I built a CLI that adds production-ready auth to any Next.js app in under a minute

Published: (February 24, 2026 at 11:59 PM EST)
3 min read
Source: Dev.to

Introduction

Every time I started a new Next.js project, I found myself writing the same authentication code over and over: JWT setup, bcrypt hashing, httpOnly cookies, Mongoose models, middleware protection, login and signup pages. It takes hours to get right and it’s the same every single time.

So I built nextauthforge — a CLI that scaffolds a complete auth system into any Next.js App Router project in under a minute.

Getting Started

npx nextauthforge init

Answer a few questions and you’re done.

? What is your project name? my-app
? Which database are you using? MongoDB
? Include login & signup pages? Yes
? Include example dashboard? Yes

✓ Auth files scaffolded
✓ Dependencies installed
✓ AuthForge setup complete!

Scaffolded Files

API Routes

  • POST /api/auth/signup — register + auto login
  • POST /api/auth/login — verify credentials + set cookie
  • POST /api/auth/logout — clear session
  • GET /api/auth/me — get current user

Frontend Pages

  • Landing page
  • Login page
  • Signup page
  • Dashboard (protected)

Utilities

  • lib/jwt.ts — sign and verify JWT using jose
  • lib/hash.ts — bcrypt helpers
  • lib/session.ts — cookie reader
  • lib/dbConfig.ts — MongoDB connection singleton
  • hooks/useAuth.tsx — client‑side auth state
  • components/ToasterProvider.tsx — toast notifications
  • proxy.ts — middleware route protection
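The two utilities that matter most for security are lib/jwt.ts and lib/session.ts. The following is an added illustration, not the scaffold's own code: it mints and verifies an HS256 compact JWT with Node's built-in crypto (standing in for jose), pins the algorithm before checking the signature, compares the signature in constant time, checks expiry, and builds the Set-Cookie value a login route would send. The secret, the cookie name "session" and the claim layout are assumptions for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumption: in a real app the signing key comes from an environment variable.
const SECRET = "replace-me-with-a-long-random-secret-from-env";

export interface SessionClaims {
  sub: string; // user id
  iat: number; // issued at, seconds since epoch
  exp: number; // expiry, seconds since epoch
}

function b64url(input: string | Buffer): string {
  const buf = typeof input === "string" ? Buffer.from(input, "utf8") : input;
  return buf.toString("base64url");
}

function hmacSha256(data: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(data).digest();
}

// Decode one base64url JSON segment; undefined on any failure.
function parseJson(segment: string): unknown {
  try {
    return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
  } catch {
    return undefined;
  }
}

// Mint a compact HS256 token: base64url(header).base64url(claims).base64url(signature)
export function signSession(
  userId: string,
  ttlSeconds: number,
  now = Math.floor(Date.now() / 1000),
  secret = SECRET,
): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const claims: SessionClaims = { sub: userId, iat: now, exp: now + ttlSeconds };
  const signingInput = `${header}.${b64url(JSON.stringify(claims))}`;
  return `${signingInput}.${b64url(hmacSha256(signingInput, secret))}`;
}

// Verify in this order: structure, pinned algorithm, signature (constant time), expiry.
export function verifySession(
  token: string,
  now = Math.floor(Date.now() / 1000),
  secret = SECRET,
): SessionClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;

  const header = parseJson(h) as { alg?: unknown } | null | undefined;
  if (!header || header.alg !== "HS256") return null; // rejects alg=none and alg swaps

  const expected = hmacSha256(`${h}.${p}`, secret);
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  const claims = parseJson(p) as Partial<SessionClaims> | null | undefined;
  if (!claims || typeof claims.sub !== "string" || typeof claims.exp !== "number") return null;
  if (claims.exp <= now) return null;
  return claims as SessionClaims;
}

// Set-Cookie value for the login route: HttpOnly keeps page script from reading it,
// Secure restricts it to HTTPS, SameSite=Lax keeps it off cross-site POSTs.
export function sessionCookie(token: string, maxAgeSeconds: number, secure = true): string {
  const attrs = [`session=${token}`, "HttpOnly", "Path=/", "SameSite=Lax", `Max-Age=${maxAgeSeconds}`];
  if (secure) attrs.push("Secure");
  return attrs.join("; ");
}
```

In a Next.js route handler you would normally set the cookie through the framework's cookie API rather than a raw header string; the point of sessionCookie is the attribute set. The order inside verifySession matters: the algorithm is checked before any signature work, and the payload is only parsed after the signature is known to be good.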

Design Decisions

  • JWT in httpOnly cookies – not localStorage. A cookie flagged httpOnly cannot be read by page JavaScript, so a script injected through XSS cannot copy the token out the way it can read localStorage. That is the limit of the protection: an XSS payload can still call the API routes from the victim's browser and the cookie goes along automatically, so the cookie should also carry Secure and SameSite attributes, and state-changing routes still need CSRF protection.
  • jose instead of jsonwebtoken – Next.js middleware runs on the Edge Runtime, which lacks Node.js built‑ins such as crypto. jsonwebtoken depends on them and breaks in middleware, while jose is built on the Web Crypto API and works in every Next.js runtime.
  • bcrypt with 12 rounds – a cost factor of 12 means 2^12 iterations per hash, which is intentionally slow so that cracking a leaked table of hashes offline is expensive. It does not by itself stop online guessing against the login route; that needs rate limiting on top.
  • Generic error messages – both “user not found” and “wrong password” return the same “Invalid credentials” message, so the response body cannot be used to enumerate registered emails. The check only holds if both paths cost the same: a handler that returns before running bcrypt when the email is unknown still leaks account existence through response time, so the unknown-user path should compare against a dummy hash.
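How the last two decisions fit together in a login handler, as an added example rather than the scaffold's code: the password check always runs, against a precomputed dummy hash when the email is unknown, and both failure paths return the identical "Invalid credentials" result. Node's built-in scrypt stands in for bcryptjs here so the block runs without npm packages; the in-memory user table, the stored-hash format (salt:key in hex) and the verification counter are assumptions made for the example.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Stand-in for bcrypt (the scaffold uses bcryptjs with cost 12): scrypt with N=2^14.
const SCRYPT = { N: 16384, r: 8, p: 1 };
const KEYLEN = 32;

// Counts verifications so a test can prove the unknown-user path does the same work.
let verifications = 0;
export function verificationCount(): number {
  return verifications;
}

// Returns "saltHex:keyHex" (assumed storage format for this example).
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, KEYLEN, SCRYPT);
  return `${salt.toString("hex")}:${key.toString("hex")}`;
}

export function verifyPassword(password: string, stored: string): boolean {
  verifications++;
  const [saltHex, keyHex] = stored.split(":");
  const expected = Buffer.from(keyHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), KEYLEN, SCRYPT);
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Constructed in-memory user table standing in for the Mongoose model.
const users = new Map<string, { id: string; passwordHash: string }>([
  ["alice@example.com", { id: "u_1", passwordHash: hashPassword("correct horse battery staple") }],
]);

// Hash of a throwaway random password, computed once at startup. When the email is
// unknown we verify against this so that path costs the same as a wrong password.
const DUMMY_HASH = hashPassword(randomBytes(16).toString("hex"));

export type LoginResult =
  | { ok: true; userId: string }
  | { ok: false; error: "Invalid credentials" };

export function login(email: string, password: string): LoginResult {
  const user = users.get(email.trim().toLowerCase());
  const hash = user ? user.passwordHash : DUMMY_HASH;
  const matches = verifyPassword(password, hash); // runs on every path
  if (!user || !matches) return { ok: false, error: "Invalid credentials" };
  return { ok: true, userId: user.id };
}
```

The route handler would map the failure result to a single 401 response and the success result to the Set-Cookie from lib/jwt.ts; it should never branch on which of the two conditions failed.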

Roadmap (v1.0)

  • PostgreSQL + Prisma support
  • Refresh tokens
  • Google OAuth (npx nextauthforge add google)
  • GitHub OAuth
  • Email verification flow
  • npm:
  • GitHub:

Feedback & Contributions

I’d love feedback from the community. If you run into any issues or have feature requests, please open an issue on GitHub.

Tech Stack

  • Next.js 14+
  • MongoDB
  • jose
  • bcryptjs
  • A lot of copy‑pasting the same auth code one too many times.