Simple Password Authentication

The app implements a very basic authentication mechanism with an optional PASSWORD stored in the .env file. Once the user enters the password, a session cookie is created that authorizes the user for further requests, making userId be a hashed version of the password. This allows to invalidate all sessions by changing the PASSWORD env variable in production.

The authentication is made by oversimplifying a solution provided at the official Next.js authentication documentation . It implements a /login page with a form that invokes login server action. Session is created at src/lib/session.ts  and Data Access Level file is defined at src/lib/dal.ts .

The DAL file, in its turn, exports verifySession function that is invoked at page.tsx  and redirects the user to the login page if the session is invalid.

import { verifySession } from "@/lib/dal";
 
export default async function Home() {
  await verifySession();
  // ...

but also exports isLoggedIn function that is created for sessionGuard decorator to check if the user is logged in when invoking controller methods.

import { createDecorator, HttpException, HttpStatus } from "vovk";
import { isLoggedIn } from "@/lib/dal";
 
export const sessionGuard = createDecorator(async (req, next) => {
  if (typeof req.url !== "undefined" && !(await isLoggedIn())) {
    throw new HttpException(HttpStatus.UNAUTHORIZED, "Unauthorized");
  }
  return next();
});

The code above is fetched from GitHub repository. 

The sessionGuard decorator applied to all controller methods. typeof req.url !== 'undefined' check is required to distinguish between HTTP requests and fn invocations used by PPR and Text Chat AI features.