KeyanVakil/add-auth

Wire up auth without breaking anything.

Steps

1. Detect the existing stack and any auth library already present (check package.json, existing middleware, session usage).
2. If no provider is set up yet, recommend the best fit based on the stack:
   • Next.js → Auth0 or NextAuth (now Auth.js)
   • React SPA → Auth0
   • Node/Express API → JWT + passport or Auth0 machine-to-machine
   • Supabase project → Supabase Auth
   • Everything else → ask the user
3. Implement the following in order:

a) Provider setup

Install packages, configure the provider with env vars. Add env vars to .env.example.

b) Session / token handling

Set up session storage or JWT verification. Follow the provider's recommended pattern exactly.

c) Login & signup UI

Create or wire up login/signup pages. Use the provider's hosted UI if available — don't build a custom form unless asked.

d) Protected routes / middleware

Add route protection:

• Next.js: middleware.ts matcher
• Express: auth middleware function applied to router
• React SPA: <PrivateRoute> wrapper or router guards

e) User context

Expose the current user via context/hook so any component can access user.id, user.email, etc.

f) Logout

Wire up a logout button/route that clears the session and redirects.

Auth0-specific notes

• Set AUTH0_SECRET, AUTH0_BASE_URL, AUTH0_ISSUER_BASE_URL, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET
• Use @auth0/nextjs-auth0 for Next.js — wrap _app with UserProvider, use withPageAuthRequired for protected pages
• Callback URL: {BASE_URL}/api/auth/callback
• Always set allowed callback + logout URLs in the Auth0 dashboard

Rules

• Never store passwords in your own database — delegate entirely to the auth provider
• Never put auth secrets in NEXT_PUBLIC_* vars
• Don't build custom session management when the provider has one
• Add a user_id foreign key to any table that stores user-owned data