Authentication System

Comprehensive authentication system using NextAuth.js with multiple providers and custom registration flows.

Authentication Flow

Registration Process

User Registration → Database Creation → Auto-Login → Dashboard Redirect
  1. User fills registration form (name, email, password, confirm password)
  2. Client-side validation (password match, length requirements)
  3. API call to /api/auth/register with user data
  4. Server validation and password hashing (bcrypt with 12 rounds)
  5. User creation in database via Prisma
  6. Automatic sign-in using credentials provider
  7. Redirect to dashboard or specified callback URL
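The server side of steps 2 to 5 above, as an added example that is not the project's own code. Validation is kept pure so it runs offline; the hashing and database steps are injected dependencies with assumed names (hashPassword, findUserByEmail, createUser). The project itself hashes with bcrypt and 12 salt rounds, i.e. bcrypt.hash(password, 12); the in-memory store and the stand-in hasher below are constructed for the example only.

```javascript
// Added example (not the project's code): validation and handler for
// POST /api/auth/register. Dependencies are injected so the logic can be
// exercised without bcrypt or Prisma; in the project hashPassword is
// bcrypt.hash(password, 12) and the store functions are Prisma calls.

const MIN_PASSWORD_LENGTH = 6;                    // documented minimum
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;   // coarse shape check only

// Trim and validate the raw request body. The password is deliberately NOT
// trimmed: it must be hashed exactly as the user typed it.
function validateRegistration(body = {}) {
  const name = String(body.name ?? '').trim();
  const email = String(body.email ?? '').trim().toLowerCase();
  const password = String(body.password ?? '');
  const confirmPassword = String(body.confirmPassword ?? '');
  const errors = [];

  if (!name) errors.push('name is required');
  if (!EMAIL_RE.test(email)) errors.push('email is invalid');
  if (password.length < MIN_PASSWORD_LENGTH) {
    errors.push(`password must be at least ${MIN_PASSWORD_LENGTH} characters`);
  }
  if (password !== confirmPassword) errors.push('passwords do not match');

  return { ok: errors.length === 0, errors, data: { name, email, password } };
}

// Returns a {status, body} pair instead of writing to a response object so
// the handler can be called directly.
async function registerUser(body, { hashPassword, findUserByEmail, createUser }) {
  const result = validateRegistration(body);
  if (!result.ok) return { status: 400, body: { error: result.errors } };

  const { name, email, password } = result.data;
  if (await findUserByEmail(email)) {
    // Generic wording so the endpoint does not confirm which addresses are
    // registered. In the project the @unique index on email is the real
    // guard against the lookup/create race: catch that error and return
    // this same message.
    return { status: 400, body: { error: ['registration failed'] } };
  }

  const passwordHash = await hashPassword(password); // bcrypt, 12 rounds, in the project
  const user = await createUser({ name, email, password: passwordHash });
  // Never echo the hash back to the client.
  return { status: 201, body: { id: user.id, email: user.email } };
}

// Constructed in-memory stand-ins so the handler runs without a database.
function makeMemoryStore() {
  const users = new Map();
  let nextId = 1;
  return {
    findUserByEmail: async (email) => users.get(email) ?? null,
    createUser: async (data) => {
      const user = { id: String(nextId++), ...data };
      users.set(data.email, user);
      return user;
    },
    // Stand-in hasher for the offline run only; the real handler calls bcrypt.
    hashPassword: async (pw) => `stand-in-hash:${pw.length}`,
  };
}
```

The handler returns the same generic failure for an already-registered address as for any other rejected request, which is the "generic error messages" rule from the Data Protection section applied to registration.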

Sign-In Process

Sign-In Form → Credentials/OAuth Validation → Session Creation → Redirect

Authentication Methods:

  • Credentials: Email/password with bcrypt comparison
  • Google OAuth: OAuth 2.0 with consent prompt
  • GitHub OAuth: OAuth 2.0 with user profile access

NextAuth Configuration

Core Configuration

  • Session Strategy: JWT (30-day expiry)
  • Adapter: PrismaAdapter for database persistence
  • Pages: Custom sign-in, registration, and error pages

Providers

  • CredentialsProvider (email/password)
  • GoogleProvider (with offline access)
  • GitHubProvider (with profile access)

Security Implementation

Password Security

  • Hashing: bcrypt with 12 salt rounds
  • Validation: Minimum 6 characters
  • Storage: Hashed only, never plain text
  • Transmission: HTTPS required in production

Session Management

  • Strategy: JWT-based sessions
  • Duration: 30 days maximum
  • Storage: HTTP-only cookies
  • Renewal: Automatic on activity

OAuth Security

  • State Validation: CSRF protection
  • PKCE: For OAuth 2.0 providers
  • Account Linking: Prevents duplicate accounts
  • Scope Limitation: Minimal required permissions

Data Protection

  • Input Sanitization: All user inputs trimmed and validated
  • Error Messages: Generic messages to prevent information leakage
  • Rate Limiting: Implemented at API level
  • SQL Injection Prevention: Prisma ORM with parameterized queries

Database Schema

User Model

model User {
  id            String    @id @default(cuid())
  name          String?
  email         String    @unique
  emailVerified DateTime?
  image         String?
  password      String?   // Hashed for credential users
  accounts      Account[]
  sessions      Session[]
  favorites     UserFavorite[]
  visits        OpeningVisit[]
  practiceSessions PracticeSession[]
  
  // User Preferences
  preferredDepth    Int     @default(13)
  showBestMoveArrow Boolean @default(true)
  showPonderArrow   Boolean @default(true)
  defaultBoardOrientation String @default("white")
  
  createdAt     DateTime @default(now())
  updatedAt     DateTime @updatedAt
}