---
name: Custom JWT cookie auth
description: How SkillGuard's custom email+password authentication works after replacing Clerk.
---

# Custom JWT Cookie Auth

Clerk was replaced with a standalone auth system.

**Rule:** Use `jose` (HS256) for JWT signing/verification. The token lives in an httpOnly `session` cookie. The `SESSION_SECRET` env var must be set.

**Why:** Removed the Clerk dependency for self-contained auth with no external service or Replit binding.

**How to apply:**

- `artifacts/api-server/src/middlewares/auth.ts` — `resolveAuth()` reads the cookie; `signToken()` creates JWTs
- `artifacts/api-server/src/routes/auth.ts` — `POST /api/auth/login` (bcrypt check → set cookie), `POST /api/auth/logout` (clear cookie), `GET /api/me`
- `lib/db/src/schema/adminUsers.ts` — `admin_users` table with email (unique) + password_hash
- `artifacts/api-server/src/lib/seedAdmin.ts` — seeds one admin from `ADMIN_EMAIL` + `ADMIN_PASSWORD` on startup if the table is empty
- Cookie is `sameSite: lax`, `secure: true` in production, `httpOnly: true`, 30-day expiry
- All authenticated users in the cookie are considered admins (no separate role check needed)
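An added illustration (not SkillGuard's `auth.ts`) of the sign, verify and cookie steps the rule describes, written with `node:crypto` instead of `jose` so it runs without dependencies. The env fallback, `THIRTY_DAYS`, `sessionCookie()` and the `Cookie`-header parsing in `resolveAuth()` are assumptions for the demo.

```typescript
// Added illustration, not SkillGuard's auth.ts. Implements HS256 JWT sign/verify and the
// session-cookie attributes with node:crypto so it runs with no dependencies; the real
// middleware does the same work with jose's SignJWT / jwtVerify.
import { createHmac, timingSafeEqual } from "node:crypto";
// Assumption: fallback only so the demo runs; the rule requires SESSION_SECRET to be set.
const SESSION_SECRET = process.env.SESSION_SECRET ?? "demo-only-secret";
export const THIRTY_DAYS = 30 * 24 * 60 * 60; // cookie and token lifetime in seconds

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");

function decodeJson(part: string): Record<string, unknown> | null {
  try { return JSON.parse(Buffer.from(part, "base64url").toString("utf8")); } catch { return null; }
}

// signToken() equivalent: sub = admin email, exp = iat + 30 days.
export function signToken(sub: string, now = Math.floor(Date.now() / 1000)): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ sub, iat: now, exp: now + THIRTY_DAYS }));
  const sig = createHmac("sha256", SESSION_SECRET).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Returns the admin email or null. Pins alg to HS256 before checking the signature,
// compares the MAC in constant time, and rejects expired tokens.
export function verifyToken(token: string, now = Math.floor(Date.now() / 1000)): string | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const hdr = decodeJson(header);
  if (!hdr || hdr.alg !== "HS256") return null;
  const expected = createHmac("sha256", SESSION_SECRET).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = decodeJson(payload);
  if (!claims || typeof claims.exp !== "number" || claims.exp <= now) return null;
  return typeof claims.sub === "string" ? claims.sub : null;
}

// Set-Cookie value matching the rule: httpOnly, sameSite lax, secure in production, 30 days.
export function sessionCookie(token: string, production: boolean): string {
  const attrs = [`session=${token}`, "Path=/", `Max-Age=${THIRTY_DAYS}`, "HttpOnly", "SameSite=Lax"];
  if (production) attrs.push("Secure");
  return attrs.join("; ");
}

// resolveAuth() equivalent: pull the `session` cookie out of a raw Cookie header and verify it.
export function resolveAuth(cookieHeader: string | undefined, now?: number): string | null {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader ?? "");
  return m ? verifyToken(m[1], now) : null;
}
```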