Every time I started a new Next.js project, I found myself writing the same authentication code over and over.
JWT setup. bcrypt hashing. httpOnly cookies. Mongoose models. Middleware protection. Login and signup pages. It takes hours to get right and it's the same every single time.
So I built nextauthforge — a CLI that scaffolds the entire auth system into any Next.js App Router project in under a minute.
How it works
npx nextauthforge init
Answer a few questions and you're done.
◆ AUTHFORGE — Next.js Auth Scaffolder
? What is your project name? my-app
? Which database are you using? MongoDB
? Include login & signup pages? Yes
? Include example dashboard ? Yes
✓ Auth files scaffolded
✓ Dependencies installed
✓ AuthForge setup complete!
What gets generated
Running the CLI scaffolds a complete auth system:
API Routes:
- POST /api/auth/signup — register + auto login
- POST /api/auth/login — verify credentials + set cookie
- POST /api/auth/logout — clear session
- GET /api/auth/me — get current user
Frontend Pages:
- Landing page
- Login page
- Signup page
- Dashboard (protected)
Utilities:
- lib/jwt.ts — sign and verify JWT using jose
- lib/hash.ts — bcrypt helpers
- lib/session.ts — cookie reader
- lib/dbConfig.ts — MongoDB connection singleton
- hooks/useAuth.tsx — client-side auth state
- components/ToasterProvider.tsx — toast notifications
- proxy.ts — middleware route protection
The auth strategy
I made some deliberate choices about how auth works:
JWT in httpOnly cookies — not localStorage. This is the right call for security. An httpOnly cookie can't be read by JavaScript, so a script injected through XSS can't exfiltrate the token, whereas a token in localStorage is readable by any script running on the page. Storing tokens in localStorage is a common mistake.
jose instead of jsonwebtoken. Next.js middleware runs on the Edge Runtime which doesn't support Node.js built-ins. jsonwebtoken breaks in middleware. jose is Web Crypto API compatible and works everywhere in Next.js.
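To show what "Web Crypto API compatible" buys you in practice, here is an added example (it is not nextauthforge's lib/jwt.ts and does not use jose) that signs and verifies an HS256 JWT with nothing but crypto.subtle, TextEncoder and btoa/atob, all of which exist in both Node and the Edge Runtime. The secret, the claim names and the one-hour lifetime are assumptions for the illustration. It also shows two checks a verifier has to make that jose does for you: pinning the algorithm instead of trusting the token's own header, and rejecting a token whose exp has passed.

```typescript
// Added example, not nextauthforge's lib/jwt.ts and not using jose: an HS256 JWT signed
// and verified with only the Web Crypto API, TextEncoder and btoa/atob, all of which exist
// in Node and in the Edge Runtime that Next.js middleware runs on.
import { webcrypto } from 'node:crypto';

const subtle = webcrypto.subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url without padding, built on btoa/atob rather than Buffer (Buffer is Node-only).
function b64url(bytes: Uint8Array): string {
  let bin = '';
  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(s: string): Uint8Array {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  const bin = atob(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Import the shared secret as a non-extractable HMAC-SHA256 key with exactly one usage.
async function hmacKey(secret: string, usage: 'sign' | 'verify') {
  return subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
}

// Issue a token: header.payload.signature, with iat/exp stamped in. `now` is injectable for tests.
export async function signJwt(
  payload: Record<string, unknown>,
  secret: string,
  ttlSeconds = 3600,
  now = Math.floor(Date.now() / 1000),
): Promise<string> {
  const header = b64url(enc.encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const body = b64url(enc.encode(JSON.stringify({ ...payload, iat: now, exp: now + ttlSeconds })));
  const signingInput = `${header}.${body}`;
  const sig = await subtle.sign('HMAC', await hmacKey(secret, 'sign'), enc.encode(signingInput));
  return `${signingInput}.${b64url(new Uint8Array(sig))}`;
}

// Verify a token; returns the claims or null. It never tells the caller's user *why* it failed.
export async function verifyJwt(
  token: string,
  secret: string,
  now = Math.floor(Date.now() / 1000),
): Promise<Record<string, unknown> | null> {
  try {
    const parts = token.split('.');
    if (parts.length !== 3) return null;
    const [h, b, s] = parts;
    // Pin the algorithm we issue; the token's own header is untrusted input.
    const header = JSON.parse(dec.decode(b64urlDecode(h)));
    if (header.alg !== 'HS256') return null;
    const ok = await subtle.verify('HMAC', await hmacKey(secret, 'verify'), b64urlDecode(s), enc.encode(`${h}.${b}`));
    if (!ok) return null;
    const claims = JSON.parse(dec.decode(b64urlDecode(b)));
    // Reject expired tokens; exp is seconds since the epoch per RFC 7519.
    if (typeof claims.exp !== 'number' || claims.exp <= now) return null;
    return claims;
  } catch {
    return null; // malformed base64 or JSON is just an invalid token
  }
}
```

The middleware would call verifyJwt on the cookie value and redirect to the login page on null; because every step above is Web Crypto, the same file works unchanged in an Edge middleware and in a Node route handler.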
bcrypt with 12 rounds. Intentionally slow to make brute force attacks impractical.
Generic error messages. Both "user not found" and "wrong password" return the same "Invalid credentials" message. This prevents email enumeration attacks where an attacker can figure out which emails are registered.
What's coming next
This is v1.0 and there's a lot more planned:
- PostgreSQL + Prisma support
- Refresh tokens
- Google OAuth — npx nextauthforge add google
- GitHub OAuth
- Email verification flow
Try it
npx nextauthforge init
Would love feedback from the community. If you run into any issues or have feature requests, open an issue on GitHub.
Built with Next.js 14+, MongoDB, jose, bcryptjs, and a lot of copy-pasting the same auth code one too many times.