Paladin Farm & Ranch

© 2026 Paladin Farm and Ranch

PO Box 7228 Glen Rose, TX 76043

Stephen@PaladinFarmandRanch.com

Authentication & Authorization

How auth is implemented

Authentication

Authentication uses NextAuth.js v5 with the Google OAuth provider. Configuration is in src/lib/auth.ts.

Key files:

File                      Purpose
auth.ts                   NextAuth config — Google provider, Prisma adapter, session callbacks
[...nextauth]/route.ts    Auth API route handler
signin/page.tsx           Custom sign-in page
schema.prisma             User, Account, and Session models (Prisma adapter)

How It Works

  1. User clicks Sign In → redirected to Google OAuth consent screen
  2. On success, NextAuth creates/updates User and Account records via the Prisma adapter
  3. A session is created and stored in the Session table
  4. The auth() helper (exported from src/lib/auth.ts) is used in API routes and server components to check the session

Registration Flow

New users are redirected to a multi-step registration form. Each step collects different information and POSTs to the respective API route.


Account Linking

The config sets allowDangerousEmailAccountLinking: true so that a Google sign-in is merged with an existing User record that has the same email address. NextAuth flags this option as dangerous because it trusts the provider's email claim; with Google as the only sign-in provider, the linked address is always the one Google reports, and the setting lets seeded test accounts sign in through OAuth.

Authorization

There are two levels of roles:

Platform Roles (UserRole)

Stored on the User model. Defined in prisma/schema.prisma:

Role      Access
ADMIN     Full access — manage users, review org requests, manage resources, bypass subscription checks
STAFF     Bypass subscription checks for request creation
(none)    Regular user — standard access

Organization Roles (OrgRole)

Stored on OrganizationMember. Controls per-org permissions:

Role      Access
OWNER     Full org control — manage members, approve/reject join requests, delete org
MANAGER   Manage members and join requests (cannot remove owners)
MEMBER    View-only org membership

Where Authorization Is Checked

  • API routes — each route handler calls auth() and checks session.user.role or org membership via checkOrgAdminAccess() in src/app/api/organizations/[id]/members/route.ts
  • Client components — conditional UI rendering based on session.user.role and the user's org role from API responses
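The role matrices above, written out as pure decision functions that a route handler could call after auth(). This is an added example, not code from the project; the function names, the PlatformRole/OrgRole aliases, and the assumption that an ADMIN's "full access" also covers organization operations are all hypothetical.

```typescript
// Added example (not project code): the authorization rules documented on this
// page as pure functions, kept free of NextAuth/Prisma so they can be unit-tested.

type PlatformRole = "ADMIN" | "STAFF" | null;   // null = regular user (no UserRole)
type OrgRole = "OWNER" | "MANAGER" | "MEMBER";

// ADMIN and STAFF both bypass subscription checks when creating requests.
function bypassesSubscriptionCheck(role: PlatformRole): boolean {
  return role === "ADMIN" || role === "STAFF";
}

// Only ADMIN may manage users, review org requests, or manage resources.
function isPlatformAdmin(role: PlatformRole): boolean {
  return role === "ADMIN";
}

// OWNER and MANAGER manage members and join requests; MEMBER is view-only.
function canManageOrgMembers(role: OrgRole | undefined): boolean {
  return role === "OWNER" || role === "MANAGER";
}

// MANAGER may remove members but never an OWNER; removing an OWNER needs OWNER.
function canRemoveMember(actor: OrgRole | undefined, target: OrgRole): boolean {
  if (!canManageOrgMembers(actor)) return false;
  if (target === "OWNER") return actor === "OWNER";
  return true;
}

// Deleting the organization itself is reserved to OWNER.
function canDeleteOrg(role: OrgRole | undefined): boolean {
  return role === "OWNER";
}

// Decision a hypothetical members route would make: it returns the HTTP status
// the handler should respond with. `session` is what auth() would hand back.
function authorizeMemberRemoval(
  session: { user?: { role: PlatformRole } } | null,
  actorOrgRole: OrgRole | undefined,   // undefined = caller is not an org member
  targetOrgRole: OrgRole,
): 200 | 401 | 403 {
  if (!session?.user) return 401;                      // no session: unauthenticated
  // Assumption: platform ADMIN "full access" extends to org member management.
  if (isPlatformAdmin(session.user.role)) return 200;
  return canRemoveMember(actorOrgRole, targetOrgRole) ? 200 : 403;
}
```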