Authentication
Google OAuth sign-in with database-backed sessions, via Auth.js (NextAuth v5) and the Prisma adapter. It gates the investigator workbench and ties every forensic action to an identified actor.
What it is
- Surfaces — the `/` landing page (Sign in with Google), `/app` (the workbench, auth-gated), and the `GET`/`POST` `/api/auth/[...nextauth]` route handler.
- Code — `src/auth.ts` (the Auth.js config) and the `User`, `Account`, `Session`, `VerificationToken` Prisma models.
How it works
The session strategy is database-backed, not JWT. That is a forensic choice: an audit event can reference a real `Session` and `User` row as the actor. Without a session, `/app` redirects to the landing page; `auth()` from `src/auth.ts` is the single session accessor that every gated page and route uses.
Database sessions cost a query per request that JWT would not — but the chain-of-custody needs a durable actor row to point at, and that is worth more than the saved round-trip.
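The gate and the actor reference described above, as an added example that is not the project's code: in-memory tables stand in for the Prisma `Session` and `User` queries, the cookie values and row ids are constructed, and the audit event references `Session.id` rather than the bearer `sessionToken` (an assumption about the schema; the real `auth()` is supplied by Auth.js).

```typescript
// Added example, not src/auth.ts. Field names follow the Auth.js Prisma models;
// Session.id / User.id and the sample rows below are constructed.
interface User { id: string; email: string }
interface Session { id: string; sessionToken: string; userId: string; expires: Date }

// Constructed rows standing in for the User and Session tables.
const users: User[] = [{ id: "usr_1", email: "analyst@example.test" }];
const sessions: Session[] = [
  { id: "ses_1", sessionToken: "tok_live", userId: "usr_1", expires: new Date("2030-01-01T00:00:00Z") },
  { id: "ses_2", sessionToken: "tok_stale", userId: "usr_1", expires: new Date("2020-01-01T00:00:00Z") },
];

interface Actor { session: Session; user: User }

// Stand-in for auth(): resolve the session cookie to a live Session row and its User row.
// A missing, unknown or expired row means "not signed in" (database-backed, no JWT parsing).
function resolveActor(cookieToken: string | undefined, now: Date): Actor | null {
  if (!cookieToken) return null;
  const session = sessions.find((s) => s.sessionToken === cookieToken);
  if (!session || session.expires <= now) return null;
  const user = users.find((u) => u.id === session.userId);
  return user ? { session, user } : null;
}

// Gate for /app: without an actor, redirect to the landing page; otherwise hand the actor on.
function gateApp(cookieToken: string | undefined, now: Date): { redirect: string } | { actor: Actor } {
  const actor = resolveActor(cookieToken, now);
  return actor ? { actor } : { redirect: "/" };
}

interface AuditEvent { action: string; actorUserId: string; actorSessionId: string; at: string }

// Every forensic action records the real User and Session row ids as the actor.
// The row id, not the bearer sessionToken, goes into the audit trail so the log
// never holds a credential that could still be replayed.
function auditEvent(actor: Actor, action: string, now: Date): AuditEvent {
  return {
    action,
    actorUserId: actor.user.id,
    actorSessionId: actor.session.id,
    at: now.toISOString(),
  };
}
```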
Why it matters
Identity is a precondition for chain-of-custody. An analyst's actions are attributable; an auditor can see who exported which evidence. Seat/team modelling and a role/permission model extend these models and routes — they do not add a parallel auth surface.