library/api/AUTH_FLOW.md
2026-02-04 08:04:46 -08:00

Authentication Flow

Overview

This API uses Discord OAuth for authentication and JWT tokens for session management. Only the admin user can perform create/update/delete operations, while public read access is available to everyone.

Environment Variables

Set up your prod.env file with 1Password references:

  • DATABASE_URL - MongoDB connection string
  • JWT_SECRET - Secret for signing JWT tokens
  • DISCORD_CLIENT_ID - Discord OAuth app client ID
  • DISCORD_CLIENT_SECRET - Discord OAuth app client secret
  • ADMIN_DISCORD_ID - Your Discord user ID for admin access
  • API_URL - API base URL (e.g., http://localhost:3000)
  • FRONTEND_URL - Frontend URL to redirect after login

Running the API

# Start with 1Password secrets
op run --env-file=prod.env -- nx serve api

Auth Endpoints

1. Login

GET /api/auth/login - Redirects to Discord OAuth

2. Callback

GET /api/auth/callback - Discord redirects here after auth

  • Creates/updates user in database
  • Generates JWT token
  • Sets httpOnly cookie auth-token
  • Redirects to frontend

3. Get Current User

GET /api/auth/me - Returns authenticated user (requires auth)

4. Logout

POST /api/auth/logout - Clears auth cookie

Protected Routes

Example: Games API

  • GET /api/games - Public (list all games)
  • GET /api/games/:id - Public (get single game)
  • POST /api/games - Admin only (create game)
  • PUT /api/games/:id - Admin only (update game)
  • DELETE /api/games/:id - Admin only (delete game)

Testing

  1. Set up a Discord OAuth app at https://discord.com/developers/applications
  2. Add the redirect URI: http://localhost:3000/api/auth/callback
  3. Copy the client ID and secret into 1Password
  4. Run the API and visit http://localhost:3000/api/auth/login
  5. After Discord auth, you'll be redirected to the frontend with the auth cookie set