feat(auth): migrate to better-auth admin plugin with unified Admin tab

apps/sim/app/api/user/super-user/route.ts

@@ -22,7 +22,7 @@ export async function GET(request: NextRequest) {
     }
 
     const currentUser = await db
-      .select({ isSuperUser: user.isSuperUser })
+      .select({ role: user.role })
       .from(user)
       .where(eq(user.id, session.user.id))
       .limit(1)
@@ -33,7 +33,7 @@ export async function GET(request: NextRequest) {
     }
 
     return NextResponse.json({
-      isSuperUser: currentUser[0].isSuperUser,
+      isSuperUser: currentUser[0].role === 'admin',
     })
   } catch (error) {
     logger.error(`[${requestId}] Error checking super user status`, error)

apps/sim/app/workspace/[workspaceId]/templates/page.tsx

@@ -44,9 +44,9 @@ export default async function TemplatesPage({ params }: TemplatesPageProps) {
     redirect(`/workspace/${workspaceId}`)
   }
 
-  // Determine effective super user (DB flag AND UI mode enabled)
+  // Determine effective super user (admin role AND UI mode enabled)
   const currentUser = await db
-    .select({ isSuperUser: user.isSuperUser })
+    .select({ role: user.role })
     .from(user)
     .where(eq(user.id, session.user.id))
     .limit(1)
@@ -56,7 +56,7 @@ export default async function TemplatesPage({ params }: TemplatesPageProps) {
     .where(eq(settings.userId, session.user.id))
     .limit(1)
 
-  const isSuperUser = currentUser[0]?.isSuperUser || false
+  const isSuperUser = currentUser[0]?.role === 'admin'
   const superUserModeEnabled = userSettings[0]?.superUserModeEnabled ?? true
   const effectiveSuperUser = isSuperUser && superUserModeEnabled
 

apps/sim/lib/auth/auth-client.ts

@@ -2,6 +2,7 @@ import { useContext } from 'react'
 import { ssoClient } from '@better-auth/sso/client'
 import { stripeClient } from '@better-auth/stripe/client'
 import {
+  adminClient,
   customSessionClient,
   emailOTPClient,
   genericOAuthClient,
@@ -17,6 +18,7 @@ import { SessionContext, type SessionHookResult } from '@/app/_shell/providers/s
 export const client = createAuthClient({
   baseURL: getBaseUrl(),
   plugins: [
+    adminClient(),
     emailOTPClient(),
     genericOAuthClient(),
     customSessionClient<typeof auth>(),

apps/sim/lib/auth/auth.ts

@@ -7,6 +7,7 @@ import { betterAuth } from 'better-auth'
 import { drizzleAdapter } from 'better-auth/adapters/drizzle'
 import { nextCookies } from 'better-auth/next-js'
 import {
+  admin,
   createAuthMiddleware,
   customSession,
   emailOTP,
@@ -625,6 +626,7 @@ export const auth = betterAuth({
   },
   plugins: [
     nextCookies(),
+    admin(),
     jwt({
       jwks: {
         keyPairConfig: { alg: 'RS256' },

apps/sim/lib/templates/permissions.ts

@@ -17,7 +17,7 @@ export async function verifyEffectiveSuperUser(userId: string): Promise<{
   superUserModeEnabled: boolean
 }> {
   const [currentUser] = await db
-    .select({ isSuperUser: user.isSuperUser })
+    .select({ role: user.role })
     .from(user)
     .where(eq(user.id, userId))
     .limit(1)
@@ -28,7 +28,7 @@ export async function verifyEffectiveSuperUser(userId: string): Promise<{
     .where(eq(settings.userId, userId))
     .limit(1)
 
-  const isSuperUser = currentUser?.isSuperUser || false
+  const isSuperUser = currentUser?.role === 'admin'
   const superUserModeEnabled = userSettings?.superUserModeEnabled ?? false
 
   return {

packages/db/migrations/0177_wise_puma.sql

@@ -0,0 +1,6 @@
+ALTER TABLE "session" ADD COLUMN "impersonated_by" text;--> statement-breakpoint
+ALTER TABLE "user" ADD COLUMN "role" text DEFAULT 'user';--> statement-breakpoint
+ALTER TABLE "user" ADD COLUMN "banned" boolean DEFAULT false;--> statement-breakpoint
+ALTER TABLE "user" ADD COLUMN "ban_reason" text;--> statement-breakpoint
+ALTER TABLE "user" ADD COLUMN "ban_expires" timestamp;--> statement-breakpoint
+ALTER TABLE "user" DROP COLUMN "is_super_user";