Accounts & roles

Authentication uses Auth.js (NextAuth v5) with email + password (bcrypt) and JWT sessions.

Public auth routes

Route	Purpose
`/login`	Sign in
`/signup`	Create member account
`/forgot-password`	Request reset link
`/reset-password`	Set new password
`/account`	Member dashboard

User profile fields

Accounts store:

Title — optional honorific (Mr., Dr., etc.)
First name and last name — required
Email — unique login identifier
Bio — optional profile text
Role — platform permission level
Plan — content access tier (Free, Subscriber, Premium, Enterprise)

The name field is a synced full display name used in emails and exports.

Member management

Admins manage users at /admin/users:

View all members and activity counts
Change role and plan inline
Add member — create accounts with initial password and optional welcome email

Session data

The JWT carries id, role, plan, and previousLoginAt (for the account activity feed). Staff status is derived from role via src/lib/roles.ts.

Password reset

User submits email at /forgot-password
Server creates a hashed PasswordResetToken (1-hour expiry)
Email sent via Resend, or link logged to console in dev
User sets new password at /reset-password?token=…

Extending auth

OAuth providers can be added in src/auth.ts. Adding providers that require refresh tokens typically needs Prisma adapter tables (Account, Session).

See Usage & configuration → Roles & permissions for the full role matrix.