[GH-ISSUE #1766] ERROR [Better Auth] Couldn't read your auth config. Error: Cannot find module '$env/static/private' Error is the same for any $` imported library #8907

New Issue

GiteaMirror · 2026-04-13T04:09:19-05:00

GiteaMirror commented

2026-04-13 04:09:19 -05:00

Originally created by @maumercado on GitHub (Mar 11, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/1766

Is this suited for github?

Yes, this is suited for github

To Reproduce

Ex:

Create a sveltekit@5 project with TS
Create an auth.ts file inside lib using $env/dynamic|static/ or any other $lib/xxx
Call @better-auth/cli generate

Current vs. Expected behavior

Following the steps in the basic installation and sveltekit guide I get an error trying to execute @better-auth/cli generate -c ./src/lib/auth.ts

ERROR [Better Auth]: [#better-auth]: Couldn't read your auth config. Error: Cannot find module '$env/static/private'
This error is the same for any $ imported library

What version of Better Auth are you using?

1.2.3

Provide environment information

- OS MacOS Sequoia 15.3.1
- Sveltejs/kit@2.19 and svelte 5.22
- Node 22.14

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

// // auth.ts
import {
  POSTGRES_USER,
  POSTGRES_PASSWORD,
  POSTGRES_DB,
  POSTGRES_HOST,
  POSTGRES_PORT,
  EMAIL_FROM,
  EMAIL_REPLY_TO,
  RESEND_API_KEY,
  GOOGLE_CLIENT_ID,
  GOOGLE_CLIENT_SECRET,
  APPLE_CLIENT_ID,
  APPLE_CLIENT_SECRET,
  APPLE_APP_BUNDLE_ID,
  JWT_SECRET,
  SECRET_CF_TURNSTILE_SECRET
} from '$env/static/private';
import { PUBLIC_APP_NAME, PUBLIC_APP_URL, PUBLIC_DOMAIN } from '$env/static/public';
import pg from 'pg';
import { betterAuth } from 'better-auth';
import { passkey } from 'better-auth/plugins/passkey';
import { captcha, twoFactor } from 'better-auth/plugins';
import { bearer } from 'better-auth/plugins';
import { multiSession } from 'better-auth/plugins';
import { emailOTP } from 'better-auth/plugins';
import { magicLink } from 'better-auth/plugins';
import { setEmailFrom, sendEmail, EmailType } from '$lib/server/email';
import { EmailTemplateType, getEmailTemplate } from '$lib/server/email/templates';

const { Pool } = pg;

// Define types for plugin parameters
type OTPUser = { email: string };
type VerificationType = 'sign-in' | 'email-verification' | 'forget-password';

// Create a database pool for sharing with the auth modules
const pool = new Pool({
  host: POSTGRES_HOST,
  port: +POSTGRES_PORT,
  user: POSTGRES_USER,
  password: POSTGRES_PASSWORD,
  database: POSTGRES_DB
});

export const auth = betterAuth({
  // Base configuration
  database: 'postgres',
  schema: 'auth',
  usePluralizedTableNames: true,
  tablePrefix: '',
  adminRole: 'service_role',
  authenticatedRole: 'authenticated',
  anonRole: 'anon',
  jwtIssuer: 'reporter-app',
  sessionExpiryInSeconds: 604800,
  accessTokenExpiryInSeconds: 3600,
  refreshTokenExpiryInSeconds: 604800,
  minPasswordLength: 8,
  appName: 'Reporter App', // Used as issuer for 2FA
  advanced: {
    generateId: false
  },

  user: {
    additionalFields: {
      firstName: {
        type: 'string',
        required: true
      },
      lastName: {
        type: 'string',
        required: true
      },
      phone: {
        type: 'string',
        required: false
      },
      roles: {
        type: 'string[]',
        required: false,
        default: ['user']
      }
    }
  },

  // Email and password authentication
  emailAndPassword: {
    enabled: true,
    autoSignIn: false
  },

  // Email verification
  emailVerification: {
    sendOnSignUp: true,
    requireEmailVerification: true,
    autoSignInAfterVerification: true,
    expiresIn: 300, // 5 minutes
    sendVerificationEmail: async ({ user, url, token }) => {
      const subject = 'Your Reporter App verification code';
      const html = getEmailTemplate({
        type: EmailTemplateType.VERIFICATION,
        verificationUrl: url
      });

      await sendEmail({
        to: user.email,
        subject,
        html
      });
    }
  },

  // Password reset
  passwordReset: {
    enabled: true,
    expiresIn: 300 // 5 minutes
  },

  // OAuth providers
  socialProviders: {
    google: {
      clientId: GOOGLE_CLIENT_ID!,
      clientSecret: GOOGLE_CLIENT_SECRET!
    },
    apple: {
      clientId: APPLE_CLIENT_ID!,
      clientSecret: APPLE_CLIENT_SECRET!,
      appBundleIdentifier: APPLE_APP_BUNDLE_ID!
    }
  },

  // Email configuration
  email: {
    provider: 'resend',
    from: EMAIL_FROM!,
    replyTo: EMAIL_REPLY_TO,
    providerApiKey: RESEND_API_KEY!
  },

  // Plugins configuration with proper options based on documentation
  plugins: [
    bearer(),
    multiSession(),
    // Passkey plugin for passwordless WebAuthn
    passkey({
      rpID: PUBLIC_DOMAIN || 'localhost',
      rpName: PUBLIC_APP_NAME || 'Reporter',
      origin: PUBLIC_APP_URL || 'http://localhost:5173'
    }),

    // captcha({
    //   provider: 'cloudflare-turnstile', // or "google-recaptcha"
    //   secretKey: SECRET_CF_TURNSTILE_SECRET!
    // }),

    // Two-factor authentication (TOTP) with type assertion to fix compatibility issue
    twoFactor({
      skipVerificationOnEnable: false,
      totpOptions: {
        digits: 6,
        period: 30
      },
      otpOptions: {
        period: 30,
        // Implement sendOTP using the existing email service and templates
        async sendOTP({ user, otp }: { user: OTPUser; otp: string }) {
          const subject = 'Your Reporter App verification code';
          const html = getEmailTemplate({
            type: EmailTemplateType.TWO_FACTOR,
            otp,
            verificationType: 'sign-in',
            expiresIn: '30 seconds'
          });

          await sendEmail({
            to: user.email,
            subject,
            html,
            from: setEmailFrom(EmailType.Welcome)
          });

          // Return void as required by the type
        }
      }
    }),

    // Email OTP for verification codes
    emailOTP({
      async sendVerificationOTP({
        email,
        otp,
        type
      }: {
        email: string;
        otp: string;
        type: VerificationType;
      }) {
        // Get the appropriate email subject based on verification type
        const typeLabels = {
          'sign-in': 'Sign-in',
          'email-verification': 'Email Verification',
          'forget-password': 'Password Reset'
        };

        const subject = `Your Reporter App ${typeLabels[type] || type} code`;
        const html = getEmailTemplate({
          type: EmailTemplateType.TWO_FACTOR,
          otp,
          verificationType: type,
          expiresIn: type === 'forget-password' ? '5 minutes' : '5 minutes'
        });

        await sendEmail({
          to: email,
          subject,
          html,
          from: setEmailFrom(EmailType.Welcome)
        });

        // Return void as required by the type
      }
    }),

    // Magic link (passwordless email link) with required sendMagicLink property
    magicLink({
      // Required implementation of sendMagicLink as per documentation
      async sendMagicLink({ email, url }: { email: string; url: string }) {
        // Implementation uses the email service configured in the base auth
        const subject = 'Sign in to Reporter App';
        const html = getEmailTemplate({
          type: EmailTemplateType.MAGIC_LINK,
          url,
          appName: 'Reporter App'
        });

        await sendEmail({
          to: email,
          subject,
          html,
          from: setEmailFrom(EmailType.Welcome)
        });

        // Return void as required by the type
      }
    })
  ]
});

Additional context

No response

Originally created by @maumercado on GitHub (Mar 11, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/1766 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce Ex: - Create a sveltekit@5 project with TS - Create an auth.ts file inside lib using $env/dynamic|static/ or any other $lib/xxx - Call @better-auth/cli generate ### Current vs. Expected behavior Following the steps in the basic installation and sveltekit guide I get an error trying to execute @better-auth/cli generate -c ./src/lib/auth.ts `ERROR [Better Auth]: [#better-auth]: Couldn't read your auth config. Error: Cannot find module '$env/static/private'` This error is the same for any `$` imported library ### What version of Better Auth are you using? 1.2.3 ### Provide environment information ```bash - OS MacOS Sequoia 15.3.1 - Sveltejs/kit@2.19 and svelte 5.22 - Node 22.14 ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript // // auth.ts import { POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB, POSTGRES_HOST, POSTGRES_PORT, EMAIL_FROM, EMAIL_REPLY_TO, RESEND_API_KEY, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, APPLE_CLIENT_ID, APPLE_CLIENT_SECRET, APPLE_APP_BUNDLE_ID, JWT_SECRET, SECRET_CF_TURNSTILE_SECRET } from '$env/static/private'; import { PUBLIC_APP_NAME, PUBLIC_APP_URL, PUBLIC_DOMAIN } from '$env/static/public'; import pg from 'pg'; import { betterAuth } from 'better-auth'; import { passkey } from 'better-auth/plugins/passkey'; import { captcha, twoFactor } from 'better-auth/plugins'; import { bearer } from 'better-auth/plugins'; import { multiSession } from 'better-auth/plugins'; import { emailOTP } from 'better-auth/plugins'; import { magicLink } from 'better-auth/plugins'; import { setEmailFrom, sendEmail, EmailType } from '$lib/server/email'; import { EmailTemplateType, getEmailTemplate } from '$lib/server/email/templates'; const { Pool } = pg; // Define types for plugin parameters type OTPUser = { email: string }; type VerificationType = 'sign-in' | 'email-verification' | 'forget-password'; // Create a database pool for sharing with the auth modules const pool = new Pool({ host: POSTGRES_HOST, port: +POSTGRES_PORT, user: POSTGRES_USER, password: POSTGRES_PASSWORD, database: POSTGRES_DB }); export const auth = betterAuth({ // Base configuration database: 'postgres', schema: 'auth', usePluralizedTableNames: true, tablePrefix: '', adminRole: 'service_role', authenticatedRole: 'authenticated', anonRole: 'anon', jwtIssuer: 'reporter-app', sessionExpiryInSeconds: 604800, accessTokenExpiryInSeconds: 3600, refreshTokenExpiryInSeconds: 604800, minPasswordLength: 8, appName: 'Reporter App', // Used as issuer for 2FA advanced: { generateId: false }, user: { additionalFields: { firstName: { type: 'string', required: true }, lastName: { type: 'string', required: true }, phone: { type: 'string', required: false }, roles: { type: 'string[]', required: false, default: ['user'] } } }, // Email and password authentication emailAndPassword: { enabled: true, autoSignIn: false }, // Email verification emailVerification: { sendOnSignUp: true, requireEmailVerification: true, autoSignInAfterVerification: true, expiresIn: 300, // 5 minutes sendVerificationEmail: async ({ user, url, token }) => { const subject = 'Your Reporter App verification code'; const html = getEmailTemplate({ type: EmailTemplateType.VERIFICATION, verificationUrl: url }); await sendEmail({ to: user.email, subject, html }); } }, // Password reset passwordReset: { enabled: true, expiresIn: 300 // 5 minutes }, // OAuth providers socialProviders: { google: { clientId: GOOGLE_CLIENT_ID!, clientSecret: GOOGLE_CLIENT_SECRET! }, apple: { clientId: APPLE_CLIENT_ID!, clientSecret: APPLE_CLIENT_SECRET!, appBundleIdentifier: APPLE_APP_BUNDLE_ID! } }, // Email configuration email: { provider: 'resend', from: EMAIL_FROM!, replyTo: EMAIL_REPLY_TO, providerApiKey: RESEND_API_KEY! }, // Plugins configuration with proper options based on documentation plugins: [ bearer(), multiSession(), // Passkey plugin for passwordless WebAuthn passkey({ rpID: PUBLIC_DOMAIN || 'localhost', rpName: PUBLIC_APP_NAME || 'Reporter', origin: PUBLIC_APP_URL || 'http://localhost:5173' }), // captcha({ // provider: 'cloudflare-turnstile', // or "google-recaptcha" // secretKey: SECRET_CF_TURNSTILE_SECRET! // }), // Two-factor authentication (TOTP) with type assertion to fix compatibility issue twoFactor({ skipVerificationOnEnable: false, totpOptions: { digits: 6, period: 30 }, otpOptions: { period: 30, // Implement sendOTP using the existing email service and templates async sendOTP({ user, otp }: { user: OTPUser; otp: string }) { const subject = 'Your Reporter App verification code'; const html = getEmailTemplate({ type: EmailTemplateType.TWO_FACTOR, otp, verificationType: 'sign-in', expiresIn: '30 seconds' }); await sendEmail({ to: user.email, subject, html, from: setEmailFrom(EmailType.Welcome) }); // Return void as required by the type } } }), // Email OTP for verification codes emailOTP({ async sendVerificationOTP({ email, otp, type }: { email: string; otp: string; type: VerificationType; }) { // Get the appropriate email subject based on verification type const typeLabels = { 'sign-in': 'Sign-in', 'email-verification': 'Email Verification', 'forget-password': 'Password Reset' }; const subject = `Your Reporter App ${typeLabels[type] || type} code`; const html = getEmailTemplate({ type: EmailTemplateType.TWO_FACTOR, otp, verificationType: type, expiresIn: type === 'forget-password' ? '5 minutes' : '5 minutes' }); await sendEmail({ to: email, subject, html, from: setEmailFrom(EmailType.Welcome) }); // Return void as required by the type } }), // Magic link (passwordless email link) with required sendMagicLink property magicLink({ // Required implementation of sendMagicLink as per documentation async sendMagicLink({ email, url }: { email: string; url: string }) { // Implementation uses the email service configured in the base auth const subject = 'Sign in to Reporter App'; const html = getEmailTemplate({ type: EmailTemplateType.MAGIC_LINK, url, appName: 'Reporter App' }); await sendEmail({ to: email, subject, html, from: setEmailFrom(EmailType.Welcome) }); // Return void as required by the type } }) ] }); ``` ### Additional context _No response_

GiteaMirror added the locked bug labels 2026-04-13 04:09:19 -05:00

GiteaMirror closed this issue

2026-04-13 04:09:21 -05:00

GiteaMirror commented

2026-04-13 04:09:26 -05:00

@muskan-focusofthq commented on GitHub (Mar 12, 2025):

@muskan-focusofthq completely different error, my issue seems to be related to the build process that should occur when reading the auth.ts file which includes some modules that are automatically injected by vite, so mostly looking for pointers on how to handle that, as you see my error is not that it cannot read the auth.ts it can, it simply cannot find the module $env ... or $lib/ anything

Thanks tho'

????

@muskan-focusofthq commented on GitHub (Mar 12, 2025): > [@muskan-focusofthq](https://github.com/muskan-focusofthq) completely different error, my issue seems to be related to the build process that should occur when reading the auth.ts file which includes some modules that are automatically injected by vite, so mostly looking for pointers on how to handle that, as you see my error is not that it cannot read the auth.ts it can, it simply cannot find the module $env ... or $lib/ anything > > Thanks tho' ????

GiteaMirror commented

2026-04-13 04:09:26 -05:00

@moshetanzer commented on GitHub (Mar 24, 2025):

@maumercado am not proficient in svelte, however aren't those only available from build onwards? You probably should add env directly using procces.env (if that is possible in svelte) since generate is not running built app.

@moshetanzer commented on GitHub (Mar 24, 2025): @maumercado am not proficient in svelte, however aren't those only available from build onwards? You probably should add env directly using procces.env (if that is possible in svelte) since generate is not running built app.

GiteaMirror commented

2026-04-13 04:09:26 -05:00

@maumercado commented on GitHub (Mar 25, 2025):

@moshetanzer thank you, this gives me an idea, of course it has to do with the build step, so might as well just attempt to execute the script pointing to the built output of svelte, would probably have to modify the config just for this, but I'll see what I can do!

Thank you @moshetanzer that was helpful

@maumercado commented on GitHub (Mar 25, 2025): @moshetanzer thank you, this gives me an idea, of course it has to do with the build step, so might as well just attempt to execute the script pointing to the built output of svelte, would probably have to modify the config just for this, but I'll see what I can do! Thank you @moshetanzer that was helpful

GiteaMirror commented

2026-04-13 04:09:27 -05:00

@jerriclynsjohn commented on GitHub (Apr 13, 2025):

I think the ideal step is for the CLI to figure out the framework & aliases mentioned in the root of the project, and then do path resolution just the way the framework would do. Right now, I'm able to make this work without using the alias.

@jerriclynsjohn commented on GitHub (Apr 13, 2025): I think the ideal step is for the CLI to figure out the framework & aliases mentioned in the root of the project, and then do path resolution just the way the framework would do. Right now, I'm able to make this work without using the alias.

GiteaMirror referenced this issue

2026-04-13 10:33:52 -05:00

[PR #8907] [MERGED] chore(deps): bump mcp-handler from 1.0.7 to 1.1.0 in /demo/nextjs #16536

GiteaMirror referenced this issue

2026-04-15 22:45:30 -05:00

[PR #8907] [MERGED] chore(deps): bump mcp-handler from 1.0.7 to 1.1.0 in /demo/nextjs #25190

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#8907

[GH-ISSUE #1766] ERROR [Better Auth] Couldn't read your auth config. Error: Cannot find module '$env/static/private' Error is the same for any $` imported library #8907

Is this suited for github?

To Reproduce

Current vs. Expected behavior

What version of Better Auth are you using?

Provide environment information

Which area(s) are affected? (Select all that apply)

Auth config (if applicable)

Additional context

[GH-ISSUE #1766] ERROR [Better Auth] Couldn't read your auth config. Error: Cannot find module '$env/static/private' `Error is the same for any` $` imported library #8907