Email & password authentication
Users sign up and sign in with email and password. Passwords are hashed with bcryptjs at registration and verified on login (@/lib/password); they are never stored in plain text.
Password rules
| Step | Rules (@/lib/zod-schemas) |
|---|---|
| Register (registerSchema) | Min 8 characters; uppercase, lowercase, number, special character; must match confirm password. |
| Login (loginSchema) | Valid email; password min 6 characters. |
Registration
- UI: src/app/(auth)/register/page.tsx, src/app/(auth)/register/register-form.tsx
- Server: authRegisterAction in src/actions/register-actions.ts: validates, hashes password, creates user in Prisma.
If a user already exists with Google only (no password), submitting registration with the same email can set a password and keep Google linked.
Sign-in flow
- User submits the form on /login.
- signIn("credentials", { redirect: false, email, password }) from next-auth/react (src/app/(auth)/login/login-form.tsx).
- Handlers: src/app/api/auth/[...nextauth]/route.ts → @/lib/auth.
- authorize in src/lib/auth/auth.ts: loginSchema → load user by email → verifyPassword → JWT session (session: { strategy: "jwt" }).
If the account has no password but Google is linked, authorize rejects with guidance to use Google or complete password setup via registration.
Prerequisites
- Database: Prisma migrated; adapter uses @auth/prisma-adapter with @/lib/prisma.
- Env: AUTH_SECRET (via appConfig.auth.secret in src/config.ts); AUTH_URL / NEXT_PUBLIC_APP_URL / VERCEL_URL as in appConfig.domainUrl resolution.
Google OAuth env vars are not required for credential-only sign-in.
File map (credentials)
| Role | Path |
|---|---|
| Login page | src/app/(auth)/login/page.tsx |
| Login form | src/app/(auth)/login/login-form.tsx |
| Register page | src/app/(auth)/register/page.tsx |
| Register form + action | src/app/(auth)/register/register-form.tsx, src/actions/register-actions.ts |
| Credentials provider | src/lib/auth/auth.ts |
| API route | src/app/api/auth/[...nextauth]/route.ts |
| Schemas | src/lib/zod-schemas.ts |
| Hashing | src/lib/password.ts |
| Config | src/config.ts |
WARNING
Failed credential login currently uses a generic toast in the login form; server authorize messages may not be shown unless you expose them in the UI.
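
The authorize decision order from the sign-in flow, and what the generic toast in the warning does and does not reveal, as an added TypeScript example that is not the project's own code. The user list, authorizeCredentials, toastFor, the reason codes and the dummy-hash step are hypothetical; the email regex stands in for loginSchema, and scrypt from node:crypto stands in for bcryptjs so the block runs without dependencies.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Stand-in for @/lib/password: the project uses bcryptjs; scrypt keeps this dependency-free.
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  return salt.toString("hex") + ":" + scryptSync(password, salt, 32).toString("hex");
}
function verifyPassword(password: string, stored: string): boolean {
  const [saltHex = "", hashHex = ""] = stored.split(":");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), 32);
  const expected = Buffer.from(hashHex, "hex");
  return expected.length === actual.length && timingSafeEqual(actual, expected);
}

type User = { email: string; passwordHash: string | null; googleLinked: boolean };
type AuthResult =
  | { ok: true; email: string }
  | { ok: false; reason: "invalid_input" | "bad_credentials" | "google_only" };

// Constructed sample rows standing in for the Prisma user table.
const users: User[] = [
  { email: "alice@example.com", passwordHash: hashPassword("Correct#Horse1"), googleLinked: false },
  { email: "bob@example.com", passwordHash: null, googleLinked: true },
];
// Assumption, not from the page: a throwaway hash to verify against when the user has none.
const DUMMY_HASH = hashPassword(randomBytes(16).toString("hex"));

// Documented order: loginSchema rules -> load user by email -> verifyPassword.
function authorizeCredentials(email: string, password: string): AuthResult {
  const emailOk = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email); // simplified stand-in for the schema
  if (!emailOk || password.length < 6) return { ok: false, reason: "invalid_input" };
  const user = users.find((u) => u.email === email);
  const matches = verifyPassword(password, user?.passwordHash ?? DUMMY_HASH);
  if (user && user.passwordHash === null && user.googleLinked) {
    return { ok: false, reason: "google_only" };
  }
  if (!user || !matches) return { ok: false, reason: "bad_credentials" };
  return { ok: true, email: user.email };
}

// Login-form text. Exposing google_only confirms the address is registered; the generic toast does not.
function toastFor(result: AuthResult, exposeServerReason: boolean): string {
  if (result.ok) return "Signed in";
  if (exposeServerReason && result.reason === "google_only") {
    return "Use Google sign-in, or set a password via registration";
  }
  return "Invalid email or password";
}
```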