MVP authentication backend implementation#1121
Open
curty wants to merge 16 commits into jtleek:master from
Added complete technical specification for CloudPeople project, including tech stack, database schema, API endpoints, page structure, UI components, real-time architecture, security measures, development phases, and deployment details.
Based on CP Build 1 specification:
- users table: core authentication with role-based access
- sessions table: token-based session management
- candidates table: job-seeker profiles with auction floor (min_salary)
- employers table: company profiles with verification workflow
Includes enums, indexes, and detailed rationale document.
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
Changes:
- Remove candidates and employers tables (marketplace-specific)
- Replace with minimal user_profiles table (identity only)
- Remove salary, skills, domains, visibility flags
- Document auth strategy options instead of choosing one
- Keep rationale comments throughout
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
…schema-060c User authentication profiles schema
- Document email/password authentication flow (registration, login, reset)
- Document optional OAuth authentication flow with linking strategies
- Analyze session management options (DB sessions, JWT, hybrid)
- Document trade-offs for each approach
- Recommend MVP configuration: email/password + bcrypt + DB sessions
- No code, no vendor lock-in, standards-based approach
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
Authentication flows design
- Add package.json with pg, bcrypt, zod dependencies (no ORM)
- Add TypeScript configuration
- Add Next.js and ESLint configuration
- Add environment example and gitignore
- Add minimal app layout and page
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
Raw SQL migrations (no ORM):
- 001: users table with role enum
- 002: user_profiles table
- 003: sessions table for DB-backed sessions
- 004: email_verification_tokens table
- 005: password_reset_tokens table (1-hour expiry)
- 006: oauth_accounts table (scaffolding only)
Includes simple migration runner script (scripts/migrate.js)
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
- Raw SQL query helpers using pg library
- Connection pooling with singleton pattern
- queryOne/queryAll convenience functions
- generateId for unique IDs
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
- Password hashing with bcrypt (cost factor 12)
- Token generation and hashing with crypto
- Zod validation schemas for all auth inputs
- Token duration constants per design doc
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
- Database-backed sessions with HttpOnly cookies
- Session creation, validation, and deletion
- Cookie helpers for secure session management
- Standardized API response format
- Common error responses
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
- Validates email, password, role, firstName, lastName
- Checks for existing email (prevents enumeration)
- Creates user + profile + verification token in transaction
- Establishes session with HttpOnly cookie
- Logs verification token in dev mode
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
- Validates email and password input
- Generic error message prevents email enumeration
- Verifies password with bcrypt
- Updates last_login timestamp
- Creates session with optional rememberMe (30 days)
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
logout:
- Deletes session from database
- Clears session cookie
me:
- Returns current user with profile data
- Returns 401 if not authenticated
- Includes session expiration info
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
verify-email:
- POST: Verify with token, marks email_verified
- GET: Resend verification email (requires auth)
forgot-password:
- Always returns success (prevents enumeration)
- Creates 1-hour expiry token
reset-password:
- Validates token (1-hour expiry per design doc)
- Updates password, invalidates all sessions
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
- Google and GitHub provider configurations
- Providers only enabled when env vars are set
- Helper functions to check OAuth status
- Updated .env.example with OAuth vars (commented out)
Co-authored-by: eoghan <eoghan@cloudpeople.ai>
curty commented Jan 23, 2026 (Author)
Reviewed: backend-only MVP auth per AUTHENTICATION_FLOWS.md.
Session-based auth, email/password primary, OAuth scaffold only.
Looks good to merge.
Implements the MVP authentication backend per schema/AUTHENTICATION_FLOWS.md.
Backend-only, session-based auth with PostgreSQL.