ShopySeed

Authentication

Complete guide to authentication in ShopySeed — email/password, OAuth, email verification, password reset, and session management.

ShopySeed provides a complete authentication system out of the box, including email/password login, Google OAuth, email verification, and password reset.

Authentication Flow

Registration

  1. User submits email and password at /auth/register
  2. Backend creates the user with a hashed password (bcrypt)
  3. A verification email is sent with a unique token
  4. User is logged in immediately with a JWT + refresh token

Login

  1. User submits email and password at /auth/login
  2. Backend validates credentials and returns JWT + refresh token
  3. Tokens are stored as HTTP-only cookies
  4. Frontend redirects to /dashboard

Session Management

  • Access token: Short-lived JWT (15 minutes)
  • Refresh token: Long-lived token stored in database (7 days)
  • Automatic token refresh on 401 responses via the fetchApi wrapper
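
The 401-driven refresh described above, as an added example that is not ShopySeed's own fetchApi: a wrapper that retries a request exactly once after a successful call to POST /auth/refresh, and shares a single in-flight refresh between concurrent requests so that several 401s arriving together do not trigger several refreshes. It assumes tokens live in HTTP-only cookies (so the client only needs credentials: "include"), that the refresh endpoint is the one listed in this page, and that a failed refresh means the session is over. The fake backend at the bottom is constructed for the demonstration.

```javascript
// Added example, not ShopySeed's code. Assumptions: POST /auth/refresh rotates
// the cookie-held tokens, and a non-2xx refresh response means "session gone".

let refreshInFlight = null; // single-flight: concurrent 401s share one refresh

function refreshSession(fetchImpl, apiUrl) {
  if (!refreshInFlight) {
    refreshInFlight = fetchImpl(`${apiUrl}/auth/refresh`, {
      method: "POST",
      credentials: "include",
    })
      .then((res) => res.ok)
      .finally(() => {
        refreshInFlight = null;
      });
  }
  return refreshInFlight;
}

// deps lets the wrapper be exercised with an injected fetch and API base URL.
async function fetchApi(path, options = {}, deps = {}) {
  const fetchImpl = deps.fetch || globalThis.fetch;
  const apiUrl = deps.apiUrl || "";
  const request = () =>
    fetchImpl(`${apiUrl}${path}`, { credentials: "include", ...options });

  let res = await request();
  // Never refresh in response to the refresh endpoint itself, or we could loop.
  if (res.status === 401 && path !== "/auth/refresh") {
    const refreshed = await refreshSession(fetchImpl, apiUrl);
    if (!refreshed) {
      if (deps.onSessionExpired) deps.onSessionExpired();
      return res; // hand the original 401 back to the caller
    }
    res = await request(); // exactly one retry after a successful refresh
  }
  return res;
}

// Constructed fake backend: every request is 401 until /auth/refresh has been
// called once, after which requests succeed. Records every call it receives.
function makeFakeFetch() {
  const calls = [];
  let refreshed = false;
  const fakeFetch = async (url, opts = {}) => {
    calls.push(`${opts.method || "GET"} ${url}`);
    if (url.endsWith("/auth/refresh")) {
      refreshed = true;
      return { ok: true, status: 200 };
    }
    if (!refreshed) return { ok: false, status: 401 };
    return { ok: true, status: 200 };
  };
  return { fakeFetch, calls };
}

// Two concurrent /auth/me calls both hit a 401; only one refresh should run.
async function demo() {
  const { fakeFetch, calls } = makeFakeFetch();
  const deps = { fetch: fakeFetch, apiUrl: "https://api.example.test" };
  const [a, b] = await Promise.all([
    fetchApi("/auth/me", {}, deps),
    fetchApi("/auth/me", {}, deps),
  ]);
  return {
    statuses: [a.status, b.status],
    refreshCalls: calls.filter((c) => c.endsWith("/auth/refresh")).length,
    totalCalls: calls.length,
  };
}
```

The single-flight promise is the part worth copying: without it, a dashboard that fires five requests on load can issue five refreshes, and with rotating refresh tokens only the first of those can succeed.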

Google OAuth

ShopySeed supports Google OAuth login out of the box.

Setup

  1. Create a Google OAuth app in the Google Cloud Console
  2. Set the redirect URI to: {API_URL}/auth/oauth/google/callback
  3. Add your credentials to .env:

     GOOGLE_CLIENT_ID=your-client-id
     GOOGLE_CLIENT_SECRET=your-client-secret

Flow

  1. User clicks "Continue with Google" on the login/register page
  2. Frontend redirects to /auth/oauth/google (a loading page)
  3. Browser redirects to the backend OAuth endpoint
  4. Backend handles the Google callback, creates/links the user
  5. User is redirected back to the frontend with tokens set

Email Verification

After registration, users receive a verification email with a unique token link.

  • Endpoint: POST /auth/resend-verification — resend the verification email
  • Rate limit: 1 email per hour
  • Token expiry: 24 hours
  • Verification page: /auth/verify-email/[token]

Unverified users see a banner on the dashboard with a "Resend email" button.

Password Reset

Forgot Password Flow

  1. User enters their email at /auth/forgot-password
  2. Backend sends a reset email with a unique token (1 hour expiry)
  3. User clicks the link → /auth/reset-password?token=...
  4. User sets a new password
  5. All existing refresh tokens are invalidated

Endpoints

  • POST /auth/forgot-password — request a reset email
  • POST /auth/reset-password — reset password with token

API Endpoints

  Method   Endpoint                     Description
  POST     /auth/register               Create a new account
  POST     /auth/login                  Login with email/password
  POST     /auth/refresh                Refresh access token
  POST     /auth/logout                 Invalidate refresh token
  GET      /auth/me                     Get current user profile
  PATCH    /auth/me                     Update profile (name)
  POST     /auth/avatar                 Upload profile picture
  POST     /auth/forgot-password        Request password reset
  POST     /auth/reset-password         Reset password with token
  POST     /auth/resend-verification    Resend verification email
  GET      /auth/verify-email/:token    Verify email address
  GET      /auth/oauth/google           Initiate Google OAuth

Security

  • Passwords are hashed with bcrypt (10 rounds)
  • JWT tokens use RS256 or HS256 signing
  • Refresh tokens are stored in database and invalidated on logout
  • Rate limiting on auth endpoints prevents brute force
  • HTTP-only cookies prevent XSS token theft
