Authentication is foundational. Get it wrong and everything else is at risk.
Session strategy
For most SaaS apps I use either database-backed sessions or JWTs with a short expiry, depending on scale and infrastructure. The trade-off is revocation: a database session can be killed instantly (log out everywhere, disable an account), while a stateless JWT stays valid until it expires unless you add a denylist, which is exactly why the expiry has to be short.
Middleware for route protection
Use Next.js middleware to guard `/dashboard` and API routes. Check the session server-side; never rely on client-only checks, because anything that runs in the browser can be bypassed. Treat middleware as the first gate, not the only one: it runs before the request reaches a page or route handler, so it is the right place to reject requests with a missing or invalid session cookie, but each protected route handler and server component should still validate the session itself so that a matcher mistake or a direct request does not become a bypass.
Role-based routing
After authentication, route users by role. Admins to admin dashboards. Teachers to their views. Parents to limited portals. Read the role from the server-validated session, never from a query parameter or client state, and remember that routing is only navigation: every admin-only API route and data query has to enforce the role again.
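Here is an added example (not code from the original post) that puts the middleware gate and the role-based routing together in one framework-agnostic decision function, so the logic can be unit-tested without a running Next.js app. Everything concrete in it is an assumption for illustration: the session cookie is named `session` and carries `<base64url JSON>.<base64url HMAC-SHA256>` with fields `sub`, `role` and `exp`; the secret comes from `SESSION_SECRET`; the three roles and the route table match the post's admin/teacher/parent split. The Next.js wiring in the trailing comment is a sketch of how `middleware.ts` would call these functions.

```typescript
// Added example: signed-cookie session check plus role-based route decision.
// Assumptions (not from the post): cookie format, role names, route table.
import { createHmac, timingSafeEqual } from "node:crypto";

export type Role = "admin" | "teacher" | "parent";
export interface Session { sub: string; role: Role; exp: number } // exp in ms since epoch
const ROLES: Role[] = ["admin", "teacher", "parent"];

function mac(payload: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(payload).digest();
}

// Issued at login: JSON payload, base64url-encoded, authenticated with HMAC-SHA256.
export function signSession(s: Session, secret: string): string {
  const payload = Buffer.from(JSON.stringify(s)).toString("base64url");
  return `${payload}.${mac(payload, secret).toString("base64url")}`;
}

// Returns the session only if the MAC verifies, the shape is sane and it has not
// expired; any failure yields null so the caller treats the request as anonymous.
export function verifySession(
  cookie: string | undefined, secret: string, now: number = Date.now(),
): Session | null {
  if (!cookie) return null;
  const parts = cookie.split(".");
  if (parts.length !== 2) return null;
  const [payload, given] = parts;
  const expected = mac(payload, secret);
  const givenBuf = Buffer.from(given, "base64url");
  // Constant-time compare so a forged MAC cannot be guessed byte by byte.
  if (givenBuf.length !== expected.length || !timingSafeEqual(givenBuf, expected)) return null;
  let s: Partial<Session>;
  try { s = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")); } catch { return null; }
  if (typeof s.sub !== "string" || !ROLES.includes(s.role as Role)) return null;
  if (typeof s.exp !== "number" || s.exp <= now) return null;
  return { sub: s.sub, role: s.role as Role, exp: s.exp };
}

// Protected prefixes and the roles allowed under each. Most specific first,
// because the first matching rule wins.
const PROTECTED: Array<{ prefix: string; roles: Role[]; api?: boolean }> = [
  { prefix: "/dashboard/admin",   roles: ["admin"] },
  { prefix: "/dashboard/teacher", roles: ["teacher", "admin"] },
  { prefix: "/dashboard/parent",  roles: ["parent"] },
  { prefix: "/dashboard",         roles: ROLES },
  { prefix: "/api",               roles: ROLES, api: true },
];
// Landing page per role, used when a signed-in user hits a route they may not see.
const HOME: Record<Role, string> = {
  admin: "/dashboard/admin", teacher: "/dashboard/teacher", parent: "/dashboard/parent",
};

export type Decision =
  | { action: "next" }
  | { action: "redirect"; to: string }
  | { action: "deny"; status: 401 | 403 };

// The role comes only from the verified session, never from the request.
export function decide(pathname: string, session: Session | null): Decision {
  const rule = PROTECTED.find(r => pathname === r.prefix || pathname.startsWith(r.prefix + "/"));
  if (!rule) return { action: "next" }; // public route
  if (!session) {
    // API clients get a 401, browsers get sent to login with a return path.
    if (rule.api) return { action: "deny", status: 401 };
    return { action: "redirect", to: `/login?next=${encodeURIComponent(pathname)}` };
  }
  if (!rule.roles.includes(session.role)) {
    if (rule.api) return { action: "deny", status: 403 };
    return { action: "redirect", to: HOME[session.role] };
  }
  return { action: "next" };
}

// Sketch of the Next.js wiring in middleware.ts (assumed, not from the post):
//   const s = verifySession(req.cookies.get("session")?.value, process.env.SESSION_SECRET!);
//   const d = decide(req.nextUrl.pathname, s);
//   if (d.action === "redirect") return NextResponse.redirect(new URL(d.to, req.url));
//   if (d.action === "deny") return new NextResponse(null, { status: d.status });
//   return NextResponse.next();
// with: export const config = { matcher: ["/dashboard/:path*", "/api/:path*"] };
```

The matcher only decides which requests reach the middleware; `decide` is what enforces the rule, and the same `verifySession` should run again inside each protected route handler rather than trusting that the middleware ran.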
Security habits
- Hash passwords with bcrypt or argon2 (argon2id where available); never store them with a fast general-purpose hash
- Use HTTPS everywhere, and mark session cookies `Secure`, `HttpOnly` and `SameSite` so they are never sent in clear or readable from scripts
- Validate sessions on every protected request, including API routes and server actions, not just on page load
- Keep secrets in environment variables, and in Next.js never give a secret the `NEXT_PUBLIC_` prefix, which inlines it into the client bundle
Auth should be boring, predictable, and secure.