Add authentication to protect the admin API

## Problem

All API endpoints, including `GET /api/freshman`, are currently publicly accessible without any authentication. This means anyone can query the recruitment data without authorization.

## Proposed Solution

Integrate **better-auth** into the Cloudflare Workers backend to:

- Provide OIDC-based login via **Logto** (Authorization Code + PKCE flow)
- Protect `GET /api/freshman` — only authenticated sessions may access it
- Keep `POST /api/freshman` public for open recruitment form submissions
- Store sessions in the existing **Cloudflare D1** database via the Kysely adapter

## Implementation Notes

- Mount `better-auth` handler at `/api/auth/*` (sign-in, callback, sign-out, session endpoints)
- Use the `genericOAuth` plugin pointed at the Logto OIDC discovery endpoint
- Use the `bearer` plugin so the frontend can authenticate via `Authorization: Bearer <token>`
- D1 migration adds four tables: `user`, `session`, `account`, `verification`
- Requires three Wrangler secrets: `BETTER_AUTH_SECRET`, `LOGTO_CLIENT_ID`, `LOGTO_CLIENT_SECRET`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add authentication to protect the admin API #5

Problem

Proposed Solution

Implementation Notes

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Add authentication to protect the admin API #5

Description

Problem

Proposed Solution

Implementation Notes

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions