# Authentication

User authentication and authorization system implementation

## Overview
The authentication system uses:
- django-simplejwt for backend JWT authentication
- next-auth for frontend authentication management
- JWT token rotation pattern for security
## User Account Management

### Creating User Accounts

#### Method 1: Superuser Creation

```sh
# Interactive method
just manage createsuperuser

# Non-interactive (uses DJANGO_SUPERUSER_* from .env)
just manage createsuperuser --noinput

# Full database reset including superuser + sample data
just reset_db
```

See the justfile for the underlying `uv run` invocations.

#### Method 2: Frontend Registration
- Users register through the frontend registration form
- Accounts are created as inactive by default
- Superuser must activate accounts through Django admin
## Frontend Authentication

### Protected Routes

Use `getServerSession` to protect routes requiring authentication:

```tsx
import { redirect } from "next/navigation";
import { getServerSession } from "@/lib/auth";

const ProtectedPage = async () => {
  // Session is read server-side from the httpOnly cookie; no token reaches the client
  const session = await getServerSession();
  if (session === null) {
    return redirect("/");
  }
  return <>Protected Content</>;
};

export default ProtectedPage;
```

### Protected Layouts
Protect multiple pages using layout authentication:
```tsx
import { redirect } from "next/navigation";
import { getServerSession } from "@/lib/auth";

const AuthenticatedLayout = async ({
  children,
}: {
  children: React.ReactNode;
}) => {
  // Every page rendered under this layout inherits the check
  const session = await getServerSession();
  if (session === null) {
    return redirect("/");
  }
  return <>{children}</>;
};

export default AuthenticatedLayout;
```

## Token Management
- Access Token: 15-minute lifetime
- Refresh Token: 7-day lifetime
- NextAuth Session: 30-day lifetime
- Tokens stored in httpOnly cookies
- Automatic token refresh through NextAuth callbacks
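The refresh-and-rotate step that the NextAuth `jwt` callback performs, written out as an added example rather than the project's own callback: the stored-token shape, the `RefreshTokenInvalid` error marker and the refresh endpoint path are assumptions, while the `access`/`refresh` response shape is simplejwt's refresh view with `ROTATE_REFRESH_TOKENS` enabled.

```typescript
// Added example, not the project's own code: the decision a NextAuth `jwt`
// callback makes on every session read so the 15-minute access token is
// refreshed before it expires. Stored-token shape and endpoint path are assumed.

export interface StoredToken {
  accessToken: string;
  accessExpires: number;          // epoch milliseconds
  refreshToken: string;
  error?: "RefreshTokenInvalid";  // surfaced to the client so it signs the user out
}

// What simplejwt's refresh view returns: always `access`, plus a new `refresh`
// when ROTATE_REFRESH_TOKENS is enabled. null stands for a 401 from Django.
export type RefreshResult = { access: string; refresh?: string } | null;

const ACCESS_LIFETIME_MS = 15 * 60_000;
const REFRESH_EARLY_MS = 60_000;  // refresh a minute early so in-flight requests never carry an expired token

export function needsRefresh(token: StoredToken, now: number): boolean {
  if (token.error) return false;  // already invalidated; retrying would only hammer the backend
  return now >= token.accessExpires - REFRESH_EARLY_MS;
}

export function applyRefresh(token: StoredToken, result: RefreshResult, now: number): StoredToken {
  if (result === null) {
    // Refresh token expired, blacklisted, or reused after rotation: the session is over.
    return { ...token, accessToken: "", error: "RefreshTokenInvalid" };
  }
  return {
    accessToken: result.access,
    accessExpires: now + ACCESS_LIFETIME_MS,
    // Rotation: with BLACKLIST_AFTER_ROTATION the old refresh token is dead after
    // one use, so the new one must replace it in the cookie-backed session JWT.
    refreshToken: result.refresh ?? token.refreshToken,
  };
}

// Body of the NextAuth `jwt` callback. `refresh` wraps a POST of {refresh} to
// simplejwt's refresh view (assumed at /api/token/refresh/) and is injected so
// the logic can be exercised without a running backend.
export async function rotateIfNeeded(
  token: StoredToken,
  now: number,
  refresh: (refreshToken: string) => Promise<RefreshResult>,
): Promise<StoredToken> {
  if (!needsRefresh(token, now)) return token;
  return applyRefresh(token, await refresh(token.refreshToken), now);
}
```

Because the callback returns the updated token object, NextAuth re-signs it into the httpOnly session cookie, so the rotated refresh token never reaches browser JavaScript.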