Frontend Authentication

Frontend Authentication

Source of truth:

  • Auth store: frontend/hooks/use-auth.ts
  • HTTP clients: frontend/lib/api-client.ts

Email/Password + MFA (Headless API)

The app uses allauth headless endpoints via authClient:

  • base: /_allauth/browser/v1
  • examples:
    • POST /auth/login
    • POST /auth/signup
    • GET /auth/session
    • POST /auth/2fa/authenticate

Session token handling:

  • token returned by allauth is stored in localStorage as sessionToken (frontend/lib/api-client.ts)
  • subsequent API calls include X-Session-Token

Social Login (Provider Redirects)

Social login uses the classic allauth provider flow:

  • GET /accounts/{provider}/login/?next=...

Implementation:

  • useAuthStore.socialLogin() builds that URL and assigns window.location.href.

Enabled providers list:

  • GET /api/v1/auth/enabled-providers/ (public Ninja endpoint)
  • used by frontend/components/auth/login-form.tsx

Callback handling:

  • The next parameter points back to the frontend route frontend/app/auth/callback/[provider]/page.tsx.
  • That page forwards query params to allauth headless: GET /_allauth/browser/v1/auth/provider/callback?....

CSRF Bootstrapping

The app calls getConfig() early to ensure CSRF cookie is set before login/signup. See useAuth() initialization in frontend/hooks/use-auth.ts.

Last updated June 21, 2026