Authentication
User authentication and authorization system implementation
Overview
The web app authentication path uses:
- django-allauth headless browser endpoints under /_allauth/browser/v1
- Django session cookies and CSRF protection for browser requests
- @lcmd/api/allauth generated clients
- @lcmd/logic/auth session, login, and logout helpers
- TanStack Router beforeLoad guards for protected route trees
User account management
Creating user accounts
Method 1: Superuser creation
```bash
# Interactive method
just manage createsuperuser

# Non-interactive (uses DJANGO_SUPERUSER_* from .env)
just manage createsuperuser --noinput

# Full database reset including superuser + sample data
just reset_db
```

See justfile for the underlying uv run invocations.
Method 2: Web app registration
- Users register through the web app registration form.
- The form calls the generated backend user API through @lcmd/logic/users.
- The app signs in the new user through the allauth login helper.
Route guards
Protected TanStack Router subtrees use beforeLoad to resolve the allauth session before rendering.
```tsx
import { createFileRoute, Outlet } from '@tanstack/react-router'
import { appLayoutBeforeLoad } from '@/guards'

export const Route = createFileRoute('/_app')({
  beforeLoad: appLayoutBeforeLoad,
  component: AppLayoutRoute
})

function AppLayoutRoute() {
  return <Outlet />
}
```

The guard fetches authSessionQueryOptions(context.clients.authClient). Anonymous sessions are redirected to /auth/login with the originally requested target preserved in ?redirect=.
Session management
- useAuthSession reads the current allauth session from the shared TanStack Query cache.
- useLogin writes the authenticated session into that cache on success.
- useLogout clears the session cache and invalidates it after the logout request settles.
- Mutating allauth requests require a csrftoken cookie; the shared client adds X-CSRFToken and fails loudly if the token is missing.
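The csrftoken cookie / X-CSRFToken rule above, as an added example (not the project's own shared client): a pure helper that attaches the header only to mutating requests and throws when the cookie is absent, so a request Django would reject with 403 never leaves the browser silently. It takes the cookie string as an argument so it runs without a DOM; parseCookies and withCsrf are names chosen for this illustration.

```typescript
// Django's default cookie and header names for CSRF protection.
const CSRF_COOKIE = 'csrftoken';
const CSRF_HEADER = 'X-CSRFToken';
// Methods Django treats as safe; every other method must carry the token.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

type RequestOptions = { method?: string; headers?: Record<string, string> };

// Parse a Cookie-style string ("sessionid=abc; csrftoken=tok") into a map.
// (hypothetical helper name; the cookie string is what document.cookie returns)
function parseCookies(cookieString: string): Map<string, string> {
  const jar = new Map<string, string>();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) jar.set(name, decodeURIComponent(value));
  }
  return jar;
}

// Return a copy of the request options with X-CSRFToken set for mutating
// methods. Safe methods pass through untouched. A mutating request without a
// csrftoken cookie fails loudly here instead of failing with 403 on the server.
function withCsrf(options: RequestOptions, cookieString: string): RequestOptions {
  const method = (options.method ?? 'GET').toUpperCase();
  if (SAFE_METHODS.has(method)) return options;
  const token = parseCookies(cookieString).get(CSRF_COOKIE);
  if (!token) {
    throw new Error(
      `${CSRF_HEADER} is required for ${method} but no ${CSRF_COOKIE} cookie is set; ` +
        'load a page from the Django origin first so the cookie is issued',
    );
  }
  return {
    ...options,
    method,
    headers: { ...(options.headers ?? {}), [CSRF_HEADER]: token },
  };
}
```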