Project management on Next.js 16 (App Router) + Postgres (Neon) + Better Auth

✓ Verified 2026-06-21 · next 16.2.9 · postgres 3.4.9 · better-auth 1.6.20

Type-checked against the real SDKs, migration applied to a live Postgres, pooling tested — then tracked for upstream drift and re-verified when it moves. How we verify →

What you're getting

Next.js 16 App Router — file-based routing, server components, and the Edge proxy (Next 16's renamed middleware).
Postgres on Neon via Drizzle ORM and the postgres-js driver.
Better Auth — self-hosted auth running inside your app against your Postgres (Drizzle adapter).
Project-management layer — user-owned projects, kanban tasks with status/priority, many-to-many assignees, per-project labels, and comment threads.

Setup

bun add next react react-dom drizzle-orm postgres better-auth

Environment variables:

DATABASE_URL — Neon pooled (-pooler) connection string
BETTER_AUTH_SECRET — generate with `openssl rand -base64 32`
BETTER_AUTH_URL — your app's base URL

Apply the schema: bunx drizzle-kit push

Initialization

src/lib/db.ts — Database client

import { drizzle } from "drizzle-orm/postgres-js";
import postgres from "postgres";

// Neon pooled endpoint = PgBouncer transaction mode → prepared statements off.
// ponytail: single module-level client; the serverless runtime + PgBouncer do
// the pooling, so no custom pool/globalThis singleton dance needed.
const client = postgres(process.env.DATABASE_URL!, { prepare: false });

export const db = drizzle({ client });

src/lib/auth.ts — Auth instance

// Better Auth instance (self-hosted, Next.js 16 (App Router)).
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
// Reuse the SAME postgres-js/Drizzle client the db slice exported in
// src/lib/db.ts — Better Auth shares the pooled `DATABASE_URL` connection.
import { db } from "./db";

export const auth = betterAuth({
  // Drizzle adapter over the shared client; provider "pg" => Postgres DDL
  // for Better Auth's own user/session/account/verification tables.
  database: drizzleAdapter(db, { provider: "pg" }),
  // ponytail: email+password is the shortest real auth that works out of
  // the box — add socialProviders / plugins here when the app needs them.
  emailAndPassword: { enabled: true },
  secret: process.env.BETTER_AUTH_SECRET,
  baseURL: process.env.BETTER_AUTH_URL,
});

export type Session = typeof auth.$Infer.Session;

app/api/auth/[...all]/route.ts — Route handler

// Mount Better Auth on Next's route layer.
import { toNextJsHandler } from "better-auth/next-js";
import { auth } from "@/lib/auth";

export const { GET, POST } = toNextJsHandler(auth);

proxy.ts — Route protection

// Session-protection proxy for Next.js 16 (App Router) (Next 16 renamed middleware.ts → proxy.ts).
// ponytail: getSessionCookie only checks the cookie EXISTS (no DB hit at
// the Edge runtime) — do the real auth.api.getSession() check inside
// protected Server Components / route handlers. This just bounces
// logged-out users before render.
import { NextResponse, type NextRequest } from "next/server";
import { getSessionCookie } from "better-auth/cookies";

export function proxy(request: NextRequest) {
  const sessionCookie = getSessionCookie(request);
  if (!sessionCookie) {
    return NextResponse.redirect(new URL("/sign-in", request.url));
  }
  return NextResponse.next();
}

export const config = {
  // ponytail: guard the SaaS app surface; widen the matcher per app-type.
  matcher: ["/dashboard/:path*", "/settings/:path*"],
};

Project-management schema: projects, tasks, assignees, labels & comments

Projects owned by a user — top-level containers keyed to a Better Auth user via owner_id FK, with active/archived status
Tasks with status, priority & due date — the unit of work scoped to a project, with a composite (project_id, status) index driving board-column queries
Task assignees & per-project labels — task↔user assignment join (unique per pair) and a project-scoped label catalog with a task↔label join table
Task comment threads — append-only comment rows keyed to a task and a Better Auth author, indexed on (task_id, created_at) for chronological feeds

import { relations, sql } from "drizzle-orm";
import {
  check,
  index,
  pgTable,
  text,
  timestamp,
  unique,
  uuid,
} from "drizzle-orm/pg-core";
// Better Auth owns identity; we only reference its `user` table by id.
import { user } from "./auth-schema";

export type ProjectStatus = "active" | "archived";
export type TaskStatus = "todo" | "in_progress" | "done";
export type TaskPriority = "low" | "medium" | "high" | "urgent";

/** Top-level container. Every task/label hangs off a project; the owner is a
 *  Better Auth user referenced by id (text), never redeclared here. */
export const projects = pgTable(
  "projects",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    // Better Auth's user.id is text — match it, don't recast.
    ownerId: text("owner_id")
      .notNull()
      .references(() => user.id, { onDelete: "cascade" }),
    name: text("name").notNull(),
    status: text("status")
      .$type<ProjectStatus>()
      .notNull()
      .default("active"),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    index("idx_project_owner").on(t.ownerId),
    check(
      "projects_status_check",
      sql`${t.status} in ('active','archived')`,
    ),
  ],
);

/** The unit of work. Scoped to a project; status/priority drive the board, and
 *  the project+status index backs the "tasks in this column" query. */
export const tasks = pgTable(
  "tasks",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    projectId: uuid("project_id")
      .notNull()
      .references(() => projects.id, { onDelete: "cascade" }),
    title: text("title").notNull(),
    status: text("status")
      .$type<TaskStatus>()
      .notNull()
      .default("todo"),
    priority: text("priority")
      .$type<TaskPriority>()
      .notNull()
      .default("medium"),
    dueDate: timestamp("due_date", { withTimezone: true }),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    // Drives the board: tasks in a project, grouped by column/status.
    index("idx_task_project_status").on(t.projectId, t.status),
    check(
      "tasks_status_check",
      sql`${t.status} in ('todo','in_progress','done')`,
    ),
    check(
      "tasks_priority_check",
      sql`${t.priority} in ('low','medium','high','urgent')`,
    ),
  ],
);

/** task <-> user assignment. The composite unique is the assignment identity
 *  (a user is assigned to a task at most once); the user index backs "my tasks". */
export const taskAssignees = pgTable(
  "task_assignees",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    taskId: uuid("task_id")
      .notNull()
      .references(() => tasks.id, { onDelete: "cascade" }),
    assigneeId: text("assignee_id")
      .notNull()
      .references(() => user.id, { onDelete: "cascade" }),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    unique("task_assignees_task_user_unique").on(t.taskId, t.assigneeId),
    // Drives the per-user "tasks assigned to me" feed.
    index("idx_assignee_user").on(t.assigneeId),
  ],
);

/** Per-project label catalog. color is an opaque CSS token (e.g. #ff0000). */
export const labels = pgTable(
  "labels",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    projectId: uuid("project_id")
      .notNull()
      .references(() => projects.id, { onDelete: "cascade" }),
    name: text("name").notNull(),
    color: text("color").notNull().default("#94a3b8"),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [index("idx_label_project").on(t.projectId)],
);

/** task <-> label join. The composite unique keeps a label on a task once. */
export const taskLabels = pgTable(
  "task_labels",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    taskId: uuid("task_id")
      .notNull()
      .references(() => tasks.id, { onDelete: "cascade" }),
    labelId: uuid("label_id")
      .notNull()
      .references(() => labels.id, { onDelete: "cascade" }),
  },
  (t) => [
    unique("task_labels_task_label_unique").on(t.taskId, t.labelId),
    index("idx_task_label_label").on(t.labelId),
  ],
);

/** Comment thread per task. author is a Better Auth user referenced by id. */
export const taskComments = pgTable(
  "task_comments",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    taskId: uuid("task_id")
      .notNull()
      .references(() => tasks.id, { onDelete: "cascade" }),
    authorId: text("author_id")
      .notNull()
      .references(() => user.id, { onDelete: "cascade" }),
    body: text("body").notNull(),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    // Drives the per-task comment feed (most-recent-first).
    index("idx_comment_task_time").on(t.taskId, t.createdAt),
  ],
);

export const projectsRelations = relations(projects, ({ one, many }) => ({
  owner: one(user, { fields: [projects.ownerId], references: [user.id] }),
  tasks: many(tasks),
  labels: many(labels),
}));

export const tasksRelations = relations(tasks, ({ one, many }) => ({
  project: one(projects, {
    fields: [tasks.projectId],
    references: [projects.id],
  }),
  assignees: many(taskAssignees),
  labels: many(taskLabels),
  comments: many(taskComments),
}));

export const taskAssigneesRelations = relations(taskAssignees, ({ one }) => ({
  task: one(tasks, {
    fields: [taskAssignees.taskId],
    references: [tasks.id],
  }),
  assignee: one(user, {
    fields: [taskAssignees.assigneeId],
    references: [user.id],
  }),
}));

export const labelsRelations = relations(labels, ({ one, many }) => ({
  project: one(projects, {
    fields: [labels.projectId],
    references: [projects.id],
  }),
  tasks: many(taskLabels),
}));

export const taskLabelsRelations = relations(taskLabels, ({ one }) => ({
  task: one(tasks, {
    fields: [taskLabels.taskId],
    references: [tasks.id],
  }),
  label: one(labels, {
    fields: [taskLabels.labelId],
    references: [labels.id],
  }),
}));

export const taskCommentsRelations = relations(taskComments, ({ one }) => ({
  task: one(tasks, {
    fields: [taskComments.taskId],
    references: [tasks.id],
  }),
  author: one(user, {
    fields: [taskComments.authorId],
    references: [user.id],
  }),
}));

Connection & security

## Next.js 16 ↔ Postgres pooling (Neon pooled endpoint, PgBouncer transaction mode)

Connect through Neon's **pooled** endpoint (`-pooler` host) via `DATABASE_URL`. Serverless
functions are short-lived and concurrent, so PgBouncer in **transaction mode** is what keeps
Postgres' connection ceiling from being blown.

### `prepare: false` is mandatory
Transaction-mode PgBouncer hands each transaction a different backend, so server-side prepared
statements (postgres-js' default) silently break across the pool. Disable them on the client:
`postgres(url, { prepare: false })`. This is also why **Drizzle, not Prisma**, is paired here —
Prisma's prepared-statement reliance is a blocked intersection on this endpoint.

### Connection reuse
- Construct the postgres-js client at **module scope** (`src/lib/db.ts`) so warm function
  instances reuse one socket instead of opening one per request.
- Cap the driver pool small — `max: 1` per instance. The shared pool lives in PgBouncer, not in
  your function; a large per-instance `max` just multiplies idle connections across instances.
- Keep `idle_timeout` ~20s and `connect_timeout` ~10s so frozen instances release backends fast.

### No session-level features
Transaction mode forbids anything that spans transactions on one backend: `LISTEN/NOTIFY`,
session-scoped `SET`, advisory-lock sessions, server-side cursors, and `WITH HOLD`. Need any of
those? Use Neon's **direct** (non-pooled) endpoint for that path only.

### Thresholds
- Drizzle/postgres-js: `prepare: false`, `max: 1`, `idle_timeout: 20`, `connect_timeout: 10`.
- Neon Free pooled budget is ~10k client connections; keep concurrency well under the project's
  `max_connections` (often 100–900 by plan) by leaning on PgBouncer, never on driver pooling.

Decisions & compatibility

Auth runs in proxy.ts (Next 16's renamed middleware) on the Edge runtime: it gates on the session cookie's presence only — full session validation happens in Server Components and route handlers, not in the proxy.
prepare: false is mandatory — Neon's pooled endpoint is PgBouncer in transaction mode, where server-side prepared statements break across the pool.
Drizzle is paired here (not Prisma): Prisma's prepared-statement reliance is incompatible with transaction-mode pooling.
Self-hosted: Better Auth creates and owns the user/session/account tables in your database, so app-type schemas can foreign-key to `user` directly.
task_assignees carries a composite unique on (task_id, assignee_id) — a user can be assigned to a task at most once; the per-user index on assignee_id backs the 'tasks assigned to me' feed.
Status and priority are stored as text + CHECK (not pgEnum) so new values like 'blocked' or 'critical' ship without an ALTER TYPE migration dance.