This document outlines the secure authentication system implemented for the admin dashboard.

• JWT Tokens: Secure JSON Web Tokens with HTTP-only cookies
• Bcrypt Hashing: Password hashed with cost factor 12 (very secure)
• Token Expiration: 7-day token expiration with automatic refresh
• Brute Force Protection: 1-second delay on failed login attempts

• Middleware Protection: All admin routes protected by Next.js middleware
• Token Validation: JWT signature and payload validation
• Role-Based Access: Admin-only access control
• Automatic Redirects: Unauthorized users redirected to sign-in

• HTTP-Only: Cookies inaccessible to JavaScript (XSS protection)
• Secure Flag: HTTPS-only in production
• SameSite: Strict same-site policy (CSRF protection)
• Path Scoped: Cookies scoped to admin routes

• Environment Variables: Sensitive data in environment variables
• Token Cleanup: Invalid tokens automatically cleared
• HTTPS Enforcement: Secure cookies in production only
• Input Validation: Password requirements and validation

node scripts/generate-admin-hash.js

Create .env.local with:

ADMIN_PASSWORD_HASH=your-bcrypt-hash-here
JWT_SECRET=your-secure-jwt-secret-minimum-32-characters

1. Navigate to /admin/signin
2. Enter your admin password
3. Access protected admin routes

All routes under /admin/* are protected except:

• /admin/signin - Sign-in page
• /admin/api/auth - Authentication API

• POST /admin/api/auth - Sign in
• DELETE /admin/api/auth - Sign out
• GET /admin/api/auth - Check auth status

• Minimum 8 characters (enforced in script)
• Use strong, unique password
• Store hash securely in environment variables

• Minimum 32 characters
• Use cryptographically secure random string
• Never expose in client-side code

• Never commit .env.local to version control
• Use different secrets for development/production
• Rotate secrets periodically

• Ensure NODE_ENV=production
• Use HTTPS for secure cookies
• Set strong environment variables
• Monitor failed authentication attempts

Consider adding these security headers:

// next.config.js
const nextConfig = {
  async headers() {
    return [
      {
        source: "/admin/:path*",
        headers: [
          {
            key: "X-Frame-Options",
            value: "DENY",
          },
          {
            key: "X-Content-Type-Options",
            value: "nosniff",
          },
          {
            key: "Referrer-Policy",
            value: "strict-origin-when-cross-origin",
          },
        ],
      },
    ];
  },
};

1. "Server configuration error": Check environment variables
2. Redirect loops: Clear cookies and regenerate tokens
3. Token expired: Tokens expire after 7 days, sign in again

Check browser console and server logs for authentication errors.

• Strong admin password set
• JWT secret is cryptographically secure (32+ chars)
• Environment variables not in version control
• HTTPS enabled in production
• Cookie security flags properly set
• Middleware protecting all admin routes
• Token expiration working correctly
• Invalid tokens properly cleared
• Brute force delay implemented
• Input validation working

• Rotate JWT secret every 90 days
• Monitor authentication logs
• Update dependencies regularly
• Review and test security measures

For questions or security concerns, contact the administrator.