LCMD[db]

Authentication

User authentication and authorization system implementation

Overview

The web app authentication path uses:

  • django-allauth headless browser endpoints under /_allauth/browser/v1
  • Django session cookies and CSRF protection for browser requests
  • @lcmd/api/allauth generated clients
  • @lcmd/logic/auth session, login, and logout helpers
  • TanStack Router beforeLoad guards for protected route trees

User account management

Creating user accounts

Method 1: Superuser creation

# Interactive method
just manage createsuperuser

# Non-interactive (uses DJANGO_SUPERUSER_* from .env)
just manage createsuperuser --noinput

# Full database reset including superuser + sample data
just reset_db

See the justfile for the underlying uv run invocations.

Method 2: Web app registration

  1. Users register through the web app registration form.
  2. The form calls the generated backend user API through @lcmd/logic/users.
  3. The app signs in the new user through the allauth login helper.

Route guards

Protected TanStack Router subtrees use beforeLoad to resolve the allauth session before rendering.

apps/webapp/src/routes/_app.tsx
import { createFileRoute, Outlet } from '@tanstack/react-router'
import { appLayoutBeforeLoad } from '@/guards'

export const Route = createFileRoute('/_app')({
  beforeLoad: appLayoutBeforeLoad,
  component: AppLayoutRoute
})

function AppLayoutRoute() {
  return <Outlet />
}

The guard resolves the allauth session through authSessionQueryOptions(context.clients.authClient) against the shared query cache. Anonymous sessions are redirected to /auth/login with the originally requested location preserved in ?redirect=, so the user lands on the protected page after signing in.
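The redirect bookkeeping behind that guard, as an added example that is not the project's own guard code and uses no router library (the names loginRedirectFor, safeReturnPath and guardDecision, and the SessionLike shape, are hypothetical). Besides building the ?redirect= value on the way out, it shows the check a practitioner wants on the way back in: a ?redirect= parameter that is navigated to unvalidated after login is an open redirect, so only same-origin, path-absolute targets are accepted.

```typescript
// Added example (not the project's guard). Hypothetical names throughout.

/** Minimal session shape assumed for the example; the real allauth session is richer. */
interface SessionLike {
  isAuthenticated: boolean
}

/**
 * Build the login URL an anonymous visitor is sent to, preserving the
 * originally requested path and query in ?redirect= (URL-encoded so a
 * nested query string survives the round trip).
 */
export function loginRedirectFor(requestedPath: string, requestedSearch = ''): string {
  const target = requestedPath + requestedSearch
  return `/auth/login?redirect=${encodeURIComponent(target)}`
}

/**
 * Validate a ?redirect= value (as the router hands it over, already decoded)
 * before navigating to it after login. Only same-origin, path-absolute targets
 * are accepted; absolute URLs, protocol-relative //host, javascript: and the
 * backslash variant /\host (which WHATWG URL parsing turns into //host) all
 * fall back to the app root, so the parameter cannot become an open redirect.
 */
export function safeReturnPath(raw: string | null | undefined, fallback = '/'): string {
  if (!raw) return fallback
  // Exactly one leading slash, not followed by another slash or a backslash.
  if (!/^\/(?![\/\\])/.test(raw)) return fallback
  // Resolve against a dummy origin; anything that changes the origin is rejected.
  const probe = new URL(raw, 'https://app.invalid')
  if (probe.origin !== 'https://app.invalid') return fallback
  // Re-emit only path and query; a fragment is dropped deliberately.
  return probe.pathname + probe.search
}

/** Guard decision: allow the route, or redirect to login with the target preserved. */
export function guardDecision(
  session: SessionLike,
  pathname: string,
  search = '',
): { kind: 'allow' } | { kind: 'redirect'; to: string } {
  if (session.isAuthenticated) return { kind: 'allow' }
  return { kind: 'redirect', to: loginRedirectFor(pathname, search) }
}
```

In a real beforeLoad the redirect branch would become `throw redirect({ to: '/auth/login', search: { redirect: ... } })`, and the login route would pass its `redirect` search param through safeReturnPath before navigating.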

Session management

  • useAuthSession reads the current allauth session from the shared TanStack Query cache.
  • useLogin writes the authenticated session into that cache on success.
  • useLogout clears the session cache and invalidates it after the logout request settles.
  • Mutating allauth requests require a csrftoken cookie; the shared client adds X-CSRFToken and fails loudly if the token is missing.
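The CSRF header logic described in the last bullet, as an added example that is not the project's shared client (readCookie, csrfHeadersFor, allauthRequestInit and CsrfTokenMissingError are hypothetical names). It follows Django's defaults: GET, HEAD, OPTIONS and TRACE are not CSRF-checked, mutating methods must echo the csrftoken cookie in the X-CSRFToken header, and a missing cookie is refused on the client instead of surfacing as a 403. One caveat this relies on: the csrftoken cookie must be readable from JavaScript, so CSRF_COOKIE_HTTPONLY must stay at Django's default of False; the session cookie itself should remain HttpOnly.

```typescript
// Added example (not the project's shared client). Hypothetical names throughout.

/** Methods Django's CsrfViewMiddleware does not check. */
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE'])

export class CsrfTokenMissingError extends Error {
  constructor(method: string) {
    super(`csrftoken cookie not set; refusing to send ${method} to allauth`)
    this.name = 'CsrfTokenMissingError'
  }
}

/** Parse a document.cookie-style string ("a=1; b=2") and return one cookie's value. */
export function readCookie(cookieString: string, name: string): string | null {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=')
    if (eq === -1) continue
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim()
  }
  return null
}

/**
 * Headers for one request to /_allauth/browser/v1/... . Safe methods carry no
 * token. Mutating methods get X-CSRFToken from the csrftoken cookie; if the
 * cookie is absent the request fails loudly before it leaves the browser.
 */
export function csrfHeadersFor(method: string, cookieString: string): Record<string, string> {
  const headers: Record<string, string> = { Accept: 'application/json' }
  const verb = method.toUpperCase()
  if (SAFE_METHODS.has(verb)) return headers
  const token = readCookie(cookieString, 'csrftoken')
  if (!token) throw new CsrfTokenMissingError(verb)
  headers['X-CSRFToken'] = token
  headers['Content-Type'] = 'application/json'
  return headers
}

/** The init object a fetch() call would receive; shaped here without DOM types. */
interface RequestShape {
  method: string
  credentials: 'same-origin'
  headers: Record<string, string>
  body?: string
}

/** Build the fetch init for an allauth browser call; the session cookie rides along via credentials. */
export function allauthRequestInit(method: string, cookieString: string, body?: unknown): RequestShape {
  return {
    method: method.toUpperCase(),
    credentials: 'same-origin',
    headers: csrfHeadersFor(method, cookieString),
    body: body === undefined ? undefined : JSON.stringify(body),
  }
}
```

In the browser the cookieString argument is `document.cookie`; it is passed in explicitly here so the logic runs and is testable outside a browser.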
