Authentication
At the end of the previous chapter, the app had a real shell, but it still did not know how to sign users in. In this chapter, we connect the app to Supabase Auth, add the stock JSKIT login and sign-out routes, and inspect the files that make authentication visible in the shell.
This chapter still does not add the database-backed users layer. That is intentional. It lets us see the authentication pieces clearly before account pages, profile storage, and workspace membership are added later.
To get back to the same starting point as the end of the previous chapter, run:
npx @jskit-ai/create-app exampleapp --tenancy-mode none
cd exampleapp
npm installIf you are already continuing from the previous chapter, you are already in the right place and can skip that setup.
Installing the auth layer
From inside exampleapp, run:
npx jskit add package auth-provider-supabase-core \
--auth-supabase-url "https://YOUR-PROJECT.supabase.co" \
--auth-supabase-publishable-key "sb_publishable_..." \
--app-public-url "http://localhost:5173"
npx jskit add bundle auth-base
npm installThe first command is the provider step. It tells JSKIT which authentication backend to use and writes the project-specific values into the app.
The second command adds the web auth layer. auth-base is a small bundle, not a black box: in practice it adds auth-core and auth-web, which together provide the auth routes, the auth surface, and the stock login and sign-out screens.
The final npm install matters for the same reason it did in the shell chapter: jskit add rewrites the scaffold and updates package.json, but npm install is what actually downloads the newly referenced runtime packages.
Running it
Authentication needs both the browser-facing dev server and the backend runtime, so start both:
npm run dev
npm run serverThen open http://localhost:5173/auth/login in the browser.

The login page is real, and it already contains several different auth modes behind the same card.
- Sign in is the normal email-and-password flow.
- Register creates a new Supabase auth user.
- Forgot password? requests a password reset email.
- Use one-time code switches to an email OTP login flow.
- Remember this account on this device stores a small local hint in browser storage so the next visit can greet the last-used account and let the user keep that email preselected.
If you go back to http://localhost:5173/home, the shell also has a small auth widget in the status area. When you are signed out it shows a guest state and a menu entry that leads to /auth/login. After you sign in, the same placement changes to a sign-out menu.
Reading the screen carefully
The login card is not a single form. It is a small state machine that switches between several modes.
Normal sign-in mode
This is the first screen you see.
- The
Emailfield is validated as an email address. - The
Passwordfield is validated with the password rules from the shared auth command schema. - The eye icon only changes whether the password is visible in the browser.
- The main
Sign inbutton posts toPOST /api/login. - If sign-in succeeds, JSKIT refreshes the current session and redirects back to the requested return path.
The small links under the password field are not decoration.
Forgot password?switches the card into password-reset-request mode.Use one-time codeswitches the card into OTP mode.
Register mode
When the user presses Register, the form changes in three important ways.
- The screen shows the
Create your accounttitle. - A
Confirm passwordfield appears. - The main submit button changes from
Sign intoRegister.
Pressing Register sends a sign-up request to Supabase through POST /api/register. JSKIT also sends a starter display_name value derived from the email prefix, so a user registering as alice@example.com starts with a display name like alice.
What happens next depends on Supabase's email-confirmation settings.
- If email confirmation is required, Supabase creates the user immediately but does not return a live session. The card then switches to a dedicated confirmation state.
- If email confirmation is not required, the user is registered and signed in immediately.
Email-confirmation state
If Supabase requires confirmation, the screen changes again.
- The mode-switch buttons disappear.
- The card shows a confirmation message instead of the email/password fields.
Go to main screenreturns to the app.Resend confirmation emailcallsPOST /api/register/confirmation/resend.Back to sign inreturns to the normal login mode.
This matters because a junior developer might otherwise assume registration failed. In reality, the user usually already exists in Supabase at this point; they just do not have an active session yet.
One-time-code mode
Use one-time code changes the form again.
- The password field disappears.
- A
One-time codefield appears. - A secondary button called
Send one-time codeappears. - The main button changes to
Verify code.
Those two buttons do different jobs.
Send one-time coderequests the email throughPOST /api/login/otp/request.Verify codesubmits the code throughPOST /api/login/otp/verify.
JSKIT asks Supabase to send OTP login emails only for existing users. In other words, this flow is for signing in, not for silently creating a new account.
Password-reset-request mode
Forgot password? does not immediately let the user type a new password. It switches to a reset-request mode.
- The password field disappears.
- The main button changes to
Send reset instructions. - Submitting this screen calls
POST /api/password/forgot.
That endpoint asks Supabase to send a password reset email. In this chapter's scaffold, this mode is only the request step.
The backend already supports the later recovery endpoints too, but the chapter's simple app does not yet scaffold a dedicated app-owned reset-password page. So at this stage, the guide should be read as: the screen can request recovery emails, while the full browser-side password-reset completion UI is still something you would add explicitly in the app.
Remembered account behavior
The checkbox Remember this account on this device is also worth understanding.
If it stays checked and the user successfully signs in, registers, or verifies an OTP code, JSKIT stores a small browser-local hint with:
- the normalized email address
- a masked version of the email
- a display name
- a
lastUsedAttimestamp
On the next visit, the card can show a Welcome back, ... panel and a Use another account button. This is only a browser convenience feature. It is not a second authentication factor, and it is not a server-side session store.
OAuth buttons
The screen is also ready to show OAuth provider buttons, but only if providers are configured.
For this chapter, config.server.js keeps this empty:
config.auth ||= {};
config.auth.profileMode = "standalone";
config.auth.oauth = {
providers: [],
defaultProvider: ""
};That is why the login card in this chapter does not show buttons like Continue with Google.
To turn on Google later, there are two separate setup steps.
First, configure Google and Supabase:
- In Google Auth Platform, create a Web application OAuth client.
- Add your browser URLs as Authorized JavaScript origins.
- In Supabase, open the Google provider settings and copy the provider callback URL shown there.
- Add that Supabase callback URL as an Authorized redirect URI on the Google OAuth client.
- Back in Supabase, paste the Google Client ID and Client Secret into the Google provider settings and enable the provider.
- Make sure Supabase's Site URL and Redirect URLs still match the real browser URL your app uses.
Then tell JSKIT to expose the provider in the login UI:
config.auth ||= {};
config.auth.oauth = {
providers: ["google"],
defaultProvider: "google"
};providers controls which OAuth buttons the stock login screen is allowed to render. defaultProvider tells JSKIT which provider to prefer when it needs a default choice. If the provider is configured in Supabase but missing from this list, the button still does not appear in the JSKIT login screen.
Using auth in your own app
The most important thing this chapter gives you is not just a login page. It gives you three real app-building tools:
- a route-level auth guard
- auth-aware placement predicates
- a client-side auth composable you can read in your own components
Those are different tools, and they do different jobs.
- A route guard protects a URL.
- A placement predicate controls whether a menu entry or widget is visible.
- The auth composable lets your component react to the current session state.
That separation matters. Protecting a route does not automatically hide a menu entry, and hiding a menu entry does not protect a route.
Start with a normal public page
Generate a simple page under the public home surface:
npx jskit generate ui-generator page home/reports/index.vue --name "Reports"At this point the page is still public, because home is a public surface. JSKIT creates:
src/pages/home/reports/index.vue- a new menu placement in
src/placement.js
The placement entry is just a normal shell link:
addPlacement({
id: "ui-generator.page.home.reports.link",
target: "shell.primary-nav",
kind: "link",
surfaces: ["home"],
order: 155,
props: {
label: "Reports",
surface: "home",
scopedSuffix: "/reports",
unscopedSuffix: "/reports"
}
});And the page file itself is a normal generated empty-state screen:
<template>
<section class="generated-page-screen d-flex flex-column ga-4">
<header>
<p class="text-overline text-medium-emphasis mb-1">Screen</p>
<h1 class="generated-page-screen__title">Reports</h1>
</header>
<v-sheet rounded="lg" border class="generated-page-screen__empty-state">
<h2 class="text-h6 mb-2">No Reports activity yet</h2>
<p class="text-body-2 text-medium-emphasis mb-0">
Activity and actions for this screen will appear here.
</p>
</v-sheet>
</section>
</template>So immediately after generation:
- the
Reportsmenu entry is visible to everyone /home/reportsis reachable by everyone
Gate the page behind login
To make the route require login, add a route guard block to src/pages/home/reports/index.vue:
<route lang="json">
{
"meta": {
"guard": {
"policy": "authenticated"
}
}
}
</route>
<template>
<section class="generated-page-screen d-flex flex-column ga-4">
<header>
<p class="text-overline text-medium-emphasis mb-1">Screen</p>
<h1 class="generated-page-screen__title">Reports</h1>
</header>
<v-sheet rounded="lg" border class="generated-page-screen__empty-state">
<h2 class="text-h6 mb-2">No Reports activity yet</h2>
<p class="text-body-2 text-medium-emphasis mb-0">
Activity and actions for this screen will appear here.
</p>
</v-sheet>
</section>
</template>That one change protects the route itself. If a signed-out user tries to visit /home/reports, the auth guard runtime redirects them to the login route instead of letting the page render.
The redirect also keeps the requested target. In practice the browser ends up on a login URL shaped like this:
/auth/login?returnTo=%2Fhome%2FreportsSo after login, JSKIT can send the user back to the page they originally asked for.
Hide the menu entry when signed out
The route is protected, but the drawer link is still visible. That is expected. Route protection and shell visibility are separate concerns.
To hide the Reports menu entry until the user is logged in, update the placement entry in src/placement.js:
addPlacement({
id: "ui-generator.page.home.reports.link",
target: "shell.primary-nav",
kind: "link",
surfaces: ["home"],
order: 155,
props: {
label: "Reports",
surface: "home",
scopedSuffix: "/reports",
unscopedSuffix: "/reports"
},
// Added: only show this menu entry when the current auth context is authenticated.
when: ({ auth }) => Boolean(auth?.authenticated)
});The only new part is the when(...) line. That predicate is evaluated by the shell placement runtime using the auth context that auth-web injects from /api/session.
So the behavior becomes:
- signed out:
- the
Reportsdrawer entry disappears - visiting
/home/reportsmanually still redirects to/auth/login
- the
- signed in:
- the
Reportsdrawer entry appears /home/reportsrenders normally
- the
This is the most important pattern to understand: use the guard to protect the route, and use the placement when(...) function to control whether the shell exposes a link to it.
Read auth state in your own page code
Sometimes you do not want to redirect or hide a menu entry. You just want the page to react differently when a user is logged in.
For that, use useAuthStore() from auth-web. By this point in the guide the scaffold already has Pinia installed from day 0, and shell-web has already shown the same store-facing pattern for shell UI state. auth-web adds the auth version of that pattern: a Pinia store facade over the underlying auth runtime, so normal Vue code can read the session state without manually wiring subscriptions.
Here is a small example that changes src/pages/home/index.vue so it shows a success message when the session is authenticated:
<script setup>
import { useAuthStore } from "@jskit-ai/auth-web/client";
const auth = useAuthStore();
</script>
<template>
<section class="pa-4">
<v-alert v-if="auth.authenticated" type="success" variant="tonal" class="mb-4">
You are logged in!
</v-alert>
<h1 class="text-h5 mb-2">Home</h1>
<p class="text-body-2 text-medium-emphasis">Your account session is active on this device.</p>
</section>
</template>The important thing about that snippet is how little it needs to know. auth.authenticated is already reactive through Pinia, so the banner updates automatically when the session changes.
useAuthStore() also gives you the rest of the surfaced auth state and the lower-level runtime methods when you need them:
authStateauthenticatedusernameoauthProvidersoauthDefaultProviderinitialize()refresh()getState()subscribe()runtime
If you need one of those methods, keep the whole auth object instead of only destructuring a single ref:
<script setup>
import { useAuthStore } from "@jskit-ai/auth-web/client";
const auth = useAuthStore();
async function refreshSession() {
await auth.refresh();
console.log(auth.getState());
}
</script>So this is not just useful for a demo banner. It is the same mechanism you would use for:
- guest vs authenticated copy
- showing a call-to-action only for signed-out users
- enabling a tool panel only for authenticated users
- rendering a user-specific welcome message
The three auth tools, side by side
By this point the surfaced auth API should be clearer:
- route file meta:
- use
"policy": "authenticated"when the page itself must be protected
- use
- placement entry:
- use
when: ({ auth }) => Boolean(auth?.authenticated)when shell UI should only appear for signed-in users
- use
- component code:
- use
useAuthStore()when the page needs to react to auth state directly
- use
That is the real development payoff of this chapter. The login system is not just a screen. It gives the app a reusable auth state model that routing, shell placements, and component code can all use.
At this point the guide has shown three distinct layers of client state:
- the scaffold installs Pinia but does not expose any package stores yet
shell-webadds shell-facing stores such asuseShellLayoutStore()auth-webaddsuseAuthStore()for authentication state
That progression is intentional. Packages keep their operational runtimes internally, but the app-facing shared state they surface to Vue code is store-based.
What auth-base adds to the app
The interesting part of this chapter is that authentication appears in several different layers at once: environment config, public routing config, shell placements, and app-owned view wrappers.
The first new place to inspect is package.json:
{
"scripts": {
"server:auth": "SERVER_SURFACE=auth node ./bin/server.js",
"dev:auth": "VITE_SURFACE=auth vite",
"build:auth": "VITE_SURFACE=auth vite build"
},
"dependencies": {
"@jskit-ai/auth-core": "0.x",
"@jskit-ai/auth-provider-supabase-core": "0.x",
"@jskit-ai/auth-web": "0.x"
}
}Three things are worth noticing immediately.
auth-provider-supabase-coreis the provider-specific runtime.auth-webis the part that adds the web routes and the default auth UI.- there is an
authsurface-specific dev/build script family, just ashomealready had.
The provider command also writes a new .env file:
AUTH_PROVIDER=supabase
AUTH_SUPABASE_URL=https://YOUR-PROJECT.supabase.co
AUTH_SUPABASE_PUBLISHABLE_KEY=sb_publishable_...
APP_PUBLIC_URL=http://localhost:5173This is the bridge between the scaffold and your real Supabase project. APP_PUBLIC_URL matters because auth emails and callback flows need to know which browser URL they should return to.
Public routing config changes too. config/public.js has a second surface:
config.surfaceDefinitions.auth = {
id: "auth",
label: "Auth",
pagesRoot: "auth",
enabled: true,
requiresAuth: false,
requiresWorkspace: false,
origin: ""
};That requiresAuth: false line is important. The auth surface must stay public, otherwise users would need to be logged in before they could reach the login page.
config/server.js also gets an auth stub:
config.auth ||= {};
config.auth.profileMode = "standalone";
config.auth.oauth = {
providers: [],
defaultProvider: ""
};That small block explains a lot of the default login screen and auth profile behavior. profileMode: "standalone" keeps this auth-only chapter on the temporary app-side profile mirror. The stock UI is ready for OAuth providers such as Google, but this chapter keeps the provider list empty, so the page only shows the email/password and one-time-code flows. Later, if you enable a provider in Supabase and list it here, the same login screen can expose that button too.
The auth routes themselves are app-owned wrappers around the module-supplied default views. src/pages/auth/login.vue looks like this:
<route lang="json">
{
"meta": {
"guard": {
"policy": "public"
}
}
}
</route>
<script setup>
import DefaultLoginView from "@jskit-ai/auth-web/client/views/DefaultLoginView";
</script>
<template>
<DefaultLoginView />
</template>There are two important ideas in that small file.
- The route is explicitly public.
- The app owns the page wrapper even though the actual stock login form comes from the installed module.
The meta.guard block is ordinary route metadata, not a special auth-only API. The file-based router plugin turns <route lang="json"> into a normal Vue Router meta object first, and then JSKIT reads meta.guard.policy during navigation. That same mechanism is used elsewhere in the app too.
That pattern gives you a clean customization seam later. The module supplies a working default, but the app still owns the route file and can replace or wrap the view if needed.
Authentication also becomes visible in the shell through src/placement.js:
addPlacement({
id: "auth.profile.widget",
target: "shell.status",
kind: "component",
surfaces: ["*"],
order: 1000,
componentToken: "auth.web.profile.widget"
});
addPlacement({
id: "auth.profile.menu.sign-in",
target: "auth.profile-menu",
kind: "link",
surfaces: ["*"],
order: 200,
props: {
label: "Sign in",
to: "/auth/login"
},
when: ({ auth }) => !Boolean(auth?.authenticated)
});
addPlacement({
id: "auth.profile.menu.sign-out",
target: "auth.profile-menu",
kind: "link",
surfaces: ["*"],
order: 1000,
props: {
label: "Sign out",
to: "/auth/signout"
},
when: ({ auth }) => Boolean(auth?.authenticated)
});This is the shell placement system from the previous chapter doing real work again. auth-web does not hard-code a permanent auth button into ShellLayout.vue. Instead, it contributes the profile widget into the semantic shell.status placement and contributes sign-in/sign-out links into the semantic auth.profile-menu placement. Topology maps those semantic targets to concrete outlets and renderers.
So the auth story in this chapter is spread across clear responsibilities:
.envtells the provider runtime which Supabase project to talk toconfig/public.jsdeclares anauthsurfaceconfig/server.jsexposes app-owned OAuth visibility settingssrc/pages/auth/*gives the app real public auth routessrc/placement.jsmakes auth visible in the shell
That is a very JSKIT-style pattern. The installed package brings the runtime behavior, but the app still owns the important seams where routing and UI get attached.
Under the hood
The runtime behind useAuthStore()
useAuthStore() is the app-facing Pinia layer, but it is not inventing a second auth system. It is a store facade over the lower-level auth guard runtime that auth-web boots on startup.
That lower-level runtime already has a small, concrete contract:
initialize()refresh()getState()subscribe()
auth-web initializes that runtime once, binds it into the Pinia auth store, and then exposes useAuthStore() as the normal component-facing API. That is why the main example earlier could stay so small.
If you strip the composable away and write the same You are logged in! example directly against the runtime, it looks like this:
<script setup>
import { computed, onBeforeUnmount, onMounted, ref } from "vue";
import { useAuthGuardRuntime } from "@jskit-ai/auth-web/client";
const authGuardRuntime = useAuthGuardRuntime({
required: true
});
const authState = ref(authGuardRuntime.getState());
let unsubscribe = null;
const isAuthenticated = computed(() => authState.value?.authenticated === true);
onMounted(() => {
unsubscribe = authGuardRuntime.subscribe((nextState) => {
authState.value = nextState;
});
});
onBeforeUnmount(() => {
if (typeof unsubscribe === "function") {
unsubscribe();
}
});
</script>
<template>
<section class="pa-4">
<v-alert v-if="isAuthenticated" type="success" variant="tonal" class="mb-4">
You are logged in!
</v-alert>
<h1 class="text-h5 mb-2">Home</h1>
<p class="text-body-2 text-medium-emphasis">Your account session is active on this device.</p>
</section>
</template>That code works, and it shows exactly what useAuthStore() is wrapping:
getState()gives the first auth snapshot immediatelysubscribe(...)keeps that snapshot updated later- the component turns that imperative runtime into normal Vue refs and computeds
For ordinary Vue component code there is usually no advantage to writing it this way. useAuthStore() already gives you the same surfaced information plus the same runtime methods when you need them. The direct runtime version is mainly worth knowing so you understand the lower-level contract that auth-web itself is building on.
Who actually talks to whom
The most important thing to understand is that the browser usually talks to your app, and your app talks to Supabase.
For the normal email-and-password flow, the browser does not call Supabase directly. It posts to the app's own API routes such as /api/login. The JSKIT server then calls Supabase, receives the Supabase session, and turns that into HTTP-only cookies.
That means there are really three actors in play:
- the browser, which renders the login screen and submits forms
- the JSKIT app server, which owns
/api/login,/api/oauth/complete,/api/session, and the cookie-writing step - Supabase, which owns the real authentication backend, password verification, OAuth exchange, and auth user records
So the mental model should be:
browser -> JSKIT app -> Supabase
browser <- JSKIT app <- SupabaseFor OAuth there is one extra bounce: the browser is redirected out to Supabase and then back again. But even there, the app still owns the start and completion steps.
Password login: the full round trip
The simplest login flow is the normal Email + Password form.
On the client side, DefaultLoginView eventually calls useLoginViewActions.submitAuth(). In sign-in mode that becomes a POST to:
/api/loginwith a body shaped roughly like this:
{
"email": "alice@example.com",
"password": "correct horse battery staple"
}From there, the server-side flow is:
POST /api/loginhits the route registered byauth-web.AuthController.login()receives the request.AuthWebService.login()executes the internal actionauth.login.password.- The Supabase auth service calls
supabase.auth.signInWithPassword(...). - Supabase returns a
userobject and asessionobject. - JSKIT syncs the app-side profile mirror from that Supabase user.
- JSKIT writes the access and refresh tokens into HTTP-only cookies.
- The API response sent back to the browser is intentionally small.
The important detail is step 7. The browser does not receive the raw Supabase session tokens as normal application state. The server writes them into cookies instead:
sb_access_tokensb_refresh_token
Those cookies are HTTP-only and sameSite: "lax", so the browser sends them back automatically on later requests, but normal client-side code cannot read them directly.
The JSON response from /api/login is much smaller than the underlying Supabase session object:
{
"ok": true,
"username": "alice"
}After that, the browser still is not done. The login view immediately calls /api/session to confirm the session and fetch the current auth state. If that session check comes back with authenticated: true, the client redirects to the requested returnTo path.
So the real password-login round trip is:
1. browser -> POST /api/login -> JSKIT app
2. JSKIT app -> supabase.auth.signInWithPassword(...)
3. Supabase -> JSKIT app: user + session
4. JSKIT app -> browser: set HTTP-only cookies + { ok, username }
5. browser -> GET /api/session
6. JSKIT app -> browser: { authenticated, username, csrfToken, ... }
7. browser redirects to the requested routeOAuth login: the extra browser bounce
OAuth is the case where the browser really does leave the app briefly, but the app still owns the edges of the flow.
The first step is still browser -> app. If the login page shows a button such as Continue with Google, clicking it does not go straight to Supabase. It first goes to:
/api/oauth/google/start?returnTo=/homeThat server route does three jobs:
- normalizes the provider id
- normalizes the
returnTopath - asks Supabase for the correct provider redirect URL
JSKIT then redirects the browser to Supabase's OAuth flow. The redirect URL that JSKIT asks Supabase to use points back to your app, usually /auth/login, with some query parameters describing the provider and the intended return target.
So the browser flow becomes:
browser -> /api/oauth/google/start
app -> Supabase OAuth redirect URL
browser -> Supabase / provider login page
Supabase -> browser back to /auth/login?...callback params...When the browser lands back on /auth/login, the login page JavaScript inspects the URL. It looks for either:
- an OAuth
code, or - an access/refresh token pair
If it finds them, it does not treat the browser as fully signed in yet. Instead, it posts a small completion payload back to the app at:
/api/oauth/completeThat payload looks roughly like one of these:
{
"provider": "google",
"code": "..."
}or
{
"provider": "google",
"accessToken": "...",
"refreshToken": "..."
}Now the app server finishes the job:
AuthController.oauthComplete()receives the payload.- The Supabase auth service either:
- exchanges the code with
supabase.auth.exchangeCodeForSession(...), or - restores the session with
supabase.auth.setSession(...)
- exchanges the code with
- Supabase returns
userandsession. - JSKIT syncs the local profile mirror.
- JSKIT writes HTTP-only cookies.
- The browser strips the callback params out of the URL.
- The browser refreshes
/api/session. - The browser redirects to
returnTo.
So the full OAuth dance is:
browser -> app start route
app -> Supabase redirect
browser -> Supabase/provider
Supabase/provider -> browser back to /auth/login
browser -> app completion route
app -> Supabase session exchange
Supabase -> app: user + session
app -> browser: cookies + small success payload
browser -> /api/session -> redirectThat is why the login page needs both browser-side logic and server-side routes. The browser owns the redirect dance, but the app still owns the final session establishment step.
What /api/session is really doing
/api/session is more than a yes-or-no login check. It is the app's current auth truth endpoint.
When the browser calls it, the server:
- reads the auth cookies
- checks whether the access token still looks valid
- refreshes the session through Supabase if needed
- clears invalid cookies if the session is no longer usable
- returns the auth state the client actually needs
The response is shaped roughly like this:
{
"authenticated": true,
"username": "alice",
"csrfToken": "...",
"oauthProviders": [],
"oauthDefaultProvider": null
}That explains why the login screen and auth guard runtime both care about /api/session. It is how the browser learns:
- whether the user is authenticated
- which username to show
- which OAuth buttons to render
- which CSRF token to use for later writes
It is also why the shell widget can react cleanly to auth state without storing raw session tokens in client state. The browser just asks the app for the current session view, and the app derives that from its cookies plus Supabase.
Authenticated Playwright testing with the dev auth bypass
JSKIT ships a development-only auth bootstrap path specifically so authenticated UI can be verified in Playwright without depending on a real live login flow through Supabase.
This is the standard path the agent should use for authenticated browser tests:
- enable the dev auth bypass in development
- create a session for an existing user through the local app
- let the browser keep the resulting HTTP-only cookies
- navigate to the protected page and verify the feature
- record the Playwright run through
jskit app verify-uisojskit doctorcan verify the receipt later
The feature is intentionally narrow.
- It is development-only.
- It must never be enabled in production.
- JSKIT rejects boot if
AUTH_DEV_BYPASS_ENABLED=truewhileNODE_ENV=production. - The route only looks up an existing user. It does not create one.
The environment variables are:
AUTH_DEV_BYPASS_ENABLED=true
AUTH_DEV_BYPASS_SECRET=replace-this-with-a-local-dev-secretWhen enabled outside production, the app exposes:
POST /api/dev-auth/login-asThe request body must contain either:
{ "userId": "7" }or:
{ "email": "ada@example.com" }The response is intentionally small:
{
"ok": true,
"userId": "7",
"username": "Ada Example",
"email": "ada@example.com"
}Behind the scenes, JSKIT creates the same HTTP-only auth cookies that the normal login flow would create. That means Playwright should not try to read raw tokens. It should bootstrap the session in the browser context, then navigate normally.
One subtle point matters here:
/api/dev-auth/login-asis still an unsafePOST- JSKIT still expects a CSRF token
- the browser can get that token from
/api/session
So the normal Playwright shape is:
- open a same-origin page first
- call
/api/sessionto readcsrfToken - call
/api/dev-auth/login-aswithcredentials: "include"and thecsrf-tokenheader - navigate to the protected route and run the assertions
For example:
await page.goto("/");
await page.evaluate(async ({ email }) => {
const sessionResponse = await fetch("/api/session", {
credentials: "include"
});
if (!sessionResponse.ok) {
throw new Error(`Session bootstrap failed: ${sessionResponse.status}`);
}
const sessionPayload = await sessionResponse.json();
const csrfToken = String(sessionPayload?.csrfToken || "");
if (!csrfToken) {
throw new Error("Missing csrfToken from /api/session.");
}
const loginResponse = await fetch("/api/dev-auth/login-as", {
method: "POST",
credentials: "include",
headers: {
"content-type": "application/json",
"csrf-token": csrfToken
},
body: JSON.stringify({ email })
});
if (!loginResponse.ok) {
throw new Error(`Dev login failed: ${loginResponse.status} ${await loginResponse.text()}`);
}
}, { email: "ada@example.com" });
await page.goto("/w/acme/admin/contacts");In practice, the preferred wrapper is:
npx jskit app verify-ui \
--command "npx playwright test tests/e2e/contacts.spec.ts -g filters" \
--feature "contacts filters" \
--auth-mode dev-auth-login-asFor local pre-merge review, the next step after recording that Playwright run is usually:
npx jskit doctor --against origin/mainAdvanced CI pipelines can use the same --against contract too, but JSKIT does not scaffold hosted auth/database/browser verification by default.
That flow is preferable to driving the real sign-in form in feature tests because it keeps the test focused on the UI feature being added, not on an external auth dependency. If a chunk changes user-facing UI and the flow requires login, the expected JSKIT review standard is:
- use Playwright
- record the run with
jskit app verify-ui - use the local dev auth bypass or another local session bootstrap path
- exercise the actual changed behavior, not only page load
What appears in Supabase
It is important to separate Supabase auth data from JSKIT app-owned data.
When a user registers from this screen, Supabase creates a real auth user immediately. According to Supabase's user-management docs, you can see users in two places.
Authentication -> Usersin the Supabase dashboard- the
authschema in the Table Editor
In practice, after someone registers you should expect to see at least these things on the Supabase side.
- A user row exists in
auth.users. - The email address appears there.
- Supabase tracks whether the email has been confirmed yet.
- The user has a stable auth id.
- The provider is Supabase email/password unless you later add OAuth.
On the Dashboard's Authentication -> Users page, that usually means you will see a new user entry with the email address, creation time, last sign-in information once they have signed in, and confirmation state. If you open the user details, you can inspect the auth record more closely.
JSKIT's register flow also sends a starter display_name into Supabase user metadata. That means the new user can carry an initial display-name value in provider metadata even before the later database-backed users layer is installed.
This is the key distinction for the chapter.
- Supabase already has a real user record.
- JSKIT's own mirrored profile/settings store is still the temporary standalone in-memory version.
So if you restart the local JSKIT server in this chapter, the temporary app-side mirror is rebuilt as users authenticate again, but the actual Supabase auth user is still there because that data lives in Supabase, not in your local Node process.
One more subtle point matters here.
- If registration requires email confirmation, the user can already appear in Supabase even though the browser is not signed in yet.
- If confirmation is disabled, the user appears in Supabase and gets an active session immediately.
That is why the confirmation screen in the app should be understood as a session-state difference, not a sign that the user was never created.
Summary
After this chapter, the app can really authenticate against Supabase. It has a public auth surface, a stock login page, a sign-out route, and a shell widget that reflects auth state. The provider-specific values live in .env, and the web auth layer is wired into the same placement and surface system introduced earlier in the guide.
Just as importantly, the app is still deliberately incomplete. Authentication exists, but the database-backed user model does not. That separation is useful, because the next layer of the guide can explain users and persistence without having to also explain the first auth setup at the same time.