Files
carmanagement/memory/project_auth_architecture.md
2026-05-09 20:01:51 -04:00

1.7 KiB

name, description, type
name description type
Auth Architecture Multi-app auth system with unified login - employee JWT + Clerk + admin JWT project

Three-tier SaaS auth system (RentalDriveGo car management monorepo):

  1. Admins — JWT auth (type: 'admin'), stored in localStorage.admin_token in admin app (port 3002)
  2. Employees (Owner/Manager/Agent) — Clerk OAuth when configured, local JWT (type: 'employee') when Clerk is not configured. Token stored in localStorage.employee_token + employee_token cookie in dashboard app (port 3001)
  3. Renters — JWT infrastructure exists but login is currently disabled (returns 403)

Unified login page: apps/dashboard/src/app/sign-in/[[...sign-in]]/page.tsx

  • Shows Clerk component when NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY is a real key
  • Otherwise shows local form that tries employee login, then admin login
  • Admin users are redirected to admin app via ${ADMIN_URL}/auth-redirect#token=xxx

Key API endpoints:

  • POST /api/v1/auth/employee/login — local employee auth (email + password → JWT)
  • POST /api/v1/admin/auth/login — admin auth (email + password + optional TOTP → JWT)
  • POST /api/v1/auth/company/signup — company signup (accepts optional password field)

requireCompanyAuth middleware — accepts local employee JWT OR Clerk session token.

Why: Clerk keys were placeholder values (pk_test_your_real_publishable_key_here), making the login page non-functional. Added local JWT auth as a fully working fallback.

How to apply: When working on auth or protected routes, check if Clerk is actually configured (real keys) vs local JWT mode. The clerkFrontendEnabled/clerkBackendEnabled flags in apps/dashboard/src/lib/clerk.ts detect this.