Authentication
ShockStack uses a server-backed, cookie-based authentication model. The goal is simple UX for users and secure defaults for the app.
Authentication Model
- Email/password sign-in is supported out of the box
- Session state is stored in cookies set with the Secure and HttpOnly flags
- Request-time middleware resolves the current user session
- Protected routes are enforced on the server
Request Flow
- User submits credentials to the auth endpoint
- Credentials are validated and a session is created
- Session cookie is set in the browser
- Middleware reads the cookie on each request
- Protected routes allow or redirect based on session validity
Protected Areas
Protected pages should rely on server-side session checks, not only client UI state.
If a session is missing or expired, the user is redirected to sign in.
Data Shape
The auth subsystem typically includes:
- user records
- active sessions
- provider/account links
- verification or one-time token records
Extending Auth
You can add providers or flows without changing the route architecture:
- social login providers
- email verification
- password reset
- account linking
Keep the session model consistent so middleware and protected routes continue to work unchanged.