1.7 KiB
1.7 KiB
name, description, type
| name | description | type |
|---|---|---|
| Auth Architecture | Multi-app auth system with unified login - employee JWT + Clerk + admin JWT | project |
Three-tier SaaS auth system (RentalDriveGo car management monorepo):
- Admins — JWT auth (
type: 'admin'), stored inlocalStorage.admin_tokenin admin app (port 3002) - Employees (Owner/Manager/Agent) — Clerk OAuth when configured, local JWT (
type: 'employee') when Clerk is not configured. Token stored inlocalStorage.employee_token+employee_tokencookie in dashboard app (port 3001) - Renters — JWT infrastructure exists but login is currently disabled (returns 403)
Unified login page: apps/dashboard/src/app/sign-in/[[...sign-in]]/page.tsx
- Shows Clerk component when
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEYis a real key - Otherwise shows local form that tries employee login, then admin login
- Admin users are redirected to admin app via
${ADMIN_URL}/auth-redirect#token=xxx
Key API endpoints:
POST /api/v1/auth/employee/login— local employee auth (email + password → JWT)POST /api/v1/admin/auth/login— admin auth (email + password + optional TOTP → JWT)POST /api/v1/auth/company/signup— company signup (accepts optionalpasswordfield)
requireCompanyAuth middleware — accepts local employee JWT OR Clerk session token.
Why: Clerk keys were placeholder values (pk_test_your_real_publishable_key_here), making the login page non-functional. Added local JWT auth as a fully working fallback.
How to apply: When working on auth or protected routes, check if Clerk is actually configured (real keys) vs local JWT mode. The clerkFrontendEnabled/clerkBackendEnabled flags in apps/dashboard/src/lib/clerk.ts detect this.