feat: Better auth

[twk3]

Commit Description

• Support multiple users in onPrem via username-password instead of trusted jwt
• Enable password creation for root user at setup time

Summary

Migrates authentication from JWT-based tokens to Better Auth, adding support for root user password configuration and new email settings.

Changes

• Authentication Migration: Replaced apiJwtToken configuration with betterAuth secret configuration

  • Removed JWT_SECRET and JWT_SECRET_EXPIRY environment variables
  • Added BETTER_AUTH_SECRET and BETTER_AUTH_ENABLED environment variables
  • Added BETTER_AUTH_URL pointing to the app host

• Root User Password: Added support for configuring root user password via Kubernetes secret

  • New currents.rootUser.password.secretName and currents.rootUser.password.key values
  • Injects ON_PREM_PASSWORD environment variable when configured

• Email Configuration: Added new optional email settings

  • inviteFrom - Custom sender address for invitation emails
  • inviteBcc - BCC address for invitation emails
  • reportsBcc - BCC address for automated report emails
  • inviteExpirationDays - Configurable invitation link expiration
  • linksBaseUrl - Custom base URL for email links

• Documentation: Updated developer guide and EKS quickstart with new secret creation commands

  • Increased recommended secret lengths from 32 to 64 characters for auth secrets

Breaking Changes

• currents.apiJwtToken.secretName → currents.betterAuth.secretName
• currents.apiJwtToken.key → currents.betterAuth.key (default changed from token to secret)
• Removed currents.apiJwtToken.expiry (no longer applicable)

Migration

Existing deployments need to:

1. Create a new currents-better-auth secret with a 64-character secret
2. Create a new currents-root-user secret with the admin password
3. Update Helm values to use betterAuth instead of apiJwtToken

[twk3]

Tested in local K8S cluster.

Still needs to be verified in EKS prior to release