mihailnica10 stops rolling his own login security

The fork's homemade sign-in system, which shipped with a baked-in fallback password key, is gone, replaced by a maintained open-source library.

securityinfrastructure

The old setup was written in a hurry during a move to Cloudflare's hosting platform, and it had flaws you never want in legal software: a secret key with a hardcoded fallback and password protection that cut corners. This change rips all of that out and brings in better-auth, an open-source authentication toolkit, configured for email-and-password sign-in with week-long sessions.

The genuinely tricky part is that the app's front end and its data service live at two different web addresses, so the team had to set up browser cookies that survive crossing that boundary. Two caveats for anyone borrowing the pattern: the configuration is currently tied to the author's own test domains, and the cross-site cookie technique behaves differently in Firefox and Safari than in Chrome, so it needs testing before production use.

So what If you're evaluating any Mike fork for client work, homemade login code is a red flag, and this commit shows what fixing it properly looks like.

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from mihailnica10/misu-legal, oldest first. Source extracted verbatim from the harvested git log.

SHA	Subject	Author	Date
`0f42d59e`	better-auth: inlocuit JWT cu better-auth (cookie-based) - better-auth + drizzle-adapter pe backend - better-auth client pe frontend - cookies SameSite=None;Secure;Partitioned cross-origin - schema D1: integer cu mode: 'timestamp' + generateId - toate API calls cu credentials: include	Mihail Nica	2026-06-10	↗ GitHub

SHA

Subject

Author

Date

0f42d59e

better-auth: inlocuit JWT cu better-auth (cookie-based) - better-auth + drizzle-adapter pe backend - better-auth client pe frontend - cookies SameSite=None;Secure;Partitioned cross-origin - schema D1: integer cu mode: 'timestamp' + generateId - toate API calls cu credentials: include

Mihail Nica

2026-06-10

↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-648.md from inside the repo you want the changes in.