User Authentication

By default Nibchat is anonymous — anyone who opens the app gets a session automatically with no login required. When you want to restrict access, enable email/password authentication with a single environment variable.

Enabling authentication

environment:
- AUTH_ENABLED=true

When enabled:

  • Unauthenticated visitors are redirected to /login.
  • /login and /register are the only public routes.
  • Conversations are scoped to the user account and accessible from any browser or device after login.

Registration modes

Open registration (default)

Anyone can create an account at /register.

Invite-only mode

environment:
- AUTH_ENABLED=true
- INVITE_ONLY=true

The /register page is disabled and shows a message explaining that registration is closed. Only an admin can create user accounts from the Users page in the admin dashboard — this bypasses the invite restriction.

User account management

From the user's perspective

  • Sign in / Sign out — login form at /login; sign-out button in the sidebar footer.
  • Change password — available in the Settings modal (gear icon in the sidebar) under the Change Password section.

From the admin's perspective

The admin dashboard gains a Users section (visible only when AUTH_ENABLED=true):

  • List all registered users with session count, conversation count, and registration date.
  • Create new user accounts (bypasses INVITE_ONLY).
  • Drill into a user's sessions to browse their conversations.
  • Delete a user and all their associated data.

See Admin Dashboard for full details.

How sessions work with authentication

Nibchat uses anonymous sessions (nc_session cookie) as the underlying storage unit even when auth is enabled. On login, the current browser session is linked to the user account. If you log in from a second device, a new session is created and also linked — so all your conversations remain visible regardless of which browser you use.

Old sessions that have expired and contain no conversations are automatically pruned on login to keep things tidy.
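
A minimal model of the linking and pruning rules described above, as an added example (not Nibchat's own code). The class and field names, the timestamps, and the choice to prune only the logging-in user's other sessions are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """What is stored under one nc_session cookie value (hypothetical shape)."""
    expires_at: int                    # epoch seconds; constructed values below
    user: Optional[str] = None         # None = anonymous, not yet linked
    conversations: list = field(default_factory=list)


class SessionStore:
    def __init__(self):
        self.sessions = {}             # session id -> Session

    def open_session(self, sid, expires_at):
        self.sessions[sid] = Session(expires_at)

    def login(self, user, sid, now):
        """Link the browser's current session to the account, then prune."""
        self.sessions[sid].user = user
        # Assumption: pruning covers this user's other linked sessions only.
        stale = [k for k, s in self.sessions.items()
                 if s.user == user and k != sid
                 and s.expires_at <= now and not s.conversations]
        for k in stale:
            del self.sessions[k]
        return stale

    def conversations_for(self, user):
        """Everything the account can see: the union over its linked sessions."""
        return sorted(c for s in self.sessions.values() if s.user == user
                      for c in s.conversations)


def demo():
    store = SessionStore()
    store.open_session("laptop", expires_at=100)
    store.login("alice", "laptop", now=10)
    store.sessions["laptop"].conversations.append("conv-1")
    store.open_session("tablet", expires_at=200)     # linked, never used to chat
    store.login("alice", "tablet", now=20)
    store.open_session("phone", expires_at=900)
    pruned = store.login("alice", "phone", now=500)  # laptop and tablet expired
    return pruned, sorted(store.sessions), store.conversations_for("alice")
```

In the demo, the expired laptop session is kept because it still holds a conversation, while the expired and empty tablet session is pruned at the next login.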

Password requirements

Passwords must be at least 8 characters and contain:

  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

Environment variables

| Variable | Default | Description |
| --- | --- | --- |
| AUTH_ENABLED | false | Set to true to require login before accessing the chat |
| INVITE_ONLY | false | Set to true to disable the /register page |