Cerberus uses Google OAuth via Auth.js v5 (next-auth beta). The app uses a JWT session strategy (no Auth.js Session / Account tables in Prisma).
- Login UI: `/login`; the client calls `signIn("google", { callbackUrl: "/vault" })`.
- Auth API: `/api/auth/*` (OAuth callback, session endpoint, etc.).
Configure the Google Cloud Console OAuth client with authorized redirect URI:
{AUTH_URL}/api/auth/callback/google
In src/auth.ts, the signIn callback allows users only if:
user.email.toLowerCase().endsWith(`@${ALLOWED_EMAIL_DOMAIN}`)
Set ALLOWED_EMAIL_DOMAIN to your workspace domain (e.g. acme.com), without a leading `@`. Because the check prepends `@`, it is an exact-domain match: user@acme.com is allowed, but user@mail.acme.com is not, and neither is user@acme.com.evil.example or user@notacme.com. Adjust the callback if you need to accept subdomains. Note that this callback looks only at the email suffix; it does not consult Google's `email_verified` or Workspace `hd` claims, so add those checks if you want a stronger guarantee that the account is a verified member of your workspace.
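The allow-list logic as a stand-alone function, added here as an illustration and not copied from Cerberus's `src/auth.ts`. It reproduces the repo's exact-domain behaviour by default and shows the two extensions mentioned above: an opt-in subdomain mode and a check of Google's `email_verified` claim. The `GoogleProfileLike` shape, the `isAllowedEmail` name and the `requireVerified` default are assumptions of this example; the wiring into the Auth.js `signIn` callback is sketched only as a comment.

```typescript
// Added example, not the project's code. Pure allow-list logic that a
// signIn callback can delegate to. `GoogleProfileLike` mirrors the fields
// Google's OIDC id_token carries (`email`, `email_verified`); requiring
// `email_verified` is an assumption of this example, not the repo's check.

interface GoogleProfileLike {
  email?: string | null;
  email_verified?: boolean;
}

interface AllowOptions {
  /** Allowed Workspace domain, e.g. "acme.com" (no leading "@"). */
  allowedDomain: string | undefined;
  /** Also accept user@sub.acme.com. Default false, matching endsWith("@domain"). */
  allowSubdomains?: boolean;
  /** Reject accounts whose email Google has not verified. Default true (assumed). */
  requireVerified?: boolean;
}

function isAllowedEmail(profile: GoogleProfileLike, opts: AllowOptions): boolean {
  const { allowSubdomains = false, requireVerified = true } = opts;
  const domain = (opts.allowedDomain ?? "").trim().toLowerCase();
  // A missing or empty ALLOWED_EMAIL_DOMAIN must fail closed, never open.
  if (domain === "") return false;
  if (requireVerified && profile.email_verified !== true) return false;

  const email = (profile.email ?? "").trim().toLowerCase();
  const at = email.lastIndexOf("@");
  // No local part, no "@", or nothing after "@": not a usable address.
  if (at <= 0 || at === email.length - 1) return false;
  const host = email.slice(at + 1);

  // Exact match is the repo's behaviour: "@acme.com" suffix only.
  if (host === domain) return true;
  // Opt-in: accept hosts that are proper subdomains of the allowed domain.
  // Comparing on "." + domain keeps "acme.com.evil.example" out.
  return allowSubdomains && host.endsWith("." + domain);
}

// Sketch of how a signIn callback would use it (hypothetical wiring):
//   callbacks: {
//     signIn: ({ profile }) =>
//       isAllowedEmail(profile as GoogleProfileLike, { allowedDomain: ALLOWED_EMAIL_DOMAIN }),
//   }
function signInDecision(profile: GoogleProfileLike, allowedDomain: string | undefined): boolean {
  return isAllowedEmail(profile, { allowedDomain });
}
```

Keep `allowSubdomains` off unless every subdomain of the workspace is under your control; once it is on, anyone who can obtain a Google account on any `*.acme.com` host passes the gate.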
- Sessions: JWT cookies. `auth()` resolves `session.user.id` and `session.user.isOwner` from the token without reading a session table.
- Users: on first sign-in, `src/auth.ts` upserts a row in PostgreSQL (`users`) so vault ACLs and access tokens can reference stable user IDs.
Protected tRPC procedures require ctx.session.user from auth().
`/vault/**` layouts call `auth()` on the server and `redirect("/login")` when unauthenticated. There is deliberately no Edge middleware in this repo, so that the Prisma client never runs on the Edge runtime. The consequence is that route protection is per layout and per procedure, not global: any new page or server route outside `/vault/**` must call `auth()` itself.