Migrate auth from hand-rolled Spring JWT to better-auth (Next.js IdP)…

AGENTS.md

@@ -14,28 +14,41 @@ Do not prematurely optimize code. Focus on clarity and correctness first. Especi
 
 **Core Framework & Runtime:**
 
-- Next.js: `16.0.10`
-- React: `19.2.3`
-- React DOM: `19.2.3`
+- Next.js: `16.2.2` (App Router, Turbopack)
+- React: `19.2.4`
+- React DOM: `19.2.4`
+- Package manager: pnpm `11.5.2` (settings live in `pnpm-workspace.yaml`, not the package.json `pnpm` field)
+
+**Auth & Data layer:**
+
+- better-auth: `1.6.14` (identity provider; Drizzle adapter; JWT plugin)
+- @daveyplate/better-auth-ui: `3.4.0`
+- Drizzle ORM: `0.45.2` / drizzle-kit: `0.31.10`
+- pg (node-postgres): `8.21.0`
+- dotenv: `17.4.2`
+- (Auth tables live in Postgres alongside the Spring backend; the Spring backend validates better-auth JWTs via JWKS.)
 
 **Key Libraries:**
 
-- React Query (@tanstack/react-query): `^5.90.12`
-- React Hook Form: `^7.68.0`
+- React Query (@tanstack/react-query): `5.101.0` (+ devtools `5.101.0`, react-virtual `3.14.2`)
+- React Hook Form: `7.77.0` (+ @hookform/resolvers `5.4.0`)
 - Recharts: `2.15.4`
-- Zod: `^4.1.13`
-- Axios: `^1.13.2`
-- Sonner (Toast): `^2.0.7`
-- Lucide React (Icons): `^0.561.0`
-- Tailwind CSS: `^4`
-- Radix UI: Latest component versions
-- Motion (Animations): `^12.23.26`
+- Zod: `4.4.3`
+- Axios: `1.17.0`
+- Sonner (Toast): `2.0.7`
+- Lucide React (Icons): `0.561.0`
+- Tailwind CSS: `4.3.0` (with @tailwindcss/postcss)
+- Radix UI: `radix-ui` `1.5.0` (+ individual `@radix-ui/react-*` primitives)
+- Motion (Animations): `12.40.0`
+- cmdk: `1.1.1`, @yudiel/react-qr-scanner: `2.6.0`
 
 **Development Tools:**
 
-- ESLint: Latest
-- TypeScript: Latest
-- Tailwind CSS with PostCSS: Latest
+- TypeScript: `5.9.3`
+- ESLint: `9.39.4` (eslint-config-next `16.2.2`)
+- Tailwind CSS with PostCSS
+
+**Backend (for context):** Spring Boot `3.1.0` on Java `21`, Spring Security OAuth2 Resource Server (validates better-auth JWTs via JWKS), Spring Data JPA + PostgreSQL.
 
 ## Guidelines
 
@@ -58,6 +71,30 @@ Add empty rows for better readability between logical blocks of code, my prettie
 
 If I tell you to refactor something into a separate component or function, make sure to check if there already exists a similar component or function in the codebase and reuse it instead of writing a new one. If there is no similar component or function, then create a new one in a separate file, instead of writing it in the same file.
 
+Never edit the package.json or packege-lock.json files directly, but instead use "pnpm add package-name@version" or "pnpm remove package-name" to manage dependencies.
+
+If you need docs about a library, always fetch the most recent documentation from the official website or repository, instead of searching in node modules or other places.
+
 # Backend Development Guidelines
 
 NEVER run "mvn spring-boot:run" or any other development server command, because I always already have my dev server running. Also never run build commands.
+
+# Commit message requirement
+
+At the end of every response that includes code changes, include a suggested Git commit message.
+
+Use this format:
+
+```text
+Short summary in imperative mood
+
+Brief explanation of why the change was needed.
+
+Changes:
+- Specific change 1
+- Specific change 2
+- Specific change 3
+
+Notes:
+- Optional important detail for reviewers or future maintenance
+```

backend/.env.example

@@ -2,4 +2,7 @@ SPRING_DATASOURCE_URL=jdbc:postgresql://localhost:5432/database_name
 SPRING_DATASOURCE_USERNAME=username
 SPRING_DATASOURCE_PASSWORD=password
 
-JWT_SECRET=your_very_long_jwt_secret_key_here_at_least_256_bits_long
+# URL of better-auth's JWKS endpoint, used to validate JWTs.
+# Optional locally (defaults to http://localhost:3000/api/auth/jwks).
+# In Docker, set to the internal frontend URL, e.g. http://frontend:3000/api/auth/jwks
+BETTER_AUTH_JWKS_URI=http://localhost:3000/api/auth/jwks

backend/pom.xml

@@ -66,11 +66,6 @@
 			<artifactId>spring-dotenv</artifactId>
 			<version>3.0.0</version>
 		</dependency>
-		<dependency>
-			<groupId>com.google.api-client</groupId>
-			<artifactId>google-api-client</artifactId>
-			<version>2.2.0</version>
-		</dependency>
 		<dependency>
 			<groupId>org.projectlombok</groupId>
 			<artifactId>lombok</artifactId>
@@ -86,26 +81,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-security</artifactId>
 		</dependency>
+		<!-- Validates better-auth JWTs via JWKS (backend acts as a resource server) -->
 		<dependency>
-			<groupId>io.jsonwebtoken</groupId>
-			<artifactId>jjwt-api</artifactId>
-			<version>0.11.5</version>
-		</dependency>
-		<dependency>
-			<groupId>io.jsonwebtoken</groupId>
-			<artifactId>jjwt-impl</artifactId>
-			<version>0.11.5</version>
-			<scope>runtime</scope>
-		</dependency>
-		<dependency>
-			<groupId>io.jsonwebtoken</groupId>
-			<artifactId>jjwt-jackson</artifactId>
-			<version>0.11.5</version>
-			<scope>runtime</scope>
-		</dependency>
-		<dependency>
-			<groupId>org.springframework.security</groupId>
-			<artifactId>spring-security-oauth2-client</artifactId>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>