Verification checklist

Before you test

• Run setup.mjs and install dependencies for your chosen variant.
• Populate .env.local and restart the dev server.
• Confirm Resend is configured so OTP emails can actually be delivered.
• If you chose Supabase, run lib/db/schema.sql before testing credentials auth.
• If you chose Firebase, enable Firestore API and create the default Firestore database first.

Credentials flow

1. Register a new user from /register.
2. Verify the email OTP from /verify-email.
3. Log in from /login.
4. Request a reset from /forgot-password.
5. Reset the password from /reset-password.
6. Log in again with the new password.

Google OAuth flow

1. Configure AUTH_GOOGLE_ID and AUTH_GOOGLE_SECRET.
2. Click the Google button on /login or /register.
3. Complete the Google consent flow.
4. Confirm the app redirects back to /dashboard.
5. Sign out and confirm logout returns you to /login.
6. Verify the backend user record was created or updated correctly for the Google email.

Google OAuth now syncs a canonical backend user record across MongoDB, Supabase, and Firebase. Session data should reflect the backend-backed id, role, emailVerified, name, and image values after sign-in.

Database-specific checks

• MongoDB: confirm users and otps documents are written and that expired OTPs are no longer matched.
• Supabase: confirm rows are present in users and otps and that the project keys match the same database where you ran schema.sql.
• Firebase: confirm users and otps collections exist and create any composite index requested by the runtime error link.

Rate-limits in local dev