A full-stack authentication system built with Next.js App Router, TypeScript, MongoDB, JWT, and Nodemailer.
This project demonstrates a complete authentication workflow including user registration, login, email verification, password reset, route protection, JWT-based authentication, and secure password storage.
- User Signup
- User Login
- User Logout
- JWT-based Authentication
- Protected Routes
- HTTP-Only Authentication Cookies
- Verification email sent after signup
- Secure token generation using Node.js Crypto
- Token hashing before database storage
- Expiring verification links
- Forgot Password flow
- Password reset via email link
- Secure reset tokens
- Token expiration handling
- Password hashing using bcrypt
- JWT authentication tokens
- HTTP-only cookies
- Route-level access control using Next.js Proxy
- SHA-256 token hashing
- Expiring verification and reset tokens
- Next.js 16 (App Router)
- React 19
- TypeScript
- Tailwind CSS
- Next.js Route Handlers
- MongoDB
- Mongoose
- JWT (jsonwebtoken)
- bcryptjs
- crypto
- Nodemailer
- Mailtrap SMTP
src/
│
├── app/
│ ├── api/users/
│ │ ├── signup/
│ │ ├── login/
│ │ ├── logout/
│ │ ├── me/
│ │ ├── verifyemail/
│ │ ├── forgotpasswd/
│ │ └── confirmpasswd/
│ │
│ ├── signup/
│ ├── login/
│ ├── profile/
│ ├── verifyemail/
│ ├── forgotpasswd/
│ └── confirmpasswd/
│
├── dbConfig/
│ └── dbConfig.ts
│
├── helpers/
│ ├── mailer.ts
│ └── getDataFromToken.ts
│
├── models/
│ └── userModel.js
│
└── proxy.ts
- User submits username, email, and password.
- Password is hashed using bcrypt.
- User is saved to MongoDB.
- Verification email is sent.
- Verification token is stored in hashed form.
- User clicks verification link.
- Token is sent to the backend.
- Backend hashes the token.
- Hashed token is matched against the database.
- Account is marked as verified.
- User submits email and password.
- Password is verified using bcrypt.
- JWT token is generated.
- JWT is stored inside an HTTP-only cookie.
- User gains access to protected routes.
- User requests password reset.
- Reset email is sent.
- Secure reset token is generated.
- User opens reset link.
- New password is hashed and stored.
- Reset token is removed from the database.
The application uses a Next.js Proxy (src/proxy.ts) to protect routes.
/
/login
/signup
/verifyemail
/forgotpasswd
/confirmpasswd
/profile
Behavior:
- Unauthenticated users trying to access protected routes are redirected to
/login. - Authenticated users trying to access
/loginor/signupare redirected to/profile.
{
username: String,
email: String,
password: String,
isVerified: Boolean,
isAdmin: Boolean,
verifyToken: String,
verifyTokenExpiry: Date,
forgotPasswordToken: String,
forgotPasswordTokenExpiry: Date
}Create a .env file in the root directory.
MONGO_URI=your_mongodb_connection_string
TOKEN_SECRET=your_jwt_secret
DOMAIN=http://localhost:3000
MAILTRAP_SMTP_HOST=your_mailtrap_host
MAILTRAP_SMTP_PORT=your_mailtrap_port
MAILTRAP_SMTP_USER=your_mailtrap_username
MAILTRAP_SMTP_PASS=your_mailtrap_passwordgit clone <your-repository-url>
cd nextjs_authnpm installCreate a .env file and add all required variables.
npm run devApplication will start at:
http://localhost:3000
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/users/signup |
Register new user |
| POST | /api/users/login |
Login user |
| GET | /api/users/logout |
Logout user |
| GET | /api/users/me |
Get current user |
| POST | /api/users/verifyemail |
Verify email |
| POST | /api/users/forgotpasswd |
Send password reset email |
| POST | /api/users/confirmpasswd |
Update password |
This project is useful for understanding:
- Next.js App Router
- Route Handlers
- MongoDB with Mongoose
- JWT Authentication
- Password Hashing with bcrypt
- Email Verification Systems
- Password Reset Workflows
- HTTP-only Cookies
- Route Protection using Proxy/Middleware
- Secure Token Generation using Crypto
- Authentication Best Practices
- Refresh Tokens
- Role-Based Access Control (RBAC)
- OAuth Login (Google/GitHub)
- Email Templates
- Rate Limiting
- Account Lockout Protection
- Two-Factor Authentication (2FA)
- Session Management Dashboard
Built as a learning project to understand full-stack authentication using Next.js and MongoDB.