Authentication API
PlayRen uses NextAuth v5 for authentication, supporting both email/password credentials and Google OAuth. Sessions are managed using JWT tokens stored in secure HTTP-only cookies.
Authentication Flow
Credentials (Email/Password)
- User submits email and password to the login form.
- The credentials provider validates the password against the bcrypt hash stored in the database.
- On success, a JWT session token is created and set as an HTTP-only cookie.
- Subsequent requests include the cookie automatically.
Google OAuth
- User clicks "Continue with Google".
- They are redirected to Google's consent screen.
- After authorization, Google redirects back to PlayRen with an authorization code.
- NextAuth exchanges the code for user information and creates or links the account.
- A JWT session token is created and set as a cookie.
Session Endpoints
Get Current Session
GET /api/auth/session
Returns the current user's session data if authenticated.
Response (authenticated):
{
"user": {
"id": "clx1234...",
"name": "Alex Player",
"email": "alex@example.com",
"image": "https://lh3.googleusercontent.com/..."
},
"expires": "2025-04-01T00:00:00.000Z"
}Response (not authenticated):
{}Sign In
POST /api/auth/callback/credentials
Content-Type: application/x-www-form-urlencoded
Parameters:
| Field | Type | Description |
|---|---|---|
email | string | User's email address |
password | string | User's password |
csrfToken | string | CSRF token from /api/auth/csrf |
On success, sets a session cookie and redirects to the callback URL.
Sign Out
POST /api/auth/signout
Content-Type: application/x-www-form-urlencoded
Parameters:
| Field | Type | Description |
|---|---|---|
csrfToken | string | CSRF token from /api/auth/csrf |
Clears the session cookie and redirects to the homepage.
Get CSRF Token
GET /api/auth/csrf
Returns a CSRF token required for sign-in and sign-out POST requests.
Response:
{
"csrfToken": "abc123..."
}JWT Token Structure
The JWT token is stored in a secure, HTTP-only, SameSite cookie named next-auth.session-token (or __Secure-next-auth.session-token in production).
The token payload includes:
sub— the user's database ID.name— display name.email— email address.iat— issued at timestamp.exp— expiration timestamp.
Tokens expire after 30 days by default. Each request with a valid token extends the session.
API Route Protection
All protected API routes check for a valid session using NextAuth's auth() helper:
import { auth } from "@/lib/auth";
export async function GET(request: Request) {
const session = await auth();
if (!session?.user) {
return Response.json({ error: "unauthorized" }, { status: 401 });
}
// ... handle authenticated request
}Rate Limiting
Login attempts are rate-limited to prevent brute-force attacks:
- 5 failed attempts within 15 minutes triggers a temporary lockout.
- The lockout duration increases with repeated failures.
- Successful login resets the counter.
Rate limiting is tracked per email address in the login_attempts database table.
Next Steps
- Games API — Browse and query the game catalog.
- Sessions API — Launch, manage, and stop game sessions.
- Error Codes — Common error responses.