From 14df2cd9e2f7fe420d0eccd53e68f20e85bd43ba Mon Sep 17 00:00:00 2001
From: Till JS <tills95@gmail.com>
Date: Tue, 31 Mar 2026 12:46:29 +0200
Subject: [PATCH] fix(auth): declare accessTier as additionalField so Better
 Auth includes it in user object

Without this, Better Auth's definePayload receives a user object
without the custom accessTier column, causing the JWT tier claim
to always default to 'public'.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 services/mana-auth/src/auth/better-auth.config.ts | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/services/mana-auth/src/auth/better-auth.config.ts b/services/mana-auth/src/auth/better-auth.config.ts
index 006e7a953..950da2542 100644
--- a/services/mana-auth/src/auth/better-auth.config.ts
+++ b/services/mana-auth/src/auth/better-auth.config.ts
@@ -112,6 +112,17 @@ export function createBetterAuth(databaseUrl: string) {
 			},
 		}),
 
+		// Custom user fields (must be declared so Better Auth includes them in the user object)
+		user: {
+			additionalFields: {
+				accessTier: {
+					type: 'string',
+					defaultValue: 'public',
+					input: false, // Not settable via sign-up
+				},
+			},
+		},
+
 		// Email/password authentication with password reset
 		emailAndPassword: {
 			enabled: true,