Set Up Auth (JWT + Email Whitelist + Sessions)
Add authentication with email magic links, per-app whitelists, and cross-subdomain SSO to the current project.
Requires the postgres service. If postgres is not set up, set it up first using the setup-postgres skill.
Steps
- Verify postgres is set up. Check `services.json` for `"postgres"`. If not present, set up postgres first.
- Copy all files from `/Users/scottzockoll/projects/workshop/services/auth/files/` into the project root, preserving directory structure:
  - `src/db/schema-auth.ts` — Sessions table schema
  - `src/lib/auth.ts` — Auth utilities (createSession, verifyAuth, requireAuth, etc.)
  - `src/app/login/page.tsx` — Login page with email input
  - `src/app/api/auth/login/route.ts` — Magic link email sender
  - `src/app/api/auth/verify/route.ts` — Magic link verification + session creation
  - `src/app/api/auth/logout/route.ts` — Logout + session deletion
  - `middleware.ts` — Auth middleware (goes in project root)
  - `scripts/provision-auth.sh` — Provisioning script
- Install dependencies:

  ```bash
  npm install jose resend
  ```
- Import the sessions table in the project's main schema file. Add this to `src/db/schema.ts`:

  ```typescript
  export { sessions } from "./schema-auth";
  ```
- Add env vars to `.env.local` (create if it doesn't exist):

  ```
  JWT_SECRET=<generate a random string: node -e "console.log(require('crypto').randomBytes(32).toString('base64'))">
  ALLOWED_EMAILS=user@example.com
  RESEND_API_KEY=re_xxxxxxxxxxxx
  ADMIN_EMAIL=admin@example.com
  ```
- Update `services.json` to include `"auth"` in the services array.
- Push the sessions table to the database:

  ```bash
  npx drizzle-kit push
  ```
- Tell the user:
  - Set `ALLOWED_EMAILS` to a comma-separated list of authorized emails
  - Get a Resend API key at https://resend.com and set `RESEND_API_KEY`
  - Set `ADMIN_EMAIL` to receive new login notifications
  - Use `import { requireAuth } from '@/lib/auth'` in API routes and server actions
  - Sessions can be revoked by deleting the row in the Neon console
  - The auth cookie is set on `.scottzockoll.com` so all subdomain apps share authentication
  - Set
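
A pre-flight check for the `.env.local` values and the comma-separated `ALLOWED_EMAILS` format described above. This is an added example, not code from the project's `src/lib/auth.ts`; the function names, the exact-match rule, and the sample values are assumptions.

```typescript
// Added example: names and sample values are assumptions, not code from src/lib/auth.ts.
type AuthEnv = { JWT_SECRET?: string; ALLOWED_EMAILS?: string;
                 RESEND_API_KEY?: string; ADMIN_EMAIL?: string };

const EMAIL_RE = /^[^\s@,]+@[^\s@,]+\.[^\s@,]+$/;

// Split on commas, trim, lowercase, and drop blank entries.
function parseAllowedEmails(raw: string | undefined): string[] {
  return (raw || "").split(",").map((e) => e.trim().toLowerCase())
    .filter((e) => e.length > 0);
}

// Exact, case-insensitive match only; an empty or unset list denies everyone.
function isEmailAllowed(email: string, raw: string | undefined): boolean {
  const candidate = email.trim().toLowerCase();
  return EMAIL_RE.test(candidate) && parseAllowedEmails(raw).indexOf(candidate) !== -1;
}

// Decoded byte length of a base64 string, or -1 if it is not valid base64.
function base64ByteLength(s: string): number {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(s)) return -1;
  const pad = s.length - s.replace(/=+$/, "").length;
  return (s.length / 4) * 3 - pad;
}

// Returns a list of problems; an empty list means the values look usable.
function checkAuthEnv(env: AuthEnv): string[] {
  const problems: string[] = [];
  if (base64ByteLength(env.JWT_SECRET || "") < 32)
    problems.push("JWT_SECRET is not base64 of at least 32 bytes");
  const allowed = parseAllowedEmails(env.ALLOWED_EMAILS);
  if (allowed.length === 0) problems.push("ALLOWED_EMAILS is empty");
  for (const e of allowed)
    if (!EMAIL_RE.test(e)) problems.push("ALLOWED_EMAILS entry is not an email: " + e);
  if (!env.RESEND_API_KEY || /^re_x+$/.test(env.RESEND_API_KEY))
    problems.push("RESEND_API_KEY is missing or still the placeholder");
  if (!EMAIL_RE.test((env.ADMIN_EMAIL || "").trim()))
    problems.push("ADMIN_EMAIL is not an email address");
  return problems;
}

// Constructed sample: the template values from the env-var step, left unedited.
const TEMPLATE_ENV: AuthEnv = {
  JWT_SECRET: "<generate a random string>",
  ALLOWED_EMAILS: "user@example.com",
  RESEND_API_KEY: "re_xxxxxxxxxxxx",
  ADMIN_EMAIL: "admin@example.com",
};
console.log(checkAuthEnv(TEMPLATE_ENV)); // flags JWT_SECRET and RESEND_API_KEY
```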