feat: migrate auth stack and admin portal

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

web/src/lib/auth.ts

@@ -0,0 +1,72 @@
+import { betterAuth } from "better-auth"
+import { prismaAdapter } from "better-auth/adapters/prisma"
+import { customSession } from "better-auth/plugins"
+
+import { env } from "./env"
+import { prisma } from "./prisma"
+
+export const auth = betterAuth({
+  secret: env.BETTER_AUTH_SECRET,
+  baseURL: env.BETTER_AUTH_URL,
+  database: prismaAdapter(prisma, {
+    provider: "sqlite",
+  }),
+  user: {
+    modelName: "authUser",
+    additionalFields: {
+      role: {
+        type: "string",
+        required: false,
+        defaultValue: "agent",
+        input: false,
+      },
+      tenantId: {
+        type: "string",
+        required: false,
+      },
+      avatarUrl: {
+        type: "string",
+        required: false,
+      },
+    },
+  },
+  session: {
+    modelName: "authSession",
+    cookieCache: {
+      enabled: true,
+      maxAge: 60 * 5,
+    },
+  },
+  account: {
+    modelName: "authAccount",
+  },
+  verification: {
+    modelName: "authVerification",
+  },
+  emailAndPassword: {
+    enabled: true,
+    requireEmailVerification: false,
+  },
+  plugins: [
+    customSession(async ({ user, session }) => {
+      const expiresAt = session.expiresAt instanceof Date
+        ? session.expiresAt.getTime()
+        : new Date(session.expiresAt ?? Date.now()).getTime()
+
+      return {
+        session: {
+          id: session.id,
+          expiresAt,
+        },
+        user: {
+          id: user.id,
+          name: user.name,
+          email: user.email,
+          role: ((user as { role?: string }).role ?? "agent").toLowerCase(),
+          tenantId: (user as { tenantId?: string | null }).tenantId ?? null,
+          avatarUrl: (user as { avatarUrl?: string | null }).avatarUrl ?? null,
+        },
+      }
+    }),
+  ],
+})