Auth/RBAC
Authentication flow
The web app uses Better Auth 1.6 with its Prisma adapter and database-backed sessions. Email/password authentication is enabled for seeded internal accounts; public signup is disab
Use this when you need a quick orientation to Auth/RBAC.
Approach
The web app uses Better Auth 1.6 with its Prisma adapter and database-backed sessions. Email/password authentication is enabled for seeded internal accounts; public signup is disabled. Better Auth hashes passwords with scrypt and provides signed HTTP-only session cookies, CSRF/origin validation, and request rate limiting.
Sign in
- An unauthenticated visitor is redirected to
/loginby Next.js 16 Proxy. - The browser submits email and password to Better Auth's same-origin
/api/auth/*handler. - Better Auth finds the credential account and verifies the scrypt password hash.
- A pre-session hook rejects inactive users.
- Better Auth writes a database session and sets the signed HTTP-only cookie.
- The post-session hook records
auth.loginand updateslastLoginAt. - Protected server components validate the session again and load current RBAC grants.
Sign out
The dashboard logout control calls Better Auth's sign-out endpoint. The database session is deleted, the cookie is cleared, and an auth.logout activity event is recorded.
Defense in depth
Proxy provides centralized request protection, but it is not the authorization boundary. Protected server pages call requireCurrentPrincipal, and future server actions/data access must call assertPermission or an equivalent resource policy immediately before protected work.
Current limitations
There is no signup, invitation, password recovery, email delivery, MFA, SSO, device management, or session-administration UI. Those require separate security decisions. A production secret and HTTPS cookie configuration are required before deployment; deployment itself is out of scope.
Developer Details
- Source
- apps/docs/content/authentication-flow.md
- Owner
- Module Owner
- Status
- Needs Review
- Module
- Auth/RBAC
- Related route
- None