Lineup Legends

Developed by

Cassius Reynolds

© 2026 Lineup Legends. All rights reserved.

Authentication & Sessions

NextAuth.js with Google OAuth, credentials login, JWT sessions, and admin role management.


Documentation

Overview

Authentication is handled by NextAuth.js v5 (Auth.js) with two providers: Google OAuth and Credentials (email/username + password). Sessions use the JWT strategy for stateless auth.

Auth Providers

Google OAuth

  1. User clicks "Sign in with Google"
  2. OAuth flow with Google (consent screen, redirect)
  3. On first login: User document created in MongoDB via the MongoDB adapter
  4. JWT token issued with user ID, admin flag, and profile data

Credentials

  1. User enters email/username and password
  2. authorize() callback finds user by email or username
  3. Password verified with bcrypt
  4. If MFA is enabled, mfaPending: true is set on the JWT — user must verify before accessing protected routes

JWT Callback Pipeline

The jwt callback runs on every token refresh and handles:

  • Initial sign-in: captures user data + MFA flags from the authorize result
  • Session updates (trigger === "update"): refreshes DB data and checks for MFA verification via Redis

Admin System

  • admin boolean on the User model (default false)
  • JWT callback reads admin from DB and injects it into the token
  • adminProcedure tRPC middleware checks the flag on every admin request

Route Protection

  • Edge middleware — enforces MFA challenge redirect for users with mfaPending
  • Server components — auth() + redirect in layout files
  • tRPC — procedure-level middleware (protectedProcedure, adminProcedure)
  • Client — useSession() for conditional UI rendering
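
The jwt callback pipeline and the route checks described above, modelled as an added example (not the project's own code). The in-memory usersDb and mfaVerified stand-ins for MongoDB and Redis, the mfaEnabled field on the authorize() result, and the "/sign-in" and "/mfa" paths are assumptions. It shows that an update trigger re-reads the admin flag from the DB and clears mfaPending only from the server-side marker, never from data the client sends with the update.

```javascript
// Constructed stand-ins (assumptions): the real app reads MongoDB and Redis.
const usersDb = new Map([
  ["u1", { admin: false }],
  ["u2", { admin: true }],
]);
const mfaVerified = new Set(); // stand-in for Redis: ids that passed the MFA challenge

// Takes the same argument object as the NextAuth jwt callback.
function jwtCallback({ token, user, trigger, session }) {
  if (user) {
    // Initial sign-in: copy id, admin flag and MFA state from the authorize() result.
    return {
      ...token,
      sub: user.id,
      admin: user.admin === true,
      mfaPending: user.mfaEnabled === true, // mfaEnabled is a hypothetical field name
    };
  }
  if (trigger === "update") {
    // `session` is whatever the client passed to update(); it is never trusted here.
    void session;
    const record = usersDb.get(token.sub);
    const next = { ...token, admin: Boolean(record && record.admin === true) };
    // mfaPending is cleared only by the server-side verification marker.
    if (token.mfaPending && mfaVerified.has(token.sub)) next.mfaPending = false;
    return next;
  }
  return token;
}

// Edge-middleware decision: returns a redirect target, or null to let the request through.
// "/sign-in" and "/mfa" are hypothetical paths.
function routeDecision(token, pathname) {
  if (!token) return "/sign-in";
  if (token.mfaPending && pathname !== "/mfa") return "/mfa";
  return null;
}

// adminProcedure-style check. Rejecting mfaPending here as well is an added
// defence-in-depth assumption, so the flag is not enforced at the edge only.
function isAdminAllowed(token) {
  return Boolean(token) && token.mfaPending !== true && token.admin === true;
}
```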
