This document covers the authentication mechanisms available in Proseperity. In the current version, the admin interface is open by default, but basic authentication can be configured for deployment.
Current Authentication Model
Proseperity v1 ships without built-in authentication. The admin interface at /admin is accessible to anyone who knows the URL. This is suitable for local development and internal use behind a VPN or firewall.
Security Considerations
Before deploying Proseperity to a public server, you should add authentication middleware to protect the admin routes. The recommended approach is to use Next.js middleware with environment variable-based secrets.
Adding Basic Auth
To add basic authentication, create a middleware.ts file in your src directory. Check for an Authorization header on requests to /admin routes and validate against a secret stored in your environment variables.
Configuration
Set the ADMIN_SECRET environment variable in your .env.local file. The middleware will compare the credentials in each incoming request's Authorization header against this secret and return a 401 Unauthorized response for invalid credentials.
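The following sketch of that middleware is an added example, not code shipped with Proseperity. It assumes the HTTP Basic scheme with the username ignored and the password equal to ADMIN_SECRET, and a Next.js version that lets middleware return a plain Response; the helper names safeEqual and basicPassword are hypothetical.

```typescript
// Added example: the check for src/middleware.ts, written with Web-standard APIs only.
// Assumptions (not from the page): Basic scheme, username ignored, password == ADMIN_SECRET.

// Constant-time comparison so response timing does not reveal how much of the secret matched.
function safeEqual(a: string, b: string): boolean {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// Extract the password from "Basic base64(user:password)"; null if the header is malformed.
function basicPassword(header: string | null): string | null {
  const m = /^Basic ([A-Za-z0-9+/]+={0,2})$/i.exec(header ?? "");
  if (!m) return null;
  try {
    const bytes = Uint8Array.from(atob(m[1] ?? ""), (c) => c.charCodeAt(0));
    const decoded = new TextDecoder().decode(bytes);
    const sep = decoded.indexOf(":");
    return sep < 0 ? null : decoded.slice(sep + 1);
  } catch {
    return null;
  }
}

// Returns undefined to let the request through, or a 401 Response to block it.
function middleware(request: Request, secret = process.env.ADMIN_SECRET): Response | undefined {
  const { pathname } = new URL(request.url);
  if (pathname !== "/admin" && !pathname.startsWith("/admin/")) return undefined;
  const supplied = basicPassword(request.headers.get("authorization"));
  // Fail closed: an unset or empty ADMIN_SECRET must never match anything.
  if (secret && supplied !== null && safeEqual(supplied, secret)) return undefined;
  return new Response("Unauthorized", {
    status: 401,
    headers: { "WWW-Authenticate": 'Basic realm="admin", charset="UTF-8"' },
  });
}

// In src/middleware.ts, export the function and limit it to the admin routes:
//   export { middleware };
//   export const config = { matcher: ["/admin/:path*"] };
```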
Future Plans
Full authentication with user accounts, roles, and permissions is planned for a future release. This will include support for SSO, OAuth providers, and fine-grained access control for content editing and publishing.
User Roles
The planned role system will include Admin, Editor, and Viewer roles. Admins can manage all content and settings. Editors can create and publish articles. Viewers can only read published content.
API Keys
For programmatic access, API keys will be supported in a future release. Each key will be scoped to specific permissions and can be revoked at any time from the admin interface.