Plataforma Social uses NextAuth.js for authentication. Rather than delegating to an OAuth provider, it implements a Credentials provider that calls the project’s own GraphQL API, verifies the user’s password withDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Avendaosander/Plataforma-social/llms.txt
Use this file to discover all available pages before exploring further.
bcrypt, and then issues a signed JWT session. The entire configuration is exported from a single file and wired into Next.js as a catch-all API route handler.
Configuration file
All NextAuth logic lives at:authOptions object typed as NextAuthOptions and a handler that is re-exported as both GET and POST to satisfy the Next.js 14 App Router convention:
authOptions object configures four areas: the credentials provider, JWT and session callbacks, custom page routes, and the signing secret.
Credentials provider
The provider accepts two fields —email and password — and its authorize function is responsible for validating them against the backend.
The user’s email address. Passed directly to the GraphQL
login query as a variable.The user’s plain-text password. Never sent to the server — it is compared locally against the hashed password returned by GraphQL using
bcrypt.compare.Authorization flow
Theauthorize function performs the following steps:
Call the GraphQL login query
The function serialises the Note that only the email is sent to the server at this stage — the password is never transmitted.
LOGIN GraphQL document (imported from app/lib/graphql/users) using graphql’s print helper and sends it via fetch to the URL stored in process.env.API_ROUTE:Handle GraphQL errors
If the response contains a GraphQL
errors array, it is formatted using formatGraphQLErrors from app/lib/logic.ts and thrown as a plain Error:Compare the password
The hashed password stored on the If the passwords do not match, an error is thrown and NextAuth rejects the sign-in attempt.
userFound object returned by GraphQL is compared against the plain-text password supplied by the user using bcrypt.compare:Callbacks
JWT callback
Thejwt callback fires whenever a JWT is created or updated. It enriches the token with the user’s id and username so those fields survive across requests:
if (user) guard ensures the fields are only written once — on the initial sign-in — and the existing token is returned unchanged on subsequent calls.
Session callback
Thesession callback fires whenever useSession() or getServerSession() is called. It copies id and username from the token into the publicly accessible session object:
session.user.id and session.user.username alongside the standard name and email fields.
Custom pages
NextAuth is directed to use the application’s own login page rather than its built-in UI:/login.
TypeScript type augmentation
The project extends the default NextAuth types viafrontend/next-auth.d.ts. This declaration file adds id and username to the User interface and replaces the Session’s user property with that extended User type. This is required to avoid TypeScript errors when reading session.user.id or session.user.username, since those fields are not part of the NextAuth defaults.
JWT interface is not augmented in this file. The jwt callback in route.ts writes id and username onto the token at runtime, but the declaration file only types User and Session.
Accessing the session in components
Client components
Use the
useSession hook from next-auth/react. The component must be wrapped in a SessionProvider.Server components
Use
getServerSession with the exported authOptions to avoid an extra network round-trip.Route protection
The Next.js middleware atfrontend/middleware.ts protects the main authenticated area of the app by re-exporting the NextAuth middleware directly:
/home/ will be intercepted by NextAuth’s middleware. Unauthenticated visitors are redirected to the signIn page (/login) automatically, without any additional code in individual page components.