How to Build a Login System

<context>
App: Login System
Difficulty: Intermediate
Estimated build time: 1–3 days

Data model:
  User: id, email, password_hash, email_verified, role (user/admin), created_at
  Session: id (random token), user_id, expires_at, created_at, ip, user_agent
  PasswordResetToken: token (random), user_id, expires_at (1 hour), used_at
  OAuthAccount: provider (google/github), provider_user_id, user_id, access_token, refresh_token

Recommended build order:
  1. Password hashing and sign-up — Hash passwords with bcrypt (cost factor 12). Never store plain text. On sign-up: hash the password, insert the user, send a verification email with a signed token. Reject login until email is verified.
  2. Session-based login — On login: verify email + bcrypt.compare(password, hash). If correct, generate a random session token, store it in the sessions table, and set it as an HttpOnly Secure cookie. Check this cookie on every protected request.
  3. Middleware auth guard — Create a middleware function that reads the session cookie, looks up the session in the DB, checks it hasn't expired, and attaches the user to the request. Return 401 if missing or expired.
  4. Password reset flow — POST /auth/forgot-password: find user by email, generate a random token, store in password_reset_tokens with 1-hour expiry, send email with reset link. POST /auth/reset-password: verify token not expired, hash new password, delete the token.
  5. Google OAuth — Register an OAuth app in Google Cloud Console. Implement the OAuth2 flow: redirect to Google's auth URL → Google redirects back with a code → exchange code for tokens → fetch user profile → find or create your User row → create session.
  6. Role-based access control — Add a role field to users (user / admin). In middleware, check role for admin-only routes. Create a withRole(role) higher-order function that wraps route handlers and rejects insufficient roles with 403.
  7. Rate limiting — Limit /auth/login to 5 attempts per IP per 15 minutes using an in-memory counter (or Redis for multi-server). After 5 failures, return 429 Too Many Requests. Reset the counter on successful login.

Known pitfalls to avoid:
  - Using JWT for sessions without a revocation mechanism — if you store sessions as stateless JWTs, you can't log a user out on the server side (a stolen token stays valid until expiry). Use server-side sessions stored in a database.
  - Storing passwords with MD5 or SHA-1 — these are not password hashing algorithms. Use bcrypt, scrypt, or argon2. They're designed to be slow, which is exactly what you want for password hashing.
  - Exposing the session token in the URL — always use HttpOnly cookies, never URL params or localStorage. localStorage is accessible to JavaScript (and thus XSS attacks).

Tech stack (intermediate): Supabase Auth + Next.js — open source, self-hostable, Postgres-native
</context>

<role>
You are a Senior Full-Stack Engineer and product architect who has shipped production Login Systems before. You know exactly where developers get stuck and how to structure the project to avoid rewrites.
</role>

<task id="step-1-clarify">
Before writing any code or spec, ask me 3–5 clarifying questions that will meaningfully change the architecture. Focus on: scale expectations, auth requirements, platform (web / mobile / both), must-have vs nice-to-have features for the MVP, and any hard constraints (budget, deadline, existing infrastructure).

<example>
BAD: "What tech stack do you want to use?" — too broad, doesn't change architecture decisions.
GOOD: "Do you need real-time sync across devices, or is single-device with periodic refresh acceptable? This decides whether we use WebSockets or simple REST polling and significantly affects infrastructure complexity."
</example>
</task>

<task id="step-2-architect">
After I answer your questions, generate a complete project specification including:

1. Final tech stack with version numbers
2. Full file and folder structure
3. Complete database schema — every table, column, type, index, and foreign key
4. All API routes with request/response shapes and auth requirements
5. Component tree with TypeScript props interfaces
6. Auth and authorisation flow (who can do what)
7. Step-by-step implementation plan in the exact build order from <context> above
8. All environment variables with descriptions

<self_check>
Before presenting the spec, verify:
□ Every answer I gave in step 1 is reflected in the spec
□ The database schema matches the data model in <context>
□ The implementation plan follows the build order from <context>
□ No circular dependencies in the component tree
□ Auth is wired up before any protected routes are built
□ All known pitfalls from <context> are addressed in the spec
</self_check>
</task>

<task id="step-2.5-agents-md">
Generate an AGENTS.md file at the project root. This file is read automatically by Claude Code, Cursor, Windsurf, Sourcegraph Cody, and all major AI coding tools at the start of every session.

Include:
- Project overview (2–3 sentences)
- Tech stack with version numbers
- Folder structure with one-line descriptions
- Key architectural decisions and why they were made
- Coding conventions: naming (camelCase components, kebab-case files), max 200 lines per file, one concern per file
- Available commands: dev, build, test, lint, db:migrate, db:seed

Note in the file: "Cursor users can symlink .cursorrules → AGENTS.md. Claude Code users can symlink CLAUDE.md → AGENTS.md."
</task>

<task id="step-3-implement">
Implement the full project following the spec from step 2, in the exact order defined. For each step:
- Write the complete code (no placeholders or TODOs)
- Confirm the step is working before moving to the next
- Note any deviations from the spec with an explanation

<constraints>
- Max 200 lines per file. WHY: every file must fit in one AI context window for easy review and editing.
- One concern per file. WHY: mixing auth logic into API routes makes it impossible to reuse — extract to lib/auth.ts.
- TypeScript strict mode, no `any` types. WHY: catches data shape mismatches at compile time, not in production at 2am.
- All database queries in server components or API routes only. WHY: keeps credentials server-side, prevents accidental client-side exposure.
- All environment variables documented in .env.example. WHY: the next developer (or your future self) should be able to set up the project in under 5 minutes.
- Comment every non-obvious decision. WHY: AI tools read your comments to understand intent — without them, the next edit will break the pattern you established.
</constraints>
</task>