Authentication Flow

This document provides a sequential breakdown of the authentication lifecycle in the Bagisto Headless project. It covers how a user transitions from an anonymous state to an authenticated one and how sessions are maintained across requests.

The following flow describes the journey from the Login Page to an authenticated Account Dashbaord.

3.2 State Management & Persistence

Authentication state is handled at multiple levels to ensure a fluid user experience.

Layer	Responsibility	persistence
NextAuth.js	Manages the primary session and encrypted JWT.	HTTP-Only Cookie: Persists across browser refreshes and tabs.
Apollo Client	Injects the `accessToken` from the session into every GraphQL request header.	In-Memory: The token is retrieved from the session provider dynamically.
Redux/Zustand	(Optional) Stores non-sensitive user metadata like `firstName` or `email`.	Client State: Optimized for instant UI updates (e.g., "Hello, User").

3.3 Route Protection Strategies

The storefront handles protected routes (like /customer/account or /checkout) using two main methods:

A. MiddleWare Level (Global)

Controls access before the page even begins to render.

Workflow: Redirects unauthenticated users to /customer/login immediately.

B. Page Level (Server Component)

Check session before fetching dashboard data.

typescript

const session = await getServerSession(authOptions);
if (!session) redirect('/customer/login');

3.4 Data Flow: Token Injection

Once authenticated, every request sent to the Bagisto backend follows this pattern:

Retreival: The ApolloLink fetches the accessToken from the NextAuth session.
Injection: Adds the header: Authorization: Bearer <token>.
Verification: Bagisto verifies the Sanctum/API token.
Resolution: Bagisto returns user-specific data (e.g., personalized cart).

3.5 Session Termination (Logout)

When a user logs out:

signOut() is triggered from the frontend.
NextAuth clears the encrypted session cookie.
The Apollo Cache is reset to prevent stale data leaks.
The user is redirected to the Homepage or Login page.

📖 Continue Reading:

Architecture Overview

Product Listing

Product Details

Categories

Cart State Management

Cart Operations

Checkout Flow

Shipping & Billing

Payment Integration

Supported Ecosystems

Core Philosophy

Installing Packages

Hotwire Bridge Bundle

Implementing Native Behaviors

@bagisto-native/core

Overview

Web Components

Utility Functions

Best Practices

@bagisto-native/react

Overview

Usage Rules

Components Reference

Integration Patterns

Project URL Concept

iOS App Setup

Base URL Configuration

Build & Run

Bridge Components

Available Components

How-to Guides

Step 1: Install Bagisto Headless

Step 2: API & Environment Configuration

Authentication Flow ​

3.1 Scenario: Customer Login Flow ​

3.2 State Management & Persistence ​

3.3 Route Protection Strategies ​

A. MiddleWare Level (Global) ​

B. Page Level (Server Component) ​

3.4 Data Flow: Token Injection ​

3.5 Session Termination (Logout) ​