Akari Art uses NextAuth.js with the Google OAuth 2.0 provider to handle all authentication. There are no passwords to manage: users sign in with their existing Google account, and NextAuth issues a JWT that is verified on every subsequent request. On first sign-in, a user document is automatically created in MongoDB so that the session can be enriched with a stable databaseDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/nayalsaurav/Akari-Art/llms.txt
Use this file to discover all available pages before exploring further.
id. All protected pages and API routes check for a valid token before allowing access.
Sign-in flow
Unauthenticated user visits a protected route
A user without a session tries to access a protected page such as The middleware layer also provides a second line of defence (see Protected routes below).
/create or /community. The page performs a server-side session check:Middleware redirects to /signin
Next.js middleware intercepts the request before it reaches the page. The
authorized callback returns false for any unauthenticated request to a non-public path, which causes NextAuth’s withAuth wrapper to redirect the browser to /signin (configured via pages.signIn).User clicks Sign in with Google
The The browser is redirected to Google’s OAuth consent screen.
/signin page renders the SigninFormDemo component. Clicking the Google button calls NextAuth’s signIn function with the "google" provider:NextAuth handles the OAuth callback
After the user grants consent, Google redirects back to
/api/auth/callback/google. NextAuth validates the authorization code, exchanges it for tokens, and extracts the user’s profile (name, email, image) from the ID token.signIn callback checks MongoDB; creates user if new
The
signIn callback connects to MongoDB and looks up the user by email. If no document exists yet, a new one is created with name, email, image, and provider fields:JWT token is issued with user id and name
The
jwt callback runs after signIn. It fetches the MongoDB document again to obtain the stable _id and attaches it — along with the display name — to the token:Session data
The default NextAuthSession type is extended in next-auth.d.ts to expose session.user.id:
DefaultSession["user"] already includes name, email, and image, so the full shape available in any component or route is:
| Field | Type | Source |
|---|---|---|
session.user.id | string | MongoDB _id (stringified) |
session.user.name | string | null | MongoDB name field |
session.user.email | string | null | Google profile email |
session.user.image | string | null | Google profile avatar URL |
useSession hook:
Protected routes
Route protection is enforced by thewithAuth middleware in middleware.ts. The authorized callback is called for every request that matches the config.matcher pattern (everything except _next/static, _next/image, and favicon.ico).
Public paths — requests to these paths are always allowed through, regardless of token state:
/— landing page/signin— sign-in page/api/auth/*— NextAuth internal endpoints (OAuth callback, session, CSRF)
token is null, authorized returns false, triggering an automatic redirect to /signin:
User model
Each authenticated user is represented in MongoDB by a document conforming to theIUser interface:
| Field | Required | Description |
|---|---|---|
_id | Auto | MongoDB ObjectId, used as session.user.id |
name | No | Display name from Google profile |
email | Yes (unique) | Primary identifier used to look up existing users |
image | No | Google profile photo URL |
emailVerified | No | Date the email was verified (set by the provider) |
provider | No | "google" for all OAuth sign-ins |
createdAt and updatedAt timestamps automatically via { timestamps: true }.
authOptions callbacks
The completeauthOptions object used throughout the app: