Frontend Authentication
Frontend Authentication
Source of truth:
- Auth store:
frontend/hooks/use-auth.ts - HTTP clients:
frontend/lib/api-client.ts
Email/Password + MFA (Headless API)
The app uses allauth headless endpoints via authClient:
- base:
/_allauth/browser/v1 - examples:
POST /auth/loginPOST /auth/signupGET /auth/sessionPOST /auth/2fa/authenticate
Session token handling:
- token returned by allauth is stored in localStorage as
sessionToken(frontend/lib/api-client.ts) - subsequent API calls include
X-Session-Token
Social Login (Provider Redirects)
Social login uses the classic allauth provider flow:
GET /accounts/{provider}/login/?next=...
Implementation:
useAuthStore.socialLogin()builds that URL and assignswindow.location.href.
Enabled providers list:
GET /api/v1/auth/enabled-providers/(public Ninja endpoint)- used by
frontend/components/auth/login-form.tsx
Callback handling:
- The
nextparameter points back to the frontend routefrontend/app/auth/callback/[provider]/page.tsx. - That page forwards query params to allauth headless:
GET /_allauth/browser/v1/auth/provider/callback?....
CSRF Bootstrapping
The app calls getConfig() early to ensure CSRF cookie is set before login/signup. See useAuth() initialization in frontend/hooks/use-auth.ts.
Last updated June 21, 2026