Authentication Core

Overview

Nomey’s authentication system provides secure user authentication through NextAuth.js with multiple OAuth providers and credential-based authentication. The system handles session management across protected and public routes with JWT strategy.

Key Components

  • NextAuth.js Integration: JWT strategy with Google/Apple OAuth and credentials provider
  • Session Management: Context providers for protected and public routes
  • Password Security: zxcvbn-based strength validation with bcrypt hashing
  • Route Protection: Automatic authentication checks for protected areas

Architecture Summary

  1. Provider Configuration
    • Google OAuth for social authentication
    • Apple OAuth for iOS ecosystem integration
    • Credentials provider for email/password authentication
    • Prisma adapter for database integration
  2. Session Strategy
    • JWT tokens with secure signing
    • Automatic session refresh
    • Route-based session contexts (protected vs public)
  3. Password Security
    • zxcvbn strength validation (minimum score 3/4)
    • bcrypt hashing with salt rounds
    • Secure reset tokens with 30-minute expiration

Provider Configuration

Supported Providers

  • Google OAuth: Full profile integration with Google accounts
  • Apple OAuth: Native iOS authentication experience
  • Credentials: Email/password with custom validation logic

Environment Requirements

AUTH_GOOGLE_CLIENT_ID=your_google_client_id
AUTH_GOOGLE_CLIENT_SECRET=your_google_client_secret
AUTH_APPLE_CLIENT_ID=your_apple_client_id
AUTH_APPLE_CLIENT_SECRET=your_apple_client_secret
NEXTAUTH_SECRET=your_nextauth_secret
NEXTAUTH_URL=http://localhost:3000

Session Management

Protected Routes

Routes in src/app/(protected)/ automatically enforce authentication:
  • Redirects unauthenticated users to landing page
  • Provides guaranteed user session context
  • Handles automatic session refresh

Public Routes

Routes in src/app/(public)/ allow optional authentication:
  • Redirects authenticated users to home page
  • Provides optional session context
  • Includes authentication modal flow provider

Password Security

Strength Requirements

  • Minimum zxcvbn score of 3 out of 4
  • Protection against common patterns and dictionary words
  • Specific feedback for password improvement

Reset Flow

  1. Request Reset: User enters email, system validates account exists
  2. Token Generation: Secure UUID token with 30-minute expiration
  3. Email Delivery: Template-based email with reset link
  4. Password Update: User sets new password, token marked as used

Security Features

  • Single-use reset tokens
  • Protection for OAuth-only accounts
  • Secure token storage and validation
  • Automatic cleanup of expired tokens
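The reset flow above and the token properties listed under Security Features (single use, 30-minute expiration, OAuth-only protection, expired-token cleanup), shown as an added TypeScript example that is not Nomey's own code. It assumes an in-memory store, that only a SHA-256 digest of the UUID token is kept at rest, and an injectable clock; the names `User` and `ResetTokenStore` are hypothetical.

```typescript
import { randomUUID, createHash } from "node:crypto";

const RESET_TOKEN_TTL_MS = 30 * 60 * 1000; // 30-minute expiration, as documented

// passwordHash === null marks an OAuth-only account (no credentials login).
interface User { email: string; passwordHash: string | null }
interface ResetRecord { userEmail: string; tokenHash: string; expiresAt: number; usedAt: number | null }

// Assumption: only the digest is stored, so a leaked table does not yield usable links.
const hashToken = (token: string): string => createHash("sha256").update(token).digest("hex");

class ResetTokenStore {
  private records: ResetRecord[] = [];
  // `now` is injectable so expiry can be exercised deterministically.
  constructor(private users: Map<string, User>, private now: () => number = Date.now) {}

  // Steps 1 and 2: validate the account and issue a token. Returns null for unknown or
  // OAuth-only accounts so no reset link is ever generated for them.
  requestReset(email: string): string | null {
    const user = this.users.get(email);
    if (!user || user.passwordHash === null) return null;
    const token = randomUUID();
    this.records.push({
      userEmail: email,
      tokenHash: hashToken(token),
      expiresAt: this.now() + RESET_TOKEN_TTL_MS,
      usedAt: null,
    });
    return token;
  }

  // Step 4: consume a token exactly once. Expired or already-used tokens are rejected.
  // Comparing digests (not raw tokens) keeps a plain equality check acceptable here.
  consume(token: string): User | null {
    const presented = hashToken(token);
    const rec = this.records.find((r) => r.tokenHash === presented);
    if (!rec || rec.usedAt !== null || rec.expiresAt <= this.now()) return null;
    rec.usedAt = this.now();
    return this.users.get(rec.userEmail) ?? null;
  }

  // Automatic cleanup: drop expired records and report how many were removed.
  purgeExpired(): number {
    const before = this.records.length;
    this.records = this.records.filter((r) => r.expiresAt > this.now());
    return before - this.records.length;
  }
}
```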

Trade-Offs

Area                | Decision           | Benefit                  | Cost or Risk
Session Strategy    | JWT tokens         | Stateless, scalable      | Cannot revoke individual sessions
Password Validation | Client + server    | Early feedback, security | Duplicate validation logic
OAuth Integration   | Multiple providers | User choice, convenience | Additional configuration complexity
Route Protection    | Layout-based       | Automatic enforcement    | Less granular control

Why It Works for Nomey

  • Creator-focused platform → OAuth providers align with creator workflows
  • Subscription model → Strong authentication prevents revenue leakage
  • Simple user flows → JWT strategy reduces infrastructure complexity
  • Security-first approach → Password strength requirements protect user accounts

The authentication core provides a secure, scalable foundation that balances user experience with security requirements while maintaining simplicity for developers.