
[Feature]: Replace custom email OTP auth with Clerk authentication #168

@chthonn

Description

Area

Authentication / onboarding

Problem to solve

Summary

Replace the current custom email OTP + JWT authentication system with Clerk
to improve security, reduce maintenance overhead, and unlock features like social login,
MFA, and session management out of the box.

Current Auth System

  • Custom email OTP flow via Nodemailer (Gmail App Password / OAuth2)
  • JWT-based session management (ACCESS_TOKEN secret)
  • Manual token verification middleware on the Express backend
  • User records stored and managed in MongoDB

Motivation

  • The custom OTP + JWT setup requires ongoing maintenance and is error-prone
  • Clerk provides a production-ready auth layer with better DX and security defaults
  • Enables future features: Google/GitHub OAuth, MFA, user management dashboard
  • Reduces environment variables and complexity (MAIL_USER, MAIL_PASS, OAUTH_* keys can be removed)

Proposed Changes

Backend (server/)

  • Install @clerk/express and configure Clerk middleware
  • Replace JWT verify middleware with Clerk's requireAuth() / getAuth()
  • Remove OTP generation, email sending, and token-refresh logic
  • Update user creation flow to sync Clerk user ID with MongoDB (webhooks or on first request)
  • Remove ACCESS_TOKEN, MAIL_USER, MAIL_PASS, OAUTH_* env vars

Frontend (frontend/)

  • Install @clerk/clerk-react
  • Wrap app with <ClerkProvider>
  • Replace custom login/signup/OTP pages with Clerk's <SignIn /> / <SignUp /> components (or use Clerk's hosted UI)
  • Replace manual token handling with useAuth() / getToken() from Clerk
  • Add VITE_CLERK_PUBLISHABLE_KEY to frontend .env

Env / Config

  • Update .env.example for both server and frontend
  • Update README.md with new setup instructions

Out of Scope

  • Migrating existing user passwords (no passwords in current system, OTP-only)
  • Changing the Socket.IO presence/DM logic

References

Labels: enhancement, auth, breaking-change

Proposed solution

.

Who benefits and how?

.

Scope or acceptance criteria

.

Related files, routes, or references

.

Before submitting

  • I checked for an existing issue that already covers this request.
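As an added example (not code from the issue or the project), one way to implement the "sync Clerk user ID with MongoDB on first request" bullet under Backend, written so it runs without Clerk or MongoDB: `getAuth` is assumed to behave like `@clerk/express`'s `getAuth(req)` and return `{ userId }` (null when there is no verified session), and `InMemoryUsers` is a stand-in for the `findOne`/`insertOne` subset of the Mongo users collection.

```javascript
// Added example, not from the issue or the project. Stand-ins: getAuth(req) is
// assumed to act like @clerk/express's getAuth and return { userId }; users is
// an in-memory substitute for the MongoDB users collection.

class InMemoryUsers {
  constructor() { this.docs = new Map(); }
  async findOne(query) { return this.docs.get(query.clerkId) ?? null; }
  async insertOne(doc) {
    // Models a unique index on clerkId: a second insert for the same id fails.
    if (this.docs.has(doc.clerkId)) throw new Error('E11000 duplicate key');
    this.docs.set(doc.clerkId, { ...doc });
  }
}

// Returns middleware that provisions the local user record on first request.
// Identity comes only from Clerk's verified session via getAuth; nothing the
// client sends in the body, query or headers is trusted for the user id.
function provisionUser(users, getAuth) {
  return async function (req, res, next) {
    const { userId } = getAuth(req);
    if (!userId) return res.status(401).json({ error: 'unauthenticated' });
    let user = await users.findOne({ clerkId: userId });
    if (!user) {
      user = { clerkId: userId, createdAt: new Date().toISOString() };
      try {
        await users.insertOne(user);
      } catch (err) {
        // Two concurrent first requests: the loser of the race reuses the winner's record.
        user = await users.findOne({ clerkId: userId });
      }
    }
    req.user = user;
    return next();
  };
}

// Minimal stand-in for an Express response so the middleware runs without Express.
function fakeResponse() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Runs the middleware once and reports what the next route handler would see.
async function runOnce(middleware, req) {
  const res = fakeResponse();
  let reachedHandler = false;
  await middleware(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler, user: req.user ?? null };
}
```

In the real app this middleware would sit after `clerkMiddleware()`/`requireAuth()`, so the 401 branch is defence in depth rather than the primary check, and `users` would be the Mongo collection with a unique index on `clerkId`.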
