Authentication Flows#

Frontend sends POST /auth/register with fullname, email, and password.

The Zod schema validates the input. If the email already exists, an error with code EMAIL_ALREADY_EXISTS is returned. Otherwise, the password is hashed with argon2 and a new User record is created.

A random 72-hex-character token is generated. Its SHA-256 hash is stored in the EmailVerification table. The plaintext token is passed to BullMQ, which sends the email asynchronously (non-blocking).

The link points to {FRONTEND_URL}/verify-email?token={token}. The frontend extracts the token and sends POST /auth/verify-email.

The server hashes the received token, looks it up in the database, checks it hasn't expired or been used, then flips emailVerified to true.

Frontend sends POST /auth/login with email and password.

Looks up user by email. Checks emailVerified (returns EMAIL_NOT_VERIFIED if false). Verifies password against stored argon2 hash using constant-time comparison.

A random 80-hex-char refresh token is generated. Its SHA-256 hash is stored in the Session table. A 15-minute JWT access token is signed with ACCESS_TOKEN_SECRET containing { userId, sessionId }.

The access token is in the JSON response body. The refresh token is set as an httpOnly, secure, SameSite=strict cookie (never exposed to JavaScript).

Same as above.

After password verification succeeds, the server checks user.mfaEnabled. Instead of creating a session, it generates a 5-minute MFA temp token signed with MFA_TEMP_TOKEN_SECRET.

Response: { mfaRequired: true, tempToken: "..." }. The frontend stores the tempToken in Zustand state and redirects to the /mfa challenge page.

Frontend sends POST /auth/mfa/challenge with tempToken and the 6-digit code (or 8-char backup code).

The temp token is decoded to extract userId. The TOTP code is verified against the decrypted secret. If using a backup code, the matching hash is compared with argon2 and deleted. On success, a full session is created and tokens are returned.

Frontend opens GET /auth/oauth/:provider (e.g., /auth/oauth/google). The server generates a random CSRF state, stores it in an httpOnly cookie, and redirects the user to the provider's consent screen.

The OAuth provider redirects back to GET /auth/oauth/callback/:provider?code=...&state=....

The CSRF state from the cookie is compared with the query parameter. The authorization code is exchanged for an access token with the provider, then the user's profile (email, name, provider ID) is fetched.

In a Prisma transaction: if an OAuthAccount exists, the linked user is returned. If a user with that email exists, the OAuth account is linked. Otherwise, a new User + OAuthAccount are created.

The server does NOT put tokens in the redirect URL (they would leak via browser history and Referer headers). Instead, tokens are stored in Redis behind a random one-time code. The user is redirected to {FRONTEND_URL}/auth/callback?code={oneTimeCode}.

The callback page sends POST /auth/oauth/exchange with the one-time code. The server looks it up in Redis, deletes it (one-time use), and returns the access token + sets the refresh cookie.

The Axios interceptor in the frontend detects a 401 response (access token expired or invalid).

The interceptor sends POST /auth/refresh-token with withCredentials: true (sends the httpOnly refresh cookie automatically).

The server hashes the received refresh token, looks up the session, verifies it's not revoked or expired. Then it generates a new refresh token, updates the session with the new hash, and returns a new access token.

If the old refresh token is reused after rotation (meaning someone stole it), the hash won't match. The server immediately revokes all sessions for that user and returns SESSION_REVOKED.

Frontend sends POST /auth/forgot-password with email. The response always says "If an account exists, a reset link has been sent." to prevent email enumeration.

A 72-hex-character token is generated. Its SHA-256 hash is stored in PasswordReset. The plaintext token is sent via BullMQ email worker. Link format: {FRONTEND_URL}/reset-password?token={token}.

Frontend sends POST /auth/reset-password with token and newPassword.

Validates the token (not expired, not used), hashes the new password with argon2, updates the user, marks the token as used, and revokes all existing sessions for security.