
Simplify auth to server-side only #3

Merged: acoyfellow merged 7 commits into main from copilot/simplify-auth-state-management on Dec 19, 2025
Copilot AI (Contributor) commented Dec 16, 2025

Remove duplicate client-side auth state management. Previously, auth state was synced from server (hooks.server.ts, +layout.server.ts) into a client-side authStore class, creating potential sync bugs and unnecessary code.

Changes

  • Deleted src/lib/auth-store.svelte.ts - Remove the AuthStore class and singleton
  • Simplified +layout.svelte - No longer initializes auth store with server data
  • Updated +page.svelte - Use page.data.user directly, call auth client methods inline
  • Updated READMEs - Remove auth-store.svelte.ts from project structure docs

Applied same changes to packages/create-remote-app/template/.

New Pattern

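```svelte
<script>
  import { page } from "$app/state";
  import { invalidateAll } from "$app/navigation";
  import { signIn, signOut } from "$lib/auth-client";

  // Form fields, bound to the sign-in inputs (markup not shown)
  let email = $state("");
  let password = $state("");

  async function handleSignIn() {
    await signIn.email({ email, password });
    await invalidateAll(); // Refetch server data so page.data.user reflects the new session
  }
</script>

{#if page.data.user}
  <p>Welcome, {page.data.user.email}</p>
{/if}
```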

~155 lines removed. Server remains single source of truth.

Original prompt

for the create-remote-app package...

PR: Simplify auth to server-side only

Changes

  • Deleted src/lib/auth-store.svelte.ts - removed client-side auth state management
  • Simplified +layout.svelte - no longer initializes auth store
  • Updated +page.svelte - uses $page.data.user directly instead of authStore

Why

The previous implementation maintained duplicate auth state:

  • Server validated session in hooks.server.ts
  • Server passed user/session via +layout.server.ts
  • Client synced that data into authStore class

This created potential sync bugs and unnecessary code.

New approach

  • Server is single source of truth
  • $page.data.user provides reactive access to auth state
  • invalidateAll() after auth actions refetches server data
  • ~60 lines of code removed



Note

Removes client auth store in favor of server-driven $page data with per-origin init, updates routes/layout and API, adds PR preview/prod Cloudflare deploy and cleanup, and bumps key dependencies with minor config/SEO tweaks.

  • Auth & Server:
    • Remove client authStore; make server the single source of truth via $page.data.user.
    • Update initAuth to require baseURL and guard per-origin; drop getAuth usage.
    • Adjust handlers in src/routes/api/auth/[...all]/+server.ts and template equivalents to call initAuth(db, env, event.url.origin).
  • UI & Routes:
    • Simplify +layout.svelte (no store init).
    • Update +page.svelte to call signIn/signUp/signOut directly and invalidateAll(); gate actions on page.data.user.
  • CI/CD:
    • Split Cloudflare deploy into deploy_prod (push to main) and deploy_preview (PR) with stage pr-${{ github.event.pull_request.number }}; update cleanup to destroy matching stage.
  • Alchemy/Infra:
    • Simplify alchemy.run.ts: remove script/name fields; use default CloudflareStateStore; streamline D1/Worker/App setup (app + template).
  • Config & Meta:
    • svelte.config.js: use alchemy() adapter in dev, Cloudflare adapter otherwise.
    • Add basic SEO/OpenGraph meta in src/app.html.
    • Minor CSS: set body colors; add template app.css.
    • .gitignore: ignore package-lock.json.
  • Docs:
    • Remove auth-store.svelte.ts from READMEs and project structure.
  • Dependencies:
    • Bump core tooling and libs (@sveltejs/kit, svelte, tailwindcss, alchemy, better-auth, drizzle-*, vite, wrangler).

Written by Cursor Bugbot for commit dcca06a.

…user and invalidateAll()

Co-authored-by: acoyfellow <1666099+acoyfellow@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Simplify auth to server-side only" to "Simplify auth to server-side only" Dec 16, 2025
Copilot AI requested a review from acoyfellow December 16, 2025 11:41
@acoyfellow acoyfellow marked this pull request as ready for review December 18, 2025 19:43
@acoyfellow (Owner) commented:

@copilot -- you need to write Svelte 5 syntax; `import { page } from "$app/stores";` is deprecated. $syntax is deprecated for runes.

@cursor cursor bot left a comment

This PR is being reviewed by Cursor Bugbot

…tores

Co-authored-by: acoyfellow <1666099+acoyfellow@users.noreply.github.com>
Copilot AI (Contributor, Author) commented Dec 18, 2025

> @copilot -- you need to write Svelte 5 syntax; `import { page } from "$app/stores";` is deprecated. $syntax is deprecated for runes.

Updated in 54c545a. Changed import { page } from "$app/stores" to import { page } from "$app/state" and removed the $ prefix from all page.data.user references to use proper Svelte 5 runes syntax.

…ty and performance

This commit updates several dependencies, including @sveltejs/kit, @tailwindcss/forms, alchemy, better-auth, drizzle-orm, and others, to their latest versions. Additionally, it enhances the create-remote-app template by updating its dependencies and adding basic styling to the app.css file.
… Auth

This update modifies the `initAuth` function to accept a base URL, ensuring proper initialization for different environments. It also removes the unused `getAuth` function and updates various files to reflect these changes, enhancing the overall structure and reliability of the authentication process.
if (authBaseURL !== baseURL) {
throw new Error(`Auth already initialized for ${authBaseURL}, cannot re-init for ${baseURL}`);
}
return authInstance;
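
Review bot: the `authBaseURL !== baseURL` guard throws for every request whose baseURL differs from the one that first initialized the single `authInstance`, so whichever origin arrives first decides which hostname works and every other one gets an exception instead of an auth instance. Consider caching instances keyed by baseURL, limited to a configured list of origins, and returning an instance built from a fixed configured URL for anything else rather than throwing.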
Bug: Auth singleton fails silently for multi-domain deployments

The auth singleton stores the baseURL from the first request's event.url.origin and throws an error if subsequent requests come from a different origin. In Cloudflare Workers, a single isolate can handle requests from multiple domains (e.g., custom domain AND workers.dev URL). When this happens, users accessing via the second domain will have their auth silently fail—the error is caught in hooks.server.ts and users are served as unauthenticated even if they have valid session cookies. The previous implementation used a fixed env.BETTER_AUTH_URL which avoided this issue. Consider using the environment variable as a fallback or making the baseURL check more permissive for configured trusted origins.
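
One way to implement the suggestion in the comment above: keep one auth instance per configured trusted origin and use a fixed fallback URL for any other origin. This is an added example, not code from the PR or the project; `createAuthResolver`, `AuthFactory`, `normalizeOrigin` and the sample origins are hypothetical, and the factory stands in for the real auth constructor.

```typescript
// Added example: createAuthResolver and AuthFactory are hypothetical names.
// The factory stands in for whatever builds the real auth instance.
type AuthFactory<T> = (baseURL: string) => T;

interface AuthResolver<T> {
  resolve(requestOrigin: string): T;
  size(): number;
}

// Lowercase and strip trailing slashes so equivalent origins compare equal.
function normalizeOrigin(origin: string): string {
  return origin.trim().toLowerCase().replace(/\/+$/, "");
}

function createAuthResolver<T>(
  trustedOrigins: string[], // configured, e.g. custom domain and workers.dev URL
  fallbackURL: string, // fixed value, e.g. taken from env.BETTER_AUTH_URL
  factory: AuthFactory<T>,
): AuthResolver<T> {
  const trusted = new Set(trustedOrigins.map(normalizeOrigin));
  const fallback = normalizeOrigin(fallbackURL);
  const instances = new Map<string, T>();

  return {
    resolve(requestOrigin: string): T {
      const origin = normalizeOrigin(requestOrigin);
      // An origin outside the allowlist never becomes a baseURL; it gets the
      // fallback instance, so the cache holds at most trusted.size + 1 entries.
      const baseURL = trusted.has(origin) ? origin : fallback;
      let instance = instances.get(baseURL);
      if (instance === undefined) {
        instance = factory(baseURL);
        instances.set(baseURL, instance);
      }
      return instance;
    },
    size: () => instances.size,
  };
}

// Constructed sample: two hostnames served by the same Worker isolate.
const demo = createAuthResolver(
  ["https://app.example.com", "https://app.example.workers.dev"],
  "https://app.example.com",
  (baseURL) => ({ baseURL }),
);
console.log(demo.resolve("https://app.example.workers.dev").baseURL);
console.log(demo.resolve("https://unlisted.example.net").baseURL);
```

Because the instance is chosen per request instead of being pinned by the first request, a session cookie presented on either configured hostname is validated by an instance built for that hostname.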


@acoyfellow acoyfellow merged commit f061b45 into main Dec 19, 2025
3 of 4 checks passed
@acoyfellow acoyfellow deleted the copilot/simplify-auth-state-management branch December 19, 2025 10:01