Authentication
MatchNest uses custom JWT-based authentication with HttpOnly cookies — no third-party auth providers required.
How It Works
- User submits email/password to `POST /api/auth/login`
- Server verifies credentials against the bcrypt hash in the database
- A signed JWT is created using `jose` with the user ID, email, and role
- The JWT is set as an HttpOnly cookie named `session-token` (7-day expiry)
- All protected API routes and pages verify the cookie on each request
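The token and cookie described above, as an added example that is not MatchNest's own code. The project signs with the `jose` library; this stand-in uses only `node:crypto` to build and check an HS256 JWT of the same shape (user ID, email and role as claims, 7-day expiry, `session-token` HttpOnly cookie), so the checks a verifier has to perform are visible. The function names, the `Secure`/`SameSite=Lax` cookie attributes and the secret handling are assumptions, not taken from the project.

```typescript
// Added example, not MatchNest's own code: a minimal HS256 JWT session token
// built on node:crypto. The project uses the `jose` library for this step;
// this stand-in keeps the same shape (header.payload.signature, claims for
// user ID / email / role, 7-day expiry) so the checks a verifier must make
// are visible without a dependency.
import { createHmac, timingSafeEqual } from "node:crypto";

export type Role = "user" | "admin";
export interface SessionClaims {
  sub: string;   // user ID
  email: string;
  role: Role;
  iat: number;   // issued at, unix seconds
  exp: number;   // expires at, unix seconds
}

export const SESSION_TTL_SECONDS = 7 * 24 * 60 * 60; // 7-day expiry, as on the page

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");

const hmac = (secret: string, data: string): Buffer =>
  createHmac("sha256", secret).update(data).digest();

// Decode one base64url JSON segment; undefined on any malformed input.
function decodeSegment(segment: string): any {
  try {
    return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
  } catch {
    return undefined;
  }
}

export function signSessionToken(
  user: { id: string; email: string; role: Role },
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const claims: SessionClaims = {
    sub: user.id, email: user.email, role: user.role, iat: now, exp: now + SESSION_TTL_SECONDS,
  };
  const signingInput = `${header}.${b64url(JSON.stringify(claims))}`;
  return `${signingInput}.${hmac(secret, signingInput).toString("base64url")}`;
}

// Returns the claims for a valid token, otherwise null. Order matters:
// pin the algorithm before trusting anything in the payload, compare the
// MAC in constant time, and only then look at the claims and the expiry.
export function verifySessionToken(
  token: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): SessionClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const header = decodeSegment(h);
  if (!header || header.alg !== "HS256" || header.typ !== "JWT") return null;
  const expected = hmac(secret, `${h}.${p}`);
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = decodeSegment(p);
  if (!claims || typeof claims.sub !== "string" || typeof claims.email !== "string") return null;
  if (claims.role !== "user" && claims.role !== "admin") return null;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims as SessionClaims;
}

// Set-Cookie value for the `session-token` cookie. HttpOnly keeps it out of
// page scripts; Secure and SameSite=Lax limit where the browser will send it;
// Max-Age matches the token lifetime so the cookie and the JWT expire together.
export function sessionCookieHeader(token: string): string {
  return `session-token=${token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${SESSION_TTL_SECONDS}`;
}
```

The verifier rejects a token whose header names any algorithm other than the one the server signs with, compares the signature with `timingSafeEqual` before parsing the payload, and treats a missing or past `exp` as invalid; with `jose`, `jwtVerify` with an explicit `algorithms` list gives the same guarantees.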
Roles
| Role | Access |
|---|---|
| user | Dashboard, profile, members, messages, billing |
| admin | Everything + admin panel |
Protected Routes
Route protection is handled in `src/middleware.ts`:

```
// Routes requiring authentication
/dashboard*      → must be logged in
/api/*           → most API routes require auth

// Routes requiring admin role
/admin*          → must be admin
/api/admin/*     → must be admin

// Public routes (no auth)
/login, /register, /forgot-password
/api/auth/login, /api/auth/register
/api/auth/forgot-password, /api/auth/reset-password
```

Auth Helpers
Import from `src/lib/auth.ts`:

```ts
import { getSession, requireAuth, requireAdmin } from "@/lib/auth";

// In a server component or API route (all three helpers are async):
const session = await getSession();   // Returns the session, or null if not logged in
const user = await requireAuth();     // Returns the session; throws if not authenticated
const admin = await requireAdmin();   // Returns the session; throws if not an admin
```

Registration Flow
Registration is a 3-step form:
- Name + Email
- Phone + Password
- Gender selection
After registration, users are redirected to the dashboard. Email verification is optional and controlled via admin settings.
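Returning to the Protected Routes and Auth Helpers sections above: the following added example, which is not the project's `src/middleware.ts` or `src/lib/auth.ts`, expresses that route table as a single decision function and provides `requireAuth`/`requireAdmin`-style guards that throw, operating on a session object passed in rather than read from the cookie. Treating every non-public `/api/*` route as protected is an assumption (the page says "most"), as are the `AuthError` class and the `Decision` names.

```typescript
// Added example, not the project's src/middleware.ts or src/lib/auth.ts:
// the route rules from "Protected Routes" as a pure decision function, plus
// requireAuth/requireAdmin-style guards that throw, as the helpers do.
export type Role = "user" | "admin";
export interface Session { userId: string; email: string; role: Role }
export type Decision = "allow" | "unauthenticated" | "forbidden";

// The public routes listed on the page.
const PUBLIC_PATHS = new Set([
  "/login", "/register", "/forgot-password",
  "/api/auth/login", "/api/auth/register",
  "/api/auth/forgot-password", "/api/auth/reset-password",
]);

// True when `path` is `prefix` itself or a sub-path of it (the page's "/admin*").
const under = (path: string, prefix: string): boolean =>
  path === prefix || path.startsWith(prefix + "/");

// Strip the query string and trailing slashes before matching, so
// "/admin/?x=1" is classified the same way as "/admin".
export function normalizePath(pathname: string): string {
  const noQuery = pathname.split("?")[0];
  return noQuery.replace(/\/+$/, "") || "/";
}

export function authorize(pathname: string, session: Session | null): Decision {
  const path = normalizePath(pathname);
  if (PUBLIC_PATHS.has(path)) return "allow";
  const adminOnly = under(path, "/admin") || under(path, "/api/admin");
  // Assumption: every non-public /api/* route needs a session (the page says
  // "most"); a real deployment would keep an explicit list.
  const needsAuth = adminOnly || under(path, "/dashboard") || under(path, "/api");
  if (!needsAuth) return "allow";
  if (!session) return "unauthenticated"; // pages redirect to /login, API routes answer 401
  if (adminOnly && session.role !== "admin") return "forbidden";
  return "allow";
}

export class AuthError extends Error {
  readonly status: 401 | 403;
  constructor(status: 401 | 403, message: string) {
    super(message);
    this.status = status;
  }
}

// Guards in the style of requireAuth/requireAdmin: return the session or throw.
export function requireAuth(session: Session | null): Session {
  if (!session) throw new AuthError(401, "authentication required");
  return session;
}

export function requireAdmin(session: Session | null): Session {
  const s = requireAuth(session);
  if (s.role !== "admin") throw new AuthError(403, "admin role required");
  return s;
}
```

Keeping the decision separate from the framework objects makes the rule table unit-testable: each row of the page's route listing becomes one assertion, and a new route that is accidentally left outside every rule shows up as an "allow" in the tests rather than in production.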
Password Reset
The forgot-password flow uses a 6-digit OTP sent to the user's email:
- User enters email at `/forgot-password`
- OTP is generated and emailed (valid for 15 minutes)
- User enters OTP to verify
- User sets new password
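The OTP steps above, as an added example that is not MatchNest's own reset code. The 15-minute validity is the page's; the attempt limit, the binding of the stored hash to the email address, and the single-use rule are assumptions added because a 6-digit code has only a million possible values, so the server-side check has to cap guesses. Function and field names are likewise assumed.

```typescript
// Added example, not MatchNest's own reset code: issuing and checking the
// 6-digit OTP. The 15-minute validity comes from the page; the attempt limit,
// email binding and single-use rule are assumptions.
import { createHash, randomInt, timingSafeEqual } from "node:crypto";

export const OTP_TTL_SECONDS = 15 * 60; // valid for 15 minutes (from the page)
export const OTP_MAX_ATTEMPTS = 5;      // assumption: not stated on the page

export interface OtpRecord {
  email: string;
  codeHash: Buffer;   // only a hash is stored; the code itself goes to the email
  expiresAt: number;  // unix seconds
  attempts: number;   // checks made so far, successful or not
  consumed: boolean;  // set once the code has been used
}

export type OtpResult = "ok" | "mismatch" | "expired" | "locked" | "consumed";

// Bind the hash to the account so a code issued for one email cannot be
// submitted for another.
function hashCode(email: string, code: string): Buffer {
  return createHash("sha256").update(`${email.trim().toLowerCase()}\n${code}`).digest();
}

// Generate a fresh code (CSPRNG, uniform over 000000..999999) and the record
// to persist alongside the pending reset.
export function issueOtp(
  email: string,
  now: number = Math.floor(Date.now() / 1000),
): { code: string; record: OtpRecord } {
  const code = randomInt(0, 1_000_000).toString().padStart(6, "0");
  const record: OtpRecord = {
    email,
    codeHash: hashCode(email, code),
    expiresAt: now + OTP_TTL_SECONDS,
    attempts: 0,
    consumed: false,
  };
  return { code, record };
}

// Check a submitted code against the stored record. Mutates attempts and
// consumed, which the caller persists. Every check counts toward the lockout,
// the comparison is constant-time, and a code verifies at most once.
export function verifyOtp(
  record: OtpRecord,
  submitted: string,
  now: number = Math.floor(Date.now() / 1000),
): OtpResult {
  if (record.consumed) return "consumed";
  if (now >= record.expiresAt) return "expired";
  if (record.attempts >= OTP_MAX_ATTEMPTS) return "locked";
  record.attempts += 1;
  if (!/^\d{6}$/.test(submitted)) return "mismatch";
  if (!timingSafeEqual(hashCode(record.email, submitted), record.codeHash)) return "mismatch";
  record.consumed = true; // the "set new password" step follows one successful check
  return "ok";
}
```

Because `verifyOtp` reports "expired", "locked" and "consumed" separately, the reset endpoint can log them as distinct events while still returning the same generic failure to the client.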