What is NextAuth v5 and how does it relate to this scaffold?

NextAuth v5 is the auth framework used here. The scaffold generates an auth.ts with providers, adapters, and JWT session handling to support RBAC and route protection.

How do I customize the sign-in page or add RBAC to routes?

Configure the signIn page in the NextAuth config and implement middleware-based or route-based RBAC checks that read the user role from the session or token.

How do I access the user role on the client?

Read session data (session.user.role) exposed by the NextAuth client, which is populated from the JWT token via the callbacks.

auth-scaffold

npx machina-cli add skill Nembie/claude-code-skills/auth-scaffold --openclaw

Files (1)

SKILL.md

9.4 KB

Auth Scaffold

Before generating any output, read config/defaults.md and adapt all patterns, imports, and code examples to the user's configured stack.

Generation Process

Determine auth requirements (providers, session strategy, RBAC)
Generate Auth.js configuration
Generate auth helper and route handler
Generate sign-in/sign-out components
Generate middleware for route protection

Auth.js Configuration

Create auth.ts at the project root:

import NextAuth from 'next-auth';
import Credentials from 'next-auth/providers/credentials';
import Google from 'next-auth/providers/google';
import GitHub from 'next-auth/providers/github';
import { PrismaAdapter } from '@auth/prisma-adapter';
import { prisma } from '@/lib/prisma';
import { z } from 'zod';
import bcrypt from 'bcryptjs';

const loginSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
});

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  session: { strategy: 'jwt' },
  pages: {
    signIn: '/login',
  },
  providers: [
    Google({
      clientId: process.env.AUTH_GOOGLE_ID,
      clientSecret: process.env.AUTH_GOOGLE_SECRET,
    }),
    GitHub({
      clientId: process.env.AUTH_GITHUB_ID,
      clientSecret: process.env.AUTH_GITHUB_SECRET,
    }),
    Credentials({
      async authorize(credentials) {
        const parsed = loginSchema.safeParse(credentials);
        if (!parsed.success) return null;

        const user = await prisma.user.findUnique({
          where: { email: parsed.data.email },
        });

        if (!user?.hashedPassword) return null;

        const valid = await bcrypt.compare(parsed.data.password, user.hashedPassword);
        if (!valid) return null;

        return { id: user.id, name: user.name, email: user.email, role: user.role };
      },
    }),
  ],
  callbacks: {
    async jwt({ token, user }) {
      if (user) {
        token.role = user.role;
      }
      return token;
    },
    async session({ session, token }) {
      if (session.user) {
        session.user.id = token.sub!;
        session.user.role = token.role as string;
      }
      return session;
    },
  },
});

Prisma Schema Extension

Add these models required by Auth.js to prisma/schema.prisma:

enum Role {
  USER
  ADMIN
}

model User {
  id             String    @id @default(cuid())
  name           String?
  email          String?   @unique
  emailVerified  DateTime?
  image          String?
  hashedPassword String?
  role           Role      @default(USER)
  accounts       Account[]
  sessions       Session[]
  createdAt      DateTime  @default(now())
  updatedAt      DateTime  @updatedAt
}

model Account {
  id                String  @id @default(cuid())
  userId            String
  type              String
  provider          String
  providerAccountId String
  refresh_token     String? @db.Text
  access_token      String? @db.Text
  expires_at        Int?
  token_type        String?
  scope             String?
  id_token          String? @db.Text
  session_state     String?
  user              User    @relation(fields: [userId], references: [id], onDelete: Cascade)

  @@unique([provider, providerAccountId])
}

model Session {
  id           String   @id @default(cuid())
  sessionToken String   @unique
  userId       String
  expires      DateTime
  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
}

model VerificationToken {
  identifier String
  token      String   @unique
  expires    DateTime

  @@unique([identifier, token])
}

Route Handler

Create app/api/auth/[...nextauth]/route.ts:

import { handlers } from '@/auth';

export const { GET, POST } = handlers;

Auth Helper

Create lib/auth.ts for convenient session access:

import { auth } from '@/auth';
import { redirect } from 'next/navigation';

export { auth } from '@/auth';

export async function requireAuth() {
  const session = await auth();
  if (!session?.user) {
    redirect('/login');
  }
  return session;
}

export async function requireRole(role: string) {
  const session = await requireAuth();
  if (session.user.role !== role) {
    redirect('/unauthorized');
  }
  return session;
}

Middleware Protection

Create middleware.ts at the project root:

import { auth } from '@/auth';
import { NextResponse } from 'next/server';

const protectedRoutes = ['/dashboard', '/settings', '/admin'];
const adminRoutes = ['/admin'];
const authRoutes = ['/login', '/register'];

export default auth((req) => {
  const { pathname } = req.nextUrl;
  const isLoggedIn = !!req.auth;
  const userRole = req.auth?.user?.role;

  // Redirect logged-in users away from auth pages
  if (isLoggedIn && authRoutes.some((route) => pathname.startsWith(route))) {
    return NextResponse.redirect(new URL('/dashboard', req.url));
  }

  // Protect authenticated routes
  if (!isLoggedIn && protectedRoutes.some((route) => pathname.startsWith(route))) {
    const callbackUrl = encodeURIComponent(pathname);
    return NextResponse.redirect(new URL(`/login?callbackUrl=${callbackUrl}`, req.url));
  }

  // Protect admin routes
  if (adminRoutes.some((route) => pathname.startsWith(route)) && userRole !== 'ADMIN') {
    return NextResponse.redirect(new URL('/unauthorized', req.url));
  }

  return NextResponse.next();
});

export const config = {
  matcher: ['/((?!api/auth|_next/static|_next/image|favicon.ico).*)'],
};

Sign-In / Sign-Out Components

Sign-In Button (Client Component)

'use client';

import { signIn } from 'next-auth/react';

interface SignInButtonProps {
  provider: 'google' | 'github' | 'credentials';
  children: React.ReactNode;
  className?: string;
}

export function SignInButton({ provider, children, className }: SignInButtonProps) {
  return (
    <button
      onClick={() => signIn(provider, { callbackUrl: '/dashboard' })}
      className={className}
    >
      {children}
    </button>
  );
}

Sign-Out Button (Client Component)

'use client';

import { signOut } from 'next-auth/react';

interface SignOutButtonProps {
  children?: React.ReactNode;
  className?: string;
}

export function SignOutButton({ children = 'Sign out', className }: SignOutButtonProps) {
  return (
    <button
      onClick={() => signOut({ callbackUrl: '/' })}
      className={className}
    >
      {children}
    </button>
  );
}

Session Provider (Layout)

Wrap the root layout to enable useSession in client components:

import { SessionProvider } from 'next-auth/react';

export default function RootLayout({ children }: { children: React.ReactNode }) {
  return (
    <html lang="en">
      <body>
        <SessionProvider>{children}</SessionProvider>
      </body>
    </html>
  );
}

Session Access Patterns

Server Component

import { auth } from '@/lib/auth';

export default async function ProfilePage() {
  const session = await auth();
  if (!session?.user) return <p>Not authenticated</p>;

  return <p>Welcome, {session.user.name}</p>;
}

Client Component

'use client';

import { useSession } from 'next-auth/react';

export function UserMenu() {
  const { data: session, status } = useSession();

  if (status === 'loading') return <span aria-busy="true">Loading...</span>;
  if (!session) return null;

  return <span>{session.user?.name}</span>;
}

API Route

import { auth } from '@/auth';
import { NextResponse } from 'next/server';

export async function GET() {
  const session = await auth();
  if (!session) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  }

  return NextResponse.json({ user: session.user });
}

Server Action

'use server';

import { auth } from '@/auth';

export async function updateProfile(formData: FormData) {
  const session = await auth();
  if (!session?.user) throw new Error('Unauthorized');

  // Proceed with update
}

Environment Variables

Add to .env.local:

AUTH_SECRET=          # Generate with: npx auth secret
AUTH_GOOGLE_ID=       # Google OAuth client ID
AUTH_GOOGLE_SECRET=   # Google OAuth client secret
AUTH_GITHUB_ID=       # GitHub OAuth client ID
AUTH_GITHUB_SECRET=   # GitHub OAuth client secret

Type Extension

Extend the Auth.js types in types/next-auth.d.ts:

import { DefaultSession } from 'next-auth';

declare module 'next-auth' {
  interface User {
    role?: string;
  }

  interface Session {
    user: {
      id: string;
      role: string;
    } & DefaultSession['user'];
  }
}

declare module 'next-auth/jwt' {
  interface JWT {
    role?: string;
  }
}

Integration Check

After generating the auth scaffold, verify that: the Prisma schema includes all four Auth.js models (User, Account, Session, VerificationToken), the route handler exports GET and POST from handlers, the middleware matcher excludes api/auth routes, the JWT callback passes the role to the session, and AUTH_SECRET is listed in .env.local. If using RBAC, verify the requireRole helper is used in protected server components and API routes.

Asset

See assets/auth-config/auth.ts for a minimal starter Auth.js configuration.

Source

git clone https://github.com/Nembie/claude-code-skills/blob/main/skills/auth-scaffold/SKILL.mdView on GitHub

Overview

Sets up a complete authentication layer with NextAuth v5, including Google, GitHub, and credential providers, Prisma adapter, and JWT-based sessions. It also adds role-based access control, sign-in/out flows, and route-protection middleware to secure pages and APIs.

How This Skill Works

The scaffold generates an auth.ts at the project root that wires NextAuth with PrismaAdapter, configures providers (Google, GitHub, and Credentials), and defines a zod login schema with bcrypt-based password verification. It implements JWT callbacks to embed the user role in tokens and a session callback to expose the role on the client, then creates helper routes, sign-in/out components, and middleware to protect routes.

When to Use It

Need to add login for a Next.js app with social and credential providers.
Protect sensitive routes and APIs with middleware-based access control.
Implement role-based access (RBAC) across dashboards (e.g., ADMIN vs USER).
Set up a ready-made sign-in page at /login and a consistent auth flow.
Integrate with Prisma-backed user storage and password hashing.

Quick Start

Step 1: Install dependencies, set up Prisma schema, and create a User model with role.
Step 2: Create auth.ts at project root configuring NextAuth with PrismaAdapter, providers, bcrypt-based authorize, and JWT/session callbacks.
Step 3: Add middleware to protect routes, implement sign-in/out pages, and wire up RBAC checks in your UI.

Best Practices

Define a clear Role enum and enforce RBAC in middleware and UI components.
Store hashed passwords (bcrypt) and validate via a strict login schema (zod).
Keep provider keys and secrets in environment variables; configure signIn page if needed.
Propagate user.role through JWT and session so client and server share RBAC state.
Test both social and credential login flows and guard protected routes thoroughly.

Example Use Cases

Admin dashboard accessible only to users with ADMIN role.
SaaS app with Google or GitHub login plus email/password fallback.
Protected Next.js API routes guarded by custom middleware.
Custom sign-in page at /login with RBAC-aware redirects.
Prisma-backed User model with role field and RBAC in access checks.

Frequently Asked Questions

Add this skill to your agents