Authentication
The authentication pages handle user registration, login, password recovery, email verification, and the post-signup onboarding flow. These routes live in two separate route groups: (auth) for login/registration and (onboarding) for the onboarding wizard.
Route map
Auth pages ((auth) group)
| Route | File | Protection |
|---|---|---|
| /sign-in | (auth)/sign-in/+page.svelte | Unauthenticated only |
| /sign-up | (auth)/sign-up/+page.svelte | Unauthenticated only |
| /forgot-password | (auth)/forgot-password/+page.svelte | Unauthenticated only |
| /reset-password | (auth)/reset-password/+page.svelte | Unauthenticated only |
| /verify-email | (auth)/verify-email/+page.svelte | Fully public |
| /auth/callback | (auth)/auth/callback/ | Fully public |
| /auth/confirm | (auth)/auth/confirm/ | Fully public |
| /auth/error | (auth)/auth/error/+page.svelte | Fully public |
| /auth/forgot-password | (auth)/auth/forgot-password/ | Fully public |
| /auth/reset-password | (auth)/auth/reset-password/ | Fully public |
| /auth/resend-verification | (auth)/auth/resend-verification/ | Fully public |
Onboarding ((onboarding) group)
| Route | File | Protection |
|---|---|---|
| /onboarding | (onboarding)/onboarding/+page.svelte | Authenticated (exempt from onboarding check) |
Marketing
| Route | File | Protection |
|---|---|---|
| / | (marketing)/+page.svelte | Public (authenticated users redirect to /feed) |
Layout
The (auth) group has its own +layout.svelte that renders a centered card layout without the app sidebar or navigation. This gives auth pages a clean, focused appearance.
The (onboarding) group has a separate +layout.svelte and +layout.server.ts that provide a wizard-style layout with progress steps.
Route guard behavior
The route guard in hooks.server.ts enforces the following rules for auth-related routes:
Unauthenticated users
- Can access /sign-in, /sign-up, /forgot-password, /reset-password, and all /auth/* routes.
- Attempting to access any protected route redirects to /sign-in.
Authenticated users
- Accessing /sign-in, /sign-up, /forgot-password, or /reset-password redirects to /feed.
- Accessing the landing page (/) redirects to /feed.
- All protected routes check the onboards table. If no onboard record exists, the user is redirected to /onboarding.
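The rules above, written as one pure decision function with a default-deny fallthrough. This is an added example, not the project's hooks.server.ts; guardDecision, its parameters, the trailing-slash normalization and the sample path in the comments are assumptions.

```typescript
// Added illustration: a pure decision function mirroring the route-guard rules above.
// guardDecision and its parameters are hypothetical names, not the project's code.

// Routes only unauthenticated users may see (signed-in users go to /feed).
const GUEST_ONLY = new Set(["/sign-in", "/sign-up", "/forgot-password", "/reset-password"]);
// Routes reachable regardless of session state.
const PUBLIC_EXACT = new Set(["/verify-email"]);

function normalize(pathname: string): string {
  // Assumption: strip a trailing slash so "/sign-in/" is classified like "/sign-in".
  return pathname.length > 1 && pathname.endsWith("/") ? pathname.slice(0, -1) : pathname;
}

function isAuthEndpoint(path: string): boolean {
  // Match on the segment boundary, so a path such as "/authors" is not treated as /auth/*.
  return path.startsWith("/auth/");
}

// Returns the redirect target, or null when the request may proceed.
function guardDecision(pathname: string, hasSession: boolean, hasOnboardRecord: boolean): string | null {
  const path = normalize(pathname);

  if (isAuthEndpoint(path) || PUBLIC_EXACT.has(path)) return null; // fully public
  if (GUEST_ONLY.has(path)) return hasSession ? "/feed" : null;
  if (path === "/") return hasSession ? "/feed" : null; // marketing landing page

  // Default deny: everything not listed above is a protected route.
  if (!hasSession) return "/sign-in";
  if (path === "/onboarding") return null; // exempt from the onboarding check
  return hasOnboardRecord ? null : "/onboarding";
}
```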
Sign in (/sign-in)
The sign-in page provides:
- Email/password login form
- OAuth social login buttons (via Supabase Auth)
- Link to sign-up and forgot-password pages
The +page.server.ts handles the form submission by calling supabase.auth.signInWithPassword().
Sign up (/sign-up)
The registration page collects:
- Email address
- Password (with confirmation)
- Agreement to terms
The +page.server.ts calls supabase.auth.signUp() and sends a confirmation email.
Forgot password (/forgot-password)
Lets users request a password reset link. The form submits the email to supabase.auth.resetPasswordForEmail().
Reset password (/reset-password)
The password reset form, where users set a new password using the token from their email link.
Email verification (/verify-email)
Displays a confirmation message after signup prompting the user to check their email. The +page.server.ts may handle resend logic.
Auth server endpoints
The /auth/* routes handle server-side callbacks and actions:
| Route | Purpose |
|---|---|
| /auth/callback | OAuth redirect handler: exchanges the auth code for a session |
| /auth/confirm | Email confirmation link handler |
| /auth/error | Displays authentication error messages |
| /auth/forgot-password | Server action for password reset request |
| /auth/reset-password | Server action for password update |
| /auth/resend-verification | Resend the verification email |
Onboarding (/onboarding)
After a new user verifies their email and signs in for the first time, they land on the onboarding page. This wizard collects:
- Profile information (name, avatar)
- Interests and preferences
- Initial follow suggestions
The +page.server.ts reads the current onboarding state and processes step submissions. Once all steps are complete, it creates a record in the onboards table, allowing the user to proceed to /feed.
Landing page (/)
The marketing landing page at the root URL is served from (marketing)/+page.svelte. Authenticated users are immediately redirected to /feed by the route guard.