Backend Authentication
Backend Authentication
This repo uses django-allauth for account management plus allauth.headless for API-first login/signup flows.
Endpoints
Mounted in backend/config/urls.py:
/_allauth/->allauth.headless.urls(headless auth API)/accounts/->allauth.urls(provider redirects/callbacks; used for social login)
The frontend uses both:
- Email/password + MFA:
/_allauth/browser/v1/... - Social login:
/accounts/{provider}/login/?next=...
Session Token Mode (Headless Clients)
The Ninja API supports header auth via X-Session-Token:
- Implementation:
backend/apps/common/api/auth.py(HeadlessXSessionTokenAuth) - Wired into Ninja API auth list:
backend/config/api.py
How it works:
- allauth issues a session token during headless auth flows
- the frontend stores it and sends it as
X-Session-Token HeadlessXSessionTokenAuthvalidates it and setsrequest.user- it also calls
user.set_session_tenant()and sets thread-local tenant id for tenant-scoped queries
CSRF
Browser cookie sessions require CSRF for unsafe methods. The frontend:
- ensures the CSRF cookie is set by calling
GET /_allauth/browser/v1/configearly - sends
X-CSRFTokenon requests (Axios interceptor infrontend/lib/api-client.ts)
Enabled Social Providers (Frontend Gating)
Public Ninja endpoint:
GET /api/v1/auth/enabled-providers/- Implementation:
backend/apps/accounts/api/__init__.py
The login page uses it to show/hide provider buttons.
Legacy Account Views (Migration Footnote)
There is a legacy accounts URL module at backend/apps/accounts/urls.py that documents an older Inertia-based flow. Current Next.js auth is via allauth headless (/_allauth/...) plus provider redirects (/accounts/...).
Last updated June 21, 2026