)
- scope (nullable)
- password (nullable; credential auth)
- createdAt
- updatedAt
verification
- id (pk)
- identifier
- value
- expiresAt
- createdAt
- updatedAt

JWT plugin table:

jwks
- id (pk)
- publicKey
- privateKey
- createdAt
- expiresAt (nullable)

Notes:

Better Auth also manages OAuth state/PKCE protections as part of its OAuth flow; keep generated schema current whenever auth/plugins change.
Names can be customized (modelName, fields, plugin schema mapping), but mappings must remain consistent across auth config, Drizzle schema, and migrations.

Drizzle Schema and Config Pattern

// drizzle.config.ts
import { defineConfig } from "drizzle-kit";

export default defineConfig({
  dialect: "postgresql",
  schema: ["./src/db/schema.ts", "./src/db/auth-schema.ts"],
  out: "./drizzle",
  dbCredentials: {
    url: process.env.DATABASE_URL!,
  },
});

Required Scripts

{
  "scripts": {
    "auth:schema": "npx @better-auth/cli@latest generate --config ./src/lib/auth.ts --output ./src/db/auth-schema.ts --yes",
    "db:generate": "drizzle-kit generate",
    "db:migrate": "drizzle-kit migrate",
    "db:check": "drizzle-kit check",
    "db:sync": "npm run auth:schema && npm run db:generate",
    "db:sync:migrate": "npm run db:sync && npm run db:migrate"
  }
}

Migration Workflow (Auth + Social Changes)

Change social provider config, auth options, or plugins.
Run npm run auth:schema.
Run npm run db:generate.
Review SQL migration output in drizzle/*.
Run npm run db:migrate.
Validate sign-in callback and session persistence in browser.
Commit auth config + auth-schema.ts + drizzle/* artifacts together.

Provider Setup Checklist

GitHub redirect URI: http://localhost:3000/api/auth/callback/github (dev) and production equivalent.
Google redirect URI: http://localhost:3000/api/auth/callback/google (dev) and production equivalent.
Ensure BETTER_AUTH_URL/baseURL matches the deployed domain used by users.
For GitHub Apps, grant email read permission or expect email lookup failures.
For Google refresh tokens, prefer accessType: "offline" with consent prompt.

Common Failure Patterns

redirect_uri_mismatch
- Fix: align provider console redirect URI with Better Auth callback and baseURL.
Social callback succeeds but no session in browser
- Fix: check cookie secure/domain/SameSite settings and frontend credentials: "include" usage.
Safari only: session appears lost across domains
- Fix: proxy auth route under frontend domain or use shared parent domain cookie strategy.
JWT verifies locally but fails in service
- Fix: verify issuer/audience and refresh JWKS on unknown kid.
Drizzle migration missing plugin tables
- Fix: regenerate auth schema before Drizzle generation and ensure auth-schema.ts is listed in drizzle.config.ts.

Reference Docs

Better Auth OAuth: https://www.better-auth.com/docs/concepts/oauth
Better Auth cookies: https://www.better-auth.com/docs/concepts/cookies
Better Auth security: https://www.better-auth.com/docs/reference/security
Better Auth database concepts: https://www.better-auth.com/docs/concepts/database
Better Auth JWT plugin: https://www.better-auth.com/docs/plugins/jwt
Better Auth GitHub provider: https://www.better-auth.com/docs/authentication/github
Better Auth Google provider: https://www.better-auth.com/docs/authentication/google
Better Auth Drizzle adapter: https://www.better-auth.com/docs/adapters/drizzle
Drizzle Kit overview: https://orm.drizzle.team/docs/kit-overview
drizzle-kit generate: https://orm.drizzle.team/docs/drizzle-kit-generate
drizzle-kit migrate: https://orm.drizzle.team/docs/drizzle-kit-migrate

Related Skills

theprimeagen/skills/vim

tools

VerifiedTrustedCommunity

# Neovim Lua API Reference This document contains type stubs and API references for Neovim's Lua API. Use this as a reference when writing Neovim plugins or configurations in Lua. --- ## api The following are type stubs for all the functions available on `vim.api.*`. Prefer these functions where possible. ```lua vim.api = {} vim.api.nvim__buf_debug_extmarks(buffer, keys, dot) vim.api.nvim__buf_stats(buffer) vim.api.nvim__complete_set(index, opts) vim.api.nvim__get_lib_dir() vim.api.nvim

223SKILL.mdUpdated Apr 16, 2026

theprimeagen/skills/vim

theprimeagen/skills/vim.treesitter

development

VerifiedTrustedCommunity

# Neovim Treesitter API Reference This document contains type stubs and API references for Neovim's treesitter Lua API. Use this as a reference when working with treesitter in Neovim Lua. --- ## tsnode TSNode methods - represents a specific element in a parsed syntax tree. Use these methods to navigate and inspect nodes. ```lua function TSNode:parent() end function TSNode:next_sibling() end function TSNode:prev_sibling() end function TSNode:next_named_sibling() end function TSNode:prev_name

223SKILL.mdUpdated Apr 16, 2026

theprimeagen/skills/vim.treesitter

theprimeagen/skills/vim.lsp

tools

VerifiedTrustedCommunity

# Neovim LSP API Reference This document contains function definitions from Neovim's LSP help docs. Use this as a reference when working with LSP in Neovim Lua. --- ## lsp Functions extracted from `lsp.txt`. ```lua vim.lsp.buf_attach_client({bufnr}, {client_id}) vim.lsp.buf_detach_client({bufnr}, {client_id}) vim.lsp.buf_is_attached({bufnr}, {client_id}) vim.lsp.buf_notify({bufnr}, {method}, {params}) vim.lsp.buf_request_all({bufnr}, {method}, {params}, {handler}) vim.lsp.buf_request_sync({

223SKILL.mdUpdated Apr 16, 2026

theprimeagen/skills/vim.lsp

theprimeagen/skills/vim.diagnostics

tools

VerifiedTrustedCommunity

# Neovim Diagnostics API Reference This document contains function definitions for Neovim's diagnostics Lua API. Use this as a reference when working with diagnostics in Neovim Lua. --- ## diagnostic vim.diagnostic APIs, types, and helpers. ```lua function get_qf_id_for_title(title) function __newindex(t, name, handler) function __index(t, bufnr) function callback() function to_severity(severity) function severity_predicate(severity) function filter_by_severity(severity, diagnostics) functi

223SKILL.mdUpdated Apr 16, 2026

theprimeagen/skills/vim.diagnostics

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/theprimeagen/skills.git

# Copy into Claude Code skills folder (global)
cp -r skills/skills/better-auth-social-login ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

theprimeagen/skills

223 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT