[ [0x20] Tutorials ] User Authentication

User Authentication

> Let users create accounts, log in, and securely access your application.

Overview

[ [0x20] STATUS ]

Complete authentication system with email/password, Google OAuth, email verification, password reset, two-factor auth, and protected routes. Session-based auth with 30-day expiry.

Features

[ [0x01] EMAIL/PASSWO ]

STATUS: READY

DESC: Traditional signup with bcrypt hashing.

[ [0x02] GOOGLE_OAUTH ]

STATUS: READY

DESC: One-click signup with Google accounts.

[ [0x03] EMAIL_VERIFY ]

STATUS: READY

DESC: Confirm email ownership before access.

[ [0x04] 2FA_SUPPORT ]

STATUS: READY

DESC: Optional authenticator app security.

Setup

[ [0x01] CONFIGURE ENVIRONMENT ]

DESC: Set these environment variables in .env.local

1$# .env.local
2
3$# Where your app runs
4$NEXTAUTH_URL="http://localhost:3000"
5
6$# A random secret for encrypting sessions (generate one below)
7$NEXTAUTH_SECRET="your-32-character-secret"

[ [0x02] GENERATE SECRET ]

DESC: Run this command to generate a secure secret

1$openssl rand -base64 32

Usage

[ [0xB5] API ROUTE AUTHENTICATION ]

Check if user is logged in and get their info

1// src/app/api/your-route/route.ts
2
3import { auth } from "@/lib/auth";
4import { NextResponse } from "next/server";
5
6export async function GET() {
7  // Get the current user's session
8  const session = await auth();
9
10  // Check if they're logged in
11  if (!session?.user) {
12    return NextResponse.json(
13      { error: "You must be logged in" },
14      { status: 401 }
15    );
16  }
17
18  // User is logged in - you can access their info
19  const userId = session.user.id;
20  const userEmail = session.user.email;
21
22  return NextResponse.json({
23    message: "Hello!",
24    userId
25  });
26}

[ [0x00] CLIENT COMPONENT AUTH ]

Show different content based on login status

1"use client";
2
3import { useSession, signIn, signOut } from "next-auth/react";
4
5export function UserStatus() {
6  // Get session data and loading state
7  const { data: session, status } = useSession();
8
9  // Show loading while checking auth
10  if (status === "loading") {
11    return <p>Loading...</p>;
12  }
13
14  // User is logged in
15  if (session) {
16    return (
17      <div>
18        <p>Welcome, {session.user?.email}!</p>
19        <button onClick={() => signOut()}>
20          Log out
21        </button>
22      </div>
23    );
24  }
25
26  // User is not logged in
27  return (
28    <button onClick={() => signIn()}>
29      Log in
30    </button>
31  );
32}

[ [0x88] SERVER COMPONENT AUTH ]

Check auth status in Next.js Server Components

1// No "use client" - this runs on the server
2
3import { auth } from "@/lib/auth";
4
5export default async function PrivatePage() {
6  const session = await auth();
7
8  if (!session) {
9    return <p>Please log in to view this page.</p>;
10  }
11
12  return (
13    <div>
14      <h1>Welcome, {session.user?.name}!</h1>
15      <p>This is your private dashboard.</p>
16    </div>
17  );
18}

What is Authentication?

[ [0x88] AUTHENTICATION ]

Authentication is how your app knows who someone is. When a user creates an account and logs in, your app gives them a "pass" (called a session) that proves their identity. This pass gets checked every time they access protected areas of your app.

Think of it like a hotel key card - you check in once (log in), get your key card (session), and use it to access your room (protected pages) without re-checking in every time.

How It Works

[ [0xCA] SIGNUP FLOW ]

├─ User enters email and password on the signup form

├─ Password is encrypted (never stored as plain text)

├─ Account is created in your database

├─ Verification email is sent (if enabled)

└─ User clicks the verification link to confirm their email

[ [0x5B] LOGIN FLOW ]

├─ User enters email and password

├─ System checks if the password matches

├─ If correct, a session token is created

├─ Token is stored in a secure cookie in their browser

└─ User is redirected to the dashboard

Add Google Login

[ [0x30] GOOGLE OAUTH ]

Let users sign in with their Google account. This is convenient for users and often increases signup rates.

Step 1: Go to Google Cloud Console and create a new project

Step 2: Go to "APIs & Services" → "OAuth consent screen" and configure

Step 3: Go to "Credentials" → "Create Credentials" → "OAuth client ID"

Step 4: Add redirect URI: http://localhost:3000/api/auth/callback/google

[ [0xD6] CONFIGURATION ]

GOOGLE_CLIENT_ID="your-client-id.apps.googleusercontent.com"
GOOGLE_CLIENT_SECRET="your-client-secret"

Protected Routes

[ [0x1C] PROTECTED ROUTES ]

Fabrk automatically protects these routes:

├─ /dashboard/* - Main user dashboard

├─ /settings/* - User settings pages

├─ /billing/* - Payment and subscription pages

└─ /admin/* - Admin-only pages

Common Questions

[ [0xF6] FAQ ]

├─ Session duration? 30 days by default. Change in src/lib/auth.ts

├─ Force logout? Increment user's sessionVersion in database

├─ Password security? bcrypt with 12 rounds - industry standard

└─ More providers? NextAuth supports 50+ at authjs.dev

Troubleshooting

[ [0xC0] COMMON ERRORS ]

[ERROR]: NEXTAUTH_SECRET missing

Solution: Generate a secure secret key

# Run in terminal
openssl rand -base64 32

# Add to .env.local
NEXTAUTH_SECRET="output-from-command-above"

[ERROR]: Callback URL mismatch

Solution: Verify NEXTAUTH_URL matches your deployed URL

# Development
NEXTAUTH_URL="http://localhost:3000"

# Production (in Vercel environment variables)
NEXTAUTH_URL="https://yourdomain.com"

[ERROR]: Session not persisting

Solution: Check DATABASE_URL is correct and database is accessible

# Test database connection
npm run db:studio

# Reset database if needed
npm run db:reset

[ERROR]: Google OAuth fails with redirect_uri_mismatch

Solution: Add correct redirect URI in Google Cloud Console

# Development
http://localhost:3000/api/auth/callback/google

# Production
https://yourdomain.com/api/auth/callback/google

# Add both in: Google Cloud Console > Credentials > OAuth 2.0 Client

Next Steps

[ [0x00] TWO-FACTOR AUTH ]

DESC: Add extra security with authenticator apps

[ [0x00] SET UP PAYMENTS ]

DESC: Accept payments from authenticated users

Features

[ [0x01] EMAIL/PASSWO ]

STATUS: READY

DESC: Traditional signup with bcrypt hashing.

[ [0x02] GOOGLE_OAUTH ]

STATUS: READY

DESC: One-click signup with Google accounts.

[ [0x03] EMAIL_VERIFY ]

STATUS: READY

DESC: Confirm email ownership before access.

[ [0x04] 2FA_SUPPORT ]

STATUS: READY

DESC: Optional authenticator app security.

Setup

[ [0x01] CONFIGURE ENVIRONMENT ]

DESC: Set these environment variables in .env.local

1$# .env.local
2
3$# Where your app runs
4$NEXTAUTH_URL="http://localhost:3000"
5
6$# A random secret for encrypting sessions (generate one below)
7$NEXTAUTH_SECRET="your-32-character-secret"

[ [0x02] GENERATE SECRET ]

DESC: Run this command to generate a secure secret

1$openssl rand -base64 32

Usage

[ [0xB5] API ROUTE AUTHENTICATION ]

Check if user is logged in and get their info

1// src/app/api/your-route/route.ts
2
3import { auth } from "@/lib/auth";
4import { NextResponse } from "next/server";
5
6export async function GET() {
7  // Get the current user's session
8  const session = await auth();
9
10  // Check if they're logged in
11  if (!session?.user) {
12    return NextResponse.json(
13      { error: "You must be logged in" },
14      { status: 401 }
15    );
16  }
17
18  // User is logged in - you can access their info
19  const userId = session.user.id;
20  const userEmail = session.user.email;
21
22  return NextResponse.json({
23    message: "Hello!",
24    userId
25  });
26}

[ [0x00] CLIENT COMPONENT AUTH ]

Show different content based on login status

1"use client";
2
3import { useSession, signIn, signOut } from "next-auth/react";
4
5export function UserStatus() {
6  // Get session data and loading state
7  const { data: session, status } = useSession();
8
9  // Show loading while checking auth
10  if (status === "loading") {
11    return <p>Loading...</p>;
12  }
13
14  // User is logged in
15  if (session) {
16    return (
17      <div>
18        <p>Welcome, {session.user?.email}!</p>
19        <button onClick={() => signOut()}>
20          Log out
21        </button>
22      </div>
23    );
24  }
25
26  // User is not logged in
27  return (
28    <button onClick={() => signIn()}>
29      Log in
30    </button>
31  );
32}

[ [0x88] SERVER COMPONENT AUTH ]

Check auth status in Next.js Server Components

1// No "use client" - this runs on the server
2
3import { auth } from "@/lib/auth";
4
5export default async function PrivatePage() {
6  const session = await auth();
7
8  if (!session) {
9    return <p>Please log in to view this page.</p>;
10  }
11
12  return (
13    <div>
14      <h1>Welcome, {session.user?.name}!</h1>
15      <p>This is your private dashboard.</p>
16    </div>
17  );
18}

What is Authentication?

[ [0x88] AUTHENTICATION ]

Think of it like a hotel key card - you check in once (log in), get your key card (session), and use it to access your room (protected pages) without re-checking in every time.

How It Works

[ [0xCA] SIGNUP FLOW ]

├─ User enters email and password on the signup form

├─ Password is encrypted (never stored as plain text)

├─ Account is created in your database

├─ Verification email is sent (if enabled)

└─ User clicks the verification link to confirm their email

[ [0x5B] LOGIN FLOW ]

├─ User enters email and password

├─ System checks if the password matches

├─ If correct, a session token is created

├─ Token is stored in a secure cookie in their browser

└─ User is redirected to the dashboard

Add Google Login

[ [0x30] GOOGLE OAUTH ]

Let users sign in with their Google account. This is convenient for users and often increases signup rates.

Step 1: Go to Google Cloud Console and create a new project

Step 2: Go to "APIs & Services" → "OAuth consent screen" and configure

Step 3: Go to "Credentials" → "Create Credentials" → "OAuth client ID"

Step 4: Add redirect URI: http://localhost:3000/api/auth/callback/google

[ [0xD6] CONFIGURATION ]

GOOGLE_CLIENT_ID="your-client-id.apps.googleusercontent.com"
GOOGLE_CLIENT_SECRET="your-client-secret"

Troubleshooting

[ [0xC0] COMMON ERRORS ]

[ERROR]: NEXTAUTH_SECRET missing

Solution: Generate a secure secret key

# Run in terminal
openssl rand -base64 32

# Add to .env.local
NEXTAUTH_SECRET="output-from-command-above"

[ERROR]: Callback URL mismatch

Solution: Verify NEXTAUTH_URL matches your deployed URL

# Development
NEXTAUTH_URL="http://localhost:3000"

# Production (in Vercel environment variables)
NEXTAUTH_URL="https://yourdomain.com"

[ERROR]: Session not persisting

Solution: Check DATABASE_URL is correct and database is accessible

# Test database connection
npm run db:studio

# Reset database if needed
npm run db:reset

[ERROR]: Google OAuth fails with redirect_uri_mismatch

Solution: Add correct redirect URI in Google Cloud Console

# Development
http://localhost:3000/api/auth/callback/google

# Production
https://yourdomain.com/api/auth/callback/google

# Add both in: Google Cloud Console > Credentials > OAuth 2.0 Client