Overview
Aurora uses a credentials-based authentication system powered by Auth.js (formerly NextAuth.js). The authentication flow uses email/password credentials with secure bcrypt password hashing.Authentication Flow
- User Registration: Users create an account with email, password, and optional name
- User Login: Users authenticate with email and password
- Session Management: Auth.js manages user sessions via the
X-User-IDheader - API Authorization: All API requests must include the
X-User-IDheader from the Auth.js session
Security Features
- Password Hashing: Passwords are hashed using bcrypt with automatically generated salts
- Timing Attack Prevention: Login endpoint uses constant-time password verification
- Session-based Auth: Stateless authentication using Auth.js session management
- CORS Protection: Configurable CORS headers with credential support
Authentication Headers
All authenticated API requests must include:Base URL
All authentication endpoints are under:Available Endpoints
User Registration
Create a new user account
User Login
Authenticate with email and password
Change Password
Update user password
Password Requirements
- Minimum length: 8 characters
- No complexity requirements (for user convenience)
- Stored as bcrypt hash with salt
Error Handling
All authentication endpoints return JSON error responses:200- Success201- Created (registration)400- Bad request (validation error)401- Unauthorized (invalid credentials)409- Conflict (user already exists)500- Internal server error
CORS Configuration
Authentication endpoints support CORS with:- Allowed Origins: Dynamic based on request origin (defaults to
FRONTEND_URL) - Allowed Methods:
GET, POST, PUT, DELETE, OPTIONS - Allowed Headers:
Content-Type, X-Provider, X-Requested-With, X-User-ID, Authorization - Credentials: Supported (
Access-Control-Allow-Credentials: true)