Museum Ibu Marsinah auth file map (~/Project/lumendev-core). Reusable pattern: [[Resources/Tech/Auth.js/Auth.js Next.js JWT Google MongoDB adapter pattern]]. Operator detail: repo docs/utility/authentication.md, AGENTS.md.
| Layer | File | Role |
|---|---|---|
| Edge-safe config | src/auth.config.ts | Google, JWT/session callbacks (id, role), trustHost — no MongoDB |
| Full app auth | src/auth.ts | Adapter + Credentials provider, OAuth role sync |
| Middleware | src/middleware.ts | Selective public / vs /admin, POST /api/bookings |
Unlike [[Projects/lumendev-invoice/context/authjs-implementation|Invoice]], the museum app does not lock the entire site — only admin and booking API.
- ADMIN_EMAILS env → admin on sign-in (Google or credentials)
- POST /api/auth/register → always user
- role for middleware (req.auth.user.role)

| Path | Implementation |
|---|---|
| Auth catch-all | src/app/api/auth/[...nextauth]/route.ts |
| Register | src/app/api/auth/register/route.ts |
| Sign-in UI | src/app/sign-in/page.tsx |
| Register UI | src/app/daftar/page.tsx |
| Admin stub | src/app/admin/page.tsx |
| Booking auth stub | src/app/api/bookings/route.ts — POST → 501 after requireRole |

- src/lib/requireSession.ts — requireSession(), requireRole(roles)
- /admin and POST /api/bookings before handlers run
- src/lib/mongodb-auth.ts
- src/models/User.ts on users collection (role, passwordHash)
- src/lib/mongodb.ts
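
The role rules and the selective gate listed in this note (ADMIN_EMAILS decides admin on sign-in, register always yields user, only /admin and POST /api/bookings need a session), modelled as pure functions. This is an added example, not code from the lumendev-core repo: the function names, the comma-separated ADMIN_EMAILS format, the decision labels and the rule that bookings accept any signed-in role are assumptions.

```typescript
// Added example: model of the role and route rules listed in this note.
// All names and sample values are constructed, not taken from the repo.
type AppRole = "admin" | "user";
type GateDecision = "allow" | "unauthenticated" | "forbidden";

// Assumption: ADMIN_EMAILS is a comma-separated list. Entries are trimmed and
// lower-cased so case or stray spaces cannot cause a mismatch either way.
function parseAdminEmails(raw: string | undefined): string[] {
  return (raw ?? "")
    .split(",")
    .map((e) => e.trim().toLowerCase())
    .filter((e) => e.length > 0);
}

// Sign-in (Google or credentials): admin only when the email is allowlisted.
function roleOnSignIn(email: string | null | undefined, admins: string[]): AppRole {
  if (!email) return "user"; // no email claim: fail closed to the low role
  return admins.indexOf(email.trim().toLowerCase()) !== -1 ? "admin" : "user";
}

// POST /api/auth/register: a role supplied by the client is ignored.
function roleOnRegister(_requestedRole?: unknown): AppRole {
  return "user";
}

// Selective gate: only /admin and POST /api/bookings require a session.
// Assumption: bookings accept any signed-in role; the note does not say.
function gate(method: string, pathname: string, role: AppRole | null): GateDecision {
  // Match on a path-segment boundary so /administrator is not treated as /admin.
  const isAdmin = pathname === "/admin" || pathname.indexOf("/admin/") === 0;
  const isBookingPost = method.toUpperCase() === "POST" && pathname === "/api/bookings";
  if (!isAdmin && !isBookingPost) return "allow"; // rest of the site is public
  if (role === null) return "unauthenticated";
  if (isAdmin && role !== "admin") return "forbidden";
  return "allow";
}
```

An empty or unset ADMIN_EMAILS yields an empty allowlist, so every sign-in resolves to user rather than failing open.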