Backend Authentication

Backend Authentication

This repo uses django-allauth for account management plus allauth.headless for API-first login/signup flows.

Endpoints

Mounted in backend/config/urls.py:

  • /_allauth/ -> allauth.headless.urls (headless auth API)
  • /accounts/ -> allauth.urls (provider redirects/callbacks; used for social login)

The frontend uses both:

  • Email/password + MFA: /_allauth/browser/v1/...
  • Social login: /accounts/{provider}/login/?next=...

Session Token Mode (Headless Clients)

The Ninja API supports header auth via X-Session-Token:

  • Implementation: backend/apps/common/api/auth.py (HeadlessXSessionTokenAuth)
  • Wired into Ninja API auth list: backend/config/api.py

How it works:

  • allauth issues a session token during headless auth flows
  • the frontend stores it and sends it as X-Session-Token
  • HeadlessXSessionTokenAuth validates it and sets request.user
  • it also calls user.set_session_tenant() and sets thread-local tenant id for tenant-scoped queries

CSRF

Browser cookie sessions require CSRF for unsafe methods. The frontend:

  • ensures the CSRF cookie is set by calling GET /_allauth/browser/v1/config early
  • sends X-CSRFToken on requests (Axios interceptor in frontend/lib/api-client.ts)

Enabled Social Providers (Frontend Gating)

Public Ninja endpoint:

  • GET /api/v1/auth/enabled-providers/
  • Implementation: backend/apps/accounts/api/__init__.py

The login page uses it to show/hide provider buttons.

Legacy Account Views (Migration Footnote)

There is a legacy accounts URL module at backend/apps/accounts/urls.py that documents an older Inertia-based flow. Current Next.js auth is via allauth headless (/_allauth/...) plus provider redirects (/accounts/...).

Last updated June 21, 2026