This guide explains how to set up the authentication system using AWS Cognito.
Note: For infrastructure setup, see Infrastructure Setup.
- Node.js (>= 18.x)
- AWS CDK CLI - Install via npm:
npm install -g aws-cdk - AWS CLI
- AWS Account with appropriate permissions
For detailed infrastructure setup instructions, see Infrastructure Setup.
-
Install dependencies:
cd infrastructure npm install -
Configure AWS:
aws configure
Enter the following information:
- AWS Access Key ID
- AWS Secret Access Key
- Default region (e.g.,
eu-central-1) - Default output format:
json
-
Bootstrap CDK (First time only):
cdk bootstrap aws://ACCOUNT-ID/REGION
Replace
ACCOUNT-IDwith your AWS account ID andREGIONwith your region (e.g.,eu-central-1). -
Deploy Infrastructure:
Development:
npm run build npm run diff:dev npm run deploy:dev
Production:
npm run build npm run diff:prod npm run deploy:prod
After successful deployment, get the outputs:
aws cloudformation describe-stacks \ --stack-name StudioStack-dev \ --query 'Stacks[0].Outputs' \ --output tableThe following outputs will be displayed:
UserPoolId: User Pool identifierUserPoolClientId: Client identifierUserPoolRegion: AWS region
Important: Development and production have separate User Pools:
- Development:
mostage-studio-users-dev - Production:
mostage-studio-users-prod
cd frontend
npm installAfter deploying the infrastructure, you need to configure the frontend with the stack outputs.
-
Get stack outputs (if you haven't already):
aws cloudformation describe-stacks \ --stack-name StudioStack-dev \ --query 'Stacks[0].Outputs' \ --output table -
Create
.env.localfile in thefrontend/directory:
NEXT_PUBLIC_COGNITO_USER_POOL_ID=eu-central-1_xxxxxxxxx
NEXT_PUBLIC_COGNITO_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxx
NEXT_PUBLIC_AWS_REGION=eu-central-1
NEXT_PUBLIC_API_URL=https://xxxxxxxxxx.execute-api.eu-central-1.amazonaws.com/dev-
Copy values from stack outputs:
Copy the following values:
UserPoolId→NEXT_PUBLIC_COGNITO_USER_POOL_IDUserPoolClientId→NEXT_PUBLIC_COGNITO_CLIENT_IDUserPoolRegion→NEXT_PUBLIC_AWS_REGIONApiUrl→NEXT_PUBLIC_API_URL
Example:
If the stack outputs show:
UserPoolId: eu-central-1_AbCdEf123
UserPoolClientId: 1a2b3c4d5e6f7g8h9i0j
UserPoolRegion: eu-central-1
Then your .env.local should be:
NEXT_PUBLIC_COGNITO_USER_POOL_ID=eu-central-1_AbCdEf123
NEXT_PUBLIC_COGNITO_CLIENT_ID=1a2b3c4d5e6f7g8h9i0j
NEXT_PUBLIC_AWS_REGION=eu-central-1
NEXT_PUBLIC_API_URL=https://xxxxxxxxxx.execute-api.eu-central-1.amazonaws.com/devGo to your GitHub repository → Settings → Secrets and variables → Actions and add:
NEXT_PUBLIC_COGNITO_USER_POOL_ID→ Value fromUserPoolIdoutputNEXT_PUBLIC_COGNITO_CLIENT_ID→ Value fromUserPoolClientIdoutputNEXT_PUBLIC_AWS_REGION→ Value fromUserPoolRegionoutput
Note: For first-time setup, see Infrastructure Setup - First Time Deployment.
Note: GitHub Pages Environment Variables (in Pages settings) don't work for Next.js static export because Next.js needs variables at build time, not runtime. Use GitHub Secrets instead.
npm run dev- Username input (minimum 3 characters, maximum 20 characters)
- Email input
- Password input (minimum 6 characters with uppercase, lowercase, and number)
- Full name
- Receive 6-digit verification code via email
- Resend code option
- Sign in with username or email
- Sign in with password
- Sign out from account and clear tokens
- Request password reset code via email
- Reset password with verification code
frontend/src/features/auth/
├── components/
│ ├── AuthModal.tsx # Main authentication modal
│ ├── AccountModal.tsx # User account management modal
│ └── AuthProvider.tsx # Authentication context provider
├── hooks/
│ └── useAuth.ts # Authentication management hook
├── services/
│ ├── authService.ts # Token management
│ └── cognitoService.ts # AWS Cognito integration
└── types/
└── auth.types.ts # TypeScript types
- All communications with AWS Cognito are performed over HTTPS
- Tokens are stored in localStorage (access token, ID token, refresh token)
- Password policy is enforced by Cognito (minimum 6 characters, uppercase, lowercase, number)
- Email verification is required before sign in
- Cookie consent is required for authentication