feat(web,server): add email/password authentication

[leoisadev1]

Summary

• Enable email & password login alongside existing GitHub/Vercel OAuth
• Add sign-in/sign-up form with toggle on the auth page
• Email auth sessions are established inline (no redirect needed)

Changes

File	What
apps/server/convex/auth.ts	Enable emailAndPassword: { enabled: true } with 8-128 char password constraints
apps/web/src/lib/auth-client.tsx	Add signInWithEmail() and signUpWithEmail() helper functions
apps/web/src/routes/auth/sign-in.tsx	Email/password form with sign-in ↔ sign-up toggle, error handling, "or" divider above OAuth buttons

How it works

1. Users can now sign in or create an account with email + password
2. Sign-up mode adds a name field; defaults to email prefix if omitted
3. After successful email auth, session is refreshed inline and user is redirected to /
4. OAuth buttons (GitHub, Vercel) remain below an "or" divider
5. All buttons are disabled while any auth operation is in progress

Closes #562

[railway-app]

🚅 Deployed to the openchat-pr-571 environment in OpenChat

Service	Status	Web	Updated (UTC)
web	😴 Sleeping (View Logs)	Web	Feb 3, 2026 at 3:15 am

[greptile-apps]

Greptile Overview

Greptile Summary

This PR successfully adds email/password authentication alongside the existing GitHub/Vercel OAuth, enabling users to sign up and sign in without requiring a third-party account.

Key Changes

• Backend: Enabled email/password authentication in Better Auth config with sensible password constraints (8-128 characters)
• Client helpers: Added signInWithEmail() and signUpWithEmail() wrapper functions in auth-client.tsx
• UI: Implemented sign-in/sign-up form with toggle, error handling, and seamless inline session refresh (no redirect needed)
• All auth buttons are properly disabled during any auth operation to prevent race conditions

Integration Notes

• Email auth flows through the same Better Auth → Convex user sync pipeline as OAuth
• The UserSyncProvider automatically syncs email-authenticated users to the Convex database via users.ensure mutation
• Session management uses the existing non-reactive StableAuthProvider to prevent infinite loops

Issues Found

• Missing analytics tracking (confidence 5/5): Email auth success does not call analytics.signedIn() unlike OAuth flows
• Minor improvements: Error logging, input validation (max password length), and defensive name fallback suggested

Confidence Score: 4/5

• Safe to merge with one critical fix needed - add analytics tracking for email auth
• The implementation is solid and integrates cleanly with the existing Better Auth + Convex architecture. The missing analytics.signedIn() call is the only critical issue that should be addressed before merging to maintain consistency with OAuth flows. The other suggestions are minor improvements around error handling and input validation that don't affect functionality.
• apps/web/src/routes/auth/sign-in.tsx needs the analytics call added on line 259-260

Important Files Changed

Filename	Overview
apps/server/convex/auth.ts	Enabled email/password auth with 8-128 character password constraints in Better Auth config
apps/web/src/lib/auth-client.tsx	Added signInWithEmail() and signUpWithEmail() helper functions for email authentication
apps/web/src/routes/auth/sign-in.tsx	Added email/password form with sign-in/sign-up toggle, error handling, and inline session refresh

Sequence Diagram

sequenceDiagram
    participant U as User
    participant SP as Sign In Page
    participant AC as Auth Client
    participant BA as Better Auth
    participant US as User Sync
    participant DB as Convex DB

    U->>SP: Enter form data
    
    alt Registration
        SP->>AC: signUpWithEmail()
        AC->>BA: POST sign up
        BA-->>AC: Response OK
    else Login
        SP->>AC: signInWithEmail()
        AC->>BA: POST sign in
        BA-->>AC: Response OK
    end
    
    SP->>AC: refetchSession()
    AC->>BA: GET session info
    BA-->>AC: Return data
    
    SP->>SP: Navigate home
    
    US->>DB: Sync user data
    DB-->>US: Confirm sync

Loading

[greptile-apps]

_{3 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

After successful email auth, analytics.signedIn() is not called, but it is called for OAuth flows in StableAuthProvider (line 169 in auth-client.tsx)

Suggested change

	const success = await refetchSession();
	if (success) {
	await refetchSession();
	analytics.signedIn();
	navigate({ to: "/" });

[greptile-apps]

Defaulting the name to email.split("@")[0] could fail if the email doesn't contain @ (though the browser's type="email" validation should prevent this)

Better to be defensive:

Suggested change

	const { error } = await signUpWithEmail(email, password, name || email.split("@")[0]);
	const { error } = await signUpWithEmail(email, password, name || email.split("@")[0] || "User");

[greptile-apps]

The catch block swallows the actual error, making debugging harder. Consider logging it:

Suggested change

	} else {
	} catch (err) {
	console.error("Email auth failed:", err);
	setEmailError(isSignUp ? "Sign up failed. Please try again." : "Sign in failed. Please try again.");

[greptile-apps]

HTML5 minLength provides client-side validation, but Better Auth config specifies maxPasswordLength: 128 (line 92 in auth.ts). Add maxLength for consistency:

Suggested change

	value={password}
	minLength={8}
	maxLength={128}

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[github-actions]

🚀 Preview Deployment Ready

Environment	URL
Frontend	https://web-openchat-pr-571.up.railway.app
Convex Dashboard	Dashboard

Convex Preview Backend

• Cloud URL: https://brave-labrador-160.convex.cloud
• Site URL: https://brave-labrador-160.convex.site

---

_{🤖 Deployed automatically by GitHub Actions}